| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 1 | Tempest Configuration Guide |
| 2 | =========================== |
| 3 | |
| 4 | Auth/Credentials |
| 5 | ---------------- |
| 6 | |
| 7 | Tempest currently has 2 different ways in configuration to provide credentials |
| 8 | to use when running tempest. One is a traditional set of configuration options |
| 9 | in the tempest.conf file. These options are in the identity section and let you |
| 10 | specify a regular user, a global admin user, and a alternate user set of |
| 11 | credentials. (which consist of a username, password, and project/tenant name) |
| 12 | These options should be clearly labelled in the sample config file in the |
| 13 | identity section. |
| 14 | |
| 15 | The other method to provide credentials is using the accounts.yaml file. This |
| 16 | file is used to specify an arbitrary number of users available to run tests |
| 17 | with. You can specify the location of the file in the |
| 18 | auth section in the tempest.conf file. To see the specific format used in |
| 19 | the file please refer to the accounts.yaml.sample file included in tempest. |
| 20 | Currently users that are specified in the accounts.yaml file are assumed to |
| 21 | have the same set of roles which can be used for executing all the tests you |
| 22 | are running. This will be addressed in the future, but is a current limitation. |
| 23 | Eventually the config options for providing credentials to tempest will be |
| 24 | deprecated and removed in favor of the accounts.yaml file. |
| 25 | |
| 26 | Credential Provider Mechanisms |
| 27 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 28 | |
| 29 | Tempest currently also has 3 different internal methods for providing |
| 30 | authentication to tests. Tenant isolation, locking test accounts, and |
| 31 | non-locking test accounts. Depending on which one is in use the configuration |
| 32 | of tempest is slightly different. |
| 33 | |
| 34 | Tenant Isolation |
| 35 | """""""""""""""" |
| 36 | Tenant isolation was originally create to enable running tempest in parallel. |
| 37 | For each test class it creates a unique set of user credentials to use for the |
| 38 | tests in the class. It can create up to 3 sets of username, password, and |
| 39 | tenant/project names for a primary user, an admin user, and an alternate user. |
| 40 | To enable and use tenant isolation you only need to configure 2 things: |
| 41 | |
| 42 | #. A set of admin credentials with permissions to create users and |
| 43 | tenants/projects. This is specified in the identity section with the |
| 44 | admin_username, admin_tenant_name, and admin_password options |
| 45 | #. To enable tenant_isolation in the auth section with the |
| 46 | allow_tenant_isolation option. |
| 47 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 48 | This is also the currently the default credential provider enabled by tempest, |
| 49 | due to it's common use and ease of configuration. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 50 | |
| 51 | Locking Test Accounts |
| 52 | """"""""""""""""""""" |
| 53 | For a long time using tenant isolation was the only method available if you |
| 54 | wanted to enable parallel execution of tempest tests. However this was |
| 55 | insufficient for certain use cases because of the admin credentials requirement |
| 56 | to create the credential sets on demand. To get around that the accounts.yaml |
| 57 | file was introduced and with that a new internal credential provider to enable |
| 58 | using the list of credentials instead of creating them on demand. With locking |
| 59 | test accounts each test class will reserve a set of credentials from the |
| 60 | accounts.yaml before executing any of its tests so that each class is isolated |
| 61 | like in tenant isolation. |
| 62 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 63 | Currently, this mechanism has some limitations, mostly around networking. The |
| 64 | locking test accounts provider will only work with a single flat network as |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 65 | the default for each tenant/project. If another network configuration is used |
| 66 | in your cloud you might face unexpected failures. |
| 67 | |
| 68 | To enable and use locking test accounts you need do a few things: |
| 69 | |
| 70 | #. Enable the locking test account provider with the |
| 71 | locking_credentials_provider option in the auth section |
| 72 | #. Create a accounts.yaml file which contains the set of pre-existing |
| 73 | credentials to use for testing. To make sure you don't have a credentials |
| 74 | starvation issue when running in parallel make sure you have at least 2 |
| 75 | times the number of parallel workers you are using to execute tempest |
| 76 | available in the file. |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 77 | |
| 78 | You can check the sample file packaged in tempest for the yaml format |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 79 | #. Provide tempest with the location of you accounts.yaml file with the |
| 80 | test_accounts_file option in the auth section |
| 81 | |
| 82 | |
| 83 | Non-locking test accounts |
| 84 | """"""""""""""""""""""""" |
| 85 | When tempest was refactored to allow for locking test accounts, the original |
| 86 | non-tenant isolated case was converted to support the new accounts.yaml file. |
| 87 | This mechanism is the non-locking test accounts provider. It only makes sense |
| 88 | to use it if parallel execution isn't needed. If the role restrictions were too |
| 89 | limiting with the locking accounts provider and tenant isolation is not wanted |
| 90 | then you can use the non-locking test accounts credential provider without the |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 91 | accounts.yaml file. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 92 | |
| 93 | To use the non-locking test accounts provider you have 2 ways to configure it. |
| 94 | First you can specify the sets of credentials in the configuration file like |
| 95 | detailed above with following 9 options in the identity section: |
| 96 | |
| 97 | #. username |
| 98 | #. password |
| 99 | #. tenant_name |
| 100 | #. admin_username |
| 101 | #. admin_password |
| 102 | #. admin_tenant_name |
| 103 | #. alt_username |
| 104 | #. alt_password |
| 105 | #. alt_tenant_name |
| 106 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 107 | The only restriction with using the traditional config options for credentials |
| 108 | is that if a test requires specific roles on accounts these tests can not be |
| 109 | run. This is because the config options do not give sufficient flexibility to |
| 110 | describe the roles assigned to a user for running the tests. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 111 | |
| 112 | You also can use the accounts.yaml file to specify the credentials used for |
| 113 | testing. This will just allocate them serially so you only need to provide |
| 114 | a pair of credentials. Do note that all the restrictions associated with |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 115 | locking test accounts applies to using the accounts.yaml file this way too, |
| 116 | except since you can't run in parallel only 2 of each type of credential is |
| 117 | required to run. However, the limitation on tests which require specific roles |
| 118 | does not apply here. |
| 119 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 120 | The procedure for doing this is very similar to with the locking accounts |
| 121 | provider just don't set the locking_credentials_provider to true and you |
| 122 | only should need a single pair of credentials. |