Enable domain specific drivers

Enable support for domain specific drivers, managed via
configuration files (instead of directly using the API and
database).

Using multiple domains means that calls to users.list must
be scoped to a specific domain; ensure that v3 calls to this
method are appropriately scoped.

Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803

hooks/keystone_utils.py

@@ -790,13 +790,18 @@ def create_or_show_domain(name):
 
 def user_exists(name, domain=None):
     manager = get_manager()
+    domain_id = None
     if domain:
         domain_id = manager.resolve_domain_id(domain)
         if not domain_id:
             error_out('Could not resolve domain_id for {} when checking if '
                       ' user {} exists'.format(domain, name))
     if manager.resolve_user_id(name, user_domain=domain):
-        for user in manager.api.users.list():
+        if manager.api_version == 2:
+            users = manager.api.users.list()
+        else:
+            users = manager.api.users.list(domain=domain_id)
+        for user in users:
             if user.name.lower() == name.lower():
                 # In v3 Domains are seperate user namespaces so need to check
                 # that the domain matched if provided

hooks/manager.py

@@ -201,9 +201,10 @@ class KeystoneManager3(KeystoneManager):
 
     def resolve_user_id(self, name, user_domain=None):
         """Find the user_id of a given user"""
+        domain_id = None
         if user_domain:
             domain_id = self.resolve_domain_id(user_domain)
-        for user in self.api.users.list():
+        for user in self.api.users.list(domain=domain_id):
             if name.lower() == user.name.lower():
                 if user_domain:
                     if domain_id == user.domain_id:

templates/kilo/keystone.conf

@@ -34,6 +34,11 @@ driver = keystone.identity.backends.{{ identity_backend }}.Identity
 default_domain_id = {{ default_domain_id }}
 {% endif -%}
 
+{% if api_version == 3 -%}
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains
+{% endif -%}
+
 [credential]
 driver = keystone.credential.backends.sql.Credential
 

templates/mitaka/keystone.conf

@@ -25,6 +25,11 @@ driver = {{ identity_backend }}
 default_domain_id = {{ default_domain_id }}
 {% endif -%}
 
+{% if api_version == 3 -%}
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains
+{% endif -%}
+
 [credential]
 driver = sql
 

tests/basic_deployment.py

@@ -43,6 +43,8 @@ u = OpenStackAmuletUtils(DEBUG)
 class KeystoneBasicDeployment(OpenStackAmuletDeployment):
     """Amulet tests on a basic keystone deployment."""
 
+    DEFAULT_DOMAIN = 'default'
+
     def __init__(self, series=None, openstack=None,
                  source=None, git=False, stable=False):
         """Deploy the entire test environment."""
@@ -252,9 +254,9 @@ class KeystoneBasicDeployment(OpenStackAmuletDeployment):
         except keystoneclient.exceptions.NotFound:
             self.keystone_v3.roles.create(name=self.demo_role)
 
-        try:
-            self.keystone_v3.users.find(name=self.demo_user_v3)
-        except keystoneclient.exceptions.NotFound:
+        if not self.find_keystone_v3_user(self.keystone_v3,
+                                          self.demo_user_v3,
+                                          self.demo_domain):
             self.keystone_v3.users.create(
                 self.demo_user_v3,
                 domain=domain.id,
@@ -375,12 +377,29 @@ class KeystoneBasicDeployment(OpenStackAmuletDeployment):
             else:
                 user_info['default_project_id'] = u.not_null
             expected.append(user_info)
-        actual = client.users.list()
+        if self.keystone_api_version == 2:
+            actual = client.users.list()
+        else:
+            # Ensure list is scoped to the default domain
+            # when checking v3 users (v2->v3 upgrade check)
+            actual = client.users.list(
+                domain=client.domains.find(name=self.DEFAULT_DOMAIN).id
+            )
         ret = u.validate_user_data(expected, actual,
                                    api_version=self.keystone_api_version)
         if ret:
             amulet.raise_status(amulet.FAIL, msg=ret)
 
+    def find_keystone_v3_user(self, client, username, domain):
+        """Find a user within a specified keystone v3 domain"""
+        domain_users = client.users.list(
+            domain=client.domains.find(name=domain).id
+        )
+        for user in domain_users:
+            if username.lower() == user.name.lower():
+                return user
+        return None
+
     def test_106_keystone_users(self):
         self.set_api_version(2)
         self.validate_keystone_users(self.keystone_v2)
@@ -412,7 +431,10 @@ class KeystoneBasicDeployment(OpenStackAmuletDeployment):
         if self.is_liberty_or_newer():
             self.set_api_version(3)
             self.create_users_v3()
-            actual_user = self.keystone_v3.users.find(name=self.demo_user_v3)
+            actual_user = self.find_keystone_v3_user(self.keystone_v3,
+                                                     self.demo_user_v3,
+                                                     self.demo_domain)
+            assert actual_user is not None
             expect = {
                 'default_project_id': self.demo_project,
                 'email': 'demov3@demo.com',