def setUp(self):
super(IdentityV3RbacTokenTest, self).setUp()
own_creds = auth.KeystoneV3Credentials(**self.own_keystone_creds)
own_creds = clients.get_auth_provider(own_creds).fill_credentials()
self.own_token = clients.Manager(
credentials=own_creds).identity_v3_client.token
project_creds = auth.KeystoneV3Credentials(
user_id=self.user_id,
password=self.user['password'],
project_id=self.project_id)
project_creds = clients.get_auth_provider(
project_creds).fill_credentials()
self.project_token = clients.Manager(
credentials=project_creds).identity_v3_client.token
domain_creds = auth.KeystoneV3Credentials(
user_id=self.user_id,
password=self.user['password'],
domain_id=self.domain_id)
domain_creds = clients.get_auth_provider(
domain_creds).fill_credentials()
self.domain_token = clients.Manager(
credentials=domain_creds).identity_v3_client.token
system_creds = auth.KeystoneV3Credentials(
user_id=self.user_id, password=self.user['password'], system='all')
system_creds = clients.get_auth_provider(
system_creds).fill_credentials()
self.system_token = clients.Manager(
credentials=system_creds).identity_v3_client.token
def setup_user_client(self, project_id=None):
"""Set up project user with its own client.
This is useful for testing protection of resources in separate
projects.
Returns a client object and the user's ID.
"""
user_dict = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
user_id = self.os_system_admin.users_v3_client.create_user(
**user_dict)['user']['id']
self.addCleanup(self.os_system_admin.users_v3_client.delete_user,
user_id)
if not project_id:
project_id = self.os_system_admin.projects_client.create_project(
data_utils.rand_name())['project']['id']
self.addCleanup(
self.os_system_admin.projects_client.delete_project,
project_id)
member_role_id = self.os_system_admin.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
self.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, member_role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user_dict['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
client = clients.Manager(credentials=creds)
return client
def _setup_new_user_client(cls, project_id, role):
"""Create a new tempest.clients.Manager
Creates a new user with the given roles on the given project,
and returns an instance of tempest.clients.Manager set up
for that user.
Users are cleaned up during class teardown in cls.clear_credentials
"""
user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password()
}
user_id = cls.os_system_admin.users_v3_client.create_user(
**user)['user']['id']
cls._created_users.append(user_id)
role_id = cls.os_system_admin.roles_v3_client.list_roles(
name=role)['roles'][0]['id']
cls.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
return clients.Manager(credentials=creds)
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(
name=dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name('proj')
proj_body = self.projects_client.create_project(
proj_name, domain_id=dom_id)['project']
proj_id = proj_body['id']
self.addCleanup(self.projects_client.delete_project, proj_id)
self.assertEqual(
proj_body['domain_id'], dom_id,
"project " + proj_name + "doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_body = self.users_client.create_user(
name=user_name,
password=user_name,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(
user_body['domain_id'], dom_id,
"user " + user_name + "doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.create_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_name,
user_domain_name=dom_name)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(
name=dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name('proj')
proj_body = self.projects_client.create_project(
proj_name, domain_id=dom_id)['project']
proj_id = proj_body['id']
self.addCleanup(self.projects_client.delete_project, proj_id)
self.assertEqual(proj_body['domain_id'], dom_id,
"project " + proj_name +
"doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_body = self.users_client.create_user(
name=user_name,
password=user_name,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(user_body['domain_id'], dom_id,
"user " + user_name +
"doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.create_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_name,
user_domain_name=dom_name)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def setup_clients(cls):
super(ResourceReservationScenarioTest, cls).setup_clients()
if not CONF.service_available.blazar:
raise cls.skipException("Resource reservation support is"
"required")
cred_provider = cls._get_credentials_provider()
creds = cred_provider.get_credentials('admin')
auth_prov = tempestclients.get_auth_provider(creds._credentials)
cls.os_admin.resource_reservation_client = (
clients.ResourceReservationV1Client(auth_prov, 'reservation',
CONF.identity.region))
cls.reservation_client = (cls.os_admin.resource_reservation_client)
def get_auth_provider(credentials, pre_auth=False, scope='project'):
"""Shim to get_auth_provider in clients.py
get_auth_provider used to be hosted in this module, but it has been
moved to clients.py now as a more permanent location.
This module will be removed eventually, and this shim is only
maintained for the benefit of plugins already consuming this interface.
"""
msg = ("tempest.manager.get_auth_provider is not a stable interface and "
"as such it should not imported directly. It will be removed as "
"the client manager becomes available in tempest.lib.")
LOG.warning(msg)
return tempest_clients.get_auth_provider(credentials=credentials,
pre_auth=pre_auth, scope=scope)
def resource_setup(cls):
trustor_user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
cls.trustor = cls.admin_client.users_v3_client.create_user(
**trustor_user)['user']['id']
cls.addClassResourceCleanup(
cls.admin_client.users_v3_client.delete_user,
user_id=cls.trustor)
cls.trustee = cls.admin_client.users_v3_client.create_user(
name=data_utils.rand_name())['user']['id']
cls.addClassResourceCleanup(
cls.admin_client.users_v3_client.delete_user,
user_id=cls.trustee)
cls.project = cls.admin_client.projects_client.create_project(
name=data_utils.rand_name()
)['project']['id']
cls.addClassResourceCleanup(
cls.admin_client.projects_client.delete_project,
project_id=cls.project)
cls.roles = [
{'id': cls.admin_client.roles_v3_client.create_role(
name=data_utils.rand_name())['role']['id']}
]
cls.addClassResourceCleanup(
cls.admin_client.roles_v3_client.delete_role,
role_id=cls.roles[0]['id'])
cls.admin_client.roles_v3_client.create_user_role_on_project(
project_id=cls.project,
user_id=cls.trustor,
role_id=cls.roles[0]['id']
)
creds = auth.KeystoneV3Credentials(
user_id=cls.trustor,
password=trustor_user['password'],
project_id=cls.project)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
user_client = clients.Manager(credentials=creds)
cls.user_trust_client = user_client.trusts_client
cls.admin_role_id = cls.admin_client.roles_v3_client.list_roles(
name='admin')['roles'][0]['id']
cls.member_role_id = cls.admin_client.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
cls.reader_role_id = cls.admin_client.roles_v3_client.list_roles(
name='reader')['roles'][0]['id']
def credentials():
# You can get credentials either from tempest.conf file or
# from OS environment.
tempest_creds = clients.get_auth_provider(
creds_factory.get_configured_admin_credentials())
creds = tempest_creds.credentials
creds_dict = {
'--os-username':
os.environ.get('OS_USERNAME', creds.username),
'--os-password':
os.environ.get('OS_PASSWORD', creds.password),
'--os-project-name':
os.environ.get('OS_PROJECT_NAME', creds.project_name),
'--os-auth-url':
os.environ.get('OS_AUTH_URL', tempest_creds.auth_url),
'--os-project-domain-name':
os.environ.get('OS_PROJECT_DOMAIN_ID', creds.project_domain_name),
'--os-user-domain-name':
os.environ.get('OS_USER_DOMAIN_ID', creds.user_domain_name),
}
return [x for sub in creds_dict.items() for x in sub]
def setup_user_client(cls, domain_id=None):
"""Set up project user with its own client.
This is to enable the project user to create its own credential.
Returns a client object and the user's ID.
"""
user_dict = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
if domain_id:
user_dict['domain_id'] = domain_id
user_id = cls.admin_client.users_v3_client.create_user(
**user_dict)['user']['id']
def try_cleanup_user():
# if domain is cleaned up first, user will already be deleted
try:
cls.admin_client.users_v3_client.delete_user(user_id)
except exceptions.NotFound:
pass
cls.addClassResourceCleanup(try_cleanup_user)
project_id = cls.admin_client.projects_client.create_project(
data_utils.rand_name())['project']['id']
cls.addClassResourceCleanup(
cls.admin_client.projects_client.delete_project, project_id)
member_role_id = cls.admin_client.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
cls.admin_client.roles_v3_client.create_user_role_on_project(
project_id, user_id, member_role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user_dict['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
client = clients.Manager(credentials=creds)
return client, user_id, project_id
def start_fixture(self):
cred_provider = self._get_credentials_provider()
creds = cred_provider.get_credentials('admin')
auth_prov = tempestclients.get_auth_provider(creds._credentials)
os.environ['OS_TOKEN'] = auth_prov.get_token()