Proxy Assignment from Identity Deprecated
The identity_api served as a proxy for calling the assignment_api and a majority of this proxy mechanism was removed. This is the second pass on the proxy cleanup fixing up the lingering domain calls from the identity core api. All proxy calls removed in the Icehouse development cycle (so far) have been re-added and now have the @deprecated mechanism used to indicate the support will be removed once development for J release has been opened as discussed at the Icehouse design summit. See https://etherpad.openstack.org/p/icehouse-keystone-internal-apis for information on why these were added back in. closes-bug: #1220913 Change-Id: If28b6d9189fa5879c8dbe131174b8cb8f84d9668
parent
e5416c493f
commit
0116044118
@ -94,9 +94,10 @@ class AuthInfo(object):
|
||||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.identity_api.get_domain_by_name(domain_name)
|
||||
domain_ref = self.assignment_api.get_domain_by_name(
|
||||
domain_name)
|
||||
else:
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -87,7 +87,7 @@ class Domain(Base):
|
||||
username = names.pop(0)
|
||||
if names:
|
||||
domain_name = names[0]
|
||||
domain_ref = (auth_info.identity_api.
|
||||
domain_ref = (auth_info.assignment_api.
|
||||
get_domain_by_name(domain_name))
|
||||
domain_id = domain_ref['id']
|
||||
else:
|
||||
|
@ -24,7 +24,7 @@ METHOD_NAME = 'password'
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
@dependency.requires('identity_api')
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
class UserAuthInfo(object):
|
||||
@staticmethod
|
||||
def create(auth_payload):
|
||||
@ -58,9 +58,10 @@ class UserAuthInfo(object):
|
||||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.identity_api.get_domain_by_name(domain_name)
|
||||
domain_ref = self.assignment_api.get_domain_by_name(
|
||||
domain_name)
|
||||
else:
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
@ -89,7 +90,7 @@ class UserAuthInfo(object):
|
||||
user_name, domain_ref['id'])
|
||||
else:
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
domain_ref = self.identity_api.get_domain(
|
||||
domain_ref = self.assignment_api.get_domain(
|
||||
user_ref['domain_id'])
|
||||
self._assert_domain_is_enabled(domain_ref)
|
||||
except exception.UserNotFound as e:
|
||||
|
@ -605,16 +605,6 @@ class DomainV3(controller.V3Controller):
|
||||
self._delete_domain_contents(context, domain_id)
|
||||
return self.assignment_api.delete_domain(domain_id)
|
||||
|
||||
def _get_domain_by_name(self, context, domain_name):
|
||||
"""Get the domain via its unique name.
|
||||
|
||||
For use by token authentication - not for hooking to the identity
|
||||
router as a public api.
|
||||
|
||||
"""
|
||||
ref = self.assignment_api.get_domain_by_name(domain_name)
|
||||
return {'domain': ref}
|
||||
|
||||
|
||||
class ProjectV3(controller.V3Controller):
|
||||
collection_name = 'projects'
|
||||
|
@ -27,6 +27,7 @@ from keystone import clean
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone.common import manager
|
||||
from keystone.common import utils
|
||||
from keystone import config
|
||||
from keystone import exception
|
||||
from keystone import notifications
|
||||
@ -279,7 +280,7 @@ class Manager(manager.Manager):
|
||||
if driver:
|
||||
return driver
|
||||
else:
|
||||
self.get_domain(domain_id)
|
||||
self.assignment_api.get_domain(domain_id)
|
||||
return self.driver
|
||||
|
||||
def _get_domain_conf(self, domain_id):
|
||||
@ -453,25 +454,161 @@ class Manager(manager.Manager):
|
||||
domain_id, driver = self._get_domain_id_and_driver(domain_scope)
|
||||
return driver.check_user_in_group(user_id, group_id)
|
||||
|
||||
# TODO(henry-nash, ayoung) The following cross calls to the assignment
|
||||
# API should be removed, with the controller and tests making the correct
|
||||
# calls direct to assignment.
|
||||
|
||||
# NOTE(tellesmvn):The following 4 methods where not removed since ayoung
|
||||
# told me not to because someone else is working on a new feature involving
|
||||
# these methods where the idea is to identify in which domain the user is
|
||||
# TODO(morganfainberg): Remove the following deprecated methods once
|
||||
# Icehouse is released. Maintain identity -> assignment proxy for 1
|
||||
# release.
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_domain_by_name',
|
||||
remove_in=1, what='identity_api.get_domain_by_name')
|
||||
def get_domain_by_name(self, domain_name):
|
||||
return self.assignment_api.get_domain_by_name(domain_name)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_domain',
|
||||
remove_in=1, what='identity_api.get_domain')
|
||||
def get_domain(self, domain_id):
|
||||
return self.assignment_api.get_domain(domain_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.update_domain',
|
||||
remove_in=1, what='identity_api.update_domain')
|
||||
def update_domain(self, domain_id, domain):
|
||||
return self.assignment_api.update_domain(domain_id, domain)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_domains',
|
||||
remove_in=1, what='identity_api.list_domains')
|
||||
def list_domains(self):
|
||||
return self.assignment_api.list_domains()
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.delete_domain',
|
||||
remove_in=1, what='identity_api.delete_domain')
|
||||
def delete_domain(self, domain_id):
|
||||
return self.assignment_api.delete_domain(domain_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.create_domain',
|
||||
remove_in=1, what='identity_api.create_domain')
|
||||
def create_domain(self, domain_id, domain):
|
||||
return self.assignment_api.create_domain(domain_id, domain)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
|
||||
remove_in=1, what='identity_api.list_projects_for_user')
|
||||
def list_projects_for_user(self, user_id):
|
||||
return self.assignment_api.list_projects_for_user(user_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.add_user_to_project',
|
||||
remove_in=1, what='identity_api.add_user_to_project')
|
||||
def add_user_to_project(self, tenant_id, user_id):
|
||||
return self.assignment_api.add_user_to_project(tenant_id, user_id)
|
||||
|
||||
@utils.deprecated('I',
|
||||
in_favor_of='assignment_api.remove_user_from_project',
|
||||
remove_in=1,
|
||||
what='identity_api.remove_user_from_project')
|
||||
def remove_user_from_project(self, tenant_id, user_id):
|
||||
return self.assignment_api.remove_user_from_project(tenant_id, user_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_project',
|
||||
remove_in=1, what='identity_api.get_project')
|
||||
def get_project(self, tenant_id):
|
||||
return self.assignment_api.get_project(tenant_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_projects',
|
||||
remove_in=1, what='identity_api.list_projects')
|
||||
def list_projects(self, domain_id=None):
|
||||
return self.assignment_api.list_projects(domain_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_role',
|
||||
remove_in=1, what='identity_api.get_role')
|
||||
def get_role(self, role_id):
|
||||
return self.assignment_api.get_role(role_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_roles',
|
||||
remove_in=1, what='identity_api.list_roles')
|
||||
def list_roles(self):
|
||||
return self.assignment_api.list_roles()
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_project_users',
|
||||
remove_in=1, what='identity_api.get_project_users')
|
||||
def get_project_users(self, tenant_id):
|
||||
return self.assignment_api.get_project_users(tenant_id)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
|
||||
remove_in=1, what='identity_api.list_projects_for_user')
|
||||
def get_roles_for_user_and_project(self, user_id, tenant_id):
|
||||
return self.assignment_api.get_roles_for_user_and_project(
|
||||
user_id, tenant_id)
|
||||
|
||||
@utils.deprecated(
|
||||
'I', in_favor_of='assignment_api.get_roles_for_user_and_domain',
|
||||
remove_in=1, what='identity_api.get_roles_for_user_and_domain')
|
||||
def get_roles_for_user_and_domain(self, user_id, domain_id):
|
||||
return (self.assignment_api.get_roles_for_user_and_domain
|
||||
(user_id, domain_id))
|
||||
|
||||
@utils.deprecated(
|
||||
'I', in_favor_of='assignment_api.add_role_to_user_and_project',
|
||||
remove_in=1, what='identity_api.add_role_to_user_and_project')
|
||||
def add_role_to_user_and_project(self, user_id,
|
||||
tenant_id, role_id):
|
||||
return (self.assignment_api.add_role_to_user_and_project
|
||||
(user_id, tenant_id, role_id))
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.create_role',
|
||||
remove_in=1, what='identity_api.create_role')
|
||||
def create_role(self, role_id, role):
|
||||
return self.assignment_api.create_role(role_id, role)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.delete_role',
|
||||
remove_in=1, what='identity_api.delete_role')
|
||||
def delete_role(self, role_id):
|
||||
return self.assignment_api.delete_role(role_id)
|
||||
|
||||
@utils.deprecated(
|
||||
'I', in_favor_of='assignment_api.remove_role_from_user_and_project',
|
||||
remove_in=1, what='identity_api.remove_role_from_user_and_project')
|
||||
def remove_role_from_user_and_project(self, user_id,
|
||||
tenant_id, role_id):
|
||||
return (self.assignment_api.remove_role_from_user_and_project
|
||||
(user_id, tenant_id, role_id))
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.update_role',
|
||||
remove_in=1, what='identity_api.update_role')
|
||||
def update_role(self, role_id, role):
|
||||
return self.assignment_api.update_role(role_id, role)
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.create_grant',
|
||||
remove_in=1, what='identity_api.create_grant')
|
||||
def create_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
return (self.assignment_api.create_grant
|
||||
(role_id, user_id, group_id, domain_id, project_id,
|
||||
inherited_to_projects))
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.list_grants',
|
||||
remove_in=1, what='identity_api.list_grants')
|
||||
def list_grants(self, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
return (self.assignment_api.list_grants
|
||||
(user_id, group_id, domain_id, project_id,
|
||||
inherited_to_projects))
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.get_grant',
|
||||
remove_in=1, what='identity_api.get_grant')
|
||||
def get_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
return (self.assignment_api.get_grant
|
||||
(role_id, user_id, group_id, domain_id, project_id,
|
||||
inherited_to_projects))
|
||||
|
||||
@utils.deprecated('I', in_favor_of='assignment_api.delete_grant',
|
||||
remove_in=1, what='identity_api.delete_grant')
|
||||
def delete_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
return (self.assignment_api.delete_grant
|
||||
(role_id, user_id, group_id, domain_id, project_id,
|
||||
inherited_to_projects))
|
||||
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class Driver(object):
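Review bot: The deprecation decorator on `get_roles_for_user_and_project` names the wrong method: both `in_favor_of` and `what` say `list_projects_for_user`, apparently copied from the proxy of that name earlier in the same hunk. Anyone following the emitted deprecation notice for this call would be pointed at a project-listing API rather than the role lookup they are actually using. The decorator should read `@utils.deprecated('I', in_favor_of='assignment_api.get_roles_for_user_and_project', remove_in=1, what='identity_api.get_roles_for_user_and_project')`. The test hunks visible on this page all switch to `assignment_api`, so nothing shown here exercises the re-added `identity_api` proxies. A small test that checks each proxy delegates to the same-named `assignment_api` method would catch this kind of mismatch.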
|
||||
|
@ -2418,17 +2418,17 @@ class IdentityTests(object):
|
||||
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
'enabled': True}
|
||||
self.assignment_api.create_domain(domain['id'], domain)
|
||||
domain_ref = self.identity_api.get_domain(domain['id'])
|
||||
domain_ref = self.assignment_api.get_domain(domain['id'])
|
||||
self.assertDictEqual(domain_ref, domain)
|
||||
|
||||
domain['name'] = uuid.uuid4().hex
|
||||
self.assignment_api.update_domain(domain['id'], domain)
|
||||
domain_ref = self.identity_api.get_domain(domain['id'])
|
||||
domain_ref = self.assignment_api.get_domain(domain['id'])
|
||||
self.assertDictEqual(domain_ref, domain)
|
||||
|
||||
self.assignment_api.delete_domain(domain['id'])
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.identity_api.get_domain,
|
||||
self.assignment_api.get_domain,
|
||||
domain['id'])
|
||||
|
||||
def test_create_domain_case_sensitivity(self):
|
||||
|
@ -40,7 +40,7 @@ CONF = config.CONF
|
||||
class BaseLDAPIdentity(test_backend.IdentityTests):
|
||||
def _get_domain_fixture(self):
|
||||
"""Domains in LDAP are read-only, so just return the static one."""
|
||||
return self.identity_api.get_domain(CONF.identity.default_domain_id)
|
||||
return self.assignment_api.get_domain(CONF.identity.default_domain_id)
|
||||
|
||||
def clear_database(self):
|
||||
for shelf in fakeldap.FakeShelves:
|
||||
@ -267,7 +267,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
||||
self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id")
|
||||
|
||||
def test_list_domains(self):
|
||||
domains = self.identity_api.list_domains()
|
||||
domains = self.assignment_api.list_domains()
|
||||
self.assertEqual(
|
||||
domains,
|
||||
[assignment.DEFAULT_DOMAIN])
|
||||
@ -729,7 +729,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||
CONF.identity.default_domain_id,
|
||||
domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.identity_api.get_domain,
|
||||
self.assignment_api.get_domain,
|
||||
domain['id'])
|
||||
|
||||
domain['description'] = uuid.uuid4().hex
|
||||
@ -742,7 +742,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||
CONF.identity.default_domain_id,
|
||||
domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.identity_api.get_domain,
|
||||
self.assignment_api.get_domain,
|
||||
domain['id'])
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.assignment_api.delete_domain,
|
||||
@ -751,7 +751,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
|
||||
self.assignment_api.delete_domain,
|
||||
CONF.identity.default_domain_id)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.identity_api.get_domain,
|
||||
self.assignment_api.get_domain,
|
||||
domain['id'])
|
||||
|
||||
def test_create_domain_case_sensitivity(self):
|
||||
@ -1004,7 +1004,7 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
|
||||
pass
|
||||
|
||||
def test_list_domains(self):
|
||||
domains = self.identity_api.list_domains()
|
||||
domains = self.assignment_api.list_domains()
|
||||
self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
|
||||
|
||||
def test_project_filter(self):
|
||||
|
@ -287,7 +287,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
|
||||
# Check all the domain2 relevant entities are gone
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.identity_api.get_domain,
|
||||
self.assignment_api.get_domain,
|
||||
self.domain2['id'])
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.assignment_api.get_project,
|
||||
@ -303,7 +303,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
self.credential2['id'])
|
||||
|
||||
# ...and that all self.domain entities are still here
|
||||
r = self.identity_api.get_domain(self.domain['id'])
|
||||
r = self.assignment_api.get_domain(self.domain['id'])
|
||||
self.assertDictEqual(r, self.domain)
|
||||
r = self.assignment_api.get_project(self.project['id'])
|
||||
self.assertDictEqual(r, self.project)
|
||||
|
@ -351,7 +351,7 @@ class Auth(controller.V2Controller):
|
||||
domain_name = auth.get('domainName', None)
|
||||
if domain_name:
|
||||
try:
|
||||
domain_ref = self.identity_api._get_domain_by_name(
|
||||
domain_ref = self.assignment_api.get_domain_by_name(
|
||||
domain_name)
|
||||
domain_id = domain_ref['id']
|
||||
except exception.DomainNotFound as e:
|
||||
|
@ -70,7 +70,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
||||
raise exception.Unauthorized(msg)
|
||||
|
||||
# If the user's domain is disabled don't allow them to authenticate
|
||||
user_domain_ref = self.identity_api.get_domain(
|
||||
user_domain_ref = self.assignment_api.get_domain(
|
||||
user_ref['domain_id'])
|
||||
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
||||
msg = 'Domain is disabled: %s' % user_domain_ref['id']
|
||||
@ -85,7 +85,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
||||
raise exception.Unauthorized(msg)
|
||||
|
||||
# If the project's domain is disabled don't allow them to authenticate
|
||||
project_domain_ref = self.identity_api.get_domain(
|
||||
project_domain_ref = self.assignment_api.get_domain(
|
||||
tenant_ref['domain_id'])
|
||||
if (project_domain_ref and
|
||||
not project_domain_ref.get('enabled', True)):
|
||||
|
@ -140,7 +140,7 @@ class V3TokenDataHelper(object):
|
||||
self.trust_api = trust.Manager()
|
||||
|
||||
def _get_filtered_domain(self, domain_id):
|
||||
domain_ref = self.identity_api.get_domain(domain_id)
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
||||
|
||||
def _get_filtered_project(self, project_id):
|
||||
|