identity admin: dynamic credentials causes failures when using an immutable user source

Bug #1714277 reported by Trevor McCasland
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tempest
Fix Released
Undecided
Nicolas Helgeson

Bug Description

currently the identity admin tests based off BaseIdentityV3AdminTest and BaseIdentityV2AdminTest are forced to use dynamic credentials and cause failures in an immutable user source (like LDAP) when the dynamic credentials are created.

We would like to allow passing the configuration value (default behavior) for using dynamic credentials rather than overwriting them.

The same failure happens when a test user is created so we would like to limit test user creation to a minimum, using the pre-provisioned credentials instead, where-ever possible.

Revision history for this message
Trevor McCasland (twm2016) wrote :

Re identity v2 testing: i found using the rest_client results in a 404 too.. http://paste.openstack.org/show/620100/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/499756

Changed in tempest:
assignee: nobody → Trevor McCasland (twm2016)
status: New → In Progress
description: updated
summary: - roles: immutable user source causes failures when using dynamic
- credentials
+ identity admin: dynamic credentials causes failures when using an
+ immutable user source
Revision history for this message
Trevor McCasland (twm2016) wrote :

Can we discuss this bug in the comments here?

Changed in tempest:
status: In Progress → New
Changed in tempest:
status: New → In Progress
Revision history for this message
Trevor McCasland (twm2016) wrote :

admin tests are not a concern for interoperability based on feedback I got from ML.

Changed in tempest:
status: In Progress → Opinion
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/521981

Changed in tempest:
status: Opinion → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/499756
Reason: Breaking this up into changes at a per test basis. If the first one goes well I propose more, see for test_tokens test https://review.openstack.org/#/c/521981/

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/523976

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/525244

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/531450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/521981
Reason: Abandoning my patches with no activity for eight weeks - https://etherpad.openstack.org/p/qa-queens-retrospective

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/531450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/525244

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524655

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/523976
Reason: Abandoning my patches with no activity for eight weeks - https://etherpad.openstack.org/p/qa-queens-retrospective

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Changed in tempest:
assignee: Tin Lam (lamt) → Felipe Monteiro (fm577c)
Changed in tempest:
assignee: Felipe Monteiro (fm577c) → Tin Lam (lamt)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/521981
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=285b3f887ec4cbe5b4f6afe236c390b59f175c89
Submitter: Zuul
Branch: master

commit 285b3f887ec4cbe5b4f6afe236c390b59f175c89
Author: Trevor McCasland <email address hidden>
Date: Wed Nov 22 13:36:04 2017 -0600

    Move test_tokens test to static

    Letting os_primary be the user in this test case allows the token to
    authenticate, get and delete without having to create a test user. This
    allows the test to work with pre-provisioned credentials. Also moves the
    test to the non-admin directory because the test uses os_primary creds
    (for principle of least privilege).

    Partial-Bug: #1714277
    Co-Authored-By: Tin Lam <email address hidden>
    Change-Id: I55345132e0f461b36b08d222680a7e11eb945116

Changed in tempest:
assignee: Tin Lam (lamt) → Trevor McCasland (twm2016)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/581891

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Tin Lam (lamt)
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

Thanks for bug report. I am partially agree here.

Agree on not forcing the dynamic cred on tests which does not change the test account like GET etc.

Disagree on removing the forcing of dynamic cred for tests which are changing the test account in some extend. Changing the test cred can effect the other tests execution as same cred are shared among other tests when using pre provisioned accounts. That was the main reason to making all the identity admin tests to use force_tenant_isolation by default.

So this bug is valid and we will go case by case and evaluate the above criteria to decide whether we can remove the force_tenant_isolation from identity tests. I will review the proposed patches.

Changed in tempest:
assignee: Tin Lam (lamt) → Trevor McCasland (twm2016)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/531450
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=87a71821f25c87bb40b7cad6a68b81b7cfd5432e
Submitter: Zuul
Branch: master

commit 87a71821f25c87bb40b7cad6a68b81b7cfd5432e
Author: Trevor McCasland <email address hidden>
Date: Fri Jan 5 11:45:49 2018 -0600

    no force_tenant_isolation in endpoint tests

    Setting force_tenant_isolation to False so these tests can be
    executed with pre-provisioned credentials and an LDAP backend.

    Change-Id: I9a4acbfdf282c8617e32d9fa3991ece28ae2bb4f
    Partial-Bug: #1714277

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Gage Hugo (gagehugo)
Changed in tempest:
assignee: Gage Hugo (gagehugo) → Trevor McCasland (twm2016)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tempest (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524655

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/524746

Changed in tempest:
assignee: Trevor McCasland (twm2016) → Nicolas Helgeson (nhelgeson)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/525244
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=8d94885df02ea0a4826a1f271f011dfefd2c2ca9
Submitter: Zuul
Branch: master

commit 8d94885df02ea0a4826a1f271f011dfefd2c2ca9
Author: Trevor McCasland <email address hidden>
Date: Mon Dec 4 09:55:38 2017 -0600

    no force_tenant_isolation in DefaultDomainTestJSON

    No need for dynamic credentials to test showing the default domain.

    By setting this value to False, consumers with an immutable user source
    can execute this test.

    Depends-On: I83a9b8af775580d36a1141be55e9c1cc283a75b6
    Partial-Bug: #1714277
    Change-Id: Ib85691ae3f7b5a4d4a9da620b6ec46c44380ef03

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/628284
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=bd89841dc6106cd30789edd9879cd35011349481
Submitter: Zuul
Branch: master

commit bd89841dc6106cd30789edd9879cd35011349481
Author: Trevor McCasland <email address hidden>
Date: Thu Jan 17 10:04:40 2019 -0600

    Update v3 identity inherits tests to work w/ pre-prov

    I don't see any limitations by using pre-provisioned credentials
    for the tests:

    * test_inherit_assign_list_check_revoke_roles_on_domains_group
    * test_inherit_assign_check_revoke_roles_on_projects_group
    * test_inherit_assign_list_check_revoke_roles_on_domains_user
    * test_inherit_assign_list_check_revoke_roles_on_domains_group
    * test_inherit_assign_check_revoke_roles_on_projects_user
    * test_inherit_assign_list_revoke_user_roles_on_domain
    * test_inherit_assign_list_revoke_user_roles_on_project_tree

    By setting force_tenant_isolation=False these tests now be
    can executed with backends that don't allow user creation
    (immutable user source) like LDAP.

    Partial-Bug: #1714277

    Change-Id: I6b7bfbaef3355afede2adba56f342d5bfcbe3975

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/628211
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=7ea7e0a14e6bfdb01972c3cddc26326b12486214
Submitter: Zuul
Branch: master

commit 7ea7e0a14e6bfdb01972c3cddc26326b12486214
Author: Trevor McCasland <email address hidden>
Date: Thu Jan 17 11:35:39 2019 -0600

    update identity role tests to work w/ pre-prov

    I don't see any limitations by using pre-provisioned
    credentials for these tests:

    * test_role_create_update_show_list
    * test_list_roles
    * test_implied_roles_create_check_show_delete
    * test_roles_hierarchy
    * test_assignments_for_implied_roles_create_delete
    * test_domain_roles_create_delete
    * test_implied_domain_roles
    * test_assignments_for_domain_roles
    * test_list_all_implied_roles
    * test_grant_list_revoke_role_to_user_on_project
    * test_grant_list_revoke_role_to_user_on_domain
    * test_grant_list_revoke_role_to_group_on_project
    * test_grant_list_revoke_role_to_group_on_domain

    By setting force_tenant_isolation=False these tests now be
    can executed with backends that don't allow user creation
    (immutable user source) like LDAP.

    Partial-Bug: #1714277

    Change-Id: Id82f3b6187e878abe04a0aea9e7dbb9e8fb6360e

Revision history for this message
Martin Kopec (mkopec) wrote :

What is the status here? Is it still in progress? I see that a few patches got merged, can this be considered done?

Revision history for this message
Martin Kopec (mkopec) wrote :

Based on comment #17, the plan was to push patches addressing this issue in identity tests - the patches have been merged for 2 years.
Based on the merged patches and no activity since then I'm assuming this is done. If that's not the case, feel free to reopen it by providing more current info.

Changed in tempest:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers