Feature/nested projects

[Be-El]

This large change set implements support for nested project and a complete quota support for nova, neutron and cinder.

To use it:

• build complete environment, but define both OS_DOMAIN_NAME and OS_PROJECT_NAME
• user need to be both domain admin (for keystone) and project admin (for quotas)
• use the --nested / -n flag for nested projects
• use the --quotas / -q flag for quota support
• or both ;-)

Example: python denbi/scripts/perun_propagation.py -q -v -v --role member --domain adapter_test -n test/resources/perun.tar.gz

Projects will be created as sub project of the project given by OS_PROJECT_NAME; they inherit the role assignment (-> user is also admin), and the accumulated quotas of sub projects may not exceed the parent project quota.

I've tested the change only in this setup; I did not perform any tests with cloud admin credentials or other setups. The code should work in these environments, too....but please test it before merging it!

I'll extend the branch with a documentation update later.

The test dataset in test/resources/perun.tar.gz is also extended to set a cinder and neutron quota.

[pep8speaks]

Hello @Be-El! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

• In the file denbi/perun/keystone.py:

Line 235:181: E501 line too long (264 > 180 characters) Line 237:181: E501 line too long (182 > 180 characters)

• In the file setup.py:

Line 13:1: E302 expected 2 blank lines, found 1

Comment last updated at 2019-03-27 14:16:51 UTC

[jkrue]

Before merging this branch we have to make sure that it still works with with cloud-admin permissions, which is currently not that case. However in every case the unit tests must be adjusted to run successful with cloud-admin and domain-admin credentials. The tests can not run successfully in current state, since the idea to make as less api calls as possible is skipped. Anyway, I like the idea of a factory class for different services (nova, neutron and cinder) quotas as a very flexible solution, but then we have to adjust the tests.
Another import point is to update the documentation, testing the quota setting needs a full Openstack setup - the keystone-in-a-container solution will not work anymore.

Work to do (before merging):

• fix cloud-admin usage
• rewrite quota test
• update documentation (uses DevStack instead of keystone container)

I can do most of things, but need then some help when testing in a domain-admin environment

[jkrue]

@Be-El Could you check if the adapter still works with an domain-admin-account ? Thx

[Be-El]

Two fixes:

• domain scoped token may not have a project name or project id
• newly created projects were not assigned correctly, resulting in follow up error at quota setting

[jkrue]

@Be-El , @pbelmann I update the PR, improve documentation, logging and the example service. I fix also a bug setting the quotas. What's missing ?

• The tests only check the keystone stuff (users, projects and membership) but not any quotas settings.
• The travis CI build still fails.
• the logging could be still improved - separate everything the pks changes on openstack from everything else ...

I run the PKS from pr branch on our development cloud, it's working fine ;-)

What do you think, could we merge the pull request and open new issues for the missing parts?