1165 lines
47 KiB
Python
1165 lines
47 KiB
Python
#!/usr/bin/env python
|
|
#
|
|
# Copyright 2016 Canonical Ltd
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
"""
|
|
Basic keystone amulet functional tests.
|
|
"""
|
|
|
|
import amulet
|
|
import json
|
|
import os
|
|
|
|
from charmhelpers.contrib.openstack.amulet.deployment import (
|
|
OpenStackAmuletDeployment
|
|
)
|
|
|
|
from charmhelpers.contrib.openstack.amulet.utils import (
|
|
OpenStackAmuletUtils,
|
|
DEBUG,
|
|
# ERROR
|
|
)
|
|
import keystoneclient
|
|
from keystoneauth1 import exceptions as ksauth1_exceptions
|
|
|
|
# Use DEBUG to turn on debug logging
|
|
u = OpenStackAmuletUtils(DEBUG)
|
|
|
|
|
|
class KeystoneBasicDeployment(OpenStackAmuletDeployment):
|
|
"""Amulet tests on a basic keystone deployment."""
|
|
|
|
DEFAULT_DOMAIN = 'default'
|
|
|
|
def __init__(self, series=None, openstack=None,
|
|
source=None, stable=False, snap_source=None):
|
|
"""Deploy the entire test environment."""
|
|
super(KeystoneBasicDeployment, self).__init__(series, openstack,
|
|
source, stable)
|
|
|
|
self._initialize_deployment_differences()
|
|
|
|
self._setup_test_object(snap_source)
|
|
self._add_services()
|
|
self._add_relations()
|
|
self._configure_services()
|
|
self._deploy()
|
|
|
|
u.log.info('Waiting on extended status checks...')
|
|
self.exclude_services = []
|
|
self._auto_wait_for_status(exclude_services=self.exclude_services)
|
|
|
|
self.d.sentry.wait()
|
|
self._initialize_tests()
|
|
self._initialize_test_differences()
|
|
|
|
def _initialize_deployment_differences(self):
|
|
self.keystone_num_units = 3
|
|
self.keystone_api_version = 2
|
|
|
|
def _setup_test_object(self, snap_source):
|
|
self.snap_source = snap_source
|
|
if self.snap_source:
|
|
self.config_base = '/var/snap/keystone/common'
|
|
self.keystone_conf = ('{}/etc/keystone/keystone.conf.d/'
|
|
'keystone.conf'.format(self.config_base))
|
|
self.process_services = ["haproxy", "nginx", "uwsgi"]
|
|
self.init_services = ["snap.keystone.nginx",
|
|
"snap.keystone.uwsgi"]
|
|
self.no_origin = ['keystone']
|
|
self.keystone_config = {'openstack-origin': self.snap_source}
|
|
self.pymysql = '+pymysql'
|
|
self.policy_json = ('{}/etc/keystone/keystone.conf.d/policy.json'
|
|
''.format(self.config_base))
|
|
self.logging_config = ('{}/etc/keystone/logging.conf'
|
|
''.format(self.config_base))
|
|
self.log_file = '{}/log/keystone.log'.format(self.config_base)
|
|
self.services_to_configs = {'uwsgi': self.keystone_conf}
|
|
else:
|
|
self.config_base = ''
|
|
self.keystone_conf = '/etc/keystone/keystone.conf'
|
|
self.no_origin = []
|
|
self.keystone_config = {}
|
|
self.pymysql = ''
|
|
self.policy_json = ('{}/etc/keystone/policy.json'
|
|
''.format(self.config_base))
|
|
self.logging_config = ('{}/etc/keystone/logging.conf'
|
|
''.format(self.config_base))
|
|
self.log_file = '/var/log/keystone/keystone.log'
|
|
|
|
if self.is_liberty_or_newer():
|
|
self.process_services = ["apache2", "haproxy"]
|
|
self.init_services = ['apache2']
|
|
self.services_to_configs = {'apache2': self.keystone_conf}
|
|
else:
|
|
self.process_services = ["keystone-all", "apache2", "haproxy"]
|
|
self.init_services = ['keystone']
|
|
self.services_to_configs = {'keystone-all': self.keystone_conf}
|
|
|
|
def _assert_services(self, should_run):
|
|
for unit in self.keystone_sentries:
|
|
u.get_unit_process_ids(
|
|
{unit: self.process_services}, expect_success=should_run)
|
|
|
|
def _add_services(self):
|
|
"""Add services
|
|
|
|
Add the services that we're testing, where keystone is local,
|
|
and the rest of the service are from lp branches that are
|
|
compatible with the local charm (e.g. stable or next).
|
|
"""
|
|
this_service = {'name': 'keystone', 'units': self.keystone_num_units}
|
|
other_services = [
|
|
{'name': 'percona-cluster', 'constraints': {'mem': '3072M'}},
|
|
{'name': 'rabbitmq-server'}, # satisfy wrkload stat
|
|
{'name': 'cinder'},
|
|
]
|
|
super(KeystoneBasicDeployment, self)._add_services(
|
|
this_service, other_services, no_origin=self.no_origin)
|
|
|
|
def _add_relations(self):
|
|
"""Add all of the relations for the services."""
|
|
relations = {'keystone:shared-db': 'percona-cluster:shared-db',
|
|
'cinder:shared-db': 'percona-cluster:shared-db',
|
|
'cinder:amqp': 'rabbitmq-server:amqp',
|
|
'cinder:identity-service': 'keystone:identity-service'}
|
|
super(KeystoneBasicDeployment, self)._add_relations(relations)
|
|
|
|
def _configure_services(self):
|
|
"""Configure all of the services."""
|
|
self.keystone_config.update({
|
|
'admin-password': 'openstack',
|
|
'admin-token': 'ubuntutesting',
|
|
'preferred-api-version': self.keystone_api_version,
|
|
})
|
|
|
|
pxc_config = {
|
|
'dataset-size': '25%',
|
|
'max-connections': 1000,
|
|
'root-password': 'ChangeMe123',
|
|
'sst-password': 'ChangeMe123',
|
|
}
|
|
cinder_config = {'block-device': 'vdb',
|
|
'glance-api-version': '2',
|
|
'overwrite': 'true',
|
|
'ephemeral-unmount': '/mnt'}
|
|
configs = {
|
|
'keystone': self.keystone_config,
|
|
'percona-cluster': pxc_config,
|
|
'cinder': cinder_config,
|
|
}
|
|
super(KeystoneBasicDeployment, self)._configure_services(configs)
|
|
|
|
def api_change_required(self, api_version):
|
|
if api_version == 2:
|
|
try:
|
|
self.keystone_v2.service_catalog.get_urls()
|
|
u.log.debug('Already at required api version {}'
|
|
''.format(api_version))
|
|
return False
|
|
except (AttributeError, ksauth1_exceptions.http.Unauthorized):
|
|
u.log.debug('Change to api version {} required'
|
|
''.format(api_version))
|
|
return True
|
|
else:
|
|
try:
|
|
self.keystone_v3.service_catalog.get_urls()
|
|
u.log.debug('Already at required api version {}'
|
|
''.format(api_version))
|
|
return False
|
|
except (AttributeError, ksauth1_exceptions.http.Unauthorized):
|
|
u.log.debug('Change to api version {} required'
|
|
''.format(api_version))
|
|
return True
|
|
|
|
def set_api_version(self, api_version):
|
|
# Avoid costly settings if we are already at the correct api_version
|
|
if self.api_change_required(api_version):
|
|
u.log.debug('Setting preferred-api-version={}'.format(api_version))
|
|
se_rels = []
|
|
for i in range(0, self.keystone_num_units):
|
|
se_rels.append(
|
|
(self.keystone_sentries[i], 'cinder:identity-service'),
|
|
)
|
|
# Make config change, wait for propagation
|
|
u.keystone_configure_api_version(se_rels, self, api_version)
|
|
|
|
# Store in self.keystone_client
|
|
if api_version == 2:
|
|
self.keystone_v2 = self.get_keystone_client(api_version=2)
|
|
self.keystone_client = self.keystone_v2
|
|
else:
|
|
self.keystone_v3 = self.get_keystone_client(api_version=3)
|
|
self.keystone_client = self.keystone_v3
|
|
self.keystone_api_version = api_version
|
|
|
|
def get_keystone_client(self, api_version=None, keystone_ip=None):
|
|
if keystone_ip is None:
|
|
keystone_ip = self.keystone_ip
|
|
if api_version == 2:
|
|
return u.authenticate_keystone_admin(self.keystone_sentries[0],
|
|
user='admin',
|
|
password='openstack',
|
|
tenant='admin',
|
|
api_version=api_version,
|
|
keystone_ip=keystone_ip)
|
|
else:
|
|
return u.authenticate_keystone_admin(self.keystone_sentries[0],
|
|
user='admin',
|
|
password='openstack',
|
|
api_version=api_version,
|
|
keystone_ip=keystone_ip)
|
|
|
|
def create_users_v2(self):
|
|
# Create a demo tenant/role/user
|
|
self.demo_tenant = 'demoTenant'
|
|
self.demo_role = 'demoRole'
|
|
self.demo_user = 'demoUser'
|
|
if not u.tenant_exists(self.keystone_client, self.demo_tenant):
|
|
tenant = self.keystone_client.tenants.create(
|
|
tenant_name=self.demo_tenant,
|
|
description='demo tenant',
|
|
enabled=True)
|
|
self.keystone_client.roles.create(name=self.demo_role)
|
|
self.keystone_client.users.create(name=self.demo_user,
|
|
password='password',
|
|
tenant_id=tenant.id,
|
|
email='demo@demo.com')
|
|
|
|
# Authenticate keystone demo
|
|
self.keystone_demo = u.authenticate_keystone_user(
|
|
self.keystone_client, user=self.demo_user,
|
|
password='password', tenant=self.demo_tenant)
|
|
|
|
def create_users_v3(self):
|
|
# Create a demo tenant/role/user
|
|
self.demo_project = 'demoProject'
|
|
self.demo_user_v3 = 'demoUserV3'
|
|
self.demo_role = 'demoRoleV3'
|
|
self.demo_domain_admin = 'demoDomainAdminV3'
|
|
self.demo_domain = 'demoDomain'
|
|
try:
|
|
domain = self.keystone_client.domains.find(name=self.demo_domain)
|
|
except keystoneclient.exceptions.NotFound:
|
|
domain = self.keystone_client.domains.create(
|
|
self.demo_domain,
|
|
description='Demo Domain',
|
|
enabled=True
|
|
)
|
|
|
|
try:
|
|
self.keystone_client.projects.find(name=self.demo_project)
|
|
except keystoneclient.exceptions.NotFound:
|
|
self.keystone_client.projects.create(
|
|
self.demo_project,
|
|
domain,
|
|
description='Demo Project',
|
|
enabled=True,
|
|
)
|
|
|
|
try:
|
|
self.keystone_client.roles.find(name=self.demo_role)
|
|
except keystoneclient.exceptions.NotFound:
|
|
self.keystone_client.roles.create(name=self.demo_role)
|
|
|
|
if not self.find_keystone_v3_user(self.keystone_client,
|
|
self.demo_user_v3,
|
|
self.demo_domain):
|
|
self.keystone_client.users.create(
|
|
self.demo_user_v3,
|
|
domain=domain.id,
|
|
project=self.demo_project,
|
|
password='password',
|
|
email='demov3@demo.com',
|
|
description='Demo',
|
|
enabled=True)
|
|
|
|
try:
|
|
self.keystone_client.roles.find(name='Admin')
|
|
except keystoneclient.exceptions.NotFound:
|
|
self.keystone_client.roles.create(name='Admin')
|
|
|
|
if not self.find_keystone_v3_user(self.keystone_client,
|
|
self.demo_domain_admin,
|
|
self.demo_domain):
|
|
user = self.keystone_client.users.create(
|
|
self.demo_domain_admin,
|
|
domain=domain.id,
|
|
project=self.demo_project,
|
|
password='password',
|
|
email='demoadminv3@demo.com',
|
|
description='Demo Admin',
|
|
enabled=True)
|
|
|
|
role = self.keystone_client.roles.find(name='Admin')
|
|
u.log.debug("self.keystone_client.roles.grant('{}', user='{}', "
|
|
"domain='{}')".format(role.id, user.id, domain.id))
|
|
self.keystone_client.roles.grant(
|
|
role.id,
|
|
user=user.id,
|
|
domain=domain.id)
|
|
|
|
def _initialize_tests(self):
|
|
"""Perform final initialization before tests get run."""
|
|
# Access the sentries for inspecting service units
|
|
self.pxc_sentry = self.d.sentry['percona-cluster'][0]
|
|
self.keystone_sentries = []
|
|
for i in range(0, self.keystone_num_units):
|
|
self.keystone_sentries.append(self.d.sentry['keystone'][i])
|
|
self.cinder_sentry = self.d.sentry['cinder'][0]
|
|
u.log.debug('openstack release val: {}'.format(
|
|
self._get_openstack_release()))
|
|
u.log.debug('openstack release str: {}'.format(
|
|
self._get_openstack_release_string()))
|
|
self.keystone_ip = self.keystone_sentries[0].relation(
|
|
'shared-db',
|
|
'percona-cluster:shared-db')['private-address']
|
|
|
|
def _initialize_test_differences(self):
|
|
self.set_api_version(2)
|
|
self.create_users_v2()
|
|
|
|
def test_100_services(self):
|
|
"""Verify the expected services are running on the corresponding
|
|
service units."""
|
|
services = {
|
|
self.cinder_sentry: ['cinder-scheduler',
|
|
'cinder-volume']
|
|
}
|
|
if self._get_openstack_release() >= self.xenial_ocata:
|
|
services.update({self.cinder_sentry: ['apache2']})
|
|
else:
|
|
services.update({self.cinder_sentry: ['cinder-api']})
|
|
|
|
for i in range(0, self.keystone_num_units):
|
|
services.update({self.keystone_sentries[i]: self.init_services})
|
|
|
|
ret = u.validate_services_by_name(services)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def validate_keystone_tenants(self, client):
|
|
"""Verify all existing tenants."""
|
|
u.log.debug('Checking keystone tenants...')
|
|
expected = [
|
|
{'name': 'services',
|
|
'enabled': True,
|
|
'description': 'Created by Juju',
|
|
'id': u.not_null},
|
|
{'name': 'demoTenant',
|
|
'enabled': True,
|
|
'description': 'demo tenant',
|
|
'id': u.not_null},
|
|
{'name': 'admin',
|
|
'enabled': True,
|
|
'description': 'Created by Juju',
|
|
'id': u.not_null}
|
|
]
|
|
if self.keystone_api_version == 2:
|
|
actual = client.tenants.list()
|
|
else:
|
|
actual = client.projects.list()
|
|
|
|
ret = u.validate_tenant_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def test_102_keystone_tenants(self):
|
|
self.set_api_version(2)
|
|
self.validate_keystone_tenants(self.keystone_client)
|
|
|
|
def validate_keystone_roles(self, client):
|
|
"""Verify all existing roles."""
|
|
u.log.debug('Checking keystone roles...')
|
|
expected = [
|
|
{'name': 'demoRole',
|
|
'id': u.not_null},
|
|
{'name': 'Admin',
|
|
'id': u.not_null}
|
|
]
|
|
actual = client.roles.list()
|
|
|
|
ret = u.validate_role_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def test_104_keystone_roles(self):
|
|
self.set_api_version(2)
|
|
self.validate_keystone_roles(self.keystone_client)
|
|
|
|
def validate_keystone_users(self, client):
|
|
"""Verify all existing roles."""
|
|
u.log.debug('Checking keystone users...')
|
|
|
|
if self._get_openstack_release() < self.xenial_pike:
|
|
cinder_user = 'cinder_cinderv2'
|
|
else:
|
|
cinder_user = 'cinderv2_cinderv3'
|
|
base = [
|
|
{'name': 'demoUser',
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': 'demo@demo.com'},
|
|
{'name': 'admin',
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': 'juju@localhost'},
|
|
{'name': cinder_user,
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': u'juju@localhost'}
|
|
]
|
|
expected = []
|
|
for user_info in base:
|
|
if self.keystone_api_version == 2:
|
|
user_info['tenantId'] = u.not_null
|
|
else:
|
|
user_info['default_project_id'] = u.not_null
|
|
expected.append(user_info)
|
|
if self.keystone_api_version == 2:
|
|
actual = client.users.list()
|
|
else:
|
|
# Ensure list is scoped to the default domain
|
|
# when checking v3 users (v2->v3 upgrade check)
|
|
actual = client.users.list(
|
|
domain=client.domains.find(name=self.DEFAULT_DOMAIN).id
|
|
)
|
|
ret = u.validate_user_data(expected, actual,
|
|
api_version=self.keystone_api_version)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def find_keystone_v3_user(self, client, username, domain):
|
|
"""Find a user within a specified keystone v3 domain"""
|
|
domain_users = client.users.list(
|
|
domain=client.domains.find(name=domain).id
|
|
)
|
|
for user in domain_users:
|
|
if username.lower() == user.name.lower():
|
|
return user
|
|
return None
|
|
|
|
def test_106_keystone_users(self):
|
|
self.set_api_version(2)
|
|
self.validate_keystone_users(self.keystone_client)
|
|
|
|
def is_liberty_or_newer(self):
|
|
# os_release = self._get_openstack_release_string()
|
|
os_release = self._get_openstack_release()
|
|
# if os_release >= 'liberty':
|
|
if os_release >= self.trusty_liberty:
|
|
return True
|
|
else:
|
|
u.log.info('Skipping test, {} < liberty'.format(os_release))
|
|
return False
|
|
|
|
def is_mitaka_or_newer(self):
|
|
# os_release = self._get_openstack_release_string()
|
|
os_release = self._get_openstack_release()
|
|
# if os_release >= 'mitaka':
|
|
if os_release >= self.xenial_mitaka:
|
|
return True
|
|
else:
|
|
u.log.info('Skipping test, {} < mitaka'.format(os_release))
|
|
return False
|
|
|
|
def test_112_keystone_list_resources(self):
|
|
if self.is_mitaka_or_newer():
|
|
self.set_api_version(3)
|
|
self.validate_keystone_tenants(self.keystone_client)
|
|
self.validate_keystone_roles(self.keystone_client)
|
|
self.validate_keystone_users(self.keystone_client)
|
|
|
|
def test_118_keystone_create_users(self):
|
|
if self.is_mitaka_or_newer():
|
|
self.set_api_version(3)
|
|
self.create_users_v3()
|
|
actual_user = self.find_keystone_v3_user(self.keystone_client,
|
|
self.demo_user_v3,
|
|
self.demo_domain)
|
|
assert actual_user is not None
|
|
expect = {
|
|
'default_project_id': self.demo_project,
|
|
'email': 'demov3@demo.com',
|
|
'name': self.demo_user_v3,
|
|
}
|
|
for key in expect.keys():
|
|
u.log.debug('Checking user {} {} is {}'.format(
|
|
self.demo_user_v3,
|
|
key,
|
|
expect[key])
|
|
)
|
|
assert expect[key] == getattr(actual_user, key)
|
|
|
|
def test_120_keystone_domains(self):
|
|
if self.is_mitaka_or_newer():
|
|
self.set_api_version(3)
|
|
self.create_users_v3()
|
|
actual_domain = self.keystone_client.domains.find(
|
|
name=self.demo_domain
|
|
)
|
|
expect = {
|
|
'name': self.demo_domain,
|
|
}
|
|
for key in expect.keys():
|
|
u.log.debug('Checking domain {} {} is {}'.format(
|
|
self.demo_domain,
|
|
key,
|
|
expect[key])
|
|
)
|
|
assert expect[key] == getattr(actual_domain, key)
|
|
|
|
def test_121_keystone_demo_domain_admin_access(self):
|
|
"""Verify that end-user domain admin does not have elevated
|
|
privileges. Catch regressions like LP#1651989"""
|
|
if self.is_mitaka_or_newer():
|
|
u.log.debug('Checking keystone end-user domain admin access...')
|
|
self.set_api_version(3)
|
|
# Authenticate as end-user domain admin and verify that we have
|
|
# appropriate access.
|
|
client = u.authenticate_keystone(
|
|
self.keystone_sentries[0].info['public-address'],
|
|
username=self.demo_domain_admin,
|
|
password='password',
|
|
api_version=3,
|
|
user_domain_name=self.demo_domain,
|
|
domain_name=self.demo_domain,
|
|
)
|
|
|
|
try:
|
|
# Expect failure
|
|
client.domains.list()
|
|
except Exception as e:
|
|
message = ('Retrieve domain list as end-user domain admin '
|
|
'NOT allowed...OK ({})'.format(e))
|
|
u.log.debug(message)
|
|
pass
|
|
else:
|
|
message = ('Retrieve domain list as end-user domain admin '
|
|
'allowed')
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_122_keystone_project_scoped_admin_access(self):
|
|
"""Verify that user admin in domain admin_domain has access to
|
|
identity-calls guarded by rule:cloud_admin when using project
|
|
scoped token."""
|
|
if self.is_mitaka_or_newer():
|
|
u.log.debug('Checking keystone project scoped admin access...')
|
|
self.set_api_version(3)
|
|
# Authenticate as end-user domain admin and verify that we have
|
|
# appropriate access.
|
|
client = u.authenticate_keystone(
|
|
self.keystone_sentries[0].info['public-address'],
|
|
username='admin',
|
|
password='openstack',
|
|
api_version=3,
|
|
admin_port=True,
|
|
user_domain_name='admin_domain',
|
|
project_domain_name='admin_domain',
|
|
project_name='admin',
|
|
)
|
|
|
|
try:
|
|
client.domains.list()
|
|
u.log.debug('OK')
|
|
except Exception as e:
|
|
message = ('Retrieve domain list as admin with project scoped '
|
|
'token FAILED. ({})'.format(e))
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_138_service_catalog(self):
|
|
"""Verify that the service catalog endpoint data is valid."""
|
|
u.log.debug('Checking keystone service catalog...')
|
|
self.set_api_version(2)
|
|
endpoint_check = {
|
|
'adminURL': u.valid_url,
|
|
'id': u.not_null,
|
|
'region': 'RegionOne',
|
|
'publicURL': u.valid_url,
|
|
'internalURL': u.valid_url
|
|
}
|
|
expected = {
|
|
'volume': [endpoint_check],
|
|
'identity': [endpoint_check]
|
|
}
|
|
if self._get_openstack_release() >= self.xenial_pike:
|
|
expected.pop('volume')
|
|
expected['volumev2'] = [endpoint_check]
|
|
actual = self.keystone_v2.service_catalog.get_endpoints()
|
|
|
|
ret = u.validate_svc_catalog_endpoint_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def test_140_keystone_endpoint(self):
|
|
"""Verify the keystone endpoint data."""
|
|
u.log.debug('Checking keystone api endpoint data...')
|
|
self.set_api_version(2)
|
|
endpoints = self.keystone_client.endpoints.list()
|
|
admin_port = '35357'
|
|
internal_port = public_port = '5000'
|
|
expected = {
|
|
'id': u.not_null,
|
|
'region': 'RegionOne',
|
|
'adminurl': u.valid_url,
|
|
'internalurl': u.valid_url,
|
|
'publicurl': u.valid_url,
|
|
'service_id': u.not_null
|
|
}
|
|
ret = u.validate_endpoint_data(endpoints, admin_port, internal_port,
|
|
public_port, expected)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL,
|
|
msg='keystone endpoint: {}'.format(ret))
|
|
|
|
def test_142_cinder_endpoint(self):
|
|
"""Verify the cinder endpoint data."""
|
|
u.log.debug('Checking cinder endpoint...')
|
|
endpoints = self.keystone_client.endpoints.list()
|
|
admin_port = internal_port = public_port = '8776'
|
|
expected = {
|
|
'id': u.not_null,
|
|
'region': 'RegionOne',
|
|
'adminurl': u.valid_url,
|
|
'internalurl': u.valid_url,
|
|
'publicurl': u.valid_url,
|
|
'service_id': u.not_null
|
|
}
|
|
|
|
ret = u.validate_endpoint_data(endpoints, admin_port, internal_port,
|
|
public_port, expected)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL,
|
|
msg='cinder endpoint: {}'.format(ret))
|
|
|
|
def test_200_keystone_mysql_shared_db_relation(self):
|
|
"""Verify the keystone shared-db relation data"""
|
|
u.log.debug('Checking keystone to mysql db relation data...')
|
|
relation = ['shared-db', 'percona-cluster:shared-db']
|
|
expected = {
|
|
'username': 'keystone',
|
|
'private-address': u.valid_ip,
|
|
'hostname': u.valid_ip,
|
|
'database': 'keystone'
|
|
}
|
|
for unit in self.keystone_sentries:
|
|
ret = u.validate_relation_data(unit, relation, expected)
|
|
if ret:
|
|
message = u.relation_error('keystone shared-db', ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_201_mysql_keystone_shared_db_relation(self):
|
|
"""Verify the mysql shared-db relation data"""
|
|
u.log.debug('Checking mysql to keystone db relation data...')
|
|
unit = self.pxc_sentry
|
|
relation = ['shared-db', 'keystone:shared-db']
|
|
expected_data = {
|
|
'private-address': u.valid_ip,
|
|
'password': u.not_null,
|
|
'db_host': u.valid_ip
|
|
}
|
|
ret = u.validate_relation_data(unit, relation, expected_data)
|
|
if ret:
|
|
message = u.relation_error('mysql shared-db', ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_202_keystone_cinder_identity_service_relation(self):
|
|
"""Verify the keystone identity-service relation data"""
|
|
u.log.debug('Checking keystone to cinder id relation data...')
|
|
relation = ['identity-service', 'cinder:identity-service']
|
|
expected = {
|
|
'service_protocol': 'http',
|
|
'service_tenant': 'services',
|
|
'admin_token': 'ubuntutesting',
|
|
'service_password': u.not_null,
|
|
'service_port': '5000',
|
|
'auth_port': '35357',
|
|
'auth_protocol': 'http',
|
|
'private-address': u.valid_ip,
|
|
'auth_host': u.valid_ip,
|
|
'service_username': 'cinder_cinderv2',
|
|
'service_tenant_id': u.not_null,
|
|
'service_host': u.valid_ip
|
|
}
|
|
if self._get_openstack_release() >= self.xenial_pike:
|
|
expected['service_username'] = 'cinderv2_cinderv3'
|
|
for unit in self.keystone_sentries:
|
|
ret = u.validate_relation_data(unit, relation, expected)
|
|
if ret:
|
|
message = u.relation_error('keystone identity-service', ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_203_cinder_keystone_identity_service_relation(self):
|
|
"""Verify the cinder identity-service relation data"""
|
|
u.log.debug('Checking cinder to keystone id relation data...')
|
|
unit = self.cinder_sentry
|
|
relation = ['identity-service', 'keystone:identity-service']
|
|
expected = {
|
|
'cinder_service': 'cinder',
|
|
'cinder_region': 'RegionOne',
|
|
'cinder_public_url': u.valid_url,
|
|
'cinder_internal_url': u.valid_url,
|
|
'cinder_admin_url': u.valid_url,
|
|
'cinderv2_service': 'cinderv2',
|
|
'cinderv2_region': 'RegionOne',
|
|
'cinderv2_public_url': u.valid_url,
|
|
'cinderv2_internal_url': u.valid_url,
|
|
'cinderv2_admin_url': u.valid_url,
|
|
'private-address': u.valid_ip,
|
|
}
|
|
|
|
if self._get_openstack_release() >= self.xenial_pike:
|
|
expected.pop('cinder_region')
|
|
expected.pop('cinder_service')
|
|
expected.pop('cinder_public_url')
|
|
expected.pop('cinder_admin_url')
|
|
expected.pop('cinder_internal_url')
|
|
expected.update({
|
|
'cinderv2_region': 'RegionOne',
|
|
'cinderv3_region': 'RegionOne',
|
|
'cinderv3_service': 'cinderv3',
|
|
'cinderv3_region': 'RegionOne',
|
|
'cinderv3_public_url': u.valid_url,
|
|
'cinderv3_internal_url': u.valid_url,
|
|
'cinderv3_admin_url': u.valid_url})
|
|
|
|
ret = u.validate_relation_data(unit, relation, expected)
|
|
if ret:
|
|
message = u.relation_error('cinder identity-service', ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_300_keystone_default_config(self):
|
|
"""Verify the data in the keystone config file,
|
|
comparing some of the variables vs relation data."""
|
|
u.log.debug('Checking keystone config file...')
|
|
ks_ci_rel = self.keystone_sentries[0].relation(
|
|
'identity-service',
|
|
'cinder:identity-service')
|
|
my_ks_rel = self.pxc_sentry.relation('shared-db',
|
|
'keystone:shared-db')
|
|
db_uri = "mysql{}://{}:{}@{}/{}".format(self.pymysql,
|
|
'keystone',
|
|
my_ks_rel['password'],
|
|
my_ks_rel['db_host'],
|
|
'keystone')
|
|
expected = {
|
|
'DEFAULT': {
|
|
'debug': 'False',
|
|
'admin_token': ks_ci_rel['admin_token'],
|
|
'use_syslog': 'False',
|
|
'log_config_append': (self.logging_config),
|
|
'public_endpoint': u.valid_url, # get specific
|
|
'admin_endpoint': u.valid_url, # get specific
|
|
},
|
|
'extra_headers': {
|
|
'Distribution': 'Ubuntu'
|
|
},
|
|
'database': {
|
|
'connection': db_uri,
|
|
'idle_timeout': '200'
|
|
}
|
|
}
|
|
|
|
if self._get_openstack_release() < self.trusty_mitaka:
|
|
expected['DEFAULT']['verbose'] = 'False'
|
|
expected['DEFAULT']['log_config'] = \
|
|
expected['DEFAULT']['log_config_append']
|
|
del expected['DEFAULT']['log_config_append']
|
|
|
|
if self._get_openstack_release() >= self.trusty_kilo and \
|
|
self._get_openstack_release() < self.trusty_mitaka:
|
|
# Kilo and Liberty
|
|
expected['eventlet_server'] = {
|
|
'admin_bind_host': '0.0.0.0',
|
|
'public_bind_host': '0.0.0.0',
|
|
'admin_port': '35347',
|
|
'public_port': '4990',
|
|
}
|
|
elif self._get_openstack_release() <= self.trusty_icehouse:
|
|
# Juno and earlier
|
|
expected['DEFAULT'].update({
|
|
'admin_port': '35347',
|
|
'public_port': '4990',
|
|
'bind_host': '0.0.0.0',
|
|
})
|
|
|
|
for unit in self.keystone_sentries:
|
|
for section, pairs in expected.iteritems():
|
|
ret = u.validate_config_data(unit, self.keystone_conf, section,
|
|
pairs)
|
|
if ret:
|
|
message = "keystone config error: {}".format(ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_301_keystone_default_policy(self):
|
|
"""Verify the data in the keystone policy.json file,
|
|
comparing some of the variables vs relation data."""
|
|
if not self.is_liberty_or_newer():
|
|
return
|
|
u.log.debug('Checking keystone v3 policy.json file')
|
|
self.set_api_version(3)
|
|
ks_ci_rel = self.keystone_sentries[0].relation(
|
|
'identity-service',
|
|
'cinder:identity-service')
|
|
if self._get_openstack_release() >= self.xenial_ocata:
|
|
expected = {
|
|
'admin_required': 'role:Admin',
|
|
'cloud_admin':
|
|
'rule:admin_required and '
|
|
'(is_admin_project:True or '
|
|
'domain_id:{admin_domain_id} or '
|
|
'project_id:{service_tenant_id})'.format(
|
|
admin_domain_id=ks_ci_rel['admin_domain_id'],
|
|
service_tenant_id=ks_ci_rel['service_tenant_id']),
|
|
}
|
|
elif self._get_openstack_release() >= self.trusty_mitaka:
|
|
expected = {
|
|
'admin_required': 'role:Admin',
|
|
'cloud_admin':
|
|
'rule:admin_required and '
|
|
'(token.is_admin_project:True or '
|
|
'domain_id:{admin_domain_id} or '
|
|
'project_id:{service_tenant_id})'.format(
|
|
admin_domain_id=ks_ci_rel['admin_domain_id'],
|
|
service_tenant_id=ks_ci_rel['service_tenant_id']),
|
|
}
|
|
else:
|
|
expected = {
|
|
'admin_required': 'role:Admin',
|
|
'cloud_admin':
|
|
'rule:admin_required and '
|
|
'domain_id:{admin_domain_id}'.format(
|
|
admin_domain_id=ks_ci_rel['admin_domain_id']),
|
|
}
|
|
|
|
for unit in self.keystone_sentries:
|
|
data = json.loads(unit.file_contents(self.policy_json))
|
|
ret = u._validate_dict_data(expected, data)
|
|
if ret:
|
|
message = "keystone policy.json error: {}".format(ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
u.log.debug('OK')
|
|
|
|
def test_302_keystone_logging_config(self):
|
|
"""Verify the data in the keystone logging config file"""
|
|
u.log.debug('Checking keystone config file...')
|
|
expected = {
|
|
'logger_root': {
|
|
'level': 'WARNING',
|
|
'handlers': 'file,production',
|
|
},
|
|
'handlers': {
|
|
'keys': 'production,file,devel'
|
|
},
|
|
'handler_file': {
|
|
'level': 'DEBUG',
|
|
'args': "('{}', 'a')".format(self.log_file)
|
|
}
|
|
}
|
|
|
|
for unit in self.keystone_sentries:
|
|
for section, pairs in expected.iteritems():
|
|
ret = u.validate_config_data(unit, self.logging_config,
|
|
section, pairs)
|
|
if ret:
|
|
message = "keystone logging config error: {}".format(ret)
|
|
amulet.raise_status(amulet.FAIL, msg=message)
|
|
|
|
def test_900_keystone_restart_on_config_change(self):
|
|
"""Verify that the specified services are restarted when the config
|
|
is changed."""
|
|
sentry = self.keystone_sentries[0]
|
|
juju_service = 'keystone'
|
|
|
|
# Expected default and alternate values
|
|
set_default = {'use-syslog': 'False'}
|
|
set_alternate = {'use-syslog': 'True'}
|
|
|
|
# Make config change, check for service restarts
|
|
u.log.debug('Making config change on {}...'.format(juju_service))
|
|
mtime = u.get_sentry_time(sentry)
|
|
self.d.configure(juju_service, set_alternate)
|
|
|
|
sleep_time = 30
|
|
for s, conf_file in self.services_to_configs.iteritems():
|
|
u.log.debug("Checking that service restarted: {}".format(s))
|
|
if not u.validate_service_config_changed(sentry, mtime, s,
|
|
conf_file,
|
|
sleep_time=sleep_time):
|
|
|
|
self.d.configure(juju_service, set_default)
|
|
msg = "service {} didn't restart after config change".format(s)
|
|
amulet.raise_status(amulet.FAIL, msg=msg)
|
|
|
|
self.d.configure(juju_service, set_default)
|
|
|
|
u.log.debug('OK')
|
|
|
|
def test_901_pause_resume(self):
|
|
"""Test pause and resume actions.
|
|
|
|
NOTE: Toggle setting when service is paused to check config-changed
|
|
hook respects pause Bug #1648016
|
|
"""
|
|
# Expected default and alternate values
|
|
set_default = {'use-syslog': 'False'}
|
|
set_alternate = {'use-syslog': 'True'}
|
|
self._assert_services(should_run=True)
|
|
for unit in self.keystone_sentries:
|
|
action_id = u.run_action(unit, "pause")
|
|
assert u.wait_on_action(action_id), "Pause action failed."
|
|
|
|
self._assert_services(should_run=False)
|
|
self.d.configure('keystone', set_alternate)
|
|
for unit in self.keystone_sentries:
|
|
action_id = u.run_action(unit, "resume")
|
|
assert u.wait_on_action(action_id), "Resume action failed"
|
|
self._assert_services(should_run=True)
|
|
self.d.configure('keystone', set_default)
|
|
self._auto_wait_for_status(message="Unit is ready",
|
|
include_only=['keystone'])
|
|
|
|
def test_910_test_user_password_reset(self):
|
|
"""Test that the admin v3 users password is set during
|
|
shared-db-relation-changed. Bug #1644606
|
|
|
|
NOTE: The amulet tests setup v2 and v3 credentials which means
|
|
that the troublesome update_user_password executes cleanly but
|
|
updates the v2 admin user in error. So, to catch this bug change
|
|
the admin password and ensure that it is changed back when
|
|
shared-db-relation-changed hook runs.
|
|
"""
|
|
# NOTE(dosaboy): skipping this test so that we can land fix for
|
|
# LP: #1648677. Currently, if the admin password is
|
|
# changed outside the charm e.g. cli, the charm has no
|
|
# way to detect or retreive that password. The user
|
|
# would not need to update the admin-password config
|
|
# option to fix this.
|
|
return
|
|
|
|
if self.is_mitaka_or_newer():
|
|
timeout = int(os.environ.get('AMULET_SETUP_TIMEOUT', 900))
|
|
self.set_api_version(3)
|
|
self._auto_wait_for_status(
|
|
message="Unit is ready",
|
|
timeout=timeout,
|
|
include_only=['keystone'])
|
|
domain = self.keystone_client.domains.find(name='admin_domain')
|
|
v3_admin_user = self.keystone_client.users.list(domain=domain)[0]
|
|
u.log.debug(v3_admin_user)
|
|
self.keystone_client.users.update(user=v3_admin_user,
|
|
password='wrongpass')
|
|
u.log.debug('Removing keystone percona-cluster relation')
|
|
self.d.unrelate('keystone:shared-db', 'percona-cluster:shared-db')
|
|
self.d.sentry.wait(timeout=timeout)
|
|
u.log.debug('Adding keystone percona-cluster relation')
|
|
self.d.sentry.wait(timeout=timeout)
|
|
self.d.relate('keystone:shared-db', 'percona-cluster:shared-db')
|
|
self.set_api_version(3)
|
|
self._auto_wait_for_status(
|
|
message="Unit is ready",
|
|
timeout=timeout,
|
|
include_only=['keystone'])
|
|
re_auth = u.authenticate_keystone_admin(
|
|
self.keystone_sentries[0],
|
|
user='admin',
|
|
password='openstack',
|
|
api_version=3,
|
|
keystone_ip=self.keystone_ip)
|
|
try:
|
|
re_auth.users.list()
|
|
except ksauth1_exceptions.http.Unauthorized:
|
|
amulet.raise_status(
|
|
amulet.FAIL,
|
|
msg="Admin user password not reset")
|
|
u.log.debug('OK')
|
|
|
|
|
|
class KeystoneV3Deployment(KeystoneBasicDeployment):
|
|
"""Amulet tests on a basic keystone deployment."""
|
|
|
|
def _initialize_deployment_differences(self):
|
|
self.keystone_num_units = 3
|
|
self.keystone_api_version = 3
|
|
|
|
def _initialize_test_differences(self):
|
|
self.keystone_client = self.get_keystone_client(api_version=3)
|
|
self.create_users_v3()
|
|
|
|
def api_change_required(self, api_version):
|
|
u.log.warn('This is a Keystone V3 only deployment.')
|
|
return False
|
|
|
|
def set_api_version(self, api_version):
|
|
u.log.warn('This is a Keystone V3 only deployment. '
|
|
'Ignoring request for api version 2')
|
|
|
|
def validate_keystone_tenants(self, client):
|
|
"""Verify all existing tenants."""
|
|
u.log.debug('Checking keystone tenants...')
|
|
expected = [
|
|
{'name': 'services',
|
|
'enabled': True,
|
|
'description': 'Created by Juju',
|
|
'id': u.not_null},
|
|
{'name': 'demoProject',
|
|
'enabled': True,
|
|
'description': 'Demo Project',
|
|
'id': u.not_null},
|
|
{'name': 'admin',
|
|
'enabled': True,
|
|
'description': 'Created by Juju',
|
|
'id': u.not_null}
|
|
]
|
|
actual = client.projects.list()
|
|
|
|
ret = u.validate_tenant_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def validate_keystone_roles(self, client):
|
|
"""Verify all existing roles."""
|
|
u.log.debug('Checking keystone roles...')
|
|
expected = [
|
|
{'name': 'demoRoleV3',
|
|
'id': u.not_null},
|
|
{'name': 'Admin',
|
|
'id': u.not_null}
|
|
]
|
|
actual = client.roles.list()
|
|
|
|
ret = u.validate_role_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def validate_keystone_users(self, client):
|
|
"""Verify all existing roles."""
|
|
u.log.debug('Checking keystone users...')
|
|
|
|
if self._get_openstack_release() < self.xenial_pike:
|
|
cinder_user = 'cinder_cinderv2'
|
|
else:
|
|
cinder_user = 'cinderv2_cinderv3'
|
|
base = [
|
|
{'name': 'demoUserV3',
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': 'demov3@demo.com'},
|
|
{'name': 'admin',
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': 'juju@localhost'},
|
|
{'name': cinder_user,
|
|
'enabled': True,
|
|
'id': u.not_null,
|
|
'email': u'juju@localhost'}
|
|
]
|
|
expected = []
|
|
for user_info in base:
|
|
user_info['default_project_id'] = u.not_null
|
|
expected.append(user_info)
|
|
# Ensure list is scoped to the default domain
|
|
# when checking v3 users (v2->v3 upgrade check)
|
|
actual = client.users.list(
|
|
domain=client.domains.find(name=self.DEFAULT_DOMAIN).id
|
|
)
|
|
actual += client.users.list(
|
|
domain=client.domains.find(name=self.demo_domain).id)
|
|
actual += client.users.list(
|
|
domain=client.domains.find(name='admin_domain').id)
|
|
ret = u.validate_user_data(expected, actual,
|
|
api_version=self.keystone_api_version)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def test_138_service_catalog(self):
|
|
"""Verify that the service catalog endpoint data is valid."""
|
|
u.log.debug('Checking keystone service catalog...')
|
|
expected = {
|
|
u'identity': [{u'id': u.not_null,
|
|
u'interface': u'admin',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url},
|
|
{u'id': u.not_null,
|
|
u'interface': u'public',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url},
|
|
{u'id': u.not_null,
|
|
u'interface': u'internal',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url}],
|
|
|
|
u'volumev2': [{u'id': u.not_null,
|
|
u'interface': u'admin',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url},
|
|
{u'id': u.not_null,
|
|
u'interface': u'public',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url},
|
|
{u'id': u.not_null,
|
|
u'interface': u'internal',
|
|
u'region': u'RegionOne',
|
|
u'region_id': u'RegionOne',
|
|
u'url': u.valid_url}]}
|
|
|
|
actual = self.keystone_client.service_catalog.get_endpoints()
|
|
ret = u.validate_v3_svc_catalog_endpoint_data(expected, actual)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL, msg=ret)
|
|
|
|
def test_140_keystone_endpoint(self):
|
|
"""Verify the keystone endpoint data."""
|
|
u.log.debug('Checking keystone api endpoint data...')
|
|
admin_port = '35357'
|
|
internal_port = public_port = '5000'
|
|
expected = {'id': u.not_null,
|
|
'region': 'RegionOne',
|
|
'region_id': 'RegionOne',
|
|
'interface': u.not_null,
|
|
'url': u.valid_url,
|
|
'service_id': u.not_null}
|
|
|
|
endpoints = self.keystone_client.endpoints.list()
|
|
ret = u.validate_v3_endpoint_data(endpoints, admin_port, internal_port,
|
|
public_port, expected)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL,
|
|
msg='keystone endpoint: {}'.format(ret))
|
|
|
|
def test_142_cinder_endpoint(self):
|
|
"""Verify the cinder endpoint data."""
|
|
u.log.debug('Checking cinder endpoint...')
|
|
admin_port = internal_port = public_port = '8776'
|
|
expected = {'id': u.not_null,
|
|
'region': 'RegionOne',
|
|
'region_id': 'RegionOne',
|
|
'interface': u.not_null,
|
|
'url': u.valid_url,
|
|
'service_id': u.not_null}
|
|
endpoints = self.keystone_client.endpoints.list()
|
|
ret = u.validate_v3_endpoint_data(endpoints, admin_port, internal_port,
|
|
public_port, expected,
|
|
expected_num_eps=6)
|
|
if ret:
|
|
amulet.raise_status(amulet.FAIL,
|
|
msg='cinder endpoint: {}'.format(ret))
|