| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 1 | Tempest Configuration Guide |
| 2 | =========================== |
| 3 | |
| Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame^] | 4 | This guide is a starting point for configuring tempest. It aims to elaborate |
| 5 | on and explain some of the mandatory and common configuration settings and how |
| 6 | they are used in conjunction. The source of truth on each option is the sample |
| 7 | config file which explains the purpose of each individual option. |
| 8 | |
| 9 | Lock Path |
| 10 | --------- |
| 11 | |
| 12 | There are some tests and operations inside of tempest that need to be |
| 13 | externally locked when running in parallel to prevent them from running at |
| 14 | the same time. This is a mandatory step for configuring tempest and is still |
| 15 | needed even when running serially. All that is needed to do this is: |
| 16 | |
| 17 | #. Set the lock_path option in the oslo_concurrency group |
| 18 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 19 | Auth/Credentials |
| 20 | ---------------- |
| 21 | |
| 22 | Tempest currently has 2 different ways in configuration to provide credentials |
| 23 | to use when running tempest. One is a traditional set of configuration options |
| 24 | in the tempest.conf file. These options are in the identity section and let you |
| 25 | specify a regular user, a global admin user, and a alternate user set of |
| 26 | credentials. (which consist of a username, password, and project/tenant name) |
| 27 | These options should be clearly labelled in the sample config file in the |
| 28 | identity section. |
| 29 | |
| 30 | The other method to provide credentials is using the accounts.yaml file. This |
| 31 | file is used to specify an arbitrary number of users available to run tests |
| 32 | with. You can specify the location of the file in the |
| 33 | auth section in the tempest.conf file. To see the specific format used in |
| 34 | the file please refer to the accounts.yaml.sample file included in tempest. |
| 35 | Currently users that are specified in the accounts.yaml file are assumed to |
| 36 | have the same set of roles which can be used for executing all the tests you |
| 37 | are running. This will be addressed in the future, but is a current limitation. |
| 38 | Eventually the config options for providing credentials to tempest will be |
| 39 | deprecated and removed in favor of the accounts.yaml file. |
| 40 | |
| 41 | Credential Provider Mechanisms |
| 42 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 43 | |
| 44 | Tempest currently also has 3 different internal methods for providing |
| 45 | authentication to tests. Tenant isolation, locking test accounts, and |
| 46 | non-locking test accounts. Depending on which one is in use the configuration |
| 47 | of tempest is slightly different. |
| 48 | |
| 49 | Tenant Isolation |
| 50 | """""""""""""""" |
| 51 | Tenant isolation was originally create to enable running tempest in parallel. |
| 52 | For each test class it creates a unique set of user credentials to use for the |
| 53 | tests in the class. It can create up to 3 sets of username, password, and |
| 54 | tenant/project names for a primary user, an admin user, and an alternate user. |
| 55 | To enable and use tenant isolation you only need to configure 2 things: |
| 56 | |
| 57 | #. A set of admin credentials with permissions to create users and |
| 58 | tenants/projects. This is specified in the identity section with the |
| 59 | admin_username, admin_tenant_name, and admin_password options |
| 60 | #. To enable tenant_isolation in the auth section with the |
| 61 | allow_tenant_isolation option. |
| 62 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 63 | This is also the currently the default credential provider enabled by tempest, |
| 64 | due to it's common use and ease of configuration. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 65 | |
| 66 | Locking Test Accounts |
| 67 | """"""""""""""""""""" |
| 68 | For a long time using tenant isolation was the only method available if you |
| 69 | wanted to enable parallel execution of tempest tests. However this was |
| 70 | insufficient for certain use cases because of the admin credentials requirement |
| 71 | to create the credential sets on demand. To get around that the accounts.yaml |
| 72 | file was introduced and with that a new internal credential provider to enable |
| 73 | using the list of credentials instead of creating them on demand. With locking |
| 74 | test accounts each test class will reserve a set of credentials from the |
| 75 | accounts.yaml before executing any of its tests so that each class is isolated |
| 76 | like in tenant isolation. |
| 77 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 78 | Currently, this mechanism has some limitations, mostly around networking. The |
| 79 | locking test accounts provider will only work with a single flat network as |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 80 | the default for each tenant/project. If another network configuration is used |
| 81 | in your cloud you might face unexpected failures. |
| 82 | |
| 83 | To enable and use locking test accounts you need do a few things: |
| 84 | |
| 85 | #. Enable the locking test account provider with the |
| 86 | locking_credentials_provider option in the auth section |
| 87 | #. Create a accounts.yaml file which contains the set of pre-existing |
| 88 | credentials to use for testing. To make sure you don't have a credentials |
| 89 | starvation issue when running in parallel make sure you have at least 2 |
| 90 | times the number of parallel workers you are using to execute tempest |
| 91 | available in the file. |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 92 | |
| 93 | You can check the sample file packaged in tempest for the yaml format |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 94 | #. Provide tempest with the location of you accounts.yaml file with the |
| 95 | test_accounts_file option in the auth section |
| 96 | |
| 97 | |
| 98 | Non-locking test accounts |
| 99 | """"""""""""""""""""""""" |
| 100 | When tempest was refactored to allow for locking test accounts, the original |
| 101 | non-tenant isolated case was converted to support the new accounts.yaml file. |
| 102 | This mechanism is the non-locking test accounts provider. It only makes sense |
| 103 | to use it if parallel execution isn't needed. If the role restrictions were too |
| 104 | limiting with the locking accounts provider and tenant isolation is not wanted |
| 105 | then you can use the non-locking test accounts credential provider without the |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 106 | accounts.yaml file. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 107 | |
| 108 | To use the non-locking test accounts provider you have 2 ways to configure it. |
| 109 | First you can specify the sets of credentials in the configuration file like |
| 110 | detailed above with following 9 options in the identity section: |
| 111 | |
| 112 | #. username |
| 113 | #. password |
| 114 | #. tenant_name |
| 115 | #. admin_username |
| 116 | #. admin_password |
| 117 | #. admin_tenant_name |
| 118 | #. alt_username |
| 119 | #. alt_password |
| 120 | #. alt_tenant_name |
| 121 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 122 | The only restriction with using the traditional config options for credentials |
| 123 | is that if a test requires specific roles on accounts these tests can not be |
| 124 | run. This is because the config options do not give sufficient flexibility to |
| 125 | describe the roles assigned to a user for running the tests. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 126 | |
| 127 | You also can use the accounts.yaml file to specify the credentials used for |
| 128 | testing. This will just allocate them serially so you only need to provide |
| 129 | a pair of credentials. Do note that all the restrictions associated with |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 130 | locking test accounts applies to using the accounts.yaml file this way too, |
| 131 | except since you can't run in parallel only 2 of each type of credential is |
| 132 | required to run. However, the limitation on tests which require specific roles |
| 133 | does not apply here. |
| 134 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 135 | The procedure for doing this is very similar to with the locking accounts |
| 136 | provider just don't set the locking_credentials_provider to true and you |
| 137 | only should need a single pair of credentials. |