Resource backend is SQL only now
This change has been implemented to avoid the need to backport signficantly impactful Foreign Key dropping backports. Resource is highly relational data and it makes sense to allow the use of FKs from other subsystems to project/domains. Change-Id: Ic3831d1c7ae41fe4d406d60a013770cc1258584f
This commit is contained in:
Morgan Fainberg
parent
99b3641fa0
commit
3d46c8a5d9
@ -11,6 +11,7 @@
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.conf import utils
|
||||
|
||||
@ -18,6 +19,13 @@ from keystone.conf import utils
|
||||
driver = cfg.StrOpt(
|
||||
'driver',
|
||||
default='sql',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
|
||||
'has been unable to be used since Ocata. SQL Resource '
|
||||
'backend is a requirement as of Pike. Setting this '
|
||||
'option no longer has an effect on how Keystone '
|
||||
'operates.',
|
||||
deprecated_since=versionutils.deprecated.PIKE,
|
||||
help=utils.fmt("""
|
||||
Entry point for the resource driver in the `keystone.resource` namespace. Only
|
||||
a `sql` driver is supplied by keystone. Unless you are writing proprietary
|
||||
|
||||
@ -22,6 +22,8 @@ LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
class Resource(base.ResourceDriverBase):
|
||||
# TODO(morgan): Merge all of this code into the manager, Resource backend
|
||||
# is only SQL. There is no configurable driver.
|
||||
|
||||
def default_assignment_driver(self):
|
||||
return 'sql'
|
||||
|
||||
@ -27,6 +27,7 @@ from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.resource.backends import base
|
||||
from keystone.resource.backends import sql as resource_sql
|
||||
from keystone.token import provider as token_provider
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -51,8 +52,12 @@ class Manager(manager.Manager):
|
||||
_PROJECT = 'project'
|
||||
|
||||
def __init__(self):
|
||||
resource_driver = CONF.resource.driver
|
||||
super(Manager, self).__init__(resource_driver)
|
||||
# NOTE(morgan): The resource driver must be SQL. This is because there
|
||||
# is a FK between identity and resource. Almost every deployment uses
|
||||
# SQL Identity in some form. Even if SQL Identity is not used, there
|
||||
# is almost no reason to have non-SQL Resource. Keystone requires
|
||||
# SQL in a number of ways, this simply codifies it plainly for resource
|
||||
self.driver = resource_sql.Resource()
|
||||
|
||||
def _get_hierarchy_depth(self, parents_list):
|
||||
return len(parents_list) + 1
|
||||
|
||||
@ -1045,8 +1045,7 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
|
||||
def assert_backends(self):
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def test_list_domains(self):
|
||||
domains = self.resource_api.list_domains()
|
||||
@ -1756,8 +1755,7 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
|
||||
identity_tests.LimitTests.setUp(self)
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def config_overrides(self):
|
||||
super(LDAPLimitTests, self).config_overrides()
|
||||
@ -2210,8 +2208,7 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
|
||||
self.domain_default['id']: 'ldap',
|
||||
self.domains['domain1']['id']: 'ldap',
|
||||
self.domains['domain2']['id']: 'ldap',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def config_overrides(self):
|
||||
super(MultiLDAPandSQLIdentity, self).config_overrides()
|
||||
@ -2532,8 +2529,7 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
|
||||
self.domain_default['id']: 'ldap',
|
||||
self.domains['domain1']['id']: 'ldap',
|
||||
self.domains['domain2']['id']: 'ldap',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def enable_multi_domain(self):
|
||||
# The values below are the same as in the domain_configs_multi_ldap
|
||||
@ -2758,8 +2754,7 @@ class DomainSpecificLDAPandSQLIdentity(
|
||||
None: 'ldap',
|
||||
'default': 'ldap',
|
||||
self.domains['domain1']['id']: 'sql',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def config_overrides(self):
|
||||
super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
|
||||
@ -2927,8 +2922,7 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
|
||||
def assert_backends(self):
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def config_overrides(self):
|
||||
super(DomainSpecificSQLIdentity, self).config_overrides()
|
||||
|
||||
@ -0,0 +1,12 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The resource backend cannot be configured to anything but SQL if the SQL
|
||||
Identity backend is being used. The resource backend must now be SQL which
|
||||
allows for the use of Foreign Keys to domains/projects wherever desired.
|
||||
This makes managing project relationships and such much more straight
|
||||
forward. The inability to configure non-SQL resource backends has been
|
||||
in Keystone since at least Ocata. This is eliminating some complexity
|
||||
and preventing the need for some really ugly back-port SQL migrations
|
||||
in favor of a better model. Resource is highly relational and should be
|
||||
SQL based.
|
||||
@ -139,9 +139,6 @@ keystone.policy =
|
||||
rules = keystone.policy.backends.rules:Policy
|
||||
sql = keystone.policy.backends.sql:Policy
|
||||
|
||||
keystone.resource =
|
||||
sql = keystone.resource.backends.sql:Resource
|
||||
|
||||
keystone.resource.domain_config =
|
||||
sql = keystone.resource.config_backends.sql:DomainConfig
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user