def setUp(self):
"""Declare variables that will be used both in tests and tearDown."""
self.RESOURCE_PREFIX = 'zaza-nova'
self.keystone_client = openstack_utils.get_keystone_session_client(
self.keystone_session)
self.trait_name = 'CUSTOM_ZAZA_VGPU'
self.flavor_id = 42
def openstack_setup_kerberos():
"""Create a test domain, project, and user for kerberos tests."""
kerberos_domain = 'k8s'
kerberos_project = 'k8s'
kerberos_user = '******'
kerberos_password = '******'
role = 'admin'
logging.info('Retrieving a keystone session and client.')
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
logging.info('Creating domain, project and user for Kerberos tests.')
domain = keystone_client.domains.create(kerberos_domain,
description='Kerberos Domain',
enabled=True)
project = keystone_client.projects.create(kerberos_project,
domain,
description='Test project',
enabled=True)
demo_user = keystone_client.users.create(kerberos_user,
domain=domain,
project=project,
password=kerberos_password,
email='*****@*****.**',
description='Demo User',
enabled=True)
admin_role = keystone_client.roles.find(name=role)
keystone_client.roles.grant(admin_role,
user=demo_user,
project_domain=domain,
project=project)
keystone_client.roles.grant(admin_role, user=demo_user, domain=domain)
def _find_keystone_v3_group(self, group, domain):
"""Find a group within a specified keystone v3 domain.
:param str group: Group to search for in keystone
:param str domain: group selected from which domain
:return: return group if found
:rtype: Optional[str]
"""
for ip in self.keystone_ips:
logging.info('Keystone IP {}'.format(ip))
session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
client = openstack_utils.get_keystone_session_client(session)
domain_groups = client.groups.list(
domain=client.domains.find(name=domain).id
)
for searched_group in domain_groups:
if searched_group.name.lower() == group.lower():
return searched_group
logging.debug(
"Group {} was not found. Returning None.".format(group)
)
return None
def main(argv):
cli_utils.setup_logging()
overcloud_novarc = openstack_utils.get_overcloud_auth()
user_file = mojo_utils.get_mojo_file('keystone_users.yaml')
user_config = generic_utils.get_yaml_config(user_file)
try:
cacert = os.path.join(os.environ.get('MOJO_LOCAL_DIR'), 'cacert.pem')
os.stat(cacert)
except FileNotFoundError:
cacert = None
keystone_session = openstack_utils.get_overcloud_keystone_session(
verify=cacert)
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
if overcloud_novarc.get('API_VERSION', 2) == 2:
projects = [user['project'] for user in user_config]
mojo_os_utils.project_create(keystone_client, projects)
mojo_os_utils.user_create_v2(keystone_client, user_config)
# TODO validate this works without adding roles
# mojo_os_utils.add_users_to_roles(keystone_client, user_config)
else:
for user in user_config:
mojo_os_utils.domain_create(keystone_client, [user['domain']])
mojo_os_utils.project_create(keystone_client, [user['project']],
user['domain'])
mojo_os_utils.user_create_v3(keystone_client, user_config)
def setUpClass(cls):
"""Run class setup for running Keystone charm operation tests."""
super(BaseKeystoneTest, cls).setUpClass(application_name='keystone')
# Check if we are related to Vault TLS certificates
cls.tls_rid = zaza.model.get_relation_id(
'keystone', 'vault', remote_interface_name='certificates')
# Check for VIP
cls.vip = (zaza.model.get_application_config('keystone').get(
'vip').get('value'))
cls.keystone_ips = zaza.model.get_app_ips('keystone')
# If we have a VIP set and we are using TLS only check the VIP
# If you check the individual IP haproxy may send to a different
# back end which leads to mismatched certificates.
if cls.vip:
if cls.tls_rid:
cls.keystone_ips = [cls.vip]
else:
cls.keystone_ips.append(cls.vip)
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_queens')):
cls.default_api_version = '2'
else:
cls.default_api_version = '3'
cls.admin_keystone_session = (
openstack_utils.get_overcloud_keystone_session())
cls.admin_keystone_client = (
openstack_utils.get_keystone_session_client(
cls.admin_keystone_session,
client_api_version=cls.default_api_version))
def setup_network():
cli_utils.setup_logging()
keystone_session = openstack_utils.get_overcloud_keystone_session()
# Retrieve necessary clients
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
neutron_client = openstack_utils.get_neutron_session_client(
keystone_session)
# Retrieve necessary variables
admin_domain = None
if openstack_utils.get_keystone_api_version() > 2:
admin_domain = "admin_domain"
project_id = openstack_utils.get_project_id(
keystone_client,
"admin",
domain_name=admin_domain,
)
# Create simple private network
project_network = openstack_utils.create_project_network(
neutron_client, project_id, shared=False, network_type="gre")
openstack_utils.create_project_subnet(neutron_client,
project_id,
project_network,
private_subnet,
ip_version=4)
def setUpClass(cls):
"""Run class setup for running LBaaSv2 service tests."""
super(LBAASv2Test, cls).setUpClass()
cls.keystone_client = ObjectRetrierWraps(
openstack_utils.get_keystone_session_client(cls.keystone_session))
if (openstack_utils.get_os_release() >=
openstack_utils.get_os_release('focal_wallaby')):
# add role to admin user for the duration of the test
grant_role_current_user(cls.keystone_client, cls.keystone_session,
LBAAS_ADMIN_ROLE)
cls.neutron_client = ObjectRetrierWraps(
openstack_utils.get_neutron_session_client(cls.keystone_session))
cls.octavia_client = ObjectRetrierWraps(
openstack_utils.get_octavia_session_client(cls.keystone_session))
cls.RESOURCE_PREFIX = 'zaza-octavia'
# NOTE(fnordahl): in the event of a test failure we do not want to run
# tear down code as it will make debugging a problem virtually
# impossible. To alleviate each test method will set the
# `run_tearDown` instance variable at the end which will let us run
# tear down only when there were no failure.
cls.run_tearDown = False
# List of load balancers created by this test
cls.loadbalancers = []
# List of floating IPs created by this test
cls.fips = []
def _find_keystone_v3_user(self, username, domain, group=None):
"""Find a user within a specified keystone v3 domain.
:param str username: Username to search for in keystone
:param str domain: username selected from which domain
:param str group: group to search for in keystone for group membership
:return: return username if found
:rtype: Optional[str]
"""
for ip in self.keystone_ips:
logging.info('Keystone IP {}'.format(ip))
session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
client = openstack_utils.get_keystone_session_client(session)
if group is None:
domain_users = client.users.list(
domain=client.domains.find(name=domain).id,
)
else:
domain_users = client.users.list(
domain=client.domains.find(name=domain).id,
group=self._find_keystone_v3_group(group, domain).id,
)
usernames = [u.name.lower() for u in domain_users]
if username.lower() in usernames:
return username
logging.debug(
"User {} was not found. Returning None.".format(username)
)
return None
def setUpClass(cls):
"""Run class setup for running tests."""
super().setUpClass(application_name=cls.application_name)
cls.cinder_client = openstack_utils.get_cinder_session_client(
cls.keystone_session)
cls.nova_client = openstack_utils.get_nova_session_client(
cls.keystone_session)
cls.keystone_client = openstack_utils.get_keystone_session_client(
cls.keystone_session)
def s3_setup():
"""Run setup of s3 options for Trilio."""
session = openstack_utils.get_overcloud_keystone_session()
ks_client = openstack_utils.get_keystone_session_client(session)
# Get token data so we can glean our user_id and project_id
token_data = ks_client.tokens.get_token_data(session.get_token())
project_id = token_data['token']['project']['id']
user_id = token_data['token']['user']['id']
# Store URL to service providing S3 compatible API
for entry in token_data['token']['catalog']:
if entry['type'] == 's3':
for endpoint in entry['endpoints']:
if endpoint['interface'] == 'public':
s3_region = endpoint['region']
s3_endpoint = endpoint['url']
# Create AWS compatible application credentials in Keystone
ec2_creds = ks_client.ec2.create(user_id, project_id)
cacert = openstack_utils.get_cacert()
kwargs = {
'region_name': s3_region,
'aws_access_key_id': ec2_creds.access,
'aws_secret_access_key': ec2_creds.secret,
'endpoint_url': s3_endpoint,
'verify': cacert,
}
s3 = boto3.resource('s3', **kwargs)
# Create bucket
bucket_name = 'zaza-trilio'
logging.info("Creating bucket: {}".format(bucket_name))
bucket = s3.Bucket(bucket_name)
bucket.create()
s3_config = {
'tv-s3-secret-key': ec2_creds.secret,
'tv-s3-access-key': ec2_creds.access,
'tv-s3-region-name': s3_region,
'tv-s3-bucket': bucket_name,
'tv-s3-endpoint-url': s3_endpoint
}
for app in ['trilio-wlm', 'trilio-data-mover']:
logging.info("Setting s3 config for {}".format(app))
zaza_model.set_application_config(app, s3_config)
test_config = lifecycle_utils.get_charm_config(fatal=False)
states = test_config.get('target_deploy_status', {})
states['trilio-wlm'] = {
'workload-status': 'blocked',
'workload-status-message': 'application not trusted'
}
zaza_model.wait_for_application_states(states=test_config.get(
'target_deploy_status', {}),
timeout=7200)
zaza_model.block_until_all_units_idle()
def _v2():
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session, client_api_version=2)
tenant = keystone_client.tenants.create(tenant_name=DEMO_TENANT,
description='Demo Tenant',
enabled=True)
keystone_client.users.create(name=DEMO_USER,
password=DEMO_PASSWORD,
tenant_id=tenant.id)
def keystone_federation_setup(federated_domain=FEDERATED_DOMAIN,
federated_group=FEDERATED_GROUP,
idp_name=IDP,
idp_remote_id=REMOTE_ID):
"""Configure Keystone Federation."""
cli_utils.setup_logging()
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
try:
domain = keystone_client.domains.find(name=federated_domain)
except keystoneauth1.exceptions.http.NotFound:
domain = keystone_client.domains.create(federated_domain,
description="Federated Domain",
enabled=True)
try:
group = keystone_client.groups.find(name=federated_group,
domain=domain)
except keystoneauth1.exceptions.http.NotFound:
group = keystone_client.groups.create(federated_group,
domain=domain,
enabled=True)
role = keystone_client.roles.find(name=MEMBER)
keystone_client.roles.grant(role, group=group, domain=domain)
try:
idp = keystone_client.federation.identity_providers.get(idp_name)
except keystoneauth1.exceptions.http.NotFound:
idp = keystone_client.federation.identity_providers.create(
idp_name,
remote_ids=[idp_remote_id],
domain_id=domain.id,
enabled=True)
JSON_RULES = json.loads(
MAP_TEMPLATE.format(domain_id=domain.id,
group_id=group.id,
role_name=MEMBER))
map_name = "{}_mapping".format(idp_name)
try:
keystone_client.federation.mappings.get(map_name)
except keystoneauth1.exceptions.http.NotFound:
keystone_client.federation.mappings.create(map_name, rules=JSON_RULES)
try:
keystone_client.federation.protocols.get(idp_name, PROTOCOL_NAME)
except keystoneauth1.exceptions.http.NotFound:
keystone_client.federation.protocols.create(PROTOCOL_NAME,
mapping=map_name,
identity_provider=idp)
def get_service_list(keystone_session):
"""Retrieve list of services from keystone.
:param keystone_session: keystoneauth1.session.Session object
:type: keystoneauth1.session.Session
:returns: None
:rtype: None
"""
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
return [s.name for s in keystone_client.services.list() if s.enabled]
def test_rotate_admin_password(self):
"""Verify action used to rotate admin user's password."""
ADMIN_PASSWD = 'admin_passwd'
old_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
# test access using the old password
with self.v3_keystone_preferred():
for ip in self.keystone_ips:
try:
ks_session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
ks_client = openstack_utils.get_keystone_session_client(
ks_session)
ks_client.users.list()
except keystoneauth1.exceptions.http.Forbidden:
raise zaza_exceptions.KeystoneAuthorizationStrict(
'Keystone auth with old password FAILED.')
# run the action to rotate the password
zaza.model.run_action_on_leader(
self.application_name,
'rotate-admin-password',
)
# test access using the new password
with self.v3_keystone_preferred():
for ip in self.keystone_ips:
try:
ks_session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
ks_client = openstack_utils.get_keystone_session_client(
ks_session)
ks_client.users.list()
except keystoneauth1.exceptions.http.Forbidden:
raise zaza_exceptions.KeystoneAuthorizationStrict(
'Keystone auth with new password FAILED.')
# make sure the password was actually changed
new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
assert old_passwd != new_passwd
def setup_sdn_provider_vlan(network_config, keystone_session=None):
"""Perform setup for Software Defined Network, specifically a provider VLAN.
:param network_config: Network configuration settings dictionary
:type network_config: dict
:param keystone_session: Keystone session object for overcloud
:type keystone_session: keystoneauth1.session.Session object
:returns: None
:rtype: None
"""
# If a session has not been provided, acquire one
if not keystone_session:
keystone_session = openstack_utils.get_overcloud_keystone_session()
# Get authenticated clients
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
neutron_client = openstack_utils.get_neutron_session_client(
keystone_session)
admin_domain = None
if openstack_utils.get_keystone_api_version() > 2:
admin_domain = "admin_domain"
# Resolve the project name from the overcloud openrc into a project id
project_id = openstack_utils.get_project_id(
keystone_client,
"admin",
domain_name=admin_domain,
)
logging.info("Configuring VLAN provider network")
# Create the external network
provider_vlan_network = openstack_utils.create_provider_network(
neutron_client,
project_id,
net_name=network_config["provider_vlan_net_name"],
external=False,
shared=True,
network_type='vlan',
vlan_id=network_config["provider_vlan_id"])
provider_vlan_subnet = openstack_utils.create_provider_subnet(
neutron_client,
project_id,
provider_vlan_network,
network_config["provider_vlan_subnet_name"],
cidr=network_config["provider_vlan_cidr"],
dhcp=True)
openstack_utils.plug_subnet_into_router(neutron_client,
network_config["router_name"],
provider_vlan_network,
provider_vlan_subnet)
openstack_utils.add_neutron_secgroup_rules(neutron_client, project_id)
def wait_for_region2():
"""Ensure two regions are present."""
keystone_session = openstack.get_overcloud_keystone_session()
keystone_client = (
openstack.get_keystone_session_client(
keystone_session,
client_api_version='3'))
swift_svc_id = keystone_client.services.find(name='swift').id
regions = set([ep.region
for ep in keystone_client.endpoints.list(swift_svc_id)])
logging.info('Checking there are 2 regions. Current count is {}'.format(
len(regions)))
assert len(set(regions)) == 2, "Incorrect number of regions"
def setUpClass(cls, application_name=None):
"""Run class setup for running OctaviaTests charm operation tests."""
super(OctaviaTests, cls).setUpClass(application_name="octavia")
cls.application_name = "octavia"
cls.keystone_client = ObjectRetrierWraps(
openstack_utils.get_keystone_session_client(cls.keystone_session))
if (openstack_utils.get_os_release() >=
openstack_utils.get_os_release('focal_wallaby')):
# add role to admin user for the duration of the test
octavia_tests.grant_role_current_user(
cls.keystone_client, cls.keystone_session,
octavia_tests.LBAAS_ADMIN_ROLE)
def test_backward_compatible_uuid_for_default_domain(self):
"""Check domain named ``default`` literally has ``default`` as ID.
Some third party software chooses to hard code this value for some
inexplicable reason.
"""
with self.v3_keystone_preferred():
ks_session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth())
ks_client = openstack_utils.get_keystone_session_client(ks_session)
domain = ks_client.domains.get('default')
logging.info(pprint.pformat(domain))
assert domain.id == 'default'
def add_keystone_config(ctxt, keystone_session):
"""Add keystone config to context.
:param ctxt: Context dictionary
:type ctxt: dict
:param keystone_session: keystoneauth1.session.Session object
:type: keystoneauth1.session.Session
:returns: None
:rtype: None
"""
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
domain = keystone_client.domains.find(name="admin_domain")
ctxt['default_domain_id'] = domain.id
def test_admin_project_scoped_access(self):
"""Verify cloud admin access using project scoped token.
`admin` user in `admin_domain` should be able to access API methods
guarded by `rule:cloud_admin` policy using a token scoped to `admin`
project in `admin_domain`.
We implement a policy that enables domain segregation and
administration delegation [0]. It is important to understand that this
differs from the default policy.
In the initial implementation it was necessary to switch between using
a `domain` scoped and `project` scoped token to successfully manage a
cloud, but since the introduction of `is_admin` functionality in
Keystone [1][2][3] and our subsequent adoption of it in Keystone charm
[4], this is no longer necessary.
This test here to validate this behaviour.
0: https://github.com/openstack/keystone/commit/c7a5c6c
1: https://github.com/openstack/keystone/commit/e702369
2: https://github.com/openstack/keystone/commit/e923a14
3: https://github.com/openstack/keystone/commit/9804081
4: https://github.com/openstack/charm-keystone/commit/10e3d84
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('trusty_mitaka')):
logging.info('skipping test < trusty_mitaka')
return
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
for ip in self.keystone_ips:
try:
logging.info('keystone IP {}'.format(ip))
ks_session = openstack_utils.get_keystone_session(
openstack_utils.get_overcloud_auth(address=ip))
ks_client = openstack_utils.get_keystone_session_client(
ks_session)
result = ks_client.domains.list()
logging.info('.domains.list: "{}"'.format(
pprint.pformat(result)))
except keystoneauth1.exceptions.http.Forbidden as e:
raise zaza_exceptions.KeystoneAuthorizationStrict(
'Retrieve domain list as admin with project scoped '
'token FAILED. ({})'.format(e))
logging.info('OK')
def _add_additional_roles(roles):
"""Add additional roles to this deployment.
:param ctxt: roles
:type ctxt: list
:returns: None
:rtype: None
"""
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
for role_name in roles:
try:
keystone_client.roles.create(role_name)
except keystoneauth1.exceptions.http.Conflict:
pass
def get_client_and_attempt_operation(self, ip):
"""Attempt to list services. If it fails, raise an exception.
This operation should pass normally for the demo_user, and fail when
the rule has been overriden (see the `rule` class variable.
:param ip: the IP address to get the session against.
:type ip: str
:raises: PolicydOperationFailedException if operation fails.
"""
keystone_client = openstack_utils.get_keystone_session_client(
self.get_keystone_session_demo_admin_user(ip))
try:
keystone_client.credentials.list()
except keystoneauth1.exceptions.http.Forbidden:
raise PolicydOperationFailedException()
def configure_s3_backend():
"""Inject S3 parameters from Swift for Gnocchi config."""
session = openstack_utils.get_overcloud_keystone_session()
ks_client = openstack_utils.get_keystone_session_client(session)
logging.info('Retrieving S3 connection data from Swift')
token_data = ks_client.tokens.get_token_data(session.get_token())
project_id = token_data['token']['project']['id']
user_id = token_data['token']['user']['id']
# Store URL to service providing S3 compatible API
for entry in token_data['token']['catalog']:
if entry['type'] == 's3':
for endpoint in entry['endpoints']:
if endpoint['interface'] == 'public':
s3_region = endpoint['region']
s3_endpoint = endpoint['url']
# Create AWS compatible application credentials in Keystone
ec2_creds = ks_client.ec2.create(user_id, project_id)
logging.info('Changing Gnocchi charm config to connect to S3')
model.set_application_config(
'gnocchi', {
's3-endpoint-url': s3_endpoint,
's3-region-name': s3_region,
's3-access-key-id': ec2_creds.access,
's3-secret-access-key': ec2_creds.secret
})
logging.info('Waiting for units to execute config-changed hook')
model.wait_for_agent_status()
logging.info('Waiting for units to reach target states')
model.wait_for_application_states(
states={
'gnocchi': {
'workload-status-': 'active',
'workload-status-message': 'Unit is ready'
},
'ceilometer': {
'workload-status':
'blocked',
'workload-status-message':
'Run the ' + 'ceilometer-upgrade action on the leader ' +
'to initialize ceilometer and gnocchi'
}
})
model.block_until_all_units_idle()
def test_end_user_domain_admin_access(self):
"""Verify that end-user domain admin does not have elevated privileges.
In additon to validating that the `policy.json` is written and the
service is restarted on config-changed, the test validates that our
`policy.json` is correct.
Catch regressions like LP: #1651989
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_ocata')):
logging.info('skipping test < xenial_ocata')
return
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
for ip in self.keystone_ips:
openrc = {
'API_VERSION': 3,
'OS_USERNAME': DEMO_ADMIN_USER,
'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': DEMO_DOMAIN,
'OS_DOMAIN_NAME': DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.KEYSTONE_LOCAL_CACERT
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
try:
# expect failure
keystone_client.domains.list()
except keystoneauth1.exceptions.http.Forbidden as e:
logging.debug('Retrieve domain list as end-user domain '
'admin NOT allowed...OK ({})'.format(e))
pass
else:
raise zaza_exceptions.KeystoneAuthorizationPermissive(
'Retrieve domain list as end-user domain admin '
'allowed when it should not be.')
logging.info('OK')
def _get_catalog():
"""Retrieve the Keystone service catalog.
:returns: The raw Keystone service catalog.
:rtype: List[Dict]
"""
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
token = keystone_session.get_token()
token_data = keystone_client.tokens.get_token_data(token)
if 'catalog' not in token_data['token']:
raise ValueError('catalog not in token data: "{}"'.format(
pprint.pformat(token_data)))
return token_data['token']['catalog']
def add_cinder_config(ctxt, keystone_session):
"""Add cinder config to context.
:param ctxt: Context dictionary
:type ctxt: dict
:param keystone_session: keystoneauth1.session.Session object
:type: keystoneauth1.session.Session
:returns: None
:rtype: None
"""
volume_types = ['volumev2', 'volumev3']
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
for volume_type in volume_types:
service = keystone_client.services.list(type=volume_type)
if service:
ctxt['catalog_type'] = volume_type
break
def prepare_payload_instance():
"""Prepare a instance we can use as payload test."""
session = openstack.get_overcloud_keystone_session()
keystone = openstack.get_keystone_session_client(session)
neutron = openstack.get_neutron_session_client(session)
project_id = openstack.get_project_id(keystone,
'admin',
domain_name='admin_domain')
openstack.add_neutron_secgroup_rules(neutron, project_id,
[{
'protocol': 'tcp',
'port_range_min': '80',
'port_range_max': '80',
'direction': 'ingress'
}])
zaza.openstack.configure.guest.launch_instance(
glance_setup.LTS_IMAGE_NAME,
userdata='#cloud-config\npackages:\n - apache2\n')
def _v3():
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
domain = keystone_client.domains.create(DEMO_DOMAIN,
description='Demo Domain',
enabled=True)
project = keystone_client.projects.create(DEMO_PROJECT,
domain,
description='Demo Project',
enabled=True)
demo_user = keystone_client.users.create(DEMO_USER,
domain=domain,
project=project,
password=DEMO_PASSWORD,
email='*****@*****.**',
description='Demo User',
enabled=True)
member_role = keystone_client.roles.find(name='Member')
keystone_client.roles.grant(member_role,
user=demo_user,
project_domain=domain,
project=project)
demo_admin_user = keystone_client.users.create(
DEMO_ADMIN_USER,
domain=domain,
project=project,
password=DEMO_ADMIN_USER_PASSWORD,
email='*****@*****.**',
description='Demo Admin User',
enabled=True)
admin_role = keystone_client.roles.find(name='Admin')
keystone_client.roles.grant(admin_role,
user=demo_admin_user,
domain=domain)
keystone_client.roles.grant(member_role,
user=demo_admin_user,
project_domain=domain,
project=project)
keystone_client.roles.grant(admin_role,
user=demo_admin_user,
project_domain=domain,
project=project)
def test_keystone_kerberos_authentication(self):
"""Validate auth to Openstack through the kerberos method."""
logging.info('Retrieving a kerberos token with kinit for admin user')
ubuntu_test_host = zaza.model.get_units('ubuntu-test-host')[0]
result = zaza.model.run_on_unit(ubuntu_test_host.name,
"echo password123 | kinit admin")
assert result['Code'] == '0', result['Stderr']
logging.info('Changing token mod for user access')
result = zaza.model.run_on_unit(
ubuntu_test_host.name,
"sudo install -m 777 /tmp/krb5cc_0 /tmp/krb5cc_1000"
)
assert result['Code'] == '0', result['Stderr']
logging.info('Fetching user/project info in Openstack')
domain_name = 'k8s'
project_name = 'k8s'
keystone_session = openstack_utils.get_overcloud_keystone_session()
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
domain_id = keystone_client.domains.find(name=domain_name).id
project_id = keystone_client.projects.find(name=project_name).id
keystone_hostname = get_unit_full_hostname('keystone')
logging.info('Retrieving an Openstack token to validate auth')
cmd = 'openstack token issue -f value -c id ' \
'--os-auth-url http://{}:5000/krb/v3 ' \
'--os-project-id {} ' \
'--os-project-name {} ' \
'--os-project-domain-id {} ' \
'--os-region-name RegionOne ' \
'--os-interface public ' \
'--os-identity-api-version 3 ' \
'--os-auth-type v3kerberos'.format(keystone_hostname,
project_id,
project_name,
domain_id)
result = zaza.model.run_on_unit(ubuntu_test_host.name, cmd)
assert result['Code'] == '0', result['Stderr']
def setUpClass(cls):
"""Run class setup for running LBaaSv2 service tests."""
super(LBAASv2Test, cls).setUpClass()
cls.keystone_client = openstack_utils.get_keystone_session_client(
cls.keystone_session)
cls.neutron_client = openstack_utils.get_neutron_session_client(
cls.keystone_session)
cls.octavia_client = openstack_utils.get_octavia_session_client(
cls.keystone_session)
cls.RESOURCE_PREFIX = 'zaza-octavia'
# NOTE(fnordahl): in the event of a test failure we do not want to run
# tear down code as it will make debugging a problem virtually
# impossible. To alleviate each test method will set the
# `run_tearDown` instance variable at the end which will let us run
# tear down only when there were no failure.
cls.run_tearDown = False
# List of load balancers created by this test
cls.loadbalancers = []
# List of floating IPs created by this test
cls.fips = []
