Prerequisite: Please make sure you have an OpenStack IceHouse instance and configured it with Keystone V3. Also, my experimental OpenStack instance has cloud_admin set in policy.json as:
"cloud_admin": "rule:admin_required and domain_id:default",
Get the latest tempest resources from GitHub:
Image may be NSFW.
Clik here to view.
Create a configuration file “tempest/etc/tempest.conf” for tempest using the sample file from “tempest/etc/tempest.conf.sample”.
Image may be NSFW.
Clik here to view.
Sample configuration file has all the configurations commented out. Here is the list of all required configuration options for running testing identity V3 API:
[idenitity] # Full URI of the OpenStack Identity API (Keystone), v2 uri=http://10.0.2.15:5000/v2.0/ # Full URI of the OpenStack Identity API (Keystone), v3 uri_v3=http://10.0.2.15:5000/v3/ # Identity API version to be used for authentication for API tests. auth_version=v3 # Admin username username=admin # API key to use when authenticating. password=openstack # Domain name for authentication (Keystone V3).The same domain # applies to user and project. domain_name=Default # Role required to administrate keystone. admin_role=admin # Administrative Username to use for Keystone API requests. admin_username=admin # API key to use when authenticating as admin. admin_password=openstack # Admin domain name for authentication (Keystone V3).The same # domain applies to user and project. admin_domain_name=Default # The endpoint type to use for the identity service. endpoint_type=publicURL # Catalog type of the Identity service. catalog_type=identity [identity-feature-enabled] # Is the v3 identity API enabled (boolean value) api_v3=true
Always run tests in virtualenv which is created automatically with all the necessary dependencies with run_tempest.sh script.
Image may be NSFW.
Clik here to view.
Ideally, the latest tempest test cases from github should be executed successfully. But I was running into few permissions issues. I modified few tempest source files and here is the list of changes I made:
CHANGE-01: tempest/tempest/services/identity/v3/json/identity_client.py
Updated def auth() from V3TokenClientJSON class:
Original:
if tenant is not None: _domain = dict(name=domain) project = dict(name=tenant, domain=_domain) scope = dict(project=project) creds['auth']['scope'] = scope
Changed to:
if tenant is not None: _domain = dict(name=domain) scope = dict(domain=_domain) creds['auth']['scope'] = scope
Rationale: This change is modifying scope of a token. Setting the token scope to domain level instead of project level. For admin operations like creating/updating/deleting projects, creating/updating users, authentication token should have domain level scope. This might not be the ideal fix as token scope is changed and set to domain level for all test cases. The same reason applies to the following change.
Also, notice that we have not specified tenant_name and admin_tenant_name in tempest.conf which are mandatory without these changes.
CHANGE-02: tempest/tempest/services/identity/v3/xml/identity_client.py
Updated def auth() from V3TokenClientXML class:
Original:
if tenant is not None: project = common.Element('project', name=tenant) _domain = common.Element('domain', name=domain) project.append(_domain) scope = common.Element('scope') scope.append(project) auth.append(scope)
Changed to:
if tenant is not None: _domain = common.Element('domain', name=domain) scope = common.Element('scope') scope.append(_domain) auth.append(scope)
CHANGE-03: tempest/tempest /auth.py
Updated def _fill_credentials() from KeystoneV3AuthProvider class.
Original:
if domain is not None: if self.credentials.domain_id is None: self.credentials.domain_id = domain['id'] if self.credentials.domain_name is None: self.credentials.domain_name = domain['name']
Changed to:
if domain is not None: if self.credentials.user_domain_id is None: self.credentials.user_domain_id = domain['id'] if self.credentials.user_domain_name is None: self.credentials.user_domain_name = domain['name']
Rationale: After changing scope of authentication tokens, credentials object is changed to use appropriate attributes, user_domain_id and user_domain_name.
CHANGE-04: tempest/tempest/api/identity/base.py
Updated def _try_wrapper() from DataGenerator class.
Original:
try: if kwargs: func(item['id'], kwargs)
Changed to:
try: if kwargs: func(item['id'], **kwargs)
Rationale: This function has typo and kwargs should be passed as a packed dictionary. I have a Launchpad bug created for this change here.
Now, try and execute tempest test cases with run_tempest.sh:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
You can also run tests in debug mode using –d option, like:
./run_tempest.sh -d tempest.api.identity.admin.v3.test_domains
Good luck with Tempest and Keystone V3 !