[openstack-qa] Is tempest must be able to operate without identity admin privileges?

Attila Fazekas afazekas at redhat.com
Tue Jun 11 15:17:40 UTC 2013





----- Original Message -----
> From: "Attila Fazekas" <afazekas at redhat.com>
> To: "All Things QA." <openstack-qa at lists.openstack.org>
> Sent: Tuesday, June 11, 2013 4:51:48 PM
> Subject: Re: [openstack-qa] Is tempest must be able to operate without identity admin privileges?
> 
> 
> 
> 
> 
> ----- Original Message -----
> > From: "Jay Pipes" <jaypipes at gmail.com>
> > To: openstack-qa at lists.openstack.org
> > Sent: Sunday, June 9, 2013 9:00:56 PM
> > Subject: Re: [openstack-qa] Is tempest must be able to operate without
> > identity admin privileges?
> > 
> > On 06/09/2013 03:26 AM, Attila Fazekas wrote:
> > > Looks like everybody is able to change the quota at the same time, when
> > > he
> > > creates the test user.
> > 
> > No, this is not true. You need to have admin privileges do update the
> > quota of a tenant.
> > 
> It is true, because everybody has the admin privileges to create users.
> In this use case, you just want to test the orations which is doable by a
> regular user.

To be more precises: in this use case, you have contact to the admin, who can
increase the quota. 

> > > It implies the question:
> > >   Why do we create new tenants in test case,
> > >    which must be able to run in parallel with a single tenant ?
> > >
> > >   Why we not just create tenants only when it is really needed ?
> > 
> > As mentioned before, creating a new tenant for the test case provides
> > isolation for the various list operations. If you are doing a call to,
> > say, list servers or list images, you need to be able to rely on the
> > result of that call not changing, otherwise you can get
> > non-deterministic assertions in tests due to other users in the same
> > tenant creating and destroying resources.
> 
> The tenant just isolates the user operations in most cases, but not always.
> 
> 
> > -jay
> > 
> > > ----- Original Message -----
> > >> From: "Jay Pipes" <jaypipes at gmail.com>
> > >> To: openstack-qa at lists.openstack.org
> > >> Sent: Sunday, June 9, 2013 12:17:29 AM
> > >> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> > >> identity admin privileges?
> > >>
> > >> On 06/08/2013 02:05 PM, Daryl Walleck wrote:
> > >>> There's other ways to work around the quotas issue. The way I've been
> > >>> handling this is configuring users that have modified quota groups.
> > >>> This
> > >>> has allowed me to run all my compute tests in parallel with a single
> > >>> user.
> > >>
> > >> Note that the above solution runs into the exact same issue that Attila
> > >> is talking about: you need admin privileges in order to change the quota
> > >> of a tenant.
> > >>
> > >> Best,
> > >> -jay
> > >>
> > >>> Daryl
> > >>>
> > >>> -----Original Message-----
> > >>> From: Attila Fazekas [mailto:afazekas at redhat.com]
> > >>> Sent: Saturday, June 8, 2013 8:04 AM
> > >>> To: Sean Dague
> > >>> Cc: All Things QA.
> > >>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> > >>> identity admin privileges?
> > >>>
> > >>> Do we want parallel execution in this cases ?
> > >>> - obviously yes
> > >>> - nice to have
> > >>> - who cares
> > >>>
> > >>> Can we expect larger quota than the default 10 in this case ?
> > >>> - never
> > >>> - usually
> > >>> - always
> > >>>
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Sean Dague" <sean at dague.net>
> > >>>> To: "All Things QA." <openstack-qa at lists.openstack.org>
> > >>>> Cc: "Attila Fazekas" <afazekas at redhat.com>
> > >>>> Sent: Saturday, June 8, 2013 1:49:40 PM
> > >>>> Subject: Re: [openstack-qa] Is tempest must be able to operate without
> > >>>> identity admin privileges?
> > >>>>
> > >>>> On 06/08/2013 03:06 AM, Attila Fazekas wrote:
> > >>>>> Hi All,
> > >>>>>
> > >>>>> In modeling viewpoint keeping the ability to run tempest without
> > >>>>> identity admin credentials is not easy.
> > >>>>>
> > >>>>> The demo and alt_demo user is still in the config to maintain the
> > >>>>> ability, to run tempest against a cloud where you do not know the
> > >>>>> identity admin credentials.
> > >>>>>
> > >>>>> I would like to know, is it real use case for anyone ?
> > >>>>>
> > >>>>> Without these users you lose the ability to run tempest against any
> > >>>>> cloud where you do not know the admin credentials.
> > >>>>>
> > >>>>> The benefits of removing these can give you:
> > >>>>>     - simpler model
> > >>>>>     - better role based test suite
> > >>>>
> > >>>> Yes, it is a real use case, we can't remove that.
> > >>>>
> > >>>> 	-Sean
> > >>>>
> > >>>> --
> > >>>> Sean Dague
> > >>>> http://dague.net
> > >>>>
> > >>>
> > >>> _______________________________________________
> > >>> openstack-qa mailing list
> > >>> openstack-qa at lists.openstack.org
> > >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> > >>>
> > >>> _______________________________________________
> > >>> openstack-qa mailing list
> > >>> openstack-qa at lists.openstack.org
> > >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> > >>>
> > >>
> > >>
> > >> _______________________________________________
> > >> openstack-qa mailing list
> > >> openstack-qa at lists.openstack.org
> > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> > >>
> > >
> > > _______________________________________________
> > > openstack-qa mailing list
> > > openstack-qa at lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> > >
> > 
> > 
> > _______________________________________________
> > openstack-qa mailing list
> > openstack-qa at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> > 
> 
> _______________________________________________
> openstack-qa mailing list
> openstack-qa at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-qa
> 



More information about the openstack-qa mailing list