def get_product_streams(url): """Get product streams json data with retry.""" # There is a race between the images being available in glance and any # metadata being written. Use tenacity to avoid this race. client = requests.session() json_data = client.get(url, verify=openstack_utils.get_cacert()).text return json.loads(json_data)
def setUpClass(cls, application_name=None, model_alias=None): """Run setup for test class to create common resources.""" super(OpenStackBaseTest, cls).setUpClass(application_name, model_alias) cls.keystone_session = openstack_utils.get_overcloud_keystone_session( model_name=cls.model_name) cls.cacert = openstack_utils.get_cacert() cls.nova_client = ( openstack_utils.get_nova_session_client(cls.keystone_session))
def s3_setup(): """Run setup of s3 options for Trilio.""" session = openstack_utils.get_overcloud_keystone_session() ks_client = openstack_utils.get_keystone_session_client(session) # Get token data so we can glean our user_id and project_id token_data = ks_client.tokens.get_token_data(session.get_token()) project_id = token_data['token']['project']['id'] user_id = token_data['token']['user']['id'] # Store URL to service providing S3 compatible API for entry in token_data['token']['catalog']: if entry['type'] == 's3': for endpoint in entry['endpoints']: if endpoint['interface'] == 'public': s3_region = endpoint['region'] s3_endpoint = endpoint['url'] # Create AWS compatible application credentials in Keystone ec2_creds = ks_client.ec2.create(user_id, project_id) cacert = openstack_utils.get_cacert() kwargs = { 'region_name': s3_region, 'aws_access_key_id': ec2_creds.access, 'aws_secret_access_key': ec2_creds.secret, 'endpoint_url': s3_endpoint, 'verify': cacert, } s3 = boto3.resource('s3', **kwargs) # Create bucket bucket_name = 'zaza-trilio' logging.info("Creating bucket: {}".format(bucket_name)) bucket = s3.Bucket(bucket_name) bucket.create() s3_config = { 'tv-s3-secret-key': ec2_creds.secret, 'tv-s3-access-key': ec2_creds.access, 'tv-s3-region-name': s3_region, 'tv-s3-bucket': bucket_name, 'tv-s3-endpoint-url': s3_endpoint } for app in ['trilio-wlm', 'trilio-data-mover']: logging.info("Setting s3 config for {}".format(app)) zaza_model.set_application_config(app, s3_config) test_config = lifecycle_utils.get_charm_config(fatal=False) states = test_config.get('target_deploy_status', {}) states['trilio-wlm'] = { 'workload-status': 'blocked', 'workload-status-message': 'application not trusted' } zaza_model.wait_for_application_states(states=test_config.get( 'target_deploy_status', {}), timeout=7200) zaza_model.block_until_all_units_idle()
def test_end_user_domain_admin_access(self): """Verify that end-user domain admin does not have elevated privileges. In addition to validating that the `policy.json` is written and the service is restarted on config-changed, the test validates that our `policy.json` is correct. Catch regressions like LP: #1651989 """ if (openstack_utils.get_os_release() < openstack_utils.get_os_release('xenial_ocata')): logging.info('skipping test < xenial_ocata') return with self.v3_keystone_preferred(): for ip in self.keystone_ips: openrc = { 'API_VERSION': 3, 'OS_USERNAME': DEMO_ADMIN_USER, 'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD, 'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip), 'OS_USER_DOMAIN_NAME': DEMO_DOMAIN, 'OS_DOMAIN_NAME': DEMO_DOMAIN, } if self.tls_rid: openrc['OS_CACERT'] = openstack_utils.get_cacert() openrc['OS_AUTH_URL'] = ( openrc['OS_AUTH_URL'].replace('http', 'https')) logging.info('keystone IP {}'.format(ip)) keystone_session = openstack_utils.get_keystone_session( openrc, scope='DOMAIN') keystone_client = openstack_utils.get_keystone_session_client( keystone_session) try: # expect failure keystone_client.domains.list() except keystoneauth1.exceptions.http.Forbidden as e: logging.debug('Retrieve domain list as end-user domain ' 'admin NOT allowed...OK ({})'.format(e)) pass else: raise zaza_exceptions.KeystoneAuthorizationPermissive( 'Retrieve domain list as end-user domain admin ' 'allowed when it should not be.') logging.info('OK')
def _get_keystone_session(self, ip, openrc, scope='DOMAIN'): """Return the keystone session for the IP address passed. :param ip: the IP address to get the session against. :type ip: str :param openrc: the params to authenticate with. :type openrc: Dict[str, str] :param scope: the scope of the token :type scope: str :returns: a keystone session to the IP address :rtype: keystoneauth1.session.Session """ logging.info('Authentication for {} on keystone IP {}'.format( openrc['OS_USERNAME'], ip)) if self.tls_rid: openrc['OS_CACERT'] = openstack_utils.get_cacert() openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace( 'http', 'https')) logging.info('keystone IP {}'.format(ip)) keystone_session = openstack_utils.get_keystone_session(openrc, scope=scope) return keystone_session
def _validate_token_data(openrc): if self.tls_rid: openrc['OS_CACERT'] = openstack_utils.get_cacert() openrc['OS_AUTH_URL'] = ( openrc['OS_AUTH_URL'].replace('http', 'https')) logging.info('keystone IP {}'.format(ip)) keystone_session = openstack_utils.get_keystone_session( openrc) keystone_client = openstack_utils.get_keystone_session_client( keystone_session) token = keystone_session.get_token() if (openstack_utils.get_os_release() < openstack_utils.get_os_release('xenial_ocata')): if len(token) != 32: raise zaza_exceptions.KeystoneWrongTokenProvider( 'We expected a UUID token and got this: "{}"' .format(token)) else: if len(token) < 180: raise zaza_exceptions.KeystoneWrongTokenProvider( 'We expected a Fernet token and got this: "{}"' .format(token)) logging.info('token: "{}"'.format(pprint.pformat(token))) if (openstack_utils.get_os_release() < openstack_utils.get_os_release('trusty_mitaka')): logging.info('skip: tokens.get_token_data() not allowed prior ' 'to trusty_mitaka') return # get_token_data call also gets the service catalog token_data = keystone_client.tokens.get_token_data(token) if token_data.get('token', {}).get('catalog', None) is None: raise zaza_exceptions.KeystoneAuthorizationStrict( # NOTE(fnordahl) the above call will probably throw a # http.Forbidden exception, but just in case 'Regular end user not allowed to retrieve the service ' 'catalog. ("{}")'.format(pprint.pformat(token_data))) logging.info('token_data: "{}"'.format(pprint.pformat(token_data)))