Allow v3 identity to work without the admin domain name

The problem was that the value of admin_domain_name was required in order to
use identity v3 even if no admin was being used.

A new option auth.default_credentials_domain_name
is used instead of admin_domain_name except when requesting admin creds.
This defaults to 'Default' which is the name keystone uses for compatibility
with v2.
Because tenant_isolation and pre-provisioned credentials are mutually
exclusive, and to avoid having too many config options, the new option is
used instead of tenant_isolation_domain_name as well.

Change-Id: I52f0d4c0cc7e5eafa896776b12315ed6154dfae2
David Kranz 2015-07-28 14:05:20 -04:00
parent 74647862be
commit 87fc7e9ac0
5 changed files with 21 additions and 18 deletions


@ -123,10 +123,10 @@
# Roles to assign to all users created by tempest (list value)
#tempest_roles =
# Only applicable when identity.auth_version is v3.Domain within which
# isolated credentials are provisioned.The default "None" means that
# the domain from theadmin user is used instead. (string value)
#tenant_isolation_domain_name = <None>
# Default domain used when getting v3 credentials. This is the name
# keystone uses for v2 compatibility. (string value)
# Deprecated group/name - [auth]/tenant_isolation_domain_name
#default_credentials_domain_name = Default
# If allow_tenant_isolation is set to True and Neutron is enabled
# Tempest will try to create a useable network, subnet, and router


@ -216,7 +216,7 @@ class Accounts(cred_provider.CredentialProvider):
if ('user_domain_name' in init_attributes and 'user_domain_name'
not in hash_attributes):
# Allow for the case of domain_name populated from config
domain_name = CONF.identity.admin_domain_name
domain_name = CONF.auth.default_credentials_domain_name
hash_attributes['user_domain_name'] = domain_name
if all([getattr(creds, k) == hash_attributes[k] for
k in init_attributes]):
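Review bot: The fallback on the `domain_name = CONF.auth.default_credentials_domain_name` line is applied to every account entry that lacks `user_domain_name`, with no distinction for admin entries, while the commit message says the admin path keeps `admin_domain_name`. If an admin credential built with a non-default `admin_domain_name` is ever compared here, the `all([...])` match would fail against an entry filled with 'Default'; whether that can happen depends on callers not visible in this hunk. Either state the assumption in the existing comment, e.g. `# Domain comes from auth.default_credentials_domain_name; admin entries are expected to carry their own user_domain_name`, or select the domain by account type. The enclosing method starts and ends outside the hunk.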


@ -84,9 +84,9 @@ def get_credentials(fill_in=True, identity_version=None, **kwargs):
domain_fields = set(x for x in auth.KeystoneV3Credentials.ATTRIBUTES
if 'domain' in x)
if not domain_fields.intersection(kwargs.keys()):
# TODO(andreaf) It might be better here to use a dedicated config
# option such as CONF.auth.tenant_isolation_domain_name
params['user_domain_name'] = CONF.identity.admin_domain_name
domain_name = CONF.auth.default_credentials_domain_name
params['user_domain_name'] = domain_name
auth_url = CONF.identity.uri_v3
else:
auth_url = CONF.identity.uri
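Review bot: The new `params['user_domain_name'] = domain_name` branch is left without any comment now that the TODO is gone, so a reader cannot tell that callers wanting the admin domain must pass a domain field themselves. A one-line comment would make that contract explicit, e.g. `# No domain field supplied: use auth.default_credentials_domain_name; admin callers pass their own domain`. This matters because a caller that forgets the domain now silently authenticates against 'Default' instead of the admin domain. The body of get_credentials continues outside the hunk.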


@ -163,8 +163,8 @@ class IsolatedCreds(cred_provider.CredentialProvider):
self.creds_domain_name = None
if self.identity_version == 'v3':
self.creds_domain_name = (
CONF.auth.tenant_isolation_domain_name or
self.default_admin_creds.project_domain_name)
self.default_admin_creds.project_domain_name or
CONF.auth.default_credentials_domain_name)
self.creds_client = get_creds_client(
self.identity_admin_client, self.creds_domain_name)
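Review bot: The new expression evaluates `self.default_admin_creds.project_domain_name` before the config option, which reverses the old precedence where `tenant_isolation_domain_name` won. That name is now a deprecated alias of `default_credentials_domain_name`, so a deployment that set it to keep generated test users in a dedicated domain will have the setting ignored whenever the admin credentials carry a project domain, and the isolated accounts will be created in the admin's domain. If that is intended, say so next to the expression, e.g. `# admin's project domain wins; the config value is only a fallback`, and in the option's help text. If the explicit setting should still win, note that the new 'Default' default can no longer signal "unset" the way None did. The enclosing __init__ starts and ends outside the hunk.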


@ -67,12 +67,13 @@ AuthGroup = [
cfg.ListOpt('tempest_roles',
help="Roles to assign to all users created by tempest",
default=[]),
cfg.StrOpt('tenant_isolation_domain_name',
default=None,
help="Only applicable when identity.auth_version is v3."
"Domain within which isolated credentials are provisioned."
"The default \"None\" means that the domain from the"
"admin user is used instead."),
cfg.StrOpt('default_credentials_domain_name',
default='Default',
help="Default domain used when getting v3 credentials. "
"This is the name keystone uses for v2 compatibility.",
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_isolation_domain_name',
group='auth')]),
cfg.BoolOpt('create_isolated_networks',
default=True,
help="If allow_tenant_isolation is set to True and Neutron is "
@ -1257,9 +1258,11 @@ class TempestConfigPrivate(object):
self.baremetal = _CONF.baremetal
self.input_scenario = _CONF['input-scenario']
self.negative = _CONF.negative
_CONF.set_default('domain_name', self.identity.admin_domain_name,
_CONF.set_default('domain_name',
self.auth.default_credentials_domain_name,
group='identity')
_CONF.set_default('alt_domain_name', self.identity.admin_domain_name,
_CONF.set_default('alt_domain_name',
self.auth.default_credentials_domain_name,
group='identity')
def __init__(self, parse_conf=True, config_path=None):
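Review bot: In the second hunk the defaults for `identity.domain_name` and `identity.alt_domain_name` now come from `self.auth.default_credentials_domain_name` instead of `self.identity.admin_domain_name`, and nothing in the new help text tells operators. A config that set only `admin_domain_name` to a non-default domain and left the other two unset will now resolve the primary and alt users in 'Default' with no warning. The help string of `default_credentials_domain_name` should cover this, e.g. by appending `"Also used as the default for identity.domain_name and identity.alt_domain_name."`. The method containing the `set_default` calls starts outside the hunk.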