v26.1.0 Release Notes

26.1.0

Prelude

This is an intermediate release during the Wallaby development cycle to make new functionality available to plugins and other consumers.

The integrated horizon dashboard test has been moved from the tempest-horizon plugin into Tempest. You no longer need to install tempest-horizon to run the horizon test; it can be run using Tempest itself.

Support for the new RBAC system scope has been added to Tempest.

New Features

  • The following Tempest clients for the keystone v3 OS_FEDERATION API were implemented in this release:

    • identity_providers

    • protocols

    • mappings

    • service_providers

  • Add project alternate admin, member and reader role for dynamic credentials.

  • Added methods to the identity v3 roles client to support:

    • PUT /v3/system/users/{user}/roles/{role}

    • GET /v3/system/users/{user}/roles

    • GET /v3/system/users/{user}/roles/{role}

    • DELETE /v3/system/users/{user}/roles/{role}

    • PUT /v3/system/groups/{group}/roles/{role}

    • GET /v3/system/groups/{group}/roles

    • GET /v3/system/groups/{group}/roles/{role}

    • DELETE /v3/system/groups/{group}/roles/{role}

  • Added public interface create_loginable_secgroup_rule(). Since this interface is meant to be used by Tempest plugins, it does not necessarily need to be a private API.

  • Added public interface create_security_group_rule(). Since this interface is meant to be used by Tempest plugins, it does not necessarily need to be a private API.

  • Added public interface log_console_output(). It used to be a private method named _log_console_output(). Since this interface is meant to be used by Tempest plugins, it does not necessarily need to be a private API.

  • Keystone provides a new token scope called system, which can be used to query system-scoped API operations. Projects are moving towards policies with the new scope types; Keystone and Nova already provide the new policies for RBAC checks. Tempest has added support for requesting a system-scoped token from Keystone to test the new policies. As a next step, we will move all Tempest tests to the projects' new policies.

  • Dynamic credentials now support a scope type for specific roles too, along with the admin, member and reader roles. A test can specify the scope as a prefix of the cls.credentials name. If the name is prefixed with system, the creds will be created with system scope. If the name is prefixed with domain, the creds will be created with domain scope; otherwise the default project scope will be used. For example:

    credentials = [['my_role', 'role1'], # this will be old style and project scoped
                   ['project_my_role', 'role1'], # this will be project scoped
                   ['domain_my_role', 'role1'], # this will be domain scoped
                   ['system_my_role', 'role1']] # this will be system scoped
    

    And below is how a test can access the credential manager of each credentials type:

    cls.os_my_role.any_client
    cls.os_project_my_role.any_client
    cls.os_domain_my_role.any_client
    cls.os_system_my_role.any_client
    

    For backward compatibility, we also set the credentials manager class attribute in the old-style form, which is prefixed with os_roles_* (for example cls.os_roles_my_role), but we recommend using the new-style attribute as shown above.

  • Adds new personas that can be used to test service policies for all default scopes (project, domain, and system) and roles (reader, member, and admin). Both dynamic credentials and pre-provisioned credentials are supported.
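The scope-prefix rule for dynamic credentials described above decides which token scope an RBAC test actually exercises, so a misnamed entry quietly tests the wrong policy. The following is an added stand-alone model of that naming rule, not Tempest's own code; the function names are hypothetical and it assumes "prefix" means a plain string-prefix match on the credentials name.

```python
# Stand-alone model of the naming rule in the note above; not Tempest code.
# Assumption: "prefix" is a plain string-prefix test on the first list item.

def resolve_scope(name):
    """Return the token scope implied by a credentials name."""
    if name.startswith('system'):
        return 'system'
    if name.startswith('domain'):
        return 'domain'
    return 'project'  # default; also covers old-style names


def plan_credentials(credentials):
    """Map each [name, role, ...] entry to scope, roles and class attributes."""
    plan = {}
    for entry in credentials:
        if not isinstance(entry, list):
            continue  # plain strings such as 'admin' are not role lists
        name, roles = entry[0], entry[1:]
        plan[name] = {
            'scope': resolve_scope(name),
            'roles': roles,
            'attribute': 'os_%s' % name,               # new-style attribute
            'legacy_attribute': 'os_roles_%s' % name,  # backward compatible
        }
    return plan


def unexpected_scopes(credentials, intended):
    """Return names whose resolved scope differs from the intended scope.

    `intended` maps a credentials name to the scope the test author expects.
    """
    plan = plan_credentials(credentials)
    return sorted(name for name, scope in intended.items()
                  if plan[name]['scope'] != scope)


# Constructed sample: the four entries from the note plus two easy mistakes.
SAMPLE = [['my_role', 'role1'],
          ['project_my_role', 'role1'],
          ['domain_my_role', 'role1'],
          ['system_my_role', 'role1'],
          ['sys_auditor', 'reader'],     # typo'd prefix: falls back to project
          ['domainless_role', 'role1']]  # starts with "domain": domain scoped

if __name__ == '__main__':
    for name, info in plan_credentials(SAMPLE).items():
        print(name, info['scope'], info['attribute'], info['legacy_attribute'])
```

Running a check like unexpected_scopes() over a test class's credentials list catches entries whose name does not yield the scope the policy test is meant to cover.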

Known Issues

  • Scope support for specific roles is not yet added for pre-provisioned credentials.

Upgrade Notes

  • In this release tempest/manager.py is removed after more than 4 years of deprecation.

  • The tempest.lib.common.utils.data_utils.random_bytes() helper function will no longer allow a size of more than 1MiB. Tests generally do not need to generate and use large payloads for feature verification, and it is easy to lose track of and duplicate large buffers. The sum total of such errors can become problematic in parallelized and constrained CI environments.

  • Deprecated config options to select the Volume API version have been removed. Use CONF.volume.catalog_type to run volume tests under v3 or v2 APIs.

    • CONF.volume-feature-enabled.api_v2

    • CONF.volume-feature-enabled.api_v3

Deprecation Notes

  • In this release the following tempest arguments are deprecated and replaced by new ones which are functionally equivalent:

    • --black-regex is replaced by --exclude-regex

    • --blacklist-file is replaced by --exclude-list

    • --whitelist-file is replaced by --include-list

    For now Tempest supports both (new and old ones) in order to make the transition for all consumers smoother. However, that’s just a temporary case and the old options will be removed soon.

Bug Fixes

  • [bug 1613819] admin_domain_name and default_credentials_domain_name parameters under [auth] now affect a domain used for creating test users just as they affect it for projects. Previously a domain with an id set to “default” had to be present in order for test user creation to succeed with Keystone v3.