tempest/releasenotes/notes/add-scope-to-auth-b5a82493ea89f41e.yaml
Andrea Frittoli (andreaf) 3e82af7f6c Introduce scope in the auth API
Adding the ability to select the scope of the authentication.
When using identity v3, this makes it possible to use either
project scope or domain scope regardless of whether a project
is included or not in the Credentials object.

The interface to auth for most tests is the AuthProvider.
The scope is defined in the constructor of the AuthProvider,
and it can also be changed at a later time via 'set_scope'.

In most cases a set of credentials will use the same scope.
Test credentials will use project scope. Admin test credentials
may use domain scope on identity API alls, or project scope on
other APIs. Since clients are initialised with an auth provider
by the client manager, we extend the client manager interface to
include the scope. Tests and Tempest parts that require a domain
scoped token will instanciate the relevant client manager with
scope == 'domain', or set the scope to domain on the 'auth_provider'.

The default scope in the v3 auth provider is 'projet;, which me must
do for backward compatibility reasons (besides it's what most tests
expects. We also filter the list of attributes based on scope, so
that tests or service clients may request a different scope.

The original behaviour of the token client is unchanged:
all fields passed to it towards the API server. This
maintains backward compatibility, and leaves full control
for test that want to define what is sent in the token
request.

Closes-bug: #1475359
Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add
2016-05-24 14:11:14 +00:00

7 lines
343 B
YAML

---
features:
- Tempest library auth interface now supports scope. Scope allows to control
the scope of tokens requested via the identity API. Identity V2 supports
unscoped and project scoped tokens, but only the latter are implemented.
Identity V3 supports unscoped, project and domain scoped token, all three
are available.