From 0116044118409d882ed596c3e7cc63bf3ec74776 Mon Sep 17 00:00:00 2001
From: Morgan Fainberg
Date: Thu, 31 Oct 2013 16:48:45 -0700
Subject: [PATCH] Proxy Assignment from Identity Deprecated
The identity_api served as a proxy for calling the assignment_api and a majority of this proxy mechanism was removed. This is the second pass on the proxy cleanup fixing up the lingering domain calls from the identity core api. All proxy calls removed in the Icehouse development cycle (so far) have been re-added and now have the @deprecated mechanism used to indicate the support will be removed once development for J release has been opened as discussed at the Icehouse design summit. See https://etherpad.openstack.org/p/icehouse-keystone-internal-apis for information on why these were added back in.
closes-bug: #1220913
Change-Id: If28b6d9189fa5879c8dbe131174b8cb8f84d9668
---
 keystone/auth/controllers.py | 5 +-
 keystone/auth/plugins/external.py | 2 +-
 keystone/auth/plugins/password.py | 9 +-
 keystone/identity/controllers.py | 10 --
 keystone/identity/core.py | 153 ++++++++++++++++++++++++++--
 keystone/tests/test_backend.py | 6 +-
 keystone/tests/test_backend_ldap.py | 12 +--
 keystone/tests/test_v3_identity.py | 4 +-
 keystone/token/controllers.py | 2 +-
 keystone/token/core.py | 4 +-
 keystone/token/providers/uuid.py | 2 +-
 11 files changed, 169 insertions(+), 40 deletions(-)
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index d5233d759e..f3375d5570 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -94,9 +94,10 @@ class AuthInfo(object):
 target='domain')
 try:
 if domain_name:
- domain_ref = self.identity_api.get_domain_by_name(domain_name)
+ domain_ref = self.assignment_api.get_domain_by_name(
+ domain_name)
 else:
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 except exception.DomainNotFound as e:
 LOG.exception(e)
 raise exception.Unauthorized(e)
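Review bot: `self.assignment_api` is used on `AuthInfo` here without any visible change to the class's dependency declaration, whereas the password plugin in this same commit extends its decorator to `@dependency.requires('assignment_api', 'identity_api')`. The diffstat counts leave no room for a similar decorator change in keystone/auth/controllers.py, keystone/token/controllers.py, keystone/token/core.py or keystone/token/providers/uuid.py, so those call sites (and `auth_info.assignment_api` in keystone/auth/plugins/external.py) rely on `assignment_api` already being injected on each class. That is worth confirming per class, because a missing attribute would surface as an `AttributeError` in the authentication path rather than the `exception.Unauthorized` this block is written to raise. The enclosing method starts and ends outside the hunk.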
diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py
index 15f21d0aa3..a6fe1b45a6 100644
--- a/keystone/auth/plugins/external.py
+++ b/keystone/auth/plugins/external.py
@@ -87,7 +87,7 @@ class Domain(Base):
 username = names.pop(0)
 if names:
 domain_name = names[0]
- domain_ref = (auth_info.identity_api.
+ domain_ref = (auth_info.assignment_api.
 get_domain_by_name(domain_name))
 domain_id = domain_ref['id']
 else:
diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py
index 9531261d85..619010e230 100644
--- a/keystone/auth/plugins/password.py
+++ b/keystone/auth/plugins/password.py
@@ -24,7 +24,7 @@ METHOD_NAME = 'password'
 LOG = logging.getLogger(__name__)
-@dependency.requires('identity_api')
+@dependency.requires('assignment_api', 'identity_api')
 class UserAuthInfo(object):
 @staticmethod
 def create(auth_payload):
@@ -58,9 +58,10 @@ class UserAuthInfo(object):
 target='domain')
 try:
 if domain_name:
- domain_ref = self.identity_api.get_domain_by_name(domain_name)
+ domain_ref = self.assignment_api.get_domain_by_name(
+ domain_name)
 else:
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 except exception.DomainNotFound as e:
 LOG.exception(e)
 raise exception.Unauthorized(e)
@@ -89,7 +90,7 @@ class UserAuthInfo(object):
 user_name, domain_ref['id'])
 else:
 user_ref = self.identity_api.get_user(user_id)
- domain_ref = self.identity_api.get_domain(
+ domain_ref = self.assignment_api.get_domain(
 user_ref['domain_id'])
 self._assert_domain_is_enabled(domain_ref)
 except exception.UserNotFound as e:
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 158eecb568..50f7b5a569 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -605,16 +605,6 @@ class DomainV3(controller.V3Controller):
 self._delete_domain_contents(context, domain_id)
 return self.assignment_api.delete_domain(domain_id)
- def _get_domain_by_name(self, context, domain_name):
- """Get the domain via its unique name.
-
- For use by token authentication - not for hooking to the identity
- router as a public api.
-
- """
- ref = self.assignment_api.get_domain_by_name(domain_name)
- return {'domain': ref}
-
 class ProjectV3(controller.V3Controller):
 collection_name = 'projects'
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index fbdde16630..6a9f90c9d9 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -27,6 +27,7 @@ from keystone import clean
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import manager
+from keystone.common import utils
 from keystone import config
 from keystone import exception
 from keystone import notifications
@@ -279,7 +280,7 @@ class Manager(manager.Manager):
 if driver:
 return driver
 else:
- self.get_domain(domain_id)
+ self.assignment_api.get_domain(domain_id)
 return self.driver
 def _get_domain_conf(self, domain_id):
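Review bot: In the `@@ -279` hunk of keystone/identity/core.py the result of `self.assignment_api.get_domain(domain_id)` is discarded, so the call presumably exists only to raise for an unknown domain before falling back to `self.driver`, and nothing in the visible lines says so. A comment above the call such as `# Existence check only: raises if the domain is unknown; the ref is not needed.` would keep a later cleanup from deleting it as dead code and silently handing the default driver to any domain id. The enclosing method starts before the hunk, so its name and docstring are not visible here.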
@@ -453,25 +454,161 @@ class Manager(manager.Manager):
 domain_id, driver = self._get_domain_id_and_driver(domain_scope)
 return driver.check_user_in_group(user_id, group_id)
- # TODO(henry-nash, ayoung) The following cross calls to the assignment
- # API should be removed, with the controller and tests making the correct
- # calls direct to assignment.
-
- # NOTE(tellesmvn):The following 4 methods where not removed since ayoung
- # told me not to because someone else is working on a new feature involving
- # these methods where the idea is to identify in which domain the user is
+ # TODO(morganfainberg): Remove the following deprecated methods once
+ # Icehouse is released. Maintain identity -> assignment proxy for 1
+ # release.
+ @utils.deprecated('I', in_favor_of='assignment_api.get_domain_by_name',
+ remove_in=1, what='identity_api.get_domain_by_name')
 def get_domain_by_name(self, domain_name):
 return self.assignment_api.get_domain_by_name(domain_name)
+ @utils.deprecated('I', in_favor_of='assignment_api.get_domain',
+ remove_in=1, what='identity_api.get_domain')
 def get_domain(self, domain_id):
 return self.assignment_api.get_domain(domain_id)
+ @utils.deprecated('I', in_favor_of='assignment_api.update_domain',
+ remove_in=1, what='identity_api.update_domain')
 def update_domain(self, domain_id, domain):
 return self.assignment_api.update_domain(domain_id, domain)
+ @utils.deprecated('I', in_favor_of='assignment_api.list_domains',
+ remove_in=1, what='identity_api.list_domains')
 def list_domains(self):
 return self.assignment_api.list_domains()
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_domain',
+ remove_in=1, what='identity_api.delete_domain')
+ def delete_domain(self, domain_id):
+ return self.assignment_api.delete_domain(domain_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_domain',
+ remove_in=1, what='identity_api.create_domain')
+ def create_domain(self, domain_id, domain):
+ return self.assignment_api.create_domain(domain_id, domain)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
+ remove_in=1, what='identity_api.list_projects_for_user')
+ def list_projects_for_user(self, user_id):
+ return self.assignment_api.list_projects_for_user(user_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.add_user_to_project',
+ remove_in=1, what='identity_api.add_user_to_project')
+ def add_user_to_project(self, tenant_id, user_id):
+ return self.assignment_api.add_user_to_project(tenant_id, user_id)
+
+ @utils.deprecated('I',
+ in_favor_of='assignment_api.remove_user_from_project',
+ remove_in=1,
+ what='identity_api.remove_user_from_project')
+ def remove_user_from_project(self, tenant_id, user_id):
+ return self.assignment_api.remove_user_from_project(tenant_id, user_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_project',
+ remove_in=1, what='identity_api.get_project')
+ def get_project(self, tenant_id):
+ return self.assignment_api.get_project(tenant_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects',
+ remove_in=1, what='identity_api.list_projects')
+ def list_projects(self, domain_id=None):
+ return self.assignment_api.list_projects(domain_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_role',
+ remove_in=1, what='identity_api.get_role')
+ def get_role(self, role_id):
+ return self.assignment_api.get_role(role_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_roles',
+ remove_in=1, what='identity_api.list_roles')
+ def list_roles(self):
+ return self.assignment_api.list_roles()
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_project_users',
+ remove_in=1, what='identity_api.get_project_users')
+ def get_project_users(self, tenant_id):
+ return self.assignment_api.get_project_users(tenant_id)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_projects_for_user',
+ remove_in=1, what='identity_api.list_projects_for_user')
+ def get_roles_for_user_and_project(self, user_id, tenant_id):
+ return self.assignment_api.get_roles_for_user_and_project(
+ user_id, tenant_id)
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.get_roles_for_user_and_domain',
+ remove_in=1, what='identity_api.get_roles_for_user_and_domain')
+ def get_roles_for_user_and_domain(self, user_id, domain_id):
+ return (self.assignment_api.get_roles_for_user_and_domain
+ (user_id, domain_id))
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.add_role_to_user_and_project',
+ remove_in=1, what='identity_api.add_role_to_user_and_project')
+ def add_role_to_user_and_project(self, user_id,
+ tenant_id, role_id):
+ return (self.assignment_api.add_role_to_user_and_project
+ (user_id, tenant_id, role_id))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_role',
+ remove_in=1, what='identity_api.create_role')
+ def create_role(self, role_id, role):
+ return self.assignment_api.create_role(role_id, role)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_role',
+ remove_in=1, what='identity_api.delete_role')
+ def delete_role(self, role_id):
+ return self.assignment_api.delete_role(role_id)
+
+ @utils.deprecated(
+ 'I', in_favor_of='assignment_api.remove_role_from_user_and_project',
+ remove_in=1, what='identity_api.remove_role_from_user_and_project')
+ def remove_role_from_user_and_project(self, user_id,
+ tenant_id, role_id):
+ return (self.assignment_api.remove_role_from_user_and_project
+ (user_id, tenant_id, role_id))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.update_role',
+ remove_in=1, what='identity_api.update_role')
+ def update_role(self, role_id, role):
+ return self.assignment_api.update_role(role_id, role)
+
+ @utils.deprecated('I', in_favor_of='assignment_api.create_grant',
+ remove_in=1, what='identity_api.create_grant')
+ def create_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.create_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.list_grants',
+ remove_in=1, what='identity_api.list_grants')
+ def list_grants(self, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.list_grants
+ (user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.get_grant',
+ remove_in=1, what='identity_api.get_grant')
+ def get_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.get_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
+ @utils.deprecated('I', in_favor_of='assignment_api.delete_grant',
+ remove_in=1, what='identity_api.delete_grant')
+ def delete_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False):
+ return (self.assignment_api.delete_grant
+ (role_id, user_id, group_id, domain_id, project_id,
+ inherited_to_projects))
+
 @six.add_metaclass(abc.ABCMeta)
 class Driver(object):
diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py
index 898048550b..75b6288fc2 100644
--- a/keystone/tests/test_backend.py
+++ b/keystone/tests/test_backend.py
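Review bot: The decorator on `get_roles_for_user_and_project` carries the strings copied from `list_projects_for_user` (`in_favor_of='assignment_api.list_projects_for_user'`, `what='identity_api.list_projects_for_user'`), so whatever message `utils.deprecated` produces for a role lookup will name the wrong method on both sides. It should read `in_favor_of='assignment_api.get_roles_for_user_and_project'` and `what='identity_api.get_roles_for_user_and_project'`. Anyone relying on those messages to track down the remaining `identity_api` callers of role and grant methods would be pointed at the wrong call. Every other decorator in this hunk matches the method it wraps.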
@@ -2418,17 +2418,17 @@ class IdentityTests(object):
 domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'enabled': True}
 self.assignment_api.create_domain(domain['id'], domain)
- domain_ref = self.identity_api.get_domain(domain['id'])
+ domain_ref = self.assignment_api.get_domain(domain['id'])
 self.assertDictEqual(domain_ref, domain)
 domain['name'] = uuid.uuid4().hex
 self.assignment_api.update_domain(domain['id'], domain)
- domain_ref = self.identity_api.get_domain(domain['id'])
+ domain_ref = self.assignment_api.get_domain(domain['id'])
 self.assertDictEqual(domain_ref, domain)
 self.assignment_api.delete_domain(domain['id'])
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 def test_create_domain_case_sensitivity(self):
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index 19ac85d30e..dcdc148e18 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
@@ -40,7 +40,7 @@ CONF = config.CONF
 class BaseLDAPIdentity(test_backend.IdentityTests):
 def _get_domain_fixture(self):
 """Domains in LDAP are read-only, so just return the static one."""
- return self.identity_api.get_domain(CONF.identity.default_domain_id)
+ return self.assignment_api.get_domain(CONF.identity.default_domain_id)
 def clear_database(self):
 for shelf in fakeldap.FakeShelves:
@@ -267,7 +267,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
 self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id")
 def test_list_domains(self):
- domains = self.identity_api.list_domains()
+ domains = self.assignment_api.list_domains()
 self.assertEqual( domains, [assignment.DEFAULT_DOMAIN])
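Review bot: After this change no test in the visible hunks reaches a domain method through `identity_api`, and the diffstat shows the three test files with only one-for-one line replacements, so the deprecated proxies re-added in keystone/identity/core.py appear to have no direct coverage. A small test that calls a few of them, for example `self.identity_api.get_domain(domain['id'])`, and compares the result with the `assignment_api` call would catch a proxy wired to the wrong target or passing arguments in the wrong order. The same applies to the test_backend_ldap.py and test_v3_identity.py hunks.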
@@ -729,7 +729,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 CONF.identity.default_domain_id, domain)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 domain['description'] = uuid.uuid4().hex
@@ -742,7 +742,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 CONF.identity.default_domain_id, domain)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 self.assertRaises(exception.DomainNotFound, self.assignment_api.delete_domain,
@@ -751,7 +751,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
 self.assignment_api.delete_domain, CONF.identity.default_domain_id)
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 domain['id'])
 def test_create_domain_case_sensitivity(self):
@@ -1004,7 +1004,7 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
 pass
 def test_list_domains(self):
- domains = self.identity_api.list_domains()
+ domains = self.assignment_api.list_domains()
 self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
 def test_project_filter(self):
diff --git a/keystone/tests/test_v3_identity.py b/keystone/tests/test_v3_identity.py
index a686583b36..551a96489c 100644
--- a/keystone/tests/test_v3_identity.py
+++ b/keystone/tests/test_v3_identity.py
@@ -287,7 +287,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
 # Check all the domain2 relevant entities are gone
 self.assertRaises(exception.DomainNotFound,
- self.identity_api.get_domain,
+ self.assignment_api.get_domain,
 self.domain2['id'])
 self.assertRaises(exception.ProjectNotFound, self.assignment_api.get_project,
@@ -303,7 +303,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
 self.credential2['id'])
 # ...and that all self.domain entities are still here
- r = self.identity_api.get_domain(self.domain['id'])
+ r = self.assignment_api.get_domain(self.domain['id'])
 self.assertDictEqual(r, self.domain)
 r = self.assignment_api.get_project(self.project['id'])
 self.assertDictEqual(r, self.project)
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index cff71a87fb..710a2318aa 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -351,7 +351,7 @@ class Auth(controller.V2Controller):
 domain_name = auth.get('domainName', None)
 if domain_name:
 try:
- domain_ref = self.identity_api._get_domain_by_name(
+ domain_ref = self.assignment_api.get_domain_by_name(
 domain_name)
 domain_id = domain_ref['id']
 except exception.DomainNotFound as e:
diff --git a/keystone/token/core.py b/keystone/token/core.py
index 8d83c526a7..9518ab26aa 100644
--- a/keystone/token/core.py
+++ b/keystone/token/core.py
@@ -70,7 +70,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
 raise exception.Unauthorized(msg)
 # If the user's domain is disabled don't allow them to authenticate
- user_domain_ref = self.identity_api.get_domain(
+ user_domain_ref = self.assignment_api.get_domain(
 user_ref['domain_id'])
 if user_domain_ref and not user_domain_ref.get('enabled', True):
 msg = 'Domain is disabled: %s' % user_domain_ref['id']
@@ -85,7 +85,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
 raise exception.Unauthorized(msg)
 # If the project's domain is disabled don't allow them to authenticate
- project_domain_ref = self.identity_api.get_domain(
+ project_domain_ref = self.assignment_api.get_domain(
 tenant_ref['domain_id'])
 if (project_domain_ref and not project_domain_ref.get('enabled', True)):
diff --git a/keystone/token/providers/uuid.py b/keystone/token/providers/uuid.py
index 5ddc0498bf..90e5a38647 100644
--- a/keystone/token/providers/uuid.py
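Review bot: Both disabled-domain checks in `validate_auth_info` (keystone/token/core.py) read the ref returned by the new `self.assignment_api.get_domain(...)` call with `.get('enabled', True)` behind a truthiness guard, so a ref that is empty or lacks an `enabled` key is treated as enabled and authentication proceeds. That condition predates this commit, and whether any assignment backend can return such a ref is not visible from these hunks. Now that the lookup goes straight to the assignment manager, it would help either to add a comment stating that every backend always populates `enabled`, or to fail closed on a missing key with `if user_domain_ref and not user_domain_ref.get('enabled', False):` and the same for `project_domain_ref`. `validate_auth_info` starts and ends outside both hunks.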
+++ b/keystone/token/providers/uuid.py
@@ -140,7 +140,7 @@ class V3TokenDataHelper(object):
 self.trust_api = trust.Manager()
 def _get_filtered_domain(self, domain_id):
- domain_ref = self.identity_api.get_domain(domain_id)
+ domain_ref = self.assignment_api.get_domain(domain_id)
 return {'id': domain_ref['id'], 'name': domain_ref['name']}
 def _get_filtered_project(self, project_id):