deprecate LDAP config options for 'tenants'

This deprecates all config options using the term 'tenant' in favor of
new options using the term 'project'.

Change-Id: I7eb6819de33f4d94a8bae75286bb02436152c64b
Closes-Bug: 1283841

doc/source/configuration.rst

@@ -1332,8 +1332,8 @@ The corresponding entries in the Keystone configuration file are::
   user_tree_dn = ou=Users,dc=openstack,dc=org
   user_objectclass = inetOrgPerson
 
-  tenant_tree_dn = ou=Projects,dc=openstack,dc=org
+  project_tree_dn = ou=Projects,dc=openstack,dc=org
-  tenant_objectclass = groupOfNames
+  project_objectclass = groupOfNames
 
   role_tree_dn = ou=Roles,dc=openstack,dc=org
   role_objectclass = organizationalRole
@@ -1362,9 +1362,9 @@ is::
   user_allow_update = False
   user_allow_delete = False
 
-  tenant_allow_create = True
+  project_allow_create = True
-  tenant_allow_update = True
+  project_allow_update = True
-  tenant_allow_delete = True
+  project_allow_delete = True
 
   role_allow_create = True
   role_allow_update = True
@@ -1376,7 +1376,7 @@ will look like::
 
   [ldap]
   user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
-  tenant_filter =
+  project_filter =
   role_filter =
 
 In case that the directory server does not have an attribute enabled of type
@@ -1404,36 +1404,36 @@ In case of Active Directory the classes and attributes could not match the
 specified classes in the LDAP module so you can configure them like::
 
   [ldap]
-  user_objectclass         = person
+  user_objectclass          = person
-  user_id_attribute        = cn
+  user_id_attribute         = cn
-  user_name_attribute      = cn
+  user_name_attribute       = cn
-  user_mail_attribute      = mail
+  user_mail_attribute       = mail
-  user_enabled_attribute   = userAccountControl
+  user_enabled_attribute    = userAccountControl
-  user_enabled_mask        = 2
+  user_enabled_mask         = 2
-  user_enabled_default     = 512
+  user_enabled_default      = 512
-  user_attribute_ignore    = tenant_id,tenants
+  user_attribute_ignore     = tenant_id,tenants
-  tenant_objectclass       = groupOfNames
+  project_objectclass       = groupOfNames
-  tenant_id_attribute      = cn
+  project_id_attribute      = cn
-  tenant_member_attribute  = member
+  project_member_attribute  = member
-  tenant_name_attribute    = ou
+  project_name_attribute    = ou
-  tenant_desc_attribute    = description
+  project_desc_attribute    = description
-  tenant_enabled_attribute = extensionName
+  project_enabled_attribute = extensionName
-  tenant_attribute_ignore  =
+  project_attribute_ignore  =
-  role_objectclass         = organizationalRole
+  role_objectclass          = organizationalRole
-  role_id_attribute        = cn
+  role_id_attribute         = cn
-  role_name_attribute      = ou
+  role_name_attribute       = ou
-  role_member_attribute    = roleOccupant
+  role_member_attribute     = roleOccupant
-  role_attribute_ignore    =
+  role_attribute_ignore     =
 
 
 Enabled Emulation
 -----------------
 
 Some directory servers do not provide any enabled attribute. For these
-servers, the ``user_enabled_emulation`` and ``tenant_enabled_emulation``
+servers, the ``user_enabled_emulation`` and ``project_enabled_emulation``
 attributes have been created. They are enabled by setting their respective
 flags to True. Then the attributes ``user_enabled_emulation_dn`` and
-``tenant_enabled_emulation_dn`` may be set to specify how the enabled users
+``project_enabled_emulation_dn`` may be set to specify how the enabled users
 and projects (tenants) are selected.  These attributes work by using a
 ``groupOfNames`` and adding whichever users or projects (tenants) that
 you want enabled to the respective group. For example, this will
@@ -1444,7 +1444,7 @@ mark any user who is a member of ``enabled_users`` as enabled::
   user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org
 
 The default values for user and project (tenant) enabled emulation DN is
-``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$tenant_tree_dn``
+``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn``
 respectively.
 
 Secure Connection

etc/keystone.conf.sample

@@ -948,60 +948,60 @@
 #user_additional_attribute_mapping=
 
 # Search base for projects (string value)
-#tenant_tree_dn=<None>
+#project_tree_dn=<None>
 
 # LDAP search filter for projects. (string value)
-#tenant_filter=<None>
+#project_filter=<None>
 
 # LDAP objectclass for projects. (string value)
-#tenant_objectclass=groupOfNames
+#project_objectclass=groupOfNames
 
 # LDAP attribute mapped to project id. (string value)
-#tenant_id_attribute=cn
+#project_id_attribute=cn
 
 # LDAP attribute mapped to project membership for user.
 # (string value)
-#tenant_member_attribute=member
+#project_member_attribute=member
 
 # LDAP attribute mapped to project name. (string value)
-#tenant_name_attribute=ou
+#project_name_attribute=ou
 
 # LDAP attribute mapped to project description. (string value)
-#tenant_desc_attribute=description
+#project_desc_attribute=description
 
 # LDAP attribute mapped to project enabled. (string value)
-#tenant_enabled_attribute=enabled
+#project_enabled_attribute=enabled
 
 # LDAP attribute mapped to project domain_id. (string value)
-#tenant_domain_id_attribute=businessCategory
+#project_domain_id_attribute=businessCategory
 
 # List of attributes stripped off the project on update. (list
 # value)
-#tenant_attribute_ignore=
+#project_attribute_ignore=
 
 # Allow project creation in LDAP backend. (boolean value)
-#tenant_allow_create=true
+#project_allow_create=true
 
 # Allow project update in LDAP backend. (boolean value)
-#tenant_allow_update=true
+#project_allow_update=true
 
 # Allow project deletion in LDAP backend. (boolean value)
-#tenant_allow_delete=true
+#project_allow_delete=true
 
 # If true, Keystone uses an alternative method to determine if
 # a project is enabled or not by checking if they are a member
-# of the "tenant_enabled_emulation_dn" group. (boolean value)
+# of the "project_enabled_emulation_dn" group. (boolean value)
-#tenant_enabled_emulation=false
+#project_enabled_emulation=false
 
 # DN of the group entry to hold enabled projects when using
 # enabled emulation. (string value)
-#tenant_enabled_emulation_dn=<None>
+#project_enabled_emulation_dn=<None>
 
 # Additional attribute mappings for projects. Attribute
 # mapping format is <ldap_attr>:<user_attr>, where ldap_attr
 # is the attribute in the LDAP entry and user_attr is the
 # Identity API attribute. (list value)
-#tenant_additional_attribute_mapping=
+#project_additional_attribute_mapping=
 
 # Search base for roles. (string value)
 #role_tree_dn=<None>

keystone/assignment/backends/ldap.py

@@ -409,7 +409,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
     DEFAULT_MEMBER_ATTRIBUTE = 'member'
     NotFound = exception.ProjectNotFound
     notfound_arg = 'project_id'  # NOTE(yorik-sar): while options_name = tenant
-    options_name = 'tenant'
+    options_name = 'project'
     attribute_options_names = {'name': 'name',
                                'description': 'desc',
                                'enabled': 'enabled',
@@ -419,7 +419,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
 
     def __init__(self, conf):
         super(ProjectApi, self).__init__(conf)
-        self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
+        self.member_attribute = (getattr(conf.ldap, 'project_member_attribute')
                                  or self.DEFAULT_MEMBER_ATTRIBUTE)
 
     def create(self, values):

keystone/common/config.py

@@ -527,44 +527,76 @@ FILE_OPTIONS = {
                          'ldap_attr is the attribute in the LDAP entry and '
                          'user_attr is the Identity API attribute.'),
 
-        cfg.StrOpt('tenant_tree_dn', default=None,
+        cfg.StrOpt('project_tree_dn', default=None,
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_tree_dn', group='ldap')],
                    help='Search base for projects'),
-        cfg.StrOpt('tenant_filter', default=None,
+        cfg.StrOpt('project_filter', default=None,
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_filter', group='ldap')],
                    help='LDAP search filter for projects.'),
-        cfg.StrOpt('tenant_objectclass', default='groupOfNames',
+        cfg.StrOpt('project_objectclass', default='groupOfNames',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_objectclass', group='ldap')],
                    help='LDAP objectclass for projects.'),
-        cfg.StrOpt('tenant_id_attribute', default='cn',
+        cfg.StrOpt('project_id_attribute', default='cn',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_id_attribute', group='ldap')],
                    help='LDAP attribute mapped to project id.'),
-        cfg.StrOpt('tenant_member_attribute', default='member',
+        cfg.StrOpt('project_member_attribute', default='member',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_member_attribute', group='ldap')],
                    help='LDAP attribute mapped to project membership for '
                         'user.'),
-        cfg.StrOpt('tenant_name_attribute', default='ou',
+        cfg.StrOpt('project_name_attribute', default='ou',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_name_attribute', group='ldap')],
                    help='LDAP attribute mapped to project name.'),
-        cfg.StrOpt('tenant_desc_attribute', default='description',
+        cfg.StrOpt('project_desc_attribute', default='description',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_desc_attribute', group='ldap')],
                    help='LDAP attribute mapped to project description.'),
-        cfg.StrOpt('tenant_enabled_attribute', default='enabled',
+        cfg.StrOpt('project_enabled_attribute', default='enabled',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_enabled_attribute', group='ldap')],
                    help='LDAP attribute mapped to project enabled.'),
-        cfg.StrOpt('tenant_domain_id_attribute',
+        cfg.StrOpt('project_domain_id_attribute',
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_domain_id_attribute', group='ldap')],
                    default='businessCategory',
                    help='LDAP attribute mapped to project domain_id.'),
-        cfg.ListOpt('tenant_attribute_ignore', default=[],
+        cfg.ListOpt('project_attribute_ignore', default=[],
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_attribute_ignore', group='ldap')],
                     help='List of attributes stripped off the project on '
                          'update.'),
-        cfg.BoolOpt('tenant_allow_create', default=True,
+        cfg.BoolOpt('project_allow_create', default=True,
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_allow_create', group='ldap')],
                     help='Allow project creation in LDAP backend.'),
-        cfg.BoolOpt('tenant_allow_update', default=True,
+        cfg.BoolOpt('project_allow_update', default=True,
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_allow_update', group='ldap')],
                     help='Allow project update in LDAP backend.'),
-        cfg.BoolOpt('tenant_allow_delete', default=True,
+        cfg.BoolOpt('project_allow_delete', default=True,
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_allow_delete', group='ldap')],
                     help='Allow project deletion in LDAP backend.'),
-        cfg.BoolOpt('tenant_enabled_emulation', default=False,
+        cfg.BoolOpt('project_enabled_emulation', default=False,
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_enabled_emulation', group='ldap')],
                     help='If true, Keystone uses an alternative method to '
                          'determine if a project is enabled or not by '
                          'checking if they are a member of the '
-                         '"tenant_enabled_emulation_dn" group.'),
+                         '"project_enabled_emulation_dn" group.'),
-        cfg.StrOpt('tenant_enabled_emulation_dn', default=None,
+        cfg.StrOpt('project_enabled_emulation_dn', default=None,
+                   deprecated_opts=[cfg.DeprecatedOpt(
+                       'tenant_enabled_emulation_dn', group='ldap')],
                    help='DN of the group entry to hold enabled projects when '
                         'using enabled emulation.'),
-        cfg.ListOpt('tenant_additional_attribute_mapping',
+        cfg.ListOpt('project_additional_attribute_mapping',
+                    deprecated_opts=[cfg.DeprecatedOpt(
+                        'tenant_additional_attribute_mapping', group='ldap')],
                     default=[],
                     help='Additional attribute mappings for projects. '
                          'Attribute mapping format is '

keystone/tests/config_files/backend_liveldap.conf

@@ -5,9 +5,9 @@ password = test
 suffix = dc=openstack,dc=org
 group_tree_dn = ou=UserGroups,dc=openstack,dc=org
 role_tree_dn = ou=Roles,dc=openstack,dc=org
-tenant_tree_dn = ou=Projects,dc=openstack,dc=org
+project_tree_dn = ou=Projects,dc=openstack,dc=org
 user_tree_dn = ou=Users,dc=openstack,dc=org
-tenant_enabled_emulation = True
+project_enabled_emulation = True
 user_enabled_emulation = True
 user_mail_attribute = mail
 use_dumb_member = True

keystone/tests/config_files/backend_tls_liveldap.conf

@@ -5,9 +5,9 @@ password = test
 suffix = dc=openstack,dc=org
 group_tree_dn = ou=UserGroups,dc=openstack,dc=org
 role_tree_dn = ou=Roles,dc=openstack,dc=org
-tenant_tree_dn = ou=Projects,dc=openstack,dc=org
+project_tree_dn = ou=Projects,dc=openstack,dc=org
 user_tree_dn = ou=Users,dc=openstack,dc=org
-tenant_enabled_emulation = True
+project_enabled_emulation = True
 user_enabled_emulation = True
 user_mail_attribute = mail
 use_dumb_member = True

keystone/tests/test_backend_ldap.py

@@ -800,8 +800,8 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
 
     def test_configurable_forbidden_project_actions(self):
         self.config_fixture.config(
-            group='ldap', tenant_allow_create=False, tenant_allow_update=False,
+            group='ldap', project_allow_create=False,
-            tenant_allow_delete=False)
+            project_allow_update=False, project_allow_delete=False)
         self.load_backends()
 
         tenant = {'id': u'fäké1', 'name': u'fäké1'}
@@ -860,9 +860,9 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
         self.assertDictEqual(tenant_ref, self.tenant_bar)
 
         self.config_fixture.config(group='ldap',
-                                   tenant_filter='(CN=DOES_NOT_MATCH)')
+                                   project_filter='(CN=DOES_NOT_MATCH)')
         self.load_backends()
-        # NOTE(morganfainberg): CONF.ldap.tenant_filter  will not be
+        # NOTE(morganfainberg): CONF.ldap.project_filter  will not be
         # dynamically changed at runtime. This invalidate is a work-around for
         # the expectation that it is safe to change config values in tests that
         # could affect what the drivers would return up to the manager.  This
@@ -908,15 +908,15 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
 
     def test_project_attribute_mapping(self):
         self.config_fixture.config(
-            group='ldap', tenant_name_attribute='ou',
+            group='ldap', project_name_attribute='ou',
-            tenant_desc_attribute='description',
+            project_desc_attribute='description',
-            tenant_enabled_attribute='enabled')
+            project_enabled_attribute='enabled')
         self.clear_database()
         self.load_backends()
         self.load_fixtures(default_fixtures)
-        # NOTE(morganfainberg): CONF.ldap.tenant_name_attribute,
+        # NOTE(morganfainberg): CONF.ldap.project_name_attribute,
-        # CONF.ldap.tenant_desc_attribute, and
+        # CONF.ldap.project_desc_attribute, and
-        # CONF.ldap.tenant_enabled_attribute will not be
+        # CONF.ldap.project_enabled_attribute will not be
         # dynamically changed at runtime. This invalidate is a work-around for
         # the expectation that it is safe to change config values in tests that
         # could affect what the drivers would return up to the manager.  This
@@ -933,12 +933,12 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
         self.assertEqual(self.tenant_baz['enabled'], tenant_ref['enabled'])
 
         self.config_fixture.config(group='ldap',
-                                   tenant_name_attribute='description',
+                                   project_name_attribute='description',
-                                   tenant_desc_attribute='ou')
+                                   project_desc_attribute='ou')
         self.load_backends()
-        # NOTE(morganfainberg): CONF.ldap.tenant_name_attribute,
+        # NOTE(morganfainberg): CONF.ldap.project_name_attribute,
-        # CONF.ldap.tenant_desc_attribute, and
+        # CONF.ldap.project_desc_attribute, and
-        # CONF.ldap.tenant_enabled_attribute will not be
+        # CONF.ldap.project_enabled_attribute will not be
         # dynamically changed at runtime. This invalidate is a work-around for
         # the expectation that it is safe to change config values in tests that
         # could affect what the drivers would return up to the manager.  This
@@ -955,11 +955,11 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
     def test_project_attribute_ignore(self):
         self.config_fixture.config(
             group='ldap',
-            tenant_attribute_ignore=['name', 'description', 'enabled'])
+            project_attribute_ignore=['name', 'description', 'enabled'])
         self.clear_database()
         self.load_backends()
         self.load_fixtures(default_fixtures)
-        # NOTE(morganfainberg): CONF.ldap.tenant_attribute_ignore will not be
+        # NOTE(morganfainberg): CONF.ldap.project_attribute_ignore will not be
         # dynamically changed at runtime. This invalidate is a work-around for
         # the expectation that it is safe to change configs values in tests
         # that could affect what the drivers would return up to the manager.
@@ -1551,7 +1551,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
         super(LDAPIdentityEnabledEmulation, self).config_overrides()
         self.config_fixture.config(group='ldap',
                                    user_enabled_emulation=True,
-                                   tenant_enabled_emulation=True)
+                                   project_enabled_emulation=True)
 
     def test_project_crud(self):
         # NOTE(topol): LDAPIdentityEnabledEmulation will create an

keystone/tests/test_ldap_livetest.py

@@ -68,7 +68,7 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
         create_object(CONF.ldap.role_tree_dn,
                       {'objectclass': 'organizationalUnit',
                        'ou': 'Roles'})
-        create_object(CONF.ldap.tenant_tree_dn,
+        create_object(CONF.ldap.project_tree_dn,
                       {'objectclass': 'organizationalUnit',
                        'ou': 'Projects'})
         create_object(CONF.ldap.group_tree_dn,