Merge "Adding sudo to command _renew_lease_dhclient in remote_client"
diff --git a/etc/tempest.conf.sample b/etc/tempest.conf.sample
index 80d52a4..2e57007 100644
--- a/etc/tempest.conf.sample
+++ b/etc/tempest.conf.sample
@@ -116,6 +116,11 @@
 # Roles to assign to all users created by tempest (list value)
 #tempest_roles =
 
+# Only applicable when identity.auth_version is v3.Domain within which
+# isolated credentials are provisioned.The default "None" means that
+# the domain from theadmin user is used instead. (string value)
+#tenant_isolation_domain_name = <None>
+
 
 [baremetal]
 
diff --git a/requirements.txt b/requirements.txt
index 2328203..35b5144 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,17 +12,17 @@
 python-glanceclient>=0.15.0
 python-cinderclient>=1.1.0
 python-heatclient>=0.3.0
-python-saharaclient>=0.7.6
+python-saharaclient>=0.8.0
 python-swiftclient>=2.2.0
 testrepository>=0.0.18
-oslo.concurrency>=1.4.1         # Apache-2.0
-oslo.config>=1.6.0  # Apache-2.0
-oslo.i18n>=1.3.0  # Apache-2.0
-oslo.log>=0.4.0  # Apache-2.0
-oslo.serialization>=1.2.0               # Apache-2.0
-oslo.utils>=1.2.0                       # Apache-2.0
+oslo.concurrency>=1.8.0,<1.9.0         # Apache-2.0
+oslo.config>=1.9.3,<1.10.0  # Apache-2.0
+oslo.i18n>=1.5.0,<1.6.0  # Apache-2.0
+oslo.log>=1.0.0,<1.1.0  # Apache-2.0
+oslo.serialization>=1.4.0,<1.5.0               # Apache-2.0
+oslo.utils>=1.4.0,<1.5.0                       # Apache-2.0
 six>=1.9.0
 iso8601>=0.1.9
 fixtures>=0.3.14
 testscenarios>=0.4
-tempest-lib>=0.3.0
+tempest-lib>=0.4.0
diff --git a/tempest/api_schema/response/compute/aggregates.py b/tempest/api_schema/response/compute/aggregates.py
deleted file mode 100644
index fc20885..0000000
--- a/tempest/api_schema/response/compute/aggregates.py
+++ /dev/null
@@ -1,101 +0,0 @@
-# Copyright 2014 NEC Corporation.  All rights reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import copy
-
-# create-aggregate api doesn't have 'hosts' and 'metadata' attributes.
-aggregate_for_create = {
-    'type': 'object',
-    'properties': {
-        'availability_zone': {'type': ['string', 'null']},
-        'created_at': {'type': 'string'},
-        'deleted': {'type': 'boolean'},
-        'deleted_at': {'type': ['string', 'null']},
-        'id': {'type': 'integer'},
-        'name': {'type': 'string'},
-        'updated_at': {'type': ['string', 'null']}
-    },
-    'required': ['availability_zone', 'created_at', 'deleted',
-                 'deleted_at', 'id', 'name', 'updated_at']
-}
-
-aggregate = copy.deepcopy(aggregate_for_create)
-aggregate['properties'].update({
-    'hosts': {'type': 'array'},
-    'metadata': {'type': 'object'}
-})
-aggregate['required'].extend(['hosts', 'metadata'])
-
-aggregate = {
-    'type': 'object',
-    'properties': {
-        'availability_zone': {'type': ['string', 'null']},
-        'created_at': {'type': 'string'},
-        'deleted': {'type': 'boolean'},
-        'deleted_at': {'type': ['string', 'null']},
-        'hosts': {'type': 'array'},
-        'id': {'type': 'integer'},
-        'metadata': {'type': 'object'},
-        'name': {'type': 'string'},
-        'updated_at': {'type': ['string', 'null']}
-    },
-    'required': ['availability_zone', 'created_at', 'deleted',
-                 'deleted_at', 'hosts', 'id', 'metadata',
-                 'name', 'updated_at']
-}
-
-list_aggregates = {
-    'status_code': [200],
-    'response_body': {
-        'type': 'object',
-        'properties': {
-            'aggregates': {
-                'type': 'array',
-                'items': aggregate
-            }
-        },
-        'required': ['aggregates']
-    }
-}
-
-get_aggregate = {
-    'status_code': [200],
-    'response_body': {
-        'type': 'object',
-        'properties': {
-            'aggregate': aggregate
-        },
-        'required': ['aggregate']
-    }
-}
-
-aggregate_set_metadata = get_aggregate
-# The 'updated_at' attribute of 'update_aggregate' can't be null.
-update_aggregate = copy.deepcopy(get_aggregate)
-update_aggregate['response_body']['properties']['aggregate']['properties'][
-    'updated_at'] = {
-        'type': 'string'
-    }
-
-common_create_aggregate = {
-    'response_body': {
-        'type': 'object',
-        'properties': {
-            'aggregate': aggregate_for_create
-        },
-        'required': ['aggregate']
-    }
-}
-
-aggregate_add_remove_host = get_aggregate
diff --git a/tempest/api_schema/response/compute/v2_1/aggregates.py b/tempest/api_schema/response/compute/v2_1/aggregates.py
index d87e4de..c935592 100644
--- a/tempest/api_schema/response/compute/v2_1/aggregates.py
+++ b/tempest/api_schema/response/compute/v2_1/aggregates.py
@@ -14,12 +14,75 @@
 
 import copy
 
-from tempest.api_schema.response.compute import aggregates
+# create-aggregate api doesn't have 'hosts' and 'metadata' attributes.
+aggregate_for_create = {
+    'type': 'object',
+    'properties': {
+        'availability_zone': {'type': ['string', 'null']},
+        'created_at': {'type': 'string'},
+        'deleted': {'type': 'boolean'},
+        'deleted_at': {'type': ['string', 'null']},
+        'id': {'type': 'integer'},
+        'name': {'type': 'string'},
+        'updated_at': {'type': ['string', 'null']}
+    },
+    'required': ['availability_zone', 'created_at', 'deleted',
+                 'deleted_at', 'id', 'name', 'updated_at'],
+}
+
+common_aggregate_info = copy.deepcopy(aggregate_for_create)
+common_aggregate_info['properties'].update({
+    'hosts': {'type': 'array'},
+    'metadata': {'type': 'object'}
+})
+common_aggregate_info['required'].extend(['hosts', 'metadata'])
+
+list_aggregates = {
+    'status_code': [200],
+    'response_body': {
+        'type': 'object',
+        'properties': {
+            'aggregates': {
+                'type': 'array',
+                'items': common_aggregate_info
+            }
+        },
+        'required': ['aggregates'],
+    }
+}
+
+get_aggregate = {
+    'status_code': [200],
+    'response_body': {
+        'type': 'object',
+        'properties': {
+            'aggregate': common_aggregate_info
+        },
+        'required': ['aggregate'],
+    }
+}
+
+aggregate_set_metadata = get_aggregate
+# The 'updated_at' attribute of 'update_aggregate' can't be null.
+update_aggregate = copy.deepcopy(get_aggregate)
+update_aggregate['response_body']['properties']['aggregate']['properties'][
+    'updated_at'] = {
+        'type': 'string'
+    }
 
 delete_aggregate = {
     'status_code': [200]
 }
 
-create_aggregate = copy.deepcopy(aggregates.common_create_aggregate)
-# V2 API's response status_code is 200
-create_aggregate['status_code'] = [200]
+create_aggregate = {
+    'status_code': [200],
+    'response_body': {
+        'type': 'object',
+        'properties': {
+            'aggregate': aggregate_for_create
+        },
+        'required': ['aggregate'],
+    }
+}
+
+aggregate_add_remove_host = get_aggregate
diff --git a/tempest/api_schema/response/compute/v2_1/fixed_ips.py b/tempest/api_schema/response/compute/v2_1/fixed_ips.py
index 446633f..13e70bf 100644
--- a/tempest/api_schema/response/compute/v2_1/fixed_ips.py
+++ b/tempest/api_schema/response/compute/v2_1/fixed_ips.py
@@ -12,7 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-fixed_ips = {
+get_fixed_ip = {
     'status_code': [200],
     'response_body': {
         'type': 'object',
@@ -35,7 +35,7 @@
     }
 }
 
-fixed_ip_action = {
+reserve_fixed_ip = {
     'status_code': [202],
     'response_body': {'type': 'string'}
 }
diff --git a/tempest/api_schema/response/compute/v2_1/floating_ips.py b/tempest/api_schema/response/compute/v2_1/floating_ips.py
index 7250773..7369bec 100644
--- a/tempest/api_schema/response/compute/v2_1/floating_ips.py
+++ b/tempest/api_schema/response/compute/v2_1/floating_ips.py
@@ -12,6 +12,28 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+common_floating_ip_info = {
+    'type': 'object',
+    'properties': {
+        # NOTE: Now the type of 'id' is integer, but
+        # here allows 'string' also because we will be
+        # able to change it to 'uuid' in the future.
+        'id': {'type': ['integer', 'string']},
+        'pool': {'type': ['string', 'null']},
+        'instance_id': {'type': ['string', 'null']},
+        'ip': {
+            'type': 'string',
+            'format': 'ip-address'
+        },
+        'fixed_ip': {
+            'type': ['string', 'null'],
+            'format': 'ip-address'
+        }
+    },
+    'required': ['id', 'pool', 'instance_id',
+                 'ip', 'fixed_ip'],
+
+}
 list_floating_ips = {
     'status_code': [200],
     'response_body': {
@@ -19,29 +41,10 @@
         'properties': {
             'floating_ips': {
                 'type': 'array',
-                'items': {
-                    'type': 'object',
-                    'properties': {
-                        # NOTE: Now the type of 'id' is integer, but
-                        # here allows 'string' also because we will be
-                        # able to change it to 'uuid' in the future.
-                        'id': {'type': ['integer', 'string']},
-                        'pool': {'type': ['string', 'null']},
-                        'instance_id': {'type': ['string', 'null']},
-                        'ip': {
-                            'type': 'string',
-                            'format': 'ip-address'
-                        },
-                        'fixed_ip': {
-                            'type': ['string', 'null'],
-                            'format': 'ip-address'
-                        }
-                    },
-                    'required': ['id', 'pool', 'instance_id', 'ip', 'fixed_ip']
-                }
-            }
+                'items': common_floating_ip_info
+            },
         },
-        'required': ['floating_ips']
+        'required': ['floating_ips'],
     }
 }
 
@@ -50,28 +53,9 @@
     'response_body': {
         'type': 'object',
         'properties': {
-            'floating_ip': {
-                'type': 'object',
-                'properties': {
-                    # NOTE: Now the type of 'id' is integer, but here allows
-                    # 'string' also because we will be able to change it to
-                    # 'uuid' in the future.
-                    'id': {'type': ['integer', 'string']},
-                    'pool': {'type': ['string', 'null']},
-                    'instance_id': {'type': ['string', 'null']},
-                    'ip': {
-                        'type': 'string',
-                        'format': 'ip-address'
-                    },
-                    'fixed_ip': {
-                        'type': ['string', 'null'],
-                        'format': 'ip-address'
-                    }
-                },
-                'required': ['id', 'pool', 'instance_id', 'ip', 'fixed_ip']
-            }
+            'floating_ip': common_floating_ip_info
         },
-        'required': ['floating_ip']
+        'required': ['floating_ip'],
     }
 }
 
@@ -87,11 +71,11 @@
                     'properties': {
                         'name': {'type': 'string'}
                     },
-                    'required': ['name']
+                    'required': ['name'],
                 }
             }
         },
-        'required': ['floating_ip_pools']
+        'required': ['floating_ip_pools'],
     }
 }
 
@@ -111,10 +95,10 @@
                     'ip_range': {'type': 'string'},
                     'pool': {'type': ['string', 'null']},
                 },
-                'required': ['interface', 'ip_range', 'pool']
+                'required': ['interface', 'ip_range', 'pool'],
             }
         },
-        'required': ['floating_ips_bulk_create']
+        'required': ['floating_ips_bulk_create'],
     }
 }
 
@@ -125,7 +109,7 @@
         'properties': {
             'floating_ips_bulk_delete': {'type': 'string'}
         },
-        'required': ['floating_ips_bulk_delete']
+        'required': ['floating_ips_bulk_delete'],
     }
 }
 
@@ -155,10 +139,10 @@
                     # NOTE: fixed_ip is introduced after JUNO release,
                     # So it is not defined as 'required'.
                     'required': ['address', 'instance_uuid', 'interface',
-                                 'pool', 'project_id']
+                                 'pool', 'project_id'],
                 }
             }
         },
-        'required': ['floating_ip_info']
+        'required': ['floating_ip_info'],
     }
 }
diff --git a/tempest/clients.py b/tempest/clients.py
index c75bef5..e1b6eab 100644
--- a/tempest/clients.py
+++ b/tempest/clients.py
@@ -227,7 +227,7 @@
             endpoint_type=CONF.data_processing.endpoint_type,
             **self.default_params_with_timeout_values)
         self.negative_client = negative_rest_client.NegativeRestClient(
-            self.auth_provider, service)
+            self.auth_provider, service, **self.default_params)
 
         # Generating EC2 credentials in tempest is only supported
         # with identity v2
diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py
index c8b2b93..8e9a018 100644
--- a/tempest/common/accounts.py
+++ b/tempest/common/accounts.py
@@ -35,9 +35,9 @@
 
 class Accounts(cred_provider.CredentialProvider):
 
-    def __init__(self, name):
-        super(Accounts, self).__init__(name)
-        self.name = name
+    def __init__(self, identity_version=None, name=None):
+        super(Accounts, self).__init__(identity_version=identity_version,
+                                       name=name)
         if os.path.isfile(CONF.auth.test_accounts_file):
             accounts = read_accounts_yaml(CONF.auth.test_accounts_file)
             self.use_default_creds = False
@@ -45,13 +45,7 @@
             accounts = {}
             self.use_default_creds = True
         self.hash_dict = self.get_hash_dict(accounts)
-        # FIXME(dhellmann): The configuration option is not part of
-        # the API of the library, because if we change the option name
-        # or group it will break this use. Tempest needs to set this
-        # value somewhere that it owns, and then use
-        # lockutils.set_defaults() to tell oslo.concurrency what value
-        # to use.
-        self.accounts_dir = os.path.join(CONF.oslo_concurrency.lock_path,
+        self.accounts_dir = os.path.join(lockutils.get_lock_path(CONF),
                                          'test_accounts')
         self.isolated_creds = {}
 
@@ -208,7 +202,8 @@
         if self.isolated_creds.get('primary'):
             return self.isolated_creds.get('primary')
         creds = self._get_creds()
-        primary_credential = cred_provider.get_credentials(**creds)
+        primary_credential = cred_provider.get_credentials(
+            identity_version=self.identity_version, **creds)
         self.isolated_creds['primary'] = primary_credential
         return primary_credential
 
@@ -216,7 +211,8 @@
         if self.isolated_creds.get('alt'):
             return self.isolated_creds.get('alt')
         creds = self._get_creds()
-        alt_credential = cred_provider.get_credentials(**creds)
+        alt_credential = cred_provider.get_credentials(
+            identity_version=self.identity_version, **creds)
         self.isolated_creds['alt'] = alt_credential
         return alt_credential
 
@@ -232,7 +228,8 @@
             new_index = str(roles) + '-' + str(len(self.isolated_creds))
             self.isolated_creds[new_index] = exist_creds
         creds = self._get_creds(roles=roles)
-        role_credential = cred_provider.get_credentials(**creds)
+        role_credential = cred_provider.get_credentials(
+            identity_version=self.identity_version, **creds)
         self.isolated_creds[str(roles)] = role_credential
         return role_credential
 
@@ -300,10 +297,11 @@
             return self.isolated_creds.get('primary')
         if not self.use_default_creds:
             creds = self.get_creds(0)
-            primary_credential = cred_provider.get_credentials(**creds)
+            primary_credential = cred_provider.get_credentials(
+                identity_version=self.identity_version, **creds)
         else:
             primary_credential = cred_provider.get_configured_credentials(
-                'user')
+                credential_type='user', identity_version=self.identity_version)
         self.isolated_creds['primary'] = primary_credential
         return primary_credential
 
@@ -312,10 +310,12 @@
             return self.isolated_creds.get('alt')
         if not self.use_default_creds:
             creds = self.get_creds(1)
-            alt_credential = cred_provider.get_credentials(**creds)
+            alt_credential = cred_provider.get_credentials(
+                identity_version=self.identity_version, **creds)
         else:
             alt_credential = cred_provider.get_configured_credentials(
-                'alt_user')
+                credential_type='alt_user',
+                identity_version=self.identity_version)
         self.isolated_creds['alt'] = alt_credential
         return alt_credential
 
diff --git a/tempest/common/cred_provider.py b/tempest/common/cred_provider.py
index bff9a0a..b0300cb 100644
--- a/tempest/common/cred_provider.py
+++ b/tempest/common/cred_provider.py
@@ -83,7 +83,7 @@
         domain_fields = set(x for x in auth.KeystoneV3Credentials.ATTRIBUTES
                             if 'domain' in x)
         if not domain_fields.intersection(kwargs.keys()):
-            kwargs['user_domain_name'] = CONF.identity.admin_domain_name
+            params['user_domain_name'] = CONF.identity.admin_domain_name
         auth_url = CONF.identity.uri_v3
     else:
         auth_url = CONF.identity.uri
@@ -95,8 +95,25 @@
 
 @six.add_metaclass(abc.ABCMeta)
 class CredentialProvider(object):
-    def __init__(self, name, password='pass', network_resources=None):
-        self.name = name
+    def __init__(self, identity_version=None, name=None, password='pass',
+                 network_resources=None):
+        """A CredentialProvider supplies credentials to test classes.
+        :param identity_version If specified it will return credentials of the
+                                corresponding identity version, otherwise it
+                                uses auth_version from configuration
+        :param name Name of the calling test. Included in provisioned
+                    credentials when credentials are provisioned on the fly
+        :param password Used for provisioned credentials when credentials are
+                        provisioned on the fly
+        :param network_resources Network resources required for the credentials
+        """
+        # TODO(andreaf) name and password are tenant isolation specific, and
+        # could be removed from this abstract class
+        self.name = name or "test_creds"
+        self.identity_version = identity_version or CONF.identity.auth_version
+        if not auth.is_identity_version_supported(self.identity_version):
+            raise exceptions.InvalidIdentityVersion(
+                identity_version=self.identity_version)
 
     @abc.abstractmethod
     def get_primary_creds(self):
diff --git a/tempest/common/credentials.py b/tempest/common/credentials.py
index 2f7fb73..1ca0128 100644
--- a/tempest/common/credentials.py
+++ b/tempest/common/credentials.py
@@ -26,7 +26,8 @@
 # Dropping interface and password, as they are never used anyways
 # TODO(andreaf) Drop them from the CredentialsProvider interface completely
 def get_isolated_credentials(name, network_resources=None,
-                             force_tenant_isolation=False):
+                             force_tenant_isolation=False,
+                             identity_version=None):
     # If a test requires a new account to work, it can have it via forcing
     # tenant isolation. A new account will be produced only for that test.
     # In case admin credentials are not available for the account creation,
@@ -34,13 +35,16 @@
     if CONF.auth.allow_tenant_isolation or force_tenant_isolation:
         return isolated_creds.IsolatedCreds(
             name=name,
-            network_resources=network_resources)
+            network_resources=network_resources,
+            identity_version=identity_version)
     else:
         if CONF.auth.locking_credentials_provider:
             # Most params are not relevant for pre-created accounts
-            return accounts.Accounts(name=name)
+            return accounts.Accounts(name=name,
+                                     identity_version=identity_version)
         else:
-            return accounts.NotLockingAccounts(name=name)
+            return accounts.NotLockingAccounts(
+                name=name, identity_version=identity_version)
 
 
 # We want a helper function here to check and see if admin credentials
diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index 5f582c1..22fc9c3 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -12,8 +12,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import abc
 import netaddr
 from oslo_log import log as logging
+import six
 from tempest_lib.common.utils import data_utils
 from tempest_lib import exceptions as lib_exc
 
@@ -21,22 +23,142 @@
 from tempest.common import cred_provider
 from tempest import config
 from tempest import exceptions
+from tempest.services.identity.v2.json import identity_client as v2_identity
 
 CONF = config.CONF
 LOG = logging.getLogger(__name__)
 
 
+@six.add_metaclass(abc.ABCMeta)
+class CredsClient(object):
+    """This class is a wrapper around the identity clients, to provide a
+     single interface for managing credentials in both v2 and v3 cases.
+     It's not bound to created credentials, only to a specific set of admin
+     credentials used for generating credentials.
+    """
+
+    def __init__(self, identity_client):
+        # The client implies version and credentials
+        self.identity_client = identity_client
+        self.credentials = self.identity_client.auth_provider.credentials
+
+    def create_user(self, username, password, project, email):
+        user = self.identity_client.create_user(
+            username, password, project['id'], email)
+        return user
+
+    @abc.abstractmethod
+    def create_project(self, name, description):
+        pass
+
+    def assign_user_role(self, user, project, role_name):
+        try:
+            roles = self._list_roles()
+            role = next(r for r in roles if r['name'] == role_name)
+        except StopIteration:
+            msg = 'No "%s" role found' % role_name
+            raise lib_exc.NotFound(msg)
+        try:
+            self.identity_client.assign_user_role(project['id'], user['id'],
+                                                  role['id'])
+        except lib_exc.Conflict:
+            LOG.debug("Role %s already assigned on project %s for user %s" % (
+                role['id'], project['id'], user['id']))
+
+    @abc.abstractmethod
+    def get_credentials(self, user, project, password):
+        pass
+
+    def delete_user(self, user_id):
+        self.identity_client.delete_user(user_id)
+
+    def _list_roles(self):
+        roles = self.identity_client.list_roles()
+        return roles
+
+
+class V2CredsClient(CredsClient):
+
+    def create_project(self, name, description):
+        tenant = self.identity_client.create_tenant(
+            name=name, description=description)
+        return tenant
+
+    def get_credentials(self, user, project, password):
+        return cred_provider.get_credentials(
+            identity_version='v2',
+            username=user['name'], user_id=user['id'],
+            tenant_name=project['name'], tenant_id=project['id'],
+            password=password)
+
+    def delete_project(self, project_id):
+        self.identity_client.delete_tenant(project_id)
+
+
+class V3CredsClient(CredsClient):
+
+    def __init__(self, identity_client, domain_name):
+        super(V3CredsClient, self).__init__(identity_client)
+        try:
+            # Domain names must be unique, in any case a list is returned,
+            # selecting the first (and only) element
+            self.creds_domain = self.identity_client.list_domains(
+                params={'name': domain_name})[0]
+        except lib_exc.NotFound:
+            # TODO(andrea) we could probably create the domain on the fly
+            msg = "Configured domain %s could not be found" % domain_name
+            raise exceptions.InvalidConfiguration(msg)
+
+    def create_project(self, name, description):
+        project = self.identity_client.create_project(
+            name=name, description=description,
+            domain_id=self.creds_domain['id'])
+        return project
+
+    def get_credentials(self, user, project, password):
+        return cred_provider.get_credentials(
+            identity_version='v3',
+            username=user['name'], user_id=user['id'],
+            project_name=project['name'], project_id=project['id'],
+            password=password,
+            project_domain_name=self.creds_domain['name'])
+
+    def delete_project(self, project_id):
+        self.identity_client.delete_project(project_id)
+
+
+def get_creds_client(identity_client, project_domain_name=None):
+    if isinstance(identity_client, v2_identity.IdentityClientJSON):
+        return V2CredsClient(identity_client)
+    else:
+        return V3CredsClient(identity_client, project_domain_name)
+
+
 class IsolatedCreds(cred_provider.CredentialProvider):
 
-    def __init__(self, name, password='pass', network_resources=None):
-        super(IsolatedCreds, self).__init__(name, password, network_resources)
+    def __init__(self, identity_version=None, name=None, password='pass',
+                 network_resources=None):
+        super(IsolatedCreds, self).__init__(identity_version, name, password,
+                                            network_resources)
         self.network_resources = network_resources
         self.isolated_creds = {}
         self.isolated_net_resources = {}
         self.ports = []
         self.password = password
+        self.default_admin_creds = cred_provider.get_configured_credentials(
+            'identity_admin', fill_in=True,
+            identity_version=self.identity_version)
         self.identity_admin_client, self.network_admin_client = (
             self._get_admin_clients())
+        # Domain where isolated credentials are provisioned (v3 only).
+        # Use that of the admin account is None is configured.
+        self.creds_domain_name = None
+        if self.identity_version == 'v3':
+            self.creds_domain_name = (
+                CONF.auth.tenant_isolation_domain_name or
+                self.default_admin_creds.project_domain_name)
+        self.creds_client = get_creds_client(
+            self.identity_admin_client, self.creds_domain_name)
 
     def _get_admin_clients(self):
         """
@@ -45,57 +167,11 @@
             identity
             network
         """
-        os = clients.AdminManager()
-        return os.identity_client, os.network_client
-
-    def _create_tenant(self, name, description):
-        tenant = self.identity_admin_client.create_tenant(
-            name=name, description=description)
-        return tenant
-
-    def _get_tenant_by_name(self, name):
-        tenant = self.identity_admin_client.get_tenant_by_name(name)
-        return tenant
-
-    def _create_user(self, username, password, tenant, email):
-        user = self.identity_admin_client.create_user(
-            username, password, tenant['id'], email)
-        return user
-
-    def _get_user(self, tenant, username):
-        user = self.identity_admin_client.get_user_by_username(
-            tenant['id'], username)
-        return user
-
-    def _list_roles(self):
-        roles = self.identity_admin_client.list_roles()
-        return roles
-
-    def _assign_user_role(self, tenant, user, role_name):
-        role = None
-        try:
-            roles = self._list_roles()
-            role = next(r for r in roles if r['name'] == role_name)
-        except StopIteration:
-            msg = 'No "%s" role found' % role_name
-            raise lib_exc.NotFound(msg)
-        try:
-            self.identity_admin_client.assign_user_role(tenant['id'],
-                                                        user['id'],
-                                                        role['id'])
-        except lib_exc.Conflict:
-            LOG.warning('Trying to add %s for user %s in tenant %s but they '
-                        ' were already granted that role' % (role_name,
-                                                             user['name'],
-                                                             tenant['name']))
-
-    def _delete_user(self, user):
-        self.identity_admin_client.delete_user(user)
-
-    def _delete_tenant(self, tenant):
-        if CONF.service_available.neutron:
-            self._cleanup_default_secgroup(tenant)
-        self.identity_admin_client.delete_tenant(tenant)
+        os = clients.Manager(self.default_admin_creds)
+        if self.identity_version == 'v2':
+            return os.identity_client, os.network_client
+        else:
+            return os.identity_v3_client, os.network_client
 
     def _create_creds(self, suffix="", admin=False, roles=None):
         """Create random credentials under the following schema.
@@ -112,31 +188,26 @@
         else:
             root = self.name
 
-        tenant_name = data_utils.rand_name(root) + suffix
-        tenant_desc = tenant_name + "-desc"
-        tenant = self._create_tenant(name=tenant_name,
-                                     description=tenant_desc)
+        project_name = data_utils.rand_name(root) + suffix
+        project_desc = project_name + "-desc"
+        project = self.creds_client.create_project(
+            name=project_name, description=project_desc)
 
         username = data_utils.rand_name(root) + suffix
         email = data_utils.rand_name(root) + suffix + "@example.com"
-        user = self._create_user(username, self.password,
-                                 tenant, email)
+        user = self.creds_client.create_user(
+            username, self.password, project, email)
         if admin:
-            self._assign_user_role(tenant, user, CONF.identity.admin_role)
+            self.creds_client.assign_user_role(user, project,
+                                               CONF.identity.admin_role)
         # Add roles specified in config file
         for conf_role in CONF.auth.tempest_roles:
-            self._assign_user_role(tenant, user, conf_role)
+            self.creds_client.assign_user_role(user, project, conf_role)
         # Add roles requested by caller
         if roles:
             for role in roles:
-                self._assign_user_role(tenant, user, role)
-        return self._get_credentials(user, tenant)
-
-    def _get_credentials(self, user, tenant):
-        return cred_provider.get_credentials(
-            username=user['name'], user_id=user['id'],
-            tenant_name=tenant['name'], tenant_id=tenant['id'],
-            password=self.password)
+                self.creds_client.assign_user_role(user, project, role)
+        return self.creds_client.get_credentials(user, project, self.password)
 
     def _create_network_resources(self, tenant_id):
         network = None
@@ -371,12 +442,14 @@
         self._clear_isolated_net_resources()
         for creds in self.isolated_creds.itervalues():
             try:
-                self._delete_user(creds.user_id)
+                self.creds_client.delete_user(creds.user_id)
             except lib_exc.NotFound:
                 LOG.warn("user with name: %s not found for delete" %
                          creds.username)
             try:
-                self._delete_tenant(creds.tenant_id)
+                if CONF.service_available.neutron:
+                    self._cleanup_default_secgroup(creds.tenant_id)
+                self.creds_client.delete_project(creds.tenant_id)
             except lib_exc.NotFound:
                 LOG.warn("tenant with name: %s not found for delete" %
                          creds.tenant_name)
diff --git a/tempest/common/negative_rest_client.py b/tempest/common/negative_rest_client.py
index a02e494..abd8b31 100644
--- a/tempest/common/negative_rest_client.py
+++ b/tempest/common/negative_rest_client.py
@@ -25,25 +25,39 @@
     """
     Version of RestClient that does not raise exceptions.
     """
-    def __init__(self, auth_provider, service):
-        region = self._get_region(service)
-        super(NegativeRestClient, self).__init__(auth_provider,
-                                                 service, region)
+    def __init__(self, auth_provider, service,
+                 build_interval=None, build_timeout=None,
+                 disable_ssl_certificate_validation=None,
+                 ca_certs=None, trace_requests=None):
+        region, endpoint_type = self._get_region_and_endpoint_type(service)
+        super(NegativeRestClient, self).__init__(
+            auth_provider,
+            service,
+            region,
+            endpoint_type=endpoint_type,
+            build_interval=build_interval,
+            build_timeout=build_timeout,
+            disable_ssl_certificate_validation=(
+                disable_ssl_certificate_validation),
+            ca_certs=ca_certs,
+            trace_requests=trace_requests)
 
-    def _get_region(self, service):
+    def _get_region_and_endpoint_type(self, service):
         """
         Returns the region for a specific service
         """
         service_region = None
+        service_endpoint_type = None
         for cfgname in dir(CONF._config):
             # Find all config.FOO.catalog_type and assume FOO is a service.
             cfg = getattr(CONF, cfgname)
             catalog_type = getattr(cfg, 'catalog_type', None)
             if catalog_type == service:
                 service_region = getattr(cfg, 'region', None)
+                service_endpoint_type = getattr(cfg, 'endpoint_type', None)
         if not service_region:
             service_region = CONF.identity.region
-        return service_region
+        return service_region, service_endpoint_type
 
     def _error_checker(self, method, url,
                        headers, body, resp, resp_body):
diff --git a/tempest/common/service_client.py b/tempest/common/service_client.py
index ad6610a..87e925d 100644
--- a/tempest/common/service_client.py
+++ b/tempest/common/service_client.py
@@ -14,10 +14,6 @@
 
 from tempest_lib.common import rest_client
 
-from tempest import config
-
-CONF = config.CONF
-
 
 class ServiceClient(rest_client.RestClient):
 
@@ -26,15 +22,11 @@
                  disable_ssl_certificate_validation=None, ca_certs=None,
                  trace_requests=None):
 
-        # TODO(oomichi): This params setting should be removed after all
-        # service clients pass these values, and we can make ServiceClient
-        # free from CONF values.
-        dscv = (disable_ssl_certificate_validation or
-                CONF.identity.disable_ssl_certificate_validation)
+        dscv = disable_ssl_certificate_validation
         params = {
             'disable_ssl_certificate_validation': dscv,
-            'ca_certs': ca_certs or CONF.identity.ca_certificates_file,
-            'trace_requests': trace_requests or CONF.debug.trace_requests
+            'ca_certs': ca_certs,
+            'trace_requests': trace_requests
         }
 
         if endpoint_type is not None:
diff --git a/tempest/config.py b/tempest/config.py
index 12620de..4ee4669 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -60,7 +60,13 @@
                      "number of concurrent test processes."),
     cfg.ListOpt('tempest_roles',
                 help="Roles to assign to all users created by tempest",
-                default=[])
+                default=[]),
+    cfg.StrOpt('tenant_isolation_domain_name',
+               default=None,
+               help="Only applicable when identity.auth_version is v3."
+                    "Domain within which isolated credentials are provisioned."
+                    "The default \"None\" means that the domain from the"
+                    "admin user is used instead.")
 ]
 
 identity_group = cfg.OptGroup(name='identity',
diff --git a/tempest/services/compute/json/aggregates_client.py b/tempest/services/compute/json/aggregates_client.py
index 7f1c162..36a347b 100644
--- a/tempest/services/compute/json/aggregates_client.py
+++ b/tempest/services/compute/json/aggregates_client.py
@@ -17,8 +17,7 @@
 
 from tempest_lib import exceptions as lib_exc
 
-from tempest.api_schema.response.compute import aggregates as schema
-from tempest.api_schema.response.compute.v2_1 import aggregates as v2_schema
+from tempest.api_schema.response.compute.v2_1 import aggregates as schema
 from tempest.common import service_client
 
 
@@ -44,7 +43,7 @@
         resp, body = self.post('os-aggregates', post_body)
 
         body = json.loads(body)
-        self.validate_response(v2_schema.create_aggregate, resp, body)
+        self.validate_response(schema.create_aggregate, resp, body)
         return service_client.ResponseBody(resp, body['aggregate'])
 
     def update_aggregate(self, aggregate_id, name, availability_zone=None):
@@ -63,7 +62,7 @@
     def delete_aggregate(self, aggregate_id):
         """Deletes the given aggregate."""
         resp, body = self.delete("os-aggregates/%s" % str(aggregate_id))
-        self.validate_response(v2_schema.delete_aggregate, resp, body)
+        self.validate_response(schema.delete_aggregate, resp, body)
         return service_client.ResponseBody(resp, body)
 
     def is_resource_deleted(self, id):
diff --git a/tempest/services/compute/json/fixed_ips_client.py b/tempest/services/compute/json/fixed_ips_client.py
index dda940c..7ba424f 100644
--- a/tempest/services/compute/json/fixed_ips_client.py
+++ b/tempest/services/compute/json/fixed_ips_client.py
@@ -25,12 +25,12 @@
         url = "os-fixed-ips/%s" % (fixed_ip)
         resp, body = self.get(url)
         body = json.loads(body)
-        self.validate_response(schema.fixed_ips, resp, body)
+        self.validate_response(schema.get_fixed_ip, resp, body)
         return service_client.ResponseBody(resp, body['fixed_ip'])
 
     def reserve_fixed_ip(self, ip, body):
         """This reserves and unreserves fixed ips."""
         url = "os-fixed-ips/%s/action" % (ip)
         resp, body = self.post(url, json.dumps(body))
-        self.validate_response(schema.fixed_ip_action, resp, body)
+        self.validate_response(schema.reserve_fixed_ip, resp, body)
         return service_client.ResponseBody(resp)
diff --git a/tempest/services/identity/v3/json/identity_client.py b/tempest/services/identity/v3/json/identity_client.py
index be5aa80..bc90fd1 100644
--- a/tempest/services/identity/v3/json/identity_client.py
+++ b/tempest/services/identity/v3/json/identity_client.py
@@ -242,9 +242,12 @@
         self.expected_success(204, resp.status)
         return service_client.ResponseBody(resp, body)
 
-    def list_domains(self):
+    def list_domains(self, params=None):
         """List Domains."""
-        resp, body = self.get('domains')
+        url = 'domains'
+        if params:
+            url += '?%s' % urllib.urlencode(params)
+        resp, body = self.get(url)
         self.expected_success(200, resp.status)
         body = json.loads(body)
         return service_client.ResponseBodyList(resp, body['domains'])
diff --git a/tempest/services/image/v1/json/image_client.py b/tempest/services/image/v1/json/image_client.py
index 0c35174..ec7900b 100644
--- a/tempest/services/image/v1/json/image_client.py
+++ b/tempest/services/image/v1/json/image_client.py
@@ -36,7 +36,7 @@
     def __init__(self, auth_provider, catalog_type, region, endpoint_type=None,
                  build_interval=None, build_timeout=None,
                  disable_ssl_certificate_validation=None,
-                 ca_certs=None, **kwargs):
+                 ca_certs=None, trace_requests=None):
         super(ImageClientJSON, self).__init__(
             auth_provider,
             catalog_type,
@@ -47,7 +47,7 @@
             disable_ssl_certificate_validation=(
                 disable_ssl_certificate_validation),
             ca_certs=ca_certs,
-            **kwargs)
+            trace_requests=trace_requests)
         self._http = None
         self.dscv = disable_ssl_certificate_validation
         self.ca_certs = ca_certs
diff --git a/tempest/services/image/v2/json/image_client.py b/tempest/services/image/v2/json/image_client.py
index e55a824..6b04144 100644
--- a/tempest/services/image/v2/json/image_client.py
+++ b/tempest/services/image/v2/json/image_client.py
@@ -28,7 +28,7 @@
     def __init__(self, auth_provider, catalog_type, region, endpoint_type=None,
                  build_interval=None, build_timeout=None,
                  disable_ssl_certificate_validation=None, ca_certs=None,
-                 **kwargs):
+                 trace_requests=None):
         super(ImageClientV2JSON, self).__init__(
             auth_provider,
             catalog_type,
@@ -39,7 +39,7 @@
             disable_ssl_certificate_validation=(
                 disable_ssl_certificate_validation),
             ca_certs=ca_certs,
-            **kwargs)
+            trace_requests=trace_requests)
         self._http = None
         self.dscv = disable_ssl_certificate_validation
         self.ca_certs = ca_certs
diff --git a/tempest/test.py b/tempest/test.py
index 7039f4c..19bae74 100644
--- a/tempest/test.py
+++ b/tempest/test.py
@@ -378,17 +378,19 @@
                                                    level=None))
 
     @classmethod
-    def get_client_manager(cls):
+    def get_client_manager(cls, identity_version=None):
         """
         Returns an OpenStack client manager
         """
         force_tenant_isolation = getattr(cls, 'force_tenant_isolation', None)
+        identity_version = identity_version or CONF.identity.auth_version
 
         if (not hasattr(cls, 'isolated_creds') or
             not cls.isolated_creds.name == cls.__name__):
             cls.isolated_creds = credentials.get_isolated_credentials(
                 name=cls.__name__, network_resources=cls.network_resources,
                 force_tenant_isolation=force_tenant_isolation,
+                identity_version=identity_version
             )
 
         creds = cls.isolated_creds.get_primary_creds()
diff --git a/tempest/tests/common/test_accounts.py b/tempest/tests/common/test_accounts.py
index 29fe902..2a98a06 100644
--- a/tempest/tests/common/test_accounts.py
+++ b/tempest/tests/common/test_accounts.py
@@ -17,6 +17,7 @@
 
 import mock
 from oslo_concurrency.fixture import lockutils as lockutils_fixtures
+from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslotest import mockpatch
 
@@ -81,7 +82,7 @@
     def test_get_hash(self):
         self.stubs.Set(token_client.TokenClientJSON, 'raw_request',
                        fake_identity._fake_v2_response)
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         hash_list = self._get_hash_list(self.test_accounts)
         test_cred_dict = self.test_accounts[3]
         test_creds = auth.get_credentials(fake_identity.FAKE_AUTH_URL,
@@ -90,7 +91,7 @@
         self.assertEqual(hash_list[3], results)
 
     def test_get_hash_dict(self):
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         hash_dict = test_account_class.get_hash_dict(self.test_accounts)
         hash_list = self._get_hash_list(self.test_accounts)
         for hash in hash_list:
@@ -101,7 +102,7 @@
         # Emulate the lock existing on the filesystem
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=True))
         with mock.patch('__builtin__.open', mock.mock_open(), create=True):
-            test_account_class = accounts.Accounts('test_name')
+            test_account_class = accounts.Accounts('v2', 'test_name')
             res = test_account_class._create_hash_file('12345')
         self.assertFalse(res, "_create_hash_file should return False if the "
                          "pseudo-lock file already exists")
@@ -110,7 +111,7 @@
         # Emulate the lock not existing on the filesystem
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=False))
         with mock.patch('__builtin__.open', mock.mock_open(), create=True):
-            test_account_class = accounts.Accounts('test_name')
+            test_account_class = accounts.Accounts('v2', 'test_name')
             res = test_account_class._create_hash_file('12345')
         self.assertTrue(res, "_create_hash_file should return True if the "
                         "pseudo-lock doesn't already exist")
@@ -122,17 +123,11 @@
         hash_list = self._get_hash_list(self.test_accounts)
         mkdir_mock = self.useFixture(mockpatch.Patch('os.mkdir'))
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=False))
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         with mock.patch('__builtin__.open', mock.mock_open(),
                         create=True) as open_mock:
             test_account_class._get_free_hash(hash_list)
-            # FIXME(dhellmann): The configuration option is not part
-            # of the API of the library, because if we change the
-            # option name or group it will break this use. Tempest
-            # needs to set this value somewhere that it owns, and then
-            # use lockutils.set_defaults() to tell oslo.concurrency
-            # what value to use.
-            lock_path = os.path.join(accounts.CONF.oslo_concurrency.lock_path,
+            lock_path = os.path.join(lockutils.get_lock_path(accounts.CONF),
                                      'test_accounts',
                                      hash_list[0])
             open_mock.assert_called_once_with(lock_path, 'w')
@@ -147,7 +142,7 @@
         self.useFixture(mockpatch.Patch('os.path.isdir', return_value=True))
         # Emulate all lcoks in list are in use
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=True))
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         with mock.patch('__builtin__.open', mock.mock_open(), create=True):
             self.assertRaises(exceptions.InvalidConfiguration,
                               test_account_class._get_free_hash, hash_list)
@@ -157,7 +152,7 @@
         # Emulate no pre-existing lock
         self.useFixture(mockpatch.Patch('os.path.isdir', return_value=True))
         hash_list = self._get_hash_list(self.test_accounts)
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
 
         def _fake_is_file(path):
             # Fake isfile() to return that the path exists unless a specific
@@ -170,13 +165,7 @@
         with mock.patch('__builtin__.open', mock.mock_open(),
                         create=True) as open_mock:
             test_account_class._get_free_hash(hash_list)
-            # FIXME(dhellmann): The configuration option is not part
-            # of the API of the library, because if we change the
-            # option name or group it will break this use. Tempest
-            # needs to set this value somewhere that it owns, and then
-            # use lockutils.set_defaults() to tell oslo.concurrency
-            # what value to use.
-            lock_path = os.path.join(accounts.CONF.oslo_concurrency.lock_path,
+            lock_path = os.path.join(lockutils.get_lock_path(accounts.CONF),
                                      'test_accounts',
                                      hash_list[3])
             open_mock.assert_has_calls([mock.call(lock_path, 'w')])
@@ -188,17 +177,11 @@
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=True))
         # Pretend the lock dir is empty
         self.useFixture(mockpatch.Patch('os.listdir', return_value=[]))
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         remove_mock = self.useFixture(mockpatch.Patch('os.remove'))
         rmdir_mock = self.useFixture(mockpatch.Patch('os.rmdir'))
         test_account_class.remove_hash(hash_list[2])
-        # FIXME(dhellmann): The configuration option is not part of
-        # the API of the library, because if we change the option name
-        # or group it will break this use. Tempest needs to set this
-        # value somewhere that it owns, and then use
-        # lockutils.set_defaults() to tell oslo.concurrency what value
-        # to use.
-        hash_path = os.path.join(accounts.CONF.oslo_concurrency.lock_path,
+        hash_path = os.path.join(lockutils.get_lock_path(accounts.CONF),
                                  'test_accounts',
                                  hash_list[2])
         lock_path = os.path.join(accounts.CONF.oslo_concurrency.lock_path,
@@ -214,24 +197,18 @@
         # Pretend the lock dir is empty
         self.useFixture(mockpatch.Patch('os.listdir', return_value=[
             hash_list[1], hash_list[4]]))
-        test_account_class = accounts.Accounts('test_name')
+        test_account_class = accounts.Accounts('v2', 'test_name')
         remove_mock = self.useFixture(mockpatch.Patch('os.remove'))
         rmdir_mock = self.useFixture(mockpatch.Patch('os.rmdir'))
         test_account_class.remove_hash(hash_list[2])
-        # FIXME(dhellmann): The configuration option is not part of
-        # the API of the library, because if we change the option name
-        # or group it will break this use. Tempest needs to set this
-        # value somewhere that it owns, and then use
-        # lockutils.set_defaults() to tell oslo.concurrency what value
-        # to use.
-        hash_path = os.path.join(accounts.CONF.oslo_concurrency.lock_path,
+        hash_path = os.path.join(lockutils.get_lock_path(accounts.CONF),
                                  'test_accounts',
                                  hash_list[2])
         remove_mock.mock.assert_called_once_with(hash_path)
         rmdir_mock.mock.assert_not_called()
 
     def test_is_multi_user(self):
-        test_accounts_class = accounts.Accounts('test_name')
+        test_accounts_class = accounts.Accounts('v2', 'test_name')
         self.assertTrue(test_accounts_class.is_multi_user())
 
     def test_is_not_multi_user(self):
@@ -239,14 +216,14 @@
         self.useFixture(mockpatch.Patch(
             'tempest.common.accounts.read_accounts_yaml',
             return_value=self.test_accounts))
-        test_accounts_class = accounts.Accounts('test_name')
+        test_accounts_class = accounts.Accounts('v2', 'test_name')
         self.assertFalse(test_accounts_class.is_multi_user())
 
     def test__get_creds_by_roles_one_role(self):
         self.useFixture(mockpatch.Patch(
             'tempest.common.accounts.read_accounts_yaml',
             return_value=self.test_accounts))
-        test_accounts_class = accounts.Accounts('test_name')
+        test_accounts_class = accounts.Accounts('v2', 'test_name')
         hashes = test_accounts_class.hash_dict['roles']['role4']
         temp_hash = hashes[0]
         get_free_hash_mock = self.useFixture(mockpatch.PatchObject(
@@ -263,7 +240,7 @@
         self.useFixture(mockpatch.Patch(
             'tempest.common.accounts.read_accounts_yaml',
             return_value=self.test_accounts))
-        test_accounts_class = accounts.Accounts('test_name')
+        test_accounts_class = accounts.Accounts('v2', 'test_name')
         hashes = test_accounts_class.hash_dict['roles']['role4']
         hashes2 = test_accounts_class.hash_dict['roles']['role2']
         hashes = list(set(hashes) & set(hashes2))
@@ -282,7 +259,7 @@
         self.useFixture(mockpatch.Patch(
             'tempest.common.accounts.read_accounts_yaml',
             return_value=self.test_accounts))
-        test_accounts_class = accounts.Accounts('test_name')
+        test_accounts_class = accounts.Accounts('v2', 'test_name')
         hashes = test_accounts_class.hash_dict['creds'].keys()
         admin_hashes = test_accounts_class.hash_dict['roles'][
             cfg.CONF.identity.admin_role]
@@ -321,7 +298,7 @@
         self.useFixture(mockpatch.Patch('os.path.isfile', return_value=True))
 
     def test_get_creds(self):
-        test_accounts_class = accounts.NotLockingAccounts('test_name')
+        test_accounts_class = accounts.NotLockingAccounts('v2', 'test_name')
         for i in xrange(len(self.test_accounts)):
             creds = test_accounts_class.get_creds(i)
             msg = "Empty credentials returned for ID %s" % str(i)
diff --git a/tempest/tests/test_tenant_isolation.py b/tempest/tests/test_tenant_isolation.py
index 7ab3f1e..82cbde9 100644
--- a/tempest/tests/test_tenant_isolation.py
+++ b/tempest/tests/test_tenant_isolation.py
@@ -44,7 +44,7 @@
         self._mock_list_ec2_credentials('fake_user_id', 'fake_tenant_id')
 
     def test_tempest_client(self):
-        iso_creds = isolated_creds.IsolatedCreds('test class')
+        iso_creds = isolated_creds.IsolatedCreds(name='test class')
         self.assertTrue(isinstance(iso_creds.identity_admin_client,
                                    json_iden_client.IdentityClientJSON))
         self.assertTrue(isinstance(iso_creds.network_admin_client,
@@ -139,7 +139,7 @@
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_primary_creds(self, MockRestClient):
         cfg.CONF.set_default('neutron', False, 'service_available')
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         self._mock_list_role()
@@ -155,7 +155,7 @@
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_admin_creds(self, MockRestClient):
         cfg.CONF.set_default('neutron', False, 'service_available')
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_list_roles('1234', 'admin')
         self._mock_user_create('1234', 'fake_admin_user')
@@ -179,7 +179,7 @@
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_role_creds(self, MockRestClient):
         cfg.CONF.set_default('neutron', False, 'service_available')
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds('v2', 'test class',
                                                  password='fake_password')
         self._mock_list_2_roles()
         self._mock_user_create('1234', 'fake_role_user')
@@ -207,7 +207,7 @@
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_all_cred_cleanup(self, MockRestClient):
         cfg.CONF.set_default('neutron', False, 'service_available')
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         roles_fix = self._mock_list_role()
@@ -251,7 +251,7 @@
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_alt_creds(self, MockRestClient):
         cfg.CONF.set_default('neutron', False, 'service_available')
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         self._mock_list_role()
@@ -266,7 +266,7 @@
 
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_network_creation(self, MockRestClient):
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         self._mock_list_role()
@@ -298,7 +298,7 @@
                                          "description": args['name'],
                                          "security_group_rules": [],
                                          "id": "sg-%s" % args['tenant_id']}]}
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         # Create primary tenant and network
         self._mock_assign_user_role()
@@ -415,7 +415,7 @@
 
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_network_alt_creation(self, MockRestClient):
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         self._mock_list_role()
@@ -441,7 +441,7 @@
 
     @mock.patch('tempest_lib.common.rest_client.RestClient')
     def test_network_admin_creation(self, MockRestClient):
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password')
         self._mock_assign_user_role()
         self._mock_user_create('1234', 'fake_admin_user')
@@ -473,7 +473,7 @@
             'subnet': False,
             'dhcp': False,
         }
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password',
                                                  network_resources=net_dict)
         self._mock_assign_user_role()
@@ -509,7 +509,7 @@
             'subnet': False,
             'dhcp': False,
         }
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password',
                                                  network_resources=net_dict)
         self._mock_assign_user_role()
@@ -527,7 +527,7 @@
             'subnet': True,
             'dhcp': False,
         }
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password',
                                                  network_resources=net_dict)
         self._mock_assign_user_role()
@@ -545,7 +545,7 @@
             'subnet': False,
             'dhcp': True,
         }
-        iso_creds = isolated_creds.IsolatedCreds('test class',
+        iso_creds = isolated_creds.IsolatedCreds(name='test class',
                                                  password='fake_password',
                                                  network_resources=net_dict)
         self._mock_assign_user_role()
diff --git a/test-requirements.txt b/test-requirements.txt
index 6a9111e..76ae521 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -5,9 +5,9 @@
 # needed for doc build
 sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3
 python-subunit>=0.0.18
-oslosphinx>=2.2.0  # Apache-2.0
+oslosphinx>=2.5.0,<2.6.0  # Apache-2.0
 mox>=0.5.3
 mock>=1.0
 coverage>=3.6
-oslotest>=1.2.0  # Apache-2.0
-stevedore>=1.1.0  # Apache-2.0
+oslotest>=1.5.1,<1.6.0  # Apache-2.0
+stevedore>=1.3.0,<1.4.0  # Apache-2.0