def setUp(self): """Declare variables that will be used both in tests and tearDown.""" self.RESOURCE_PREFIX = 'zaza-nova' self.keystone_client = openstack_utils.get_keystone_session_client( self.keystone_session) self.trait_name = 'CUSTOM_ZAZA_VGPU' self.flavor_id = 42
def openstack_setup_kerberos(): """Create a test domain, project, and user for kerberos tests.""" kerberos_domain = 'k8s' kerberos_project = 'k8s' kerberos_user = '******' kerberos_password = '******' role = 'admin' logging.info('Retrieving a keystone session and client.') keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) logging.info('Creating domain, project and user for Kerberos tests.') domain = keystone_client.domains.create(kerberos_domain, description='Kerberos Domain', enabled=True) project = keystone_client.projects.create(kerberos_project, domain, description='Test project', enabled=True) demo_user = keystone_client.users.create(kerberos_user, domain=domain, project=project, password=kerberos_password, email='*****@*****.**', description='Demo User', enabled=True) admin_role = keystone_client.roles.find(name=role) keystone_client.roles.grant(admin_role, user=demo_user, project_domain=domain, project=project) keystone_client.roles.grant(admin_role, user=demo_user, domain=domain)
def _find_keystone_v3_group(self, group, domain): """Find a group within a specified keystone v3 domain. :param str group: Group to search for in keystone :param str domain: group selected from which domain :return: return group if found :rtype: Optional[str] """ for ip in self.keystone_ips: logging.info('Keystone IP {}'.format(ip)) session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) client = openstack_utils.get_keystone_session_client(session) domain_groups = client.groups.list( domain=client.domains.find(name=domain).id ) for searched_group in domain_groups: if searched_group.name.lower() == group.lower(): return searched_group logging.debug( "Group {} was not found. Returning None.".format(group) ) return None
def main(argv): cli_utils.setup_logging() overcloud_novarc = openstack_utils.get_overcloud_auth() user_file = mojo_utils.get_mojo_file('keystone_users.yaml') user_config = generic_utils.get_yaml_config(user_file) try: cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem') os.stat(cacert) except FileNotFoundError: cacert = None keystone_session = openstack_utils.get_overcloud_keystone_session( verify=cacert) keystone_client = openstack_utils.get_keystone_session_client( keystone_session) if overcloud_novarc.get('API_VERSION', 2) == 2: projects = [user['project'] for user in user_config] mojo_os_utils.project_create(keystone_client, projects) mojo_os_utils.user_create_v2(keystone_client, user_config) # TODO validate this works without adding roles # mojo_os_utils.add_users_to_roles(keystone_client, user_config) else: for user in user_config: mojo_os_utils.domain_create(keystone_client, [user['domain']]) mojo_os_utils.project_create(keystone_client, [user['project']], user['domain']) mojo_os_utils.user_create_v3(keystone_client, user_config)
def setUpClass(cls): """Run class setup for running Keystone charm operation tests.""" super(BaseKeystoneTest, cls).setUpClass(application_name='keystone') # Check if we are related to Vault TLS certificates cls.tls_rid = zaza.model.get_relation_id( 'keystone', 'vault', remote_interface_name='certificates') # Check for VIP cls.vip = (zaza.model.get_application_config('keystone').get( 'vip').get('value')) cls.keystone_ips = zaza.model.get_app_ips('keystone') # If we have a VIP set and we are using TLS only check the VIP # If you check the individual IP haproxy may send to a different # back end which leads to mismatched certificates. if cls.vip: if cls.tls_rid: cls.keystone_ips = [cls.vip] else: cls.keystone_ips.append(cls.vip) if (openstack_utils.get_os_release() < openstack_utils.get_os_release('xenial_queens')): cls.default_api_version = '2' else: cls.default_api_version = '3' cls.admin_keystone_session = ( openstack_utils.get_overcloud_keystone_session()) cls.admin_keystone_client = ( openstack_utils.get_keystone_session_client( cls.admin_keystone_session, client_api_version=cls.default_api_version))
def setup_network(): cli_utils.setup_logging() keystone_session = openstack_utils.get_overcloud_keystone_session() # Retrieve necessary clients keystone_client = openstack_utils.get_keystone_session_client( keystone_session) neutron_client = openstack_utils.get_neutron_session_client( keystone_session) # Retrieve necessary variables admin_domain = None if openstack_utils.get_keystone_api_version() > 2: admin_domain = "admin_domain" project_id = openstack_utils.get_project_id( keystone_client, "admin", domain_name=admin_domain, ) # Create simple private network project_network = openstack_utils.create_project_network( neutron_client, project_id, shared=False, network_type="gre") openstack_utils.create_project_subnet(neutron_client, project_id, project_network, private_subnet, ip_version=4)
def setUpClass(cls): """Run class setup for running LBaaSv2 service tests.""" super(LBAASv2Test, cls).setUpClass() cls.keystone_client = ObjectRetrierWraps( openstack_utils.get_keystone_session_client(cls.keystone_session)) if (openstack_utils.get_os_release() >= openstack_utils.get_os_release('focal_wallaby')): # add role to admin user for the duration of the test grant_role_current_user(cls.keystone_client, cls.keystone_session, LBAAS_ADMIN_ROLE) cls.neutron_client = ObjectRetrierWraps( openstack_utils.get_neutron_session_client(cls.keystone_session)) cls.octavia_client = ObjectRetrierWraps( openstack_utils.get_octavia_session_client(cls.keystone_session)) cls.RESOURCE_PREFIX = 'zaza-octavia' # NOTE(fnordahl): in the event of a test failure we do not want to run # tear down code as it will make debugging a problem virtually # impossible. To alleviate each test method will set the # `run_tearDown` instance variable at the end which will let us run # tear down only when there were no failure. cls.run_tearDown = False # List of load balancers created by this test cls.loadbalancers = [] # List of floating IPs created by this test cls.fips = []
def _find_keystone_v3_user(self, username, domain, group=None): """Find a user within a specified keystone v3 domain. :param str username: Username to search for in keystone :param str domain: username selected from which domain :param str group: group to search for in keystone for group membership :return: return username if found :rtype: Optional[str] """ for ip in self.keystone_ips: logging.info('Keystone IP {}'.format(ip)) session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) client = openstack_utils.get_keystone_session_client(session) if group is None: domain_users = client.users.list( domain=client.domains.find(name=domain).id, ) else: domain_users = client.users.list( domain=client.domains.find(name=domain).id, group=self._find_keystone_v3_group(group, domain).id, ) usernames = [u.name.lower() for u in domain_users] if username.lower() in usernames: return username logging.debug( "User {} was not found. Returning None.".format(username) ) return None
def setUpClass(cls): """Run class setup for running tests.""" super().setUpClass(application_name=cls.application_name) cls.cinder_client = openstack_utils.get_cinder_session_client( cls.keystone_session) cls.nova_client = openstack_utils.get_nova_session_client( cls.keystone_session) cls.keystone_client = openstack_utils.get_keystone_session_client( cls.keystone_session)
def s3_setup(): """Run setup of s3 options for Trilio.""" session = openstack_utils.get_overcloud_keystone_session() ks_client = openstack_utils.get_keystone_session_client(session) # Get token data so we can glean our user_id and project_id token_data = ks_client.tokens.get_token_data(session.get_token()) project_id = token_data['token']['project']['id'] user_id = token_data['token']['user']['id'] # Store URL to service providing S3 compatible API for entry in token_data['token']['catalog']: if entry['type'] == 's3': for endpoint in entry['endpoints']: if endpoint['interface'] == 'public': s3_region = endpoint['region'] s3_endpoint = endpoint['url'] # Create AWS compatible application credentials in Keystone ec2_creds = ks_client.ec2.create(user_id, project_id) cacert = openstack_utils.get_cacert() kwargs = { 'region_name': s3_region, 'aws_access_key_id': ec2_creds.access, 'aws_secret_access_key': ec2_creds.secret, 'endpoint_url': s3_endpoint, 'verify': cacert, } s3 = boto3.resource('s3', **kwargs) # Create bucket bucket_name = 'zaza-trilio' logging.info("Creating bucket: {}".format(bucket_name)) bucket = s3.Bucket(bucket_name) bucket.create() s3_config = { 'tv-s3-secret-key': ec2_creds.secret, 'tv-s3-access-key': ec2_creds.access, 'tv-s3-region-name': s3_region, 'tv-s3-bucket': bucket_name, 'tv-s3-endpoint-url': s3_endpoint } for app in ['trilio-wlm', 'trilio-data-mover']: logging.info("Setting s3 config for {}".format(app)) zaza_model.set_application_config(app, s3_config) test_config = lifecycle_utils.get_charm_config(fatal=False) states = test_config.get('target_deploy_status', {}) states['trilio-wlm'] = { 'workload-status': 'blocked', 'workload-status-message': 'application not trusted' } zaza_model.wait_for_application_states(states=test_config.get( 'target_deploy_status', {}), timeout=7200) zaza_model.block_until_all_units_idle()
def _v2(): keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session, client_api_version=2) tenant = keystone_client.tenants.create(tenant_name=DEMO_TENANT, description='Demo Tenant', enabled=True) keystone_client.users.create(name=DEMO_USER, password=DEMO_PASSWORD, tenant_id=tenant.id)
def keystone_federation_setup(federated_domain=FEDERATED_DOMAIN, federated_group=FEDERATED_GROUP, idp_name=IDP, idp_remote_id=REMOTE_ID): """Configure Keystone Federation.""" cli_utils.setup_logging() keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) try: domain = keystone_client.domains.find(name=federated_domain) except keystoneauth1.exceptions.http.NotFound: domain = keystone_client.domains.create(federated_domain, description="Federated Domain", enabled=True) try: group = keystone_client.groups.find(name=federated_group, domain=domain) except keystoneauth1.exceptions.http.NotFound: group = keystone_client.groups.create(federated_group, domain=domain, enabled=True) role = keystone_client.roles.find(name=MEMBER) keystone_client.roles.grant(role, group=group, domain=domain) try: idp = keystone_client.federation.identity_providers.get(idp_name) except keystoneauth1.exceptions.http.NotFound: idp = keystone_client.federation.identity_providers.create( idp_name, remote_ids=[idp_remote_id], domain_id=domain.id, enabled=True) JSON_RULES = json.loads( MAP_TEMPLATE.format(domain_id=domain.id, group_id=group.id, role_name=MEMBER)) map_name = "{}_mapping".format(idp_name) try: keystone_client.federation.mappings.get(map_name) except keystoneauth1.exceptions.http.NotFound: keystone_client.federation.mappings.create(map_name, rules=JSON_RULES) try: keystone_client.federation.protocols.get(idp_name, PROTOCOL_NAME) except keystoneauth1.exceptions.http.NotFound: keystone_client.federation.protocols.create(PROTOCOL_NAME, mapping=map_name, identity_provider=idp)
def get_service_list(keystone_session): """Retrieve list of services from keystone. :param keystone_session: keystoneauth1.session.Session object :type: keystoneauth1.session.Session :returns: None :rtype: None """ keystone_client = openstack_utils.get_keystone_session_client( keystone_session) return [s.name for s in keystone_client.services.list() if s.enabled]
def test_rotate_admin_password(self): """Verify action used to rotate admin user's password.""" ADMIN_PASSWD = 'admin_passwd' old_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD) # test access using the old password with self.v3_keystone_preferred(): for ip in self.keystone_ips: try: ks_session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) ks_client = openstack_utils.get_keystone_session_client( ks_session) ks_client.users.list() except keystoneauth1.exceptions.http.Forbidden: raise zaza_exceptions.KeystoneAuthorizationStrict( 'Keystone auth with old password FAILED.') # run the action to rotate the password zaza.model.run_action_on_leader( self.application_name, 'rotate-admin-password', ) # test access using the new password with self.v3_keystone_preferred(): for ip in self.keystone_ips: try: ks_session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) ks_client = openstack_utils.get_keystone_session_client( ks_session) ks_client.users.list() except keystoneauth1.exceptions.http.Forbidden: raise zaza_exceptions.KeystoneAuthorizationStrict( 'Keystone auth with new password FAILED.') # make sure the password was actually changed new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD) assert old_passwd != new_passwd
def setup_sdn_provider_vlan(network_config, keystone_session=None): """Perform setup for Software Defined Network, specifically a provider VLAN. :param network_config: Network configuration settings dictionary :type network_config: dict :param keystone_session: Keystone session object for overcloud :type keystone_session: keystoneauth1.session.Session object :returns: None :rtype: None """ # If a session has not been provided, acquire one if not keystone_session: keystone_session = openstack_utils.get_overcloud_keystone_session() # Get authenticated clients keystone_client = openstack_utils.get_keystone_session_client( keystone_session) neutron_client = openstack_utils.get_neutron_session_client( keystone_session) admin_domain = None if openstack_utils.get_keystone_api_version() > 2: admin_domain = "admin_domain" # Resolve the project name from the overcloud openrc into a project id project_id = openstack_utils.get_project_id( keystone_client, "admin", domain_name=admin_domain, ) logging.info("Configuring VLAN provider network") # Create the external network provider_vlan_network = openstack_utils.create_provider_network( neutron_client, project_id, net_name=network_config["provider_vlan_net_name"], external=False, shared=True, network_type='vlan', vlan_id=network_config["provider_vlan_id"]) provider_vlan_subnet = openstack_utils.create_provider_subnet( neutron_client, project_id, provider_vlan_network, network_config["provider_vlan_subnet_name"], cidr=network_config["provider_vlan_cidr"], dhcp=True) openstack_utils.plug_subnet_into_router(neutron_client, network_config["router_name"], provider_vlan_network, provider_vlan_subnet) openstack_utils.add_neutron_secgroup_rules(neutron_client, project_id)
def wait_for_region2(): """Ensure two regions are present.""" keystone_session = openstack.get_overcloud_keystone_session() keystone_client = ( openstack.get_keystone_session_client( keystone_session, client_api_version='3')) swift_svc_id = keystone_client.services.find(name='swift').id regions = set([ep.region for ep in keystone_client.endpoints.list(swift_svc_id)]) logging.info('Checking there are 2 regions. Current count is {}'.format( len(regions))) assert len(set(regions)) == 2, "Incorrect number of regions"
def setUpClass(cls, application_name=None): """Run class setup for running OctaviaTests charm operation tests.""" super(OctaviaTests, cls).setUpClass(application_name="octavia") cls.application_name = "octavia" cls.keystone_client = ObjectRetrierWraps( openstack_utils.get_keystone_session_client(cls.keystone_session)) if (openstack_utils.get_os_release() >= openstack_utils.get_os_release('focal_wallaby')): # add role to admin user for the duration of the test octavia_tests.grant_role_current_user( cls.keystone_client, cls.keystone_session, octavia_tests.LBAAS_ADMIN_ROLE)
def test_backward_compatible_uuid_for_default_domain(self): """Check domain named ``default`` literally has ``default`` as ID. Some third party software chooses to hard code this value for some inexplicable reason. """ with self.v3_keystone_preferred(): ks_session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth()) ks_client = openstack_utils.get_keystone_session_client(ks_session) domain = ks_client.domains.get('default') logging.info(pprint.pformat(domain)) assert domain.id == 'default'
def add_keystone_config(ctxt, keystone_session): """Add keystone config to context. :param ctxt: Context dictionary :type ctxt: dict :param keystone_session: keystoneauth1.session.Session object :type: keystoneauth1.session.Session :returns: None :rtype: None """ keystone_client = openstack_utils.get_keystone_session_client( keystone_session) domain = keystone_client.domains.find(name="admin_domain") ctxt['default_domain_id'] = domain.id
def test_admin_project_scoped_access(self): """Verify cloud admin access using project scoped token. `admin` user in `admin_domain` should be able to access API methods guarded by `rule:cloud_admin` policy using a token scoped to `admin` project in `admin_domain`. We implement a policy that enables domain segregation and administration delegation [0]. It is important to understand that this differs from the default policy. In the initial implementation it was necessary to switch between using a `domain` scoped and `project` scoped token to successfully manage a cloud, but since the introduction of `is_admin` functionality in Keystone [1][2][3] and our subsequent adoption of it in Keystone charm [4], this is no longer necessary. This test here to validate this behaviour. 0: https://github.com/openstack/keystone/commit/c7a5c6c 1: https://github.com/openstack/keystone/commit/e702369 2: https://github.com/openstack/keystone/commit/e923a14 3: https://github.com/openstack/keystone/commit/9804081 4: https://github.com/openstack/charm-keystone/commit/10e3d84 """ if (openstack_utils.get_os_release() < openstack_utils.get_os_release('trusty_mitaka')): logging.info('skipping test < trusty_mitaka') return with self.config_change( {'preferred-api-version': self.default_api_version}, {'preferred-api-version': '3'}, application_name="keystone"): for ip in self.keystone_ips: try: logging.info('keystone IP {}'.format(ip)) ks_session = openstack_utils.get_keystone_session( openstack_utils.get_overcloud_auth(address=ip)) ks_client = openstack_utils.get_keystone_session_client( ks_session) result = ks_client.domains.list() logging.info('.domains.list: "{}"'.format( pprint.pformat(result))) except keystoneauth1.exceptions.http.Forbidden as e: raise zaza_exceptions.KeystoneAuthorizationStrict( 'Retrieve domain list as admin with project scoped ' 'token FAILED. ({})'.format(e)) logging.info('OK')
def _add_additional_roles(roles): """Add additional roles to this deployment. :param ctxt: roles :type ctxt: list :returns: None :rtype: None """ keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) for role_name in roles: try: keystone_client.roles.create(role_name) except keystoneauth1.exceptions.http.Conflict: pass
def get_client_and_attempt_operation(self, ip): """Attempt to list services. If it fails, raise an exception. This operation should pass normally for the demo_user, and fail when the rule has been overriden (see the `rule` class variable. :param ip: the IP address to get the session against. :type ip: str :raises: PolicydOperationFailedException if operation fails. """ keystone_client = openstack_utils.get_keystone_session_client( self.get_keystone_session_demo_admin_user(ip)) try: keystone_client.credentials.list() except keystoneauth1.exceptions.http.Forbidden: raise PolicydOperationFailedException()
def configure_s3_backend(): """Inject S3 parameters from Swift for Gnocchi config.""" session = openstack_utils.get_overcloud_keystone_session() ks_client = openstack_utils.get_keystone_session_client(session) logging.info('Retrieving S3 connection data from Swift') token_data = ks_client.tokens.get_token_data(session.get_token()) project_id = token_data['token']['project']['id'] user_id = token_data['token']['user']['id'] # Store URL to service providing S3 compatible API for entry in token_data['token']['catalog']: if entry['type'] == 's3': for endpoint in entry['endpoints']: if endpoint['interface'] == 'public': s3_region = endpoint['region'] s3_endpoint = endpoint['url'] # Create AWS compatible application credentials in Keystone ec2_creds = ks_client.ec2.create(user_id, project_id) logging.info('Changing Gnocchi charm config to connect to S3') model.set_application_config( 'gnocchi', { 's3-endpoint-url': s3_endpoint, 's3-region-name': s3_region, 's3-access-key-id': ec2_creds.access, 's3-secret-access-key': ec2_creds.secret }) logging.info('Waiting for units to execute config-changed hook') model.wait_for_agent_status() logging.info('Waiting for units to reach target states') model.wait_for_application_states( states={ 'gnocchi': { 'workload-status-': 'active', 'workload-status-message': 'Unit is ready' }, 'ceilometer': { 'workload-status': 'blocked', 'workload-status-message': 'Run the ' + 'ceilometer-upgrade action on the leader ' + 'to initialize ceilometer and gnocchi' } }) model.block_until_all_units_idle()
def test_end_user_domain_admin_access(self): """Verify that end-user domain admin does not have elevated privileges. In additon to validating that the `policy.json` is written and the service is restarted on config-changed, the test validates that our `policy.json` is correct. Catch regressions like LP: #1651989 """ if (openstack_utils.get_os_release() < openstack_utils.get_os_release('xenial_ocata')): logging.info('skipping test < xenial_ocata') return with self.config_change( {'preferred-api-version': self.default_api_version}, {'preferred-api-version': '3'}, application_name="keystone"): for ip in self.keystone_ips: openrc = { 'API_VERSION': 3, 'OS_USERNAME': DEMO_ADMIN_USER, 'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD, 'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip), 'OS_USER_DOMAIN_NAME': DEMO_DOMAIN, 'OS_DOMAIN_NAME': DEMO_DOMAIN, } if self.tls_rid: openrc['OS_CACERT'] = openstack_utils.KEYSTONE_LOCAL_CACERT openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace( 'http', 'https')) logging.info('keystone IP {}'.format(ip)) keystone_session = openstack_utils.get_keystone_session( openrc, scope='DOMAIN') keystone_client = openstack_utils.get_keystone_session_client( keystone_session) try: # expect failure keystone_client.domains.list() except keystoneauth1.exceptions.http.Forbidden as e: logging.debug('Retrieve domain list as end-user domain ' 'admin NOT allowed...OK ({})'.format(e)) pass else: raise zaza_exceptions.KeystoneAuthorizationPermissive( 'Retrieve domain list as end-user domain admin ' 'allowed when it should not be.') logging.info('OK')
def _get_catalog(): """Retrieve the Keystone service catalog. :returns: The raw Keystone service catalog. :rtype: List[Dict] """ keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) token = keystone_session.get_token() token_data = keystone_client.tokens.get_token_data(token) if 'catalog' not in token_data['token']: raise ValueError('catalog not in token data: "{}"'.format( pprint.pformat(token_data))) return token_data['token']['catalog']
def add_cinder_config(ctxt, keystone_session): """Add cinder config to context. :param ctxt: Context dictionary :type ctxt: dict :param keystone_session: keystoneauth1.session.Session object :type: keystoneauth1.session.Session :returns: None :rtype: None """ volume_types = ['volumev2', 'volumev3'] keystone_client = openstack_utils.get_keystone_session_client( keystone_session) for volume_type in volume_types: service = keystone_client.services.list(type=volume_type) if service: ctxt['catalog_type'] = volume_type break
def prepare_payload_instance(): """Prepare a instance we can use as payload test.""" session = openstack.get_overcloud_keystone_session() keystone = openstack.get_keystone_session_client(session) neutron = openstack.get_neutron_session_client(session) project_id = openstack.get_project_id(keystone, 'admin', domain_name='admin_domain') openstack.add_neutron_secgroup_rules(neutron, project_id, [{ 'protocol': 'tcp', 'port_range_min': '80', 'port_range_max': '80', 'direction': 'ingress' }]) zaza.openstack.configure.guest.launch_instance( glance_setup.LTS_IMAGE_NAME, userdata='#cloud-config\npackages:\n - apache2\n')
def _v3(): keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) domain = keystone_client.domains.create(DEMO_DOMAIN, description='Demo Domain', enabled=True) project = keystone_client.projects.create(DEMO_PROJECT, domain, description='Demo Project', enabled=True) demo_user = keystone_client.users.create(DEMO_USER, domain=domain, project=project, password=DEMO_PASSWORD, email='*****@*****.**', description='Demo User', enabled=True) member_role = keystone_client.roles.find(name='Member') keystone_client.roles.grant(member_role, user=demo_user, project_domain=domain, project=project) demo_admin_user = keystone_client.users.create( DEMO_ADMIN_USER, domain=domain, project=project, password=DEMO_ADMIN_USER_PASSWORD, email='*****@*****.**', description='Demo Admin User', enabled=True) admin_role = keystone_client.roles.find(name='Admin') keystone_client.roles.grant(admin_role, user=demo_admin_user, domain=domain) keystone_client.roles.grant(member_role, user=demo_admin_user, project_domain=domain, project=project) keystone_client.roles.grant(admin_role, user=demo_admin_user, project_domain=domain, project=project)
def test_keystone_kerberos_authentication(self): """Validate auth to Openstack through the kerberos method.""" logging.info('Retrieving a kerberos token with kinit for admin user') ubuntu_test_host = zaza.model.get_units('ubuntu-test-host')[0] result = zaza.model.run_on_unit(ubuntu_test_host.name, "echo password123 | kinit admin") assert result['Code'] == '0', result['Stderr'] logging.info('Changing token mod for user access') result = zaza.model.run_on_unit( ubuntu_test_host.name, "sudo install -m 777 /tmp/krb5cc_0 /tmp/krb5cc_1000" ) assert result['Code'] == '0', result['Stderr'] logging.info('Fetching user/project info in Openstack') domain_name = 'k8s' project_name = 'k8s' keystone_session = openstack_utils.get_overcloud_keystone_session() keystone_client = openstack_utils.get_keystone_session_client( keystone_session) domain_id = keystone_client.domains.find(name=domain_name).id project_id = keystone_client.projects.find(name=project_name).id keystone_hostname = get_unit_full_hostname('keystone') logging.info('Retrieving an Openstack token to validate auth') cmd = 'openstack token issue -f value -c id ' \ '--os-auth-url http://{}:5000/krb/v3 ' \ '--os-project-id {} ' \ '--os-project-name {} ' \ '--os-project-domain-id {} ' \ '--os-region-name RegionOne ' \ '--os-interface public ' \ '--os-identity-api-version 3 ' \ '--os-auth-type v3kerberos'.format(keystone_hostname, project_id, project_name, domain_id) result = zaza.model.run_on_unit(ubuntu_test_host.name, cmd) assert result['Code'] == '0', result['Stderr']
def setUpClass(cls): """Run class setup for running LBaaSv2 service tests.""" super(LBAASv2Test, cls).setUpClass() cls.keystone_client = openstack_utils.get_keystone_session_client( cls.keystone_session) cls.neutron_client = openstack_utils.get_neutron_session_client( cls.keystone_session) cls.octavia_client = openstack_utils.get_octavia_session_client( cls.keystone_session) cls.RESOURCE_PREFIX = 'zaza-octavia' # NOTE(fnordahl): in the event of a test failure we do not want to run # tear down code as it will make debugging a problem virtually # impossible. To alleviate each test method will set the # `run_tearDown` instance variable at the end which will let us run # tear down only when there were no failure. cls.run_tearDown = False # List of load balancers created by this test cls.loadbalancers = [] # List of floating IPs created by this test cls.fips = []