cd0bbbdad3
Keystone is moving away from using either project-scope or domain-scope for the main cloud administrator user, and instead moving toward the admin user having a role assignment on the "system" scope[1]. This will mean that no particular project or domain is special, and instead the cloud administrator scopes to the system in order to make deployment-wide changes. Keystone has now migrated all of its policies to understand system scope[2], and if a deployment sets [oslo_policy]/enforce_scope=true in keystone.conf and uses the new policies, an admin user scoped to the admin project will not be able to create dynamic credentials for tempest. This patch adds a new parameter ``[auth]/admin_system`` to indicate that neither the ``admin_project`` or ``admin_domain`` parameters apply to the admin user and that the user should instead authenticate with the system scope. This also adds ``admin_user_domain_name`` so that the admin user can be found in its domain (namespace) without setting ``domain_name``, and for completeness also adds ``admin_project_domain_name`` so that ``domain_name`` could be omitted even if using project scope. [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html [2] https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=system-scope Depends-on: https://review.opendev.org/739262 Change-Id: I840b273c37ca7cc4592c43813abfb424337e2836 |
||
---|---|---|
.. | ||
api | ||
cmd | ||
common | ||
hacking | ||
lib | ||
scenario | ||
services | ||
test_discover | ||
tests | ||
README.rst | ||
__init__.py | ||
clients.py | ||
config.py | ||
exceptions.py | ||
manager.py | ||
test.py | ||
version.py |
README.rst
Tempest Field Guide Overview
Tempest is designed to be useful for a large number of different environments. This includes being useful for gating commits to OpenStack core projects, being used to validate OpenStack cloud implementations for both correctness, as well as a burn in tool for OpenStack clouds.
As such Tempest tests come in many flavors, each with their own rules and guidelines. Below is the overview of the Tempest repository structure to make this clear.
tempest/
api/ - API tests
scenario/ - complex scenario tests
tests/ - unit tests for Tempest internals
Each of these directories contains different types of tests. What belongs in each directory, the rules and examples for good tests, are documented in a README.rst file in the directory.
api_field_guide
API tests are validation tests for the OpenStack API. They should not use the existing Python clients for OpenStack, but should instead use the Tempest implementations of clients. Having raw clients let us pass invalid JSON to the APIs and see the results, something we could not get with the native clients.
When it makes sense, API testing should be moved closer to the projects themselves, possibly as functional tests in their unit test frameworks.
scenario_field_guide
Scenario tests are complex "through path" tests for OpenStack functionality. They are typically a series of steps where complicated state requiring multiple services is set up exercised, and torn down.
Scenario tests should not use the existing Python clients for OpenStack, but should instead use the Tempest implementations of clients.
unit_tests_field_guide
Unit tests are the self checks for Tempest. They provide functional verification and regression checking for the internal components of Tempest. They should be used to just verify that the individual pieces of Tempest are working as expected.