[openstack-qa] Is tempest must be able to operate without identity admin privileges?

Frittoli, Andrea (Cloud Services) frittoli at hp.com
Sun Jun 9 21:34:29 UTC 2013


Nova generally only cares about tenants/projects, the only exception being
keypairs.
AFAIK multiple users for nova tests are only needed to provide isolation on
keypairs. 

As a side note, with Keystone V3 we'll have domains, a new role of domain
admin and possibly domain level quotas.
Any solution we design for handling of users and roles in tempest shall be
compatible with both V2 and V3 keystone APIs.

andrea

-----Original Message-----
From: Jay Pipes [mailto:jaypipes at gmail.com] 
Sent: 09 June 2013 20:01
To: openstack-qa at lists.openstack.org
Subject: Re: [openstack-qa] Is tempest must be able to operate without
identity admin privileges?

On 06/09/2013 03:26 AM, Attila Fazekas wrote:
> Looks like everybody is able to change the quota at the same time, when he
creates the test user.

No, this is not true. You need to have admin privileges do update the quota
of a tenant.

> It implies the question:
>   Why do we create new tenants in test case,
>    which must be able to run in parallel with a single tenant ?
>
>   Why we not just create tenants only when it is really needed ?

As mentioned before, creating a new tenant for the test case provides
isolation for the various list operations. If you are doing a call to, say,
list servers or list images, you need to be able to rely on the result of
that call not changing, otherwise you can get non-deterministic assertions
in tests due to other users in the same tenant creating and destroying
resources.

-jay

> ----- Original Message -----
>> From: "Jay Pipes" <jaypipes at gmail.com>
>> To: openstack-qa at lists.openstack.org
>> Sent: Sunday, June 9, 2013 12:17:29 AM
>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
identity admin privileges?
>>
>> On 06/08/2013 02:05 PM, Daryl Walleck wrote:
>>> There's other ways to work around the quotas issue. The way I've been
>>> handling this is configuring users that have modified quota groups. This
>>> has allowed me to run all my compute tests in parallel with a single
user.
>>
>> Note that the above solution runs into the exact same issue that Attila
>> is talking about: you need admin privileges in order to change the quota
>> of a tenant.
>>
>> Best,
>> -jay
>>
>>> Daryl
>>>
>>> -----Original Message-----
>>> From: Attila Fazekas [mailto:afazekas at redhat.com]
>>> Sent: Saturday, June 8, 2013 8:04 AM
>>> To: Sean Dague
>>> Cc: All Things QA.
>>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
>>> identity admin privileges?
>>>
>>> Do we want parallel execution in this cases ?
>>> - obviously yes
>>> - nice to have
>>> - who cares
>>>
>>> Can we expect larger quota than the default 10 in this case ?
>>> - never
>>> - usually
>>> - always
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Sean Dague" <sean at dague.net>
>>>> To: "All Things QA." <openstack-qa at lists.openstack.org>
>>>> Cc: "Attila Fazekas" <afazekas at redhat.com>
>>>> Sent: Saturday, June 8, 2013 1:49:40 PM
>>>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
>>>> identity admin privileges?
>>>>
>>>> On 06/08/2013 03:06 AM, Attila Fazekas wrote:
>>>>> Hi All,
>>>>>
>>>>> In modeling viewpoint keeping the ability to run tempest without
>>>>> identity admin credentials is not easy.
>>>>>
>>>>> The demo and alt_demo user is still in the config to maintain the
>>>>> ability, to run tempest against a cloud where you do not know the
>>>>> identity admin credentials.
>>>>>
>>>>> I would like to know, is it real use case for anyone ?
>>>>>
>>>>> Without these users you lose the ability to run tempest against any
>>>>> cloud where you do not know the admin credentials.
>>>>>
>>>>> The benefits of removing these can give you:
>>>>>     - simpler model
>>>>>     - better role based test suite
>>>>
>>>> Yes, it is a real use case, we can't remove that.
>>>>
>>>> 	-Sean
>>>>
>>>> --
>>>> Sean Dague
>>>> http://dague.net
>>>>
>>>
>>> _______________________________________________
>>> openstack-qa mailing list
>>> openstack-qa at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>>>
>>> _______________________________________________
>>> openstack-qa mailing list
>>> openstack-qa at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>>>
>>
>>
>> _______________________________________________
>> openstack-qa mailing list
>> openstack-qa at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>>
>
> _______________________________________________
> openstack-qa mailing list
> openstack-qa at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>


_______________________________________________
openstack-qa mailing list
openstack-qa at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6202 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-qa/attachments/20130609/8748c66b/attachment.bin>


More information about the openstack-qa mailing list