identity admin: dynamic credentials causes failures when using an immutable user source

Bug #1714277 reported by Trevor McCasland
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
tempest | Fix Released | Undecided | Nicolas Helgeson |

Bug Description

Currently the identity admin tests based off BaseIdentityV3AdminTest and BaseIdentityV2AdminTest are forced to use dynamic credentials and cause failures in an immutable user source (like LDAP) when the dynamic credentials are created.

We would like to allow passing the configuration value (default behavior) for using dynamic credentials rather than overwriting them.

The same failure happens when a test user is created, so we would like to limit test user creation to a minimum, using the pre-provisioned credentials instead, wherever possible.

Revision history for this message
Trevor McCasland (twm2016) wrote :

Re identity v2 testing: I found using the rest_client results in a 404 too: http://paste.openstack.org/show/620100/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/499756

Changed in tempest:
assignee: nobody → Trevor McCasland (twm2016)
status: New → In Progress
description: updated
summary: - roles: immutable user source causes failures when using dynamic
- credentials
+ identity admin: dynamic credentials causes failures when using an
+ immutable user source
Revision history for this message
Trevor McCasland (twm2016) wrote :

Can we discuss this bug in the comments here?

Changed in tempest:
status: In Progress → New
Changed in tempest:
status: New → In Progress
Revision history for this message
Trevor McCasland (twm2016) wrote :

Admin tests are not a concern for interoperability based on feedback I got from ML.

Changed in tempest:
status: In Progress → Opinion
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/521981

Changed in tempest:
status: Opinion → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/499756
Reason: Breaking this up into changes on a per-test basis. If the first one goes well I propose more, see for test_tokens test https://review.openstack.org/#/c/521981/

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/523976

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/525244

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/531450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/521981
Reason: Abandoning my patches with no activity for eight weeks - https://etherpad.openstack.org/p/qa-queens-retrospective

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/531450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/525244

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524655

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/523976
Reason: Abandoning my patches with no activity for eight weeks - https://etherpad.openstack.org/p/qa-queens-retrospective

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/521981
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=285b3f887ec4cbe5b4f6afe236c390b59f175c89
Submitter: Zuul
Branch: master

commit 285b3f887ec4cbe5b4f6afe236c390b59f175c89
Author: Trevor McCasland <email address hidden>
Date: Wed Nov 22 13:36:04 2017 -0600

    Move test_tokens test to static

    Letting os_primary be the user in this test case allows the token to
    authenticate, get and delete without having to create a test user. This
    allows the test to work with pre-provisioned credentials. Also moves the
    test to the non-admin directory because the test uses os_primary creds
    (for principle of least privilege).

    Partial-Bug: #1714277
    Co-Authored-By: Tin Lam <email address hidden>
    Change-Id: I55345132e0f461b36b08d222680a7e11eb945116

Changed in tempest:
assignee: Tin Lam (lamt) → Trevor McCasland (twm2016)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/581891

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Tin Lam (lamt)
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

Thanks for the bug report. I partially agree here.

Agree on not forcing dynamic creds on tests which do not change the test account, like GET etc.

Disagree on removing the forcing of dynamic creds for tests which change the test account to some extent. Changing the test creds can affect the execution of other tests, as the same creds are shared among other tests when using pre-provisioned accounts. That was the main reason for making all the identity admin tests use force_tenant_isolation by default.

So this bug is valid and we will go case by case and evaluate the above criteria to decide whether we can remove the force_tenant_isolation from identity tests. I will review the proposed patches.

Changed in tempest:
assignee: Tin Lam (lamt) → Trevor McCasland (twm2016)
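
An added sketch of the trade-off discussed in the comment above (not Tempest's code and not part of the thread): a simplified Python model in which `force_tenant_isolation` forces user creation against a read-only user source, while a shared pre-provisioned account gets through setup but carries one test's changes into the next. The `Identity` class, `pick_user`, `run_test`, the `member` role and the test names are assumptions made for the illustration.

```python
class ImmutableUserSource(Exception):
    """The user backend (for example LDAP) rejected a write."""


class Identity:
    """Constructed stand-in for the identity service; not Tempest code."""
    def __init__(self, read_only_users, accounts):
        self.read_only_users = read_only_users
        self.accounts = list(accounts)  # pre-provisioned, shared by tests
        self.roles = {name: {"member"} for name in accounts}

    def create_user(self, name):
        if self.read_only_users:
            raise ImmutableUserSource(name)
        self.roles[name] = {"member"}
        return name


def pick_user(identity, use_dynamic_credentials, force_tenant_isolation, name):
    """The per-class flag overrides the configured value (modelled rule)."""
    if use_dynamic_credentials or force_tenant_isolation:
        return identity.create_user("dyn-" + name)  # writes to user source
    return identity.accounts[0]


def run_test(identity, name, force_tenant_isolation, mutates_account=False,
             use_dynamic_credentials=False):
    """Return 'setup-failed', 'no-role' or 'ok' for one modelled test."""
    try:
        user = pick_user(identity, use_dynamic_credentials,
                         force_tenant_isolation, name)
    except ImmutableUserSource:
        return "setup-failed"
    if "member" not in identity.roles[user]:
        return "no-role"  # an earlier test changed the shared account
    if mutates_account:
        identity.roles[user].discard("member")
    return "ok"


def scenario():
    """LDAP-like deployment with one pre-provisioned account (constructed)."""
    idp = Identity(read_only_users=True, accounts=["preprov-user"])
    return [
        run_test(idp, "show_default_domain", force_tenant_isolation=True),
        run_test(idp, "show_default_domain", force_tenant_isolation=False),
        run_test(idp, "revoke_own_role", False, mutates_account=True),
        run_test(idp, "list_roles", force_tenant_isolation=False),
    ]
```

`scenario()` returns one outcome per modelled test: the forced-isolation run fails in setup, the read-only run passes on the shared account, and the test that follows a mutating one finds the account already changed.
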
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/531450
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=87a71821f25c87bb40b7cad6a68b81b7cfd5432e
Submitter: Zuul
Branch: master

commit 87a71821f25c87bb40b7cad6a68b81b7cfd5432e
Author: Trevor McCasland <email address hidden>
Date: Fri Jan 5 11:45:49 2018 -0600

    no force_tenant_isolation in endpoint tests

    Setting force_tenant_isolation to False so these tests can be
    executed with pre-provisioned credentials and an LDAP backend.

    Change-Id: I9a4acbfdf282c8617e32d9fa3991ece28ae2bb4f
    Partial-Bug: #1714277

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Gage Hugo (gagehugo)
Changed in tempest:
assignee: Gage Hugo (gagehugo) → Trevor McCasland (twm2016)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524655

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524746

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Nicolas Helgeson (nhelgeson)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/525244
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=8d94885df02ea0a4826a1f271f011dfefd2c2ca9
Submitter: Zuul
Branch: master

commit 8d94885df02ea0a4826a1f271f011dfefd2c2ca9
Author: Trevor McCasland <email address hidden>
Date: Mon Dec 4 09:55:38 2017 -0600

    no force_tenant_isolation in DefaultDomainTestJSON

    No need for dynamic credentials to test showing the default domain.

    By setting this value to False, consumers with an immutable user source
    can execute this test.

    Depends-On: I83a9b8af775580d36a1141be55e9c1cc283a75b6
    Partial-Bug: #1714277
    Change-Id: Ib85691ae3f7b5a4d4a9da620b6ec46c44380ef03

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/628284
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=bd89841dc6106cd30789edd9879cd35011349481
Submitter: Zuul
Branch: master

commit bd89841dc6106cd30789edd9879cd35011349481
Author: Trevor McCasland <email address hidden>
Date: Thu Jan 17 10:04:40 2019 -0600

    Update v3 identity inherits tests to work w/ pre-prov

    I don't see any limitations by using pre-provisioned credentials
    for the tests:

    * test_inherit_assign_list_check_revoke_roles_on_domains_group
    * test_inherit_assign_check_revoke_roles_on_projects_group
    * test_inherit_assign_list_check_revoke_roles_on_domains_user
    * test_inherit_assign_list_check_revoke_roles_on_domains_group
    * test_inherit_assign_check_revoke_roles_on_projects_user
    * test_inherit_assign_list_revoke_user_roles_on_domain
    * test_inherit_assign_list_revoke_user_roles_on_project_tree

    By setting force_tenant_isolation=False these tests can now
    be executed with backends that don't allow user creation
    (immutable user source) like LDAP.

    Partial-Bug: #1714277

    Change-Id: I6b7bfbaef3355afede2adba56f342d5bfcbe3975

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/628211
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=7ea7e0a14e6bfdb01972c3cddc26326b12486214
Submitter: Zuul
Branch: master

commit 7ea7e0a14e6bfdb01972c3cddc26326b12486214
Author: Trevor McCasland <email address hidden>
Date: Thu Jan 17 11:35:39 2019 -0600

    update identity role tests to work w/ pre-prov

    I don't see any limitations by using pre-provisioned
    credentials for these tests:

    * test_role_create_update_show_list
    * test_list_roles
    * test_implied_roles_create_check_show_delete
    * test_roles_hierarchy
    * test_assignments_for_implied_roles_create_delete
    * test_domain_roles_create_delete
    * test_implied_domain_roles
    * test_assignments_for_domain_roles
    * test_list_all_implied_roles
    * test_grant_list_revoke_role_to_user_on_project
    * test_grant_list_revoke_role_to_user_on_domain
    * test_grant_list_revoke_role_to_group_on_project
    * test_grant_list_revoke_role_to_group_on_domain

    By setting force_tenant_isolation=False these tests can now
    be executed with backends that don't allow user creation
    (immutable user source) like LDAP.

    Partial-Bug: #1714277

    Change-Id: Id82f3b6187e878abe04a0aea9e7dbb9e8fb6360e

Revision history for this message
Martin Kopec (mkopec) wrote :

What is the status here? Is it still in progress? I see that a few patches got merged, can this be considered done?

Revision history for this message
Martin Kopec (mkopec) wrote :

Based on comment #17, the plan was to push patches addressing this issue in identity tests - the patches have been merged for 2 years.
Based on the merged patches and no activity since then I'm assuming this is done. If that's not the case, feel free to reopen it by providing more current info.

Changed in tempest:
status: In Progress → Fix Released