Keystone is moving away from using either project-scope or domain-scope
for the main cloud administrator user, and instead moving toward the
admin user having a role assignment on the "system" scope[1]. This will
mean that no particular project or domain is special, and instead the
cloud administrator scopes to the system in order to make
deployment-wide changes. Keystone has now migrated all of its policies
to understand system scope[2], and if a deployment sets
[oslo_policy]/enforce_scope=true in keystone.conf and uses the new
policies, an admin user scoped to the admin project will not be able to
create dynamic credentials for tempest.
This patch adds a new parameter ``[auth]/admin_system`` to indicate that
neither the ``admin_project`` nor ``admin_domain`` parameters apply to
the admin user and that the user should instead authenticate with the
system scope. This also adds ``admin_user_domain_name`` so that the
admin user can be found in its domain (namespace) without setting
``domain_name``, and for completeness also adds
``admin_project_domain_name`` so that ``domain_name`` could be omitted
even if using project scope.
[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[2] https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=system-scope
Depends-on: https://review.opendev.org/739262
Change-Id: I840b273c37ca7cc4592c43813abfb424337e2836
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8, remove vi check, it's now in
hacking as H106.
The tempest plugin is used on older branches as well.
We really only need hacking on this repo anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.
Change-Id: I3f4216f66606fbc450a46c93de306399b7f3cd65
When proxy_url was added, it was added to the AuthProvider
but not to the get_credentials helper, so fixing that.
Change-Id: I2bcb8446295178cc7a24437478a6a1d293e5a197
As part of the migration from httplib2 -> urllib3 we lost support for
handling the env vars for setting an http proxy. This wasn't ever an
explicit feature in tempest, but instead was an artifact of our
library choice for doing http. However as people relied on this
functionality and it is a useful feature having tempest support this
explicitly will make sure we don't accidentally drop support for it in
the future. This commit adds a new config option to specify a
proxy_url to replace the lost functionality.
Change-Id: Id8f6422a323f8bfdb10527f55c0cb046622b88bf
Closes-Bug: #1556864
This commit uses the sequence directly instead of using
len(SEQUENCE). The original code works correctly, and it's really
straightforward. However, PEP8 recommends the following[1], and it
makes the code simpler, too.
```
For sequences, (strings, lists, tuples), use the fact that empty
sequences are false.
Yes: if not seq:
     if seq:
No:  if len(seq):
     if not len(seq):
```
[1] https://www.python.org/dev/peps/pep-0008/#programming-recommendations
Change-Id: I8d41e16d82b1b3860a98e5217cb7a541fc83b907
Class Credentials defines __eq__() built-in function, but does
not define __ne__() built-in function, so self.assertEqual works
but self.assertNotEqual does not work at all in this test case in
python2. This patch fixes it.
Change-Id: I2c0d9d6202d64de57700ceb7c15db8ed3ad7e8ff
Closes-Bug: #1586268
If timeout is not set in urllib3.poolmanager.PoolManager, it will
use "Python's default timeout for sockets", but if "timeout for
sockets" is not set, the timeout will be infinite (will not time out).
So this is intended to set the timeout value in
urllib3.poolmanager.PoolManager to avoid an infinite timeout.
Change-Id: Ic035fdb93734c926b26b33feb610e0977e48c646
Closes-Bug: #1558931
Looping over the .keys() method of a dictionary is an anti-pattern. In
fact, the method is actually creating a new list which is redundant and
unnecessary. Looping over a dictionary implicitly loops over its keys.
Change-Id: I937d3f060bf95bb86e50fcb5dec8def524f6208e
Certain identity v3 API calls require a domain scoped token when
policy.v3cloudsample.json is used.
Introduce a new config flag to tell Tempest that keystone in the
target cloud requires domain scoped tokens for admin actions.
Modify the v3 client managers used to obtain v3 admin identity
clients to request the domain scope when the flag is turned on.
Co-authored by: Roxana Gherle <roxana.gherle@hp.com>
Change-Id: I91ca907992428a5a14fb8d48a4fad105d2906e27
Previously, if there were multiple endpoints with the same type and region,
or without a region, the first endpoint would be returned. Now,
by specifying the name, a specific one can be used.
Co-Authored-By: Franklin Naval <franklin.naval@gmail.com>
Change-Id: Ife6d435e2aa84153d8717463930d45e5f21272f7
Closes-Bug: #1486834
Adding the ability to select the scope of the authentication.
When using identity v3, this makes it possible to use either
project scope or domain scope regardless of whether a project
is included or not in the Credentials object.
The interface to auth for most tests is the AuthProvider.
The scope is defined in the constructor of the AuthProvider,
and it can also be changed at a later time via 'set_scope'.
In most cases a set of credentials will use the same scope.
Test credentials will use project scope. Admin test credentials
may use domain scope on identity API calls, or project scope on
other APIs. Since clients are initialised with an auth provider
by the client manager, we extend the client manager interface to
include the scope. Tests and Tempest parts that require a domain
scoped token will instantiate the relevant client manager with
scope == 'domain', or set the scope to domain on the 'auth_provider'.
The default scope in the v3 auth provider is 'project', which we must
do for backward compatibility reasons (besides, it's what most tests
expect). We also filter the list of attributes based on scope, so
that tests or service clients may request a different scope.
The original behaviour of the token client is unchanged:
all fields passed to it are sent towards the API server. This
maintains backward compatibility, and leaves full control
for tests that want to define what is sent in the token
request.
Closes-bug: #1475359
Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add
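
The scope selection described in this commit message, together with the system scope from the ``[auth]/admin_system`` change at the top of this log, as an added example (not Tempest code): it builds the Keystone v3 password-auth body per scope and sends only the attributes that belong to that scope. The helper name and the ``creds`` dict layout are assumptions.

```python
# Added example: Keystone v3 password-auth request bodies per token scope.
# build_v3_auth_body and the layout of `creds` are assumptions for this sketch.
VALID_SCOPES = ("unscoped", "project", "domain", "system")


def build_v3_auth_body(creds, scope="project"):
    """Return the JSON body for POST /v3/auth/tokens, sending only the
    attributes that belong to the requested scope."""
    if scope not in VALID_SCOPES:
        raise ValueError("unknown scope: %r" % scope)
    user = {
        "name": creds["username"],
        "password": creds["password"],
        "domain": {"name": creds["user_domain_name"]},
    }
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}}}}
    if scope == "project":
        body["auth"]["scope"] = {"project": {
            "name": creds["project_name"],
            "domain": {"name": creds["project_domain_name"]},
        }}
    elif scope == "domain":
        # Project attributes present in creds are deliberately not sent.
        body["auth"]["scope"] = {"domain": {"name": creds["domain_name"]}}
    elif scope == "system":
        # System scope names no project or domain at all.
        body["auth"]["scope"] = {"system": {"all": True}}
    return body


# Constructed sample credentials carrying both project and domain attributes.
SAMPLE_CREDS = {
    "username": "admin", "password": "example-password",
    "user_domain_name": "Default",
    "project_name": "admin", "project_domain_name": "Default",
    "domain_name": "Default",
}

if __name__ == "__main__":
    import json
    for name in VALID_SCOPES:
        scope_part = build_v3_auth_body(SAMPLE_CREDS, name)["auth"].get("scope")
        print(name, json.dumps(scope_part))
```
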
Preprovision credential provider hashes credentials based on all
fields specified in the YAML. The same configured credentials can
be used to build both v2 and v3 credential objects, so we need to
hash on the fields that are common between v2 and v3 only.
Because v2 only understands tenants (and not projects) the
intersection would be only user and password. Because of that, and
because we want to promote project against tenant, accept
project in v2 credentials as well, by translating it to tenant at
__init__ time.
Change-Id: Ib62c26cdffc2db6f6352d9889c689db3ff09aa5d
When an API server is on an unversioned path (for example, keystone
is on http://localhost/identity), verify-config would fail with a
404 Not Found because the version wasn't put on the URL as required
(for example, the v2.0 keystone url should have been
http://localhost/identity/v2.0 but was instead
http://localhost/identity). This is because the version replacement
code wasn't adding the version when it wasn't present and a path
was there.
Change-Id: I559bd967a87b646906f37df81a7db096148488db
Code for applying filters to the urls in the KeystoneV*AuthProvider
classes was copy-pasted. Extracting the copied code to a function so
that fixes can be made in one place.
Change-Id: I6b1029d2004fe0208519b506c2751390a6c49569
Fixing V3 credential behavior so that contradicting parameter combinations
do not result in unpredictable behavior. Updating accounts.yaml.sample
file to reference the correct location of the credentials
classes and to describe the updated behavior of Identity V3 attributes.
Change-Id: I29efe778afcb1e4a55dffd6a8ed8212d62a4dd15
Using string replace to replace the new path back onto the old path
fails when there is no path setup in the catalog initially. Instead of
this let's use the inverse to the urlparse previously performed.
Change-Id: I931f0c558aafc8dfaa5519744c6e4e7fcffc3205
Closes-Bug: #1552475
When EndpointNotFound exception happens, the detail contains service
value only, but the exception depends on the other values also.
So this patch adds these values to EndpointNotFound exception for
easier debugging.
Change-Id: I05095e6ce56bc62485e964241047fd3b3864f181
After implementing blueprint "Ability to run some Nova services under Apache2"
(https://blueprints.launchpad.net/nova/+spec/run-nova-services-under-apache2)
it becomes possible not to use separate ports for each OpenStack service but
share port 80 with different URL prefixes.
Mailing list thread with discussion of the details of this feature:
http://lists.openstack.org/pipermail/openstack-dev/2015-June/067147.html.
OpenStack wiki page with mapping urls to services:
https://wiki.openstack.org/wiki/URLs.
If the nova-api service is started by Apache (or similar),
using the 'Alias' directive, the script name contains the alias prefix.
We get things like: '/ALIAS/NAME/v2', '/ALIAS/NAME/v2.1'
This change makes sure we compose the correct url for getting the list of versions.
Co-Authored-By: Marian Horban <mhorban@mirantis.com>
Co-Authored-By: Pavel Kholkin <pkholkin@mirantis.com>
Closes-Bug: #1471833
Change-Id: I2c78e22095975aef777bc62b19d46bcc8fea2d96
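
The three URL-handling fixes in this log (version missing on an unversioned path, string replace failing on an empty catalog path, and alias-prefixed paths under Apache) come down to editing the parsed path and reassembling the URL. An added example, not Tempest's own code; the function names and sample URLs are constructed:

```python
# Added example: version handling on catalog URLs via urlparse/urlunparse.
import re
from urllib.parse import urlparse, urlunparse

# A path segment such as /v2, /v2.0 or /v3, wherever it sits in the path.
_VERSION_SEGMENT = re.compile(r"/v\d+(?:\.\d+)?(?=/|$)")


def replace_version(url, new_version):
    """Swap the version segment, or append it when the path has none."""
    parts = urlparse(url)
    segment = "/" + new_version
    path, count = _VERSION_SEGMENT.subn(segment, parts.path, count=1)
    if count == 0:
        # Unversioned path (e.g. /identity) or no path at all: append.
        path = parts.path.rstrip("/") + segment
    # Inverse of urlparse: rebuild from components, keeping query etc.
    return urlunparse(parts._replace(path=path))


def versions_root(url):
    """URL to query for the list of versions, keeping any alias prefix."""
    parts = urlparse(url)
    match = _VERSION_SEGMENT.search(parts.path)
    prefix = parts.path[:match.start()] if match else parts.path
    return urlunparse(parts._replace(path=prefix.rstrip("/") + "/",
                                     query="", fragment=""))


def naive_replace_version(url, new_version):
    """Fragile string-replace approach, shown only to illustrate the
    failure mode: with an empty path, str.replace("", x) inserts x
    between every character of the URL."""
    old_path = urlparse(url).path
    return url.replace(old_path, "/" + new_version)


if __name__ == "__main__":
    for sample in ("http://localhost:5000/v2.0", "http://localhost/identity",
                   "http://localhost:5000",
                   "http://localhost/ALIAS/NAME/v2.1/servers?limit=1"):
        print(sample, "->", replace_version(sample, "v3"), versions_root(sample))
    print(naive_replace_version("http://localhost:5000", "v3"))
```
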
This commit migrates all of the code from tempest-lib as of its
current HEAD, 6ad0ce42c2791a28125d38b40e7dcddf32dbeed7. The only
changes made to the tempest-lib code are to update the imports and
other references to tempest_lib, since in its new home it should
be tempest.lib.
Partially implements bp tempest-lib-reintegration
Change-Id: Iadc1b61953a86fa9de34e285a0bb083b1ba06fa8