[openstack-dev] [qa] identity v3 issue causing non-admin job to fail

Andrea Frittoli andrea.frittoli at gmail.com
Thu Jul 16 22:30:34 UTC 2015 

Hi David,

admin_domain_name is used at the moment to fill in the domain when missing
in a few cases. The get_credentials method is one of them.
Another two are setting the default domain for the users in tempest.conf
[0], and setting the domain for credentials loaded from a YAML file [1].

[0]
http://git.openstack.org/cgit/openstack/tempest/tree/tempest/config.py#n1246
[1]
http://git.openstack.org/cgit/openstack/tempest/tree/tempest/common/accounts.py#n219

There is also a tenant_isolation_domain_name, which is used when
provisioning v3 isolated credentials.
Because tenant_isolation and pre-provisioned credentials are mutually
exclusive, and to avoid having too many config options, I would suggest to
rename tenant_isolation_domain_name to default_credentials_domain_name (or
something similar), and to use it in [0], [1] and in the code you quoted.

The admin_domain_name would then become fully optional, and it should be
assumed == default_credentials_domain_name unless configured otherwise.

andrea



On Tue, Jul 14, 2015 at 8:49 PM David Kranz <dkranz at redhat.com> wrote:

> Now that the tempest periodic jobs are back (thanks infra!), I was
> looking into the real failures. It seems the main one is caused by the
> fact that the v3 check for primary creds fails if 'admin_domain_name' in
> the identity section is None, which it is when devstack configures
> tempest for non-admin.
>
> The problem is with this code and there is even a comment related to
> this issue. There are various ways to fix this but I'm not sure what the
> value should be for the non-admin case. Andrea, any ideas?
>
>   -David
>
> def get_credentials(fill_in=True, identity_version=None, **kwargs):
>      params = dict(DEFAULT_PARAMS, **kwargs)
>      identity_version = identity_version or CONF.identity.auth_version
>      # In case of "v3" add the domain from config if not specified
>      if identity_version == 'v3':
>          domain_fields = set(x for x in
> auth.KeystoneV3Credentials.ATTRIBUTES
>                              if 'domain' in x)
>          if not domain_fields.intersection(kwargs.keys()):
>              # TODO(andreaf) It might be better here to use a dedicated
> config
>              # option such as CONF.auth.tenant_isolation_domain_name
>              params['user_domain_name'] = CONF.identity.admin_domain_name
>          auth_url = CONF.identity.uri_v3
>      else:
>          auth_url = CONF.identity.uri
>      return auth.get_credentials(auth_url,
>                                  fill_in=fill_in,
>                                  identity_version=identity_version,
>                                  **params)
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150716/a22050d8/attachment.html>

More information about the OpenStack-dev mailing list