From 100d18df69be8995f5baaa634c09fe6354656ec9 Mon Sep 17 00:00:00 2001 From: "Andrea Frittoli (andreaf)" Date: Thu, 5 May 2016 23:34:52 +0100 Subject: Use scope in v3 identity client Certain identity v3 API calls require a domain scoped token when policy.v3cloudsample.json is used. Introduce a new config flag to tell Tempest that keystone in the targe cloud requires domain scoped tokens for admin actions. Modify the v3 client managers used to obtain v3 admin identity clients to request the domain scope when the flag is turned on. Co-authored by: Roxana Gherle Change-Id: I91ca907992428a5a14fb8d48a4fad105d2906e27 --- doc/source/configuration.rst | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'doc/source/configuration.rst') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 9a7ce1538..743b57516 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -26,6 +26,11 @@ can be used to: - Run tests for admin APIs - Generate test credentials on the fly (see `Dynamic Credentials`_) +When keystone uses a policy that requires domain scoped tokens for admin +actions, the flag ``admin_domain_scope`` must be set to ``True``. +The admin user configured, if any, must have a role assigned to the domain to +be usable. + Tempest allows for configuring pre-provisioned test credentials as well. This can be done using the accounts.yaml file (see `Pre-Provisioned Credentials`_). This file is used to specify an arbitrary @@ -87,6 +92,14 @@ list of role names each of which will be assigned to each of the users created by dynamic credentials. This option will not have any effect when Tempest is not configured to use dynamic credentials. +When the ``admin_domain_scope`` option is set to ``True``, provisioned admin +accounts will be assigned a role on domain configured in +``default_credentials_domain_name``. This will make the accounts provisioned +usable in a cloud where domain scoped tokens are required by keystone for +admin operations. Note that the the initial pre-provision admin accounts, +configured in tempest.conf, must have a role on the same domain as well, for +Dynamic Credentials to work. + Pre-Provisioned Credentials """"""""""""""""""""""""""" @@ -124,6 +137,18 @@ should have a unique project. This is required to provide proper isolation to the tests using the credentials, and failure to do this will likely cause unexpected failures in some tests. +When the keystone in the target cloud requires domain scoped tokens to +perform admin actions, all pre-provisioned admin users must have a role +assigned on the domain where test accounts a provisioned. +The option ``admin_domain_scope`` is used to tell tempest that domain scoped +tokens shall be used. ``default_credentials_domain_name`` is the domain where +test accounts are expected to be provisioned if no domain is specified. + +Note that if credentials are pre-provisioned via ``tempest account-generator`` +the role on the domain will be assigned automatically for you, as long as +``admin_domain_scope`` as ``default_credentials_domain_name`` are configured +properly in tempest.conf. + Pre-Provisioned Credentials are also know as accounts.yaml or accounts file. Compute -- cgit v1.2.1