Merge "Add namespace tags client and tests"
diff --git a/releasenotes/notes/deprecate-allow_port_security_disabled-option-2d3d87f6bd11d03a.yaml b/releasenotes/notes/deprecate-allow_port_security_disabled-option-2d3d87f6bd11d03a.yaml
new file mode 100644
index 0000000..4acdc6d
--- /dev/null
+++ b/releasenotes/notes/deprecate-allow_port_security_disabled-option-2d3d87f6bd11d03a.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+  - The default value for the ``allow_port_security_disabled`` option in the
+    ``compute-feature-enabled`` section has been changed from ``False``
+    to ``True``.
+deprecations:
+  - The ``allow_port_security_disabled`` option in the
+   ``compute-feature-enabled`` section is now deprecated.
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 140263c..eec42cd 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
diff --git a/tempest/api/compute/admin/test_keypairs_v210.py b/tempest/api/compute/admin/test_keypairs_v210.py
index dfa7c39..9011433 100644
--- a/tempest/api/compute/admin/test_keypairs_v210.py
+++ b/tempest/api/compute/admin/test_keypairs_v210.py
@@ -32,9 +32,9 @@
         key_list = list()
         for i in range(2):
             k_name = data_utils.rand_name('keypair')
-            keypair = self._create_keypair(k_name,
-                                           keypair_type='ssh',
-                                           user_id=user_id)
+            keypair = self.create_keypair(k_name,
+                                          keypair_type='ssh',
+                                          user_id=user_id)
             self.assertEqual(k_name, keypair['name'],
                              "The created keypair name is not equal "
                              "to the requested name!")
@@ -56,8 +56,7 @@
         self.assertEqual(user_id, keypair_detail['user_id'],
                          "The fetched keypair is not for requested user!")
         # Create a admin keypair
-        admin_k_name = data_utils.rand_name('keypair')
-        admin_keypair = self._create_keypair(admin_k_name, keypair_type='ssh')
+        admin_keypair = self.create_keypair(keypair_type='ssh')
         admin_keypair.pop('private_key', None)
         admin_keypair.pop('user_id')
 
diff --git a/tempest/api/compute/images/test_images_negative.py b/tempest/api/compute/images/test_images_negative.py
index 549262e..6c97072 100644
--- a/tempest/api/compute/images/test_images_negative.py
+++ b/tempest/api/compute/images/test_images_negative.py
@@ -50,21 +50,19 @@
         self.servers_client.delete_server(server['id'])
         waiters.wait_for_server_termination(self.servers_client, server['id'])
         # Create a new image after server is deleted
-        name = data_utils.rand_name('image')
         meta = {'image_type': 'test'}
         self.assertRaises(lib_exc.NotFound,
                           self.create_image_from_server,
-                          server['id'], name=name, meta=meta)
+                          server['id'], meta=meta)
 
     @test.attr(type=['negative'])
     @test.idempotent_id('82c5b0c4-9dbd-463c-872b-20c4755aae7f')
     def test_create_image_from_invalid_server(self):
         # An image should not be created with invalid server id
         # Create a new image with invalid server id
-        name = data_utils.rand_name('image')
         meta = {'image_type': 'test'}
         self.assertRaises(lib_exc.NotFound, self.create_image_from_server,
-                          '!@$^&*()', name=name, meta=meta)
+                          data_utils.rand_name('invalid'), meta=meta)
 
     @test.attr(type=['negative'])
     @test.idempotent_id('ec176029-73dc-4037-8d72-2e4ff60cf538')
@@ -89,7 +87,7 @@
     def test_delete_image_with_invalid_image_id(self):
         # An image should not be deleted with invalid image id
         self.assertRaises(lib_exc.NotFound, self.client.delete_image,
-                          '!@$^&*()')
+                          data_utils.rand_name('invalid'))
 
     @test.attr(type=['negative'])
     @test.idempotent_id('137aef61-39f7-44a1-8ddf-0adf82511701')
diff --git a/tempest/api/compute/keypairs/base.py b/tempest/api/compute/keypairs/base.py
index ad7f958..21f504b 100644
--- a/tempest/api/compute/keypairs/base.py
+++ b/tempest/api/compute/keypairs/base.py
@@ -14,6 +14,7 @@
 #    under the License.
 
 from tempest.api.compute import base
+from tempest.common.utils import data_utils
 
 
 class BaseKeypairTest(base.BaseV2ComputeTest):
@@ -27,9 +28,12 @@
     def _delete_keypair(self, keypair_name, **params):
         self.client.delete_keypair(keypair_name, **params)
 
-    def _create_keypair(self, keypair_name,
-                        pub_key=None, keypair_type=None,
-                        user_id=None):
+    def create_keypair(self, keypair_name=None,
+                       pub_key=None, keypair_type=None,
+                       user_id=None):
+        if keypair_name is None:
+            keypair_name = data_utils.rand_name(
+                self.__class__.__name__ + '-keypair')
         kwargs = {'name': keypair_name}
         delete_params = {}
         if pub_key:
diff --git a/tempest/api/compute/keypairs/test_keypairs.py b/tempest/api/compute/keypairs/test_keypairs.py
index 562a508..8acc25a 100644
--- a/tempest/api/compute/keypairs/test_keypairs.py
+++ b/tempest/api/compute/keypairs/test_keypairs.py
@@ -27,8 +27,7 @@
         # Create 3 keypairs
         key_list = list()
         for i in range(3):
-            k_name = data_utils.rand_name('keypair')
-            keypair = self._create_keypair(k_name)
+            keypair = self.create_keypair()
             # Need to pop these keys so that our compare doesn't fail later,
             # as the keypair dicts from list API doesn't have them.
             keypair.pop('private_key')
@@ -51,7 +50,7 @@
     def test_keypair_create_delete(self):
         # Keypair should be created, verified and deleted
         k_name = data_utils.rand_name('keypair')
-        keypair = self._create_keypair(k_name)
+        keypair = self.create_keypair(k_name)
         private_key = keypair['private_key']
         key_name = keypair['name']
         self.assertEqual(key_name, k_name,
@@ -64,7 +63,7 @@
     def test_get_keypair_detail(self):
         # Keypair should be created, Got details by name and deleted
         k_name = data_utils.rand_name('keypair')
-        self._create_keypair(k_name)
+        self.create_keypair(k_name)
         keypair_detail = self.client.show_keypair(k_name)['keypair']
         self.assertIn('name', keypair_detail)
         self.assertIn('public_key', keypair_detail)
@@ -88,7 +87,7 @@
                    "LOeB1kYMOBaiUPLQTWXR3JpckqFIQwhIH0zoHlJvZE8hh90"
                    "XcPojYN56tI0OlrGqojbediJYD0rUsJu4weZpbn8vilb3JuDY+jws"
                    "snSA8wzBx3A/8y9Pp1B nova@ubuntu")
-        keypair = self._create_keypair(k_name, pub_key)
+        keypair = self.create_keypair(k_name, pub_key)
         self.assertNotIn('private_key', keypair,
                          "Field private_key is not empty!")
         key_name = keypair['name']
diff --git a/tempest/api/compute/keypairs/test_keypairs_negative.py b/tempest/api/compute/keypairs/test_keypairs_negative.py
index 2a6139b..f5ffa19 100644
--- a/tempest/api/compute/keypairs/test_keypairs_negative.py
+++ b/tempest/api/compute/keypairs/test_keypairs_negative.py
@@ -25,10 +25,9 @@
     @test.idempotent_id('29cca892-46ae-4d48-bc32-8fe7e731eb81')
     def test_keypair_create_with_invalid_pub_key(self):
         # Keypair should not be created with a non RSA public key
-        k_name = data_utils.rand_name('keypair')
         pub_key = "ssh-rsa JUNK nova@ubuntu"
         self.assertRaises(lib_exc.BadRequest,
-                          self._create_keypair, k_name, pub_key)
+                          self.create_keypair, pub_key=pub_key)
 
     @test.attr(type=['negative'])
     @test.idempotent_id('7cc32e47-4c42-489d-9623-c5e2cb5a2fa5')
@@ -42,19 +41,17 @@
     @test.idempotent_id('dade320e-69ca-42a9-ba4a-345300f127e0')
     def test_create_keypair_with_empty_public_key(self):
         # Keypair should not be created with an empty public key
-        k_name = data_utils.rand_name("keypair")
         pub_key = ' '
-        self.assertRaises(lib_exc.BadRequest, self._create_keypair,
-                          k_name, pub_key)
+        self.assertRaises(lib_exc.BadRequest, self.create_keypair,
+                          pub_key=pub_key)
 
     @test.attr(type=['negative'])
     @test.idempotent_id('fc100c19-2926-4b9c-8fdc-d0589ee2f9ff')
     def test_create_keypair_when_public_key_bits_exceeds_maximum(self):
         # Keypair should not be created when public key bits are too long
-        k_name = data_utils.rand_name("keypair")
         pub_key = 'ssh-rsa ' + 'A' * 2048 + ' openstack@ubuntu'
-        self.assertRaises(lib_exc.BadRequest, self._create_keypair,
-                          k_name, pub_key)
+        self.assertRaises(lib_exc.BadRequest, self.create_keypair,
+                          pub_key=pub_key)
 
     @test.attr(type=['negative'])
     @test.idempotent_id('0359a7f1-f002-4682-8073-0c91e4011b7c')
@@ -63,7 +60,7 @@
         k_name = data_utils.rand_name('keypair')
         self.client.create_keypair(name=k_name)
         # Now try the same keyname to create another key
-        self.assertRaises(lib_exc.Conflict, self._create_keypair,
+        self.assertRaises(lib_exc.Conflict, self.create_keypair,
                           k_name)
         self.client.delete_keypair(k_name)
 
@@ -71,7 +68,7 @@
     @test.idempotent_id('1398abe1-4a84-45fb-9294-89f514daff00')
     def test_create_keypair_with_empty_name_string(self):
         # Keypairs with name being an empty string should not be created
-        self.assertRaises(lib_exc.BadRequest, self._create_keypair,
+        self.assertRaises(lib_exc.BadRequest, self.create_keypair,
                           '')
 
     @test.attr(type=['negative'])
@@ -79,7 +76,7 @@
     def test_create_keypair_with_long_keynames(self):
         # Keypairs with name longer than 255 chars should not be created
         k_name = 'keypair-'.ljust(260, '0')
-        self.assertRaises(lib_exc.BadRequest, self._create_keypair,
+        self.assertRaises(lib_exc.BadRequest, self.create_keypair,
                           k_name)
 
     @test.attr(type=['negative'])
@@ -87,5 +84,5 @@
     def test_create_keypair_invalid_name(self):
         # Keypairs with name being an invalid name should not be created
         k_name = 'key_/.\@:'
-        self.assertRaises(lib_exc.BadRequest, self._create_keypair,
+        self.assertRaises(lib_exc.BadRequest, self.create_keypair,
                           k_name)
diff --git a/tempest/api/compute/keypairs/test_keypairs_v22.py b/tempest/api/compute/keypairs/test_keypairs_v22.py
index 997ef9b..4bd1a40 100644
--- a/tempest/api/compute/keypairs/test_keypairs_v22.py
+++ b/tempest/api/compute/keypairs/test_keypairs_v22.py
@@ -28,7 +28,7 @@
 
     def _test_keypairs_create_list_show(self, keypair_type=None):
         k_name = data_utils.rand_name('keypair')
-        keypair = self._create_keypair(k_name, keypair_type=keypair_type)
+        keypair = self.create_keypair(k_name, keypair_type=keypair_type)
         # Verify whether 'type' is present in keypair create response of
         # version 2.2 and it is with default value 'ssh'.
         self._check_keypair_type(keypair, keypair_type)
diff --git a/tempest/api/compute/security_groups/base.py b/tempest/api/compute/security_groups/base.py
index f70f6d3..cb18775 100644
--- a/tempest/api/compute/security_groups/base.py
+++ b/tempest/api/compute/security_groups/base.py
@@ -14,6 +14,11 @@
 #    under the License.
 
 from tempest.api.compute import base
+from tempest.common.utils import data_utils
+from tempest import config
+from tempest import test
+
+CONF = config.CONF
 
 
 class BaseSecurityGroupsTest(base.BaseV2ComputeTest):
@@ -23,3 +28,11 @@
         # A network and a subnet will be created for these tests
         cls.set_network_resources(network=True, subnet=True)
         super(BaseSecurityGroupsTest, cls).setup_credentials()
+
+    @staticmethod
+    def generate_random_security_group_id():
+        if (CONF.service_available.neutron and
+            test.is_extension_enabled('security-group', 'network')):
+            return data_utils.rand_uuid()
+        else:
+            return data_utils.rand_int_id(start=999)
diff --git a/tempest/api/compute/security_groups/test_security_group_rules_negative.py b/tempest/api/compute/security_groups/test_security_group_rules_negative.py
index 32b3ea3..78c19ca 100644
--- a/tempest/api/compute/security_groups/test_security_group_rules_negative.py
+++ b/tempest/api/compute/security_groups/test_security_group_rules_negative.py
@@ -15,20 +15,9 @@
 
 from tempest.api.compute.security_groups import base
 from tempest.common.utils import data_utils
-from tempest import config
 from tempest.lib import exceptions as lib_exc
 from tempest import test
 
-CONF = config.CONF
-
-
-def not_existing_id():
-    if (CONF.service_available.neutron and
-        test.is_extension_enabled('security-group', 'network')):
-        return data_utils.rand_uuid()
-    else:
-        return data_utils.rand_int_id(start=999)
-
 
 class SecurityGroupRulesNegativeTestJSON(base.BaseSecurityGroupsTest):
 
@@ -44,7 +33,7 @@
         # Negative test: Creation of Security Group rule should FAIL
         # with non existent Parent group id
         # Adding rules to the non existent Security Group id
-        parent_group_id = not_existing_id()
+        parent_group_id = self.generate_random_security_group_id()
         ip_protocol = 'tcp'
         from_port = 22
         to_port = 22
@@ -179,7 +168,7 @@
     def test_delete_security_group_rule_with_non_existent_id(self):
         # Negative test: Deletion of Security Group rule should be FAIL
         # with non existent id
-        non_existent_rule_id = not_existing_id()
+        non_existent_rule_id = self.generate_random_security_group_id()
         self.assertRaises(lib_exc.NotFound,
                           self.rules_client.delete_security_group_rule,
                           non_existent_rule_id)
diff --git a/tempest/api/compute/security_groups/test_security_groups_negative.py b/tempest/api/compute/security_groups/test_security_groups_negative.py
index e6abf28..bcada1e 100644
--- a/tempest/api/compute/security_groups/test_security_groups_negative.py
+++ b/tempest/api/compute/security_groups/test_security_groups_negative.py
@@ -37,29 +37,13 @@
         super(SecurityGroupsNegativeTestJSON, cls).resource_setup()
         cls.neutron_available = CONF.service_available.neutron
 
-    def _generate_a_non_existent_security_group_id(self):
-        security_group_id = []
-        body = self.client.list_security_groups()['security_groups']
-        for i in range(len(body)):
-            security_group_id.append(body[i]['id'])
-        # Generate a non-existent security group id
-        while True:
-            if (self.neutron_available and
-                test.is_extension_enabled('security-group', 'network')):
-                non_exist_id = data_utils.rand_uuid()
-            else:
-                non_exist_id = data_utils.rand_int_id(start=999)
-            if non_exist_id not in security_group_id:
-                break
-        return non_exist_id
-
     @test.attr(type=['negative'])
     @test.idempotent_id('673eaec1-9b3e-48ed-bdf1-2786c1b9661c')
     @test.services('network')
     def test_security_group_get_nonexistent_group(self):
         # Negative test:Should not be able to GET the details
         # of non-existent Security Group
-        non_exist_id = self._generate_a_non_existent_security_group_id()
+        non_exist_id = self.generate_random_security_group_id()
         self.assertRaises(lib_exc.NotFound, self.client.show_security_group,
                           non_exist_id)
 
@@ -139,7 +123,7 @@
     @test.services('network')
     def test_delete_nonexistent_security_group(self):
         # Negative test:Deletion of a non-existent Security Group should fail
-        non_exist_id = self._generate_a_non_existent_security_group_id()
+        non_exist_id = self.generate_random_security_group_id()
         self.assertRaises(lib_exc.NotFound,
                           self.client.delete_security_group, non_exist_id)
 
@@ -204,7 +188,7 @@
     @test.services('network')
     def test_update_non_existent_security_group(self):
         # Update a non-existent Security Group should Fail
-        non_exist_id = self._generate_a_non_existent_security_group_id()
+        non_exist_id = self.generate_random_security_group_id()
         s_name = data_utils.rand_name('sg')
         s_description = data_utils.rand_name('description')
         self.assertRaises(lib_exc.NotFound,
diff --git a/tempest/api/compute/servers/test_servers_negative.py b/tempest/api/compute/servers/test_servers_negative.py
index f66bc72..2b4cee7 100644
--- a/tempest/api/compute/servers/test_servers_negative.py
+++ b/tempest/api/compute/servers/test_servers_negative.py
@@ -209,7 +209,7 @@
     @test.attr(type=['negative'])
     @test.idempotent_id('c3e0fb12-07fc-4d76-a22e-37409887afe8')
     def test_create_server_name_length_exceeds_256(self):
-        # Create a server with name length exceeding 256 characters
+        # Create a server with name length exceeding 255 characters
 
         server_name = 'a' * 256
         self.assertRaises(lib_exc.BadRequest,
diff --git a/tempest/api/compute/volumes/test_attach_volume.py b/tempest/api/compute/volumes/test_attach_volume.py
index 30549ec..fa465af 100644
--- a/tempest/api/compute/volumes/test_attach_volume.py
+++ b/tempest/api/compute/volumes/test_attach_volume.py
@@ -13,7 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import logging
+from oslo_log import log as logging
 import testtools
 
 from tempest.api.compute import base
diff --git a/tempest/api/compute/volumes/test_volumes_negative.py b/tempest/api/compute/volumes/test_volumes_negative.py
index c4041cb..0e1fef2 100644
--- a/tempest/api/compute/volumes/test_volumes_negative.py
+++ b/tempest/api/compute/volumes/test_volumes_negative.py
@@ -95,7 +95,8 @@
         # Negative: Should not be able to delete volume when invalid ID is
         # passed
         self.assertRaises(lib_exc.NotFound,
-                          self.client.delete_volume, '!@#$%^&*()')
+                          self.client.delete_volume,
+                          data_utils.rand_name('invalid'))
 
     @test.attr(type=['negative'])
     @test.idempotent_id('0d1417c5-4ae8-4c2c-adc5-5f0b864253e5')
diff --git a/tempest/api/identity/base.py b/tempest/api/identity/base.py
index 14bf4f8..9515788 100644
--- a/tempest/api/identity/base.py
+++ b/tempest/api/identity/base.py
@@ -105,6 +105,15 @@
 
     credentials = ['primary', 'admin']
 
+    # NOTE(andreaf) Identity tests work with credentials, so it is safer
+    # for them to always use disposable credentials. Forcing dynamic creds
+    # on regular identity tests would be however to restrictive, since it
+    # would prevent any identity test from being executed against clouds where
+    # admin credentials are not available.
+    # Since All admin tests require admin credentials to be
+    # executed, so this will not impact the ability to execute tests.
+    force_tenant_isolation = True
+
     @classmethod
     def setup_clients(cls):
         super(BaseIdentityV2AdminTest, cls).setup_clients()
@@ -165,6 +174,15 @@
 
     credentials = ['primary', 'admin']
 
+    # NOTE(andreaf) Identity tests work with credentials, so it is safer
+    # for them to always use disposable credentials. Forcing dynamic creds
+    # on regular identity tests would be however to restrictive, since it
+    # would prevent any identity test from being executed against clouds where
+    # admin credentials are not available.
+    # Since All admin tests require admin credentials to be
+    # executed, so this will not impact the ability to execute tests.
+    force_tenant_isolation = True
+
     @classmethod
     def setup_clients(cls):
         super(BaseIdentityV3AdminTest, cls).setup_clients()
diff --git a/tempest/api/image/v1/test_images.py b/tempest/api/image/v1/test_images.py
index 0caaa67..b22ceed 100644
--- a/tempest/api/image/v1/test_images.py
+++ b/tempest/api/image/v1/test_images.py
@@ -30,13 +30,23 @@
     a_formats = ['ami', 'ari', 'aki']
 
     container_format = CONF.image.container_formats[0]
-    disk_format = CONF.image.disk_formats[0]
 
-    if container_format in a_formats and container_format != disk_format:
-        msg = ("The container format and the disk format don't match. "
-               "Container format: %(container)s, Disk format: %(disk)s." %
-               {'container': container_format, 'disk': disk_format})
-        raise exceptions.InvalidConfiguration(msg)
+    # In v1, If container_format is one of ['ami', 'ari', 'aki'], then
+    # disk_format must be same with container_format.
+    # If they are of different item sequence in tempest.conf, such as:
+    #     container_formats = ami,ari,aki,bare
+    #     disk_formats = ari,ami,aki,vhd
+    # we can select one in disk_format list that is same with container_format.
+    if container_format in a_formats:
+        if container_format in CONF.image.disk_formats:
+            disk_format = container_format
+        else:
+            msg = ("The container format and the disk format don't match. "
+                   "Container format: %(container)s, Disk format: %(disk)s." %
+                   {'container': container_format, 'disk': disk_format})
+            raise exceptions.InvalidConfiguration(msg)
+    else:
+        disk_format = CONF.image.disk_formats[0]
 
     return container_format, disk_format
 
diff --git a/tempest/api/image/v2/test_images.py b/tempest/api/image/v2/test_images.py
index 453bb34..cdf0b23 100644
--- a/tempest/api/image/v2/test_images.py
+++ b/tempest/api/image/v2/test_images.py
@@ -336,17 +336,22 @@
 
     @test.idempotent_id('3fa50be4-8e38-4c02-a8db-7811bb780122')
     def test_list_images_param_member_status(self):
-        # Share one of the images created with the alt user
+        # Create an image to be shared using default visibility
+        image_file = six.BytesIO(data_utils.random_bytes(2048))
+        container_format = CONF.image.container_formats[0]
+        disk_format = CONF.image.disk_formats[0]
+        image = self.create_image(container_format=container_format,
+                                  disk_format=disk_format)
+        self.client.store_image_file(image['id'], data=image_file)
+
+        # Share the image created with the alt user
         self.image_member_client.create_image_member(
-            image_id=self.test_data['id'],
-            member=self.alt_img_client.tenant_id)
-        # Update the info on the test data so it remains accurate
-        self.test_data['updated_at'] = self.client.show_image(
-            self.test_data['id'])['updated_at']
+            image_id=image['id'], member=self.alt_img_client.tenant_id)
+
         # As an image consumer you need to provide the member_status parameter
         # along with the visibility=shared parameter in order for it to show
         # results
         params = {'member_status': 'pending', 'visibility': 'shared'}
         fetched_images = self.alt_img_client.list_images(params)['images']
         self.assertEqual(1, len(fetched_images))
-        self.assertEqual(self.test_data['id'], fetched_images[0]['id'])
+        self.assertEqual(image['id'], fetched_images[0]['id'])
diff --git a/tempest/api/network/base.py b/tempest/api/network/base.py
index c2c42bb..132e23e 100644
--- a/tempest/api/network/base.py
+++ b/tempest/api/network/base.py
@@ -108,10 +108,10 @@
             # Not all classes in the hierarchy have the client class variable
             if len(cls.metering_label_rules) > 0:
                 label_rules_client = cls.admin_metering_label_rules_client
-            for metering_label_rule in cls.metering_label_rules:
-                test_utils.call_and_ignore_notfound_exc(
-                    label_rules_client.delete_metering_label_rule,
-                    metering_label_rule['id'])
+                for metering_label_rule in cls.metering_label_rules:
+                    test_utils.call_and_ignore_notfound_exc(
+                        label_rules_client.delete_metering_label_rule,
+                        metering_label_rule['id'])
             # Clean up metering labels
             for metering_label in cls.metering_labels:
                 test_utils.call_and_ignore_notfound_exc(
diff --git a/tempest/api/orchestration/stacks/test_swift_resources.py b/tempest/api/orchestration/stacks/test_swift_resources.py
index c0f1c4b..3672526 100644
--- a/tempest/api/orchestration/stacks/test_swift_resources.py
+++ b/tempest/api/orchestration/stacks/test_swift_resources.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # Copyright (C) 2013 eNovance SAS <licensing@enovance.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
diff --git a/tempest/api/volume/base.py b/tempest/api/volume/base.py
index a4ed7a5..98e050e 100644
--- a/tempest/api/volume/base.py
+++ b/tempest/api/volume/base.py
@@ -171,7 +171,8 @@
         client.delete_volume(volume_id)
         client.wait_for_resource_deletion(volume_id)
 
-    def delete_snapshot(self, client, snapshot_id):
+    @staticmethod
+    def delete_snapshot(client, snapshot_id):
         """Delete snapshot by the given client"""
         client.delete_snapshot(snapshot_id)
         client.wait_for_resource_deletion(snapshot_id)
diff --git a/tempest/api/volume/test_volumes_backup.py b/tempest/api/volume/test_volumes_backup.py
index 70b3c58..6dcde08 100644
--- a/tempest/api/volume/test_volumes_backup.py
+++ b/tempest/api/volume/test_volumes_backup.py
@@ -89,14 +89,7 @@
                         volume['id'])
         server = self.create_server(wait_until='ACTIVE')
         # Attach volume to instance
-        self.servers_client.attach_volume(server['id'],
-                                          volumeId=volume['id'])
-        waiters.wait_for_volume_status(self.volumes_client,
-                                       volume['id'], 'in-use')
-        self.addCleanup(waiters.wait_for_volume_status, self.volumes_client,
-                        volume['id'], 'available')
-        self.addCleanup(self.servers_client.detach_volume, server['id'],
-                        volume['id'])
+        self.attach_volume(server['id'], volume['id'])
         # Create backup using force flag
         backup_name = data_utils.rand_name(
             self.__class__.__name__ + '-Backup')
diff --git a/tempest/api/volume/test_volumes_negative.py b/tempest/api/volume/test_volumes_negative.py
index c45ace6..bcdbd22 100644
--- a/tempest/api/volume/test_volumes_negative.py
+++ b/tempest/api/volume/test_volumes_negative.py
@@ -133,7 +133,8 @@
         v_name = data_utils.rand_name(self.__class__.__name__ + '-Volume')
         metadata = {'Type': 'work'}
         self.assertRaises(lib_exc.NotFound, self.volumes_client.update_volume,
-                          volume_id='#$%%&^&^', display_name=v_name,
+                          volume_id=data_utils.rand_name('invalid'),
+                          display_name=v_name,
                           metadata=metadata)
 
     @test.attr(type=['negative'])
@@ -150,7 +151,7 @@
     def test_get_invalid_volume_id(self):
         # Should not be able to get volume with invalid id
         self.assertRaises(lib_exc.NotFound, self.volumes_client.show_volume,
-                          '#$%%&^&^')
+                          data_utils.rand_name('invalid'))
 
     @test.attr(type=['negative'])
     @test.idempotent_id('c6c3db06-29ad-4e91-beb0-2ab195fe49e3')
@@ -164,7 +165,7 @@
     def test_delete_invalid_volume_id(self):
         # Should not be able to delete volume when invalid ID is passed
         self.assertRaises(lib_exc.NotFound, self.volumes_client.delete_volume,
-                          '!@#$%^&*()')
+                          data_utils.rand_name('invalid'))
 
     @test.attr(type=['negative'])
     @test.idempotent_id('441a1550-5d44-4b30-af0f-a6d402f52026')
diff --git a/tempest/clients.py b/tempest/clients.py
index a4306d8..18116f3 100644
--- a/tempest/clients.py
+++ b/tempest/clients.py
@@ -19,7 +19,6 @@
 from tempest.lib import auth
 from tempest.lib import exceptions as lib_exc
 from tempest.lib.services import clients
-from tempest.lib.services import identity
 from tempest.services import object_storage
 from tempest.services import orchestration
 
@@ -166,6 +165,7 @@
         self.aggregates_client = self.compute.AggregatesClient()
         self.services_client = self.compute.ServicesClient()
         self.tenant_usages_client = self.compute.TenantUsagesClient()
+        self.baremetal_nodes_client = self.compute.BaremetalNodesClient()
         self.hosts_client = self.compute.HostsClient()
         self.hypervisor_client = self.compute.HypervisorClient()
         self.instance_usages_audit_log_client = (
@@ -239,15 +239,15 @@
         # API version is marked as enabled
         if CONF.identity_feature_enabled.api_v2:
             if CONF.identity.uri:
-                self.token_client = identity.v2.TokenClient(
-                    CONF.identity.uri, **self.default_params)
+                self.token_client = self.identity_v2.TokenClient(
+                    auth_url=CONF.identity.uri)
             else:
                 msg = 'Identity v2 API enabled, but no identity.uri set'
                 raise lib_exc.InvalidConfiguration(msg)
         if CONF.identity_feature_enabled.api_v3:
             if CONF.identity.uri_v3:
-                self.token_v3_client = identity.v3.V3TokenClient(
-                    CONF.identity.uri_v3, **self.default_params)
+                self.token_v3_client = self.identity_v3.V3TokenClient(
+                    auth_url=CONF.identity.uri_v3)
             else:
                 msg = 'Identity v3 API enabled, but no identity.uri_v3 set'
                 raise lib_exc.InvalidConfiguration(msg)
diff --git a/tempest/cmd/run.py b/tempest/cmd/run.py
index a3105e0..54b844a 100644
--- a/tempest/cmd/run.py
+++ b/tempest/cmd/run.py
@@ -21,7 +21,7 @@
 
  * **--regex/-r**: This is a selection regex like what testr uses. It will run
                    any tests that match on re.match() with the regex
- * **--smoke**: Run all the tests tagged as smoke
+ * **--smoke/-s**: Run all the tests tagged as smoke
 
 There are also the **--blacklist-file** and **--whitelist-file** options that
 let you pass a filepath to tempest run with the file format being a line
@@ -52,7 +52,7 @@
 There are several options to control how the tests are executed. By default
 tempest will run in parallel with a worker for each CPU present on the machine.
 If you want to adjust the number of workers use the **--concurrency** option
-and if you want to run tests serially use **--serial**
+and if you want to run tests serially use **--serial/-t**
 
 Running with Workspaces
 -----------------------
@@ -198,7 +198,7 @@
                             help='Configuration file to run tempest with')
         # test selection args
         regex = parser.add_mutually_exclusive_group()
-        regex.add_argument('--smoke', action='store_true',
+        regex.add_argument('--smoke', '-s', action='store_true',
                            help="Run the smoke tests only")
         regex.add_argument('--regex', '-r', default='',
                            help='A normal testr selection regex used to '
@@ -225,7 +225,7 @@
                               action='store_true',
                               help='Run tests in parallel (this is the'
                                    ' default)')
-        parallel.add_argument('--serial', dest='parallel',
+        parallel.add_argument('--serial', '-t', dest='parallel',
                               action='store_false',
                               help='Run tests serially')
         # output args
diff --git a/tempest/cmd/workspace.py b/tempest/cmd/workspace.py
index 3c58648..d2dc00d 100644
--- a/tempest/cmd/workspace.py
+++ b/tempest/cmd/workspace.py
@@ -151,7 +151,7 @@
         if not os.path.isfile(self.path):
             return
         with open(self.path, 'r') as f:
-            self.workspaces = yaml.load(f) or {}
+            self.workspaces = yaml.safe_load(f) or {}
 
 
 class TempestWorkspace(command.Command):
diff --git a/tempest/common/preprov_creds.py b/tempest/common/preprov_creds.py
index 6a95588..a92d16a 100644
--- a/tempest/common/preprov_creds.py
+++ b/tempest/common/preprov_creds.py
@@ -33,7 +33,7 @@
 def read_accounts_yaml(path):
     try:
         with open(path, 'r') as yaml_file:
-            accounts = yaml.load(yaml_file)
+            accounts = yaml.safe_load(yaml_file)
     except IOError:
         raise lib_exc.InvalidConfiguration(
             'The path for the test accounts file: %s '
diff --git a/tempest/config.py b/tempest/config.py
index 4162718..fe8c175 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -16,7 +16,6 @@
 from __future__ import print_function
 
 import functools
-import logging as std_logging
 import os
 import tempfile
 
@@ -332,9 +331,12 @@
     # NOTE(mriedem): This is a feature toggle for bug 1175464 which is fixed in
     # mitaka and newton. This option can be removed after liberty-eol.
     cfg.BoolOpt('allow_port_security_disabled',
-                default=False,
+                default=True,
                 help='Does the test environment support creating ports in a '
-                     'network where port security is disabled?'),
+                     'network where port security is disabled?',
+                deprecated_for_removal=True,
+                deprecated_reason='This config switch was added for Liberty '
+                                  'which is not supported anymore.'),
     cfg.BoolOpt('disk_config',
                 default=True,
                 help="If false, skip disk config tests"),
@@ -1196,7 +1198,7 @@
         register_opts()
         self._set_attrs()
         if parse_conf:
-            _CONF.log_opt_values(LOG, std_logging.DEBUG)
+            _CONF.log_opt_values(LOG, logging.DEBUG)
 
 
 class TempestConfigProxy(object):
@@ -1204,14 +1206,14 @@
     _path = None
 
     _extra_log_defaults = [
-        ('paramiko.transport', std_logging.INFO),
-        ('requests.packages.urllib3.connectionpool', std_logging.WARN),
+        ('paramiko.transport', logging.INFO),
+        ('requests.packages.urllib3.connectionpool', logging.WARN),
     ]
 
     def _fix_log_levels(self):
         """Tweak the oslo log defaults."""
         for name, level in self._extra_log_defaults:
-            std_logging.getLogger(name).setLevel(level)
+            logging.getLogger(name).logger.setLevel(level)
 
     def __getattr__(self, attr):
         if not self._config:
diff --git a/tempest/lib/api_schema/response/compute/v2_1/servers.py b/tempest/lib/api_schema/response/compute/v2_1/servers.py
index 63e8467..1264416 100644
--- a/tempest/lib/api_schema/response/compute/v2_1/servers.py
+++ b/tempest/lib/api_schema/response/compute/v2_1/servers.py
@@ -238,14 +238,17 @@
     'status_code': [200],
     'response_body': {
         'type': 'object',
-        'properties': {
-            'adminPass': {'type': 'string'}
-        },
         'additionalProperties': False,
-        'required': ['adminPass']
     }
 }
 
+rescue_server_with_admin_pass = copy.deepcopy(rescue_server)
+rescue_server_with_admin_pass['response_body'].update(
+    {'properties': {'adminPass': {'type': 'string'}}})
+rescue_server_with_admin_pass['response_body'].update(
+    {'required': ['adminPass']})
+
+
 list_virtual_interfaces = {
     'status_code': [200],
     'response_body': {
diff --git a/tempest/lib/cli/base.py b/tempest/lib/cli/base.py
index 5d7fbe3..5468a7b 100644
--- a/tempest/lib/cli/base.py
+++ b/tempest/lib/cli/base.py
@@ -13,11 +13,11 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import logging
 import os
 import shlex
 import subprocess
 
+from oslo_log import log as logging
 import six
 
 from tempest.lib import base
diff --git a/tempest/lib/cli/output_parser.py b/tempest/lib/cli/output_parser.py
index c71c7a7..716f374 100644
--- a/tempest/lib/cli/output_parser.py
+++ b/tempest/lib/cli/output_parser.py
@@ -15,9 +15,10 @@
 
 """Collection of utilities for parsing CLI clients output."""
 
-import logging
 import re
 
+from oslo_log import log as logging
+
 from tempest.lib import exceptions
 
 
diff --git a/tempest/lib/common/rest_client.py b/tempest/lib/common/rest_client.py
index 31d2ba5..2c36f55 100644
--- a/tempest/lib/common/rest_client.py
+++ b/tempest/lib/common/rest_client.py
@@ -16,7 +16,6 @@
 
 import collections
 import email.utils
-import logging as real_logging
 import re
 import time
 
@@ -248,8 +247,8 @@
         # NOTE(afazekas): the http status code above 400 is processed by
         # the _error_checker method
         if read_code < 400:
-            pattern = """Unexpected http success status code {0},
-                         The expected status code is {1}"""
+            pattern = ("Unexpected http success status code {0}, "
+                       "The expected status code is {1}")
             if ((not isinstance(expected_code, list) and
                  (read_code != expected_code)) or
                 (isinstance(expected_code, list) and
@@ -455,7 +454,7 @@
 
         # Also look everything at DEBUG if you want to filter this
         # out, don't run at debug.
-        if self.LOG.isEnabledFor(real_logging.DEBUG):
+        if self.LOG.isEnabledFor(logging.DEBUG):
             self._log_request_full(resp, req_headers, req_body,
                                    resp_body, extra)
 
diff --git a/tempest/lib/services/clients.py b/tempest/lib/services/clients.py
index 262a894..445e8bd 100644
--- a/tempest/lib/services/clients.py
+++ b/tempest/lib/services/clients.py
@@ -17,7 +17,8 @@
 import copy
 import importlib
 import inspect
-import logging
+
+from oslo_log import log as logging
 
 from tempest.lib import auth
 from tempest.lib.common.utils import misc
@@ -279,7 +280,7 @@
         a dictionary ready to be injected in kwargs.
 
         Exceptions are:
-        - Token clients for 'identity' have a very different interface
+        - Token clients for 'identity' must be given an 'auth_url' parameter
         - Volume client for 'volume' accepts 'default_volume_size'
         - Servers client from 'compute' accepts 'enable_instance_password'
 
diff --git a/tempest/lib/services/compute/servers_client.py b/tempest/lib/services/compute/servers_client.py
index 597e815..50ce32e 100644
--- a/tempest/lib/services/compute/servers_client.py
+++ b/tempest/lib/services/compute/servers_client.py
@@ -616,7 +616,11 @@
         API reference:
         http://developer.openstack.org/api-ref-compute-v2.1.html#rescue
         """
-        return self.action(server_id, 'rescue', schema.rescue_server, **kwargs)
+        if self.enable_instance_password:
+            rescue_schema = schema.rescue_server_with_admin_pass
+        else:
+            rescue_schema = schema.rescue_server
+        return self.action(server_id, 'rescue', rescue_schema, **kwargs)
 
     def unrescue_server(self, server_id):
         """Unrescue the provided server.
diff --git a/tempest/lib/services/identity/v2/token_client.py b/tempest/lib/services/identity/v2/token_client.py
index c4fd483..458c862 100644
--- a/tempest/lib/services/identity/v2/token_client.py
+++ b/tempest/lib/services/identity/v2/token_client.py
@@ -23,7 +23,22 @@
 
     def __init__(self, auth_url, disable_ssl_certificate_validation=None,
                  ca_certs=None, trace_requests=None, **kwargs):
+        """Initialises the Token client
+
+        :param auth_url: URL to which the token request is sent
+        :param disable_ssl_certificate_validation: pass-through to rest client
+        :param ca_certs: pass-through to rest client
+        :param trace_requests: pass-through to rest client
+        :param kwargs: any extra parameter to pass through the rest client.
+               region, service and auth_provider will be ignored, if passed,
+               as they are not meaningful for token client
+        """
         dscv = disable_ssl_certificate_validation
+        # NOTE(andreaf) region, service and auth_provider are passed
+        # positionally with None. Having them in kwargs would raise a
+        # "multiple values for keyword arguments" error
+        for unwanted_kwargs in ['region', 'service', 'auth_provider']:
+            kwargs.pop(unwanted_kwargs, None)
         super(TokenClient, self).__init__(
             None, None, None, disable_ssl_certificate_validation=dscv,
             ca_certs=ca_certs, trace_requests=trace_requests, **kwargs)
diff --git a/tempest/lib/services/identity/v3/token_client.py b/tempest/lib/services/identity/v3/token_client.py
index 06927f4..33f6f16 100644
--- a/tempest/lib/services/identity/v3/token_client.py
+++ b/tempest/lib/services/identity/v3/token_client.py
@@ -23,7 +23,19 @@
 
     def __init__(self, auth_url, disable_ssl_certificate_validation=None,
                  ca_certs=None, trace_requests=None, **kwargs):
+        """Initialises the Token client
+
+        :param auth_url: URL to which the token request is sent
+        :param disable_ssl_certificate_validation: pass-through to rest client
+        :param ca_certs: pass-through to rest client
+        :param trace_requests: pass-through to rest client
+        :param kwargs: any extra parameter to pass through the rest client.
+               Three kwargs are forbidden: region, service and auth_provider
+               as they are not meaningful for token client
+        """
         dscv = disable_ssl_certificate_validation
+        for unwanted_kwargs in ['region', 'service', 'auth_provider']:
+            kwargs.pop(unwanted_kwargs, None)
         super(V3TokenClient, self).__init__(
             None, None, None, disable_ssl_certificate_validation=dscv,
             ca_certs=ca_certs, trace_requests=trace_requests, **kwargs)
diff --git a/tempest/scenario/manager.py b/tempest/scenario/manager.py
index 2da2f92..a3a0100 100644
--- a/tempest/scenario/manager.py
+++ b/tempest/scenario/manager.py
@@ -529,14 +529,14 @@
 
         caller = test_utils.find_test_caller()
         LOG.debug('%(caller)s begins to ping %(ip)s in %(timeout)s sec and the'
-                  ' expected result is %(should_succeed)s', **{
+                  ' expected result is %(should_succeed)s', {
                       'caller': caller, 'ip': ip_address, 'timeout': timeout,
                       'should_succeed':
                       'reachable' if should_succeed else 'unreachable'
                   })
         result = test_utils.call_until_true(ping, timeout, 1)
         LOG.debug('%(caller)s finishes ping %(ip)s in %(timeout)s sec and the '
-                  'ping result is %(result)s', **{
+                  'ping result is %(result)s', {
                       'caller': caller, 'ip': ip_address, 'timeout': timeout,
                       'result': 'expected' if result else 'unexpected'
                   })
diff --git a/tempest/test_discover/plugins.py b/tempest/test_discover/plugins.py
index e9f59af..abe2b73 100644
--- a/tempest/test_discover/plugins.py
+++ b/tempest/test_discover/plugins.py
@@ -13,8 +13,8 @@
 # under the License.
 
 import abc
-import logging
 
+from oslo_log import log as logging
 import six
 import stevedore
 
diff --git a/tempest/tests/lib/test_tempest_lib.py b/tempest/tests/lib/test_tempest_lib.py
index d70e53d..4d9f099 100644
--- a/tempest/tests/lib/test_tempest_lib.py
+++ b/tempest/tests/lib/test_tempest_lib.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at