def main(argv):
cli_utils.setup_logging()
overcloud_novarc = openstack_utils.get_overcloud_auth()
user_file = mojo_utils.get_mojo_file('keystone_users.yaml')
user_config = generic_utils.get_yaml_config(user_file)
try:
cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem')
os.stat(cacert)
except FileNotFoundError:
cacert = None
keystone_session = openstack_utils.get_overcloud_keystone_session(
verify=cacert)
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
if overcloud_novarc.get('API_VERSION', 2) == 2:
projects = [user['project'] for user in user_config]
mojo_os_utils.project_create(keystone_client, projects)
mojo_os_utils.user_create_v2(keystone_client, user_config)
# TODO validate this works without adding roles
# mojo_os_utils.add_users_to_roles(keystone_client, user_config)
else:
for user in user_config:
mojo_os_utils.domain_create(keystone_client, [user['domain']])
mojo_os_utils.project_create(keystone_client, [user['project']],
user['domain'])
mojo_os_utils.user_create_v3(keystone_client, user_config)
def test_admin_project_scoped_access(self):
"""Verify cloud admin access using project scoped token.
`admin` user in `admin_domain` should be able to access API methods
guarded by `rule:cloud_admin` policy using a token scoped to `admin`
project in `admin_domain`.
We implement a policy that enables domain segregation and
administration delegation [0]. It is important to understand that this
differs from the default policy.
In the initial implementation it was necessary to switch between using
a `domain` scoped and `project` scoped token to successfully manage a
cloud, but since the introduction of `is_admin` functionality in
Keystone [1][2][3] and our subsequent adoption of it in Keystone charm
[4], this is no longer necessary.
This test here to validate this behaviour.
0: https://github.com/openstack/keystone/commit/c7a5c6c
1: https://github.com/openstack/keystone/commit/e702369
2: https://github.com/openstack/keystone/commit/e923a14
3: https://github.com/openstack/keystone/commit/9804081
4: https://github.com/openstack/charm-keystone/commit/10e3d84
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('trusty_mitaka')):
logging.info('skipping test < trusty_mitaka')
return
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
for ip in self.keystone_ips:
try:
logging.info('keystone IP {}'.format(ip))
ks_session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
ks_client = openstack_utils.get_keystone_session_client(
ks_session)
result = ks_client.domains.list()
logging.info('.domains.list: "{}"'.format(
pprint.pformat(result)))
except keystoneauth1.exceptions.http.Forbidden as e:
raise zaza_exceptions.KeystoneAuthorizationStrict(
'Retrieve domain list as admin with project scoped '
'token FAILED. ({})'.format(e))
logging.info('OK')
def keystone_v3_domain_setup():
overcloud_novarc = openstack_utils.get_overcloud_auth()
if overcloud_novarc.get('API_VERSION', 2) == 3:
try:
cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'),
'cacert.pem')
os.stat(cacert)
except FileNotFoundError:
cacert = None
keystone_session = openstack_utils.get_overcloud_keystone_session(
verify=cacert)
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
mojo_os_utils.project_create(keystone_client, ['admin'],
'admin_domain')
admin_project_id = openstack_utils.get_project_id(
keystone_client,
'admin',
api_version=3,
domain_name='admin_domain')
role = keystone_client.roles.find(name='admin')
user = keystone_client.users.find(name='admin')
keystone_client.roles.grant(role, user=user, project=admin_project_id)
def _test_get_overcloud_auth(self,
tls_relation=False,
ssl_cert=False,
v2_api=False):
self.patch_object(openstack_utils.model, 'get_relation_id')
self.patch_object(openstack_utils, 'get_application_config_option')
self.patch_object(openstack_utils, 'get_keystone_ip')
self.patch_object(openstack_utils, "get_current_os_versions")
self.patch_object(openstack_utils.juju_utils, 'leader_get')
self.get_keystone_ip.return_value = '127.0.0.1'
self.get_relation_id.return_value = None
self.get_application_config_option.return_value = None
self.leader_get.return_value = 'openstack'
if tls_relation or ssl_cert:
port = 35357
transport = 'https'
if tls_relation:
self.get_relation_id.return_value = 'tls-certificates:1'
if ssl_cert:
self.get_application_config_option.side_effect = [
'FAKECRTDATA',
None,
]
else:
port = 5000
transport = 'http'
if v2_api:
str_api = 'v2.0'
self.get_current_os_versions.return_value = {"keystone": "mitaka"}
expect = {
'OS_AUTH_URL':
'{}://127.0.0.1:{}/{}'.format(transport, port, str_api),
'OS_TENANT_NAME':
'admin',
'OS_USERNAME':
'******',
'OS_PASSWORD':
'******',
'OS_REGION_NAME':
'RegionOne',
'API_VERSION':
2,
}
else:
str_api = 'v3'
self.get_current_os_versions.return_value = {"keystone": "queens"}
expect = {
'OS_AUTH_URL':
'{}://127.0.0.1:{}/{}'.format(transport, port, str_api),
'OS_USERNAME':
'******',
'OS_PASSWORD':
'******',
'OS_REGION_NAME':
'RegionOne',
'OS_DOMAIN_NAME':
'admin_domain',
'OS_USER_DOMAIN_NAME':
'admin_domain',
'OS_PROJECT_NAME':
'admin',
'OS_PROJECT_DOMAIN_NAME':
'admin_domain',
'API_VERSION':
3,
}
self.assertEqual(openstack_utils.get_overcloud_auth(), expect)
def main(argv):
cli_utils.setup_logging()
parser = argparse.ArgumentParser()
default_machines = ["cirros:m1.tiny:1"]
parser.add_argument("machines", default=default_machines, nargs="*")
parser.add_argument("--active_wait", default=180)
parser.add_argument("--cloudinit_wait", default=180)
parser.add_argument("--ping_wait", default=180)
options = parser.parse_args()
machines = cli_utils.parse_arg(options, 'machines', multiargs=True)
active_wait = int(cli_utils.parse_arg(options, 'active_wait'))
cloudinit_wait = int(cli_utils.parse_arg(options, 'cloudinit_wait'))
ping_wait = int(cli_utils.parse_arg(options, 'ping_wait'))
overcloud_novarc = openstack_utils.get_overcloud_auth()
try:
cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem')
os.stat(cacert)
except FileNotFoundError:
cacert = None
keystone_session = openstack_utils.get_overcloud_keystone_session(
verify=cacert)
keystonec = openstack_utils.get_keystone_session_client(keystone_session)
domain = overcloud_novarc.get('OS_PROJECT_DOMAIN_NAME')
project_id = openstack_utils.get_project_id(
keystonec,
'admin',
api_version=overcloud_novarc['API_VERSION'],
domain_name=domain)
novac = openstack_utils.get_nova_session_client(keystone_session)
neutronc = openstack_utils.get_neutron_session_client(keystone_session)
init_flavors(novac)
priv_key = mojo_os_utils.create_keypair(novac, 'mojo')
openstack_utils.add_neutron_secgroup_rules(neutronc, project_id)
for server in novac.servers.list():
novac.servers.delete(server.id)
for instanceset in machines:
image_name, flavor_name, count = instanceset.split(":")
# when instance count allows boot instances off both regular instance
# storage and volume storage
#
# account for count=1 and odd numbers
# NOTE(fnordahl) temporarilly disable test while tests settle
# regular_boot_count = int(int(count) / 2) + (int(count) % 2)
# volume_boot_count = int(int(count) / 2)
regular_boot_count = int(count)
volume_boot_count = 0
mojo_os_utils.boot_and_test(
novac,
neutronc,
image_name=image_name,
flavor_name=flavor_name,
number=regular_boot_count,
privkey=priv_key,
active_wait=active_wait,
cloudinit_wait=cloudinit_wait,
ping_wait=ping_wait,
)
mojo_os_utils.boot_and_test(
novac,
neutronc,
image_name=image_name,
flavor_name=flavor_name,
number=volume_boot_count,
privkey=priv_key,
active_wait=active_wait,
cloudinit_wait=cloudinit_wait,
ping_wait=ping_wait,
boot_from_volume=True,
)