openstack
/
keystone
Code Issues Proposed changes

tenant to project in the apis 

Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
This commit is contained in:
Adam Young 2013-01-25 17:19:16 -05:00
parent 31660b119e
commit 4b2b3af2e3
21 changed files with 442 additions and 468 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
keystone/clean.py
View File

@ -49,8 +49,8 @@ def domain_name(name):
return check_name('Domain', name)
def tenant_name(name):
return check_name('Tenant', name)
def project_name(name):
return check_name('Project', name)
def user_name(name):

25
keystone/common/sql/legacy.py
View File

@ -59,12 +59,12 @@ class LegacyMigration(object):
self.ec2_driver = ec2_sql.Ec2()
self._data = {}
self._user_map = {}
self._tenant_map = {}
self._project_map = {}
self._role_map = {}
def migrate_all(self):
self._export_legacy_db()
self._migrate_tenants()
self._migrate_projects()
self._migrate_users()
self._migrate_roles()
self._migrate_user_roles()
@ -98,7 +98,7 @@ class LegacyMigration(object):
def _export_legacy_db(self):
self._data = export_db(self.db)
def _migrate_tenants(self):
def _migrate_projects(self):
for x in self._data['tenants']:
# map
new_dict = {'description': x.get('desc', ''),
@ -106,10 +106,10 @@ class LegacyMigration(object):
'enabled': x.get('enabled', True)}
new_dict['name'] = x.get('name', new_dict.get('id'))
# track internal ids
self._tenant_map[x.get('id')] = new_dict['id']
self._project_map[x.get('id')] = new_dict['id']
# create
#print 'create_tenant(%s, %s)' % (new_dict['id'], new_dict)
self.identity_driver.create_tenant(new_dict['id'], new_dict)
#print 'create_project(%s, %s)' % (new_dict['id'], new_dict)
self.identity_driver.create_project(new_dict['id'], new_dict)
def _migrate_users(self):
for x in self._data['users']:
@ -119,7 +119,7 @@ class LegacyMigration(object):
'id': x.get('uid', x.get('id')),
'enabled': x.get('enabled', True)}
if x.get('tenant_id'):
new_dict['tenant_id'] = self._tenant_map.get(x['tenant_id'])
new_dict['tenant_id'] = self._project_map.get(x['tenant_id'])
new_dict['name'] = x.get('name', new_dict.get('id'))
# track internal ids
self._user_map[x.get('id')] = new_dict['id']
@ -127,8 +127,9 @@ class LegacyMigration(object):
#print 'create_user(%s, %s)' % (new_dict['id'], new_dict)
self.identity_driver.create_user(new_dict['id'], new_dict)
if new_dict.get('tenant_id'):
self.identity_driver.add_user_to_tenant(new_dict['tenant_id'],
new_dict['id'])
self.identity_driver.add_user_to_project(
new_dict['tenant_id'],
new_dict['id'])
def _migrate_roles(self):
for x in self._data['roles']:
@ -148,15 +149,15 @@ class LegacyMigration(object):
or not x.get('role_id')):
continue
user_id = self._user_map[x['user_id']]
tenant_id = self._tenant_map[x['tenant_id']]
tenant_id = self._project_map[x['tenant_id']]
role_id = self._role_map[x['role_id']]
try:
self.identity_driver.add_user_to_tenant(tenant_id, user_id)
self.identity_driver.add_user_to_project(tenant_id, user_id)
except Exception:
pass
self.identity_driver.add_role_to_user_and_tenant(
self.identity_driver.add_role_to_user_and_project(
user_id, tenant_id, role_id)
def _migrate_tokens(self):

12
keystone/common/sql/nova.py
View File

@ -28,7 +28,7 @@ LOG = logging.getLogger(__name__)
def import_auth(data):
identity_api = identity_sql.Identity()
tenant_map = _create_tenants(identity_api, data['tenants'])
tenant_map = _create_projects(identity_api, data['tenants'])
user_map = _create_users(identity_api, data['users'])
_create_memberships(identity_api, data['user_tenant_list'],
user_map, tenant_map)
@ -45,7 +45,7 @@ def _generate_uuid():
return uuid.uuid4().hex
def _create_tenants(api, tenants):
def _create_projects(api, tenants):
tenant_map = {}
for tenant in tenants:
tenant_dict = {
@ -56,7 +56,7 @@ def _create_tenants(api, tenants):
}
tenant_map[tenant['id']] = tenant_dict['id']
LOG.debug(_('Create tenant %s') % tenant_dict)
api.create_tenant(tenant_dict['id'], tenant_dict)
api.create_project(tenant_dict['id'], tenant_dict)
return tenant_map
@ -81,7 +81,7 @@ def _create_memberships(api, memberships, user_map, tenant_map):
user_id = user_map[membership['user_id']]
tenant_id = tenant_map[membership['tenant_id']]
LOG.debug(_('Add user %s to tenant %s') % (user_id, tenant_id))
api.add_user_to_tenant(tenant_id, user_id)
api.add_user_to_project(tenant_id, user_id)
def _create_roles(api, roles):
@ -107,13 +107,13 @@ def _assign_roles(api, assignments, role_map, user_map, tenant_map):
tenant_id = tenant_map[assignment['tenant_id']]
LOG.debug(_('Assign role %s to user %s on tenant %s') %
(role_id, user_id, tenant_id))
api.add_role_to_user_and_tenant(user_id, tenant_id, role_id)
api.add_role_to_user_and_project(user_id, tenant_id, role_id)
def _create_ec2_creds(ec2_api, identity_api, ec2_creds, user_map):
for ec2_cred in ec2_creds:
user_id = user_map[ec2_cred['user_id']]
for tenant_id in identity_api.get_tenants_for_user(user_id):
for tenant_id in identity_api.get_projects_for_user(user_id):
cred_dict = {
'access': '%s:%s' % (tenant_id, ec2_cred['access_key']),
'secret': ec2_cred['secret_key'],

12
keystone/contrib/admin_crud/core.py
View File

@ -36,22 +36,22 @@ class CrudExtension(wsgi.ExtensionRouter):
mapper.connect(
'/tenants',
controller=tenant_controller,
action='create_tenant',
action='create_project',
conditions=dict(method=['POST']))
mapper.connect(
'/tenants/{tenant_id}',
controller=tenant_controller,
action='update_tenant',
action='update_project',
conditions=dict(method=['PUT', 'POST']))
mapper.connect(
'/tenants/{tenant_id}',
controller=tenant_controller,
action='delete_tenant',
action='delete_project',
conditions=dict(method=['DELETE']))
mapper.connect(
'/tenants/{tenant_id}/users',
controller=tenant_controller,
action='get_tenant_users',
action='get_project_users',
conditions=dict(method=['GET']))
# User Operations
@ -93,12 +93,12 @@ class CrudExtension(wsgi.ExtensionRouter):
mapper.connect(
'/users/{user_id}/tenant',
controller=user_controller,
action='update_user_tenant',
action='update_user_project',
conditions=dict(method=['PUT']))
mapper.connect(
'/users/{user_id}/OS-KSADM/tenant',
controller=user_controller,
action='update_user_tenant',
action='update_user_project',
conditions=dict(method=['PUT']))
# COMPAT(diablo): the copy with no OS-KSADM is from diablo

8
keystone/contrib/ec2/core.py
View File

@ -150,7 +150,7 @@ class Ec2Controller(controller.V2Controller):
# TODO(termie): don't create new tokens every time
# TODO(termie): this is copied from TokenController.authenticate
token_id = uuid.uuid4().hex
tenant_ref = self.identity_api.get_tenant(
tenant_ref = self.identity_api.get_project(
context=context,
tenant_id=creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(
@ -203,7 +203,7 @@ class Ec2Controller(controller.V2Controller):
self._assert_identity(context, user_id)
self._assert_valid_user_id(context, user_id)
self._assert_valid_tenant_id(context, tenant_id)
self._assert_valid_project_id(context, tenant_id)
cred_ref = {'user_id': user_id,
'tenant_id': tenant_id,
@ -330,7 +330,7 @@ class Ec2Controller(controller.V2Controller):
if not user_ref:
raise exception.UserNotFound(user_id=user_id)
def _assert_valid_tenant_id(self, context, tenant_id):
def _assert_valid_project_id(self, context, tenant_id):
"""Ensure a valid tenant id.
:param context: standard context
@ -338,7 +338,7 @@ class Ec2Controller(controller.V2Controller):
:raises exception.ProjectNotFound: on failure
"""
tenant_ref = self.identity_api.get_tenant(
tenant_ref = self.identity_api.get_project(
context=context,
tenant_id=tenant_id)
if not tenant_ref:

82
keystone/identity/backends/kvs.py
View File

@ -43,11 +43,11 @@ class Identity(kvs.Base, identity.Driver):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id):
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_tenant(tenant_id)
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
@ -57,24 +57,24 @@ class Identity(kvs.Base, identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id):
def get_project(self, tenant_id):
try:
return self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
def get_tenants(self):
def get_projects(self):
tenant_keys = filter(lambda x: x.startswith("tenant-"), self.db.keys())
return [self.db.get(key) for key in tenant_keys]
def get_tenant_by_name(self, tenant_name):
def get_project_by_name(self, tenant_name):
try:
return self.db.get('tenant_name-%s' % tenant_name)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name)
def get_tenant_users(self, tenant_id):
self.get_tenant(tenant_id)
def get_project_users(self, tenant_id):
self.get_project(tenant_id)
user_keys = filter(lambda x: x.startswith("user-"), self.db.keys())
user_refs = [self.db.get(key) for key in user_keys]
return filter(lambda x: tenant_id in x['tenants'], user_refs)
@ -122,15 +122,15 @@ class Identity(kvs.Base, identity.Driver):
return [self.get_role(x) for x in role_ids]
# These should probably be part of the high-level API
def add_user_to_tenant(self, tenant_id, user_id):
self.get_tenant(tenant_id)
def add_user_to_project(self, tenant_id, user_id):
self.get_project(tenant_id)
user_ref = self._get_user(user_id)
tenants = set(user_ref.get('tenants', []))
tenants.add(tenant_id)
self.update_user(user_id, {'tenants': list(tenants)})
def remove_user_from_tenant(self, tenant_id, user_id):
self.get_tenant(tenant_id)
def remove_user_from_project(self, tenant_id, user_id):
self.get_project(tenant_id)
user_ref = self._get_user(user_id)
tenants = set(user_ref.get('tenants', []))
try:
@ -139,22 +139,22 @@ class Identity(kvs.Base, identity.Driver):
raise exception.NotFound('User not found in tenant')
self.update_user(user_id, {'tenants': list(tenants)})
def get_tenants_for_user(self, user_id):
def get_projects_for_user(self, user_id):
user_ref = self._get_user(user_id)
return user_ref.get('tenants', [])
def get_roles_for_user_and_tenant(self, user_id, tenant_id):
def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound:
metadata_ref = {}
return metadata_ref.get('roles', [])
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
self.get_role(role_id)
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
@ -169,7 +169,7 @@ class Identity(kvs.Base, identity.Driver):
metadata_ref['roles'] = list(roles)
self.update_metadata(user_id, tenant_id, metadata_ref)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound:
@ -283,10 +283,10 @@ class Identity(kvs.Base, identity.Driver):
user_list.remove(user_id)
self.db.set('user_list', list(user_list))
def create_tenant(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name'])
def create_project(self, tenant_id, tenant):
tenant['name'] = clean.project_name(tenant['name'])
try:
self.get_tenant(tenant_id)
self.get_project(tenant_id)
except exception.ProjectNotFound:
pass
else:
@ -294,7 +294,7 @@ class Identity(kvs.Base, identity.Driver):
raise exception.Conflict(type='tenant', details=msg)
try:
self.get_tenant_by_name(tenant['name'])
self.get_project_by_name(tenant['name'])
except exception.ProjectNotFound:
pass
else:
@ -305,9 +305,9 @@ class Identity(kvs.Base, identity.Driver):
self.db.set('tenant_name-%s' % tenant['name'], tenant)
return tenant
def update_tenant(self, tenant_id, tenant):
def update_project(self, tenant_id, tenant):
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
tenant['name'] = clean.project_name(tenant['name'])
try:
existing = self.db.get('tenant_name-%s' % tenant['name'])
if existing and tenant_id != existing['id']:
@ -317,23 +317,23 @@ class Identity(kvs.Base, identity.Driver):
pass
# get the old name and delete it too
try:
old_tenant = self.db.get('tenant-%s' % tenant_id)
old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
new_tenant = old_tenant.copy()
new_tenant.update(tenant)
new_tenant['id'] = tenant_id
self.db.delete('tenant_name-%s' % old_tenant['name'])
self.db.set('tenant-%s' % tenant_id, new_tenant)
self.db.set('tenant_name-%s' % new_tenant['name'], new_tenant)
return new_tenant
new_project = old_project.copy()
new_project.update(tenant)
new_project['id'] = tenant_id
self.db.delete('tenant_name-%s' % old_project['name'])
self.db.set('tenant-%s' % tenant_id, new_project)
self.db.set('tenant_name-%s' % new_project['name'], new_project)
return new_project
def delete_tenant(self, tenant_id):
def delete_project(self, tenant_id):
try:
old_tenant = self.db.get('tenant-%s' % tenant_id)
old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
self.db.delete('tenant_name-%s' % old_tenant['name'])
self.db.delete('tenant_name-%s' % old_project['name'])
self.db.delete('tenant-%s' % tenant_id)
def create_metadata(self, user_id, tenant_id, metadata,
@ -396,9 +396,9 @@ class Identity(kvs.Base, identity.Driver):
tenant_id = key.split('-')[1]
user_id = key.split('-')[2]
try:
self.remove_role_from_user_and_tenant(user_id,
tenant_id,
role_id)
self.remove_role_from_user_and_project(user_id,
tenant_id,
role_id)
except exception.RoleNotFound:
pass
except exception.NotFound:
@ -418,7 +418,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -440,7 +440,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -459,7 +459,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -481,7 +481,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,

140
keystone/identity/backends/ldap/core.py
View File

@ -41,7 +41,7 @@ class Identity(identity.Driver):
self.suffix = CONF.ldap.suffix
self.user = UserApi(CONF)
self.tenant = ProjectApi(CONF)
self.project = ProjectApi(CONF)
self.role = RoleApi(CONF)
self.group = GroupApi(CONF)
@ -81,11 +81,11 @@ class Identity(identity.Driver):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id):
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_tenant(tenant_id)
tenant_ref = self.get_project(tenant_id)
# TODO(termie): this should probably be made into a
# get roles call
metadata_ref = self.get_metadata(user_id, tenant_id)
@ -97,18 +97,18 @@ class Identity(identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id):
def get_project(self, tenant_id):
try:
return self.tenant.get(tenant_id)
return self.project.get(tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
def get_tenants(self):
return self.tenant.get_all()
def get_projects(self):
return self.project.get_all()
def get_tenant_by_name(self, tenant_name):
def get_project_by_name(self, tenant_name):
try:
return self.tenant.get_by_name(tenant_name)
return self.project.get_by_name(tenant_name)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name)
@ -131,10 +131,10 @@ class Identity(identity.Driver):
raise exception.UserNotFound(user_id=user_name)
def get_metadata(self, user_id, tenant_id):
if not self.get_tenant(tenant_id) or not self.get_user(user_id):
if not self.get_project(tenant_id) or not self.get_user(user_id):
return {}
metadata_ref = self.get_roles_for_user_and_tenant(user_id, tenant_id)
metadata_ref = self.get_roles_for_user_and_project(user_id, tenant_id)
if not metadata_ref:
return {}
return {'roles': metadata_ref}
@ -149,30 +149,28 @@ class Identity(identity.Driver):
return self.role.get_all()
# These should probably be part of the high-level API
# When this happens, then change TenantAPI.add_user to not ignore
# ldap.TYPE_OR_VALUE_EXISTS
def add_user_to_tenant(self, tenant_id, user_id):
self.get_tenant(tenant_id)
def add_user_to_project(self, tenant_id, user_id):
self.get_project(tenant_id)
self.get_user(user_id)
return self.tenant.add_user(tenant_id, user_id)
return self.project.add_user(tenant_id, user_id)
def get_tenants_for_user(self, user_id):
def get_projects_for_user(self, user_id):
self.get_user(user_id)
tenant_list = []
for tenant in self.tenant.get_user_tenants(user_id):
for tenant in self.project.get_user_projects(user_id):
tenant_list.append(tenant['id'])
return tenant_list
def get_tenant_users(self, tenant_id):
self.get_tenant(tenant_id)
def get_project_users(self, tenant_id):
self.get_project(tenant_id)
user_list = []
for user in self.tenant.get_users(tenant_id):
for user in self.project.get_users(tenant_id):
user_list.append(user)
return user_list
def get_roles_for_user_and_tenant(self, user_id, tenant_id):
def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
assignments = self.role.get_role_assignments(tenant_id)
roles = []
for assignment in assignments:
@ -180,9 +178,9 @@ class Identity(identity.Driver):
roles.append(assignment.role_id)
return roles
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
self.get_role(role_id)
self.role.add_user(role_id, user_id, tenant_id)
@ -196,17 +194,17 @@ class Identity(identity.Driver):
user['name'] = clean.user_name(user['name'])
return self.user.update(user_id, user)
def create_tenant(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name'])
def create_project(self, tenant_id, tenant):
tenant['name'] = clean.project_name(tenant['name'])
data = tenant.copy()
if 'id' not in data or data['id'] is None:
data['id'] = str(uuid.uuid4().hex)
return self.tenant.create(tenant)
return self.project.create(tenant)
def update_tenant(self, tenant_id, tenant):
def update_project(self, tenant_id, tenant):
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
return self.tenant.update(tenant_id, tenant)
tenant['name'] = clean.project_name(tenant['name'])
return self.project.update(tenant_id, tenant)
def create_metadata(self, user_id, tenant_id, metadata):
return {}
@ -236,9 +234,9 @@ class Identity(identity.Driver):
except ldap.NO_SUCH_OBJECT:
raise exception.RoleNotFound(role_id=role_id)
def delete_tenant(self, tenant_id):
def delete_project(self, tenant_id):
try:
return self.tenant.delete(tenant_id)
return self.project.delete(tenant_id)
except ldap.NO_SUCH_OBJECT:
raise exception.ProjectNotFound(project_id=tenant_id)
@ -248,13 +246,13 @@ class Identity(identity.Driver):
except ldap.NO_SUCH_OBJECT:
raise exception.UserNotFound(user_id=user_id)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
return self.role.delete_user(role_id, user_id, tenant_id)
def remove_user_from_tenant(self, tenant_id, user_id):
def remove_user_from_project(self, tenant_id, user_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
return self.tenant.remove_user(tenant_id, user_id)
self.get_project(tenant_id)
return self.project.remove_user(tenant_id, user_id)
def update_role(self, role_id, role):
self.get_role(role_id)
@ -291,7 +289,7 @@ class ApiShim(object):
"""
_role = None
_tenant = None
_project = None
_user = None
_group = None
@ -305,10 +303,10 @@ class ApiShim(object):
return self._role
@property
def tenant(self):
if not self._tenant:
self._tenant = ProjectApi(self.conf)
return self._tenant
def project(self):
if not self._project:
self._project = ProjectApi(self.conf)
return self._project
@property
def user(self):
@ -333,7 +331,7 @@ class ApiShimMixin(object):
@property
def project_api(self):
return self.api.tenant
return self.api.project
@property
def user_api(self):
@ -425,15 +423,15 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
if old_obj.get('name') != values['name']:
raise exception.Conflict('Cannot change user name')
try:
new_tenant = values['tenant_id']
new_project = values['tenant_id']
except KeyError:
pass
else:
if old_obj.get('tenant_id') != new_tenant:
if old_obj.get('tenant_id') != new_project:
if old_obj['tenant_id']:
self.project_api.remove_user(old_obj['tenant_id'], id)
if new_tenant:
self.project_api.add_user(new_tenant, id)
if new_project:
self.project_api.add_user(new_project, id)
values = utils.hash_ldap_user_password(values)
if self.enabled_mask:
@ -451,7 +449,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
for ref in self.role_api.list_global_roles_for_user(id):
self.role_api.rolegrant_delete(ref.id)
for ref in self.role_api.list_tenant_roles_for_user(id):
for ref in self.role_api.list_project_roles_for_user(id):
self.role_api.rolegrant_delete(ref.id)
def get_by_email(self, email):
@ -463,10 +461,10 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
except IndexError:
return None
def user_roles_by_tenant(self, user_id, tenant_id):
return self.role_api.list_tenant_roles_for_user(user_id, tenant_id)
def user_roles_by_project(self, user_id, tenant_id):
return self.role_api.list_project_roles_for_user(user_id, tenant_id)
def get_by_tenant(self, user_id, tenant_id):
def get_by_project(self, user_id, tenant_id):
user_dn = self._id_to_dn(user_id)
user = self.get(user_id)
tenant = self.project_api._ldap_get(tenant_id,
@ -474,7 +472,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
if tenant is not None:
return user
else:
if self.role_api.list_tenant_roles_for_user(user_id, tenant_id):
if self.role_api.list_project_roles_for_user(user_id, tenant_id):
return user
return None
@ -488,13 +486,13 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
def users_get_page_markers(self, marker, limit):
return self.get_page_markers(marker, limit)
def users_get_by_tenant_get_page(self, tenant_id, role_id, marker, limit):
def users_get_by_project_get_page(self, tenant_id, role_id, marker, limit):
return self._get_page(marker,
limit,
self.project_api.get_users(tenant_id, role_id))
def users_get_by_tenant_get_page_markers(self, tenant_id, role_id, marker,
limit):
def users_get_by_project_get_page_markers(self, tenant_id, role_id,
marker, limit):
return self._get_page_markers(
marker, limit, self.project_api.get_users(tenant_id, role_id))
@ -553,7 +551,7 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
data['id'] = uuid.uuid4().hex
return super(ProjectApi, self).create(data)
def get_user_tenants(self, user_id):
def get_user_projects(self, user_id):
"""Returns list of tenants a user has access to
Always includes default tenants.
@ -564,11 +562,13 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
return memberships
def list_for_user_get_page(self, user, marker, limit):
return self._get_page(marker, limit, self.get_user_tenants(user['id']))
return self._get_page(marker,
limit,
self.get_user_projects(user['id']))
def list_for_user_get_page_markers(self, user, marker, limit):
return self._get_page_markers(
marker, limit, self.get_user_tenants(user['id']))
marker, limit, self.get_user_projects(user['id']))
def is_empty(self, id):
tenant = self._ldap_get(id)
@ -627,7 +627,7 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
if self.subtree_delete_enabled:
super(ProjectApi, self).deleteTree(id)
else:
self.role_api.roles_delete_subtree_by_tenant(id)
self.role_api.roles_delete_subtree_by_project(id)
super(ProjectApi, self).delete(id)
def update(self, id, values):
@ -648,7 +648,7 @@ class UserRoleAssociation(object):
*args, **kw):
self.user_id = str(user_id)
self.role_id = role_id
self.tenant_id = str(tenant_id)
self.project_id = str(tenant_id)
class GroupRoleAssociation(object):
@ -658,7 +658,7 @@ class GroupRoleAssociation(object):
*args, **kw):
self.group_id = str(group_id)
self.role_id = role_id
self.tenant_id = str(tenant_id)
self.project_id = str(tenant_id)
# TODO(termie): turn this into a data object and move logic to driver
@ -698,12 +698,12 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
def _explode_ref(rolegrant):
a = rolegrant.split('-', 2)
len_role = int(a[0])
len_tenant = int(a[1])
len_project = int(a[1])
role_id = a[2][:len_role]
role_id = None if len(role_id) == 0 else str(role_id)
tenant_id = a[2][len_role:len_tenant + len_role]
tenant_id = a[2][len_role:len_project + len_role]
tenant_id = None if len(tenant_id) == 0 else str(tenant_id)
user_id = a[2][len_tenant + len_role:]
user_id = a[2][len_project + len_role:]
user_id = None if len(user_id) == 0 else str(user_id)
return role_id, tenant_id, user_id
@ -837,7 +837,7 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
role_id=role.id,
user_id=user_id) for role in roles]
def list_tenant_roles_for_user(self, user_id, tenant_id=None):
def list_project_roles_for_user(self, user_id, tenant_id=None):
conn = self.get_connection()
user_dn = self.user_api._id_to_dn(user_id)
query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
@ -912,8 +912,8 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
all_roles += self.list_global_roles_for_user(user_id)
else:
for tenant in self.project_api.get_all():
all_roles += self.list_tenant_roles_for_user(user_id,
tenant['id'])
all_roles += self.list_project_roles_for_user(user_id,
tenant['id'])
return self._get_page(marker, limit, all_roles)
def rolegrant_get_page_markers(self, user_id, tenant_id, marker, limit):
@ -922,8 +922,8 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
all_roles = self.list_global_roles_for_user(user_id)
else:
for tenant in self.project_api.get_all():
all_roles += self.list_tenant_roles_for_user(user_id,
tenant['id'])
all_roles += self.list_project_roles_for_user(user_id,
tenant['id'])
return self._get_page_markers(marker, limit, all_roles)
def get_by_service_get_page(self, service_id, marker, limit):
@ -965,7 +965,7 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
tenant_id=tenant_id))
return res
def roles_delete_subtree_by_tenant(self, tenant_id):
def roles_delete_subtree_by_project(self, tenant_id):
conn = self.get_connection()
query = '(objectClass=%s)' % self.object_class
tenant_dn = self.project_api._id_to_dn(tenant_id)

24
keystone/identity/backends/pam.py
View File

@ -71,10 +71,10 @@ class PamIdentity(identity.Driver):
return (user, tenant, metadata)
def get_tenant(self, tenant_id):
def get_project(self, tenant_id):
return {'id': tenant_id, 'name': tenant_id}
def get_tenant_by_name(self, tenant_name):
def get_project_by_name(self, tenant_name):
return {'id': tenant_name, 'name': tenant_name}
def get_user(self, user_id):
@ -92,25 +92,25 @@ class PamIdentity(identity.Driver):
def list_roles(self):
raise NotImplementedError()
def add_user_to_tenant(self, tenant_id, user_id):
def add_user_to_project(self, tenant_id, user_id):
pass
def remove_user_from_tenant(self, tenant_id, user_id):
def remove_user_from_project(self, tenant_id, user_id):
pass
def get_all_tenants(self):
def get_all_projects(self):
raise NotImplementedError()
def get_tenants_for_user(self, user_id):
def get_projects_for_user(self, user_id):
return [user_id]
def get_roles_for_user_and_tenant(self, user_id, tenant_id):
def get_roles_for_user_and_project(self, user_id, tenant_id):
raise NotImplementedError()
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
raise NotImplementedError()
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
raise NotImplementedError()
def create_user(self, user_id, user):
@ -122,13 +122,13 @@ class PamIdentity(identity.Driver):
def delete_user(self, user_id):
raise NotImplementedError()
def create_tenant(self, tenant_id, tenant):
def create_project(self, tenant_id, tenant):
raise NotImplementedError()
def update_tenant(self, tenant_id, tenant):
def update_project(self, tenant_id, tenant):
raise NotImplementedError()
def delete_tenant(self, tenant_id, tenant):
def delete_project(self, tenant_id, tenant):
raise NotImplementedError()
def get_metadata(self, user_id, tenant_id):

106
keystone/identity/backends/sql.py
View File

@ -200,11 +200,11 @@ class Identity(sql.Base, identity.Driver):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id):
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_tenant(tenant_id)
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound:
tenant_ref = None
@ -214,23 +214,23 @@ class Identity(sql.Base, identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id):
def get_project(self, tenant_id):
session = self.get_session()
tenant_ref = session.query(Project).filter_by(id=tenant_id).first()
if tenant_ref is None:
raise exception.ProjectNotFound(project_id=tenant_id)
return tenant_ref.to_dict()
def get_tenant_by_name(self, tenant_name):
def get_project_by_name(self, tenant_name):
session = self.get_session()
tenant_ref = session.query(Project).filter_by(name=tenant_name).first()
if not tenant_ref:
raise exception.ProjectNotFound(project_id=tenant_name)
return tenant_ref.to_dict()
def get_tenant_users(self, tenant_id):
def get_project_users(self, tenant_id):
session = self.get_session()
self.get_tenant(tenant_id)
self.get_project(tenant_id)
query = session.query(User)
query = query.join(UserProjectMembership)
query = query.filter(UserProjectMembership.tenant_id == tenant_id)
@ -274,7 +274,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -302,7 +302,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -321,7 +321,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -343,7 +343,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id:
self.get_domain(domain_id)
if project_id:
self.get_tenant(project_id)
self.get_project(project_id)
try:
metadata_ref = self.get_metadata(user_id, project_id,
@ -366,9 +366,9 @@ class Identity(sql.Base, identity.Driver):
domain_id, group_id)
# These should probably be part of the high-level API
def add_user_to_tenant(self, tenant_id, user_id):
def add_user_to_project(self, tenant_id, user_id):
session = self.get_session()
self.get_tenant(tenant_id)
self.get_project(tenant_id)
self.get_user(user_id)
query = session.query(UserProjectMembership)
query = query.filter_by(user_id=user_id)
@ -382,9 +382,9 @@ class Identity(sql.Base, identity.Driver):
tenant_id=tenant_id))
session.flush()
def remove_user_from_tenant(self, tenant_id, user_id):
def remove_user_from_project(self, tenant_id, user_id):
session = self.get_session()
self.get_tenant(tenant_id)
self.get_project(tenant_id)
self.get_user(user_id)
query = session.query(UserProjectMembership)
query = query.filter_by(user_id=user_id)
@ -396,12 +396,15 @@ class Identity(sql.Base, identity.Driver):
session.delete(membership_ref)
session.flush()
def get_tenants(self):
def get_projects(self):
session = self.get_session()
tenant_refs = session.query(Project).all()
return [tenant_ref.to_dict() for tenant_ref in tenant_refs]
def get_tenants_for_user(self, user_id):
def list_projects(self):
return self.get_projects()
def get_projects_for_user(self, user_id):
session = self.get_session()
self.get_user(user_id)
query = session.query(UserProjectMembership)
@ -409,18 +412,18 @@ class Identity(sql.Base, identity.Driver):
membership_refs = query.all()
return [x.tenant_id for x in membership_refs]
def get_roles_for_user_and_tenant(self, user_id, tenant_id):
def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound:
metadata_ref = {}
return metadata_ref.get('roles', [])
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id)
self.get_tenant(tenant_id)
self.get_project(tenant_id)
self.get_role(role_id)
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
@ -440,7 +443,7 @@ class Identity(sql.Base, identity.Driver):
else:
self.update_metadata(user_id, tenant_id, metadata_ref)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try:
metadata_ref = self.get_metadata(user_id, tenant_id)
is_new = False
@ -460,9 +463,9 @@ class Identity(sql.Base, identity.Driver):
self.update_metadata(user_id, tenant_id, metadata_ref)
# CRUD
@handle_conflicts(type='tenant')
def create_tenant(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name'])
@handle_conflicts(type='project')
def create_project(self, tenant_id, tenant):
tenant['name'] = clean.project_name(tenant['name'])
session = self.get_session()
with session.begin():
tenant_ref = Project.from_dict(tenant)
@ -470,29 +473,29 @@ class Identity(sql.Base, identity.Driver):
session.flush()
return tenant_ref.to_dict()
@handle_conflicts(type='tenant')
def update_tenant(self, tenant_id, tenant):
@handle_conflicts(type='project')
def update_project(self, tenant_id, tenant):
session = self.get_session()
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
tenant['name'] = clean.project_name(tenant['name'])
try:
tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
with session.begin():
old_tenant_dict = tenant_ref.to_dict()
old_project_dict = tenant_ref.to_dict()
for k in tenant:
old_tenant_dict[k] = tenant[k]
new_tenant = Project.from_dict(old_tenant_dict)
tenant_ref.name = new_tenant.name
tenant_ref.extra = new_tenant.extra
old_project_dict[k] = tenant[k]
new_project = Project.from_dict(old_project_dict)
tenant_ref.name = new_project.name
tenant_ref.extra = new_project.extra
session.flush()
return tenant_ref.to_dict(include_extra_dict=True)
def delete_tenant(self, tenant_id):
@handle_conflicts(type='project')
def delete_project(self, tenant_id):
session = self.get_session()
try:
@ -626,39 +629,6 @@ class Identity(sql.Base, identity.Driver):
session.delete(ref)
session.flush()
# project crud
@handle_conflicts(type='project')
def create_project(self, project_id, project):
return self.create_tenant(project_id, project)
def get_project(self, project_id):
return self.get_tenant(project_id)
def list_projects(self):
return self.get_tenants()
@handle_conflicts(type='project')
def update_project(self, project_id, project):
session = self.get_session()
with session.begin():
ref = session.query(Project).filter_by(id=project_id).first()
if ref is None:
raise exception.ProjectNotFound(project_id=project_id)
old_dict = ref.to_dict()
for k in project:
old_dict[k] = project[k]
new_project = Project.from_dict(old_dict)
for attr in Project.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_project, attr))
ref.extra = new_project.extra
session.flush()
return ref.to_dict()
def delete_project(self, project_id):
return self.delete_tenant(project_id)
def list_user_projects(self, user_id):
session = self.get_session()
user = self.get_user(user_id)
@ -1003,7 +973,7 @@ class Identity(sql.Base, identity.Driver):
for metadata_ref in session.query(UserProjectGrant):
metadata = metadata_ref.to_dict()
try:
self.remove_role_from_user_and_tenant(
self.remove_role_from_user_and_project(
metadata['user_id'], metadata['tenant_id'], role_id)
except exception.RoleNotFound:
pass

76
keystone/identity/controllers.py
View File

@ -29,21 +29,21 @@ LOG = logging.getLogger(__name__)
class Tenant(controller.V2Controller):
def get_all_tenants(self, context, **kw):
def get_all_projects(self, context, **kw):
"""Gets a list of all tenants for an admin user."""
if 'name' in context['query_string']:
return self.get_tenant_by_name(
return self.get_project_by_name(
context, context['query_string'].get('name'))
self.assert_admin(context)
tenant_refs = self.identity_api.get_tenants(context)
tenant_refs = self.identity_api.get_projects(context)
params = {
'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'),
}
return self._format_tenant_list(tenant_refs, **params)
return self._format_project_list(tenant_refs, **params)
def get_tenants_for_token(self, context, **kw):
def get_projects_for_token(self, context, **kw):
"""Get valid tenants for token based on token used to authenticate.
Pulls the token from the context, validates it and gets the valid
@ -60,31 +60,31 @@ class Tenant(controller.V2Controller):
raise exception.Unauthorized(e)
user_ref = token_ref['user']
tenant_ids = self.identity_api.get_tenants_for_user(
tenant_ids = self.identity_api.get_projects_for_user(
context, user_ref['id'])
tenant_refs = []
for tenant_id in tenant_ids:
tenant_refs.append(self.identity_api.get_tenant(
tenant_refs.append(self.identity_api.get_project(
context=context,
tenant_id=tenant_id))
params = {
'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'),
}
return self._format_tenant_list(tenant_refs, **params)
return self._format_project_list(tenant_refs, **params)
def get_tenant(self, context, tenant_id):
def get_project(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
return {'tenant': self.identity_api.get_tenant(context, tenant_id)}
return {'tenant': self.identity_api.get_project(context, tenant_id)}
def get_tenant_by_name(self, context, tenant_name):
def get_project_by_name(self, context, tenant_name):
self.assert_admin(context)
return {'tenant': self.identity_api.get_tenant_by_name(
return {'tenant': self.identity_api.get_project_by_name(
context, tenant_name)}
# CRUD Extension
def create_tenant(self, context, tenant):
def create_project(self, context, tenant):
tenant_ref = self._normalize_dict(tenant)
if not 'name' in tenant_ref or not tenant_ref['name']:
@ -93,26 +93,26 @@ class Tenant(controller.V2Controller):
self.assert_admin(context)
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
tenant = self.identity_api.create_tenant(
tenant = self.identity_api.create_project(
context, tenant_ref['id'], tenant_ref)
return {'tenant': tenant}
def update_tenant(self, context, tenant_id, tenant):
def update_project(self, context, tenant_id, tenant):
self.assert_admin(context)
tenant_ref = self.identity_api.update_tenant(
tenant_ref = self.identity_api.update_project(
context, tenant_id, tenant)
return {'tenant': tenant_ref}
def delete_tenant(self, context, tenant_id):
def delete_project(self, context, tenant_id):
self.assert_admin(context)
self.identity_api.delete_tenant(context, tenant_id)
self.identity_api.delete_project(context, tenant_id)
def get_tenant_users(self, context, tenant_id, **kw):
def get_project_users(self, context, tenant_id, **kw):
self.assert_admin(context)
user_refs = self.identity_api.get_tenant_users(context, tenant_id)
user_refs = self.identity_api.get_project_users(context, tenant_id)
return {'users': user_refs}
def _format_tenant_list(self, tenant_refs, **kwargs):
def _format_project_list(self, tenant_refs, **kwargs):
marker = kwargs.get('marker')
first_index = 0
if marker is not None:
@ -177,7 +177,7 @@ class User(controller.V2Controller):
tenant_id = user.get('tenantId', None)
if (tenant_id is not None
and self.identity_api.get_tenant(context, tenant_id) is None):
and self.identity_api.get_project(context, tenant_id) is None):
raise exception.ProjectNotFound(project_id=tenant_id)
user_id = uuid.uuid4().hex
user_ref = user.copy()
@ -185,7 +185,7 @@ class User(controller.V2Controller):
new_user_ref = self.identity_api.create_user(
context, user_id, user_ref)
if tenant_id:
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
self.identity_api.add_user_to_project(context, tenant_id, user_id)
return {'user': new_user_ref}
def update_user(self, context, user_id, user):
@ -215,12 +215,12 @@ class User(controller.V2Controller):
def set_user_password(self, context, user_id, user):
return self.update_user(context, user_id, user)
def update_user_tenant(self, context, user_id, user):
def update_user_project(self, context, user_id, user):
"""Update the default tenant."""
self.assert_admin(context)
# ensure that we're a member of that tenant
tenant_id = user.get('tenantId')
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
self.identity_api.add_user_to_project(context, tenant_id, user_id)
return self.update_user(context, user_id, user)
@ -238,7 +238,7 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: '
'tenant ID required')
roles = self.identity_api.get_roles_for_user_and_tenant(
roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
return {'roles': [self.identity_api.get_role(context, x)
for x in roles]}
@ -283,8 +283,8 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_user_to_project(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id)
self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -305,12 +305,12 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_tenant(
self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id)
roles = self.identity_api.get_roles_for_user_and_tenant(
roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
if not roles:
self.identity_api.remove_user_from_tenant(
self.identity_api.remove_user_from_project(
context, tenant_id, user_id)
self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -327,10 +327,10 @@ class Role(controller.V2Controller):
self.assert_admin(context)
# Ensure user exists by getting it first.
self.identity_api.get_user(context, user_id)
tenant_ids = self.identity_api.get_tenants_for_user(context, user_id)
tenant_ids = self.identity_api.get_projects_for_user(context, user_id)
o = []
for tenant_id in tenant_ids:
role_ids = self.identity_api.get_roles_for_user_and_tenant(
role_ids = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
for role_id in role_ids:
ref = {'roleId': role_id,
@ -352,8 +352,8 @@ class Role(controller.V2Controller):
# TODO(termie): for now we're ignoring the actual role
tenant_id = role.get('tenantId')
role_id = role.get('roleId')
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_user_to_project(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id)
self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -377,12 +377,12 @@ class Role(controller.V2Controller):
role_ref_ref = urlparse.parse_qs(role_ref_id)
tenant_id = role_ref_ref.get('tenantId')[0]
role_id = role_ref_ref.get('roleId')[0]
self.identity_api.remove_role_from_user_and_tenant(
self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id)
roles = self.identity_api.get_roles_for_user_and_tenant(
roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id)
if not roles:
self.identity_api.remove_user_from_tenant(
self.identity_api.remove_user_from_project(
context, tenant_id, user_id)
self.token_api.revoke_tokens(context, user_id, tenant_id)

32
keystone/identity/core.py
View File

@ -72,7 +72,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def get_tenant(self, tenant_id):
def get_project(self, tenant_id):
"""Get a tenant by id.
:returns: tenant_ref
@ -81,7 +81,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def get_tenant_by_name(self, tenant_name):
def get_project_by_name(self, tenant_name):
"""Get a tenant by name.
:returns: tenant_ref
@ -99,7 +99,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def add_user_to_tenant(self, tenant_id, user_id):
def add_user_to_project(self, tenant_id, user_id):
"""Add user to a tenant without an explicit role relationship.
:raises: keystone.exception.ProjectNotFound,
@ -108,7 +108,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def remove_user_from_tenant(self, tenant_id, user_id):
def remove_user_from_project(self, tenant_id, user_id):
"""Remove user from a tenant without an explicit role relationship.
:raises: keystone.exception.ProjectNotFound,
@ -117,11 +117,11 @@ class Driver(object):
"""
raise exception.NotImplemented()
def get_all_tenants(self):
def get_all_projects(self):
"""FIXME(dolph): Lists all tenants in the system? I'm not sure how this
is different from get_tenants, why get_tenants isn't
is different from get_projects, why get_projects isn't
documented as part of the driver, or why it's called
get_tenants instead of list_tenants (i.e. list_roles
get_projects instead of list_projects (i.e. list_roles
and list_users)...
:returns: a list of ... FIXME(dolph): tenant_refs or tenant_id's?
@ -129,17 +129,17 @@ class Driver(object):
"""
raise exception.NotImplemented()
def get_tenant_users(self, tenant_id):
def get_project_users(self, tenant_id):
"""FIXME(dolph): Lists all users with a relationship to the specified
tenant?
:returns: a list of ... FIXME(dolph): user_refs or user_id's?
:raises: keystone.exception.UserNotFound
:raises: keystone.exception.ProjectNotFound
"""
raise exception.NotImplemented()
def get_tenants_for_user(self, user_id):
def get_projects_for_user(self, user_id):
"""Get the tenants associated with a given user.
:returns: a list of tenant_id's.
@ -148,7 +148,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def get_roles_for_user_and_tenant(self, user_id, tenant_id):
def get_roles_for_user_and_project(self, user_id, tenant_id):
"""Get the roles associated with a user within given tenant.
:returns: a list of role ids.
@ -158,7 +158,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
"""Add a role to a user within given tenant.
:raises: keystone.exception.UserNotFound,
@ -167,7 +167,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
"""Remove a role from a user within given tenant.
:raises: keystone.exception.UserNotFound,
@ -178,7 +178,7 @@ class Driver(object):
raise exception.NotImplemented()
# tenant crud
def create_tenant(self, tenant_id, tenant):
def create_project(self, tenant_id, tenant):
"""Creates a new tenant.
:raises: keystone.exception.Conflict
@ -186,7 +186,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def update_tenant(self, tenant_id, tenant):
def update_project(self, tenant_id, tenant):
"""Updates an existing tenant.
:raises: keystone.exception.ProjectNotFound,
@ -195,7 +195,7 @@ class Driver(object):
"""
raise exception.NotImplemented()
def delete_tenant(self, tenant_id):
def delete_project(self, tenant_id):
"""Deletes an existing tenant.
:raises: keystone.exception.ProjectNotFound

6
keystone/identity/routers.py
View File

@ -24,7 +24,7 @@ class Public(wsgi.ComposableRouter):
tenant_controller = controllers.Tenant()
mapper.connect('/tenants',
controller=tenant_controller,
action='get_tenants_for_token',
action='get_projects_for_token',
conditions=dict(method=['GET']))
@ -34,11 +34,11 @@ class Admin(wsgi.ComposableRouter):
tenant_controller = controllers.Tenant()
mapper.connect('/tenants',
controller=tenant_controller,
action='get_all_tenants',
action='get_all_projects',
conditions=dict(method=['GET']))
mapper.connect('/tenants/{tenant_id}',
controller=tenant_controller,
action='get_tenant',
action='get_project',
conditions=dict(method=['GET']))
# User Operations

5
keystone/test.py
View File

@ -233,7 +233,7 @@ class TestCase(NoModule, unittest.TestCase):
# loaddata will be much preferred.
if hasattr(self, 'identity_api'):
for tenant in fixtures.TENANTS:
rv = self.identity_api.create_tenant(tenant['id'], tenant)
rv = self.identity_api.create_project(tenant['id'], tenant)
setattr(self, 'tenant_%s' % tenant['id'], rv)
for user in fixtures.USERS:
@ -242,7 +242,8 @@ class TestCase(NoModule, unittest.TestCase):
rv = self.identity_api.create_user(user['id'],
user_copy.copy())
for tenant_id in tenants:
self.identity_api.add_user_to_tenant(tenant_id, user['id'])
self.identity_api.add_user_to_project(tenant_id,
user['id'])
setattr(self, 'user_%s' % user['id'], user_copy)
for role in fixtures.ROLES:

22
keystone/token/controllers.py
View File

@ -169,9 +169,9 @@ class Auth(controller.V2Controller):
current_user_ref = self.identity_api.get_user(context=context,
user_id=user_id)
tenant_id = self._get_tenant_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_tenant_ref(context, user_id, tenant_id)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
self._append_roles(metadata_ref,
@ -222,7 +222,7 @@ class Auth(controller.V2Controller):
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(context, auth)
try:
auth_info = self.identity_api.authenticate(
@ -266,9 +266,9 @@ class Auth(controller.V2Controller):
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_tenant_ref(context, user_id, tenant_id)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
self._append_roles(metadata_ref,
@ -293,7 +293,7 @@ class Auth(controller.V2Controller):
metadata=metadata,
expires=expiry))
def _get_tenant_id_from_auth(self, context, auth):
def _get_project_id_from_auth(self, context, auth):
"""Extract tenant information from auth dict.
Returns a valid tenant_id if it exists, or None if not specified.
@ -302,18 +302,18 @@ class Auth(controller.V2Controller):
tenant_name = auth.get('tenantName', None)
if tenant_name:
try:
tenant_ref = self.identity_api.get_tenant_by_name(
tenant_ref = self.identity_api.get_project_by_name(
context=context, tenant_name=tenant_name)
tenant_id = tenant_ref['id']
except exception.ProjectNotFound as e:
raise exception.Unauthorized(e)
return tenant_id
def _get_tenant_ref(self, context, user_id, tenant_id):
def _get_project_ref(self, context, user_id, tenant_id):
"""Returns the tenant_ref for the user's tenant"""
tenant_ref = None
if tenant_id:
tenants = self.identity_api.get_tenants_for_user(context, user_id)
tenants = self.identity_api.get_projects_for_user(context, user_id)
if tenant_id not in tenants:
msg = 'User %s is unauthorized for tenant %s' % (
user_id, tenant_id)
@ -321,8 +321,8 @@ class Auth(controller.V2Controller):
raise exception.Unauthorized(msg)
try:
tenant_ref = self.identity_api.get_tenant(context=context,
tenant_id=tenant_id)
tenant_ref = self.identity_api.get_project(context=context,
tenant_id=tenant_id)
except exception.ProjectNotFound as e:
exception.Unauthorized(e)
return tenant_ref

10
tests/test_auth.py
View File

@ -150,7 +150,7 @@ class AuthWithToken(AuthTest):
self.api.authenticate,
{}, body_dict)
def test_auth_unscoped_token_no_tenant(self):
def test_auth_unscoped_token_no_project(self):
"""Verify getting an unscoped token with an unscoped token"""
body_dict = _build_user_auth(
username='FOO',
@ -163,10 +163,10 @@ class AuthWithToken(AuthTest):
self.assertEqualTokens(unscoped_token, unscoped_token_2)
def test_auth_unscoped_token_tenant(self):
def test_auth_unscoped_token_project(self):
"""Verify getting a token in a tenant with an unscoped token"""
# Add a role in so we can check we get this back
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
@ -186,10 +186,10 @@ class AuthWithToken(AuthTest):
self.assertEquals(tenant["id"], self.tenant_bar['id'])
self.assertEquals(roles[0], self.role_member['id'])
def test_auth_token_tenant_group_role(self):
def test_auth_token_project_group_role(self):
"""Verify getting a token in a tenant with group roles"""
# Add a v2 style role in so we can check we get this back
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])

238
tests/test_backend.py
View File

@ -39,14 +39,14 @@ class IdentityTests(object):
tenant_id=self.tenant_bar['id'],
password=uuid.uuid4().hex)
def test_authenticate_bad_tenant(self):
def test_authenticate_bad_project(self):
self.assertRaises(AssertionError,
self.identity_api.authenticate,
user_id=self.user_foo['id'],
tenant_id=uuid.uuid4().hex,
password=self.user_foo['password'])
def test_authenticate_no_tenant(self):
def test_authenticate_no_project(self):
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=self.user_foo['id'],
password=self.user_foo['password'])
@ -72,7 +72,7 @@ class IdentityTests(object):
self.assertDictEqual(metadata_ref, self.metadata_foobar)
def test_authenticate_role_return(self):
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=self.user_foo['id'],
@ -88,7 +88,8 @@ class IdentityTests(object):
'password': 'no_meta2',
}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_baz['id'], user['id'])
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=user['id'],
tenant_id=self.tenant_baz['id'],
@ -105,29 +106,29 @@ class IdentityTests(object):
user_ref = self.identity_api._get_user(self.user_foo['id'])
self.assertNotEqual(user_ref['password'], self.user_foo['password'])
def test_get_tenant(self):
tenant_ref = self.identity_api.get_tenant(
def test_get_project(self):
tenant_ref = self.identity_api.get_project(
tenant_id=self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
def test_get_tenant_404(self):
def test_get_project_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
tenant_id=uuid.uuid4().hex)
def test_get_tenant_by_name(self):
tenant_ref = self.identity_api.get_tenant_by_name(
def test_get_project_by_name(self):
tenant_ref = self.identity_api.get_project_by_name(
tenant_name=self.tenant_bar['name'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
def test_get_tenant_by_name_404(self):
def test_get_project_by_name_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
tenant_id=uuid.uuid4().hex)
def test_get_tenant_users_404(self):
def test_get_project_users_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant_users,
self.identity_api.get_project_users,
tenant_id=uuid.uuid4().hex)
def test_get_user(self):
@ -271,116 +272,116 @@ class IdentityTests(object):
self.identity_api.get_user,
'fake2')
def test_create_duplicate_tenant_id_fails(self):
def test_create_duplicate_project_id_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['name'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_api.create_tenant,
self.identity_api.create_project,
'fake1',
tenant)
def test_create_duplicate_tenant_name_fails(self):
def test_create_duplicate_project_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['id'] = 'fake2'
self.assertRaises(exception.Conflict,
self.identity_api.create_tenant,
self.identity_api.create_project,
'fake1',
tenant)
def test_rename_duplicate_tenant_name_fails(self):
def test_rename_duplicate_project_name_fails(self):
tenant1 = {'id': 'fake1', 'name': 'fake1'}
tenant2 = {'id': 'fake2', 'name': 'fake2'}
self.identity_api.create_tenant('fake1', tenant1)
self.identity_api.create_tenant('fake2', tenant2)
self.identity_api.create_project('fake1', tenant1)
self.identity_api.create_project('fake2', tenant2)
tenant2['name'] = 'fake1'
self.assertRaises(exception.Error,
self.identity_api.update_tenant,
self.identity_api.update_project,
'fake2',
tenant2)
def test_update_tenant_id_does_nothing(self):
def test_update_project_id_does_nothing(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['id'] = 'fake2'
self.identity_api.update_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
'fake2')
def test_add_duplicate_role_grant(self):
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('keystone_admin', roles_ref)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
self.assertRaises(exception.Conflict,
self.identity_api.add_role_to_user_and_tenant,
self.identity_api.add_role_to_user_and_project,
self.user_foo['id'],
self.tenant_bar['id'],
'keystone_admin')
def test_get_role_by_user_and_tenant(self):
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
def test_get_role_by_user_and_project(self):
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('keystone_admin', roles_ref)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertIn('keystone_admin', roles_ref)
self.assertNotIn('member', roles_ref)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member')
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertIn('keystone_admin', roles_ref)
self.assertIn('member', roles_ref)
def test_get_roles_for_user_and_tenant_404(self):
def test_get_roles_for_user_and_project_404(self):
self.assertRaises(exception.UserNotFound,
self.identity_api.get_roles_for_user_and_tenant,
self.identity_api.get_roles_for_user_and_project,
uuid.uuid4().hex,
self.tenant_bar['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_roles_for_user_and_tenant,
self.identity_api.get_roles_for_user_and_project,
self.user_foo['id'],
uuid.uuid4().hex)
def test_add_role_to_user_and_tenant_404(self):
def test_add_role_to_user_and_project_404(self):
self.assertRaises(exception.UserNotFound,
self.identity_api.add_role_to_user_and_tenant,
self.identity_api.add_role_to_user_and_project,
uuid.uuid4().hex,
self.tenant_bar['id'],
'keystone_admin')
self.assertRaises(exception.ProjectNotFound,
self.identity_api.add_role_to_user_and_tenant,
self.identity_api.add_role_to_user_and_project,
self.user_foo['id'],
uuid.uuid4().hex,
'keystone_admin')
self.assertRaises(exception.RoleNotFound,
self.identity_api.add_role_to_user_and_tenant,
self.identity_api.add_role_to_user_and_project,
self.user_foo['id'],
self.tenant_bar['id'],
uuid.uuid4().hex)
def test_remove_role_from_user_and_tenant(self):
self.identity_api.add_role_to_user_and_tenant(
def test_remove_role_from_user_and_project(self):
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member')
self.identity_api.remove_role_from_user_and_tenant(
self.identity_api.remove_role_from_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member')
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('member', roles_ref)
self.assertRaises(exception.NotFound,
self.identity_api.remove_role_from_user_and_tenant,
self.identity_api.remove_role_from_user_and_project,
self.user_foo['id'],
self.tenant_bar['id'],
'member')
@ -589,61 +590,61 @@ class IdentityTests(object):
role['id'],
role)
def test_add_user_to_tenant(self):
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
self.user_foo['id'])
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id'])
def test_add_user_to_project(self):
self.identity_api.add_user_to_project(self.tenant_bar['id'],
self.user_foo['id'])
tenants = self.identity_api.get_projects_for_user(self.user_foo['id'])
self.assertIn(self.tenant_bar['id'], tenants)
def test_add_user_to_tenant_404(self):
def test_add_user_to_project_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.add_user_to_tenant,
self.identity_api.add_user_to_project,
uuid.uuid4().hex,
self.user_foo['id'])
self.assertRaises(exception.UserNotFound,
self.identity_api.add_user_to_tenant,
self.identity_api.add_user_to_project,
self.tenant_bar['id'],
uuid.uuid4().hex)
def test_remove_user_from_tenant(self):
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
self.user_foo['id'])
self.identity_api.remove_user_from_tenant(self.tenant_bar['id'],
self.user_foo['id'])
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id'])
def test_remove_user_from_project(self):
self.identity_api.add_user_to_project(self.tenant_bar['id'],
self.user_foo['id'])
self.identity_api.remove_user_from_project(self.tenant_bar['id'],
self.user_foo['id'])
tenants = self.identity_api.get_projects_for_user(self.user_foo['id'])
self.assertNotIn(self.tenant_bar['id'], tenants)
def test_remove_user_from_tenant_404(self):
def test_remove_user_from_project_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.remove_user_from_tenant,
self.identity_api.remove_user_from_project,
uuid.uuid4().hex,
self.user_foo['id'])
self.assertRaises(exception.UserNotFound,
self.identity_api.remove_user_from_tenant,
self.identity_api.remove_user_from_project,
self.tenant_bar['id'],
uuid.uuid4().hex)
self.assertRaises(exception.NotFound,
self.identity_api.remove_user_from_tenant,
self.identity_api.remove_user_from_project,
self.tenant_baz['id'],
self.user_foo['id'])
def test_get_tenants_for_user_404(self):
def test_get_projects_for_user_404(self):
self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user,
self.identity_api.get_projects_for_user,
uuid.uuid4().hex)
def test_update_tenant_404(self):
def test_update_project_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.update_tenant,
self.identity_api.update_project,
uuid.uuid4().hex,
dict())
def test_delete_tenant_404(self):
def test_delete_project_404(self):
self.assertRaises(exception.ProjectNotFound,
self.identity_api.delete_tenant,
self.identity_api.delete_project,
uuid.uuid4().hex)
def test_update_user_404(self):
@ -653,16 +654,16 @@ class IdentityTests(object):
user_id,
{'id': user_id})
def test_delete_user_with_tenant_association(self):
def test_delete_user_with_project_association(self):
user = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
user['id'])
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user,
self.identity_api.get_projects_for_user,
user['id'])
def test_delete_user_404(self):
@ -675,62 +676,62 @@ class IdentityTests(object):
self.identity_api.delete_role,
uuid.uuid4().hex)
def test_create_tenant_long_name_fails(self):
def test_create_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'a' * 65}
self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant,
self.identity_api.create_project,
tenant['id'],
tenant)
def test_create_tenant_blank_name_fails(self):
def test_create_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': ''}
self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant,
self.identity_api.create_project,
tenant['id'],
tenant)
def test_create_tenant_invalid_name_fails(self):
def test_create_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': None}
self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant,
self.identity_api.create_project,
tenant['id'],
tenant)
tenant = {'id': 'fake1', 'name': 123}
self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant,
self.identity_api.create_project,
tenant['id'],
tenant)
def test_update_tenant_blank_name_fails(self):
def test_update_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['name'] = ''
self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant,
self.identity_api.update_project,
tenant['id'],
tenant)
def test_update_tenant_long_name_fails(self):
def test_update_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['name'] = 'a' * 65
self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant,
self.identity_api.update_project,
tenant['id'],
tenant)
def test_update_tenant_invalid_name_fails(self):
def test_update_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['name'] = None
self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant,
self.identity_api.update_project,
tenant['id'],
tenant)
tenant['name'] = 123
self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant,
self.identity_api.update_project,
tenant['id'],
tenant)
@ -805,19 +806,20 @@ class IdentityTests(object):
for test_role in default_fixtures.ROLES:
self.assertTrue(x for x in roles if x['id'] == test_role['id'])
def test_get_tenants(self):
tenants = self.identity_api.get_tenants()
for test_tenant in default_fixtures.TENANTS:
self.assertTrue(x for x in tenants if x['id'] == test_tenant['id'])
def test_get_projects(self):
tenants = self.identity_api.get_projects()
for test_project in default_fixtures.TENANTS:
self.assertTrue(x for x in tenants
if x['id'] == test_project['id'])
def test_delete_tenant_with_role_assignments(self):
def test_delete_project_with_role_assignments(self):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.create_project('fake1', tenant)
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], tenant['id'], 'member')
self.identity_api.delete_tenant(tenant['id'])
self.identity_api.delete_project(tenant['id'])
self.assertRaises(exception.NotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
tenant['id'])
def test_delete_role_check_role_grant(self):
@ -825,21 +827,21 @@ class IdentityTests(object):
alt_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.identity_api.create_role(alt_role['id'], alt_role)
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], role['id'])
self.identity_api.add_role_to_user_and_tenant(
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], alt_role['id'])
self.identity_api.delete_role(role['id'])
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn(role['id'], roles_ref)
self.assertIn(alt_role['id'], roles_ref)
def test_create_tenant_doesnt_modify_passed_in_dict(self):
new_tenant = {'id': 'tenant_id', 'name': 'new_tenant'}
original_tenant = new_tenant.copy()
self.identity_api.create_tenant('tenant_id', new_tenant)
self.assertDictEqual(original_tenant, new_tenant)
def test_create_project_doesnt_modify_passed_in_dict(self):
new_project = {'id': 'tenant_id', 'name': 'new_project'}
original_project = new_project.copy()
self.identity_api.create_project('tenant_id', new_project)
self.assertDictEqual(original_project, new_project)
def test_create_user_doesnt_modify_passed_in_dict(self):
new_user = {'id': 'user_id', 'name': 'new_user',
@ -864,20 +866,20 @@ class IdentityTests(object):
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], user['enabled'])
def test_update_tenant_enable(self):
def test_update_project_enable(self):
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], True)
tenant['enabled'] = False
self.identity_api.update_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
tenant['enabled'] = True
self.identity_api.update_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
def test_add_user_to_group(self):

36
tests/test_backend_ldap.py
View File

@ -116,26 +116,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api.delete_user,
self.user_foo['id'])
def test_configurable_allowed_tenant_actions(self):
def test_configurable_allowed_project_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
self.identity_api = identity_ldap.Identity()
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
tenant['enabled'] = 'False'
self.identity_api.update_tenant('fake1', tenant)
self.identity_api.update_project('fake1', tenant)
self.identity_api.delete_tenant('fake1')
self.identity_api.delete_project('fake1')
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
'fake1')
def test_configurable_forbidden_tenant_actions(self):
def test_configurable_forbidden_project_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
@ -146,17 +146,17 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
tenant = {'id': 'fake1', 'name': 'fake1'}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_tenant,
self.identity_api.create_project,
'fake1',
tenant)
self.tenant_bar['enabled'] = 'False'
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_tenant,
self.identity_api.update_project,
self.tenant_bar['id'],
self.tenant_bar)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_tenant,
self.identity_api.delete_project,
self.tenant_bar['id'])
def test_configurable_allowed_role_actions(self):
@ -217,17 +217,17 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api.get_user,
self.user_foo['id'])
def test_tenant_filter(self):
def test_project_filter(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
tenant_ref = self.identity_api.get_tenant(self.tenant_bar['id'])
tenant_ref = self.identity_api.get_project(self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
self.identity_api = identity_ldap.Identity()
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
self.tenant_bar['id'])
def test_role_filter(self):
@ -299,7 +299,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.assertNotIn('enabled', user_ref)
self.assertNotIn('tenants', user_ref)
def test_tenant_attribute_mapping(self):
def test_project_attribute_mapping(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
@ -309,7 +309,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
self.assertEqual(
@ -320,13 +320,13 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
CONF.ldap.tenant_name_attribute = 'desc'
CONF.ldap.tenant_desc_attribute = 'ou'
self.identity_api = identity_ldap.Identity()
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
def test_tenant_attribute_ignore(self):
def test_project_attribute_ignore(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
@ -336,7 +336,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertNotIn('name', tenant_ref)
self.assertNotIn('description', tenant_ref)

8
tests/test_backend_pam.py
View File

@ -35,13 +35,13 @@ class PamIdentity(test.TestCase):
self.tenant_in = {'id': id, 'name': id}
self.user_in = {'id': CONF.pam.userid, 'name': CONF.pam.userid}
def test_get_tenant(self):
tenant_out = self.identity_api.get_tenant(self.tenant_in['id'])
def test_get_project(self):
tenant_out = self.identity_api.get_project(self.tenant_in['id'])
self.assertDictEqual(self.tenant_in, tenant_out)
def test_get_tenant_by_name(self):
def test_get_project_by_name(self):
tenant_in_name = self.tenant_in['name']
tenant_out = self.identity_api.get_tenant_by_name(tenant_in_name)
tenant_out = self.identity_api.get_project_by_name(tenant_in_name)
self.assertDictEqual(self.tenant_in, tenant_out)
def test_get_user(self):

36
tests/test_backend_sql.py
View File

@ -62,16 +62,16 @@ class SqlTests(test.TestCase):
class SqlIdentity(SqlTests, test_backend.IdentityTests):
def test_delete_user_with_tenant_association(self):
def test_delete_user_with_project_association(self):
user = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
user['id'])
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user,
self.identity_api.get_projects_for_user,
user['id'])
def test_create_null_user_name(self):
@ -89,18 +89,18 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.get_user_by_name,
user['name'])
def test_create_null_tenant_name(self):
def test_create_null_project_name(self):
tenant = {'id': uuid.uuid4().hex,
'name': None}
self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant,
self.identity_api.create_project,
tenant['id'],
tenant)
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant,
self.identity_api.get_project,
tenant['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant_by_name,
self.identity_api.get_project_by_name,
tenant['name'])
def test_create_null_role_name(self):
@ -114,15 +114,15 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.get_role,
role['id'])
def test_delete_tenant_with_user_association(self):
def test_delete_project_with_user_association(self):
user = {'id': 'fake',
'name': 'fakeuser',
'password': 'passwd'}
self.identity_api.create_user('fake', user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_tenant(self.tenant_bar['id'])
tenants = self.identity_api.get_tenants_for_user(user['id'])
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_project(self.tenant_bar['id'])
tenants = self.identity_api.get_projects_for_user(user['id'])
self.assertEquals(tenants, [])
def test_delete_user_with_metadata(self):
@ -139,7 +139,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
user['id'],
self.tenant_bar['id'])
def test_delete_tenant_with_metadata(self):
def test_delete_project_with_metadata(self):
user = {'id': 'fake',
'name': 'fakeuser',
'password': 'passwd'}
@ -147,13 +147,13 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_metadata(user['id'],
self.tenant_bar['id'],
{'extra': 'extra'})
self.identity_api.delete_tenant(self.tenant_bar['id'])
self.identity_api.delete_project(self.tenant_bar['id'])
self.assertRaises(exception.MetadataNotFound,
self.identity_api.get_metadata,
user['id'],
self.tenant_bar['id'])
def test_update_tenant_returns_extra(self):
def test_update_project_returns_extra(self):
"""This tests for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an 'extra' attribute, instead
@ -170,12 +170,12 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'id': tenant_id,
'name': uuid.uuid4().hex,
arbitrary_key: arbitrary_value}
ref = self.identity_api.create_tenant(tenant_id, tenant)
ref = self.identity_api.create_project(tenant_id, tenant)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('extra'))
tenant['name'] = uuid.uuid4().hex
ref = self.identity_api.update_tenant(tenant_id, tenant)
ref = self.identity_api.update_project(tenant_id, tenant)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key])

12
tests/test_keystoneclient.py
View File

@ -863,9 +863,9 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
for i in range(2):
tenant_id = uuid.uuid4().hex
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
self.identity_api.create_tenant(tenant_id, tenant)
self.identity_api.add_user_to_tenant(tenant_id,
self.user_foo['id'])
self.identity_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id'])
tenants = client.tenants.list()
self.assertEqual(len(tenants), 3)
@ -889,9 +889,9 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
for i in range(2):
tenant_id = uuid.uuid4().hex
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
self.identity_api.create_tenant(tenant_id, tenant)
self.identity_api.add_user_to_tenant(tenant_id,
self.user_foo['id'])
self.identity_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id'])
tenants = client.tenants.list()
self.assertEqual(len(tenants), 3)

16
tests/test_migrate_nova_auth.py
View File

@ -96,7 +96,7 @@ class MigrateNovaAuth(test.TestCase):
tenants = {}
for tenant in ['proj1', 'proj2', 'proj4']:
tenants[tenant] = self.identity_api.get_tenant_by_name(tenant)
tenants[tenant] = self.identity_api.get_project_by_name(tenant)
membership_map = {
'user1': ['proj1'],
@ -105,10 +105,10 @@ class MigrateNovaAuth(test.TestCase):
'user4': ['proj4'],
}
for (old_user, old_tenants) in membership_map.iteritems():
for (old_user, old_projects) in membership_map.iteritems():
user = users[old_user]
membership = self.identity_api.get_tenants_for_user(user['id'])
expected = [tenants[t]['id'] for t in old_tenants]
membership = self.identity_api.get_projects_for_user(user['id'])
expected = [tenants[t]['id'] for t in old_projects]
self.assertEqual(set(expected), set(membership))
for tenant_id in membership:
password = None
@ -119,7 +119,7 @@ class MigrateNovaAuth(test.TestCase):
for ec2_cred in FIXTURE['ec2_credentials']:
user_id = users[ec2_cred['user_id']]['id']
for tenant_id in self.identity_api.get_tenants_for_user(user_id):
for tenant_id in self.identity_api.get_projects_for_user(user_id):
access = '%s:%s' % (tenant_id, ec2_cred['access_key'])
cred = self.ec2_api.get_credential(access)
actual = cred['secret']
@ -137,14 +137,14 @@ class MigrateNovaAuth(test.TestCase):
'user4': {'proj4': ['role1']},
}
for (old_user, old_tenant_map) in assignment_map.iteritems():
for (old_user, old_project_map) in assignment_map.iteritems():
tenant_names = ['proj1', 'proj2', 'proj4']
for tenant_name in tenant_names:
user = users[old_user]
tenant = tenants[tenant_name]
roles = self.identity_api.get_roles_for_user_and_tenant(
roles = self.identity_api.get_roles_for_user_and_project(
user['id'], tenant['id'])
actual = [self.identity_api.get_role(role_id)['name']
for role_id in roles]
expected = old_tenant_map.get(tenant_name, [])
expected = old_project_map.get(tenant_name, [])
self.assertEqual(set(actual), set(expected))