tempest

tempest is always getting project scoped tokens is a project exists in credentials

Bug #1475359 reported by Andrea Frittoli on 2015-07-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tempest	Fix Released	Medium	Andrea Frittoli

Bug Description

The auth framework in tempest-lib passes all fields from the Credentials object to the token request.
Getting a domain scoped token requires creating a new Credentials object stripped of any project info, and a new client manager and identity client for it.

There should be an option in the auth framework to select a scope to be used with the same Credentials object.

Matthew Treinish (treinish) on 2015-07-16

Changed in tempest:
status:	New → Confirmed
importance:	Undecided → Medium
assignee:	nobody → Andrea Frittoli (andrea-frittoli)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-16: Fix proposed to tempest-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/202705

Changed in tempest:
status:	Confirmed → In Progress

OpenStack Infra (hudson-openstack) on 2015-09-09

Changed in tempest:
assignee:	Andrea Frittoli (andrea-frittoli) → Roxana Gherle (roxana-gherle)

OpenStack Infra (hudson-openstack) on 2015-09-17

Changed in tempest:
assignee:	Roxana Gherle (roxana-gherle) → Andrea Frittoli (andrea-frittoli)

OpenStack Infra (hudson-openstack) on 2015-09-25

Changed in tempest:
assignee:	Andrea Frittoli (andrea-frittoli) → Roxana Gherle (roxana-gherle)

OpenStack Infra (hudson-openstack) on 2015-10-02

Changed in tempest:
assignee:	Roxana Gherle (roxana-gherle) → Andrea Frittoli (andrea-frittoli)

Revision history for this message

Andrea Frittoli (andrea-frittoli) wrote on 2016-05-05:

Since tempest-lib is now merged back into tempest, the fix must be implemented in tempest.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-05: Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/313171

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-05: Change abandoned on tempest-lib (master)

Change abandoned by Andrea Frittoli (<email address hidden>) on branch: master
Review: https://review.openstack.org/202705
Reason: Move to tempest: https://review.openstack.org/#/c/313171/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-25: Fix merged to tempest (master)

Reviewed: https://review.openstack.org/313171
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=3e82af7f6cf565c80fbb8f0c7e614a6dc20c16f2
Submitter: Jenkins
Branch: master

commit 3e82af7f6cf565c80fbb8f0c7e614a6dc20c16f2
Author: Andrea Frittoli (andreaf) <email address hidden>
Date: Thu May 5 22:53:38 2016 +0100

Introduce scope in the auth API

    Adding the ability to select the scope of the authentication.
    When using identity v3, this makes it possible to use either
    project scope or domain scope regardless of whether a project
    is included or not in the Credentials object.

    The interface to auth for most tests is the AuthProvider.
    The scope is defined in the constructor of the AuthProvider,
    and it can also be changed at a later time via 'set_scope'.

    In most cases a set of credentials will use the same scope.
    Test credentials will use project scope. Admin test credentials
    may use domain scope on identity API alls, or project scope on
    other APIs. Since clients are initialised with an auth provider
    by the client manager, we extend the client manager interface to
    include the scope. Tests and Tempest parts that require a domain
    scoped token will instanciate the relevant client manager with
    scope == 'domain', or set the scope to domain on the 'auth_provider'.

    The default scope in the v3 auth provider is 'projet;, which me must
    do for backward compatibility reasons (besides it's what most tests
    expects. We also filter the list of attributes based on scope, so
    that tests or service clients may request a different scope.

    The original behaviour of the token client is unchanged:
    all fields passed to it towards the API server. This
    maintains backward compatibility, and leaves full control
    for test that want to define what is sent in the token
    request.

Closes-bug: #1475359
Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add

Reviewed:  https://review.openstack.org/313171
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=3e82af7f6cf565c80fbb8f0c7e614a6dc20c16f2
Submitter: Jenkins
Branch:    master

commit 3e82af7f6cf565c80fbb8f0c7e614a6dc20c16f2
Author: Andrea Frittoli (andreaf) <andrea.frittoli@hpe.com>
Date:   Thu May 5 22:53:38 2016 +0100

Introduce scope in the auth API
    
    Adding the ability to select the scope of the authentication.
    When using identity v3, this makes it possible to use either
    project scope or domain scope regardless of whether a project
    is included or not in the Credentials object.
    
    The interface to auth for most tests is the AuthProvider.
    The scope is defined in the constructor of the AuthProvider,
    and it can also be changed at a later time via 'set_scope'.
    
    In most cases a set of credentials will use the same scope.
    Test credentials will use project scope. Admin test credentials
    may use domain scope on identity API alls, or project scope on
    other APIs. Since clients are initialised with an auth provider
    by the client manager, we extend the client manager interface to
    include the scope. Tests and Tempest parts that require a domain
    scoped token will instanciate the relevant client manager with
    scope == 'domain', or set the scope to domain on the 'auth_provider'.
    
    The default scope in the v3 auth provider is 'projet;, which me must
    do for backward compatibility reasons (besides it's what most tests
    expects. We also filter the list of attributes based on scope, so
    that tests or service clients may request a different scope.
    
    The original behaviour of the token client is unchanged:
    all fields passed to it towards the API server. This
    maintains backward compatibility, and leaves full control
    for test that want to define what is sent in the token
    request.
    
    Closes-bug: #1475359
    Change-Id: I6fad6dd48a4d306f69da27c6793de687bbf72add

Changed in tempest:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.