<div dir="ltr">Hi David,<div><br></div><div>admin_domain_name is used at the moment to fill in the domain when missing in a few cases. The get_credentials method is one of them.</div><div>Another two are setting the default domain for the users in tempest.conf [0], and setting the domain for credentials loaded from a YAML file [1].</div><div><br></div><div>[0] <a href="http://git.openstack.org/cgit/openstack/tempest/tree/tempest/config.py#n1246">http://git.openstack.org/cgit/openstack/tempest/tree/tempest/config.py#n1246</a></div><div>[1] <a href="http://git.openstack.org/cgit/openstack/tempest/tree/tempest/common/accounts.py#n219">http://git.openstack.org/cgit/openstack/tempest/tree/tempest/common/accounts.py#n219</a></div><div><br></div><div>There is also a tenant_isolation_domain_name, which is used when provisioning v3 isolated credentials.</div><div>Because tenant_isolation and pre-provisioned credentials are mutually exclusive, and to avoid having too many config options, I would suggest to rename <span style="line-height:1.5">tenant_isolation_domain_name to default_credentials_domain_name (or something similar), and to use it in [0], [1] and in the code you quoted.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">The admin_domain_name would then become fully optional, and it should be assumed == default_credentials_domain_name unless configured otherwise.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">andrea</span></div><div><br></div><div> </div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 14, 2015 at 8:49 PM David Kranz <<a href="mailto:dkranz@redhat.com">dkranz@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Now that the tempest periodic jobs are back (thanks infra!), I was<br>
looking into the real failures. It seems the main one is caused by the<br>
fact that the v3 check for primary creds fails if 'admin_domain_name' in<br>
the identity section is None, which it is when devstack configures<br>
tempest for non-admin.<br>
<br>
The problem is with this code and there is even a comment related to<br>
this issue. There are various ways to fix this but I'm not sure what the<br>
value should be for the non-admin case. Andrea, any ideas?<br>
<br>
-David<br>
<br>
def get_credentials(fill_in=True, identity_version=None, **kwargs):<br>
params = dict(DEFAULT_PARAMS, **kwargs)<br>
identity_version = identity_version or CONF.identity.auth_version<br>
# In case of "v3" add the domain from config if not specified<br>
if identity_version == 'v3':<br>
domain_fields = set(x for x in<br>
auth.KeystoneV3Credentials.ATTRIBUTES<br>
if 'domain' in x)<br>
if not domain_fields.intersection(kwargs.keys()):<br>
# TODO(andreaf) It might be better here to use a dedicated<br>
config<br>
# option such as CONF.auth.tenant_isolation_domain_name<br>
params['user_domain_name'] = CONF.identity.admin_domain_name<br>
auth_url = CONF.identity.uri_v3<br>
else:<br>
auth_url = CONF.identity.uri<br>
return auth.get_credentials(auth_url,<br>
fill_in=fill_in,<br>
identity_version=identity_version,<br>
**params)<br>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div>