Merge "deprecate write support for identity LDAP"
This commit is contained in:
commit
4b12da44fe
keystone
releasenotes/notes
@ -626,10 +626,25 @@ FILE_OPTIONS = {
|
|||||||
help='LDAP attribute mapped to default_project_id for '
|
help='LDAP attribute mapped to default_project_id for '
|
||||||
'users.'),
|
'users.'),
|
||||||
cfg.BoolOpt('user_allow_create', default=True,
|
cfg.BoolOpt('user_allow_create', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow user creation in LDAP backend.'),
|
help='Allow user creation in LDAP backend.'),
|
||||||
cfg.BoolOpt('user_allow_update', default=True,
|
cfg.BoolOpt('user_allow_update', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow user updates in LDAP backend.'),
|
help='Allow user updates in LDAP backend.'),
|
||||||
cfg.BoolOpt('user_allow_delete', default=True,
|
cfg.BoolOpt('user_allow_delete', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow user deletion in LDAP backend.'),
|
help='Allow user deletion in LDAP backend.'),
|
||||||
cfg.BoolOpt('user_enabled_emulation', default=False,
|
cfg.BoolOpt('user_enabled_emulation', default=False,
|
||||||
help='If true, Keystone uses an alternative method to '
|
help='If true, Keystone uses an alternative method to '
|
||||||
@ -669,10 +684,25 @@ FILE_OPTIONS = {
|
|||||||
help='List of attributes stripped off the group on '
|
help='List of attributes stripped off the group on '
|
||||||
'update.'),
|
'update.'),
|
||||||
cfg.BoolOpt('group_allow_create', default=True,
|
cfg.BoolOpt('group_allow_create', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow group creation in LDAP backend.'),
|
help='Allow group creation in LDAP backend.'),
|
||||||
cfg.BoolOpt('group_allow_update', default=True,
|
cfg.BoolOpt('group_allow_update', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow group update in LDAP backend.'),
|
help='Allow group update in LDAP backend.'),
|
||||||
cfg.BoolOpt('group_allow_delete', default=True,
|
cfg.BoolOpt('group_allow_delete', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason="Write support for Identity LDAP "
|
||||||
|
"backends has been deprecated in the M "
|
||||||
|
"release and will be removed in the O "
|
||||||
|
"release.",
|
||||||
help='Allow group deletion in LDAP backend.'),
|
help='Allow group deletion in LDAP backend.'),
|
||||||
cfg.ListOpt('group_additional_attribute_mapping',
|
cfg.ListOpt('group_additional_attribute_mapping',
|
||||||
default=[],
|
default=[],
|
||||||
|
@ -17,6 +17,7 @@ import uuid
|
|||||||
import ldap.filter
|
import ldap.filter
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import clean
|
from keystone.common import clean
|
||||||
@ -31,6 +32,10 @@ from keystone import identity
|
|||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
_DEPRECATION_MSG = _('%s for the LDAP identity backend has been deprecated in '
|
||||||
|
'the Mitaka release in favor of read-only identity LDAP '
|
||||||
|
'access. It will be removed in the "O" release.')
|
||||||
|
|
||||||
|
|
||||||
class Identity(identity.IdentityDriverV8):
|
class Identity(identity.IdentityDriverV8):
|
||||||
def __init__(self, conf=None):
|
def __init__(self, conf=None):
|
||||||
@ -87,11 +92,15 @@ class Identity(identity.IdentityDriverV8):
|
|||||||
|
|
||||||
# CRUD
|
# CRUD
|
||||||
def create_user(self, user_id, user):
|
def create_user(self, user_id, user):
|
||||||
|
msg = _DEPRECATION_MSG % "create_user"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.user.check_allow_create()
|
self.user.check_allow_create()
|
||||||
user_ref = self.user.create(user)
|
user_ref = self.user.create(user)
|
||||||
return self.user.filter_attributes(user_ref)
|
return self.user.filter_attributes(user_ref)
|
||||||
|
|
||||||
def update_user(self, user_id, user):
|
def update_user(self, user_id, user):
|
||||||
|
msg = _DEPRECATION_MSG % "update_user"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.user.check_allow_update()
|
self.user.check_allow_update()
|
||||||
old_obj = self.user.get(user_id)
|
old_obj = self.user.get(user_id)
|
||||||
if 'name' in user and old_obj.get('name') != user['name']:
|
if 'name' in user and old_obj.get('name') != user['name']:
|
||||||
@ -110,6 +119,8 @@ class Identity(identity.IdentityDriverV8):
|
|||||||
return self.user.get_filtered(user_id)
|
return self.user.get_filtered(user_id)
|
||||||
|
|
||||||
def delete_user(self, user_id):
|
def delete_user(self, user_id):
|
||||||
|
msg = _DEPRECATION_MSG % "delete_user"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.user.check_allow_delete()
|
self.user.check_allow_delete()
|
||||||
user = self.user.get(user_id)
|
user = self.user.get(user_id)
|
||||||
user_dn = user['dn']
|
user_dn = user['dn']
|
||||||
@ -122,6 +133,8 @@ class Identity(identity.IdentityDriverV8):
|
|||||||
self.user.delete(user_id)
|
self.user.delete(user_id)
|
||||||
|
|
||||||
def create_group(self, group_id, group):
|
def create_group(self, group_id, group):
|
||||||
|
msg = _DEPRECATION_MSG % "create_group"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.group.check_allow_create()
|
self.group.check_allow_create()
|
||||||
group['name'] = clean.group_name(group['name'])
|
group['name'] = clean.group_name(group['name'])
|
||||||
return common_ldap.filter_entity(self.group.create(group))
|
return common_ldap.filter_entity(self.group.create(group))
|
||||||
@ -135,21 +148,29 @@ class Identity(identity.IdentityDriverV8):
|
|||||||
return self.group.get_filtered_by_name(group_name)
|
return self.group.get_filtered_by_name(group_name)
|
||||||
|
|
||||||
def update_group(self, group_id, group):
|
def update_group(self, group_id, group):
|
||||||
|
msg = _DEPRECATION_MSG % "update_group"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.group.check_allow_update()
|
self.group.check_allow_update()
|
||||||
if 'name' in group:
|
if 'name' in group:
|
||||||
group['name'] = clean.group_name(group['name'])
|
group['name'] = clean.group_name(group['name'])
|
||||||
return common_ldap.filter_entity(self.group.update(group_id, group))
|
return common_ldap.filter_entity(self.group.update(group_id, group))
|
||||||
|
|
||||||
def delete_group(self, group_id):
|
def delete_group(self, group_id):
|
||||||
|
msg = _DEPRECATION_MSG % "delete_group"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
self.group.check_allow_delete()
|
self.group.check_allow_delete()
|
||||||
return self.group.delete(group_id)
|
return self.group.delete(group_id)
|
||||||
|
|
||||||
def add_user_to_group(self, user_id, group_id):
|
def add_user_to_group(self, user_id, group_id):
|
||||||
|
msg = _DEPRECATION_MSG % "add_user_to_group"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
user_ref = self._get_user(user_id)
|
user_ref = self._get_user(user_id)
|
||||||
user_dn = user_ref['dn']
|
user_dn = user_ref['dn']
|
||||||
self.group.add_user(user_dn, group_id, user_id)
|
self.group.add_user(user_dn, group_id, user_id)
|
||||||
|
|
||||||
def remove_user_from_group(self, user_id, group_id):
|
def remove_user_from_group(self, user_id, group_id):
|
||||||
|
msg = _DEPRECATION_MSG % "remove_user_from_group"
|
||||||
|
versionutils.report_deprecated_feature(LOG, msg)
|
||||||
user_ref = self._get_user(user_id)
|
user_ref = self._get_user(user_id)
|
||||||
user_dn = user_ref['dn']
|
user_dn = user_ref['dn']
|
||||||
self.group.remove_user(user_dn, group_id, user_id)
|
self.group.remove_user(user_dn, group_id, user_id)
|
||||||
|
@ -20,6 +20,7 @@ import uuid
|
|||||||
import ldap
|
import ldap
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslotest import mockpatch
|
from oslotest import mockpatch
|
||||||
import pkg_resources
|
import pkg_resources
|
||||||
from six.moves import http_client
|
from six.moves import http_client
|
||||||
@ -669,21 +670,46 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
|||||||
# do not yet support the update of either group or domain names with LDAP.
|
# do not yet support the update of either group or domain names with LDAP.
|
||||||
# In the tests below, the update is demonstrated by updating description.
|
# In the tests below, the update is demonstrated by updating description.
|
||||||
# Refer to bug 1136403 for more detail.
|
# Refer to bug 1136403 for more detail.
|
||||||
def test_group_crud(self):
|
@mock.patch.object(versionutils, 'report_deprecated_feature')
|
||||||
|
def test_group_crud(self, mock_deprecator):
|
||||||
|
# NOTE(stevemar): As of the Mitaka release, we now check for calls that
|
||||||
|
# the LDAP write functionality has been deprecated.
|
||||||
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
group = self.identity_api.create_group(group)
|
group = self.identity_api.create_group(group)
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("create_group for the LDAP identity backend", args[1])
|
||||||
|
|
||||||
group_ref = self.identity_api.get_group(group['id'])
|
group_ref = self.identity_api.get_group(group['id'])
|
||||||
self.assertDictEqual(group, group_ref)
|
self.assertDictEqual(group, group_ref)
|
||||||
group['description'] = uuid.uuid4().hex
|
group['description'] = uuid.uuid4().hex
|
||||||
self.identity_api.update_group(group['id'], group)
|
self.identity_api.update_group(group['id'], group)
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("update_group for the LDAP identity backend", args[1])
|
||||||
|
|
||||||
group_ref = self.identity_api.get_group(group['id'])
|
group_ref = self.identity_api.get_group(group['id'])
|
||||||
self.assertDictEqual(group, group_ref)
|
self.assertDictEqual(group, group_ref)
|
||||||
|
|
||||||
self.identity_api.delete_group(group['id'])
|
self.identity_api.delete_group(group['id'])
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("delete_group for the LDAP identity backend", args[1])
|
||||||
self.assertRaises(exception.GroupNotFound,
|
self.assertRaises(exception.GroupNotFound,
|
||||||
self.identity_api.get_group,
|
self.identity_api.get_group,
|
||||||
group['id'])
|
group['id'])
|
||||||
|
|
||||||
|
@mock.patch.object(versionutils, 'report_deprecated_feature')
|
||||||
|
def test_add_remove_user_group_deprecated(self, mock_deprecator):
|
||||||
|
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
|
group = self.identity_api.create_group(group)
|
||||||
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
|
user = self.identity_api.create_user(user)
|
||||||
|
self.identity_api.add_user_to_group(user['id'], group['id'])
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("add_user_to_group for the LDAP identity", args[1])
|
||||||
|
|
||||||
|
self.identity_api.remove_user_from_group(user['id'], group['id'])
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("remove_user_from_group for the LDAP identity", args[1])
|
||||||
|
|
||||||
@unit.skip_if_cache_disabled('identity')
|
@unit.skip_if_cache_disabled('identity')
|
||||||
def test_cache_layer_group_crud(self):
|
def test_cache_layer_group_crud(self):
|
||||||
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
@ -1852,10 +1878,16 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
|||||||
self.resource_api.get_project,
|
self.resource_api.get_project,
|
||||||
project['id'])
|
project['id'])
|
||||||
|
|
||||||
def test_user_crud(self):
|
@mock.patch.object(versionutils, 'report_deprecated_feature')
|
||||||
|
def test_user_crud(self, mock_deprecator):
|
||||||
|
# NOTE(stevemar): As of the Mitaka release, we now check for calls that
|
||||||
|
# the LDAP write functionality has been deprecated.
|
||||||
user_dict = self.new_user_ref(
|
user_dict = self.new_user_ref(
|
||||||
domain_id=CONF.identity.default_domain_id)
|
domain_id=CONF.identity.default_domain_id)
|
||||||
user = self.identity_api.create_user(user_dict)
|
user = self.identity_api.create_user(user_dict)
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("create_user for the LDAP identity backend", args[1])
|
||||||
|
|
||||||
del user_dict['password']
|
del user_dict['password']
|
||||||
user_ref = self.identity_api.get_user(user['id'])
|
user_ref = self.identity_api.get_user(user['id'])
|
||||||
user_ref_dict = {x: user_ref[x] for x in user_ref}
|
user_ref_dict = {x: user_ref[x] for x in user_ref}
|
||||||
@ -1863,12 +1895,17 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
|||||||
|
|
||||||
user_dict['password'] = uuid.uuid4().hex
|
user_dict['password'] = uuid.uuid4().hex
|
||||||
self.identity_api.update_user(user['id'], user_dict)
|
self.identity_api.update_user(user['id'], user_dict)
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("update_user for the LDAP identity backend", args[1])
|
||||||
|
|
||||||
del user_dict['password']
|
del user_dict['password']
|
||||||
user_ref = self.identity_api.get_user(user['id'])
|
user_ref = self.identity_api.get_user(user['id'])
|
||||||
user_ref_dict = {x: user_ref[x] for x in user_ref}
|
user_ref_dict = {x: user_ref[x] for x in user_ref}
|
||||||
self.assertDictContainsSubset(user_dict, user_ref_dict)
|
self.assertDictContainsSubset(user_dict, user_ref_dict)
|
||||||
|
|
||||||
self.identity_api.delete_user(user['id'])
|
self.identity_api.delete_user(user['id'])
|
||||||
|
args, _kwargs = mock_deprecator.call_args
|
||||||
|
self.assertIn("delete_user for the LDAP identity backend", args[1])
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.identity_api.get_user,
|
self.identity_api.get_user,
|
||||||
user['id'])
|
user['id'])
|
||||||
|
@ -6,3 +6,10 @@ deprecations:
|
|||||||
deprecated. They will be removed in the 'O' release. Due to this change,
|
deprecated. They will be removed in the 'O' release. Due to this change,
|
||||||
the ``hash_algorithm`` option in the ``[token]`` section of the
|
the ``hash_algorithm`` option in the ``[token]`` section of the
|
||||||
configuration file has also been deprecated.
|
configuration file has also been deprecated.
|
||||||
|
- >
|
||||||
|
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||||
|
As of the Mitaka release, write support for the LDAP driver of the Identity
|
||||||
|
backend has been deprecated. This includes the following operations: create user,
|
||||||
|
create group, delete user, delete group, update user, update group,
|
||||||
|
add user to group, and remove user from group. These operations will be
|
||||||
|
removed in the 'O' release.
|
||||||
|
Loading…
x
Reference in New Issue
Block a user