[openstack-dev] [tempest] BadAltAuth / Test Isolation same tenant

Vincent Gatignol openstack at gatignol.fr
Mon Feb 8 17:04:15 UTC 2016


Hi there, 

I know that it's not the default configuration for openstack nor tempest but I need to make a script that test user isolation _inside_ the same tenant. 

Some of our users are in the same tenant but they must not interfere with each others. 

We have modified the nova policy rules and we must test these policies (the default one is : "rule:admin_or_user"). 
We are using tempest as a base tool with pre-provisioned credentials (cannot use admin account for security reasons) 

First thought was "easy" : load tempest with pre-created users via account.yaml file, all in the same tenant, and launch 'tempest.api.compute.test_authorization' that contains almost what we need to test. 

But we ran into the "BadAltAuth" exception and I don't know how to get rid of it except breaking the tempest_lib (skipping/commenting this exception) 
This exception is thrown when the accounts used in tempest have the same auth url. 

I tried another approach, without alt_authentication : 
>From a prompt, I'm launching a test that creates a test_server and export its ID, then wait until the timeout value (default to 500s) 
>From another prompt, I launch the real test that get the server ID and try to delete it. But the same BadAltAuth thing happen... 
(I'm using an account file with 2 different users in the same tenant and with the locking mechanism, the logic is using both accounts for this group of tests) 

So I'm asking here if someone have a clue to help us ? 

It could be some kind of rewrite of tempest_lib/auth regarding this BadAltAuth, throwing a warning instead of a critical exception. 

Thank you all for your time answering this, 

Regards, 

Vincent 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160208/d0b74f81/attachment.html>


More information about the OpenStack-dev mailing list