Keystone is moving away from using either project-scope or domain-scope
for the main cloud administrator user, and instead moving toward the
admin user having a role assignment on the "system" scope. This will
mean that no particular project or domain is special, and instead the
cloud administrator scopes to the system in order to make
deployment-wide changes. Keystone has now migrated all of its policies
to understand system scope, and if a deployment sets
[oslo_policy]/enforce_scope=true in keystone.conf and uses the new
policies, an admin user scoped to the admin project will not be able to
create dynamic credentials for tempest.
This patch adds a new parameter ``[auth]/admin_system`` to indicate that
neither the ``admin_project`` nor ``admin_domain`` parameters apply to
the admin user and that the user should instead authenticate with the
system scope. This also adds ``admin_user_domain_name`` so that the
admin user can be found in its domain (namespace) without setting
``domain_name``, and for completeness also adds
``admin_project_domain_name`` so that ``domain_name`` could be omitted
even if using project scope.
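
The scope choice this message describes maps onto the ``scope`` object of a Keystone v3 password token request (POST /v3/auth/tokens). The sketch below is an added example, not code from Tempest or from this patch; the helper names and the sample credentials are constructed for illustration, and it shows system scope beside project and domain scope.

```python
import json

# Constructed sample credentials; names and values are illustrative only.
SAMPLE_ADMIN = {
    "username": "admin",
    "password": "example-password",
    "user_domain_name": "Default",
    "project_name": "admin",
    "project_domain_name": "Default",
    "domain_name": "Default",
}


def _named(name, domain_name=None):
    """Reference an entity by name, qualified by its domain when one is given."""
    ref = {"name": name}
    if domain_name is not None:
        ref["domain"] = {"name": domain_name}
    return ref


def build_scope(creds, scope):
    """Build the 'scope' object from only the attributes that scope needs."""
    if scope == "system":
        # No project or domain is referenced: the token is deployment-wide.
        return {"system": {"all": True}}
    if scope == "domain":
        if not creds.get("domain_name"):
            raise ValueError("domain scope requires domain_name")
        return {"domain": _named(creds["domain_name"])}
    if scope == "project":
        if not creds.get("project_name"):
            raise ValueError("project scope requires project_name")
        domain = creds.get("project_domain_name")
        return {"project": _named(creds["project_name"], domain)}
    raise ValueError("unknown scope: %r" % (scope,))


def build_token_request(creds, scope="project"):
    """Request body for password authentication with the chosen scope."""
    user = _named(creds["username"], creds.get("user_domain_name"))
    user["password"] = creds["password"]
    identity = {"methods": ["password"], "password": {"user": user}}
    return {"auth": {"identity": identity, "scope": build_scope(creds, scope)}}


if __name__ == "__main__":
    for name in ("project", "domain", "system"):
        body = build_token_request(SAMPLE_ADMIN, name)
        print(name, json.dumps(body["auth"]["scope"]))
```
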
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8, remove vi check, it's now in
hacking as H106.
The tempest plugin is used on older branches as well.
We really only need hacking on this repo anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.
As part of the migration from httplib2 -> urllib3 we lost support for
handling the env vars for setting an http proxy. This wasn't ever an
explicit feature in tempest, but instead was an artifact of our
library choice for doing http. However, as people relied on this
functionality and it is a useful feature, having tempest support this
explicitly will make sure we don't accidentally drop support for it in
the future. This commit adds a new config option to specify a
proxy_url to replace the lost functionality.
This commit uses the sequence directly instead of using
len(SEQUENCE). The original code works correctly, and it's really
straightforward. However, PEP8 recommends the following, and it
makes the code simpler, too.

    For sequences, (strings, lists, tuples), use the fact that empty
    sequences are false.

    Yes: if not seq:
    No:  if len(seq):
         if not len(seq):

Class Credentials defines __eq__() built-in function, but does
not define __ne__() built-in function, so self.assertEqual works
but self.assertNotEqual does not work at all in this test case in
python2. This patch fixes it.
If timeout is not set in urllib3.poolmanager.PoolManager, it will
use "Python's default timeout for sockets", but if "timeout for
sockets" is not set, the timeout will be infinite (will not time out).
So this is intended to set the timeout value in
urllib3.poolmanager.PoolManager to avoid an infinite timeout.
Looping over the .keys() method of a dictionary is an anti-pattern. In
fact, the method is actually creating a new list which is redundant and
unnecessary. Looping over a dictionary implicitly loops over its keys.
Certain identity v3 API calls require a domain scoped token when
policy.v3cloudsample.json is used.
Introduce a new config flag to tell Tempest that keystone in the
target cloud requires domain scoped tokens for admin actions.
Modify the v3 client managers used to obtain v3 admin identity
clients to request the domain scope when the flag is turned on.
Co-authored by: Roxana Gherle <email@example.com>
Previously, if there were multiple endpoints with the same type and region,
or without a region, the first endpoint would be returned. Now,
by specifying the name, a specific one can be used.
Co-Authored-By: Franklin Naval <firstname.lastname@example.org>
Adding the ability to select the scope of the authentication.
When using identity v3, this makes it possible to use either
project scope or domain scope regardless of whether a project
is included or not in the Credentials object.
The interface to auth for most tests is the AuthProvider.
The scope is defined in the constructor of the AuthProvider,
and it can also be changed at a later time via 'set_scope'.
In most cases a set of credentials will use the same scope.
Test credentials will use project scope. Admin test credentials
may use domain scope on identity API calls, or project scope on
other APIs. Since clients are initialised with an auth provider
by the client manager, we extend the client manager interface to
include the scope. Tests and Tempest parts that require a domain
scoped token will instantiate the relevant client manager with
scope == 'domain', or set the scope to domain on the 'auth_provider'.
The default scope in the v3 auth provider is 'project', which we must
do for backward compatibility reasons (besides, it's what most tests
expect). We also filter the list of attributes based on scope, so
that tests or service clients may request a different scope.
The original behaviour of the token client is unchanged:
all fields passed to it towards the API server. This
maintains backward compatibility, and leaves full control
for tests that want to define what is sent in the token
Preprovision credential provider hashes credentials based on all
fields specified in the YAML. The same configured credentials can
be used to build both v2 and v3 credential objects, so we need to
hash on the fields that are common between v2 and v3 only.
Because v2 only understands tenants (and not projects) the
intersection would be only user and password. Because of that, and
because we want to promote project against tenant, accept
project in v2 credentials as well, by translating it to tenant at
When an API server is on an unversioned path (for example, keystone
is on http://localhost/identity), verify-config would fail with a
404 Not Found because the version wasn't put on the URL as required
(for example, the v2.0 keystone url should have been
http://localhost/identity/v2.0 but was instead
http://localhost/identity). This is because the version replacement
code wasn't adding the version when it wasn't present and a path
Code for applying filters to the urls in the KeystoneV*AuthProvider
classes was copy-pasted. Extracting the copied code to a function so
that fixes can be made in one place.
Fixing V3 credential behavior so that contradicting parameter combinations
do not result in unpredictable behavior. Updating accounts.yaml.sample
file to reference the correct location of the credentials
classes and to describe the updated behavior of Identity V3 attributes.
Using string replace to replace the new path back onto the old path
fails when there is no path set up in the catalog initially. Instead of
this, let's use the inverse to the urlparse previously performed.
When an EndpointNotFound exception happens, the detail contains the service
value only, but the exception depends on the other values also.
So this patch adds these values to the EndpointNotFound exception for
easier debugging.
This commit migrates all of the code from tempest-lib as of its
current HEAD, 6ad0ce42c2791a28125d38b40e7dcddf32dbeed7. The only
changes made to the tempest-lib code are to update the imports and
other references to tempest_lib. Since in its new home it should
Partially implements bp tempest-lib-reintegration