Remove CONF.os_inherit.enabled
CONF.os_inherit.enabled is planned to be removed in Ocata, as stated in its deprecation message, and this patch removes it. Partially implements bp: removed-as-of-ocata Change-Id: I9072419ba1cfcf3cefb814a224fc499c9067ae30 Needed-by: Id3dd322b3a0585ed95eb2dea4ad35a7949bb9b1f
parent
1c60b1539c
commit
3e5ead0a45
@ -75,7 +75,6 @@ The primary configuration file is organized into the following sections:
|
||||
* ``[ldap]`` - LDAP configuration options
|
||||
* ``[memcache]`` - Memcache configuration options
|
||||
* ``[oauth1]`` - OAuth 1.0a system driver configuration
|
||||
* ``[os_inherit]`` - Inherited role assignment configuration
|
||||
* ``[paste_deploy]`` - Pointer to the PasteDeploy configuration file
|
||||
* ``[policy]`` - Policy system driver configuration for RBAC
|
||||
* ``[resource]`` - Resource system driver configuration
|
||||
@ -1100,21 +1099,6 @@ A secure deployment should have keystone running in a web server (such as
|
||||
Apache httpd), or behind an SSL terminator.
|
||||
|
||||
|
||||
Inherited Role Assignments
|
||||
==========================
|
||||
|
||||
Keystone provides an optional capability to assign roles on a project or domain
|
||||
that, rather than affect the project or domain itself, are instead inherited to
|
||||
the project subtree or to all projects owned by that domain. This capability is
|
||||
enabled by default, but can be disabled by including the following in
|
||||
``keystone.conf``:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[os_inherit]
|
||||
enabled = False
|
||||
|
||||
|
||||
OAuth1 1.0a
|
||||
===========
|
||||
|
||||
|
@ -600,8 +600,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
||||
raise exception.ValidationError(msg)
|
||||
|
||||
def _check_if_inherited(self, context):
|
||||
return (CONF.os_inherit.enabled and
|
||||
context['path'].startswith('/OS-INHERIT') and
|
||||
return (context['path'].startswith('/OS-INHERIT') and
|
||||
context['path'].endswith('/inherited_to_projects'))
|
||||
|
||||
def _check_grant_protection(self, request, protection, role_id=None,
|
||||
|
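Review bot: `_check_if_inherited` has no docstring, and in the new code it decides whether a grant request is treated as inherited purely from the request path. A one-line docstring such as `"""Return True when the request path is an OS-INHERIT inherited_to_projects route."""` would record that the result depends on both the `/OS-INHERIT` prefix and the `/inherited_to_projects` suffix, and no longer on configuration. The callers are outside this hunk, so how the result feeds `_check_grant_protection` cannot be confirmed from here.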
@ -922,16 +922,7 @@ class Manager(manager.Manager):
|
||||
This stripping can be disabled by specifying strip_domain_roles=False,
|
||||
which is useful for internal calls like trusts which need to examine
|
||||
the full set of roles.
|
||||
|
||||
If OS-INHERIT extension is disabled or the used driver does not support
|
||||
inherited roles retrieval, inherited role assignments will be ignored.
|
||||
|
||||
"""
|
||||
if not CONF.os_inherit.enabled:
|
||||
if inherited:
|
||||
return []
|
||||
inherited = False
|
||||
|
||||
subtree_ids = None
|
||||
if project_id and include_subtree:
|
||||
subtree_ids = (
|
||||
|
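Review bot: With the `if not CONF.os_inherit.enabled:` guard gone from the top of this method, inherited assignments already stored in the backend are always considered, so a deployment that ran with `[os_inherit] enabled = False` may see users gain effective roles on child projects after upgrade. The same applies to the Routers section, where the `/OS-INHERIT/...` grant routes are now registered unconditionally rather than returning 404, as the removed test `test_crud_inherited_role_grants_failed_if_disabled` asserted. The release note appears to be filed under `other:`; an `upgrade:` entry should tell operators who had disabled the option to review existing `inherited_to_projects` assignments and the policy rules on the grant actions before upgrading. The removed docstring sentence also covered a driver that does not support inherited role retrieval; whether that case is still handled is not visible, because the method body continues outside the hunk.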
@ -200,82 +200,81 @@ class Routers(wsgi.RoutersBase):
|
||||
get_head_action='list_role_assignments_wrapper',
|
||||
rel=json_home.build_v3_resource_relation('role_assignments'))
|
||||
|
||||
if CONF.os_inherit.enabled:
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_user_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_group_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
|
||||
'inherited_to_projects',
|
||||
get_action='list_grants',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_group_roles_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
|
||||
'inherited_to_projects',
|
||||
get_action='list_grants',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_user_roles_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='project_user_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/projects/{project_id}/groups/{group_id}/'
|
||||
'roles/{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='project_group_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_user_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_group_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
|
||||
'inherited_to_projects',
|
||||
get_action='list_grants',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_group_roles_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
|
||||
'inherited_to_projects',
|
||||
get_action='list_grants',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='domain_user_roles_inherited_to_projects'),
|
||||
path_vars={
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/'
|
||||
'{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='project_user_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
self._add_resource(
|
||||
mapper, grant_controller,
|
||||
path='/OS-INHERIT/projects/{project_id}/groups/{group_id}/'
|
||||
'roles/{role_id}/inherited_to_projects',
|
||||
get_head_action='check_grant',
|
||||
put_action='create_grant',
|
||||
delete_action='revoke_grant',
|
||||
rel=build_os_inherit_relation(
|
||||
resource_name='project_group_role_inherited_to_projects'),
|
||||
path_vars={
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
})
|
||||
|
@ -36,7 +36,6 @@ from keystone.conf import kvs
|
||||
from keystone.conf import ldap
|
||||
from keystone.conf import memcache
|
||||
from keystone.conf import oauth1
|
||||
from keystone.conf import os_inherit
|
||||
from keystone.conf import paste_deploy
|
||||
from keystone.conf import policy
|
||||
from keystone.conf import resource
|
||||
@ -72,7 +71,6 @@ conf_modules = [
|
||||
ldap,
|
||||
memcache,
|
||||
oauth1,
|
||||
os_inherit,
|
||||
paste_deploy,
|
||||
policy,
|
||||
resource,
|
||||
|
@ -1,49 +0,0 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.conf import utils
|
||||
|
||||
|
||||
_DEPRECATE_INHERIT_MSG = utils.fmt("""
|
||||
The option to disable the OS-INHERIT functionality has been deprecated in the
|
||||
Mitaka release and will be removed in the Ocata release. Starting in the Ocata
|
||||
release, OS-INHERIT functionality will always be enabled.
|
||||
""")
|
||||
|
||||
|
||||
enabled = cfg.BoolOpt(
|
||||
'enabled',
|
||||
default=True,
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason=_DEPRECATE_INHERIT_MSG,
|
||||
deprecated_since=versionutils.deprecated.MITAKA,
|
||||
help=utils.fmt("""
|
||||
This allows domain-based role assignments to be inherited to projects owned by
|
||||
that domain, or from parent projects to child projects.
|
||||
"""))
|
||||
|
||||
|
||||
GROUP_NAME = __name__.split('.')[-1]
|
||||
ALL_OPTS = [
|
||||
enabled,
|
||||
]
|
||||
|
||||
|
||||
def register_opts(conf):
|
||||
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||
|
||||
|
||||
def list_opts():
|
||||
return {GROUP_NAME: ALL_OPTS}
|
@ -1992,20 +1992,9 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
||||
project_id=project2['id'],
|
||||
role_id=role_list[5]['id'])
|
||||
|
||||
# Now get the effective roles for all groups on the Project1. With
|
||||
# inheritance off, we should only get back the direct role.
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
role_refs = self.assignment_api.get_roles_for_groups(
|
||||
group_id_list, project_id=project1['id'])
|
||||
|
||||
self.assertThat(role_refs, matchers.HasLength(1))
|
||||
self.assertIn(role_list[2], role_refs)
|
||||
|
||||
# With inheritance on, we should also get back the inherited role from
|
||||
# its owning domain.
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
role_refs = self.assignment_api.get_roles_for_groups(
|
||||
group_id_list, project_id=project1['id'])
|
||||
|
||||
@ -2130,24 +2119,11 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
||||
project_id=project4['id'],
|
||||
role_id=role_list[6]['id'])
|
||||
|
||||
# Now get the projects for the groups that have roles on Project1,
|
||||
# Project2 and the inherited role on Domain!. With inheritance off,
|
||||
# we should only get back the projects with direct role.
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
group_id_list = [group_list[1]['id'], group_list[2]['id'],
|
||||
group_list[3]['id']]
|
||||
project_refs = (
|
||||
self.assignment_api.list_projects_for_groups(group_id_list))
|
||||
|
||||
self.assertThat(project_refs, matchers.HasLength(2))
|
||||
self.assertIn(project1, project_refs)
|
||||
self.assertIn(project2, project_refs)
|
||||
|
||||
# With inheritance on, we should also get back the Project3 due to the
|
||||
# inherited role from its owning domain.
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
project_refs = (
|
||||
self.assignment_api.list_projects_for_groups(group_id_list))
|
||||
|
||||
@ -2497,38 +2473,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
'indirect': {'domain': 0}}]}
|
||||
]
|
||||
}
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
self.execute_assignment_plan(test_plan)
|
||||
|
||||
def test_inherited_role_assignments_excluded_if_os_inherit_false(self):
|
||||
test_plan = {
|
||||
'entities': {'domains': {'users': 2, 'groups': 1, 'projects': 1},
|
||||
'roles': 4},
|
||||
'group_memberships': [{'group': 0, 'users': [0]}],
|
||||
'assignments': [{'user': 0, 'role': 0, 'domain': 0},
|
||||
{'user': 0, 'role': 1, 'project': 0},
|
||||
{'user': 0, 'role': 2, 'domain': 0,
|
||||
'inherited_to_projects': True},
|
||||
{'user': 1, 'role': 1, 'project': 0},
|
||||
{'group': 0, 'role': 3, 'project': 0}],
|
||||
'tests': [
|
||||
# List all direct assignments for user[0], since os-inherit is
|
||||
# disabled, we should not see the inherited role
|
||||
{'params': {'user': 0},
|
||||
'results': [{'user': 0, 'role': 0, 'domain': 0},
|
||||
{'user': 0, 'role': 1, 'project': 0}]},
|
||||
# Same in effective mode - inherited roles should not be
|
||||
# included or expanded...but the group role should now
|
||||
# turn up as a user role, since group expansion is not
|
||||
# part of os-inherit.
|
||||
{'params': {'user': 0, 'effective': True},
|
||||
'results': [{'user': 0, 'role': 0, 'domain': 0},
|
||||
{'user': 0, 'role': 1, 'project': 0},
|
||||
{'user': 0, 'role': 3, 'project': 0,
|
||||
'indirect': {'group': 0}}]},
|
||||
]
|
||||
}
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
self.execute_assignment_plan(test_plan)
|
||||
|
||||
def _test_crud_inherited_and_direct_assignment(self, **kwargs):
|
||||
@ -2540,7 +2484,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
('project_id' or 'domain_id'), respectively.
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
# Create a new role to avoid assignments loaded from default fixtures
|
||||
role = unit.new_role_ref()
|
||||
role = self.role_api.create_role(role['id'], role)
|
||||
@ -2622,7 +2565,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
inherited should not show up
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
role_list = []
|
||||
for _ in range(3):
|
||||
role = unit.new_role_ref()
|
||||
@ -2730,7 +2672,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
direct and two by virtue of inherited group roles
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
role_list = []
|
||||
for _ in range(4):
|
||||
role = unit.new_role_ref()
|
||||
@ -2839,7 +2780,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
- Get a list of projects for user, should return all three projects
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.new_user_ref(domain_id=domain['id'])
|
||||
@ -2909,7 +2849,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
|
||||
"""
|
||||
# Enable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
root_project = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id)
|
||||
root_project = self.resource_api.create_project(root_project['id'],
|
||||
@ -2939,13 +2878,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
self.assertIn(root_project, user_projects)
|
||||
self.assertIn(leaf_project, user_projects)
|
||||
|
||||
# Disable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
# Should get back just root project - due the direct role assignment
|
||||
user_projects = self.assignment_api.list_projects_for_user(user['id'])
|
||||
self.assertEqual(1, len(user_projects))
|
||||
self.assertIn(root_project, user_projects)
|
||||
|
||||
# TODO(henry-nash): The test above uses list_projects_for_user
|
||||
# which may, in a subsequent patch, be re-implemented to call
|
||||
# list_role_assignments and then report only the distinct projects.
|
||||
@ -2974,21 +2906,7 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
'indirect': {'project': 0}}]}
|
||||
]
|
||||
}
|
||||
|
||||
test_plan_with_os_inherit_disabled = {
|
||||
'tests': [
|
||||
# List all effective assignments for user[0] - should only get
|
||||
# back the one direct role.
|
||||
{'params': {'user': 0, 'effective': True},
|
||||
'results': [{'user': 0, 'role': 0, 'project': 0}]}
|
||||
]
|
||||
}
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
test_data = self.execute_assignment_plan(test_plan)
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
# Pass the existing test data in to allow execution of 2nd test plan
|
||||
self.execute_assignment_cases(
|
||||
test_plan_with_os_inherit_disabled, test_data)
|
||||
self.execute_assignment_plan(test_plan)
|
||||
|
||||
def test_list_projects_for_user_with_inherited_group_grants(self):
|
||||
"""Test inherited group roles.
|
||||
@ -3006,7 +2924,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
from the domain, plus the one separate project
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
domain2 = unit.new_domain_ref()
|
||||
@ -3105,7 +3022,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
- Get a list of projects for user, should return only root project
|
||||
|
||||
"""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
root_project = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id)
|
||||
root_project = self.resource_api.create_project(root_project['id'],
|
||||
@ -3139,13 +3055,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
self.assertIn(root_project, user_projects)
|
||||
self.assertIn(leaf_project, user_projects)
|
||||
|
||||
# Disable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
# Should get back just root project - due the direct role assignment
|
||||
user_projects = self.assignment_api.list_projects_for_user(user['id'])
|
||||
self.assertEqual(1, len(user_projects))
|
||||
self.assertIn(root_project, user_projects)
|
||||
|
||||
# TODO(henry-nash): The test above uses list_projects_for_user
|
||||
# which may, in a subsequent patch, be re-implemented to call
|
||||
# list_role_assignments and then report only the distinct projects.
|
||||
@ -3177,27 +3086,11 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
'indirect': {'group': 0, 'project': 0}}]}
|
||||
]
|
||||
}
|
||||
|
||||
test_plan_with_os_inherit_disabled = {
|
||||
'tests': [
|
||||
# List all effective assignments for user[0] - should only get
|
||||
# back the one direct role.
|
||||
{'params': {'user': 0, 'effective': True},
|
||||
'results': [{'user': 0, 'role': 0, 'project': 0,
|
||||
'indirect': {'group': 0}}]}
|
||||
]
|
||||
}
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
test_data = self.execute_assignment_plan(test_plan)
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
# Pass the existing test data in to allow execution of 2nd test plan
|
||||
self.execute_assignment_cases(
|
||||
test_plan_with_os_inherit_disabled, test_data)
|
||||
self.execute_assignment_plan(test_plan)
|
||||
|
||||
def test_list_assignments_for_tree(self):
|
||||
"""Test we correctly list direct assignments for a tree."""
|
||||
# Enable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
test_plan = {
|
||||
# Create a domain with a project hierarchy 3 levels deep:
|
||||
@ -3245,9 +3138,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
|
||||
def test_list_effective_assignments_for_tree(self):
|
||||
"""Test we correctly list effective assignments for a tree."""
|
||||
# Enable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
test_plan = {
|
||||
# Create a domain with a project hierarchy 3 levels deep:
|
||||
#
|
||||
@ -3303,9 +3193,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
itself.
|
||||
|
||||
"""
|
||||
# Enable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
test_plan = {
|
||||
# Create a domain with a project hierarchy 3 levels deep:
|
||||
#
|
||||
@ -3379,9 +3266,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
|
||||
def test_list_effective_assignments_for_tree_with_domain_assignments(self):
|
||||
"""Test we correctly honor domain inherited assignments on the tree."""
|
||||
# Enable OS-INHERIT extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
test_plan = {
|
||||
# Create a domain with a project hierarchy 3 levels deep:
|
||||
#
|
||||
@ -3457,7 +3341,6 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
||||
# Use assignment plan helper to create all the entities and
|
||||
# assignments - then we'll run our own tests using the data
|
||||
test_data = self.execute_assignment_plan(test_plan)
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
user_ids = self.assignment_api.list_user_ids_for_project(
|
||||
test_data['projects'][1]['id'])
|
||||
self.assertThat(user_ids, matchers.HasLength(4))
|
||||
@ -3722,7 +3605,6 @@ class ImpliedRoleTests(AssignmentTestHelperMixin):
|
||||
'indirect': {'domain': 0, 'role': 0}}]},
|
||||
]
|
||||
}
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
self.execute_assignment_plan(test_plan)
|
||||
|
||||
def test_role_assignments_domain_specific_with_implied_roles(self):
|
||||
|
@ -311,7 +311,6 @@ class LDAPTestSetup(unit.TestCase):
|
||||
self.ldapdb = self.useFixture(ldapdb.LDAPDatabase())
|
||||
self.load_backends()
|
||||
self.load_fixtures(default_fixtures)
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
|
||||
|
||||
class BaseLDAPIdentity(IdentityTests, AssignmentTests, ResourceTests):
|
||||
@ -322,7 +321,6 @@ class BaseLDAPIdentity(IdentityTests, AssignmentTests, ResourceTests):
|
||||
|
||||
self.load_backends()
|
||||
self.load_fixtures(default_fixtures)
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
|
||||
def _get_domain_fixture(self):
|
||||
"""Return the static domain, since domains in LDAP are read-only."""
|
||||
|
@ -1054,8 +1054,6 @@ class RoleAssignmentFailureTestCase(RoleAssignmentBaseTestCase):
|
||||
expected_status=http_client.BAD_REQUEST)
|
||||
|
||||
def test_get_role_assignments_by_effective_and_inherited(self):
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
self.get_role_assignments(domain_id=self.domain_id, effective=True,
|
||||
inherited_to_projects=True,
|
||||
expected_status=http_client.BAD_REQUEST)
|
||||
@ -1217,10 +1215,6 @@ class RoleAssignmentInheritedTestCase(RoleAssignmentDirectTestCase):
|
||||
|
||||
"""
|
||||
|
||||
def config_overrides(self):
|
||||
super(RoleAssignmentBaseTestCase, self).config_overrides()
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
def _test_get_role_assignments(self, **filters):
|
||||
"""Add inherited_to_project filter to expected entity in tests."""
|
||||
super(RoleAssignmentInheritedTestCase,
|
||||
@ -1313,10 +1307,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
||||
test_v3.AssignmentTestMixin):
|
||||
"""Test inheritance crud and its effects."""
|
||||
|
||||
def config_overrides(self):
|
||||
super(AssignmentInheritanceTestCase, self).config_overrides()
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
def test_get_token_from_inherited_user_domain_role_grants(self):
|
||||
# Create a new user to ensure that no grant is loaded from sample data
|
||||
user = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
@ -1780,16 +1770,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
||||
|
||||
self.assertRoleAssignmentInListResponse(r, up_entity)
|
||||
|
||||
# Disable the extension and re-check the list, the role inherited
|
||||
# from the project should no longer show up
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
r = self.get(collection_url)
|
||||
self.assertValidRoleAssignmentListResponse(r,
|
||||
expected_length=2,
|
||||
resource_url=collection_url)
|
||||
|
||||
self.assertRoleAssignmentNotInListResponse(r, up_entity)
|
||||
|
||||
def test_list_role_assignments_for_inherited_group_domain_grants(self):
|
||||
"""Call ``GET /role_assignments with inherited group domain grants``.
|
||||
|
||||
@ -2420,32 +2400,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
||||
self.assertRoleAssignmentNotInListResponse(r, inher_up_entity)
|
||||
|
||||
|
||||
class AssignmentInheritanceDisabledTestCase(test_v3.RestfulTestCase):
|
||||
"""Test inheritance crud and its effects."""
|
||||
|
||||
def config_overrides(self):
|
||||
super(AssignmentInheritanceDisabledTestCase, self).config_overrides()
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
|
||||
def test_crud_inherited_role_grants_failed_if_disabled(self):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
|
||||
base_collection_url = (
|
||||
'/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % {
|
||||
'domain_id': self.domain_id,
|
||||
'user_id': self.user['id']})
|
||||
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
|
||||
'collection_url': base_collection_url,
|
||||
'role_id': role['id']}
|
||||
collection_url = base_collection_url + '/inherited_to_projects'
|
||||
|
||||
self.put(member_url, expected_status=http_client.NOT_FOUND)
|
||||
self.head(member_url, expected_status=http_client.NOT_FOUND)
|
||||
self.get(collection_url, expected_status=http_client.NOT_FOUND)
|
||||
self.delete(member_url, expected_status=http_client.NOT_FOUND)
|
||||
|
||||
|
||||
class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
||||
unit.TestCase):
|
||||
def _create_role(self):
|
||||
|
@ -1863,7 +1863,6 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
||||
|
||||
def test_scope_to_project_with_only_inherited_roles(self):
|
||||
"""Try to scope token whose only roles are inherited."""
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
r = self.v3_create_token(
|
||||
self.TOKEN_SCOPE_PROJECT_INHERITED_FROM_CUSTOMER)
|
||||
token_resp = r.result['token']
|
||||
@ -1941,7 +1940,6 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
||||
self.tokens['EMPLOYEE_ASSERTION'],
|
||||
self.tokens['ADMIN_ASSERTION'])
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
projects_refs = (set([self.proj_customers['id'],
|
||||
self.project_inherited['id']]),
|
||||
set([self.proj_employees['id'],
|
||||
@ -1964,9 +1962,6 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
||||
# have tests specific to this functionality grouped, easing readability and
|
||||
# maintenability.
|
||||
def test_list_projects_for_inherited_project_assignment(self):
|
||||
# Enable os_inherit extension
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
# Create a subproject
|
||||
subproject_inherited = unit.new_project_ref(
|
||||
domain_id=self.domainD['id'],
|
||||
|
@ -60,3 +60,6 @@ other:
|
||||
configuration has been removed. Keystone only supports one resource
|
||||
driver and it shouldn't be changed unless you're deploying a custom
|
||||
resource driver.
|
||||
- >
|
||||
Removed the config option ``[os_inherit] enabled`` as the OS-INHERIT
|
||||
extension is now always enabled.
|
||||
|