def setUp(self):
super(IdentityV3RbacTokenTest, self).setUp()
own_creds = auth.KeystoneV3Credentials(**self.own_keystone_creds)
own_creds = clients.get_auth_provider(own_creds).fill_credentials()
self.own_token = clients.Manager(
credentials=own_creds).identity_v3_client.token
project_creds = auth.KeystoneV3Credentials(
user_id=self.user_id,
password=self.user['password'],
project_id=self.project_id)
project_creds = clients.get_auth_provider(
project_creds).fill_credentials()
self.project_token = clients.Manager(
credentials=project_creds).identity_v3_client.token
domain_creds = auth.KeystoneV3Credentials(
user_id=self.user_id,
password=self.user['password'],
domain_id=self.domain_id)
domain_creds = clients.get_auth_provider(
domain_creds).fill_credentials()
self.domain_token = clients.Manager(
credentials=domain_creds).identity_v3_client.token
system_creds = auth.KeystoneV3Credentials(
user_id=self.user_id, password=self.user['password'], system='all')
system_creds = clients.get_auth_provider(
system_creds).fill_credentials()
self.system_token = clients.Manager(
credentials=system_creds).identity_v3_client.token
def testProjectTenantNoCollision(self):
creds = auth.KeystoneV3Credentials(tenant_id='tenant')
self.assertEqual('tenant', creds.project_id)
creds = auth.KeystoneV3Credentials(project_id='project')
self.assertEqual('project', creds.tenant_id)
creds = auth.KeystoneV3Credentials(tenant_name='tenant')
self.assertEqual('tenant', creds.project_name)
creds = auth.KeystoneV3Credentials(project_name='project')
self.assertEqual('project', creds.tenant_name)
def testSetAttrProjectDomain(self):
creds = auth.KeystoneV3Credentials()
creds.project_domain_name = 'project_domain'
creds.domain_name = 'domain'
self.assertEqual('project_domain', creds.user_domain_name)
creds = auth.KeystoneV3Credentials()
creds.domain_name = 'domain'
creds.project_domain_name = 'project_domain'
self.assertEqual('project_domain', creds.project_domain_name)
def setup_user_client(self, project_id=None):
"""Set up project user with its own client.
This is useful for testing protection of resources in separate
projects.
Returns a client object and the user's ID.
"""
user_dict = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
user_id = self.os_system_admin.users_v3_client.create_user(
**user_dict)['user']['id']
self.addCleanup(self.os_system_admin.users_v3_client.delete_user,
user_id)
if not project_id:
project_id = self.os_system_admin.projects_client.create_project(
data_utils.rand_name())['project']['id']
self.addCleanup(
self.os_system_admin.projects_client.delete_project,
project_id)
member_role_id = self.os_system_admin.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
self.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, member_role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user_dict['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
client = clients.Manager(credentials=creds)
return client
def _setup_new_user_client(cls, project_id, role):
"""Create a new tempest.clients.Manager
Creates a new user with the given roles on the given project,
and returns an instance of tempest.clients.Manager set up
for that user.
Users are cleaned up during class teardown in cls.clear_credentials
"""
user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password()
}
user_id = cls.os_system_admin.users_v3_client.create_user(
**user)['user']['id']
cls._created_users.append(user_id)
role_id = cls.os_system_admin.roles_v3_client.list_roles(
name=role)['roles'][0]['id']
cls.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
return clients.Manager(credentials=creds)
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(
name=dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name('proj')
proj_body = self.projects_client.create_project(
proj_name, domain_id=dom_id)['project']
proj_id = proj_body['id']
self.addCleanup(self.projects_client.delete_project, proj_id)
self.assertEqual(
proj_body['domain_id'], dom_id,
"project " + proj_name + "doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_body = self.users_client.create_user(
name=user_name,
password=user_name,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(
user_body['domain_id'], dom_id,
"user " + user_name + "doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.create_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_name,
user_domain_name=dom_name)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def resource_setup(cls):
trustor_user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
cls.trustor = cls.admin_client.users_v3_client.create_user(
**trustor_user)['user']['id']
cls.addClassResourceCleanup(
cls.admin_client.users_v3_client.delete_user,
user_id=cls.trustor)
cls.trustee = cls.admin_client.users_v3_client.create_user(
name=data_utils.rand_name())['user']['id']
cls.addClassResourceCleanup(
cls.admin_client.users_v3_client.delete_user,
user_id=cls.trustee)
cls.project = cls.admin_client.projects_client.create_project(
name=data_utils.rand_name()
)['project']['id']
cls.addClassResourceCleanup(
cls.admin_client.projects_client.delete_project,
project_id=cls.project)
cls.roles = [
{'id': cls.admin_client.roles_v3_client.create_role(
name=data_utils.rand_name())['role']['id']}
]
cls.addClassResourceCleanup(
cls.admin_client.roles_v3_client.delete_role,
role_id=cls.roles[0]['id'])
cls.admin_client.roles_v3_client.create_user_role_on_project(
project_id=cls.project,
user_id=cls.trustor,
role_id=cls.roles[0]['id']
)
creds = auth.KeystoneV3Credentials(
user_id=cls.trustor,
password=trustor_user['password'],
project_id=cls.project)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
user_client = clients.Manager(credentials=creds)
cls.user_trust_client = user_client.trusts_client
cls.admin_role_id = cls.admin_client.roles_v3_client.list_roles(
name='admin')['roles'][0]['id']
cls.member_role_id = cls.admin_client.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
cls.reader_role_id = cls.admin_client.roles_v3_client.list_roles(
name='reader')['roles'][0]['id']
def setup_user_client(cls, domain_id=None):
"""Set up project user with its own client.
This is to enable the project user to create its own credential.
Returns a client object and the user's ID.
"""
user_dict = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
if domain_id:
user_dict['domain_id'] = domain_id
user_id = cls.admin_client.users_v3_client.create_user(
**user_dict)['user']['id']
def try_cleanup_user():
# if domain is cleaned up first, user will already be deleted
try:
cls.admin_client.users_v3_client.delete_user(user_id)
except exceptions.NotFound:
pass
cls.addClassResourceCleanup(try_cleanup_user)
project_id = cls.admin_client.projects_client.create_project(
data_utils.rand_name())['project']['id']
cls.addClassResourceCleanup(
cls.admin_client.projects_client.delete_project, project_id)
member_role_id = cls.admin_client.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
cls.admin_client.roles_v3_client.create_user_role_on_project(
project_id, user_id, member_role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user_dict['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
client = clients.Manager(credentials=creds)
return client, user_id, project_id
