tempest/doc/source/configuration.rst

Tempest Configuration Guide

This guide is a starting point for configuring tempest. It aims to elaborate on and explain some of the mandatory and common configuration settings and how they are used in conjunction. The source of truth on each option is the sample config file which explains the purpose of each individual option.

Lock Path

There are some tests and operations inside of tempest that need to be externally locked when running in parallel to prevent them from running at the same time. This is a mandatory step for configuring tempest and is still needed even when running serially. All that is needed to do this is:

1. Set the lock_path option in the oslo_concurrency group

Auth/Credentials

Tempest currently has 2 different ways in configuration to provide credentials to use when running tempest. One is a traditional set of configuration options in the tempest.conf file. These options are in the identity section and let you specify a regular user, a global admin user, and a alternate user set of credentials. (which consist of a username, password, and project/tenant name) These options should be clearly labelled in the sample config file in the identity section.

The other method to provide credentials is using the accounts.yaml file. This file is used to specify an arbitrary number of users available to run tests with. You can specify the location of the file in the auth section in the tempest.conf file. To see the specific format used in the file please refer to the accounts.yaml.sample file included in tempest. Currently users that are specified in the accounts.yaml file are assumed to have the same set of roles which can be used for executing all the tests you are running. This will be addressed in the future, but is a current limitation. Eventually the config options for providing credentials to tempest will be deprecated and removed in favor of the accounts.yaml file.

Credential Provider Mechanisms

Tempest currently also has 3 different internal methods for providing authentication to tests. Tenant isolation, locking test accounts, and non-locking test accounts. Depending on which one is in use the configuration of tempest is slightly different.

Tenant Isolation

Tenant isolation was originally create to enable running tempest in parallel. For each test class it creates a unique set of user credentials to use for the tests in the class. It can create up to 3 sets of username, password, and tenant/project names for a primary user, an admin user, and an alternate user. To enable and use tenant isolation you only need to configure 2 things:

1. A set of admin credentials with permissions to create users and tenants/projects. This is specified in the identity section with the admin_username, admin_tenant_name, and admin_password options
2. To enable tenant_isolation in the auth section with the allow_tenant_isolation option.

This is also the currently the default credential provider enabled by tempest, due to it's common use and ease of configuration.

Locking Test Accounts

For a long time using tenant isolation was the only method available if you wanted to enable parallel execution of tempest tests. However this was insufficient for certain use cases because of the admin credentials requirement to create the credential sets on demand. To get around that the accounts.yaml file was introduced and with that a new internal credential provider to enable using the list of credentials instead of creating them on demand. With locking test accounts each test class will reserve a set of credentials from the accounts.yaml before executing any of its tests so that each class is isolated like in tenant isolation.

Currently, this mechanism has some limitations, mostly around networking. The locking test accounts provider will only work with a single flat network as the default for each tenant/project. If another network configuration is used in your cloud you might face unexpected failures.

To enable and use locking test accounts you need do a few things:

1. Create a accounts.yaml file which contains the set of pre-existing credentials to use for testing. To make sure you don't have a credentials starvation issue when running in parallel make sure you have at least 2 times the number of worker processes you are using to execute tempest available in the file. (if running serially the worker count is 1)

   You can check the sample file packaged in tempest for the yaml format

2. Provide tempest with the location of you accounts.yaml file with the test_accounts_file option in the auth section

Non-locking test accounts

When tempest was refactored to allow for locking test accounts, the original non-tenant isolated case was converted to support the new accounts.yaml file. This mechanism is the non-locking test accounts provider. It only makes sense to use it if parallel execution isn't needed. If the role restrictions were too limiting with the locking accounts provider and tenant isolation is not wanted then you can use the non-locking test accounts credential provider without the accounts.yaml file.

To use the non-locking test accounts provider you have 2 ways to configure it. First you can specify the sets of credentials in the configuration file like detailed above with following 9 options in the identity section:

1. username
2. password
3. tenant_name
4. admin_username
5. admin_password
6. admin_tenant_name
7. alt_username
8. alt_password
9. alt_tenant_name

The only restriction with using the traditional config options for credentials is that if a test requires specific roles on accounts these tests can not be run. This is because the config options do not give sufficient flexibility to describe the roles assigned to a user for running the tests.