diff --git a/heat_integrationtests/common/clients.py b/heat_integrationtests/common/clients.py index d2cc929775..6079db19df 100644 --- a/heat_integrationtests/common/clients.py +++ b/heat_integrationtests/common/clients.py @@ -17,6 +17,7 @@ from heat.common.i18n import _ from heatclient import client as heat_client from keystoneauth1.identity.generic import password from keystoneauth1 import session +from keystoneclient.v3 import client as kc_v3 from neutronclient.v2_0 import client as neutron_client from novaclient import client as nova_client from swiftclient import client as swift_client @@ -79,6 +80,7 @@ class ClientManager(object): self.ca_file = self.conf.ca_file self.identity_client = self._get_identity_client() + self.keystone_client = self._get_keystone_client() self.orchestration_client = self._get_orchestration_client() self.compute_client = self._get_compute_client() self.network_client = self._get_network_client() @@ -143,6 +145,12 @@ class ClientManager(object): return KeystoneWrapperClient(auth, verify_cert) + def _get_keystone_client(self): + # Create our default Keystone client to use in testing + return kc_v3.Client( + session=self.identity_client.session, + region_name=self.conf.region) + def _get_compute_client(self): # Create our default Nova client to use in testing return nova_client.Client( diff --git a/heat_integrationtests/common/test.py b/heat_integrationtests/common/test.py index fcc117d6ef..52a7fe45de 100644 --- a/heat_integrationtests/common/test.py +++ b/heat_integrationtests/common/test.py 
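Review bot: `_get_keystone_client` has only a generic one-line comment, and nothing states whose credentials the new client carries. It reuses `self.identity_client.session`, so it presumably acts with whatever identity the ClientManager was built for (admin when `admin_credentials` is set) and inherits that session's certificate verification. A comment such as `# Shares the identity session: same credentials and TLS verification as identity_client` would make that explicit for tests that call privileged Keystone APIs through it. No `interface` is passed either; if the other clients in this file take their endpoint type from conf, this one should probably do the same, though that code is outside the hunk.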
@@ -100,6 +100,7 @@ class HeatIntegrationTest(testscenarios.WithScenarios,
 def setup_clients(self, conf, admin_credentials=False):
 self.manager = clients.ClientManager(conf, admin_credentials)
 self.identity_client = self.manager.identity_client
+ self.keystone_client = self.manager.keystone_client
 self.orchestration_client = self.manager.orchestration_client
 self.compute_client = self.manager.compute_client
 self.network_client = self.manager.network_client
diff --git a/heat_integrationtests/functional/test_keystone_user_with_domain.py b/heat_integrationtests/functional/test_keystone_user_with_domain.py
new file mode 100644
index 0000000000..aff4f75a11
--- /dev/null
+++ b/heat_integrationtests/functional/test_keystone_user_with_domain.py
@@ -0,0 +1,183 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from heat_integrationtests.common import test
+from heat_integrationtests.functional import functional_base
+
+create_user = '''
+heat_template_version: 2014-10-16
+description: test template to test user role assignment with user{domain}
+parameters:
+ user_name:
+ type: string
+ label: User Name
+ description: Test user name
+ project_name:
+ type: string
+ label: Project Name
+ description: Test project name
+ domain_name:
+ type: string
+ label: Domain Name
+ description: Test domain name
+resources:
+ Domain:
+ properties:
+ description: "Test Domain"
+ enabled: true
+ name: {get_param: domain_name}
+ type: OS::Keystone::Domain
+ Project:
+ properties:
+ description: "Test Project"
+ enabled: true
+ name: {get_param: project_name}
+ type: OS::Keystone::Project
+ User:
+ type: OS::Keystone::User
+ properties:
+ name: {get_param: user_name}
+ domain: {get_resource: Domain}
+ description: Test user
+ enabled: true
+ email: xyz@abc.com
+ password: passWORD
+outputs:
+ project_name:
+ value: {get_attr: [Project, name]}
+ user_name:
+ value: {get_attr: [User, name]}
+'''
+assign_user_roles = '''
+heat_template_version: 2014-10-16
+description: test template to test user role assignment with user{domain}
+parameters:
+ user_name:
+ type: string
+ label: User Name
+ description: Test user name
+ project_name:
+ type: string
+ label: Project Name
+ description: Test project name
+ domain_name:
+ type: string
+ label: Domain Name
+ description: Test domain name
+resources:
+ UserRoleAssignemnt:
+ properties:
+ roles:
+ - role: admin
+ project: {get_param: project_name}
+ user:
+ list_join: ['',
+ [
+ {get_param: user_name},
+ '{',
+ {get_param: domain_name},
+ '}'
+ ]
+ ]
+ type: OS::Keystone::UserRoleAssignment
+'''
+disable_domain = '''
+heat_template_version: 2014-10-16
+description: test template to test user role assignment with user{domain}
+parameters:
+ user_name:
+ type: string
+ label: User Name
+ description: Test user name
+ project_name:
+ type: string
+ label: Project Name
+ description: Test project name
+ domain_name:
+ type: string
+ label: Domain Name
+ description: Test domain name
+resources:
+ Domain:
+ properties:
+ description: "Test Domain"
+ enabled: false
+ name: {get_param: domain_name}
+ type: OS::Keystone::Domain
+ Project:
+ properties:
+ description: "Test Project"
+ enabled: true
+ name: {get_param: project_name}
+ type: OS::Keystone::Project
+ User:
+ type: OS::Keystone::User
+ properties:
+ name: {get_param: user_name}
+ domain: {get_resource: Domain}
+ description: Test user
+ enabled: true
+ email: xyz@abc.com
+ password: passWORD
+outputs:
+ project_name:
+ value: {get_attr: [Project, name]}
+ user_name:
+ value: {get_attr: [User, name]}
+'''
+
+
+class CreateUserTest(functional_base.FunctionalTestsBase):
+
+ def get_user_and_project_outputs(self, stack_identifier):
+ stack = self.client.stacks.get(stack_identifier)
+ project_name = self._stack_output(stack, 'project_name')
+ user_name = self._stack_output(stack, 'user_name')
+ return project_name, user_name
+
+ def get_outputs(self, stack_identifier, output_key):
+ stack = self.client.stacks.get(stack_identifier)
+ return self._stack_output(stack, output_key)
+
+ def test_assign_user_role_with_domain(self):
+ # Setup admin clients
+ self.setup_clients_for_admin()
+ parms = {
+ 'user_name': test.rand_name('test-user-domain-user-name'),
+ 'project_name': test.rand_name('test-user-domain-project'),
+ 'domain_name': test.rand_name('test-user-domain-domain-name')
+ }
+ stack_identifier_create_user = self.stack_create(
+ template=create_user,
+ parameters=parms)
+
+ self.stack_create(
+ template=assign_user_roles,
+ parameters=parms)
+
+ project_name, user_name = self.get_user_and_project_outputs(
+ stack_identifier_create_user)
+ self.assertEqual(project_name, project_name)
+ self.assertEqual(user_name, user_name)
+ users = self.keystone_client.users.list()
+ projects = self.keystone_client.projects.list()
+ user_id = [x for x in users if x.name == user_name][0].id
+ project_id = [x for x in projects if x.name == project_name][0].id
+ self.assertIsNotNone(
+ self.keystone_client.role_assignments.list(
+ user=user_id, project=project_id))
+
+ # Disable domain so stack can be deleted
+ self.update_stack(
+ stack_identifier=stack_identifier_create_user,
+ template=disable_domain,
+ parameters=parms)
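Review bot: The three assertions in `test_assign_user_role_with_domain` cannot fail, so the test passes even if the admin role was never granted or was granted to a different user. `assertEqual(project_name, project_name)` and `assertEqual(user_name, user_name)` compare each value with itself, and `role_assignments.list(...)` returns a list, which is not None even when it is empty. Compare the stack outputs with the values in `parms` and assert that the assignment list is non-empty, as sketched below. The user lookup also matches on name alone across `users.list()`, so a same-named user in another domain could be selected; restricting the lookup to the newly created domain would tie the check to the user{domain} case this test is meant to cover.

```python
        # … unchanged: stack creation and get_user_and_project_outputs call …
        self.assertEqual(parms['project_name'], project_name)
        self.assertEqual(parms['user_name'], user_name)
        # … unchanged: users/projects listing and user_id/project_id lookup …
        assignments = self.keystone_client.role_assignments.list(
            user=user_id, project=project_id)
        self.assertNotEqual(0, len(assignments))
        # … unchanged: disable-domain stack update …
```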