diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index d5233d759..f3375d557 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -94,9 +94,10 @@ class AuthInfo(object):
 target='domain')
 try:
 if domain_name:
- domain_ref = self.identity_api.get_domain_by_name(domain_name)
+ domain_ref = self.assignment_api.get_domain_by_name(
+ domain_name)
 else:
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 except exception.DomainNotFound as e:
 LOG.exception(e)
 raise exception.Unauthorized(e)
diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py
index 15f21d0aa..a6fe1b45a 100644
--- a/keystone/auth/plugins/external.py
+++ b/keystone/auth/plugins/external.py
@@ -87,7 +87,7 @@ class Domain(Base):
 username = names.pop(0)
 if names:
 domain_name = names[0]
- domain_ref = (auth_info.identity_api.
+ domain_ref = (auth_info.assignment_api.
 get_domain_by_name(domain_name))
 domain_id = domain_ref['id']
 else:
diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py
index 9531261d8..619010e23 100644
--- a/keystone/auth/plugins/password.py
+++ b/keystone/auth/plugins/password.py
@@ -24,7 +24,7 @@ METHOD_NAME = 'password'
 LOG = logging.getLogger(__name__)
-@dependency.requires('identity_api')
+@dependency.requires('assignment_api', 'identity_api')
 class UserAuthInfo(object):
 @staticmethod
 def create(auth_payload):
@@ -58,9 +58,10 @@ class UserAuthInfo(object):
 target='domain')
 try:
 if domain_name:
- domain_ref = self.identity_api.get_domain_by_name(domain_name)
+ domain_ref = self.assignment_api.get_domain_by_name(
+ domain_name)
 else:
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 except exception.DomainNotFound as e:
 LOG.exception(e)
 raise exception.Unauthorized(e)
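Review bot: AuthInfo now calls `self.assignment_api` in the domain lookup, but no decorator change is visible for this class, whereas password.py gains 'assignment_api' in its `@dependency.requires` in this same commit. The class decorator is outside the hunk; if it does not already list the manager, the first domain-scoped request would fail with an AttributeError on the login path instead of the intended Unauthorized, so confirm it includes `'assignment_api'`. The same check applies to Auth in token/controllers.py, to validate_auth_info in token/core.py (a module-level function that borrows `self` from its callers, so every caller must expose the attribute) and to V3TokenDataHelper in token/providers/uuid.py.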
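Review bot: The visible lines of this external-auth hunk do not handle `DomainNotFound` from `get_domain_by_name`, and the name being looked up is taken from `names`, presumably parsed from the externally supplied user name (the parsing is outside the hunk). The equivalent lookups in auth/controllers.py and password.py convert that exception to `Unauthorized`; confirm that the caller of this method does the same, otherwise an unknown domain is reported to an unauthenticated client differently from a failed login. The plugin also reaches through `auth_info` for the manager instead of declaring its own dependency; a comment such as `# relies on AuthInfo being injected with assignment_api` would make that coupling explicit. The method starts and ends outside the hunk.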
@@ -89,7 +90,7 @@ class UserAuthInfo(object):
 user_name, domain_ref['id'])
 else:
 user_ref = self.identity_api.get_user(user_id)
- domain_ref = self.identity_api.get_domain(
+ domain_ref = self.assignment_api.get_domain(
 user_ref['domain_id'])
 self._assert_domain_is_enabled(domain_ref)
 except exception.UserNotFound as e:
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 158eecb56..50f7b5a56 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -605,16 +605,6 @@ class DomainV3(controller.V3Controller):
 self._delete_domain_contents(context, domain_id)
 return self.assignment_api.delete_domain(domain_id)
- def _get_domain_by_name(self, context, domain_name):
- """Get the domain via its unique name.
-
- For use by token authentication - not for hooking to the identity
- router as a public api.
-
- """
- ref = self.assignment_api.get_domain_by_name(domain_name)
- return {'domain': ref}
-
 class ProjectV3(controller.V3Controller):
 collection_name = 'projects'
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index fbdde1663..6a9f90c9d 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -27,6 +27,7 @@ from keystone import clean
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import manager
+from keystone.common import utils
 from keystone import config
 from keystone import exception
 from keystone import notifications
@@ -279,7 +280,7 @@ class Manager(manager.Manager):
 if driver:
 return driver
 else:
- self.get_domain(domain_id)
+ self.assignment_api.get_domain(domain_id)
 return self.driver
 def _get_domain_conf(self, domain_id):
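Review bot: In the user_id branch of password.py the domain is fetched with `self.assignment_api.get_domain(user_ref['domain_id'])` inside a `try` whose only visible handler is `except exception.UserNotFound as e:`. A user record whose domain_id no longer resolves would raise `DomainNotFound`, and unless a handler outside the hunk catches it, that escapes the password plugin as a not-found error rather than `Unauthorized`, unlike the domain-scoped lookup earlier in the same class. If the handler body only re-raises as Unauthorized, widening it to `except (exception.UserNotFound, exception.DomainNotFound) as e:` would keep the two paths consistent. The `try` block begins and its handler continues outside the hunk.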
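Review bot: In the identity/core.py hunk at -279 the result of `self.assignment_api.get_domain(domain_id)` is discarded, so the call is presumably there only to raise `DomainNotFound` for an unknown domain before falling back to `self.driver`. That intent is not obvious from the line and a later cleanup could remove it as dead code; a comment such as `# Validate that the domain exists (raises DomainNotFound); the ref is not needed.` would document it. The enclosing method begins outside the hunk.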
@@ -453,25 +454,161 @@ class Manager(manager.Manager):
 domain_id, driver = self._get_domain_id_and_driver(domain_scope)
 return driver.check_user_in_group(user_id, group_id)
- # TODO(henry-nash, ayoung) The following cross calls to the assignment
- # API should be removed, with the controller and tests making the correct
- # calls direct to assignment.
-
- # NOTE(tellesmvn):The following 4 methods where not removed since ayoung
- # told me not to because someone else is working on a new feature involving
- # these methods where the idea is to identify in which domain the user is
+ # TODO(morganfainberg): Remove the following deprecated methods once
+ # Icehouse is released. Maintain identity -> assignment proxy for 1
+ # release.
+ @utils.deprecated('I', in_favor_of='assignment_api.get_domain_by_name',
+ remove_in=1, what='identity_api.get_domain_by_name')
 def get_domain_by_name(self, domain_name):
 return self.assignment_api.get_domain_by_name(domain_name)
+ @utils.deprecated('I', in_favor_of='assignment_api.get_domain',
+ remove_in=1, what='identity_api.get_domain')
 def get_domain(self, domain_id):
 return self.assignment_api.get_domain(domain_id)
+ @utils.deprecated('I', in_favor_of='assignment_api.update_domain',
+ remove_in=1, what='identity_api.update_domain')
 def update_domain(self, domain_id, domain):
 return self.assignment_api.update_domain(domain_id, domain)
+ @utils.deprecated('I', in_favor_of='assignment_api.list_domains',
+ remove_in=1, what='identity_api.list_domains')
 def list_domains(self):
 return self.assignment_api.list_domains()
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_domain',
+ remove_in=1, what='identity_api.delete_domain')
+ def delete_domain(self, domain_id):
+ return self.assignment_api.delete_domain(domain_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_domain',
+ remove_in=1, what='identity_api.create_domain')
+ def create_domain(self, domain_id, domain):
+ return self.assignment_api.create_domain(domain_id, domain)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
+ remove_in=1, what='identity_api.list_projects_for_user')
+ def list_projects_for_user(self, user_id):
+ return self.assignment_api.list_projects_for_user(user_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.add_user_to_project',
+ remove_in=1, what='identity_api.add_user_to_project')
+ def add_user_to_project(self, tenant_id, user_id):
+ return self.assignment_api.add_user_to_project(tenant_id, user_id)
+
+ @utils.deprecated('I',
+ in_favor_of='assignment_api.remove_user_from_project',
+ remove_in=1,
+ what='identity_api.remove_user_from_project')
+ def remove_user_from_project(self, tenant_id, user_id):
+ return self.assignment_api.remove_user_from_project(tenant_id, user_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_project',
+ remove_in=1, what='identity_api.get_project')
+ def get_project(self, tenant_id):
+ return self.assignment_api.get_project(tenant_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects',
+ remove_in=1, what='identity_api.list_projects')
+ def list_projects(self, domain_id=None):
+ return self.assignment_api.list_projects(domain_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_role',
+ remove_in=1, what='identity_api.get_role')
+ def get_role(self, role_id):
+ return self.assignment_api.get_role(role_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_roles',
+ remove_in=1, what='identity_api.list_roles')
+ def list_roles(self):
+ return self.assignment_api.list_roles()
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_project_users',
+ remove_in=1, what='identity_api.get_project_users')
+ def get_project_users(self, tenant_id):
+ return self.assignment_api.get_project_users(tenant_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
+ remove_in=1, what='identity_api.list_projects_for_user')
+ def get_roles_for_user_and_project(self, user_id, tenant_id):
+ return self.assignment_api.get_roles_for_user_and_project(
+ user_id, tenant_id)
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.get_roles_for_user_and_domain',
+ remove_in=1, what='identity_api.get_roles_for_user_and_domain')
+ def get_roles_for_user_and_domain(self, user_id, domain_id):
+ return (self.assignment_api.get_roles_for_user_and_domain
+ (user_id, domain_id))
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.add_role_to_user_and_project',
+ remove_in=1, what='identity_api.add_role_to_user_and_project')
+ def add_role_to_user_and_project(self, user_id,
+ tenant_id, role_id):
+ return (self.assignment_api.add_role_to_user_and_project
+ (user_id, tenant_id, role_id))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_role',
+ remove_in=1, what='identity_api.create_role')
+ def create_role(self, role_id, role):
+ return self.assignment_api.create_role(role_id, role)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_role',
+ remove_in=1, what='identity_api.delete_role')
+ def delete_role(self, role_id):
+ return self.assignment_api.delete_role(role_id)
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.remove_role_from_user_and_project',
+ remove_in=1, what='identity_api.remove_role_from_user_and_project')
+ def remove_role_from_user_and_project(self, user_id,
+ tenant_id, role_id):
+ return (self.assignment_api.remove_role_from_user_and_project
+ (user_id, tenant_id, role_id))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.update_role',
+ remove_in=1, what='identity_api.update_role')
+ def update_role(self, role_id, role):
+ return self.assignment_api.update_role(role_id, role)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_grant',
+ remove_in=1, what='identity_api.create_grant')
+ def create_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.create_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_grants',
+ remove_in=1, what='identity_api.list_grants')
+ def list_grants(self, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.list_grants
+ (user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_grant',
+ remove_in=1, what='identity_api.get_grant')
+ def get_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.get_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_grant',
+ remove_in=1, what='identity_api.delete_grant')
+ def delete_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.delete_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
 @six.add_metaclass(abc.ABCMeta)
 class Driver(object):
diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index 898048550..75b6288fc 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
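Review bot: The decorator on `get_roles_for_user_and_project` in the identity/core.py proxy block names the wrong method: both `in_favor_of` and `what` say `list_projects_for_user`, apparently copied from the proxy a few methods above. The deprecation warning would therefore point callers of a role lookup at a project-listing call; the arguments should read `in_favor_of='assignment_api.get_roles_for_user_and_project'` and `what='identity_api.get_roles_for_user_and_project'`. The test hunks in this commit switch their calls to assignment_api, so nothing visible here exercises the proxies or their warning text, which is how a mismatch like this can go unnoticed.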
@@ -2418,17 +2418,17 @@ class IdentityTests(object):
 domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'enabled': True}
 self.assignment_api.create_domain(domain['id'], domain)
- domain_ref = self.identity_api.get_domain(domain['id'])
+ domain_ref = self.assignment_api.get_domain(domain['id'])
 self.assertDictEqual(domain_ref, domain)
 domain['name'] = uuid.uuid4().hex
 self.assignment_api.update_domain(domain['id'], domain)
- domain_ref = self.identity_api.get_domain(domain['id'])
+ domain_ref = self.assignment_api.get_domain(domain['id'])
 self.assertDictEqual(domain_ref, domain)
 self.assignment_api.delete_domain(domain['id'])
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 def test_create_domain_case_sensitivity(self):
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index 19ac85d30..dcdc148e1 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
@@ -40,7 +40,7 @@ CONF = config.CONF
 class BaseLDAPIdentity(test_backend.IdentityTests):
 def _get_domain_fixture(self):
 """Domains in LDAP are read-only, so just return the static one."""
- return self.identity_api.get_domain(CONF.identity.default_domain_id)
+ return self.assignment_api.get_domain(CONF.identity.default_domain_id)
 def clear_database(self):
 for shelf in fakeldap.FakeShelves:
@@ -267,7 +267,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
 self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id")
 def test_list_domains(self):
- domains = self.identity_api.list_domains()
+ domains = self.assignment_api.list_domains()
 self.assertEqual( domains, [assignment.DEFAULT_DOMAIN])
@@ -729,7 +729,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 CONF.identity.default_domain_id, domain)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 domain['description'] = uuid.uuid4().hex
@@ -742,7 +742,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 CONF.identity.default_domain_id, domain)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 self.assertRaises(exception.DomainNotFound, self.assignment_api.delete_domain,
@@ -751,7 +751,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 self.assignment_api.delete_domain, CONF.identity.default_domain_id)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 def test_create_domain_case_sensitivity(self):
@@ -1004,7 +1004,7 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
 pass
 def test_list_domains(self):
- domains = self.identity_api.list_domains()
+ domains = self.assignment_api.list_domains()
 self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
 def test_project_filter(self):
diff --git a/keystone/tests/test_v3_identity.py b/keystone/tests/test_v3_identity.py
index a686583b3..551a96489 100644
--- a/keystone/tests/test_v3_identity.py
+++ b/keystone/tests/test_v3_identity.py
@@ -287,7 +287,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
 # Check all the domain2 relevant entities are gone
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 self.domain2['id'])
 self.assertRaises(exception.ProjectNotFound, self.assignment_api.get_project,
@@ -303,7 +303,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
 self.credential2['id'])
 # ...and that all self.domain entities are still here
- r = self.identity_api.get_domain(self.domain['id'])
+ r = self.assignment_api.get_domain(self.domain['id'])
 self.assertDictEqual(r, self.domain)
 r = self.assignment_api.get_project(self.project['id'])
 self.assertDictEqual(r, self.project)
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index cff71a87f..710a2318a 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -351,7 +351,7 @@ class Auth(controller.V2Controller):
 domain_name = auth.get('domainName', None)
 if domain_name:
 try:
- domain_ref = self.identity_api._get_domain_by_name(
+ domain_ref = self.assignment_api.get_domain_by_name(
 domain_name)
 domain_id = domain_ref['id']
 except exception.DomainNotFound as e:
diff --git a/keystone/token/core.py b/keystone/token/core.py
index 8d83c526a..9518ab26a 100644
--- a/keystone/token/core.py
+++ b/keystone/token/core.py
@@ -70,7 +70,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
 raise exception.Unauthorized(msg)
 # If the user's domain is disabled don't allow them to authenticate
- user_domain_ref = self.identity_api.get_domain(
+ user_domain_ref = self.assignment_api.get_domain(
 user_ref['domain_id'])
 if user_domain_ref and not user_domain_ref.get('enabled', True):
 msg = 'Domain is disabled: %s' % user_domain_ref['id']
@@ -85,7 +85,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
 raise exception.Unauthorized(msg)
 # If the project's domain is disabled don't allow them to authenticate
- project_domain_ref = self.identity_api.get_domain(
+ project_domain_ref = self.assignment_api.get_domain(
 tenant_ref['domain_id'])
 if (project_domain_ref and not project_domain_ref.get('enabled', True)):
diff --git a/keystone/token/providers/uuid.py b/keystone/token/providers/uuid.py
index 5ddc0498b..90e5a3864 100644
--- a/keystone/token/providers/uuid.py
+++ b/keystone/token/providers/uuid.py
@@ -140,7 +140,7 @@ class V3TokenDataHelper(object):
 self.trust_api = trust.Manager()
 def _get_filtered_domain(self, domain_id):
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 return {'id': domain_ref['id'], 'name': domain_ref['name']}
 def _get_filtered_project(self, project_id):