Blame - doc/source/library/credential_providers.rst - packaging/sources/tempest

blob: d96c97a7b27f236ea39db7c15d4a659450486661 [file] [log] [blame]

Matthew Treinish	c51b712	2017-07-17 12:28:07 -0400	[diff] [blame]	1	.. _cred_providers:
				2
				3	Credential Providers
				4	====================
				5
				6	These library interfaces are used to deal with allocating credentials on demand
				7	either dynamically by calling keystone to allocate new credentials, or from
Matthew Treinish	841b75e	2017-07-17 13:17:43 -0400	[diff] [blame]	8	a list of preprovisioned credentials. These 2 modules are implementations of
shangxiaobj	284d311	2017-08-13 23:37:34 -0700	[diff] [blame]	9	the same abstract credential providers class and can be used interchangeably.
Matthew Treinish	841b75e	2017-07-17 13:17:43 -0400	[diff] [blame]	10	However, each implementation has some additional parameters that are used to
				11	influence the behavior of the modules. The API reference at the bottom of this
				12	doc shows the interface definitions for both modules, however that may be a bit
				13	opaque. You can see some examples of how to leverage this interface below.
Matthew Treinish	c51b712	2017-07-17 12:28:07 -0400	[diff] [blame]	14
Matthew Treinish	841b75e	2017-07-17 13:17:43 -0400	[diff] [blame]	15	Initialization Example
				16	----------------------
				17	This example is from Tempest itself (from tempest/common/credentials_factory.py
				18	just modified slightly) and is how it initializes the credential provider based
				19	on config::
				20
				21	from tempest import config
				22	from tempest.lib.common import dynamic_creds
				23	from tempest.lib.common import preprov_creds
				24
				25	CONF = config.CONF
				26
				27	def get_credentials_provider(name, network_resources=None,
				28	force_tenant_isolation=False,
				29	identity_version=None):
				30	# If a test requires a new account to work, it can have it via forcing
				31	# dynamic credentials. A new account will be produced only for that test.
				32	# In case admin credentials are not available for the account creation,
				33	# the test should be skipped else it would fail.
				34	identity_version = identity_version or CONF.identity.auth_version
				35	if CONF.auth.use_dynamic_credentials or force_tenant_isolation:
				36	admin_creds = get_configured_admin_credentials(
				37	fill_in=True, identity_version=identity_version)
				38	return dynamic_creds.DynamicCredentialProvider(
				39	name=name,
				40	network_resources=network_resources,
				41	identity_version=identity_version,
				42	admin_creds=admin_creds,
				43	identity_admin_domain_scope=CONF.identity.admin_domain_scope,
				44	identity_admin_role=CONF.identity.admin_role,
				45	extra_roles=CONF.auth.tempest_roles,
				46	neutron_available=CONF.service_available.neutron,
				47	project_network_cidr=CONF.network.project_network_cidr,
				48	project_network_mask_bits=CONF.network.project_network_mask_bits,
				49	public_network_id=CONF.network.public_network_id,
				50	create_networks=(CONF.auth.create_isolated_networks and not
				51	CONF.network.shared_physical_network),
				52	resource_prefix=CONF.resources_prefix,
				53	credentials_domain=CONF.auth.default_credentials_domain_name,
				54	admin_role=CONF.identity.admin_role,
				55	identity_uri=CONF.identity.uri_v3,
				56	identity_admin_endpoint_type=CONF.identity.v3_endpoint_type)
				57	else:
				58	if CONF.auth.test_accounts_file:
				59	# Most params are not relevant for pre-created accounts
				60	return preprov_creds.PreProvisionedCredentialProvider(
				61	name=name, identity_version=identity_version,
				62	accounts_lock_dir=lockutils.get_lock_path(CONF),
				63	test_accounts_file=CONF.auth.test_accounts_file,
				64	object_storage_operator_role=CONF.object_storage.operator_role,
				65	object_storage_reseller_admin_role=reseller_admin_role,
				66	credentials_domain=CONF.auth.default_credentials_domain_name,
				67	admin_role=CONF.identity.admin_role,
				68	identity_uri=CONF.identity.uri_v3,
				69	identity_admin_endpoint_type=CONF.identity.v3_endpoint_type)
				70	else:
				71	raise exceptions.InvalidConfiguration(
				72	'A valid credential provider is needed')
				73
				74	This function just returns an initialized credential provider class based on the
				75	config file. The consumer of this function treats the output as the same
				76	regardless of whether it's a dynamic or preprovisioned provider object.
				77
				78	Dealing with Credentials
				79	------------------------
				80
				81	Once you have a credential provider object created the access patterns for
				82	allocating and removing credentials are the same across both the dynamic
				83	and preprovisioned credentials. These are defined in the abstract
				84	CredentialProvider class. At a high level the credentials provider enables
				85	you to get 3 basic types of credentials at once (per object): a primary, alt,
				86	and admin. You're also able to allocate a credential by role. These credentials
				87	are tracked by the provider object and delete must manually be called otherwise
				88	the created resources will not be deleted (or returned to the pool in the case
				89	of preprovisioned creds)
				90
				91	Examples
				92	''''''''
				93
				94	Continuing from the example above, to allocate credentials by the 3 basic types
				95	you can do the following::
				96
				97	provider = get_credentials_provider('my_tests')
				98	primary_creds = provider.get_primary_creds()
				99	alt_creds = provider.get_alt_creds()
				100	admin_creds = provider.get_admin_creds()
				101	# Make sure to delete the credentials when you're finished
				102	provider.clear_creds()
				103
				104	To create and interact with credentials by role you can do the following::
				105
				106	provider = get_credentials_provider('my_tests')
				107	my_role_creds = provider.get_creds_by_role({'roles': ['my_role']})
				108	# provider.clear_creds() will clear all creds including those allocated by
				109	# role
				110	provider.clear_creds()
				111
				112	When multiple roles are specified a set of creds with all the roles assigned
				113	will be allocated::
				114
				115	provider = get_credentials_provider('my_tests')
				116	my_role_creds = provider.get_creds_by_role({'roles': ['my_role',
				117	'my_other_role']})
				118	# provider.clear_creds() will clear all creds including those allocated by
				119	# role
				120	provider.clear_creds()
				121
				122	If you need multiple sets of credentials with the same roles you can also do
				123	this by leveraging the ``force_new`` kwarg::
				124
				125	provider = get_credentials_provider('my_tests')
				126	my_role_creds = provider.get_creds_by_role({'roles': ['my_role']})
				127	my_role_other_creds = provider.get_creds_by_role({'roles': ['my_role']},
				128	force_new=True)
				129	# provider.clear_creds() will clear all creds including those allocated by
				130	# role
				131	provider.clear_creds()
				132
Matthew Treinish	c51b712	2017-07-17 12:28:07 -0400	[diff] [blame]	133
Masayuki Igawa	a1c3af3	2017-09-07 10:22:37 +0900	[diff] [blame]	134	API Reference
				135	-------------
				136
Matthew Treinish	c51b712	2017-07-17 12:28:07 -0400	[diff] [blame]	137	The dynamic credentials module
Masayuki Igawa	a1c3af3	2017-09-07 10:22:37 +0900	[diff] [blame]	138	''''''''''''''''''''''''''''''
Matthew Treinish	c51b712	2017-07-17 12:28:07 -0400	[diff] [blame]	139
				140	.. automodule:: tempest.lib.common.dynamic_creds
				141	:members:
Matthew Treinish	b19c55d	2017-07-17 12:38:35 -0400	[diff] [blame]	142
Matthew Treinish	b19c55d	2017-07-17 12:38:35 -0400	[diff] [blame]	143	The pre-provisioned credentials module
Masayuki Igawa	a1c3af3	2017-09-07 10:22:37 +0900	[diff] [blame]	144	''''''''''''''''''''''''''''''''''''''
Matthew Treinish	b19c55d	2017-07-17 12:38:35 -0400	[diff] [blame]	145
				146	.. automodule:: tempest.lib.common.preprov_creds
				147	:members: