Only use accounts.yaml with locking provider
This commit removes support for using an accounts.yaml file with the
non-locking provider. There is no reason the non-locking provider
would ever need to be used with an accounts.yaml file because the
locking provider supports running serially just fine. (which would be
the sole use case for accounts file with the non-locking provider)
Doing this relegates the non-locking provider to just handle the
legacy config options for providing credentials.
Removing this code path provides the advantage of removing a double
maintenance burden for the non-locking provider, in addition to
simplifying the config and user story around the cred providers. It
also turns out this config permutation was never properly tested and
didn't actually work.
Change-Id: I8088d75897589203264ae29326fe9901c3457cc3
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 15369de..4fe2e9f 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -84,13 +84,11 @@
To enable and use locking test accounts you need do a few things:
- #. Enable the locking test account provider with the
- locking_credentials_provider option in the auth section
#. Create a accounts.yaml file which contains the set of pre-existing
credentials to use for testing. To make sure you don't have a credentials
starvation issue when running in parallel make sure you have at least 2
- times the number of parallel workers you are using to execute tempest
- available in the file.
+ times the number of worker processes you are using to execute tempest
+ available in the file. (if running serially the worker count is 1)
You can check the sample file packaged in tempest for the yaml format
#. Provide tempest with the location of you accounts.yaml file with the
@@ -125,15 +123,3 @@
is that if a test requires specific roles on accounts these tests can not be
run. This is because the config options do not give sufficient flexibility to
describe the roles assigned to a user for running the tests.
-
-You also can use the accounts.yaml file to specify the credentials used for
-testing. This will just allocate them serially so you only need to provide
-a pair of credentials. Do note that all the restrictions associated with
-locking test accounts applies to using the accounts.yaml file this way too,
-except since you can't run in parallel only 2 of each type of credential is
-required to run. However, the limitation on tests which require specific roles
-does not apply here.
-
-The procedure for doing this is very similar to with the locking accounts
-provider just don't set the locking_credentials_provider to true and you
-only should need a single pair of credentials.
diff --git a/etc/tempest.conf.sample b/etc/tempest.conf.sample
index 7c5461b..fae24c4 100644
--- a/etc/tempest.conf.sample
+++ b/etc/tempest.conf.sample
@@ -94,8 +94,12 @@
#
# Path to the yaml file that contains the list of credentials to use
-# for running tests (string value)
-#test_accounts_file = etc/accounts.yaml
+# for running tests. If used when running in parallel you have to make
+# sure sufficient credentials are provided in the accounts file. For
+# example if no tests with roles are being run it requires at least `2
+# * CONC` distinct accounts configured in the `test_accounts_file`,
+# with CONC == the number of concurrent test processes. (string value)
+#test_accounts_file = <None>
# Allows test cases to create/destroy tenants and users. This option
# requires that OpenStack Identity API admin credentials are known. If
@@ -105,14 +109,6 @@
# Deprecated group/name - [orchestration]/allow_tenant_isolation
#allow_tenant_isolation = true
-# If set to True it enables the Accounts provider, which locks
-# credentials to allow for parallel execution with pre-provisioned
-# accounts. It can only be used to run tests that ensure credentials
-# cleanup happens. It requires at least `2 * CONC` distinct accounts
-# configured in `test_accounts_file`, with CONC == the number of
-# concurrent test processes. (boolean value)
-#locking_credentials_provider = false
-
# Roles to assign to all users created by tempest (list value)
#tempest_roles =
diff --git a/tempest/common/accounts.py b/tempest/common/accounts.py
index 8e9a018..fc8e6a5 100644
--- a/tempest/common/accounts.py
+++ b/tempest/common/accounts.py
@@ -261,18 +261,14 @@
def _unique_creds(self, cred_arg=None):
"""Verify that the configured credentials are valid and distinct """
- if self.use_default_creds:
- try:
- user = self.get_primary_creds()
- alt_user = self.get_alt_creds()
- return getattr(user, cred_arg) != getattr(alt_user, cred_arg)
- except exceptions.InvalidCredentials as ic:
- msg = "At least one of the configured credentials is " \
- "not valid: %s" % ic.message
- raise exceptions.InvalidConfiguration(msg)
- else:
- # TODO(andreaf) Add a uniqueness check here
- return len(self.hash_dict['creds']) > 1
+ try:
+ user = self.get_primary_creds()
+ alt_user = self.get_alt_creds()
+ return getattr(user, cred_arg) != getattr(alt_user, cred_arg)
+ except exceptions.InvalidCredentials as ic:
+ msg = "At least one of the configured credentials is " \
+ "not valid: %s" % ic.message
+ raise exceptions.InvalidConfiguration(msg)
def is_multi_user(self):
return self._unique_creds('username')
@@ -280,42 +276,20 @@
def is_multi_tenant(self):
return self._unique_creds('tenant_id')
- def get_creds(self, id, roles=None):
- try:
- hashes = self._get_match_hash_list(roles)
- # No need to sort the dict as within the same python process
- # the HASH seed won't change, so subsequent calls to keys()
- # will return the same result
- _hash = hashes[id]
- except IndexError:
- msg = 'Insufficient number of users provided'
- raise exceptions.InvalidConfiguration(msg)
- return self.hash_dict['creds'][_hash]
-
def get_primary_creds(self):
if self.isolated_creds.get('primary'):
return self.isolated_creds.get('primary')
- if not self.use_default_creds:
- creds = self.get_creds(0)
- primary_credential = cred_provider.get_credentials(
- identity_version=self.identity_version, **creds)
- else:
- primary_credential = cred_provider.get_configured_credentials(
- credential_type='user', identity_version=self.identity_version)
+ primary_credential = cred_provider.get_configured_credentials(
+ credential_type='user', identity_version=self.identity_version)
self.isolated_creds['primary'] = primary_credential
return primary_credential
def get_alt_creds(self):
if self.isolated_creds.get('alt'):
return self.isolated_creds.get('alt')
- if not self.use_default_creds:
- creds = self.get_creds(1)
- alt_credential = cred_provider.get_credentials(
- identity_version=self.identity_version, **creds)
- else:
- alt_credential = cred_provider.get_configured_credentials(
- credential_type='alt_user',
- identity_version=self.identity_version)
+ alt_credential = cred_provider.get_configured_credentials(
+ credential_type='alt_user',
+ identity_version=self.identity_version)
self.isolated_creds['alt'] = alt_credential
return alt_credential
@@ -323,35 +297,14 @@
self.isolated_creds = {}
def get_admin_creds(self):
- if not self.use_default_creds:
- return self.get_creds_by_roles([CONF.identity.admin_role])
- else:
- creds = cred_provider.get_configured_credentials(
- "identity_admin", fill_in=False)
- self.isolated_creds['admin'] = creds
- return creds
+ creds = cred_provider.get_configured_credentials(
+ "identity_admin", fill_in=False)
+ self.isolated_creds['admin'] = creds
+ return creds
def get_creds_by_roles(self, roles, force_new=False):
- roles = list(set(roles))
- exist_creds = self.isolated_creds.get(str(roles), None)
- index = 0
- if exist_creds and not force_new:
- return exist_creds
- elif exist_creds and force_new:
- new_index = str(roles) + '-' + str(len(self.isolated_creds))
- self.isolated_creds[new_index] = exist_creds
- # Figure out how many existing creds for this roles set are present
- # use this as the index the returning hash list to ensure separate
- # creds are returned with force_new being True
- for creds_names in self.isolated_creds:
- if str(roles) in creds_names:
- index = index + 1
- if not self.use_default_creds:
- creds = self.get_creds(index, roles=roles)
- role_credential = cred_provider.get_credentials(**creds)
- self.isolated_creds[str(roles)] = role_credential
- else:
- msg = "Default credentials can not be used with specifying "\
- "credentials by roles"
- raise exceptions.InvalidConfiguration(msg)
- return role_credential
+ msg = "Credentials being specified through the config file can not be"\
+ " used with tests that specify using credentials by roles. "\
+ "Either exclude/skip the tests doing this or use either an "\
+ "test_accounts_file or tenant isolation."
+ raise exceptions.InvalidConfiguration(msg)
diff --git a/tempest/common/credentials.py b/tempest/common/credentials.py
index 1ca0128..f3ddab9 100644
--- a/tempest/common/credentials.py
+++ b/tempest/common/credentials.py
@@ -38,7 +38,7 @@
network_resources=network_resources,
identity_version=identity_version)
else:
- if CONF.auth.locking_credentials_provider:
+ if os.path.isfile(CONF.auth.test_accounts_file):
# Most params are not relevant for pre-created accounts
return accounts.Accounts(name=name,
identity_version=identity_version)
diff --git a/tempest/config.py b/tempest/config.py
index 78952f1..9577f2d 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -35,9 +35,14 @@
AuthGroup = [
cfg.StrOpt('test_accounts_file',
- default='etc/accounts.yaml',
help="Path to the yaml file that contains the list of "
- "credentials to use for running tests"),
+ "credentials to use for running tests. If used when "
+ "running in parallel you have to make sure sufficient "
+ "credentials are provided in the accounts file. For "
+ "example if no tests with roles are being run it requires "
+ "at least `2 * CONC` distinct accounts configured in "
+ " the `test_accounts_file`, with CONC == the "
+ "number of concurrent test processes."),
cfg.BoolOpt('allow_tenant_isolation',
default=True,
help="Allows test cases to create/destroy tenants and "
@@ -49,15 +54,6 @@
group='compute'),
cfg.DeprecatedOpt('allow_tenant_isolation',
group='orchestration')]),
- cfg.BoolOpt('locking_credentials_provider',
- default=False,
- help="If set to True it enables the Accounts provider, "
- "which locks credentials to allow for parallel execution "
- "with pre-provisioned accounts. It can only be used to "
- "run tests that ensure credentials cleanup happens. "
- "It requires at least `2 * CONC` distinct accounts "
- "configured in `test_accounts_file`, with CONC == the "
- "number of concurrent test processes."),
cfg.ListOpt('tempest_roles',
help="Roles to assign to all users created by tempest",
default=[]),
diff --git a/tempest/tests/common/test_accounts.py b/tempest/tests/common/test_accounts.py
index 2a98a06..0f8fa92 100644
--- a/tempest/tests/common/test_accounts.py
+++ b/tempest/tests/common/test_accounts.py
@@ -297,12 +297,8 @@
cfg.CONF.set_default('test_accounts_file', '', group='auth')
self.useFixture(mockpatch.Patch('os.path.isfile', return_value=True))
- def test_get_creds(self):
+ def test_get_creds_roles_nonlocking_invalid(self):
test_accounts_class = accounts.NotLockingAccounts('v2', 'test_name')
- for i in xrange(len(self.test_accounts)):
- creds = test_accounts_class.get_creds(i)
- msg = "Empty credentials returned for ID %s" % str(i)
- self.assertIsNotNone(creds, msg)
self.assertRaises(exceptions.InvalidConfiguration,
- test_accounts_class.get_creds,
- id=len(self.test_accounts))
+ test_accounts_class.get_creds_by_roles,
+ ['fake_role'])