Proxy Assignment from Identity Deprecated

The identity_api served as a proxy for calling the assignment_api
and a majority of this proxy mechanism was removed.  This is the
second pass on the proxy cleanup fixing up the lingering domain
calls from the identity core api.

All proxy calls removed in the Icehouse development cycle (so far)
have been re-added and are now marked with the @deprecated mechanism to
indicate that support will be removed once development for the J release
has opened, as discussed at the Icehouse design summit. See
https://etherpad.openstack.org/p/icehouse-keystone-internal-apis
for information on why these were added back in.

closes-bug: #1220913
Change-Id: If28b6d9189fa5879c8dbe131174b8cb8f84d9668
changes/44/54844/4
Morgan Fainberg 9 years ago
parent e5416c493f
commit 0116044118
  1. 5
      keystone/auth/controllers.py
  2. 2
      keystone/auth/plugins/external.py
  3. 9
      keystone/auth/plugins/password.py
  4. 10
      keystone/identity/controllers.py
  5. 153
      keystone/identity/core.py
  6. 6
      keystone/tests/test_backend.py
  7. 12
      keystone/tests/test_backend_ldap.py
  8. 4
      keystone/tests/test_v3_identity.py
  9. 2
      keystone/token/controllers.py
  10. 4
      keystone/token/core.py
  11. 2
      keystone/token/providers/uuid.py

@ -94,9 +94,10 @@ class AuthInfo(object):
target='domain')
try:
if domain_name:
domain_ref = self.identity_api.get_domain_by_name(domain_name)
domain_ref = self.assignment_api.get_domain_by_name(
domain_name)
else:
domain_ref = self.identity_api.get_domain(domain_id)
domain_ref = self.assignment_api.get_domain(domain_id)
except exception.DomainNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
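Review bot: The `except exception.DomainNotFound` branch kept around the changed lookups calls `LOG.exception(e)`, which logs at error level with a full traceback, for a domain name or id that appears to come straight from the authentication request. An unknown domain is an expected client error rather than a server fault, so a caller who has not authenticated yet can fill the log with tracebacks and bury real errors. `LOG.warning(e)` would still record the failed lookup for detection purposes without the stack. The same pattern sits in the `UserAuthInfo` hunk of keystone/auth/plugins/password.py, and the enclosing method starts and ends outside this hunk.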

@ -87,7 +87,7 @@ class Domain(Base):
username = names.pop(0)
if names:
domain_name = names[0]
domain_ref = (auth_info.identity_api.
domain_ref = (auth_info.assignment_api.
get_domain_by_name(domain_name))
domain_id = domain_ref['id']
else:

@ -24,7 +24,7 @@ METHOD_NAME = 'password'
LOG = logging.getLogger(__name__)
@dependency.requires('identity_api')
@dependency.requires('assignment_api', 'identity_api')
class UserAuthInfo(object):
@staticmethod
def create(auth_payload):
@ -58,9 +58,10 @@ class UserAuthInfo(object):
target='domain')
try:
if domain_name:
domain_ref = self.identity_api.get_domain_by_name(domain_name)
domain_ref = self.assignment_api.get_domain_by_name(
domain_name)
else:
domain_ref = self.identity_api.get_domain(domain_id)
domain_ref = self.assignment_api.get_domain(domain_id)
except exception.DomainNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
@ -89,7 +90,7 @@ class UserAuthInfo(object):
user_name, domain_ref['id'])
else:
user_ref = self.identity_api.get_user(user_id)
domain_ref = self.identity_api.get_domain(
domain_ref = self.assignment_api.get_domain(
user_ref['domain_id'])
self._assert_domain_is_enabled(domain_ref)
except exception.UserNotFound as e:

@ -605,16 +605,6 @@ class DomainV3(controller.V3Controller):
self._delete_domain_contents(context, domain_id)
return self.assignment_api.delete_domain(domain_id)
def _get_domain_by_name(self, context, domain_name):
"""Get the domain via its unique name.
For use by token authentication - not for hooking to the identity
router as a public api.
"""
ref = self.assignment_api.get_domain_by_name(domain_name)
return {'domain': ref}
class ProjectV3(controller.V3Controller):
collection_name = 'projects'

@ -27,6 +27,7 @@ from keystone import clean
from keystone.common import controller
from keystone.common import dependency
from keystone.common import manager
from keystone.common import utils
from keystone import config
from keystone import exception
from keystone import notifications
@ -279,7 +280,7 @@ class Manager(manager.Manager):
if driver:
return driver
else:
self.get_domain(domain_id)
self.assignment_api.get_domain(domain_id)
return self.driver
def _get_domain_conf(self, domain_id):
@ -453,25 +454,161 @@ class Manager(manager.Manager):
domain_id, driver = self._get_domain_id_and_driver(domain_scope)
return driver.check_user_in_group(user_id, group_id)
# TODO(henry-nash, ayoung) The following cross calls to the assignment
# API should be removed, with the controller and tests making the correct
# calls direct to assignment.
# NOTE(tellesmvn):The following 4 methods where not removed since ayoung
# told me not to because someone else is working on a new feature involving
# these methods where the idea is to identify in which domain the user is
# TODO(morganfainberg): Remove the following deprecated methods once
# Icehouse is released. Maintain identity -> assignment proxy for 1
# release.
@utils.deprecated('I', in_favor_of='assignment_api.get_domain_by_name',
remove_in=1, what='identity_api.get_domain_by_name')
def get_domain_by_name(self, domain_name):
return self.assignment_api.get_domain_by_name(domain_name)
@utils.deprecated('I', in_favor_of='assignment_api.get_domain',
remove_in=1, what='identity_api.get_domain')
def get_domain(self, domain_id):
return self.assignment_api.get_domain(domain_id)
@utils.deprecated('I', in_favor_of='assignment_api.update_domain',
remove_in=1, what='identity_api.update_domain')
def update_domain(self, domain_id, domain):
return self.assignment_api.update_domain(domain_id, domain)
@utils.deprecated('I', in_favor_of='assignment_api.list_domains',
remove_in=1, what='identity_api.list_domains')
def list_domains(self):
return self.assignment_api.list_domains()
@utils.deprecated('I', in_favor_of='assignment_api.delete_domain',
remove_in=1, what='identity_api.delete_domain')
def delete_domain(self, domain_id):
return self.assignment_api.delete_domain(domain_id)
@utils.deprecated('I', in_favor_of='assignment_api.create_domain',
remove_in=1, what='identity_api.create_domain')
def create_domain(self, domain_id, domain):
return self.assignment_api.create_domain(domain_id, domain)
@utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
remove_in=1, what='identity_api.list_projects_for_user')
def list_projects_for_user(self, user_id):
return self.assignment_api.list_projects_for_user(user_id)
@utils.deprecated('I', in_favor_of='assignment_api.add_user_to_project',
remove_in=1, what='identity_api.add_user_to_project')
def add_user_to_project(self, tenant_id, user_id):
return self.assignment_api.add_user_to_project(tenant_id, user_id)
@utils.deprecated('I',
in_favor_of='assignment_api.remove_user_from_project',
remove_in=1,
what='identity_api.remove_user_from_project')
def remove_user_from_project(self, tenant_id, user_id):
return self.assignment_api.remove_user_from_project(tenant_id, user_id)
@utils.deprecated('I', in_favor_of='assignment_api.get_project',
remove_in=1, what='identity_api.get_project')
def get_project(self, tenant_id):
return self.assignment_api.get_project(tenant_id)
@utils.deprecated('I', in_favor_of='assignment_api.list_projects',
remove_in=1, what='identity_api.list_projects')
def list_projects(self, domain_id=None):
return self.assignment_api.list_projects(domain_id)
@utils.deprecated('I', in_favor_of='assignment_api.get_role',
remove_in=1, what='identity_api.get_role')
def get_role(self, role_id):
return self.assignment_api.get_role(role_id)
@utils.deprecated('I', in_favor_of='assignment_api.list_roles',
remove_in=1, what='identity_api.list_roles')
def list_roles(self):
return self.assignment_api.list_roles()
@utils.deprecated('I', in_favor_of='assignment_api.get_project_users',
remove_in=1, what='identity_api.get_project_users')
def get_project_users(self, tenant_id):
return self.assignment_api.get_project_users(tenant_id)
@utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
remove_in=1, what='identity_api.list_projects_for_user')
def get_roles_for_user_and_project(self, user_id, tenant_id):
return self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
@utils.deprecated(
'I', in_favor_of='assignment_api.get_roles_for_user_and_domain',
remove_in=1, what='identity_api.get_roles_for_user_and_domain')
def get_roles_for_user_and_domain(self, user_id, domain_id):
return (self.assignment_api.get_roles_for_user_and_domain
(user_id, domain_id))
@utils.deprecated(
'I', in_favor_of='assignment_api.add_role_to_user_and_project',
remove_in=1, what='identity_api.add_role_to_user_and_project')
def add_role_to_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.add_role_to_user_and_project
(user_id, tenant_id, role_id))
@utils.deprecated('I', in_favor_of='assignment_api.create_role',
remove_in=1, what='identity_api.create_role')
def create_role(self, role_id, role):
return self.assignment_api.create_role(role_id, role)
@utils.deprecated('I', in_favor_of='assignment_api.delete_role',
remove_in=1, what='identity_api.delete_role')
def delete_role(self, role_id):
return self.assignment_api.delete_role(role_id)
@utils.deprecated(
'I', in_favor_of='assignment_api.remove_role_from_user_and_project',
remove_in=1, what='identity_api.remove_role_from_user_and_project')
def remove_role_from_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.remove_role_from_user_and_project
(user_id, tenant_id, role_id))
@utils.deprecated('I', in_favor_of='assignment_api.update_role',
remove_in=1, what='identity_api.update_role')
def update_role(self, role_id, role):
return self.assignment_api.update_role(role_id, role)
@utils.deprecated('I', in_favor_of='assignment_api.create_grant',
remove_in=1, what='identity_api.create_grant')
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.create_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
@utils.deprecated('I', in_favor_of='assignment_api.list_grants',
remove_in=1, what='identity_api.list_grants')
def list_grants(self, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.list_grants
(user_id, group_id, domain_id, project_id,
inherited_to_projects))
@utils.deprecated('I', in_favor_of='assignment_api.get_grant',
remove_in=1, what='identity_api.get_grant')
def get_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.get_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
@utils.deprecated('I', in_favor_of='assignment_api.delete_grant',
remove_in=1, what='identity_api.delete_grant')
def delete_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.delete_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
@six.add_metaclass(abc.ABCMeta)
class Driver(object):
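Review bot: The deprecation decorator on `get_roles_for_user_and_project` names the wrong method: it carries `in_favor_of='assignment_api.list_projects_for_user'` and `what='identity_api.list_projects_for_user'`, which look copied from the `list_projects_for_user` proxy above it. The call is forwarded correctly, but the warning will send anyone migrating off the proxy to an unrelated method. It should read `@utils.deprecated('I', in_favor_of='assignment_api.get_roles_for_user_and_project', remove_in=1, what='identity_api.get_roles_for_user_and_project')`. None of the test sections on this page call the re-added `identity_api` proxies any more, so a mismatch in a decorator or a forward target among these role and grant methods would go unnoticed; one small test per proxy, asserting that it delegates to the matching `assignment_api` method, would cover that.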

@ -2418,17 +2418,17 @@ class IdentityTests(object):
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'enabled': True}
self.assignment_api.create_domain(domain['id'], domain)
domain_ref = self.identity_api.get_domain(domain['id'])
domain_ref = self.assignment_api.get_domain(domain['id'])
self.assertDictEqual(domain_ref, domain)
domain['name'] = uuid.uuid4().hex
self.assignment_api.update_domain(domain['id'], domain)
domain_ref = self.identity_api.get_domain(domain['id'])
domain_ref = self.assignment_api.get_domain(domain['id'])
self.assertDictEqual(domain_ref, domain)
self.assignment_api.delete_domain(domain['id'])
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
self.assignment_api.get_domain,
domain['id'])
def test_create_domain_case_sensitivity(self):

@ -40,7 +40,7 @@ CONF = config.CONF
class BaseLDAPIdentity(test_backend.IdentityTests):
def _get_domain_fixture(self):
"""Domains in LDAP are read-only, so just return the static one."""
return self.identity_api.get_domain(CONF.identity.default_domain_id)
return self.assignment_api.get_domain(CONF.identity.default_domain_id)
def clear_database(self):
for shelf in fakeldap.FakeShelves:
@ -267,7 +267,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id")
def test_list_domains(self):
domains = self.identity_api.list_domains()
domains = self.assignment_api.list_domains()
self.assertEqual(
domains,
[assignment.DEFAULT_DOMAIN])
@ -729,7 +729,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
self.assignment_api.get_domain,
domain['id'])
domain['description'] = uuid.uuid4().hex
@ -742,7 +742,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
self.assignment_api.get_domain,
domain['id'])
self.assertRaises(exception.DomainNotFound,
self.assignment_api.delete_domain,
@ -751,7 +751,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
self.assignment_api.delete_domain,
CONF.identity.default_domain_id)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
self.assignment_api.get_domain,
domain['id'])
def test_create_domain_case_sensitivity(self):
@ -1004,7 +1004,7 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
pass
def test_list_domains(self):
domains = self.identity_api.list_domains()
domains = self.assignment_api.list_domains()
self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
def test_project_filter(self):

@ -287,7 +287,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# Check all the domain2 relevant entities are gone
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
self.assignment_api.get_domain,
self.domain2['id'])
self.assertRaises(exception.ProjectNotFound,
self.assignment_api.get_project,
@ -303,7 +303,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.credential2['id'])
# ...and that all self.domain entities are still here
r = self.identity_api.get_domain(self.domain['id'])
r = self.assignment_api.get_domain(self.domain['id'])
self.assertDictEqual(r, self.domain)
r = self.assignment_api.get_project(self.project['id'])
self.assertDictEqual(r, self.project)

@ -351,7 +351,7 @@ class Auth(controller.V2Controller):
domain_name = auth.get('domainName', None)
if domain_name:
try:
domain_ref = self.identity_api._get_domain_by_name(
domain_ref = self.assignment_api.get_domain_by_name(
domain_name)
domain_id = domain_ref['id']
except exception.DomainNotFound as e:

@ -70,7 +70,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
raise exception.Unauthorized(msg)
# If the user's domain is disabled don't allow them to authenticate
user_domain_ref = self.identity_api.get_domain(
user_domain_ref = self.assignment_api.get_domain(
user_ref['domain_id'])
if user_domain_ref and not user_domain_ref.get('enabled', True):
msg = 'Domain is disabled: %s' % user_domain_ref['id']
@ -85,7 +85,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
raise exception.Unauthorized(msg)
# If the project's domain is disabled don't allow them to authenticate
project_domain_ref = self.identity_api.get_domain(
project_domain_ref = self.assignment_api.get_domain(
tenant_ref['domain_id'])
if (project_domain_ref and
not project_domain_ref.get('enabled', True)):
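Review bot: Both disabled-domain checks in `validate_auth_info` fail open. `user_domain_ref.get('enabled', True)` and `project_domain_ref.get('enabled', True)` treat a domain ref with no `enabled` key as enabled, and the leading `user_domain_ref and` / `project_domain_ref and` lets a falsy ref skip the check entirely. Whether `assignment_api.get_domain` can ever return such a ref is not visible here, but this is the gate that stops authentication against a disabled domain, so a missing field should deny rather than allow, for example `if not user_domain_ref or not user_domain_ref.get('enabled', False):`, provided the backends always populate `enabled`. The function body continues outside both hunks.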

@ -140,7 +140,7 @@ class V3TokenDataHelper(object):
self.trust_api = trust.Manager()
def _get_filtered_domain(self, domain_id):
domain_ref = self.identity_api.get_domain(domain_id)
domain_ref = self.assignment_api.get_domain(domain_id)
return {'id': domain_ref['id'], 'name': domain_ref['name']}
def _get_filtered_project(self, project_id):
