def main(argv): cli_utils.setup_logging() overcloud_novarc = openstack_utils.get_overcloud_auth() user_file = mojo_utils.get_mojo_file('keystone_users.yaml') user_config = generic_utils.get_yaml_config(user_file) try: cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem') os.stat(cacert) except FileNotFoundError: cacert = None keystone_session = openstack_utils.get_overcloud_keystone_session( verify=cacert) keystone_client = openstack_utils.get_keystone_session_client( keystone_session) if overcloud_novarc.get('API_VERSION', 2) == 2: projects = [user['project'] for user in user_config] mojo_os_utils.project_create(keystone_client, projects) mojo_os_utils.user_create_v2(keystone_client, user_config) # TODO validate this works without adding roles # mojo_os_utils.add_users_to_roles(keystone_client, user_config) else: for user in user_config: mojo_os_utils.domain_create(keystone_client, [user['domain']]) mojo_os_utils.project_create(keystone_client, [user['project']], user['domain']) mojo_os_utils.user_create_v3(keystone_client, user_config)
def test_admin_project_scoped_access(self): """Verify cloud admin access using project scoped token. `admin` user in `admin_domain` should be able to access API methods guarded by `rule:cloud_admin` policy using a token scoped to `admin` project in `admin_domain`. We implement a policy that enables domain segregation and administration delegation [0]. It is important to understand that this differs from the default policy. In the initial implementation it was necessary to switch between using a `domain` scoped and `project` scoped token to successfully manage a cloud, but since the introduction of `is_admin` functionality in Keystone [1][2][3] and our subsequent adoption of it in Keystone charm [4], this is no longer necessary. This test here to validate this behaviour. 0: https://github.com/openstack/keystone/commit/c7a5c6c 1: https://github.com/openstack/keystone/commit/e702369 2: https://github.com/openstack/keystone/commit/e923a14 3: https://github.com/openstack/keystone/commit/9804081 4: https://github.com/openstack/charm-keystone/commit/10e3d84 """ if (openstack_utils.get_os_release() < openstack_utils.get_os_release('trusty_mitaka')): logging.info('skipping test < trusty_mitaka') return with self.config_change( {'preferred-api-version': self.default_api_version}, {'preferred-api-version': '3'}, application_name="keystone"): for ip in self.keystone_ips: try: logging.info('keystone IP {}'.format(ip)) ks_session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) ks_client = openstack_utils.get_keystone_session_client( ks_session) result = ks_client.domains.list() logging.info('.domains.list: "{}"'.format( pprint.pformat(result))) except keystoneauth1.exceptions.http.Forbidden as e: raise zaza_exceptions.KeystoneAuthorizationStrict( 'Retrieve domain list as admin with project scoped ' 'token FAILED. ({})'.format(e)) logging.info('OK')
def keystone_v3_domain_setup(): overcloud_novarc = openstack_utils.get_overcloud_auth() if overcloud_novarc.get('API_VERSION', 2) == 3: try: cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem') os.stat(cacert) except FileNotFoundError: cacert = None keystone_session = openstack_utils.get_overcloud_keystone_session( verify=cacert) keystone_client = openstack_utils.get_keystone_session_client( keystone_session) mojo_os_utils.project_create(keystone_client, ['admin'], 'admin_domain') admin_project_id = openstack_utils.get_project_id( keystone_client, 'admin', api_version=3, domain_name='admin_domain') role = keystone_client.roles.find(name='admin') user = keystone_client.users.find(name='admin') keystone_client.roles.grant(role, user=user, project=admin_project_id)
def _test_get_overcloud_auth(self, tls_relation=False, ssl_cert=False, v2_api=False): self.patch_object(openstack_utils.model, 'get_relation_id') self.patch_object(openstack_utils, 'get_application_config_option') self.patch_object(openstack_utils, 'get_keystone_ip') self.patch_object(openstack_utils, "get_current_os_versions") self.patch_object(openstack_utils.juju_utils, 'leader_get') self.get_keystone_ip.return_value = '127.0.0.1' self.get_relation_id.return_value = None self.get_application_config_option.return_value = None self.leader_get.return_value = 'openstack' if tls_relation or ssl_cert: port = 35357 transport = 'https' if tls_relation: self.get_relation_id.return_value = 'tls-certificates:1' if ssl_cert: self.get_application_config_option.side_effect = [ 'FAKECRTDATA', None, ] else: port = 5000 transport = 'http' if v2_api: str_api = 'v2.0' self.get_current_os_versions.return_value = {"keystone": "mitaka"} expect = { 'OS_AUTH_URL': '{}://127.0.0.1:{}/{}'.format(transport, port, str_api), 'OS_TENANT_NAME': 'admin', 'OS_USERNAME': '******', 'OS_PASSWORD': '******', 'OS_REGION_NAME': 'RegionOne', 'API_VERSION': 2, } else: str_api = 'v3' self.get_current_os_versions.return_value = {"keystone": "queens"} expect = { 'OS_AUTH_URL': '{}://127.0.0.1:{}/{}'.format(transport, port, str_api), 'OS_USERNAME': '******', 'OS_PASSWORD': '******', 'OS_REGION_NAME': 'RegionOne', 'OS_DOMAIN_NAME': 'admin_domain', 'OS_USER_DOMAIN_NAME': 'admin_domain', 'OS_PROJECT_NAME': 'admin', 'OS_PROJECT_DOMAIN_NAME': 'admin_domain', 'API_VERSION': 3, } self.assertEqual(openstack_utils.get_overcloud_auth(), expect)
def main(argv): cli_utils.setup_logging() parser = argparse.ArgumentParser() default_machines = ["cirros:m1.tiny:1"] parser.add_argument("machines", default=default_machines, nargs="*") parser.add_argument("--active_wait", default=180) parser.add_argument("--cloudinit_wait", default=180) parser.add_argument("--ping_wait", default=180) options = parser.parse_args() machines = cli_utils.parse_arg(options, 'machines', multiargs=True) active_wait = int(cli_utils.parse_arg(options, 'active_wait')) cloudinit_wait = int(cli_utils.parse_arg(options, 'cloudinit_wait')) ping_wait = int(cli_utils.parse_arg(options, 'ping_wait')) overcloud_novarc = openstack_utils.get_overcloud_auth() try: cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem') os.stat(cacert) except FileNotFoundError: cacert = None keystone_session = openstack_utils.get_overcloud_keystone_session( verify=cacert) keystonec = openstack_utils.get_keystone_session_client(keystone_session) domain = overcloud_novarc.get('OS_PROJECT_DOMAIN_NAME') project_id = openstack_utils.get_project_id( keystonec, 'admin', api_version=overcloud_novarc['API_VERSION'], domain_name=domain) novac = openstack_utils.get_nova_session_client(keystone_session) neutronc = openstack_utils.get_neutron_session_client(keystone_session) init_flavors(novac) priv_key = mojo_os_utils.create_keypair(novac, 'mojo') openstack_utils.add_neutron_secgroup_rules(neutronc, project_id) for server in novac.servers.list(): novac.servers.delete(server.id) for instanceset in machines: image_name, flavor_name, count = instanceset.split(":") # when instance count allows boot instances off both regular instance # storage and volume storage # # account for count=1 and odd numbers # NOTE(fnordahl) temporarilly disable test while tests settle # regular_boot_count = int(int(count) / 2) + (int(count) % 2) # volume_boot_count = int(int(count) / 2) regular_boot_count = int(count) volume_boot_count = 0 mojo_os_utils.boot_and_test( novac, neutronc, image_name=image_name, flavor_name=flavor_name, number=regular_boot_count, privkey=priv_key, active_wait=active_wait, cloudinit_wait=cloudinit_wait, ping_wait=ping_wait, ) mojo_os_utils.boot_and_test( novac, neutronc, image_name=image_name, flavor_name=flavor_name, number=volume_boot_count, privkey=priv_key, active_wait=active_wait, cloudinit_wait=cloudinit_wait, ping_wait=ping_wait, boot_from_volume=True, )