Add system scope for admin auth

Keystone is moving away from using either project-scope or domain-scope
for the main cloud administrator user, and instead moving toward the
admin user having a role assignment on the "system" scope[1]. This will
mean that no particular project or domain is special, and instead the
cloud administrator scopes to the system in order to make
deployment-wide changes. Keystone has now migrated all of its policies
to understand system scope[2], and if a deployment sets
[oslo_policy]/enforce_scope=true in keystone.conf and uses the new
policies, an admin user scoped to the admin project will not be able to
create dynamic credentials for tempest.

This patch adds a new parameter ``[auth]/admin_system`` to indicate that
neither the ``admin_project`` nor ``admin_domain`` parameters apply to
the admin user and that the user should instead authenticate with the
system scope. This also adds ``admin_user_domain_name`` so that the
admin user can be found in its domain (namespace) without setting
``domain_name``, and for completeness also adds
``admin_project_domain_name`` so that ``domain_name`` could be omitted
even if using project scope.

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[2] https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=system-scope

Depends-on: https://review.opendev.org/739262

Change-Id: I840b273c37ca7cc4592c43813abfb424337e2836
diff --git a/tempest/config.py b/tempest/config.py
index 382b80f..7c4539c 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -92,7 +92,24 @@
     cfg.StrOpt('admin_domain_name',
                default='Default',
                help="Admin domain name for authentication (Keystone V3). "
-                    "The same domain applies to user and project"),
+                    "The same domain applies to user and project if "
+                    "admin_user_domain_name and admin_project_domain_name "
+                    "are not specified"),
+    cfg.StrOpt('admin_user_domain_name',
+               help="Domain name that contains the admin user (Keystone V3). "
+                    "May be different from admin_project_domain_name and "
+                    "admin_domain_name"),
+    cfg.StrOpt('admin_project_domain_name',
+               help="Domain name that contains the project given by "
+                    "admin_project_name (Keystone V3). May be different from "
+                    "admin_user_domain_name and admin_domain_name"),
+    cfg.StrOpt('admin_system',
+               default=None,
+               help="The system scope on which an admin user has an admin "
+                    "role assignment, if any. Valid values are 'all' or None. "
+                    "This must be set to 'all' if using the "
+                    "[oslo_policy]/enforce_scope=true option for the "
+                    "identity service."),
 ]
 
 identity_group = cfg.OptGroup(name='identity',
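Review bot: the new admin_system option is declared as a free-form cfg.StrOpt even though its help text says "Valid values are 'all' or None", so a misspelled value would be accepted at config load and only surface later as a failed or wrongly scoped admin authentication. Consider constraining it at the option level, for example with choices=['all'] on the StrOpt, so an invalid value is rejected when the configuration is parsed. The help text should also state what happens to admin_project_name and admin_domain_name when admin_system is set, since the option definitions give no indication of which scope takes precedence if an operator sets both. In the same hunk, admin_user_domain_name and admin_project_domain_name have no default and their help strings say only that they "may be different from" admin_domain_name; the fallback to admin_domain_name is documented only on that option, so it would help to repeat in each new help string that admin_domain_name is used when the option is unset.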