openstack/tempest
Code Issues Proposed changes
a5965217ed
tempest/doc/source/keystone_scopes_and_roles_support.rst
Ghanshyam Mann 672eee1d31 Add documentation on the usage of keystone's scope & roles 
As Tempest support the keystone's scope and new default roles
like reader, this commit document that how those can be
requested and used in Tempest or its plugins tests.

Change-Id: Iebacbeda231f82d6d16dbdcde635f19ae862181f
2021-03-12 09:54:39 -06:00

9.0 KiB
Raw Blame History

Keystone Scopes & Roles Support in Tempest

OpenStack Keystone supports different scopes in token, refer to the Keystone doc. Along with the scopes, keystone supports default roles, one of which is a reader role, for details refer to this keystone document.

Tempest supports those scopes and roles credentials that can be used to test APIs under different scope and roles.

Dynamic Credentials

Dynamic credential supports all the below set of personas and allows you to generate credentials tailored to a specific persona that you can use in your test.

Domain scoped personas:

  1. Domain Admin: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['domain_admin']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_d_admin_client = (
            cls.os_domain_admin.availability_zone_client)

  2. Domain Member: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['domain_member']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_d_member_client = (
            cls.os_domain_member.availability_zone_client)

  3. Domain Reader: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['domain_reader']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_d_reader_client = (
            cls.os_domain_reader.availability_zone_client)

  4. Domain other roles: This is supported and can be requested and used from the test as below:

    You need to use the domain as the prefix in credentials type, and based on that, Tempest will create test users under 'domain' scope.

    class TestDummy(base.DummyBaseTest):

    credentials = [['domain_my_role1', 'my_own_role1', 'admin']
                   ['domain_my_role2', 'my_own_role2']]

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_d_role1_client = (
            cls.os_domain_my_role1.availability_zone_client)
        cls.az_d_role2_client = (
            cls.os_domain_my_role2.availability_zone_client)

System scoped personas:

  1. System Admin: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['system_admin']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_s_admin_client = (
            cls.os_system_admin.availability_zone_client)

  2. System Member: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['system_member']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_s_member_client = (
            cls.os_system_member.availability_zone_client)

  3. System Reader: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['system_reader']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_s_reader_client = (
            cls.os_system_reader.availability_zone_client)

  4. System other roles: This is supported and can be requested and used from the test as below:

    You need to use the system as the prefix in credentials type, and based on that, Tempest will create test users under 'project' scope.

    class TestDummy(base.DummyBaseTest):

    credentials = [['system_my_role1', 'my_own_role1', 'admin']
                   ['system_my_role2', 'my_own_role2']]

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_s_role1_client = (
            cls.os_system_my_role1.availability_zone_client)
        cls.az_s_role2_client = (
            cls.os_system_my_role2.availability_zone_client)

Project scoped personas:

  1. Project Admin: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_admin']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_admin_client = (
            cls.os_project_admin.availability_zone_client)

  2. Project Member: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_member']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_member_client = (
            cls.os_project_member.availability_zone_client)

  3. Project Reader: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_reader']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_reader_client = (
            cls.os_project_reader.availability_zone_client)

  4. Project alternate Admin: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_alt_admin']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_alt_admin_client = (
            cls.os_project_alt_admin.availability_zone_client)

  5. Project alternate Member: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_alt_member']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_alt_member_client = (
            cls.os_project_alt_member.availability_zone_client)

  6. Project alternate Reader: This is supported and can be requested and used from the test as below:

    class TestDummy(base.DummyBaseTest):

    credentials = ['project_alt_reader']

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_p_alt_reader_client = (
            cls.os_project_alt_reader.availability_zone_client)

  7. Project other roles: This is supported and can be requested and used from the test as below:

    You need to use the project as the prefix in credentials type, and based on that, Tempest will create test users under 'project' scope.

    class TestDummy(base.DummyBaseTest):

    credentials = [['project_my_role1', 'my_own_role1', 'admin']
                   ['project_my_role2', 'my_own_role2']]

    @classmethod
    def setup_clients(cls):
        super(TestDummy, cls).setup_clients()
        cls.az_role1_client = (
            cls.os_project_my_role1.availability_zone_client)
        cls.az_role2_client = (
            cls.os_project_my_role2.availability_zone_client)

Pre-Provisioned Credentials

Pre-Provisioned credentials support the below set of personas and can be used in the test as shown above in the Dynamic Credentials Section.

  • Domain Admin
  • Domain Member
  • Domain Reader
  • System Admin
  • System Member
  • System Reader
  • Project Admin
  • Project Member
  • Project Reader