[openstack-qa] Is tempest must be able to operate without identity admin privileges?

Attila Fazekas afazekas at redhat.com
Tue Jun 11 15:05:13 UTC 2013 



----- Original Message -----
> From: "Andrea Frittoli (Cloud Services)" <frittoli at hp.com>
> To: "All Things QA." <openstack-qa at lists.openstack.org>
> Sent: Sunday, June 9, 2013 11:34:29 PM
> Subject: Re: [openstack-qa] Is tempest must be able to operate without identity admin privileges?
> 
> Nova generally only cares about tenants/projects, the only exception being
> keypairs.
> AFAIK multiple users for nova tests are only needed to provide isolation on
> keypairs.
> 
Yes, the keypairs are special.

They belongs to the user, but I saw initiatives to make them as tenant resources.
They needs to be cleaned up, or they must be predefined before tempest run.

> As a side note, with Keystone V3 we'll have domains, a new role of domain
> admin and possibly domain level quotas.
> Any solution we design for handling of users and roles in tempest shall be
> compatible with both V2 and V3 keystone APIs.

I fully agree.
 
> andrea
> 
> -----Original Message-----
> From: Jay Pipes [mailto:jaypipes at gmail.com]
> Sent: 09 June 2013 20:01
> To: openstack-qa at lists.openstack.org
> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> identity admin privileges?
> 
> On 06/09/2013 03:26 AM, Attila Fazekas wrote:
> > Looks like everybody is able to change the quota at the same time, when he
> creates the test user.
> 
> No, this is not true. You need to have admin privileges do update the quota
> of a tenant.
> 
> > It implies the question:
> >   Why do we create new tenants in test case,
> >    which must be able to run in parallel with a single tenant ?
> >
> >   Why we not just create tenants only when it is really needed ?
> 
> As mentioned before, creating a new tenant for the test case provides
> isolation for the various list operations. If you are doing a call to, say,
> list servers or list images, you need to be able to rely on the result of
> that call not changing, otherwise you can get non-deterministic assertions
> in tests due to other users in the same tenant creating and destroying
> resources.
> 
> -jay
> 
> > ----- Original Message -----
> >> From: "Jay Pipes" <jaypipes at gmail.com>
> >> To: openstack-qa at lists.openstack.org
> >> Sent: Sunday, June 9, 2013 12:17:29 AM
> >> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> identity admin privileges?
> >>
> >> On 06/08/2013 02:05 PM, Daryl Walleck wrote:
> >>> There's other ways to work around the quotas issue. The way I've been
> >>> handling this is configuring users that have modified quota groups. This
> >>> has allowed me to run all my compute tests in parallel with a single
> user.
> >>
> >> Note that the above solution runs into the exact same issue that Attila
> >> is talking about: you need admin privileges in order to change the quota
> >> of a tenant.
> >>
> >> Best,
> >> -jay
> >>
> >>> Daryl
> >>>
> >>> -----Original Message-----
> >>> From: Attila Fazekas [mailto:afazekas at redhat.com]
> >>> Sent: Saturday, June 8, 2013 8:04 AM
> >>> To: Sean Dague
> >>> Cc: All Things QA.
> >>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> >>> identity admin privileges?
> >>>
> >>> Do we want parallel execution in this cases ?
> >>> - obviously yes
> >>> - nice to have
> >>> - who cares
> >>>
> >>> Can we expect larger quota than the default 10 in this case ?
> >>> - never
> >>> - usually
> >>> - always
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Sean Dague" <sean at dague.net>
> >>>> To: "All Things QA." <openstack-qa at lists.openstack.org>
> >>>> Cc: "Attila Fazekas" <afazekas at redhat.com>
> >>>> Sent: Saturday, June 8, 2013 1:49:40 PM
> >>>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> >>>> identity admin privileges?
> >>>>
> >>>> On 06/08/2013 03:06 AM, Attila Fazekas wrote:
> >>>>> Hi All,
> >>>>>
> >>>>> In modeling viewpoint keeping the ability to run tempest without
> >>>>> identity admin credentials is not easy.
> >>>>>
> >>>>> The demo and alt_demo user is still in the config to maintain the
> >>>>> ability, to run tempest against a cloud where you do not know the
> >>>>> identity admin credentials.
> >>>>>
> >>>>> I would like to know, is it real use case for anyone ?
> >>>>>
> >>>>> Without these users you lose the ability to run tempest against any
> >>>>> cloud where you do not know the admin credentials.
> >>>>>
> >>>>> The benefits of removing these can give you:
> >>>>>     - simpler model
> >>>>>     - better role based test suite
> >>>>
> >>>> Yes, it is a real use case, we can't remove that.
> >>>>
> >>>> 	-Sean
> >>>>
> >>>> --
> >>>> Sean Dague
> >>>> http://dague.net
> >>>>
> >>>
> >>> _______________________________________________
> >>> openstack-qa mailing list
> >>> openstack-qa at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> >>>
> >>> _______________________________________________
> >>> openstack-qa mailing list
> >>> openstack-qa at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> >>>
> >>
> >>
> >> _______________________________________________
> >> openstack-qa mailing list
> >> openstack-qa at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> >>
> >
> > _______________________________________________
> > openstack-qa mailing list
> > openstack-qa at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> >
> 
> 
> _______________________________________________
> openstack-qa mailing list
> openstack-qa at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> 
> _______________________________________________
> openstack-qa mailing list
> openstack-qa at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
>

More information about the openstack-qa mailing list