Keystone is moving away from using either project-scope or domain-scope
for the main cloud administrator user, and instead moving toward the
admin user having a role assignment on the "system" scope[1]. This will
mean that no particular project or domain is special, and instead the
cloud administrator scopes to the system in order to make
deployment-wide changes. Keystone has now migrated all of its policies
to understand system scope[2], and if a deployment sets
[oslo_policy]/enforce_scope=true in keystone.conf and uses the new
policies, an admin user scoped to the admin project will not be able to
create dynamic credentials for tempest.
This patch adds a new parameter ``[auth]/admin_system`` to indicate that
neither the ``admin_project`` or ``admin_domain`` parameters apply to
the admin user and that the user should instead authenticate with the
system scope. This also adds ``admin_user_domain_name`` so that the
admin user can be found in its domain (namespace) without setting
``domain_name``, and for completeness also adds
``admin_project_domain_name`` so that ``domain_name`` could be omitted
even if using project scope.
[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[2] https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=system-scope
Depends-on: https://review.opendev.org/739262
Change-Id: I840b273c37ca7cc4592c43813abfb424337e2836
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: If1de2f48da1fd6ed3f96c98b8dce9eace4f8095d
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
The credentials_factory module loads a few bit configuration
at module import time when the DEFAULT_PARAMS variable is defined.
This is not a good idea as it forces configuration to be loaded
even during test discovery. Besides DEFAULT_PARAMS was out of
date as it did not include http_timeout.
Replacing the DEFAULT_PARAMS variable with calls to
config.service_client_config().
Not loading CONF at test discovery time uncovered the fact that
the account generator unit tests were depending on oslo log
configuration parameters to be there. Mocking the log setup
step fixed the issue.
Change-Id: I6e0eb85b3749baedb6035f59ed1c66850f6c95fb
Add unit tests for credentials_factory and mark it stable for
plugins. This is part of the work to make tempest/test.py stable
for plugins.
Change-Id: I99414cb2704ce5469fcb66406b6905e2d1871dba
Colleen Murphy