[openstack-qa] Is tempest must be able to operate without identity admin privileges?

Daryl Walleck daryl.walleck at RACKSPACE.COM
Sun Jun 9 21:49:16 UTC 2013


"Nova generally only cares about tenants/projects, the only exception being keypairs.
AFAIK multiple users for nova tests are only needed to provide isolation on keypairs."

I'm not sure if I understand your point here. I believe there was a point when all keypairs for a tenant were injected into a server, but as it works now, it seems like you can only add a single keypair to a server.

The only other time I can think of when having an isolated tenant would be a must would be when testing usage of quotas, as it'd be impossible to keep a tenant's quota usage in one state with multiple concurrent tests running. Networks and Cinder would have similar concerns, as would any integration testing with Ceilometer.

Daryl

-----Original Message-----
From: Frittoli, Andrea (Cloud Services) [mailto:frittoli at hp.com] 
Sent: Sunday, June 9, 2013 4:34 PM
To: All Things QA.
Subject: Re: [openstack-qa] Is tempest must be able to operate without identity admin privileges?

Nova generally only cares about tenants/projects, the only exception being keypairs.
AFAIK multiple users for nova tests are only needed to provide isolation on keypairs. 

As a side note, with Keystone V3 we'll have domains, a new role of domain admin and possibly domain level quotas.
Any solution we design for handling of users and roles in tempest shall be compatible with both V2 and V3 keystone APIs.

andrea

-----Original Message-----
From: Jay Pipes [mailto:jaypipes at gmail.com]
Sent: 09 June 2013 20:01
To: openstack-qa at lists.openstack.org
Subject: Re: [openstack-qa] Is tempest must be able to operate without identity admin privileges?

On 06/09/2013 03:26 AM, Attila Fazekas wrote:
> Looks like everybody is able to change the quota at the same time, when he
> creates the test user.

No, this is not true. You need to have admin privileges to update the quota of a tenant.

> It implies the question:
>   Why do we create new tenants in a test case,
>    which must be able to run in parallel with a single tenant?
>
>   Why do we not just create tenants only when it is really needed?

As mentioned before, creating a new tenant for the test case provides isolation for the various list operations. If you are doing a call to, say, list servers or list images, you need to be able to rely on the result of that call not changing, otherwise you can get non-deterministic assertions in tests due to other users in the same tenant creating and destroying resources.

-jay

> ----- Original Message -----
>> From: "Jay Pipes" <jaypipes at gmail.com>
>> To: openstack-qa at lists.openstack.org
>> Sent: Sunday, June 9, 2013 12:17:29 AM
>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
>> identity admin privileges?
>>
>> On 06/08/2013 02:05 PM, Daryl Walleck wrote:
>>> There are other ways to work around the quotas issue. The way I've
>>> been handling this is configuring users that have modified quota
>>> groups. This has allowed me to run all my compute tests in parallel
>>> with a single user.
>>
>> Note that the above solution runs into the exact same issue that 
>> Attila is talking about: you need admin privileges in order to change 
>> the quota of a tenant.
>>
>> Best,
>> -jay
>>
>>> Daryl
>>>
>>> -----Original Message-----
>>> From: Attila Fazekas [mailto:afazekas at redhat.com]
>>> Sent: Saturday, June 8, 2013 8:04 AM
>>> To: Sean Dague
>>> Cc: All Things QA.
>>> Subject: Re: [openstack-qa] Is tempest must be able to operate 
>>> without identity admin privileges?
>>>
>>> Do we want parallel execution in these cases?
>>> - obviously yes
>>> - nice to have
>>> - who cares
>>>
>>> Can we expect larger quota than the default 10 in this case ?
>>> - never
>>> - usually
>>> - always
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Sean Dague" <sean at dague.net>
>>>> To: "All Things QA." <openstack-qa at lists.openstack.org>
>>>> Cc: "Attila Fazekas" <afazekas at redhat.com>
>>>> Sent: Saturday, June 8, 2013 1:49:40 PM
>>>> Subject: Re: [openstack-qa] Is tempest must be able to operate 
>>>> without identity admin privileges?
>>>>
>>>> On 06/08/2013 03:06 AM, Attila Fazekas wrote:
>>>>> Hi All,
>>>>>
>>>>> From a modeling viewpoint, keeping the ability to run tempest without
>>>>> identity admin credentials is not easy.
>>>>>
>>>>> The demo and alt_demo users are still in the config to maintain the
>>>>> ability to run tempest against a cloud where you do not know the
>>>>> identity admin credentials.
>>>>>
>>>>> I would like to know, is it a real use case for anyone?
>>>>>
>>>>> Without these users you lose the ability to run tempest against 
>>>>> any cloud where you do not know the admin credentials.
>>>>>
>>>>> The benefits of removing these can give you:
>>>>>     - simpler model
>>>>>     - better role based test suite
>>>>
>>>> Yes, it is a real use case, we can't remove that.
>>>>
>>>> 	-Sean
>>>>
>>>> --
>>>> Sean Dague
>>>> http://dague.net
>>>>
>>>
>>> _______________________________________________
>>> openstack-qa mailing list
>>> openstack-qa at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>>>