| Matthew Treinish | c51b712 | 2017-07-17 12:28:07 -0400 | [diff] [blame] | 1 | .. _cred_providers: | 
|  | 2 |  | 
|  | 3 | Credential Providers | 
|  | 4 | ==================== | 
|  | 5 |  | 
|  | 6 | These library interfaces are used to deal with allocating credentials on demand | 
|  | 7 | either dynamically by calling keystone to allocate new credentials, or from | 
| Matthew Treinish | 841b75e | 2017-07-17 13:17:43 -0400 | [diff] [blame] | 8 | a list of preprovisioned credentials. These 2 modules are implementations of | 
| shangxiaobj | 284d311 | 2017-08-13 23:37:34 -0700 | [diff] [blame] | 9 | the same abstract credential providers class and can be used interchangeably. | 
| Matthew Treinish | 841b75e | 2017-07-17 13:17:43 -0400 | [diff] [blame] | 10 | However, each implementation has some additional parameters that are used to | 
|  | 11 | influence the behavior of the modules. The API reference at the bottom of this | 
|  | 12 | doc shows the interface definitions for both modules, however that may be a bit | 
|  | 13 | opaque. You can see some examples of how to leverage this interface below. | 
| Matthew Treinish | c51b712 | 2017-07-17 12:28:07 -0400 | [diff] [blame] | 14 |  | 
| Matthew Treinish | 841b75e | 2017-07-17 13:17:43 -0400 | [diff] [blame] | 15 | Initialization Example | 
|  | 16 | ---------------------- | 
|  | 17 | This example is from Tempest itself (from tempest/common/credentials_factory.py | 
|  | 18 | just modified slightly) and is how it initializes the credential provider based | 
|  | 19 | on config:: | 
|  | 20 |  | 
|  | 21 | from tempest import config | 
|  | 22 | from tempest.lib.common import dynamic_creds | 
|  | 23 | from tempest.lib.common import preprov_creds | 
|  | 24 |  | 
|  | 25 | CONF = config.CONF | 
|  | 26 |  | 
|  | 27 | def get_credentials_provider(name, network_resources=None, | 
|  | 28 | force_tenant_isolation=False, | 
|  | 29 | identity_version=None): | 
|  | 30 | # If a test requires a new account to work, it can have it via forcing | 
|  | 31 | # dynamic credentials. A new account will be produced only for that test. | 
|  | 32 | # In case admin credentials are not available for the account creation, | 
|  | 33 | # the test should be skipped else it would fail. | 
|  | 34 | identity_version = identity_version or CONF.identity.auth_version | 
|  | 35 | if CONF.auth.use_dynamic_credentials or force_tenant_isolation: | 
|  | 36 | admin_creds = get_configured_admin_credentials( | 
|  | 37 | fill_in=True, identity_version=identity_version) | 
|  | 38 | return dynamic_creds.DynamicCredentialProvider( | 
|  | 39 | name=name, | 
|  | 40 | network_resources=network_resources, | 
|  | 41 | identity_version=identity_version, | 
|  | 42 | admin_creds=admin_creds, | 
|  | 43 | identity_admin_domain_scope=CONF.identity.admin_domain_scope, | 
|  | 44 | identity_admin_role=CONF.identity.admin_role, | 
|  | 45 | extra_roles=CONF.auth.tempest_roles, | 
|  | 46 | neutron_available=CONF.service_available.neutron, | 
|  | 47 | project_network_cidr=CONF.network.project_network_cidr, | 
|  | 48 | project_network_mask_bits=CONF.network.project_network_mask_bits, | 
|  | 49 | public_network_id=CONF.network.public_network_id, | 
|  | 50 | create_networks=(CONF.auth.create_isolated_networks and not | 
|  | 51 | CONF.network.shared_physical_network), | 
| ghanshyam | b20f7e6 | 2017-12-10 07:10:22 +0300 | [diff] [blame] | 52 | resource_prefix='tempest', | 
| Matthew Treinish | 841b75e | 2017-07-17 13:17:43 -0400 | [diff] [blame] | 53 | credentials_domain=CONF.auth.default_credentials_domain_name, | 
|  | 54 | admin_role=CONF.identity.admin_role, | 
|  | 55 | identity_uri=CONF.identity.uri_v3, | 
|  | 56 | identity_admin_endpoint_type=CONF.identity.v3_endpoint_type) | 
|  | 57 | else: | 
|  | 58 | if CONF.auth.test_accounts_file: | 
|  | 59 | # Most params are not relevant for pre-created accounts | 
|  | 60 | return preprov_creds.PreProvisionedCredentialProvider( | 
|  | 61 | name=name, identity_version=identity_version, | 
|  | 62 | accounts_lock_dir=lockutils.get_lock_path(CONF), | 
|  | 63 | test_accounts_file=CONF.auth.test_accounts_file, | 
|  | 64 | object_storage_operator_role=CONF.object_storage.operator_role, | 
|  | 65 | object_storage_reseller_admin_role=reseller_admin_role, | 
|  | 66 | credentials_domain=CONF.auth.default_credentials_domain_name, | 
|  | 67 | admin_role=CONF.identity.admin_role, | 
|  | 68 | identity_uri=CONF.identity.uri_v3, | 
|  | 69 | identity_admin_endpoint_type=CONF.identity.v3_endpoint_type) | 
|  | 70 | else: | 
|  | 71 | raise exceptions.InvalidConfiguration( | 
|  | 72 | 'A valid credential provider is needed') | 
|  | 73 |  | 
|  | 74 | This function just returns an initialized credential provider class based on the | 
|  | 75 | config file. The consumer of this function treats the output as the same | 
|  | 76 | regardless of whether it's a dynamic or preprovisioned provider object. | 
|  | 77 |  | 
|  | 78 | Dealing with Credentials | 
|  | 79 | ------------------------ | 
|  | 80 |  | 
|  | 81 | Once you have a credential provider object created the access patterns for | 
|  | 82 | allocating and removing credentials are the same across both the dynamic | 
|  | 83 | and preprovisioned credentials. These are defined in the abstract | 
|  | 84 | CredentialProvider class. At a high level the credentials provider enables | 
|  | 85 | you to get 3 basic types of credentials at once (per object): a primary, alt, | 
|  | 86 | and admin. You're also able to allocate a credential by role. These credentials | 
|  | 87 | are tracked by the provider object and delete must manually be called otherwise | 
|  | 88 | the created resources will not be deleted (or returned to the pool in the case | 
|  | 89 | of preprovisioned creds) | 
|  | 90 |  | 
|  | 91 | Examples | 
|  | 92 | '''''''' | 
|  | 93 |  | 
|  | 94 | Continuing from the example above, to allocate credentials by the 3 basic types | 
|  | 95 | you can do the following:: | 
|  | 96 |  | 
|  | 97 | provider = get_credentials_provider('my_tests') | 
|  | 98 | primary_creds = provider.get_primary_creds() | 
|  | 99 | alt_creds = provider.get_alt_creds() | 
|  | 100 | admin_creds = provider.get_admin_creds() | 
|  | 101 | # Make sure to delete the credentials when you're finished | 
|  | 102 | provider.clear_creds() | 
|  | 103 |  | 
|  | 104 | To create and interact with credentials by role you can do the following:: | 
|  | 105 |  | 
|  | 106 | provider = get_credentials_provider('my_tests') | 
|  | 107 | my_role_creds = provider.get_creds_by_role({'roles': ['my_role']}) | 
|  | 108 | # provider.clear_creds() will clear all creds including those allocated by | 
|  | 109 | # role | 
|  | 110 | provider.clear_creds() | 
|  | 111 |  | 
|  | 112 | When multiple roles are specified a set of creds with all the roles assigned | 
|  | 113 | will be allocated:: | 
|  | 114 |  | 
|  | 115 | provider = get_credentials_provider('my_tests') | 
|  | 116 | my_role_creds = provider.get_creds_by_role({'roles': ['my_role', | 
|  | 117 | 'my_other_role']}) | 
|  | 118 | # provider.clear_creds() will clear all creds including those allocated by | 
|  | 119 | # role | 
|  | 120 | provider.clear_creds() | 
|  | 121 |  | 
|  | 122 | If you need multiple sets of credentials with the same roles you can also do | 
|  | 123 | this by leveraging the ``force_new`` kwarg:: | 
|  | 124 |  | 
|  | 125 | provider = get_credentials_provider('my_tests') | 
|  | 126 | my_role_creds = provider.get_creds_by_role({'roles': ['my_role']}) | 
|  | 127 | my_role_other_creds = provider.get_creds_by_role({'roles': ['my_role']}, | 
|  | 128 | force_new=True) | 
|  | 129 | # provider.clear_creds() will clear all creds including those allocated by | 
|  | 130 | # role | 
|  | 131 | provider.clear_creds() | 
|  | 132 |  | 
| Matthew Treinish | c51b712 | 2017-07-17 12:28:07 -0400 | [diff] [blame] | 133 |  | 
| Masayuki Igawa | a1c3af3 | 2017-09-07 10:22:37 +0900 | [diff] [blame] | 134 | API Reference | 
|  | 135 | ------------- | 
|  | 136 |  | 
| Matthew Treinish | c51b712 | 2017-07-17 12:28:07 -0400 | [diff] [blame] | 137 | The dynamic credentials module | 
| Masayuki Igawa | a1c3af3 | 2017-09-07 10:22:37 +0900 | [diff] [blame] | 138 | '''''''''''''''''''''''''''''' | 
| Matthew Treinish | c51b712 | 2017-07-17 12:28:07 -0400 | [diff] [blame] | 139 |  | 
|  | 140 | .. automodule:: tempest.lib.common.dynamic_creds | 
|  | 141 | :members: | 
| Matthew Treinish | b19c55d | 2017-07-17 12:38:35 -0400 | [diff] [blame] | 142 |  | 
| Matthew Treinish | b19c55d | 2017-07-17 12:38:35 -0400 | [diff] [blame] | 143 | The pre-provisioned credentials module | 
| Masayuki Igawa | a1c3af3 | 2017-09-07 10:22:37 +0900 | [diff] [blame] | 144 | '''''''''''''''''''''''''''''''''''''' | 
| Matthew Treinish | b19c55d | 2017-07-17 12:38:35 -0400 | [diff] [blame] | 145 |  | 
|  | 146 | .. automodule:: tempest.lib.common.preprov_creds | 
|  | 147 | :members: |