From bc1b15b800068b55fdcbead85046b25993389644 Mon Sep 17 00:00:00 2001 From: Matthew Treinish Date: Fri, 20 Feb 2015 15:56:07 -0500 Subject: [PATCH] Add tempest config guide doc This commit adds a new doc page to the tempest documentation to provide a guide to configuring tempest. It currently contains one section to elaborate on the credentials and auth options in the config file. This doc will be expanded in the future to add details around other pieces of tempest configuration. Change-Id: Iaf7cefc6a5e508437e4b4620ba5bfaa221f3611b --- doc/source/configuration.rst | 115 +++++++++++++++++++++++++++++++++++ doc/source/index.rst | 9 +++ 2 files changed, 124 insertions(+) create mode 100644 doc/source/configuration.rst diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst new file mode 100644 index 0000000000..08f37cc7cd --- /dev/null +++ b/doc/source/configuration.rst @@ -0,0 +1,115 @@ +Tempest Configuration Guide +=========================== + +Auth/Credentials +---------------- + +Tempest currently has 2 different ways in configuration to provide credentials +to use when running tempest. One is a traditional set of configuration options +in the tempest.conf file. These options are in the identity section and let you +specify a regular user, a global admin user, and a alternate user set of +credentials. (which consist of a username, password, and project/tenant name) +These options should be clearly labelled in the sample config file in the +identity section. + +The other method to provide credentials is using the accounts.yaml file. This +file is used to specify an arbitrary number of users available to run tests +with. You can specify the location of the file in the +auth section in the tempest.conf file. To see the specific format used in +the file please refer to the accounts.yaml.sample file included in tempest. +Currently users that are specified in the accounts.yaml file are assumed to +have the same set of roles which can be used for executing all the tests you +are running. This will be addressed in the future, but is a current limitation. +Eventually the config options for providing credentials to tempest will be +deprecated and removed in favor of the accounts.yaml file. + +Credential Provider Mechanisms +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Tempest currently also has 3 different internal methods for providing +authentication to tests. Tenant isolation, locking test accounts, and +non-locking test accounts. Depending on which one is in use the configuration +of tempest is slightly different. + +Tenant Isolation +"""""""""""""""" +Tenant isolation was originally create to enable running tempest in parallel. +For each test class it creates a unique set of user credentials to use for the +tests in the class. It can create up to 3 sets of username, password, and +tenant/project names for a primary user, an admin user, and an alternate user. +To enable and use tenant isolation you only need to configure 2 things: + + #. A set of admin credentials with permissions to create users and + tenants/projects. This is specified in the identity section with the + admin_username, admin_tenant_name, and admin_password options + #. To enable tenant_isolation in the auth section with the + allow_tenant_isolation option. + + +Locking Test Accounts +""""""""""""""""""""" +For a long time using tenant isolation was the only method available if you +wanted to enable parallel execution of tempest tests. However this was +insufficient for certain use cases because of the admin credentials requirement +to create the credential sets on demand. To get around that the accounts.yaml +file was introduced and with that a new internal credential provider to enable +using the list of credentials instead of creating them on demand. With locking +test accounts each test class will reserve a set of credentials from the +accounts.yaml before executing any of its tests so that each class is isolated +like in tenant isolation. + +Currently, this mechanism has some limitations, first only non-admin users with +the same role set can be used at one time. The second limitation is around +networking, locking test accounts will only work with a single flat network as +the default for each tenant/project. If another network configuration is used +in your cloud you might face unexpected failures. + +To enable and use locking test accounts you need do a few things: + + #. Enable the locking test account provider with the + locking_credentials_provider option in the auth section + #. Create a accounts.yaml file which contains the set of pre-existing + credentials to use for testing. To make sure you don't have a credentials + starvation issue when running in parallel make sure you have at least 2 + times the number of parallel workers you are using to execute tempest + available in the file. + #. Provide tempest with the location of you accounts.yaml file with the + test_accounts_file option in the auth section + + +Non-locking test accounts +""""""""""""""""""""""""" +When tempest was refactored to allow for locking test accounts, the original +non-tenant isolated case was converted to support the new accounts.yaml file. +This mechanism is the non-locking test accounts provider. It only makes sense +to use it if parallel execution isn't needed. If the role restrictions were too +limiting with the locking accounts provider and tenant isolation is not wanted +then you can use the non-locking test accounts credential provider without the +accounts.yaml file. This is also the currently the default configuration for +tempest, since it doesn't require elevated permissions or the extra file. + +To use the non-locking test accounts provider you have 2 ways to configure it. +First you can specify the sets of credentials in the configuration file like +detailed above with following 9 options in the identity section: + + #. username + #. password + #. tenant_name + #. admin_username + #. admin_password + #. admin_tenant_name + #. alt_username + #. alt_password + #. alt_tenant_name + +You should use this if you need to specify credentials with different roles. +(i.e. you want to use admin credentials) However, this isn't a requirement for +its usage. + +You also can use the accounts.yaml file to specify the credentials used for +testing. This will just allocate them serially so you only need to provide +a pair of credentials. Do note that all the restrictions associated with +locking test accounts applies to using the accounts.yaml file this way too. +The procedure for doing this is very similar to with the locking accounts +provider just don't set the locking_credentials_provider to true and you +only should need a single pair of credentials. diff --git a/doc/source/index.rst b/doc/source/index.rst index 1f06bc54eb..cb1c504cc1 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -29,6 +29,15 @@ where your test contributions should go. field_guide/thirdparty field_guide/unit_tests +--------------------------- +Tempest Configuration Guide +--------------------------- + +.. toctree:: + :maxdepth: 2 + + configuration + --------------------- Command Documentation ---------------------