Revert "Add manager support for app cred access rules"
This reverts commit 37fc2b9120.
In the Train PTG[1] we agreed to defer the access rules config part of
this feature until we had some kind of traceability or discoverability
for APIs. For simplicity of review, this patch reverts the access rules
addition to the app cred manager so that we can reimplement it in a way
that doesn't require using the access_rules_config API provider.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: I65ac52b8730221562391adc8b0dbccd22ea79b16
parent
d7a2dd48e4
commit
25b2f151a7
|
@ -114,15 +114,6 @@ class Manager(manager.Manager):
|
|||
app_cred_ref['roles'])
|
||||
return app_cred_ref
|
||||
|
||||
def _validate_access_rules(self, access_rules):
|
||||
for access_rule in access_rules:
|
||||
valid = PROVIDERS.access_rules_config_api.check_access_rule(
|
||||
access_rule['service'],
|
||||
access_rule['path'],
|
||||
access_rule['method'])
|
||||
if not valid:
|
||||
raise exception.AccessRuleNotAllowed
|
||||
|
||||
def create_application_credential(self, application_credential,
|
||||
initiator=None):
|
||||
"""Create a new application credential.
|
||||
|
@ -136,15 +127,12 @@ class Manager(manager.Manager):
|
|||
user_id = application_credential['user_id']
|
||||
project_id = application_credential['project_id']
|
||||
roles = application_credential.pop('roles', [])
|
||||
access_rules = application_credential.pop('access_rules', None)
|
||||
|
||||
self._assert_limit_not_exceeded(user_id)
|
||||
self._require_user_has_role_in_project(roles, user_id, project_id)
|
||||
if access_rules: # None or []
|
||||
self._validate_access_rules(access_rules)
|
||||
unhashed_secret = application_credential['secret']
|
||||
ref = self.driver.create_application_credential(
|
||||
application_credential, roles, access_rules)
|
||||
application_credential, roles)
|
||||
ref['secret'] = unhashed_secret
|
||||
ref = self._process_app_cred(ref)
|
||||
notifications.Audit.created(
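Review bot: With `_validate_access_rules` gone, nothing visible in `create_application_credential` says what happens to an `access_rules` key supplied by the caller. The driver call on the new side is `application_credential, roles)`, and the hunk's line counts suggest the `application_credential.pop('access_rules', None)` line is removed too (the rendered page has lost its +/- markers, so this is inferred), which would leave the key in the dict handed to the driver. Access rules exist to narrow what an application credential may do, so dropping or passing through an unchecked list fails open; it is worth confirming that the API layer rejects or strips the key while the feature is deferred. I would add a comment above the driver call such as `# access_rules is deliberately neither validated nor forwarded here; see Change-Id I65ac52b8730221562391adc8b0dbccd22ea79b16`, and keep one unit test that pins the behaviour when `access_rules` is supplied, since the test section of this commit removes both existing ones. The method body continues outside the hunk.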
|
||||
|
|
|
@ -554,11 +554,6 @@ class AccessRulesConfigNotFound(NotFound):
|
|||
"Could not find access rules config for service %(service)s.")
|
||||
|
||||
|
||||
class AccessRuleNotAllowed(ValidationError):
|
||||
message_format = _("The operator has not permitted application "
|
||||
"credentials to use the provided access rules.")
|
||||
|
||||
|
||||
class Conflict(Error):
|
||||
message_format = _("Conflict occurred attempting to store %(type)s -"
|
||||
" %(details)s.")
|
||||
|
|
|
@ -19,8 +19,6 @@ from keystone.common import driver_hints
|
|||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.ksfixtures import access_rules_config
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -109,40 +107,6 @@ class ApplicationCredentialTests(object):
|
|||
self.app_cred_api.create_application_credential,
|
||||
app_cred)
|
||||
|
||||
def test_create_application_credential_with_access_rules(self):
|
||||
self.config_fixture.config(group='access_rules_config', permissive=True)
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
app_cred['access_rules'] = [{
|
||||
'service': uuid.uuid4().hex,
|
||||
'path': uuid.uuid4().hex,
|
||||
'method': uuid.uuid4().hex[16:]
|
||||
}]
|
||||
resp = self.app_cred_api.create_application_credential(app_cred)
|
||||
resp.pop('roles')
|
||||
resp_access_rules = resp.pop('access_rules')
|
||||
app_cred.pop('roles')
|
||||
orig_access_rules = app_cred.pop('access_rules')
|
||||
self.assertDictEqual(app_cred, resp)
|
||||
for i, ar in enumerate(resp_access_rules):
|
||||
self.assertDictEqual(orig_access_rules[i], ar)
|
||||
|
||||
def test_create_application_credential_with_invalid_access_rule(self):
|
||||
rules_file = '%s/access_rules.json' % unit.TESTCONF
|
||||
self.useFixture(access_rules_config.AccessRulesConfig(
|
||||
self.config_fixture, rules_file=rules_file))
|
||||
self.load_backends()
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
app_cred['access_rules'] = [{
|
||||
'service': uuid.uuid4().hex,
|
||||
'path': uuid.uuid4().hex,
|
||||
'method': uuid.uuid4().hex[16:]
|
||||
}]
|
||||
self.assertRaises(exception.AccessRuleNotAllowed,
|
||||
self.app_cred_api.create_application_credential,
|
||||
app_cred)
|
||||
|
||||
def test_get_application_credential(self):
|
||||
app_cred = self._new_app_cred_data(self.user_foo['id'],
|
||||
project_id=self.project_bar['id'])
|
||||
|
|