Allow v3 identity to work without the admin domain name
The problem was that the value of admin_domain_name was required in order to
use identity v3 even if no admin was being used.
A new option auth.default_credentials_domain_name
is used instead of admin_domain_name except when requesting admin creds.
This defaults to 'Default' which is the name keystone uses for compatibility
with v2.
Because tenant_isolation and pre-provisioned credentials are mutually
exclusive, and to avoid having too many config options, the new option is
used instead of tenant_isolation_domain_name as well.
Change-Id: I52f0d4c0cc7e5eafa896776b12315ed6154dfae2
diff --git a/etc/tempest.conf.sample b/etc/tempest.conf.sample
index 724bff4..1f8c889 100644
--- a/etc/tempest.conf.sample
+++ b/etc/tempest.conf.sample
@@ -123,10 +123,10 @@
# Roles to assign to all users created by tempest (list value)
#tempest_roles =
-# Only applicable when identity.auth_version is v3.Domain within which
-# isolated credentials are provisioned.The default "None" means that
-# the domain from theadmin user is used instead. (string value)
-#tenant_isolation_domain_name = <None>
+# Default domain used when getting v3 credentials. This is the name
+# keystone uses for v2 compatibility. (string value)
+# Deprecated group/name - [auth]/tenant_isolation_domain_name
+#default_credentials_domain_name = Default
# If allow_tenant_isolation is set to True and Neutron is enabled
# Tempest will try to create a useable network, subnet, and router
diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py
index 78e0e72..27b44f6 100644
--- a/tempest/common/accounts.py
+++ b/tempest/common/accounts.py
@@ -216,7 +216,7 @@
if ('user_domain_name' in init_attributes and 'user_domain_name'
not in hash_attributes):
# Allow for the case of domain_name populated from config
- domain_name = CONF.identity.admin_domain_name
+ domain_name = CONF.auth.default_credentials_domain_name
hash_attributes['user_domain_name'] = domain_name
if all([getattr(creds, k) == hash_attributes[k] for
k in init_attributes]):
diff --git a/tempest/common/cred_provider.py b/tempest/common/cred_provider.py
index 2b7e0db..783a5fc 100644
--- a/tempest/common/cred_provider.py
+++ b/tempest/common/cred_provider.py
@@ -84,9 +84,9 @@
domain_fields = set(x for x in auth.KeystoneV3Credentials.ATTRIBUTES
if 'domain' in x)
if not domain_fields.intersection(kwargs.keys()):
- # TODO(andreaf) It might be better here to use a dedicated config
- # option such as CONF.auth.tenant_isolation_domain_name
- params['user_domain_name'] = CONF.identity.admin_domain_name
+ domain_name = CONF.auth.default_credentials_domain_name
+ params['user_domain_name'] = domain_name
+
auth_url = CONF.identity.uri_v3
else:
auth_url = CONF.identity.uri
diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index ff4eda9..7888811 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -163,8 +163,8 @@
self.creds_domain_name = None
if self.identity_version == 'v3':
self.creds_domain_name = (
- CONF.auth.tenant_isolation_domain_name or
- self.default_admin_creds.project_domain_name)
+ self.default_admin_creds.project_domain_name or
+ CONF.auth.default_credentials_domain_name)
self.creds_client = get_creds_client(
self.identity_admin_client, self.creds_domain_name)
diff --git a/tempest/config.py b/tempest/config.py
index 5ea4d10..46f84ee 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -67,12 +67,13 @@
cfg.ListOpt('tempest_roles',
help="Roles to assign to all users created by tempest",
default=[]),
- cfg.StrOpt('tenant_isolation_domain_name',
- default=None,
- help="Only applicable when identity.auth_version is v3."
- "Domain within which isolated credentials are provisioned."
- "The default \"None\" means that the domain from the"
- "admin user is used instead."),
+ cfg.StrOpt('default_credentials_domain_name',
+ default='Default',
+ help="Default domain used when getting v3 credentials. "
+ "This is the name keystone uses for v2 compatibility.",
+ deprecated_opts=[cfg.DeprecatedOpt(
+ 'tenant_isolation_domain_name',
+ group='auth')]),
cfg.BoolOpt('create_isolated_networks',
default=True,
help="If allow_tenant_isolation is set to True and Neutron is "
@@ -1257,9 +1258,11 @@
self.baremetal = _CONF.baremetal
self.input_scenario = _CONF['input-scenario']
self.negative = _CONF.negative
- _CONF.set_default('domain_name', self.identity.admin_domain_name,
+ _CONF.set_default('domain_name',
+ self.auth.default_credentials_domain_name,
group='identity')
- _CONF.set_default('alt_domain_name', self.identity.admin_domain_name,
+ _CONF.set_default('alt_domain_name',
+ self.auth.default_credentials_domain_name,
group='identity')
def __init__(self, parse_conf=True, config_path=None):