Patrole

Use heat tempest plugin for heat patrole tests

Registered by Felipe Monteiro

Currently, Patrole uses Tempest's built-in Orchestration client for running Heat RBAC tests. However, this is a short-term solution because Tempest wants to remove the Orchestration client altogether from its project. This means that Patrole should no longer rely on this soon-to-be-deprecated client.

Instead, Patrole should use Heat's Tempest plugin [0].

However, Heat's Tempest plugin uses credentials defined in a configuration file, meaning that it expects pre-provisioned credentials as opposed to dynamically created credentials. There are 2 ways around this.

1) Add the expected heat plugin configuration section and values (for admin and non-admin credentials) with pre-provisioned credentials in Patrole's post_test_hook.sh. Then instantiate admin and non-admin versions of the client manager.

This approach, however, has the following downside: Patrole's role-switching is executed against Tempest's dynamically created credentials. Meaning that role-switching won't be performed against pre-provisioned credentials defined in a conf file.

There is a workaround: use the admin client for set up/clean up of resources and the non-admin client to perform the API action.

2) Client instantiation looks like this for Heat's Tempest client:

    def __init__(self, conf, admin_credentials=False):
        self.conf = conf
        self.admin_credentials = admin_credentials

        if self.conf.auth_url.find('/v'):
            self.auth_version = self.conf.auth_url.split('/v')[1]
        else:
            raise ValueError(_('Incorrectly specified auth_url config: no '
                               'version found.'))
        self.insecure = self.conf.disable_ssl_certificate_validation
        self.ca_file = self.conf.ca_file
       ....

So it's possible to instantiate an object inside Patrole's Heat's rbac_base.py that simply is a dummy holding all the conf values that the constructor expects. This way, Tempest's dynamically created credentials can be passed to the client manager.

For example:

conf = HeatConf()
conf.username = <tempest's non-admin username>
conf.password = <tempest's non-admin password>

admin_conf = HeatConf()
admin_conf.admin_username = <tempest's admin username>
admin_conf.admin_password = <tempest's admin password>

heat_manager = clients.ClientManager(conf, admin_credentials=False)
admin_heat_manager = clients.ClientManager(admin_conf, admin_credentials=True)

cls.os.orchestration_client = heat_manager.orchestration_client
...
cls.os_adm.orchestration_client = admin_heat_manager.orchestration_client
...
[0] https://github.com/openstack/heat/blob/master/heat_integrationtests/common/clients.py

Blueprint information

Status:
Complete
Approver:
Felipe Monteiro
Priority:
High
Drafter:
Felipe Monteiro
Direction:
Approved
Assignee:
Samantha Blanco
Definition:
Obsolete
Series goal:
None
Implementation:
Deferred
Milestone target:
None
Completed by
Samantha Blanco

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/use-heat-tempest-plugin,n,z

Addressed by: https://review.openstack.org/453348
    [WIP] Refactor Heat Patrole tests

Gerrit topic: https://review.openstack.org/#q,topic:bp/initial-tests-orchestration,n,z

---

Support for Heat tests is being removed from Tempest and Patrole.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.