diff options
| author | Andrea Frittoli (andreaf) <andrea.frittoli@hpe.com> | 2016-05-05 23:34:52 +0100 |
|---|---|---|
| committer | Andrea Frittoli (andreaf) <andrea.frittoli@hpe.com> | 2016-06-09 00:24:09 +0100 |
| commit | 100d18df69be8995f5baaa634c09fe6354656ec9 (patch) | |
| tree | 560bfa9b4edc8d4e022ad0aff3534463d82745e0 /doc/source/configuration.rst | |
| parent | bd06f981a7fccc911711f95f9318cc01d40c5eef (diff) | |
| download | tempest-100d18df69be8995f5baaa634c09fe6354656ec9.tar.gz | |
Use scope in v3 identity client
Certain identity v3 API calls require a domain scoped token when
policy.v3cloudsample.json is used.
Introduce a new config flag to tell Tempest that keystone in the
targe cloud requires domain scoped tokens for admin actions.
Modify the v3 client managers used to obtain v3 admin identity
clients to request the domain scope when the flag is turned on.
Co-authored by: Roxana Gherle <roxana.gherle@hp.com>
Change-Id: I91ca907992428a5a14fb8d48a4fad105d2906e27
Diffstat (limited to 'doc/source/configuration.rst')
| -rw-r--r-- | doc/source/configuration.rst | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 9a7ce1538..743b57516 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -26,6 +26,11 @@ can be used to: - Run tests for admin APIs - Generate test credentials on the fly (see `Dynamic Credentials`_) +When keystone uses a policy that requires domain scoped tokens for admin +actions, the flag ``admin_domain_scope`` must be set to ``True``. +The admin user configured, if any, must have a role assigned to the domain to +be usable. + Tempest allows for configuring pre-provisioned test credentials as well. This can be done using the accounts.yaml file (see `Pre-Provisioned Credentials`_). This file is used to specify an arbitrary @@ -87,6 +92,14 @@ list of role names each of which will be assigned to each of the users created by dynamic credentials. This option will not have any effect when Tempest is not configured to use dynamic credentials. +When the ``admin_domain_scope`` option is set to ``True``, provisioned admin +accounts will be assigned a role on domain configured in +``default_credentials_domain_name``. This will make the accounts provisioned +usable in a cloud where domain scoped tokens are required by keystone for +admin operations. Note that the the initial pre-provision admin accounts, +configured in tempest.conf, must have a role on the same domain as well, for +Dynamic Credentials to work. + Pre-Provisioned Credentials """"""""""""""""""""""""""" @@ -124,6 +137,18 @@ should have a unique project. This is required to provide proper isolation to the tests using the credentials, and failure to do this will likely cause unexpected failures in some tests. +When the keystone in the target cloud requires domain scoped tokens to +perform admin actions, all pre-provisioned admin users must have a role +assigned on the domain where test accounts a provisioned. +The option ``admin_domain_scope`` is used to tell tempest that domain scoped +tokens shall be used. ``default_credentials_domain_name`` is the domain where +test accounts are expected to be provisioned if no domain is specified. + +Note that if credentials are pre-provisioned via ``tempest account-generator`` +the role on the domain will be assigned automatically for you, as long as +``admin_domain_scope`` as ``default_credentials_domain_name`` are configured +properly in tempest.conf. + Pre-Provisioned Credentials are also know as accounts.yaml or accounts file. Compute |