Merge "Split out roles client from keystone identity client"
diff --git a/tempest/api/identity/admin/v2/test_roles.py b/tempest/api/identity/admin/v2/test_roles.py
index 8702db7..e547bdd 100644
--- a/tempest/api/identity/admin/v2/test_roles.py
+++ b/tempest/api/identity/admin/v2/test_roles.py
@@ -27,7 +27,7 @@
super(RolesTestJSON, cls).resource_setup()
for _ in moves.xrange(5):
role_name = data_utils.rand_name(name='role')
- role = cls.client.create_role(role_name)['role']
+ role = cls.roles_client.create_role(role_name)['role']
cls.data.roles.append(role)
def _get_role_params(self):
@@ -48,7 +48,7 @@
@test.idempotent_id('75d9593f-50b7-4fcf-bd64-e3fb4a278e23')
def test_list_roles(self):
"""Return a list of all roles."""
- body = self.client.list_roles()['roles']
+ body = self.roles_client.list_roles()['roles']
found = [role for role in body if role in self.data.roles]
self.assertTrue(any(found))
self.assertEqual(len(found), len(self.data.roles))
@@ -57,16 +57,16 @@
def test_role_create_delete(self):
"""Role should be created, verified, and deleted."""
role_name = data_utils.rand_name(name='role-test')
- body = self.client.create_role(role_name)['role']
+ body = self.roles_client.create_role(role_name)['role']
self.assertEqual(role_name, body['name'])
- body = self.client.list_roles()['roles']
+ body = self.roles_client.list_roles()['roles']
found = [role for role in body if role['name'] == role_name]
self.assertTrue(any(found))
- body = self.client.delete_role(found[0]['id'])
+ body = self.roles_client.delete_role(found[0]['id'])
- body = self.client.list_roles()['roles']
+ body = self.roles_client.list_roles()['roles']
found = [role for role in body if role['name'] == role_name]
self.assertFalse(any(found))
@@ -76,7 +76,7 @@
self.data.setup_test_role()
role_id = self.data.role['id']
role_name = self.data.role['name']
- body = self.client.show_role(role_id)['role']
+ body = self.roles_client.show_role(role_id)['role']
self.assertEqual(role_id, body['id'])
self.assertEqual(role_name, body['name'])
@@ -84,24 +84,28 @@
def test_assign_user_role(self):
"""Assign a role to a user on a tenant."""
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'], user['id'], role['id'])
- roles = self.client.list_user_roles(tenant['id'], user['id'])['roles']
+ self.roles_client.assign_user_role(tenant['id'], user['id'],
+ role['id'])
+ roles = self.roles_client.list_user_roles(tenant['id'],
+ user['id'])['roles']
self.assert_role_in_role_list(role, roles)
@test.idempotent_id('f0b9292c-d3ba-4082-aa6c-440489beef69')
def test_remove_user_role(self):
"""Remove a role assigned to a user on a tenant."""
(user, tenant, role) = self._get_role_params()
- user_role = self.client.assign_user_role(tenant['id'],
- user['id'],
- role['id'])['role']
- self.client.delete_user_role(tenant['id'], user['id'],
- user_role['id'])
+ user_role = self.roles_client.assign_user_role(tenant['id'],
+ user['id'],
+ role['id'])['role']
+ self.roles_client.delete_user_role(tenant['id'], user['id'],
+ user_role['id'])
@test.idempotent_id('262e1e3e-ed71-4edd-a0e5-d64e83d66d05')
def test_list_user_roles(self):
"""List roles assigned to a user on tenant."""
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'], user['id'], role['id'])
- roles = self.client.list_user_roles(tenant['id'], user['id'])['roles']
+ self.roles_client.assign_user_role(tenant['id'], user['id'],
+ role['id'])
+ roles = self.roles_client.list_user_roles(tenant['id'],
+ user['id'])['roles']
self.assert_role_in_role_list(role, roles)
diff --git a/tempest/api/identity/admin/v2/test_roles_negative.py b/tempest/api/identity/admin/v2/test_roles_negative.py
index 45c95df..a57163d 100644
--- a/tempest/api/identity/admin/v2/test_roles_negative.py
+++ b/tempest/api/identity/admin/v2/test_roles_negative.py
@@ -37,7 +37,7 @@
def test_list_roles_by_unauthorized_user(self):
# Non-administrator user should not be able to list roles
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.list_roles)
+ self.non_admin_roles_client.list_roles)
@test.attr(type=['negative'])
@test.idempotent_id('11a3c7da-df6c-40c2-abc2-badd682edf9f')
@@ -45,14 +45,15 @@
# Request to list roles without a valid token should fail
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
- self.assertRaises(lib_exc.Unauthorized, self.client.list_roles)
+ self.assertRaises(lib_exc.Unauthorized, self.roles_client.list_roles)
self.client.auth_provider.clear_auth()
@test.attr(type=['negative'])
@test.idempotent_id('c0b89e56-accc-4c73-85f8-9c0f866104c1')
def test_role_create_blank_name(self):
# Should not be able to create a role with a blank name
- self.assertRaises(lib_exc.BadRequest, self.client.create_role, '')
+ self.assertRaises(lib_exc.BadRequest, self.roles_client.create_role,
+ '')
@test.attr(type=['negative'])
@test.idempotent_id('585c8998-a8a4-4641-a5dd-abef7a8ced00')
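Review bot: `self.client.auth_provider.clear_auth()` at the end of the list-roles-without-token test only runs when the `assertRaises` before it passes, so a failing assertion leaves the deleted token cached for whatever test runs next. The test also depends on `self.roles_client` sharing its auth provider with `self.client`, which the `clients.py` hunk suggests but this file does not state. Register the reset up front with `self.addCleanup(self.client.auth_provider.clear_auth)` right after `get_token()`, or use the `try`/`finally` already present in the `@@ -239,7` hunk. The same pattern appears in the `@@ -70,7`, `@@ -89,24`, `@@ -136,7` and `@@ -185,13` hunks. The test method starts above this hunk.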
@@ -60,7 +61,7 @@
# Non-administrator user should not be able to create role
role_name = data_utils.rand_name(name='role')
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.create_role, role_name)
+ self.non_admin_roles_client.create_role, role_name)
@test.attr(type=['negative'])
@test.idempotent_id('a7edd17a-e34a-4aab-8bb7-fa6f498645b8')
@@ -70,7 +71,7 @@
self.client.delete_token(token)
role_name = data_utils.rand_name(name='role')
self.assertRaises(lib_exc.Unauthorized,
- self.client.create_role, role_name)
+ self.roles_client.create_role, role_name)
self.client.auth_provider.clear_auth()
@test.attr(type=['negative'])
@@ -78,10 +79,10 @@
def test_role_create_duplicate(self):
# Role names should be unique
role_name = data_utils.rand_name(name='role-dup')
- body = self.client.create_role(role_name)['role']
+ body = self.roles_client.create_role(role_name)['role']
role1_id = body.get('id')
- self.addCleanup(self.client.delete_role, role1_id)
- self.assertRaises(lib_exc.Conflict, self.client.create_role,
+ self.addCleanup(self.roles_client.delete_role, role1_id)
+ self.assertRaises(lib_exc.Conflict, self.roles_client.create_role,
role_name)
@test.attr(type=['negative'])
@@ -89,24 +90,24 @@
def test_delete_role_by_unauthorized_user(self):
# Non-administrator user should not be able to delete role
role_name = data_utils.rand_name(name='role')
- body = self.client.create_role(role_name)['role']
+ body = self.roles_client.create_role(role_name)['role']
self.data.roles.append(body)
role_id = body.get('id')
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.delete_role, role_id)
+ self.non_admin_roles_client.delete_role, role_id)
@test.attr(type=['negative'])
@test.idempotent_id('44b60b20-70de-4dac-beaf-a3fc2650a16b')
def test_delete_role_request_without_token(self):
# Request to delete role without a valid token should fail
role_name = data_utils.rand_name(name='role')
- body = self.client.create_role(role_name)['role']
+ body = self.roles_client.create_role(role_name)['role']
self.data.roles.append(body)
role_id = body.get('id')
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
- self.client.delete_role,
+ self.roles_client.delete_role,
role_id)
self.client.auth_provider.clear_auth()
@@ -115,7 +116,7 @@
def test_delete_role_non_existent(self):
# Attempt to delete a non existent role should fail
non_existent_role = str(uuid.uuid4().hex)
- self.assertRaises(lib_exc.NotFound, self.client.delete_role,
+ self.assertRaises(lib_exc.NotFound, self.roles_client.delete_role,
non_existent_role)
@test.attr(type=['negative'])
@@ -125,7 +126,7 @@
# assign a role to user
(user, tenant, role) = self._get_role_params()
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.assign_user_role,
+ self.non_admin_roles_client.assign_user_role,
tenant['id'], user['id'], role['id'])
@test.attr(type=['negative'])
@@ -136,7 +137,7 @@
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
- self.client.assign_user_role, tenant['id'],
+ self.roles_client.assign_user_role, tenant['id'],
user['id'], role['id'])
self.client.auth_provider.clear_auth()
@@ -146,7 +147,7 @@
# Attempt to assign a non existent role to user should fail
(user, tenant, role) = self._get_role_params()
non_existent_role = str(uuid.uuid4().hex)
- self.assertRaises(lib_exc.NotFound, self.client.assign_user_role,
+ self.assertRaises(lib_exc.NotFound, self.roles_client.assign_user_role,
tenant['id'], user['id'], non_existent_role)
@test.attr(type=['negative'])
@@ -155,7 +156,7 @@
# Attempt to assign a role on a non existent tenant should fail
(user, tenant, role) = self._get_role_params()
non_existent_tenant = str(uuid.uuid4().hex)
- self.assertRaises(lib_exc.NotFound, self.client.assign_user_role,
+ self.assertRaises(lib_exc.NotFound, self.roles_client.assign_user_role,
non_existent_tenant, user['id'], role['id'])
@test.attr(type=['negative'])
@@ -163,8 +164,9 @@
def test_assign_duplicate_user_role(self):
# Duplicate user role should not get assigned
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'], user['id'], role['id'])
- self.assertRaises(lib_exc.Conflict, self.client.assign_user_role,
+ self.roles_client.assign_user_role(tenant['id'], user['id'],
+ role['id'])
+ self.assertRaises(lib_exc.Conflict, self.roles_client.assign_user_role,
tenant['id'], user['id'], role['id'])
@test.attr(type=['negative'])
@@ -173,11 +175,11 @@
# Non-administrator user should not be authorized to
# remove a user's role
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'],
- user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant['id'],
+ user['id'],
+ role['id'])
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.delete_user_role,
+ self.non_admin_roles_client.delete_user_role,
tenant['id'], user['id'], role['id'])
@test.attr(type=['negative'])
@@ -185,13 +187,13 @@
def test_remove_user_role_request_without_token(self):
# Request to remove a user's role without a valid token
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'],
- user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant['id'],
+ user['id'],
+ role['id'])
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
- self.client.delete_user_role, tenant['id'],
+ self.roles_client.delete_user_role, tenant['id'],
user['id'], role['id'])
self.client.auth_provider.clear_auth()
@@ -200,11 +202,11 @@
def test_remove_user_role_non_existent_role(self):
# Attempt to delete a non existent role from a user should fail
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'],
- user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant['id'],
+ user['id'],
+ role['id'])
non_existent_role = str(uuid.uuid4().hex)
- self.assertRaises(lib_exc.NotFound, self.client.delete_user_role,
+ self.assertRaises(lib_exc.NotFound, self.roles_client.delete_user_role,
tenant['id'], user['id'], non_existent_role)
@test.attr(type=['negative'])
@@ -212,11 +214,11 @@
def test_remove_user_role_non_existent_tenant(self):
# Attempt to remove a role from a non existent tenant should fail
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'],
- user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant['id'],
+ user['id'],
+ role['id'])
non_existent_tenant = str(uuid.uuid4().hex)
- self.assertRaises(lib_exc.NotFound, self.client.delete_user_role,
+ self.assertRaises(lib_exc.NotFound, self.roles_client.delete_user_role,
non_existent_tenant, user['id'], role['id'])
@test.attr(type=['negative'])
@@ -225,10 +227,11 @@
# Non-administrator user should not be authorized to list
# a user's roles
(user, tenant, role) = self._get_role_params()
- self.client.assign_user_role(tenant['id'], user['id'], role['id'])
+ self.roles_client.assign_user_role(tenant['id'], user['id'],
+ role['id'])
self.assertRaises(lib_exc.Forbidden,
- self.non_admin_client.list_user_roles, tenant['id'],
- user['id'])
+ self.non_admin_roles_client.list_user_roles,
+ tenant['id'], user['id'])
@test.attr(type=['negative'])
@test.idempotent_id('682adfb2-fd5f-4b0a-a9ca-322e9bebb907')
@@ -239,7 +242,7 @@
self.client.delete_token(token)
try:
self.assertRaises(lib_exc.Unauthorized,
- self.client.list_user_roles, tenant['id'],
+ self.roles_client.list_user_roles, tenant['id'],
user['id'])
finally:
self.client.auth_provider.clear_auth()
diff --git a/tempest/api/identity/admin/v2/test_tokens.py b/tempest/api/identity/admin/v2/test_tokens.py
index 0daa66d..e752b02 100644
--- a/tempest/api/identity/admin/v2/test_tokens.py
+++ b/tempest/api/identity/admin/v2/test_tokens.py
@@ -77,15 +77,15 @@
# Create a role
role_name = data_utils.rand_name(name='role')
- role = self.client.create_role(role_name)['role']
+ role = self.roles_client.create_role(role_name)['role']
self.data.roles.append(role)
# Grant the user the role on the tenants.
- self.client.assign_user_role(tenant1['id'], user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant1['id'], user['id'],
+ role['id'])
- self.client.assign_user_role(tenant2['id'], user['id'],
- role['id'])
+ self.roles_client.assign_user_role(tenant2['id'], user['id'],
+ role['id'])
# Get an unscoped token.
body = self.token_client.auth(user_name, user_password)
diff --git a/tempest/api/identity/admin/v2/test_users.py b/tempest/api/identity/admin/v2/test_users.py
index 9cf1ce0..2e9714e 100644
--- a/tempest/api/identity/admin/v2/test_users.py
+++ b/tempest/api/identity/admin/v2/test_users.py
@@ -170,8 +170,8 @@
user_ids = list()
fetched_user_ids = list()
user_ids.append(user['id'])
- role = self.client.assign_user_role(tenant['id'], user['id'],
- role['id'])['role']
+ role = self.roles_client.assign_user_role(tenant['id'], user['id'],
+ role['id'])['role']
alt_user2 = data_utils.rand_name('second_user')
alt_password2 = data_utils.rand_password()
@@ -180,9 +180,9 @@
'user2@123')['user']
user_ids.append(second_user['id'])
self.data.users.append(second_user)
- role = self.client.assign_user_role(tenant['id'],
- second_user['id'],
- role['id'])['role']
+ role = self.roles_client.assign_user_role(tenant['id'],
+ second_user['id'],
+ role['id'])['role']
# List of users with roles for the respective tenant ID
body = (self.tenants_client.list_tenant_users(self.data.tenant['id'])
['users'])
diff --git a/tempest/api/identity/base.py b/tempest/api/identity/base.py
index 8359b8f..1a4c8bb 100644
--- a/tempest/api/identity/base.py
+++ b/tempest/api/identity/base.py
@@ -56,7 +56,7 @@
@classmethod
def get_role_by_name(cls, name):
- roles = cls.client.list_roles()['roles']
+ roles = cls.roles_client.list_roles()['roles']
role = [r for r in roles if r['name'] == name]
if len(role) > 0:
return role[0]
@@ -76,6 +76,7 @@
cls.non_admin_client = cls.os.identity_public_client
cls.non_admin_token_client = cls.os.token_client
cls.non_admin_tenants_client = cls.os.tenants_public_client
+ cls.non_admin_roles_client = cls.os.roles_public_client
@classmethod
def resource_setup(cls):
@@ -98,11 +99,14 @@
cls.token_client = cls.os_adm.token_client
cls.tenants_client = cls.os_adm.tenants_client
cls.non_admin_tenants_client = cls.os.tenants_client
+ cls.roles_client = cls.os_adm.roles_client
+ cls.non_admin_roles_client = cls.os.roles_client
@classmethod
def resource_setup(cls):
super(BaseIdentityV2AdminTest, cls).resource_setup()
- cls.data = DataGenerator(cls.client, cls.tenants_client)
+ cls.data = DataGenerator(cls.client, cls.tenants_client,
+ cls.roles_client)
@classmethod
def resource_cleanup(cls):
@@ -187,10 +191,11 @@
class DataGenerator(object):
- def __init__(self, client, tenants_client=None):
+ def __init__(self, client, tenants_client=None, roles_client=None):
self.client = client
# TODO(dmellado) split Datagenerator for v2 and v3
self.tenants_client = tenants_client
+ self.roles_client = roles_client
self.users = []
self.tenants = []
self.roles = []
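Review bot: `roles_client` defaults to `None` in `DataGenerator.__init__`, but `setup_test_role` and the role loop in the teardown hunk (`@@ -294,7`) now call `self.roles_client` unconditionally. A generator built with only `client` fails with `AttributeError: 'NoneType' object has no attribute 'create_role'`, well away from the construction site. If the default exists only for the v3 path, which the TODO hints at, say so in a comment such as `# roles_client is required for the v2 role helpers; v3 callers leave it None`, or raise a clear error in `setup_test_role` when it is unset. The rest of the class is outside this hunk.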
@@ -232,7 +237,7 @@
def setup_test_role(self):
"""Set up a test role."""
self.test_role = data_utils.rand_name('role')
- self.role = self.client.create_role(self.test_role)['role']
+ self.role = self.roles_client.create_role(self.test_role)['role']
self.roles.append(self.role)
def setup_test_v3_user(self):
@@ -294,7 +299,7 @@
for tenant in self.tenants:
self._try_wrapper(self.tenants_client.delete_tenant, tenant)
for role in self.roles:
- self._try_wrapper(self.client.delete_role, role)
+ self._try_wrapper(self.roles_client.delete_role, role)
for v3_user in self.v3_users:
self._try_wrapper(self.client.delete_user, v3_user)
for v3_project in self.projects:
diff --git a/tempest/clients.py b/tempest/clients.py
index 74f8684..a837ce1 100644
--- a/tempest/clients.py
+++ b/tempest/clients.py
@@ -89,6 +89,8 @@
DatabaseVersionsClient
from tempest.services.identity.v2.json.identity_client import \
IdentityClient
+from tempest.services.identity.v2.json.roles_client import \
+ RolesClient
from tempest.services.identity.v2.json.tenants_client import \
TenantsClient
from tempest.services.identity.v3.json.credentials_client import \
@@ -437,6 +439,8 @@
**params_v2_admin)
self.tenants_client = TenantsClient(self.auth_provider,
**params_v2_admin)
+ self.roles_client = RolesClient(self.auth_provider,
+ **params_v2_admin)
params_v2_public = params.copy()
params_v2_public['endpoint_type'] = (
CONF.identity.v2_public_endpoint_type)
@@ -445,6 +449,8 @@
**params_v2_public)
self.tenants_public_client = TenantsClient(self.auth_provider,
**params_v2_public)
+ self.roles_public_client = RolesClient(self.auth_provider,
+ **params_v2_public)
params_v3 = params.copy()
params_v3['endpoint_type'] = CONF.identity.v3_endpoint_type
# Clients below use the endpoint type of Keystone API v3
diff --git a/tempest/cmd/account_generator.py b/tempest/cmd/account_generator.py
index 64c9b00..297a066 100755
--- a/tempest/cmd/account_generator.py
+++ b/tempest/cmd/account_generator.py
@@ -93,6 +93,7 @@
from tempest import config
from tempest import exceptions as exc
from tempest.services.identity.v2.json import identity_client
+from tempest.services.identity.v2.json import roles_client
from tempest.services.identity.v2.json import tenants_client
from tempest.services.network.json import network_client
from tempest.services.network.json import networks_client
@@ -146,6 +147,13 @@
endpoint_type='adminURL',
**params
)
+ roles_admin = roles_client.RolesClient(
+ _auth,
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ endpoint_type='adminURL',
+ **params
+ )
network_admin = None
networks_admin = None
subnets_admin = None
@@ -171,14 +179,14 @@
CONF.network.region or CONF.identity.region,
endpoint_type='adminURL',
**params)
- return (identity_admin, tenants_admin, neutron_iso_networks, network_admin,
- networks_admin, subnets_admin)
+ return (identity_admin, tenants_admin, roles_admin, neutron_iso_networks,
+ network_admin, networks_admin, subnets_admin)
def create_resources(opts, resources):
- (identity_admin, tenants_admin, neutron_iso_networks,
+ (identity_admin, tenants_admin, roles_admin, neutron_iso_networks,
network_admin, networks_admin, subnets_admin) = get_admin_clients(opts)
- roles = identity_admin.list_roles()['roles']
+ roles = roles_admin.list_roles()['roles']
for u in resources['users']:
u['role_ids'] = []
for r in u.get('roles', ()):
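Review bot: Inserting `roles_admin` in the middle of the tuple returned by `get_admin_clients` shifts every later element. A caller that still unpacks six names raises `ValueError`, and one that indexes by position gets a different client. Only `create_resources` is visible as a caller here, so this is worth a grep before merging. `_get_admin_clients` in `dynamic_creds.py` (hunk `@@ -83,10`) grows its positional tuple the same way. Returning a `collections.namedtuple` (or at least appending the new client at the end) would keep the next client split from needing the same lock-step edits.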
@@ -240,7 +248,7 @@
continue
for r in u['role_ids']:
try:
- identity_admin.assign_user_role(tenant['id'], user['id'], r)
+ roles_admin.assign_user_role(tenant['id'], user['id'], r)
except tempest_lib.exceptions.Conflict:
# don't care if it's already assigned
pass
diff --git a/tempest/cmd/cleanup.py b/tempest/cmd/cleanup.py
index 1c8ddcb..3c32d48 100644
--- a/tempest/cmd/cleanup.py
+++ b/tempest/cmd/cleanup.py
@@ -177,6 +177,7 @@
def _init_admin_ids(self):
id_cl = self.admin_mgr.identity_client
+ rl_cl = self.admin_mgr.roles_client
tenant = identity.get_tenant_by_name(id_cl,
CONF.auth.admin_tenant_name)
@@ -186,7 +187,7 @@
CONF.auth.admin_username)
self.admin_id = user['id']
- roles = id_cl.list_roles()['roles']
+ roles = rl_cl.list_roles()['roles']
for role in roles:
if role['name'] == CONF.identity.admin_role:
self.admin_role_id = role['id']
@@ -221,8 +222,9 @@
def _add_admin(self, tenant_id):
id_cl = self.admin_mgr.identity_client
+ rl_cl = self.admin_mgr.roles_client
needs_role = True
- roles = id_cl.list_user_roles(tenant_id, self.admin_id)['roles']
+ roles = rl_cl.list_user_roles(tenant_id, self.admin_id)['roles']
for role in roles:
if role['id'] == self.admin_role_id:
needs_role = False
diff --git a/tempest/cmd/cleanup_service.py b/tempest/cmd/cleanup_service.py
index b5b78c6..032b8b4 100644
--- a/tempest/cmd/cleanup_service.py
+++ b/tempest/cmd/cleanup_service.py
@@ -857,10 +857,13 @@
class RoleService(IdentityService):
+ def __init__(self, manager, **kwargs):
+ super(RoleService, self).__init__(kwargs)
+ self.client = manager.roles_client
+
def list(self):
- client = self.client
try:
- roles = client.list_roles()['roles']
+ roles = self.client.list_roles()['roles']
# reconcile roles with saved state and never list admin role
if not self.is_save_state:
roles = [role for role in roles if
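Review bot: `super(RoleService, self).__init__(kwargs)` hands the kwargs dict to `IdentityService.__init__` as its first positional argument, and that parent's signature is not visible in this hunk. If the parent is declared like this new `__init__` (`manager, **kwargs`), the dict is bound to `manager` and the parent would look up its client attribute on a dict. Either pass the manager through with `super(RoleService, self).__init__(manager, **kwargs)`, or confirm that the parent takes a single dict and note that in a comment.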
@@ -874,11 +877,10 @@
return []
def delete(self):
- client = self.client
roles = self.list()
for role in roles:
try:
- client.delete_role(role['id'])
+ self.client.delete_role(role['id'])
except Exception:
LOG.exception("Delete Role exception.")
diff --git a/tempest/cmd/javelin.py b/tempest/cmd/javelin.py
index 826d8e8..9084b26 100755
--- a/tempest/cmd/javelin.py
+++ b/tempest/cmd/javelin.py
@@ -128,6 +128,7 @@
from tempest.services.compute.json import security_group_rules_client
from tempest.services.compute.json import servers_client
from tempest.services.identity.v2.json import identity_client
+from tempest.services.identity.v2.json import roles_client
from tempest.services.identity.v2.json import tenants_client
from tempest.services.image.v2.json import images_client
from tempest.services.network.json import network_client
@@ -206,6 +207,12 @@
CONF.identity.region,
endpoint_type='adminURL',
**default_params_with_timeout_values)
+ self.roles = roles_client.RolesClient(
+ _auth,
+ CONF.identity.catalog_type,
+ CONF.identity.region,
+ endpoint_type='adminURL',
+ **default_params_with_timeout_values)
self.servers = servers_client.ServersClient(_auth,
**compute_params)
self.flavors = flavors_client.FlavorsClient(_auth,
@@ -339,11 +346,11 @@
def _assign_swift_role(user, swift_role):
admin = keystone_admin()
- roles = admin.identity.list_roles()
+ roles = admin.roles.list_roles()
role = next(r for r in roles if r['name'] == swift_role)
LOG.debug(USERS[user])
try:
- admin.identity.assign_user_role(
+ admin.roles.assign_user_role(
USERS[user]['tenant_id'],
USERS[user]['id'],
role['id'])
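Review bot: `roles = admin.roles.list_roles()` keeps the whole response, while `RolesClient.list_roles` returns a `ResponseBody` and every other caller in this change indexes `['roles']` before iterating. Assuming `ResponseBody` behaves like the dict it wraps, the `next(...)` on the following line walks the body's keys and `r['name']` fails on a string. Use `roles = admin.roles.list_roles()['roles']`. `next()` without a default also surfaces a bare `StopIteration` when the swift role does not exist; an explicit error naming `swift_role` would be easier to diagnose. `_assign_swift_role` continues past the end of this hunk.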
diff --git a/tempest/common/cred_client.py b/tempest/common/cred_client.py
index 94515dc..a33732e 100644
--- a/tempest/common/cred_client.py
+++ b/tempest/common/cred_client.py
@@ -31,12 +31,14 @@
admin credentials used for generating credentials.
"""
- def __init__(self, identity_client, projects_client=None):
+ def __init__(self, identity_client, projects_client=None,
+ roles_client=None):
# The client implies version and credentials
self.identity_client = identity_client
# this is temporary until the v3 project client is
# separated, then projects_client will become mandatory
self.projects_client = projects_client or identity_client
+ self.roles_client = roles_client or identity_client
def create_user(self, username, password, project, email):
user = self.identity_client.create_user(
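Review bot: The fallback `self.roles_client = roles_client or identity_client` only works when the identity client still has the role methods, and this same change removes them from the v2 `IdentityClient`. A v2 caller that omits `roles_client` therefore gets an object that fails with `AttributeError` on the first `create_role`/`list_roles`/`assign_user_role` call rather than at construction. If the fallback is meant for the v3 client only (not visible here), say so next to it, mirroring the existing `projects_client` comment: `# temporary until the v3 roles client is separated; v2 callers must pass roles_client`.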
@@ -59,7 +61,7 @@
def create_user_role(self, role_name):
if not self._check_role_exists(role_name):
- self.identity_client.create_role(role_name)
+ self.roles_client.create_role(role_name)
def assign_user_role(self, user, project, role_name):
role = self._check_role_exists(role_name)
@@ -67,8 +69,8 @@
msg = 'No "%s" role found' % role_name
raise lib_exc.NotFound(msg)
try:
- self.identity_client.assign_user_role(project['id'], user['id'],
- role['id'])
+ self.roles_client.assign_user_role(project['id'], user['id'],
+ role['id'])
except lib_exc.Conflict:
LOG.debug("Role %s already assigned on project %s for user %s" % (
role['id'], project['id'], user['id']))
@@ -88,14 +90,16 @@
self.identity_client.delete_user(user_id)
def _list_roles(self):
- roles = self.identity_client.list_roles()['roles']
+ roles = self.roles_client.list_roles()['roles']
return roles
class V2CredsClient(CredsClient):
- def __init__(self, identity_client, projects_client):
- super(V2CredsClient, self).__init__(identity_client, projects_client)
+ def __init__(self, identity_client, projects_client, roles_client):
+ super(V2CredsClient, self).__init__(identity_client,
+ projects_client,
+ roles_client)
def create_project(self, name, description):
tenant = self.projects_client.create_tenant(
@@ -160,8 +164,9 @@
def get_creds_client(identity_client,
projects_client=None,
+ roles_client=None,
project_domain_name=None):
if isinstance(identity_client, v2_identity.IdentityClient):
- return V2CredsClient(identity_client, projects_client)
+ return V2CredsClient(identity_client, projects_client, roles_client)
else:
return V3CredsClient(identity_client, project_domain_name)
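Review bot: `roles_client` is inserted ahead of `project_domain_name` in `get_creds_client`, so any existing call that passes the domain name as the third positional argument now binds it to `roles_client`, and the v3 branch then receives `project_domain_name=None`. The callers visible in this change are safe (`dynamic_creds.py` was updated to four positionals, `test.py` uses the keyword), but callers outside the diff cannot be checked from here. Appending the new parameter after `project_domain_name=None` and passing it by keyword would avoid the silent rebind.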
diff --git a/tempest/common/dynamic_creds.py b/tempest/common/dynamic_creds.py
index 813d94f..c52aa41 100644
--- a/tempest/common/dynamic_creds.py
+++ b/tempest/common/dynamic_creds.py
@@ -58,6 +58,7 @@
self.ports = []
self.default_admin_creds = admin_creds
(self.identity_admin_client, self.tenants_admin_client,
+ self.roles_admin_client,
self.network_admin_client,
self.networks_admin_client,
self.subnets_admin_client,
@@ -72,6 +73,7 @@
self.creds_client = cred_client.get_creds_client(
self.identity_admin_client,
self.tenants_admin_client,
+ self.roles_admin_client,
self.creds_domain_name)
def _get_admin_clients(self):
@@ -83,10 +85,11 @@
"""
os = clients.Manager(self.default_admin_creds)
if self.identity_version == 'v2':
- return (os.identity_client, os.tenants_client, os.network_client,
- os.networks_client, os.subnets_client, os.ports_client)
+ return (os.identity_client, os.tenants_client, os.roles_client,
+ os.network_client, os.networks_client, os.subnets_client,
+ os.ports_client)
else:
- return (os.identity_v3_client, None, os.network_client,
+ return (os.identity_v3_client, None, None, os.network_client,
os.networks_client, os.subnets_client, os.ports_client)
def _create_creds(self, suffix="", admin=False, roles=None):
diff --git a/tempest/services/identity/v2/json/identity_client.py b/tempest/services/identity/v2/json/identity_client.py
index f80e22d..54596be 100644
--- a/tempest/services/identity/v2/json/identity_client.py
+++ b/tempest/services/identity/v2/json/identity_client.py
@@ -26,60 +26,6 @@
body = json.loads(body)
return service_client.ResponseBody(resp, body)
- def create_role(self, name):
- """Create a role."""
- post_body = {
- 'name': name,
- }
- post_body = json.dumps({'role': post_body})
- resp, body = self.post('OS-KSADM/roles', post_body)
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return service_client.ResponseBody(resp, body)
-
- def show_role(self, role_id):
- """Get a role by its id."""
- resp, body = self.get('OS-KSADM/roles/%s' % role_id)
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return service_client.ResponseBody(resp, body)
-
- def delete_role(self, role_id):
- """Delete a role."""
- resp, body = self.delete('OS-KSADM/roles/%s' % str(role_id))
- self.expected_success(204, resp.status)
- return resp, body
-
- def list_user_roles(self, tenant_id, user_id):
- """Returns a list of roles assigned to a user for a tenant."""
- url = '/tenants/%s/users/%s/roles' % (tenant_id, user_id)
- resp, body = self.get(url)
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return service_client.ResponseBody(resp, body)
-
- def assign_user_role(self, tenant_id, user_id, role_id):
- """Add roles to a user on a tenant."""
- resp, body = self.put('/tenants/%s/users/%s/roles/OS-KSADM/%s' %
- (tenant_id, user_id, role_id), "")
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return service_client.ResponseBody(resp, body)
-
- def delete_user_role(self, tenant_id, user_id, role_id):
- """Removes a role assignment for a user on a tenant."""
- resp, body = self.delete('/tenants/%s/users/%s/roles/OS-KSADM/%s' %
- (tenant_id, user_id, role_id))
- self.expected_success(204, resp.status)
- return service_client.ResponseBody(resp, body)
-
- def list_roles(self):
- """Returns roles."""
- resp, body = self.get('OS-KSADM/roles')
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return service_client.ResponseBody(resp, body)
-
def create_user(self, name, password, tenant_id, email, **kwargs):
"""Create a user."""
post_body = {
diff --git a/tempest/services/identity/v2/json/roles_client.py b/tempest/services/identity/v2/json/roles_client.py
new file mode 100644
index 0000000..de8f9cb
--- /dev/null
+++ b/tempest/services/identity/v2/json/roles_client.py
@@ -0,0 +1,73 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_serialization import jsonutils as json
+
+from tempest.common import service_client
+
+
+class RolesClient(service_client.ServiceClient):
+ api_version = "v2.0"
+
+ def create_role(self, name):
+ """Create a role."""
+ post_body = {
+ 'name': name,
+ }
+ post_body = json.dumps({'role': post_body})
+ resp, body = self.post('OS-KSADM/roles', post_body)
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return service_client.ResponseBody(resp, body)
+
+ def show_role(self, role_id):
+ """Get a role by its id."""
+ resp, body = self.get('OS-KSADM/roles/%s' % role_id)
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return service_client.ResponseBody(resp, body)
+
+ def delete_role(self, role_id):
+ """Delete a role."""
+ resp, body = self.delete('OS-KSADM/roles/%s' % str(role_id))
+ self.expected_success(204, resp.status)
+ return resp, body
+
+ def list_user_roles(self, tenant_id, user_id):
+ """Returns a list of roles assigned to a user for a tenant."""
+ url = '/tenants/%s/users/%s/roles' % (tenant_id, user_id)
+ resp, body = self.get(url)
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return service_client.ResponseBody(resp, body)
+
+ def assign_user_role(self, tenant_id, user_id, role_id):
+ """Add roles to a user on a tenant."""
+ resp, body = self.put('/tenants/%s/users/%s/roles/OS-KSADM/%s' %
+ (tenant_id, user_id, role_id), "")
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return service_client.ResponseBody(resp, body)
+
+ def delete_user_role(self, tenant_id, user_id, role_id):
+ """Removes a role assignment for a user on a tenant."""
+ resp, body = self.delete('/tenants/%s/users/%s/roles/OS-KSADM/%s' %
+ (tenant_id, user_id, role_id))
+ self.expected_success(204, resp.status)
+ return service_client.ResponseBody(resp, body)
+
+ def list_roles(self):
+ """Returns roles."""
+ resp, body = self.get('OS-KSADM/roles')
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return service_client.ResponseBody(resp, body)
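Review bot: `delete_role` returns the raw tuple `resp, body`, while every other method in the new `RolesClient`, including `delete_user_role`, returns `service_client.ResponseBody(resp, body)`. The methods were moved verbatim, but a new module is a cheap place to make the return type uniform with `return service_client.ResponseBody(resp, body)`. The class has no docstring either; one line stating that it wraps the Keystone v2 `OS-KSADM` role and role-assignment calls would help. The role endpoints use relative paths (`'OS-KSADM/roles'`) and the tenant endpoints use a leading slash; if both resolve identically in `ServiceClient`, using one form would read more clearly.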
diff --git a/tempest/stress/driver.py b/tempest/stress/driver.py
index cac848b..a550d71 100644
--- a/tempest/stress/driver.py
+++ b/tempest/stress/driver.py
@@ -147,11 +147,13 @@
if CONF.identity.auth_version == 'v2':
identity_client = admin_manager.identity_client
projects_client = admin_manager.tenants_client
+ roles_client = admin_manager.roles_client
else:
identity_client = admin_manager.identity_v3_client
projects_client = None
+ roles_client = None
credentials_client = cred_client.get_creds_client(
- identity_client, projects_client)
+ identity_client, projects_client, roles_client)
project = credentials_client.create_project(
name=tenant_name, description=tenant_name)
user = credentials_client.create_user(username, password,
diff --git a/tempest/test.py b/tempest/test.py
index 8e961f4..407df3b 100644
--- a/tempest/test.py
+++ b/tempest/test.py
@@ -437,9 +437,11 @@
if CONF.identity.auth_version == 'v2':
client = self.os_admin.identity_client
project_client = self.os_admin.tenants_client
+ roles_client = self.os_admin.roles_client
else:
client = self.os_admin.identity_v3_client
project_client = None
+ roles_client = None
try:
domain = client.auth_provider.credentials.project_domain_name
@@ -447,6 +449,7 @@
domain = 'Default'
return cred_client.get_creds_client(client, project_client,
+ roles_client,
project_domain_name=domain)
@classmethod
diff --git a/tempest/tests/common/test_dynamic_creds.py b/tempest/tests/common/test_dynamic_creds.py
index 10acd14..d520985 100644
--- a/tempest/tests/common/test_dynamic_creds.py
+++ b/tempest/tests/common/test_dynamic_creds.py
@@ -24,6 +24,8 @@
from tempest import exceptions
from tempest.services.identity.v2.json import identity_client as \
json_iden_client
+from tempest.services.identity.v2.json import roles_client as \
+ json_roles_client
from tempest.services.identity.v2.json import tenants_client as \
json_tenants_client
from tempest.services.network.json import network_client as json_network_client
@@ -84,7 +86,7 @@
def _mock_list_roles(self, id, name):
roles_fix = self.useFixture(mockpatch.PatchObject(
- json_iden_client.IdentityClient,
+ json_roles_client.RolesClient,
'list_roles',
return_value=(service_client.ResponseBody
(200,
@@ -95,7 +97,7 @@
def _mock_list_2_roles(self):
roles_fix = self.useFixture(mockpatch.PatchObject(
- json_iden_client.IdentityClient,
+ json_roles_client.RolesClient,
'list_roles',
return_value=(service_client.ResponseBody
(200,
@@ -106,7 +108,7 @@
def _mock_assign_user_role(self):
tenant_fix = self.useFixture(mockpatch.PatchObject(
- json_iden_client.IdentityClient,
+ json_roles_client.RolesClient,
'assign_user_role',
return_value=(service_client.ResponseBody
(200, {}))))
@@ -114,7 +116,7 @@
def _mock_list_role(self):
roles_fix = self.useFixture(mockpatch.PatchObject(
- json_iden_client.IdentityClient,
+ json_roles_client.RolesClient,
'list_roles',
return_value=(service_client.ResponseBody
(200, {'roles': [{'id': '1',
@@ -178,11 +180,11 @@
self._mock_user_create('1234', 'fake_admin_user')
self._mock_tenant_create('1234', 'fake_admin_tenant')
- user_mock = mock.patch.object(json_iden_client.IdentityClient,
+ user_mock = mock.patch.object(json_roles_client.RolesClient,
'assign_user_role')
user_mock.start()
self.addCleanup(user_mock.stop)
- with mock.patch.object(json_iden_client.IdentityClient,
+ with mock.patch.object(json_roles_client.RolesClient,
'assign_user_role') as user_mock:
admin_creds = creds.get_admin_creds()
user_mock.assert_has_calls([
@@ -201,11 +203,11 @@
self._mock_user_create('1234', 'fake_role_user')
self._mock_tenant_create('1234', 'fake_role_tenant')
- user_mock = mock.patch.object(json_iden_client.IdentityClient,
+ user_mock = mock.patch.object(json_roles_client.RolesClient,
'assign_user_role')
user_mock.start()
self.addCleanup(user_mock.stop)
- with mock.patch.object(json_iden_client.IdentityClient,
+ with mock.patch.object(json_roles_client.RolesClient,
'assign_user_role') as user_mock:
role_creds = creds.get_creds_by_roles(
roles=['role1', 'role2'])