[Openstack] [Keystone][Tempest]

Liam Young liam.young at canonical.com
Mon Jan 23 15:58:01 UTC 2017


Basically my question is: Should I expect a tempest full run to pass
against a Newton deployment using the policy.json from

What I'm seeing is that some tests (like
tempest.api.compute.admin.test_quotas) fail when they try and list_domains.
This seems to be because the test creates:

1) A new project in the admin domain
2) A new user in the admin domain
3) Grants the admin role on the new project to the new user.

The test then authenticates with the new user's credentials and attempts to
list_domains. The policy.json, however, has:

    "cloud_admin": "role:admin and (token.is_admin_project:True or
    "identity:list_domains": "rule:cloud_admin",

From tempest I see:

tags: worker-0
Empty attachments:

pythonlogging:'': {{{2017-01-23 15:57:09,806 2014 INFO
[tempest.lib.common.rest_client] Request
(QuotasAdminTestJSON:test_delete_quota): 403 GET 0.066s}}}

Traceback (most recent call last):
  File "tempest/api/compute/admin/test_quotas.py", line 128, in
    project = self.identity_utils.create_project(name=project_name,
  File "tempest/test.py", line 470, in identity_utils
  File "tempest/lib/common/cred_client.py", line 210, in get_creds_client
    roles_client, domains_client, project_domain_name)
  File "tempest/lib/common/cred_client.py", line 142, in __init__
  File "tempest/lib/services/identity/v3/domains_client.py", line 57, in
    resp, body = self.get(url)
  File "tempest/lib/common/rest_client.py", line 290, in get
    return self.request('GET', url, extra_headers, headers)
  File "tempest/lib/common/rest_client.py", line 663, in request
    self._error_checker(resp, resp_body)
  File "tempest/lib/common/rest_client.py", line 755, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {u'message': u'You are not authorized to perform the requested
action: identity:list_domains', u'code': 403, u'title': u'Forbidden'}

In the keystone log I see:

(keystone.policy.backends.rules): 2017-01-23 15:35:57,198 DEBUG enforce
identity:list_domains: {'is_delegated_auth': False,
'access_token_id': None,
'user_id': u'3fd9e70825d648d996080d855cf9c181',
'roles': [u'Admin'],
'user_domain_id': u'363ab68785c24c81a784edca1bceb935',
'consumer_id': None,
'trustee_id': None,
'is_domain': False,
'trustor_id': None,
'token': <KeystoneToken (audit_id=4cQHEfwhSvuvibK4TAjKUw,
audit_chain_id=4cQHEfwhSvuvibK4TAjKUw) at 0x7fbcceaa33c8>,
'project_id': u'b48ba24e96d84de4a48077b9310faac7',
'trust_id': None,
'project_domain_id': u'363ab68785c24c81a784edca1bceb935'}
(keystone.common.wsgi): 2017-01-23 15:35:57,199 WARNING You are not
authorized to perform the requested action: identity:list_domains

This appears to be project scoped. If I update the policy.json to grant
cloud_admin if the project is the admin domain then that seems to fix
things. The change I'm trying is:

<     "cloud_admin": "role:admin and (token.is_admin_project:True or
>     "bob": "project_domain_id:363ab68785c24c81a784edca1bceb935 or
>     "cloud_admin": "role:admin and (token.is_admin_project:True or
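Review bot: the added `bob` rule hardcodes a literal project_domain_id (363ab68785c24c81a784edca1bceb935), which ties the policy file to this one deployment and will silently stop matching if the admin domain is ever recreated; the rule name is also a placeholder. Consider a descriptive name (for example one that says "project in the admin domain") and a comment in the file noting that the value must be substituted per deployment. The `cloud_admin` line appears on both sides of the diff but is cut off, so the hunk does not show where `bob` is referenced; include the full line so the change can be reviewed.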

I did notice this comment on Bug #1451987:

If you see following errors for all identity api v3 tests, then please be
known that it's not a bug in tempest, rather you need to change keystone
v3 policy.json and make it more relaxed so tempest can authorize with users
created for each test with separate projects (tenants) because we set
tenant_isolation to True in tempest.conf ...

( https://bugs.launchpad.net/tempest/+bug/1451987/comments/2 )

This suggests to me that it is expected for policy.json to need tweaking.
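To make the enforce line in the keystone log and the 403 reproducible offline, here is a small rule evaluator that mirrors the parts of oslo.policy's semantics that matter for this case: `rule:` references, a case-insensitive `role:` check (which is why `role:admin` matches the `Admin` role in the log), generic `key:value` checks with dotted lookup such as `token.is_admin_project`, and `and` binding tighter than `or`. This is an added example, not code from the message, from Keystone or from oslo.policy. Three things are assumptions because the message truncates them: the clause after the `or` in `cloud_admin` (a `domain_id` check is used as a stand-in), the way the extra `bob` rule is wired into `cloud_admin`, and the token's `is_admin_project` value, which the log does not print and which is taken to be False. The domain and project ids are the ones from the keystone log.

```python
import re

# Tokens: parentheses, the keywords and/or, or a "kind:match" atom.
_TOKEN_RE = re.compile(r'\(|\)|\band\b|\bor\b|[^\s()]+')
_MISSING = object()


def parse_rule(expr):
    """Parse one rule string into a tuple tree; 'and' binds tighter than 'or'."""
    toks = _TOKEN_RE.findall(expr)

    def parse_or():
        node = parse_and()
        while toks and toks[0] == 'or':
            toks.pop(0)
            node = ('or', node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while toks and toks[0] == 'and':
            toks.pop(0)
            node = ('and', node, parse_atom())
        return node

    def parse_atom():
        tok = toks.pop(0) if toks else None
        if tok == '(':
            node = parse_or()
            if not toks or toks.pop(0) != ')':
                raise ValueError('unbalanced parentheses in rule: %s' % expr)
            return node
        if tok is None or tok == ')':
            raise ValueError('malformed rule: %s' % expr)
        kind, _, match = tok.partition(':')
        return ('check', kind, match)

    tree = parse_or()
    if toks:
        raise ValueError('trailing tokens in rule: %s' % expr)
    return tree


def _evaluate(node, creds, rules):
    op = node[0]
    if op == 'or':
        return _evaluate(node[1], creds, rules) or _evaluate(node[2], creds, rules)
    if op == 'and':
        return _evaluate(node[1], creds, rules) and _evaluate(node[2], creds, rules)
    kind, match = node[1], node[2]
    if kind == 'rule':
        # Reference to another named rule; an unknown rule name denies.
        return match in rules and _evaluate(rules[match], creds, rules)
    if kind == 'role':
        # Role names compare case-insensitively, so role:admin matches 'Admin'.
        return match.lower() in [r.lower() for r in creds.get('roles', [])]
    # Generic check: dotted lookup into creds (e.g. token.is_admin_project),
    # then string comparison with the literal. Target substitution is omitted.
    value = creds
    for part in kind.split('.'):
        value = value.get(part, _MISSING) if isinstance(value, dict) else _MISSING
    return value is not _MISSING and str(value) == match


def enforce(policy, action, creds):
    """True if creds may perform action under policy (a name -> rule dict)."""
    rules = {name: parse_rule(expr) for name, expr in policy.items()}
    return action in rules and _evaluate(rules[action], creds, rules)


ADMIN_DOMAIN_ID = '363ab68785c24c81a784edca1bceb935'  # from the keystone log
# Constructed policy. The message truncates cloud_admin after "or"; the
# domain_id clause standing in for the missing text is an assumption.
ORIGINAL_POLICY = {
    'cloud_admin': 'role:admin and (token.is_admin_project:True or '
                   'domain_id:%s)' % ADMIN_DOMAIN_ID,
    'identity:list_domains': 'rule:cloud_admin',
}
# Constructed relaxed variant: the message's extra "bob" rule, assumed to be
# referenced from cloud_admin (the diff in the message is cut off).
RELAXED_POLICY = dict(ORIGINAL_POLICY, **{
    'bob': 'project_domain_id:%s' % ADMIN_DOMAIN_ID,
    'cloud_admin': 'role:admin and (token.is_admin_project:True or '
                   'domain_id:%s or rule:bob)' % ADMIN_DOMAIN_ID,
})
# Credentials built from the enforce line in the keystone log (project scoped).
# The token's is_admin_project flag is not printed there; False is assumed.
TEST_USER_CREDS = {
    'roles': ['Admin'],
    'user_domain_id': ADMIN_DOMAIN_ID,
    'project_id': 'b48ba24e96d84de4a48077b9310faac7',
    'project_domain_id': ADMIN_DOMAIN_ID,
    'token': {'is_admin_project': False},
}

if __name__ == '__main__':
    for name, policy in (('original', ORIGINAL_POLICY), ('relaxed', RELAXED_POLICY)):
        print(name, 'identity:list_domains ->',
              enforce(policy, 'identity:list_domains', TEST_USER_CREDS))
```

Run as a script it prints the decision for both policies: the project-scoped token with the Admin role is denied under the original rules because neither `token.is_admin_project` nor a domain-scoped `domain_id` is present, and allowed once a rule matching `project_domain_id` is added, which is exactly the difference between the 403 above and the fixed run. The same evaluator shows the other way to satisfy the unmodified rule: a token for which `is_admin_project` is True passes `cloud_admin` without any policy change, which is the knob the policy file is really keyed on.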

