Only use EC2 creds from our project. Clean up after use.

garloff · garloff · commit 7e466356589d · 2025-03-13T13:32:58.000+01:00
When looking for existing EC2 credentials, we only accept those
created for our own project.
If we need to create one, remember this and clean it up again.

Signed-off-by: Kurt Garloff &lt;kurt@garloff.de&gt;
diff --git a/Tests/iaas/mandatory-services/mandatory-iaas-services.py b/Tests/iaas/mandatory-services/mandatory-iaas-services.py
@@ -115,30 +115,34 @@ def s3_from_env(creds, fieldnm, env, prefix=""):
 
 
 def s3_from_ostack(creds, conn, endpoint):
-    "Set creds from openstack swift/keystone"
+    """Set creds from openstack swift/keystone
+       Returns credential ID *if* an ec2 credential was created,
+       None otherwise."""
     rgx = re.compile(r"^(https*://[^/]*)/")
     match = rgx.match(endpoint)
     if match:
         creds["HOST"] = match.group(1)
-    # Use first ec2 cred if one exists
+    # Use first ec2 cred that matches the project (if one exists)
+    project_id = conn.identity.get_project_id()
     ec2_creds = [cred for cred in conn.identity.credentials()
-                 if cred.type == "ec2"]
+                 if cred.type == "ec2" and cred.project_id == project_id]
     if len(ec2_creds):
         # FIXME: Assume cloud is not evil
         ec2_dict = eval(ec2_creds[0].blob, {"null": None})
         creds["AK"] = ec2_dict["access"]
         creds["SK"] = ec2_dict["secret"]
-        return
+        return None
     # Generate keyid and secret
     ak = uuid.uuid4().hex
     sk = uuid.uuid4().hex
     blob = f'{{"access": "{ak}", "secret": "{sk}"}}'
     try:
-        conn.identity.create_credential(type="ec2", blob=blob,
-                                        user_id=conn.current_user_id,
-                                        project_id=conn.current_project_id)
+        crd = conn.identity.create_credential(type="ec2", blob=blob,
+                                              user_id=conn.current_user_id,
+                                              project_id=conn.current_project_id)
         creds["AK"] = ak
         creds["SK"] = sk
+        return crd.id
     except BaseException as exc:
         print(f"WARNING: ec2 creds creation failed: {exc!s}", file=sys.stderr)
         # pass
@@ -173,7 +177,7 @@ def check_for_s3_and_swift(conn: openstack.connection.Connection, s3_credentials
         )
         return 1
     # Get S3 endpoint (swift) and ec2 creds from OpenStack (keystone)
-    s3_from_ostack(s3_creds, conn, endpoint)
+    ec2_cred = s3_from_ostack(s3_creds, conn, endpoint)
     # Overrides (var names are from libs3, in case you wonder)
     s3_from_env(s3_creds, "HOST", "S3_HOSTNAME", "https://")
     s3_from_env(s3_creds, "AK", "S3_ACCESS_KEY_ID")
@@ -190,14 +194,19 @@ def check_for_s3_and_swift(conn: openstack.connection.Connection, s3_credentials
     # if not swift_containers:
     #    swift_containers = create_container(conn, TESTCONTNAME)
     result = 0
+    # Compare number of buckets/containers
+    # FIXME: Could compare list of sorted names
     if Counter(s3_buckets) != Counter(swift_containers):
         logger.warning("S3 buckets and Swift Containers differ:\n"
                        f"S3: {sorted(s3_buckets)}\nSW: {sorted(swift_containers)}")
         result = 1
     else:
         logger.info("SUCCESS: S3 and Swift exist and agree")
-    # Clean up
-    # FIXME: Cleanup created EC2 credential
+    # Clean up ec2 cred IF we created one
+    if ec2_cred:
+        conn.identity.delete_credential(ec2_cred)
+    # No need to clean up swift container, as we did not create one
+    # (If swift and S3 agree, there will be a S3 bucket that we clean up with S3.)
     # if swift_containers == [TESTCONTNAME]:
     #    del_container(conn, TESTCONTNAME)
     # Cleanup created S3 bucket
