This work is licensed under a Creative Commons Attribution 3.0 Unported License.

Tempest support for multiple keystone API versions

Decouple tempest from keystone version specifics and run tests with keystone v3

Problem description

Tempest code is tightly coupled with keystone V2 specific implementations. Common classes (such as rest client and tenant isolation), test base classes and test themselves all assume the identity service is provided by a keystone v2 endpoint. Tempest shall be able to run with a keystone V3 identity service, and newer versions as they become available.

Proposed change

A new configuration flag is introduced to specify the auth version to be used. The flag is defined as follows:

           help="Identity API version to be used for authentication "
                "for API tests."),

And it’s used to select the matching version of Credentials and Auth Provider:

if CONF.identity.auth_version == 'v2':
    credential_class = KeystoneV2Credentials
    auth_provider_class = KeystoneV2AuthProvider
elif CONF.identity.auth_version == 'v3':
    credential_class = KeystoneV3Credentials
    auth_provider_class = KeystoneV3AuthProvider
    raise exceptions.InvalidConfiguration('Unsupported auth version')

A number of refactors are required to achieve this and make sure we don’t need to change test code again when moving to different keystone API versions.

Authentication are factored out in an authentication provider. Credentials are handled via a dedicated class, provided to tests by a credential manager. Clients managers receive credentials and are the sole responsible for instantiating clients and provide them to tests. At the moment client managers instantiate all available clients when created. This is unnecessary, and it leads to issues when not all openstack services are available for test. Client managers are thus changed to lazy instantiation of clients.

Manager __init__ method signature before and after refactor:


   def __init__(self, username=None, password=None, tenant_name=None,
                interface='json', service=None):


   def __init__(self, credentials=None, interface='json', service=None):

Authentication in rest client before and after refactor:


   def request(self, method, url,
               headers=None, body=None):
       if (self.token is None) or (self.base_url is None):

       if headers is None:
           headers = {}
       headers['X-Auth-Token'] = self.token

       resp, resp_body = self._request(method, url,
                                       headers=headers, body=body)


   def _request(self, method, url, headers=None, body=None):
       # Authenticate the request with the auth provider
       req_url, req_headers, req_body = self.auth_provider.auth_request(
           method, url, headers, body, self.filters)

Access to credentials IDs from the tests, before and after refactor:


       # Retrieve the ResellerAdmin tenant id
       _, users = cls.os_admin.identity_client.get_users()
       reseller_user_id = next(usr['id'] for usr in users if usr['name']

       # Retrieve the ResellerAdmin tenant id
       _, tenants = cls.os_admin.identity_client.list_tenants()
       reseller_tenant_id = next(tnt['id'] for tnt in tenants if tnt['name']


       # Retrieve the ResellerAdmin user id
       reseller_user_id =

       # Retrieve the ResellerAdmin tenant id
       reseller_tenant_id =

Areas affected by refactor:

  • Rest client (tempest/common/ move auth code to an external auth provider

  • Client managers (tempest/, tempest/, tempest/scenario/ work with a Credentials class. Lazy load of clients.

  • Tests base classes (tempest/api/**/ adapt where needed to modified rest client, client manager and credentials

  • Tests: adapt where needed to modified rest client, client manager and credentials


We could change all the code in place - without refactoring - adding checks for the configured auth version. This would still require touching a considerable chunk of tempest code, without the benefit for future keystone versions.



Primary assignee:

Andrea Frittoli <>


Target Milestone for completion:


Work Items

  • Move auth from rest_client to auth provider

  • Provide unit tests for the new auth and credential classes

  • Refactor Manager, Credentials class everywhere

  • Client Manager provide client lazy load

  • Tenant isolation support for V3

  • Provide multi auth-version for API tests

  • Provide multi auth-version for scenario tests

  • Provide multi auth-version for CLI tests

  • Provide multi auth-version for 3rd part tests

  • Provide multi auth-version for stress framework

  • Add experimental job with auth_version = v3


  • Python bindings and CLI are not yet all V3 ready. Some of the work in this blueprint will have to be postponed until this is fixed