def setUp(self): super(IdentityV3RbacTokenTest, self).setUp() own_creds = auth.KeystoneV3Credentials(**self.own_keystone_creds) own_creds = clients.get_auth_provider(own_creds).fill_credentials() self.own_token = clients.Manager( credentials=own_creds).identity_v3_client.token project_creds = auth.KeystoneV3Credentials( user_id=self.user_id, password=self.user['password'], project_id=self.project_id) project_creds = clients.get_auth_provider( project_creds).fill_credentials() self.project_token = clients.Manager( credentials=project_creds).identity_v3_client.token domain_creds = auth.KeystoneV3Credentials( user_id=self.user_id, password=self.user['password'], domain_id=self.domain_id) domain_creds = clients.get_auth_provider( domain_creds).fill_credentials() self.domain_token = clients.Manager( credentials=domain_creds).identity_v3_client.token system_creds = auth.KeystoneV3Credentials( user_id=self.user_id, password=self.user['password'], system='all') system_creds = clients.get_auth_provider( system_creds).fill_credentials() self.system_token = clients.Manager( credentials=system_creds).identity_v3_client.token
def setup_user_client(self, project_id=None): """Set up project user with its own client. This is useful for testing protection of resources in separate projects. Returns a client object and the user's ID. """ user_dict = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password(), } user_id = self.os_system_admin.users_v3_client.create_user( **user_dict)['user']['id'] self.addCleanup(self.os_system_admin.users_v3_client.delete_user, user_id) if not project_id: project_id = self.os_system_admin.projects_client.create_project( data_utils.rand_name())['project']['id'] self.addCleanup( self.os_system_admin.projects_client.delete_project, project_id) member_role_id = self.os_system_admin.roles_v3_client.list_roles( name='member')['roles'][0]['id'] self.os_system_admin.roles_v3_client.create_user_role_on_project( project_id, user_id, member_role_id) creds = auth.KeystoneV3Credentials(user_id=user_id, password=user_dict['password'], project_id=project_id) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() client = clients.Manager(credentials=creds) return client
def _setup_new_user_client(cls, project_id, role): """Create a new tempest.clients.Manager Creates a new user with the given roles on the given project, and returns an instance of tempest.clients.Manager set up for that user. Users are cleaned up during class teardown in cls.clear_credentials """ user = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password() } user_id = cls.os_system_admin.users_v3_client.create_user( **user)['user']['id'] cls._created_users.append(user_id) role_id = cls.os_system_admin.roles_v3_client.list_roles( name=role)['roles'][0]['id'] cls.os_system_admin.roles_v3_client.create_user_role_on_project( project_id, user_id, role_id) creds = auth.KeystoneV3Credentials(user_id=user_id, password=user['password'], project_id=project_id) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() return clients.Manager(credentials=creds)
def test_default_project_id(self): # create a domain dom_name = data_utils.rand_name('dom') domain_body = self.domains_client.create_domain( name=dom_name)['domain'] dom_id = domain_body['id'] self.addCleanup(self._delete_domain, dom_id) # create a project in the domain proj_name = data_utils.rand_name('proj') proj_body = self.projects_client.create_project( proj_name, domain_id=dom_id)['project'] proj_id = proj_body['id'] self.addCleanup(self.projects_client.delete_project, proj_id) self.assertEqual( proj_body['domain_id'], dom_id, "project " + proj_name + "doesn't have domain id " + dom_id) # create a user in the domain, with the previous project as his # default project user_name = data_utils.rand_name('user') user_body = self.users_client.create_user( name=user_name, password=user_name, domain_id=dom_id, default_project_id=proj_id)['user'] user_id = user_body['id'] self.addCleanup(self.users_client.delete_user, user_id) self.assertEqual( user_body['domain_id'], dom_id, "user " + user_name + "doesn't have domain id " + dom_id) # get roles and find the admin role admin_role = self.get_role_by_name(CONF.identity.admin_role) admin_role_id = admin_role['id'] # grant the admin role to the user on his project self.roles_client.create_user_role_on_project(proj_id, user_id, admin_role_id) # create a new client with user's credentials (NOTE: unscoped token!) creds = auth.KeystoneV3Credentials(username=user_name, password=user_name, user_domain_name=dom_name) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() admin_client = clients.Manager(credentials=creds) # verify the user's token and see that it is scoped to the project token, auth_data = admin_client.auth_provider.get_auth() result = admin_client.identity_v3_client.show_token(token)['token'] self.assertEqual(result['project']['domain']['id'], dom_id) self.assertEqual(result['project']['id'], proj_id)
def test_default_project_id(self): # create a domain dom_name = data_utils.rand_name('dom') domain_body = self.domains_client.create_domain( name=dom_name)['domain'] dom_id = domain_body['id'] self.addCleanup(self._delete_domain, dom_id) # create a project in the domain proj_name = data_utils.rand_name('proj') proj_body = self.projects_client.create_project( proj_name, domain_id=dom_id)['project'] proj_id = proj_body['id'] self.addCleanup(self.projects_client.delete_project, proj_id) self.assertEqual(proj_body['domain_id'], dom_id, "project " + proj_name + "doesn't have domain id " + dom_id) # create a user in the domain, with the previous project as his # default project user_name = data_utils.rand_name('user') user_body = self.users_client.create_user( name=user_name, password=user_name, domain_id=dom_id, default_project_id=proj_id)['user'] user_id = user_body['id'] self.addCleanup(self.users_client.delete_user, user_id) self.assertEqual(user_body['domain_id'], dom_id, "user " + user_name + "doesn't have domain id " + dom_id) # get roles and find the admin role admin_role = self.get_role_by_name(CONF.identity.admin_role) admin_role_id = admin_role['id'] # grant the admin role to the user on his project self.roles_client.create_user_role_on_project(proj_id, user_id, admin_role_id) # create a new client with user's credentials (NOTE: unscoped token!) creds = auth.KeystoneV3Credentials(username=user_name, password=user_name, user_domain_name=dom_name) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() admin_client = clients.Manager(credentials=creds) # verify the user's token and see that it is scoped to the project token, auth_data = admin_client.auth_provider.get_auth() result = admin_client.identity_v3_client.show_token(token)['token'] self.assertEqual(result['project']['domain']['id'], dom_id) self.assertEqual(result['project']['id'], proj_id)
def setup_clients(cls): super(ResourceReservationScenarioTest, cls).setup_clients() if not CONF.service_available.blazar: raise cls.skipException("Resource reservation support is" "required") cred_provider = cls._get_credentials_provider() creds = cred_provider.get_credentials('admin') auth_prov = tempestclients.get_auth_provider(creds._credentials) cls.os_admin.resource_reservation_client = ( clients.ResourceReservationV1Client(auth_prov, 'reservation', CONF.identity.region)) cls.reservation_client = (cls.os_admin.resource_reservation_client)
def get_auth_provider(credentials, pre_auth=False, scope='project'): """Shim to get_auth_provider in clients.py get_auth_provider used to be hosted in this module, but it has been moved to clients.py now as a more permanent location. This module will be removed eventually, and this shim is only maintained for the benefit of plugins already consuming this interface. """ msg = ("tempest.manager.get_auth_provider is not a stable interface and " "as such it should not imported directly. It will be removed as " "the client manager becomes available in tempest.lib.") LOG.warning(msg) return tempest_clients.get_auth_provider(credentials=credentials, pre_auth=pre_auth, scope=scope)
def resource_setup(cls): trustor_user = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password(), } cls.trustor = cls.admin_client.users_v3_client.create_user( **trustor_user)['user']['id'] cls.addClassResourceCleanup( cls.admin_client.users_v3_client.delete_user, user_id=cls.trustor) cls.trustee = cls.admin_client.users_v3_client.create_user( name=data_utils.rand_name())['user']['id'] cls.addClassResourceCleanup( cls.admin_client.users_v3_client.delete_user, user_id=cls.trustee) cls.project = cls.admin_client.projects_client.create_project( name=data_utils.rand_name() )['project']['id'] cls.addClassResourceCleanup( cls.admin_client.projects_client.delete_project, project_id=cls.project) cls.roles = [ {'id': cls.admin_client.roles_v3_client.create_role( name=data_utils.rand_name())['role']['id']} ] cls.addClassResourceCleanup( cls.admin_client.roles_v3_client.delete_role, role_id=cls.roles[0]['id']) cls.admin_client.roles_v3_client.create_user_role_on_project( project_id=cls.project, user_id=cls.trustor, role_id=cls.roles[0]['id'] ) creds = auth.KeystoneV3Credentials( user_id=cls.trustor, password=trustor_user['password'], project_id=cls.project) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() user_client = clients.Manager(credentials=creds) cls.user_trust_client = user_client.trusts_client cls.admin_role_id = cls.admin_client.roles_v3_client.list_roles( name='admin')['roles'][0]['id'] cls.member_role_id = cls.admin_client.roles_v3_client.list_roles( name='member')['roles'][0]['id'] cls.reader_role_id = cls.admin_client.roles_v3_client.list_roles( name='reader')['roles'][0]['id']
def credentials(): # You can get credentials either from tempest.conf file or # from OS environment. tempest_creds = clients.get_auth_provider( creds_factory.get_configured_admin_credentials()) creds = tempest_creds.credentials creds_dict = { '--os-username': os.environ.get('OS_USERNAME', creds.username), '--os-password': os.environ.get('OS_PASSWORD', creds.password), '--os-project-name': os.environ.get('OS_PROJECT_NAME', creds.project_name), '--os-auth-url': os.environ.get('OS_AUTH_URL', tempest_creds.auth_url), '--os-project-domain-name': os.environ.get('OS_PROJECT_DOMAIN_ID', creds.project_domain_name), '--os-user-domain-name': os.environ.get('OS_USER_DOMAIN_ID', creds.user_domain_name), } return [x for sub in creds_dict.items() for x in sub]
def setup_user_client(cls, domain_id=None): """Set up project user with its own client. This is to enable the project user to create its own credential. Returns a client object and the user's ID. """ user_dict = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password(), } if domain_id: user_dict['domain_id'] = domain_id user_id = cls.admin_client.users_v3_client.create_user( **user_dict)['user']['id'] def try_cleanup_user(): # if domain is cleaned up first, user will already be deleted try: cls.admin_client.users_v3_client.delete_user(user_id) except exceptions.NotFound: pass cls.addClassResourceCleanup(try_cleanup_user) project_id = cls.admin_client.projects_client.create_project( data_utils.rand_name())['project']['id'] cls.addClassResourceCleanup( cls.admin_client.projects_client.delete_project, project_id) member_role_id = cls.admin_client.roles_v3_client.list_roles( name='member')['roles'][0]['id'] cls.admin_client.roles_v3_client.create_user_role_on_project( project_id, user_id, member_role_id) creds = auth.KeystoneV3Credentials(user_id=user_id, password=user_dict['password'], project_id=project_id) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() client = clients.Manager(credentials=creds) return client, user_id, project_id
def start_fixture(self): cred_provider = self._get_credentials_provider() creds = cred_provider.get_credentials('admin') auth_prov = tempestclients.get_auth_provider(creds._credentials) os.environ['OS_TOKEN'] = auth_prov.get_token()