Add role for tempest to allow set image location

Recent glance policy additions prevent non admins from setting image location and therefore creating remote images. Tempest users need this functionality, so this patch adds a role to those users and a policy to allow that role to set image location. The change that allows users to specify roles to be added to tempest users has already been merged upstream: https://review.openstack.org/#/c/147542/ In order to use the upstream tempest changes, I had to bump the tempest sha, which in turn required some client package upgrades: * tempest to 3feb4d4e1f9367269a226f788ff468f820751340 * python-glanceclient to 0.15.0 * python-saharaclient to 0.7.6 Change-Id: I9ed053bf70680db54b1cf679a171d61ea639f19d Closes-Bug: #1411599 (cherry picked from commit a5ab931)
openstack · Jan 29, 2015 · 278ec80 · 278ec80
1 parent 9b3780a
commit 278ec80
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 6 deletions.
diff --git a/rpc_deployment/roles/glance_common/templates/policy.json b/rpc_deployment/roles/glance_common/templates/policy.json
@@ -13,9 +13,9 @@
     "download_image": "",
     "upload_image": "",
 
-    "delete_image_location": "role:admin",
+    "delete_image_location": "role:admin or role:remote_image",
     "get_image_location": "",
-    "set_image_location": "role:admin",
+    "set_image_location": "role:admin or role:remote_image",
 
     "add_member": "",
     "delete_member": "",

diff --git a/rpc_deployment/roles/tempest/templates/tempest.conf.j2 b/rpc_deployment/roles/tempest/templates/tempest.conf.j2
@@ -5,6 +5,7 @@ use_stderr = False
 lock_path = /opt/{{ repo_path }}/locks
 
 [auth]
+tempest_roles = remote_image
 
 [boto]
 ssh_user = cirros
@@ -77,7 +78,6 @@ uri_v3 = http://{{ external_vip_address }}:5000/v3/
 uri = http://{{ external_vip_address }}:5000/v2.0/
 
 
-
 [identity-feature-enabled]
 xml_api = False
 

diff --git a/rpc_deployment/roles/tempest_resources/tasks/main.yml b/rpc_deployment/roles/tempest_resources/tasks/main.yml
@@ -65,6 +65,15 @@
     - demo
     - alt_demo
 
+- name: Ensure remote_image role exists
+  keystone:
+    command: ensure_role
+    role_name: remote_image
+    endpoint: "{{ auth_identity_uri }}"
+    login_tenant_name: "{{ auth_admin_tenant }}"
+    login_user: "{{ auth_admin_username }}"
+    login_password: "{{ auth_admin_password }}"
+
 - name: Ensure tempest network exists
   neutron:
     command: create_network_with_subnet

diff --git a/rpc_deployment/vars/repo_packages/python_glanceclient.yml b/rpc_deployment/vars/repo_packages/python_glanceclient.yml
@@ -19,6 +19,6 @@ repo_path: "{{ pip_wheel_name }}_{{ git_install_branch | replace('/', '_') }}"
 git_repo: https://github.com/openstack/python-glanceclient
 git_fallback_repo: https://git.openstack.org/openstack/python-glanceclient
 git_dest: "/opt/{{ repo_path }}"
-git_install_branch: b126351d9d61fac777b72707620583dcb516e8d5
+git_install_branch: 0.15.0
 
 pip_wheel_name: python-glanceclient
diff --git a/rpc_deployment/vars/repo_packages/python_saharaclient.yml b/rpc_deployment/vars/repo_packages/python_saharaclient.yml
@@ -19,6 +19,6 @@ repo_path: "{{ pip_wheel_name }}_{{ git_install_branch | replace('/', '_') }}"
 git_repo: https://github.com/openstack/python-saharaclient
 git_fallback_repo: https://git.openstack.org/openstack/python-saharaclient
 git_dest: "/opt/{{ repo_path }}"
-git_install_branch: 0.7.5
+git_install_branch: 0.7.6
 
 pip_wheel_name: python-saharaclient
diff --git a/rpc_deployment/vars/repo_packages/tempest.yml b/rpc_deployment/vars/repo_packages/tempest.yml
@@ -21,7 +21,7 @@ repo_path: "{{ repo_package_name }}_{{ git_install_branch | replace('/', '_') }}
 git_repo: https://github.com/openstack/tempest
 git_fallback_repo: https://git.openstack.org/openstack/tempest
 git_dest: "/opt/{{ repo_path }}"
-git_install_branch: 3a94488ced15985f34b276993891b3bf3def3845
+git_install_branch: 7c73dd5b18d29f0f3f3be0088514121dade53c8f
 
 pip_wheel_name: tempest