Merge "Make domain_id immutable by default"

This commit is contained in:
Jenkins 2014-03-21 08:22:32 +00:00 committed by Gerrit Code Review
commit 2e720b5723
3 changed files with 27 additions and 27 deletions

@ -98,13 +98,13 @@
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to true if you want to disable the ability for
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. This can be used to further
# restrict scope of a domain admin, in conjunction with an
# appropriate policy file (see policy.v3cloudsample as an
# example). (boolean value)
#domain_id_immutable=false
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#

@ -109,14 +109,14 @@ FILE_OPTIONS = {
'global limit may be then overridden for a specific '
'driver, by specifying a list_limit in the '
'appropriate section (e.g. [assignment]).'),
cfg.BoolOpt('domain_id_immutable', default=False,
help='Set this to true if you want to disable the '
cfg.BoolOpt('domain_id_immutable', default=True,
help='Set this to false if you want to enable the '
'ability for user, group and project entities '
'to be moved between domains by updating their '
'domain_id. This can be used to further restrict '
'scope of a domain admin, in conjunction with an '
'appropriate policy file (see policy.v3cloudsample '
'as an example).')],
'domain_id. Allowing such movement is not '
'recommended if the scope of a domain admin is being '
'restricted by use of an appropriate policy file '
'(see policy.v3cloudsample as an example).')],
'identity': [
cfg.StrOpt('default_domain_id', default='default',
help='This references the domain to use for all '

@ -428,14 +428,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
project['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/projects/%(project_id)s' % {
'project_id': project['id']},
body={'project': project})
self.assertValidProjectResponse(r, project)
self.config_fixture.config(domain_id_immutable=True)
body={'project': project},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
project['domain_id'] = self.domain['id']
r = self.patch('/projects/%(project_id)s' % {
'project_id': project['id']},
body={'project': project},
expected_status=exception.ValidationError.code)
body={'project': project})
self.assertValidProjectResponse(r, project)
def test_delete_project(self):
"""Call ``DELETE /projects/{project_id}``
@ -600,14 +600,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
user['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user})
self.assertValidUserResponse(r, user)
self.config_fixture.config(domain_id_immutable=True)
body={'user': user},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
user['domain_id'] = self.domain['id']
r = self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user},
expected_status=exception.ValidationError.code)
body={'user': user})
self.assertValidUserResponse(r, user)
def test_delete_user(self):
"""Call ``DELETE /users/{user_id}``.
@ -707,14 +707,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
group['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/groups/%(group_id)s' % {
'group_id': group['id']},
body={'group': group})
self.assertValidGroupResponse(r, group)
self.config_fixture.config(domain_id_immutable=True)
body={'group': group},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
group['domain_id'] = self.domain['id']
r = self.patch('/groups/%(group_id)s' % {
'group_id': group['id']},
body={'group': group},
expected_status=exception.ValidationError.code)
body={'group': group})
self.assertValidGroupResponse(r, group)
def test_delete_group(self):
"""Call ``DELETE /groups/{group_id}``."""