File 0001-Ensure-a-role-is-assigned-to-created-users... of Package openstack-tempest

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Ensure-a-role-is-assigned-to-created-users-with-v3-a.patch of Package openstack-tempest

From 9ef8aeb8e4847414b4f1d392738c8d31aea4a118 Mon Sep 17 00:00:00 2001
From: Matthew Treinish <mtreinish@kortar.org>
Date: Tue, 14 Jul 2015 19:58:46 -0400
Subject: [PATCH] Ensure a role is assigned to created users with v3 auth

This commit adds a default role assign to created users and projects
in the isolated credentials path if no other role will be assigned.
The issue previously was that when running with v3 auth tempest was
not assigning a role on the project for the newly created users. So
unless this was done out of band the created users would not be able
to get a token because they didn't have access to the project. By
always assigning a role to the user on the project this will no
longer be an issue. Additionally, we need to ensure that the default
role membership role we're using, "Member" exists before we try to use
it. If it does not it will be created before using it.

Change-Id: I4081cbd61f078bcc457062e2a55adb7b6f249a59
Closes-Bug: #1474193
(cherry picked from commit 32f98a43d313bac1b657c2e0525003a8657b36a1)
---
 tempest/common/isolated_creds.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/tempest/common/isolated_creds.py b/tempest/common/isolated_creds.py
index fee1467..9f70e2e 100644
--- a/tempest/common/isolated_creds.py
+++ b/tempest/common/isolated_creds.py
@@ -51,11 +51,21 @@ class CredsClient(object):
     def create_project(self, name, description):
         pass
 
-    def assign_user_role(self, user, project, role_name):
+    def _check_role_exists(self, role_name):
         try:
             roles = self._list_roles()
             role = next(r for r in roles if r['name'] == role_name)
         except StopIteration:
+            return None
+        return role
+
+    def create_user_role(self, role_name):
+        if not self._check_role_exists(role_name):
+            self.identity_client.create_role(role_name)
+
+    def assign_user_role(self, user, project, role_name):
+        role = self._check_role_exists(role_name)
+        if not role:
             msg = 'No "%s" role found' % role_name
             raise lib_exc.NotFound(msg)
         try:
@@ -196,16 +206,27 @@ class IsolatedCreds(cred_provider.CredentialProvider):
         email = data_utils.rand_name(root) + suffix + "@example.com"
         user = self.creds_client.create_user(
             username, self.password, project, email)
+        role_assigned = False
         if admin:
             self.creds_client.assign_user_role(user, project,
                                                CONF.identity.admin_role)
+            role_assigned = True
         # Add roles specified in config file
         for conf_role in CONF.auth.tempest_roles:
             self.creds_client.assign_user_role(user, project, conf_role)
+            role_assigned = True
         # Add roles requested by caller
         if roles:
             for role in roles:
                 self.creds_client.assign_user_role(user, project, role)
+                role_assigned = True
+        # NOTE(mtreinish) For a user to have access to a project with v3 auth
+        # it must beassigned a role on the project. So we need to ensure that
+        # our newly created user has a role on the newly created project.
+        if self.identity_version == 'v3' and not role_assigned:
+            self.creds_client.create_user_role('Member')
+            self.creds_client.assign_user_role(user, project, 'Member')
+
         creds = self.creds_client.get_credentials(user, project, self.password)
         return cred_provider.TestResources(creds)
 
-- 
2.4.3

Places

File 0001-Ensure-a-role-is-assigned-to-created-users-with-v3-a.patch of Package openstack-tempest

Places