From 696c1569e8c2d2f9e3aa490b5d2bbcb037539006 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Mon, 13 Apr 2015 12:59:40 +1000 Subject: [PATCH] Move endpoint policy into keystone core Remove endpoint_policy as an extension and move it to a core resource. For now we leave the database migrations in the extension directory until we have a general policy for merging these into core. DocImpact: You should no longer run the migrations for this extension. Implements: bp replace-extensions Change-Id: I6215b7df497c142a5e73b62543e0d76458c85f64 --- keystone/backends.py | 2 +- keystone/common/config.py | 3 + keystone/contrib/endpoint_policy/__init__.py | 15 -- .../contrib/endpoint_policy/backends/sql.py | 137 ++--------------- keystone/contrib/endpoint_policy/routers.py | 82 ++-------- keystone/endpoint_policy/__init__.py | 14 ++ keystone/endpoint_policy/backends/__init__.py | 0 keystone/endpoint_policy/backends/sql.py | 140 ++++++++++++++++++ .../endpoint_policy/controllers.py | 0 .../{contrib => }/endpoint_policy/core.py | 0 keystone/endpoint_policy/routers.py | 85 +++++++++++ keystone/service.py | 12 +- setup.cfg | 2 +- 13 files changed, 283 insertions(+), 209 deletions(-) create mode 100644 keystone/endpoint_policy/__init__.py create mode 100644 keystone/endpoint_policy/backends/__init__.py create mode 100644 keystone/endpoint_policy/backends/sql.py rename keystone/{contrib => }/endpoint_policy/controllers.py (100%) rename keystone/{contrib => }/endpoint_policy/core.py (100%) create mode 100644 keystone/endpoint_policy/routers.py diff --git a/keystone/backends.py b/keystone/backends.py index 19a68512a..ebe00a817 100644 --- a/keystone/backends.py +++ b/keystone/backends.py @@ -15,11 +15,11 @@ from keystone import auth from keystone import catalog from keystone.common import cache from keystone.contrib import endpoint_filter -from keystone.contrib import endpoint_policy from keystone.contrib import federation from keystone.contrib import oauth1 from keystone.contrib import revoke from keystone import credential +from keystone import endpoint_policy from keystone import identity from keystone import policy from keystone import resource diff --git a/keystone/common/config.py b/keystone/common/config.py index 5caa8c508..31e086832 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py @@ -526,6 +526,9 @@ FILE_OPTIONS = { 'exists.'), ], 'endpoint_policy': [ + cfg.BoolOpt('enabled', + default=True, + help='Enable endpoint_policy functionality.'), cfg.StrOpt('driver', default='sql', help='Endpoint policy backend driver'), diff --git a/keystone/contrib/endpoint_policy/__init__.py b/keystone/contrib/endpoint_policy/__init__.py index 12722dc58..e69de29bb 100644 --- a/keystone/contrib/endpoint_policy/__init__.py +++ b/keystone/contrib/endpoint_policy/__init__.py @@ -1,15 +0,0 @@ -# Copyright 2014 IBM Corp. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from keystone.contrib.endpoint_policy.core import * # noqa diff --git a/keystone/contrib/endpoint_policy/backends/sql.py b/keystone/contrib/endpoint_policy/backends/sql.py index 484444f12..2790bb8ee 100644 --- a/keystone/contrib/endpoint_policy/backends/sql.py +++ b/keystone/contrib/endpoint_policy/backends/sql.py @@ -1,5 +1,3 @@ -# Copyright 2014 IBM Corp. -# # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at @@ -12,129 +10,22 @@ # License for the specific language governing permissions and limitations # under the License. -import uuid +import logging -import sqlalchemy +from keystone.endpoint_policy.backends import sql +from keystone.openstack.common import versionutils -from keystone.common import sql -from keystone import exception +LOG = logging.getLogger(__name__) + +_OLD = 'keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy' +_NEW = 'keystone.endpoint_policy.backends.sql.EndpointPolicy' -class PolicyAssociation(sql.ModelBase, sql.ModelDictMixin): - __tablename__ = 'policy_association' - attributes = ['policy_id', 'endpoint_id', 'region_id', 'service_id'] - # The id column is never exposed outside this module. It only exists to - # provide a primary key, given that the real columns we would like to use - # (endpoint_id, service_id, region_id) can be null - id = sql.Column(sql.String(64), primary_key=True) - policy_id = sql.Column(sql.String(64), nullable=False) - endpoint_id = sql.Column(sql.String(64), nullable=True) - service_id = sql.Column(sql.String(64), nullable=True) - region_id = sql.Column(sql.String(64), nullable=True) - __table_args__ = (sql.UniqueConstraint('endpoint_id', 'service_id', - 'region_id'), {}) +class EndpointPolicy(sql.EndpointPolicy): - def to_dict(self): - """Returns the model's attributes as a dictionary. - - We override the standard method in order to hide the id column, - since this only exists to provide the table with a primary key. - - """ - d = {} - for attr in self.__class__.attributes: - d[attr] = getattr(self, attr) - return d - - -class EndpointPolicy(object): - - def create_policy_association(self, policy_id, endpoint_id=None, - service_id=None, region_id=None): - with sql.transaction() as session: - try: - # See if there is already a row for this association, and if - # so, update it with the new policy_id - query = session.query(PolicyAssociation) - query = query.filter_by(endpoint_id=endpoint_id) - query = query.filter_by(service_id=service_id) - query = query.filter_by(region_id=region_id) - association = query.one() - association.policy_id = policy_id - except sql.NotFound: - association = PolicyAssociation(id=uuid.uuid4().hex, - policy_id=policy_id, - endpoint_id=endpoint_id, - service_id=service_id, - region_id=region_id) - session.add(association) - - def check_policy_association(self, policy_id, endpoint_id=None, - service_id=None, region_id=None): - sql_constraints = sqlalchemy.and_( - PolicyAssociation.policy_id == policy_id, - PolicyAssociation.endpoint_id == endpoint_id, - PolicyAssociation.service_id == service_id, - PolicyAssociation.region_id == region_id) - - # NOTE(henry-nash): Getting a single value to save object - # management overhead. - with sql.transaction() as session: - if session.query(PolicyAssociation.id).filter( - sql_constraints).distinct().count() == 0: - raise exception.PolicyAssociationNotFound() - - def delete_policy_association(self, policy_id, endpoint_id=None, - service_id=None, region_id=None): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(policy_id=policy_id) - query = query.filter_by(endpoint_id=endpoint_id) - query = query.filter_by(service_id=service_id) - query = query.filter_by(region_id=region_id) - query.delete() - - def get_policy_association(self, endpoint_id=None, - service_id=None, region_id=None): - sql_constraints = sqlalchemy.and_( - PolicyAssociation.endpoint_id == endpoint_id, - PolicyAssociation.service_id == service_id, - PolicyAssociation.region_id == region_id) - - try: - with sql.transaction() as session: - policy_id = session.query(PolicyAssociation.policy_id).filter( - sql_constraints).distinct().one() - return {'policy_id': policy_id} - except sql.NotFound: - raise exception.PolicyAssociationNotFound() - - def list_associations_for_policy(self, policy_id): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(policy_id=policy_id) - return [ref.to_dict() for ref in query.all()] - - def delete_association_by_endpoint(self, endpoint_id): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(endpoint_id=endpoint_id) - query.delete() - - def delete_association_by_service(self, service_id): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(service_id=service_id) - query.delete() - - def delete_association_by_region(self, region_id): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(region_id=region_id) - query.delete() - - def delete_association_by_policy(self, policy_id): - with sql.transaction() as session: - query = session.query(PolicyAssociation) - query = query.filter_by(policy_id=policy_id) - query.delete() + @versionutils.deprecated(versionutils.deprecated.LIBERTY, + in_favor_of=_NEW, + remove_in=1, + what=_OLD) + def __init__(self, *args, **kwargs): + super(EndpointPolicy, self).__init__(*args, **kwargs) diff --git a/keystone/contrib/endpoint_policy/routers.py b/keystone/contrib/endpoint_policy/routers.py index 999d1eedf..13f73fbcc 100644 --- a/keystone/contrib/endpoint_policy/routers.py +++ b/keystone/contrib/endpoint_policy/routers.py @@ -1,5 +1,3 @@ -# Copyright 2014 IBM Corp. -# # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at @@ -12,74 +10,22 @@ # License for the specific language governing permissions and limitations # under the License. -import functools +import logging -from keystone.common import json_home from keystone.common import wsgi -from keystone.contrib.endpoint_policy import controllers +from keystone.openstack.common import versionutils + +LOG = logging.getLogger(__name__) + +_OLD = 'keystone.contrib.endpoint_policy.routers.EndpointPolicyExtension' +_NEW = 'keystone.endpoint_policy.routers.Routers' -build_resource_relation = functools.partial( - json_home.build_v3_extension_resource_relation, - extension_name='OS-ENDPOINT-POLICY', extension_version='1.0') +class EndpointPolicyExtension(wsgi.Middleware): - -class EndpointPolicyExtension(wsgi.V3ExtensionRouter): - - PATH_PREFIX = '/OS-ENDPOINT-POLICY' - - def add_routes(self, mapper): - endpoint_policy_controller = controllers.EndpointPolicyV3Controller() - - self._add_resource( - mapper, endpoint_policy_controller, - path='/endpoints/{endpoint_id}' + self.PATH_PREFIX + '/policy', - get_head_action='get_policy_for_endpoint', - rel=build_resource_relation(resource_name='endpoint_policy'), - path_vars={'endpoint_id': json_home.Parameters.ENDPOINT_ID}) - self._add_resource( - mapper, endpoint_policy_controller, - path='/policies/{policy_id}' + self.PATH_PREFIX + '/endpoints', - get_action='list_endpoints_for_policy', - rel=build_resource_relation(resource_name='policy_endpoints'), - path_vars={'policy_id': json_home.Parameters.POLICY_ID}) - self._add_resource( - mapper, endpoint_policy_controller, - path=('/policies/{policy_id}' + self.PATH_PREFIX + - '/endpoints/{endpoint_id}'), - get_head_action='check_policy_association_for_endpoint', - put_action='create_policy_association_for_endpoint', - delete_action='delete_policy_association_for_endpoint', - rel=build_resource_relation( - resource_name='endpoint_policy_association'), - path_vars={ - 'policy_id': json_home.Parameters.POLICY_ID, - 'endpoint_id': json_home.Parameters.ENDPOINT_ID, - }) - self._add_resource( - mapper, endpoint_policy_controller, - path=('/policies/{policy_id}' + self.PATH_PREFIX + - '/services/{service_id}'), - get_head_action='check_policy_association_for_service', - put_action='create_policy_association_for_service', - delete_action='delete_policy_association_for_service', - rel=build_resource_relation( - resource_name='service_policy_association'), - path_vars={ - 'policy_id': json_home.Parameters.POLICY_ID, - 'service_id': json_home.Parameters.SERVICE_ID, - }) - self._add_resource( - mapper, endpoint_policy_controller, - path=('/policies/{policy_id}' + self.PATH_PREFIX + - '/services/{service_id}/regions/{region_id}'), - get_head_action='check_policy_association_for_region_and_service', - put_action='create_policy_association_for_region_and_service', - delete_action='delete_policy_association_for_region_and_service', - rel=build_resource_relation( - resource_name='region_and_service_policy_association'), - path_vars={ - 'policy_id': json_home.Parameters.POLICY_ID, - 'service_id': json_home.Parameters.SERVICE_ID, - 'region_id': json_home.Parameters.REGION_ID, - }) + @versionutils.deprecated(versionutils.deprecated.LIBERTY, + in_favor_of=_NEW, + remove_in=1, + what=_OLD) + def __init__(self, *args, **kwargs): + super(EndpointPolicyExtension, self).__init__(*args, **kwargs) diff --git a/keystone/endpoint_policy/__init__.py b/keystone/endpoint_policy/__init__.py new file mode 100644 index 000000000..c8ae5e68b --- /dev/null +++ b/keystone/endpoint_policy/__init__.py @@ -0,0 +1,14 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystone.endpoint_policy.core import * # noqa +from keystone.endpoint_policy import routers # noqa diff --git a/keystone/endpoint_policy/backends/__init__.py b/keystone/endpoint_policy/backends/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/keystone/endpoint_policy/backends/sql.py b/keystone/endpoint_policy/backends/sql.py new file mode 100644 index 000000000..484444f12 --- /dev/null +++ b/keystone/endpoint_policy/backends/sql.py @@ -0,0 +1,140 @@ +# Copyright 2014 IBM Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +import sqlalchemy + +from keystone.common import sql +from keystone import exception + + +class PolicyAssociation(sql.ModelBase, sql.ModelDictMixin): + __tablename__ = 'policy_association' + attributes = ['policy_id', 'endpoint_id', 'region_id', 'service_id'] + # The id column is never exposed outside this module. It only exists to + # provide a primary key, given that the real columns we would like to use + # (endpoint_id, service_id, region_id) can be null + id = sql.Column(sql.String(64), primary_key=True) + policy_id = sql.Column(sql.String(64), nullable=False) + endpoint_id = sql.Column(sql.String(64), nullable=True) + service_id = sql.Column(sql.String(64), nullable=True) + region_id = sql.Column(sql.String(64), nullable=True) + __table_args__ = (sql.UniqueConstraint('endpoint_id', 'service_id', + 'region_id'), {}) + + def to_dict(self): + """Returns the model's attributes as a dictionary. + + We override the standard method in order to hide the id column, + since this only exists to provide the table with a primary key. + + """ + d = {} + for attr in self.__class__.attributes: + d[attr] = getattr(self, attr) + return d + + +class EndpointPolicy(object): + + def create_policy_association(self, policy_id, endpoint_id=None, + service_id=None, region_id=None): + with sql.transaction() as session: + try: + # See if there is already a row for this association, and if + # so, update it with the new policy_id + query = session.query(PolicyAssociation) + query = query.filter_by(endpoint_id=endpoint_id) + query = query.filter_by(service_id=service_id) + query = query.filter_by(region_id=region_id) + association = query.one() + association.policy_id = policy_id + except sql.NotFound: + association = PolicyAssociation(id=uuid.uuid4().hex, + policy_id=policy_id, + endpoint_id=endpoint_id, + service_id=service_id, + region_id=region_id) + session.add(association) + + def check_policy_association(self, policy_id, endpoint_id=None, + service_id=None, region_id=None): + sql_constraints = sqlalchemy.and_( + PolicyAssociation.policy_id == policy_id, + PolicyAssociation.endpoint_id == endpoint_id, + PolicyAssociation.service_id == service_id, + PolicyAssociation.region_id == region_id) + + # NOTE(henry-nash): Getting a single value to save object + # management overhead. + with sql.transaction() as session: + if session.query(PolicyAssociation.id).filter( + sql_constraints).distinct().count() == 0: + raise exception.PolicyAssociationNotFound() + + def delete_policy_association(self, policy_id, endpoint_id=None, + service_id=None, region_id=None): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(policy_id=policy_id) + query = query.filter_by(endpoint_id=endpoint_id) + query = query.filter_by(service_id=service_id) + query = query.filter_by(region_id=region_id) + query.delete() + + def get_policy_association(self, endpoint_id=None, + service_id=None, region_id=None): + sql_constraints = sqlalchemy.and_( + PolicyAssociation.endpoint_id == endpoint_id, + PolicyAssociation.service_id == service_id, + PolicyAssociation.region_id == region_id) + + try: + with sql.transaction() as session: + policy_id = session.query(PolicyAssociation.policy_id).filter( + sql_constraints).distinct().one() + return {'policy_id': policy_id} + except sql.NotFound: + raise exception.PolicyAssociationNotFound() + + def list_associations_for_policy(self, policy_id): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(policy_id=policy_id) + return [ref.to_dict() for ref in query.all()] + + def delete_association_by_endpoint(self, endpoint_id): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(endpoint_id=endpoint_id) + query.delete() + + def delete_association_by_service(self, service_id): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(service_id=service_id) + query.delete() + + def delete_association_by_region(self, region_id): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(region_id=region_id) + query.delete() + + def delete_association_by_policy(self, policy_id): + with sql.transaction() as session: + query = session.query(PolicyAssociation) + query = query.filter_by(policy_id=policy_id) + query.delete() diff --git a/keystone/contrib/endpoint_policy/controllers.py b/keystone/endpoint_policy/controllers.py similarity index 100% rename from keystone/contrib/endpoint_policy/controllers.py rename to keystone/endpoint_policy/controllers.py diff --git a/keystone/contrib/endpoint_policy/core.py b/keystone/endpoint_policy/core.py similarity index 100% rename from keystone/contrib/endpoint_policy/core.py rename to keystone/endpoint_policy/core.py diff --git a/keystone/endpoint_policy/routers.py b/keystone/endpoint_policy/routers.py new file mode 100644 index 000000000..4846bb180 --- /dev/null +++ b/keystone/endpoint_policy/routers.py @@ -0,0 +1,85 @@ +# Copyright 2014 IBM Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import functools + +from keystone.common import json_home +from keystone.common import wsgi +from keystone.endpoint_policy import controllers + + +build_resource_relation = functools.partial( + json_home.build_v3_extension_resource_relation, + extension_name='OS-ENDPOINT-POLICY', extension_version='1.0') + + +class Routers(wsgi.RoutersBase): + + PATH_PREFIX = '/OS-ENDPOINT-POLICY' + + def append_v3_routers(self, mapper, routers): + endpoint_policy_controller = controllers.EndpointPolicyV3Controller() + + self._add_resource( + mapper, endpoint_policy_controller, + path='/endpoints/{endpoint_id}' + self.PATH_PREFIX + '/policy', + get_head_action='get_policy_for_endpoint', + rel=build_resource_relation(resource_name='endpoint_policy'), + path_vars={'endpoint_id': json_home.Parameters.ENDPOINT_ID}) + self._add_resource( + mapper, endpoint_policy_controller, + path='/policies/{policy_id}' + self.PATH_PREFIX + '/endpoints', + get_action='list_endpoints_for_policy', + rel=build_resource_relation(resource_name='policy_endpoints'), + path_vars={'policy_id': json_home.Parameters.POLICY_ID}) + self._add_resource( + mapper, endpoint_policy_controller, + path=('/policies/{policy_id}' + self.PATH_PREFIX + + '/endpoints/{endpoint_id}'), + get_head_action='check_policy_association_for_endpoint', + put_action='create_policy_association_for_endpoint', + delete_action='delete_policy_association_for_endpoint', + rel=build_resource_relation( + resource_name='endpoint_policy_association'), + path_vars={ + 'policy_id': json_home.Parameters.POLICY_ID, + 'endpoint_id': json_home.Parameters.ENDPOINT_ID, + }) + self._add_resource( + mapper, endpoint_policy_controller, + path=('/policies/{policy_id}' + self.PATH_PREFIX + + '/services/{service_id}'), + get_head_action='check_policy_association_for_service', + put_action='create_policy_association_for_service', + delete_action='delete_policy_association_for_service', + rel=build_resource_relation( + resource_name='service_policy_association'), + path_vars={ + 'policy_id': json_home.Parameters.POLICY_ID, + 'service_id': json_home.Parameters.SERVICE_ID, + }) + self._add_resource( + mapper, endpoint_policy_controller, + path=('/policies/{policy_id}' + self.PATH_PREFIX + + '/services/{service_id}/regions/{region_id}'), + get_head_action='check_policy_association_for_region_and_service', + put_action='create_policy_association_for_region_and_service', + delete_action='delete_policy_association_for_region_and_service', + rel=build_resource_relation( + resource_name='region_and_service_policy_association'), + path_vars={ + 'policy_id': json_home.Parameters.POLICY_ID, + 'service_id': json_home.Parameters.SERVICE_ID, + 'region_id': json_home.Parameters.REGION_ID, + }) diff --git a/keystone/service.py b/keystone/service.py index 621afdf83..093f539bf 100644 --- a/keystone/service.py +++ b/keystone/service.py @@ -26,6 +26,7 @@ from keystone import catalog from keystone.common import wsgi from keystone import controllers from keystone import credential +from keystone import endpoint_policy from keystone import identity from keystone import policy from keystone import resource @@ -103,11 +104,20 @@ def v3_app_factory(global_conf, **local_conf): sub_routers = [] _routers = [] - router_modules = [assignment, auth, catalog, credential, identity, policy, + router_modules = [assignment, + auth, + catalog, + credential, + identity, + policy, resource] + if CONF.trust.enabled: router_modules.append(trust) + if CONF.endpoint_policy.enabled: + router_modules.append(endpoint_policy) + for module in router_modules: routers_instance = module.routers.Routers() _routers.append(routers_instance) diff --git a/setup.cfg b/setup.cfg index 52a646f9e..39c10ac88 100644 --- a/setup.cfg +++ b/setup.cfg @@ -120,7 +120,7 @@ keystone.endpoint_filter = sql = keystone.contrib.endpoint_filter.backends.sql:EndpointFilter keystone.endpoint_policy = - sql = keystone.contrib.endpoint_policy.backends.sql:EndpointPolicy + sql = keystone.endpoint_policy.backends.sql:EndpointPolicy keystone.federation = sql = keystone.contrib.federation.backends.sql:Federation