tenant to project in the apis

Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
Adam Young 2013-01-25 17:19:16 -05:00
parent 31660b119e
commit 4b2b3af2e3
21 changed files with 442 additions and 468 deletions


@ -49,8 +49,8 @@ def domain_name(name):
return check_name('Domain', name) return check_name('Domain', name)
def tenant_name(name): def project_name(name):
return check_name('Tenant', name) return check_name('Project', name)
def user_name(name): def user_name(name):


@ -59,12 +59,12 @@ class LegacyMigration(object):
self.ec2_driver = ec2_sql.Ec2() self.ec2_driver = ec2_sql.Ec2()
self._data = {} self._data = {}
self._user_map = {} self._user_map = {}
self._tenant_map = {} self._project_map = {}
self._role_map = {} self._role_map = {}
def migrate_all(self): def migrate_all(self):
self._export_legacy_db() self._export_legacy_db()
self._migrate_tenants() self._migrate_projects()
self._migrate_users() self._migrate_users()
self._migrate_roles() self._migrate_roles()
self._migrate_user_roles() self._migrate_user_roles()
@ -98,7 +98,7 @@ class LegacyMigration(object):
def _export_legacy_db(self): def _export_legacy_db(self):
self._data = export_db(self.db) self._data = export_db(self.db)
def _migrate_tenants(self): def _migrate_projects(self):
for x in self._data['tenants']: for x in self._data['tenants']:
# map # map
new_dict = {'description': x.get('desc', ''), new_dict = {'description': x.get('desc', ''),
@ -106,10 +106,10 @@ class LegacyMigration(object):
'enabled': x.get('enabled', True)} 'enabled': x.get('enabled', True)}
new_dict['name'] = x.get('name', new_dict.get('id')) new_dict['name'] = x.get('name', new_dict.get('id'))
# track internal ids # track internal ids
self._tenant_map[x.get('id')] = new_dict['id'] self._project_map[x.get('id')] = new_dict['id']
# create # create
#print 'create_tenant(%s, %s)' % (new_dict['id'], new_dict) #print 'create_project(%s, %s)' % (new_dict['id'], new_dict)
self.identity_driver.create_tenant(new_dict['id'], new_dict) self.identity_driver.create_project(new_dict['id'], new_dict)
def _migrate_users(self): def _migrate_users(self):
for x in self._data['users']: for x in self._data['users']:
@ -119,7 +119,7 @@ class LegacyMigration(object):
'id': x.get('uid', x.get('id')), 'id': x.get('uid', x.get('id')),
'enabled': x.get('enabled', True)} 'enabled': x.get('enabled', True)}
if x.get('tenant_id'): if x.get('tenant_id'):
new_dict['tenant_id'] = self._tenant_map.get(x['tenant_id']) new_dict['tenant_id'] = self._project_map.get(x['tenant_id'])
new_dict['name'] = x.get('name', new_dict.get('id')) new_dict['name'] = x.get('name', new_dict.get('id'))
# track internal ids # track internal ids
self._user_map[x.get('id')] = new_dict['id'] self._user_map[x.get('id')] = new_dict['id']
@ -127,8 +127,9 @@ class LegacyMigration(object):
#print 'create_user(%s, %s)' % (new_dict['id'], new_dict) #print 'create_user(%s, %s)' % (new_dict['id'], new_dict)
self.identity_driver.create_user(new_dict['id'], new_dict) self.identity_driver.create_user(new_dict['id'], new_dict)
if new_dict.get('tenant_id'): if new_dict.get('tenant_id'):
self.identity_driver.add_user_to_tenant(new_dict['tenant_id'], self.identity_driver.add_user_to_project(
new_dict['id']) new_dict['tenant_id'],
new_dict['id'])
def _migrate_roles(self): def _migrate_roles(self):
for x in self._data['roles']: for x in self._data['roles']:
@ -148,15 +149,15 @@ class LegacyMigration(object):
or not x.get('role_id')): or not x.get('role_id')):
continue continue
user_id = self._user_map[x['user_id']] user_id = self._user_map[x['user_id']]
tenant_id = self._tenant_map[x['tenant_id']] tenant_id = self._project_map[x['tenant_id']]
role_id = self._role_map[x['role_id']] role_id = self._role_map[x['role_id']]
try: try:
self.identity_driver.add_user_to_tenant(tenant_id, user_id) self.identity_driver.add_user_to_project(tenant_id, user_id)
except Exception: except Exception:
pass pass
self.identity_driver.add_role_to_user_and_tenant( self.identity_driver.add_role_to_user_and_project(
user_id, tenant_id, role_id) user_id, tenant_id, role_id)
def _migrate_tokens(self): def _migrate_tokens(self):
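Review bot: In `_migrate_user_roles`, the renamed `add_user_to_project` call sits inside `try: ... except Exception: pass`, so an `AttributeError` from an identity driver that was missed in this rename would be swallowed. The migration would then go on to `add_role_to_user_and_project` with no sign that the membership step failed. Because this commit is a mechanical rename across 21 files, the broad handler hides the very mistake the rename is most likely to introduce. Narrow the handler to the specific error the driver raises when the user is already a member (that type is not visible in this hunk), or at least log the exception before continuing. The function starts above the hunk.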


@ -28,7 +28,7 @@ LOG = logging.getLogger(__name__)
def import_auth(data): def import_auth(data):
identity_api = identity_sql.Identity() identity_api = identity_sql.Identity()
tenant_map = _create_tenants(identity_api, data['tenants']) tenant_map = _create_projects(identity_api, data['tenants'])
user_map = _create_users(identity_api, data['users']) user_map = _create_users(identity_api, data['users'])
_create_memberships(identity_api, data['user_tenant_list'], _create_memberships(identity_api, data['user_tenant_list'],
user_map, tenant_map) user_map, tenant_map)
@ -45,7 +45,7 @@ def _generate_uuid():
return uuid.uuid4().hex return uuid.uuid4().hex
def _create_tenants(api, tenants): def _create_projects(api, tenants):
tenant_map = {} tenant_map = {}
for tenant in tenants: for tenant in tenants:
tenant_dict = { tenant_dict = {
@ -56,7 +56,7 @@ def _create_tenants(api, tenants):
} }
tenant_map[tenant['id']] = tenant_dict['id'] tenant_map[tenant['id']] = tenant_dict['id']
LOG.debug(_('Create tenant %s') % tenant_dict) LOG.debug(_('Create tenant %s') % tenant_dict)
api.create_tenant(tenant_dict['id'], tenant_dict) api.create_project(tenant_dict['id'], tenant_dict)
return tenant_map return tenant_map
@ -81,7 +81,7 @@ def _create_memberships(api, memberships, user_map, tenant_map):
user_id = user_map[membership['user_id']] user_id = user_map[membership['user_id']]
tenant_id = tenant_map[membership['tenant_id']] tenant_id = tenant_map[membership['tenant_id']]
LOG.debug(_('Add user %s to tenant %s') % (user_id, tenant_id)) LOG.debug(_('Add user %s to tenant %s') % (user_id, tenant_id))
api.add_user_to_tenant(tenant_id, user_id) api.add_user_to_project(tenant_id, user_id)
def _create_roles(api, roles): def _create_roles(api, roles):
@ -107,13 +107,13 @@ def _assign_roles(api, assignments, role_map, user_map, tenant_map):
tenant_id = tenant_map[assignment['tenant_id']] tenant_id = tenant_map[assignment['tenant_id']]
LOG.debug(_('Assign role %s to user %s on tenant %s') % LOG.debug(_('Assign role %s to user %s on tenant %s') %
(role_id, user_id, tenant_id)) (role_id, user_id, tenant_id))
api.add_role_to_user_and_tenant(user_id, tenant_id, role_id) api.add_role_to_user_and_project(user_id, tenant_id, role_id)
def _create_ec2_creds(ec2_api, identity_api, ec2_creds, user_map): def _create_ec2_creds(ec2_api, identity_api, ec2_creds, user_map):
for ec2_cred in ec2_creds: for ec2_cred in ec2_creds:
user_id = user_map[ec2_cred['user_id']] user_id = user_map[ec2_cred['user_id']]
for tenant_id in identity_api.get_tenants_for_user(user_id): for tenant_id in identity_api.get_projects_for_user(user_id):
cred_dict = { cred_dict = {
'access': '%s:%s' % (tenant_id, ec2_cred['access_key']), 'access': '%s:%s' % (tenant_id, ec2_cred['access_key']),
'secret': ec2_cred['secret_key'], 'secret': ec2_cred['secret_key'],


@ -36,22 +36,22 @@ class CrudExtension(wsgi.ExtensionRouter):
mapper.connect( mapper.connect(
'/tenants', '/tenants',
controller=tenant_controller, controller=tenant_controller,
action='create_tenant', action='create_project',
conditions=dict(method=['POST'])) conditions=dict(method=['POST']))
mapper.connect( mapper.connect(
'/tenants/{tenant_id}', '/tenants/{tenant_id}',
controller=tenant_controller, controller=tenant_controller,
action='update_tenant', action='update_project',
conditions=dict(method=['PUT', 'POST'])) conditions=dict(method=['PUT', 'POST']))
mapper.connect( mapper.connect(
'/tenants/{tenant_id}', '/tenants/{tenant_id}',
controller=tenant_controller, controller=tenant_controller,
action='delete_tenant', action='delete_project',
conditions=dict(method=['DELETE'])) conditions=dict(method=['DELETE']))
mapper.connect( mapper.connect(
'/tenants/{tenant_id}/users', '/tenants/{tenant_id}/users',
controller=tenant_controller, controller=tenant_controller,
action='get_tenant_users', action='get_project_users',
conditions=dict(method=['GET'])) conditions=dict(method=['GET']))
# User Operations # User Operations
@ -93,12 +93,12 @@ class CrudExtension(wsgi.ExtensionRouter):
mapper.connect( mapper.connect(
'/users/{user_id}/tenant', '/users/{user_id}/tenant',
controller=user_controller, controller=user_controller,
action='update_user_tenant', action='update_user_project',
conditions=dict(method=['PUT'])) conditions=dict(method=['PUT']))
mapper.connect( mapper.connect(
'/users/{user_id}/OS-KSADM/tenant', '/users/{user_id}/OS-KSADM/tenant',
controller=user_controller, controller=user_controller,
action='update_user_tenant', action='update_user_project',
conditions=dict(method=['PUT'])) conditions=dict(method=['PUT']))
# COMPAT(diablo): the copy with no OS-KSADM is from diablo # COMPAT(diablo): the copy with no OS-KSADM is from diablo


@ -150,7 +150,7 @@ class Ec2Controller(controller.V2Controller):
# TODO(termie): don't create new tokens every time # TODO(termie): don't create new tokens every time
# TODO(termie): this is copied from TokenController.authenticate # TODO(termie): this is copied from TokenController.authenticate
token_id = uuid.uuid4().hex token_id = uuid.uuid4().hex
tenant_ref = self.identity_api.get_tenant( tenant_ref = self.identity_api.get_project(
context=context, context=context,
tenant_id=creds_ref['tenant_id']) tenant_id=creds_ref['tenant_id'])
user_ref = self.identity_api.get_user( user_ref = self.identity_api.get_user(
@ -203,7 +203,7 @@ class Ec2Controller(controller.V2Controller):
self._assert_identity(context, user_id) self._assert_identity(context, user_id)
self._assert_valid_user_id(context, user_id) self._assert_valid_user_id(context, user_id)
self._assert_valid_tenant_id(context, tenant_id) self._assert_valid_project_id(context, tenant_id)
cred_ref = {'user_id': user_id, cred_ref = {'user_id': user_id,
'tenant_id': tenant_id, 'tenant_id': tenant_id,
@ -330,7 +330,7 @@ class Ec2Controller(controller.V2Controller):
if not user_ref: if not user_ref:
raise exception.UserNotFound(user_id=user_id) raise exception.UserNotFound(user_id=user_id)
def _assert_valid_tenant_id(self, context, tenant_id): def _assert_valid_project_id(self, context, tenant_id):
"""Ensure a valid tenant id. """Ensure a valid tenant id.
:param context: standard context :param context: standard context
@ -338,7 +338,7 @@ class Ec2Controller(controller.V2Controller):
:raises exception.ProjectNotFound: on failure :raises exception.ProjectNotFound: on failure
""" """
tenant_ref = self.identity_api.get_tenant( tenant_ref = self.identity_api.get_project(
context=context, context=context,
tenant_id=tenant_id) tenant_id=tenant_id)
if not tenant_ref: if not tenant_ref:
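Review bot: The docstring of the renamed `_assert_valid_project_id` still opens with `"""Ensure a valid tenant id.`, although the method now calls `get_project` and documents `exception.ProjectNotFound`; change it to `"""Ensure a valid project id.`. If the `tenant_id` parameter and the `tenant_id=` keyword passed to `get_project` are being kept on purpose for API compatibility, a one-line comment such as `# parameter name kept as tenant_id for v2 API compatibility` would keep a later cleanup from breaking callers. The method body continues past the end of the hunk.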


@ -43,11 +43,11 @@ class Identity(kvs.Base, identity.Driver):
raise AssertionError('Invalid user / password') raise AssertionError('Invalid user / password')
if tenant_id is not None: if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id): if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant') raise AssertionError('Invalid tenant')
try: try:
tenant_ref = self.get_tenant(tenant_id) tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound: except exception.ProjectNotFound:
tenant_ref = None tenant_ref = None
@ -57,24 +57,24 @@ class Identity(kvs.Base, identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref) return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id): def get_project(self, tenant_id):
try: try:
return self.db.get('tenant-%s' % tenant_id) return self.db.get('tenant-%s' % tenant_id)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
def get_tenants(self): def get_projects(self):
tenant_keys = filter(lambda x: x.startswith("tenant-"), self.db.keys()) tenant_keys = filter(lambda x: x.startswith("tenant-"), self.db.keys())
return [self.db.get(key) for key in tenant_keys] return [self.db.get(key) for key in tenant_keys]
def get_tenant_by_name(self, tenant_name): def get_project_by_name(self, tenant_name):
try: try:
return self.db.get('tenant_name-%s' % tenant_name) return self.db.get('tenant_name-%s' % tenant_name)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name) raise exception.ProjectNotFound(project_id=tenant_name)
def get_tenant_users(self, tenant_id): def get_project_users(self, tenant_id):
self.get_tenant(tenant_id) self.get_project(tenant_id)
user_keys = filter(lambda x: x.startswith("user-"), self.db.keys()) user_keys = filter(lambda x: x.startswith("user-"), self.db.keys())
user_refs = [self.db.get(key) for key in user_keys] user_refs = [self.db.get(key) for key in user_keys]
return filter(lambda x: tenant_id in x['tenants'], user_refs) return filter(lambda x: tenant_id in x['tenants'], user_refs)
@ -122,15 +122,15 @@ class Identity(kvs.Base, identity.Driver):
return [self.get_role(x) for x in role_ids] return [self.get_role(x) for x in role_ids]
# These should probably be part of the high-level API # These should probably be part of the high-level API
def add_user_to_tenant(self, tenant_id, user_id): def add_user_to_project(self, tenant_id, user_id):
self.get_tenant(tenant_id) self.get_project(tenant_id)
user_ref = self._get_user(user_id) user_ref = self._get_user(user_id)
tenants = set(user_ref.get('tenants', [])) tenants = set(user_ref.get('tenants', []))
tenants.add(tenant_id) tenants.add(tenant_id)
self.update_user(user_id, {'tenants': list(tenants)}) self.update_user(user_id, {'tenants': list(tenants)})
def remove_user_from_tenant(self, tenant_id, user_id): def remove_user_from_project(self, tenant_id, user_id):
self.get_tenant(tenant_id) self.get_project(tenant_id)
user_ref = self._get_user(user_id) user_ref = self._get_user(user_id)
tenants = set(user_ref.get('tenants', [])) tenants = set(user_ref.get('tenants', []))
try: try:
@ -139,22 +139,22 @@ class Identity(kvs.Base, identity.Driver):
raise exception.NotFound('User not found in tenant') raise exception.NotFound('User not found in tenant')
self.update_user(user_id, {'tenants': list(tenants)}) self.update_user(user_id, {'tenants': list(tenants)})
def get_tenants_for_user(self, user_id): def get_projects_for_user(self, user_id):
user_ref = self._get_user(user_id) user_ref = self._get_user(user_id)
return user_ref.get('tenants', []) return user_ref.get('tenants', [])
def get_roles_for_user_and_tenant(self, user_id, tenant_id): def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound: except exception.MetadataNotFound:
metadata_ref = {} metadata_ref = {}
return metadata_ref.get('roles', []) return metadata_ref.get('roles', [])
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id): def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
self.get_role(role_id) self.get_role(role_id)
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
@ -169,7 +169,7 @@ class Identity(kvs.Base, identity.Driver):
metadata_ref['roles'] = list(roles) metadata_ref['roles'] = list(roles)
self.update_metadata(user_id, tenant_id, metadata_ref) self.update_metadata(user_id, tenant_id, metadata_ref)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound: except exception.MetadataNotFound:
@ -283,10 +283,10 @@ class Identity(kvs.Base, identity.Driver):
user_list.remove(user_id) user_list.remove(user_id)
self.db.set('user_list', list(user_list)) self.db.set('user_list', list(user_list))
def create_tenant(self, tenant_id, tenant): def create_project(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
try: try:
self.get_tenant(tenant_id) self.get_project(tenant_id)
except exception.ProjectNotFound: except exception.ProjectNotFound:
pass pass
else: else:
@ -294,7 +294,7 @@ class Identity(kvs.Base, identity.Driver):
raise exception.Conflict(type='tenant', details=msg) raise exception.Conflict(type='tenant', details=msg)
try: try:
self.get_tenant_by_name(tenant['name']) self.get_project_by_name(tenant['name'])
except exception.ProjectNotFound: except exception.ProjectNotFound:
pass pass
else: else:
@ -305,9 +305,9 @@ class Identity(kvs.Base, identity.Driver):
self.db.set('tenant_name-%s' % tenant['name'], tenant) self.db.set('tenant_name-%s' % tenant['name'], tenant)
return tenant return tenant
def update_tenant(self, tenant_id, tenant): def update_project(self, tenant_id, tenant):
if 'name' in tenant: if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
try: try:
existing = self.db.get('tenant_name-%s' % tenant['name']) existing = self.db.get('tenant_name-%s' % tenant['name'])
if existing and tenant_id != existing['id']: if existing and tenant_id != existing['id']:
@ -317,23 +317,23 @@ class Identity(kvs.Base, identity.Driver):
pass pass
# get the old name and delete it too # get the old name and delete it too
try: try:
old_tenant = self.db.get('tenant-%s' % tenant_id) old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
new_tenant = old_tenant.copy() new_project = old_project.copy()
new_tenant.update(tenant) new_project.update(tenant)
new_tenant['id'] = tenant_id new_project['id'] = tenant_id
self.db.delete('tenant_name-%s' % old_tenant['name']) self.db.delete('tenant_name-%s' % old_project['name'])
self.db.set('tenant-%s' % tenant_id, new_tenant) self.db.set('tenant-%s' % tenant_id, new_project)
self.db.set('tenant_name-%s' % new_tenant['name'], new_tenant) self.db.set('tenant_name-%s' % new_project['name'], new_project)
return new_tenant return new_project
def delete_tenant(self, tenant_id): def delete_project(self, tenant_id):
try: try:
old_tenant = self.db.get('tenant-%s' % tenant_id) old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
self.db.delete('tenant_name-%s' % old_tenant['name']) self.db.delete('tenant_name-%s' % old_project['name'])
self.db.delete('tenant-%s' % tenant_id) self.db.delete('tenant-%s' % tenant_id)
def create_metadata(self, user_id, tenant_id, metadata, def create_metadata(self, user_id, tenant_id, metadata,
@ -396,9 +396,9 @@ class Identity(kvs.Base, identity.Driver):
tenant_id = key.split('-')[1] tenant_id = key.split('-')[1]
user_id = key.split('-')[2] user_id = key.split('-')[2]
try: try:
self.remove_role_from_user_and_tenant(user_id, self.remove_role_from_user_and_project(user_id,
tenant_id, tenant_id,
role_id) role_id)
except exception.RoleNotFound: except exception.RoleNotFound:
pass pass
except exception.NotFound: except exception.NotFound:
@ -418,7 +418,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -440,7 +440,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -459,7 +459,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -481,7 +481,7 @@ class Identity(kvs.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,


@ -41,7 +41,7 @@ class Identity(identity.Driver):
self.suffix = CONF.ldap.suffix self.suffix = CONF.ldap.suffix
self.user = UserApi(CONF) self.user = UserApi(CONF)
self.tenant = ProjectApi(CONF) self.project = ProjectApi(CONF)
self.role = RoleApi(CONF) self.role = RoleApi(CONF)
self.group = GroupApi(CONF) self.group = GroupApi(CONF)
@ -81,11 +81,11 @@ class Identity(identity.Driver):
raise AssertionError('Invalid user / password') raise AssertionError('Invalid user / password')
if tenant_id is not None: if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id): if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant') raise AssertionError('Invalid tenant')
try: try:
tenant_ref = self.get_tenant(tenant_id) tenant_ref = self.get_project(tenant_id)
# TODO(termie): this should probably be made into a # TODO(termie): this should probably be made into a
# get roles call # get roles call
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
@ -97,18 +97,18 @@ class Identity(identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref) return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id): def get_project(self, tenant_id):
try: try:
return self.tenant.get(tenant_id) return self.project.get(tenant_id)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
def get_tenants(self): def get_projects(self):
return self.tenant.get_all() return self.project.get_all()
def get_tenant_by_name(self, tenant_name): def get_project_by_name(self, tenant_name):
try: try:
return self.tenant.get_by_name(tenant_name) return self.project.get_by_name(tenant_name)
except exception.NotFound: except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name) raise exception.ProjectNotFound(project_id=tenant_name)
@ -131,10 +131,10 @@ class Identity(identity.Driver):
raise exception.UserNotFound(user_id=user_name) raise exception.UserNotFound(user_id=user_name)
def get_metadata(self, user_id, tenant_id): def get_metadata(self, user_id, tenant_id):
if not self.get_tenant(tenant_id) or not self.get_user(user_id): if not self.get_project(tenant_id) or not self.get_user(user_id):
return {} return {}
metadata_ref = self.get_roles_for_user_and_tenant(user_id, tenant_id) metadata_ref = self.get_roles_for_user_and_project(user_id, tenant_id)
if not metadata_ref: if not metadata_ref:
return {} return {}
return {'roles': metadata_ref} return {'roles': metadata_ref}
@ -149,30 +149,28 @@ class Identity(identity.Driver):
return self.role.get_all() return self.role.get_all()
# These should probably be part of the high-level API # These should probably be part of the high-level API
# When this happens, then change TenantAPI.add_user to not ignore def add_user_to_project(self, tenant_id, user_id):
# ldap.TYPE_OR_VALUE_EXISTS self.get_project(tenant_id)
def add_user_to_tenant(self, tenant_id, user_id):
self.get_tenant(tenant_id)
self.get_user(user_id) self.get_user(user_id)
return self.tenant.add_user(tenant_id, user_id) return self.project.add_user(tenant_id, user_id)
def get_tenants_for_user(self, user_id): def get_projects_for_user(self, user_id):
self.get_user(user_id) self.get_user(user_id)
tenant_list = [] tenant_list = []
for tenant in self.tenant.get_user_tenants(user_id): for tenant in self.project.get_user_projects(user_id):
tenant_list.append(tenant['id']) tenant_list.append(tenant['id'])
return tenant_list return tenant_list
def get_tenant_users(self, tenant_id): def get_project_users(self, tenant_id):
self.get_tenant(tenant_id) self.get_project(tenant_id)
user_list = [] user_list = []
for user in self.tenant.get_users(tenant_id): for user in self.project.get_users(tenant_id):
user_list.append(user) user_list.append(user)
return user_list return user_list
def get_roles_for_user_and_tenant(self, user_id, tenant_id): def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
assignments = self.role.get_role_assignments(tenant_id) assignments = self.role.get_role_assignments(tenant_id)
roles = [] roles = []
for assignment in assignments: for assignment in assignments:
@ -180,9 +178,9 @@ class Identity(identity.Driver):
roles.append(assignment.role_id) roles.append(assignment.role_id)
return roles return roles
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id): def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
self.get_role(role_id) self.get_role(role_id)
self.role.add_user(role_id, user_id, tenant_id) self.role.add_user(role_id, user_id, tenant_id)
@ -196,17 +194,17 @@ class Identity(identity.Driver):
user['name'] = clean.user_name(user['name']) user['name'] = clean.user_name(user['name'])
return self.user.update(user_id, user) return self.user.update(user_id, user)
def create_tenant(self, tenant_id, tenant): def create_project(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
data = tenant.copy() data = tenant.copy()
if 'id' not in data or data['id'] is None: if 'id' not in data or data['id'] is None:
data['id'] = str(uuid.uuid4().hex) data['id'] = str(uuid.uuid4().hex)
return self.tenant.create(tenant) return self.project.create(tenant)
def update_tenant(self, tenant_id, tenant): def update_project(self, tenant_id, tenant):
if 'name' in tenant: if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
return self.tenant.update(tenant_id, tenant) return self.project.update(tenant_id, tenant)
def create_metadata(self, user_id, tenant_id, metadata): def create_metadata(self, user_id, tenant_id, metadata):
return {} return {}
@ -236,9 +234,9 @@ class Identity(identity.Driver):
except ldap.NO_SUCH_OBJECT: except ldap.NO_SUCH_OBJECT:
raise exception.RoleNotFound(role_id=role_id) raise exception.RoleNotFound(role_id=role_id)
def delete_tenant(self, tenant_id): def delete_project(self, tenant_id):
try: try:
return self.tenant.delete(tenant_id) return self.project.delete(tenant_id)
except ldap.NO_SUCH_OBJECT: except ldap.NO_SUCH_OBJECT:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
@ -248,13 +246,13 @@ class Identity(identity.Driver):
except ldap.NO_SUCH_OBJECT: except ldap.NO_SUCH_OBJECT:
raise exception.UserNotFound(user_id=user_id) raise exception.UserNotFound(user_id=user_id)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
return self.role.delete_user(role_id, user_id, tenant_id) return self.role.delete_user(role_id, user_id, tenant_id)
def remove_user_from_tenant(self, tenant_id, user_id): def remove_user_from_project(self, tenant_id, user_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
return self.tenant.remove_user(tenant_id, user_id) return self.project.remove_user(tenant_id, user_id)
def update_role(self, role_id, role): def update_role(self, role_id, role):
self.get_role(role_id) self.get_role(role_id)
@ -291,7 +289,7 @@ class ApiShim(object):
""" """
_role = None _role = None
_tenant = None _project = None
_user = None _user = None
_group = None _group = None
@ -305,10 +303,10 @@ class ApiShim(object):
return self._role return self._role
@property @property
def tenant(self): def project(self):
if not self._tenant: if not self._project:
self._tenant = ProjectApi(self.conf) self._project = ProjectApi(self.conf)
return self._tenant return self._project
@property @property
def user(self): def user(self):
@ -333,7 +331,7 @@ class ApiShimMixin(object):
@property @property
def project_api(self): def project_api(self):
return self.api.tenant return self.api.project
@property @property
def user_api(self): def user_api(self):
@ -425,15 +423,15 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
if old_obj.get('name') != values['name']: if old_obj.get('name') != values['name']:
raise exception.Conflict('Cannot change user name') raise exception.Conflict('Cannot change user name')
try: try:
new_tenant = values['tenant_id'] new_project = values['tenant_id']
except KeyError: except KeyError:
pass pass
else: else:
if old_obj.get('tenant_id') != new_tenant: if old_obj.get('tenant_id') != new_project:
if old_obj['tenant_id']: if old_obj['tenant_id']:
self.project_api.remove_user(old_obj['tenant_id'], id) self.project_api.remove_user(old_obj['tenant_id'], id)
if new_tenant: if new_project:
self.project_api.add_user(new_tenant, id) self.project_api.add_user(new_project, id)
values = utils.hash_ldap_user_password(values) values = utils.hash_ldap_user_password(values)
if self.enabled_mask: if self.enabled_mask:
@ -451,7 +449,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
for ref in self.role_api.list_global_roles_for_user(id): for ref in self.role_api.list_global_roles_for_user(id):
self.role_api.rolegrant_delete(ref.id) self.role_api.rolegrant_delete(ref.id)
for ref in self.role_api.list_tenant_roles_for_user(id): for ref in self.role_api.list_project_roles_for_user(id):
self.role_api.rolegrant_delete(ref.id) self.role_api.rolegrant_delete(ref.id)
def get_by_email(self, email): def get_by_email(self, email):
@ -463,10 +461,10 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
except IndexError: except IndexError:
return None return None
def user_roles_by_tenant(self, user_id, tenant_id): def user_roles_by_project(self, user_id, tenant_id):
return self.role_api.list_tenant_roles_for_user(user_id, tenant_id) return self.role_api.list_project_roles_for_user(user_id, tenant_id)
def get_by_tenant(self, user_id, tenant_id): def get_by_project(self, user_id, tenant_id):
user_dn = self._id_to_dn(user_id) user_dn = self._id_to_dn(user_id)
user = self.get(user_id) user = self.get(user_id)
tenant = self.project_api._ldap_get(tenant_id, tenant = self.project_api._ldap_get(tenant_id,
@ -474,7 +472,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
if tenant is not None: if tenant is not None:
return user return user
else: else:
if self.role_api.list_tenant_roles_for_user(user_id, tenant_id): if self.role_api.list_project_roles_for_user(user_id, tenant_id):
return user return user
return None return None
@ -488,13 +486,13 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
def users_get_page_markers(self, marker, limit): def users_get_page_markers(self, marker, limit):
return self.get_page_markers(marker, limit) return self.get_page_markers(marker, limit)
def users_get_by_tenant_get_page(self, tenant_id, role_id, marker, limit): def users_get_by_project_get_page(self, tenant_id, role_id, marker, limit):
return self._get_page(marker, return self._get_page(marker,
limit, limit,
self.project_api.get_users(tenant_id, role_id)) self.project_api.get_users(tenant_id, role_id))
def users_get_by_tenant_get_page_markers(self, tenant_id, role_id, marker, def users_get_by_project_get_page_markers(self, tenant_id, role_id,
limit): marker, limit):
return self._get_page_markers( return self._get_page_markers(
marker, limit, self.project_api.get_users(tenant_id, role_id)) marker, limit, self.project_api.get_users(tenant_id, role_id))
@ -553,7 +551,7 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
data['id'] = uuid.uuid4().hex data['id'] = uuid.uuid4().hex
return super(ProjectApi, self).create(data) return super(ProjectApi, self).create(data)
def get_user_tenants(self, user_id): def get_user_projects(self, user_id):
"""Returns list of tenants a user has access to """Returns list of tenants a user has access to
Always includes default tenants. Always includes default tenants.
@ -564,11 +562,13 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
return memberships return memberships
def list_for_user_get_page(self, user, marker, limit): def list_for_user_get_page(self, user, marker, limit):
return self._get_page(marker, limit, self.get_user_tenants(user['id'])) return self._get_page(marker,
limit,
self.get_user_projects(user['id']))
def list_for_user_get_page_markers(self, user, marker, limit): def list_for_user_get_page_markers(self, user, marker, limit):
return self._get_page_markers( return self._get_page_markers(
marker, limit, self.get_user_tenants(user['id'])) marker, limit, self.get_user_projects(user['id']))
def is_empty(self, id): def is_empty(self, id):
tenant = self._ldap_get(id) tenant = self._ldap_get(id)
@ -627,7 +627,7 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
if self.subtree_delete_enabled: if self.subtree_delete_enabled:
super(ProjectApi, self).deleteTree(id) super(ProjectApi, self).deleteTree(id)
else: else:
self.role_api.roles_delete_subtree_by_tenant(id) self.role_api.roles_delete_subtree_by_project(id)
super(ProjectApi, self).delete(id) super(ProjectApi, self).delete(id)
def update(self, id, values): def update(self, id, values):
@ -648,7 +648,7 @@ class UserRoleAssociation(object):
*args, **kw): *args, **kw):
self.user_id = str(user_id) self.user_id = str(user_id)
self.role_id = role_id self.role_id = role_id
self.tenant_id = str(tenant_id) self.project_id = str(tenant_id)
class GroupRoleAssociation(object): class GroupRoleAssociation(object):
@ -658,7 +658,7 @@ class GroupRoleAssociation(object):
*args, **kw): *args, **kw):
self.group_id = str(group_id) self.group_id = str(group_id)
self.role_id = role_id self.role_id = role_id
self.tenant_id = str(tenant_id) self.project_id = str(tenant_id)
# TODO(termie): turn this into a data object and move logic to driver # TODO(termie): turn this into a data object and move logic to driver
@ -698,12 +698,12 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
def _explode_ref(rolegrant): def _explode_ref(rolegrant):
a = rolegrant.split('-', 2) a = rolegrant.split('-', 2)
len_role = int(a[0]) len_role = int(a[0])
len_tenant = int(a[1]) len_project = int(a[1])
role_id = a[2][:len_role] role_id = a[2][:len_role]
role_id = None if len(role_id) == 0 else str(role_id) role_id = None if len(role_id) == 0 else str(role_id)
tenant_id = a[2][len_role:len_tenant + len_role] tenant_id = a[2][len_role:len_project + len_role]
tenant_id = None if len(tenant_id) == 0 else str(tenant_id) tenant_id = None if len(tenant_id) == 0 else str(tenant_id)
user_id = a[2][len_tenant + len_role:] user_id = a[2][len_project + len_role:]
user_id = None if len(user_id) == 0 else str(user_id) user_id = None if len(user_id) == 0 else str(user_id)
return role_id, tenant_id, user_id return role_id, tenant_id, user_id
@ -837,7 +837,7 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
role_id=role.id, role_id=role.id,
user_id=user_id) for role in roles] user_id=user_id) for role in roles]
def list_tenant_roles_for_user(self, user_id, tenant_id=None): def list_project_roles_for_user(self, user_id, tenant_id=None):
conn = self.get_connection() conn = self.get_connection()
user_dn = self.user_api._id_to_dn(user_id) user_dn = self.user_api._id_to_dn(user_id)
query = '(&(objectClass=%s)(%s=%s))' % (self.object_class, query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
@ -912,8 +912,8 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
all_roles += self.list_global_roles_for_user(user_id) all_roles += self.list_global_roles_for_user(user_id)
else: else:
for tenant in self.project_api.get_all(): for tenant in self.project_api.get_all():
all_roles += self.list_tenant_roles_for_user(user_id, all_roles += self.list_project_roles_for_user(user_id,
tenant['id']) tenant['id'])
return self._get_page(marker, limit, all_roles) return self._get_page(marker, limit, all_roles)
def rolegrant_get_page_markers(self, user_id, tenant_id, marker, limit): def rolegrant_get_page_markers(self, user_id, tenant_id, marker, limit):
@ -922,8 +922,8 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
all_roles = self.list_global_roles_for_user(user_id) all_roles = self.list_global_roles_for_user(user_id)
else: else:
for tenant in self.project_api.get_all(): for tenant in self.project_api.get_all():
all_roles += self.list_tenant_roles_for_user(user_id, all_roles += self.list_project_roles_for_user(user_id,
tenant['id']) tenant['id'])
return self._get_page_markers(marker, limit, all_roles) return self._get_page_markers(marker, limit, all_roles)
def get_by_service_get_page(self, service_id, marker, limit): def get_by_service_get_page(self, service_id, marker, limit):
@ -965,7 +965,7 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
tenant_id=tenant_id)) tenant_id=tenant_id))
return res return res
def roles_delete_subtree_by_tenant(self, tenant_id): def roles_delete_subtree_by_project(self, tenant_id):
conn = self.get_connection() conn = self.get_connection()
query = '(objectClass=%s)' % self.object_class query = '(objectClass=%s)' % self.object_class
tenant_dn = self.project_api._id_to_dn(tenant_id) tenant_dn = self.project_api._id_to_dn(tenant_id)


@ -71,10 +71,10 @@ class PamIdentity(identity.Driver):
return (user, tenant, metadata) return (user, tenant, metadata)
def get_tenant(self, tenant_id): def get_project(self, tenant_id):
return {'id': tenant_id, 'name': tenant_id} return {'id': tenant_id, 'name': tenant_id}
def get_tenant_by_name(self, tenant_name): def get_project_by_name(self, tenant_name):
return {'id': tenant_name, 'name': tenant_name} return {'id': tenant_name, 'name': tenant_name}
def get_user(self, user_id): def get_user(self, user_id):
@ -92,25 +92,25 @@ class PamIdentity(identity.Driver):
def list_roles(self): def list_roles(self):
raise NotImplementedError() raise NotImplementedError()
def add_user_to_tenant(self, tenant_id, user_id): def add_user_to_project(self, tenant_id, user_id):
pass pass
def remove_user_from_tenant(self, tenant_id, user_id): def remove_user_from_project(self, tenant_id, user_id):
pass pass
def get_all_tenants(self): def get_all_projects(self):
raise NotImplementedError() raise NotImplementedError()
def get_tenants_for_user(self, user_id): def get_projects_for_user(self, user_id):
return [user_id] return [user_id]
def get_roles_for_user_and_tenant(self, user_id, tenant_id): def get_roles_for_user_and_project(self, user_id, tenant_id):
raise NotImplementedError() raise NotImplementedError()
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id): def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
raise NotImplementedError() raise NotImplementedError()
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
raise NotImplementedError() raise NotImplementedError()
def create_user(self, user_id, user): def create_user(self, user_id, user):
@ -122,13 +122,13 @@ class PamIdentity(identity.Driver):
def delete_user(self, user_id): def delete_user(self, user_id):
raise NotImplementedError() raise NotImplementedError()
def create_tenant(self, tenant_id, tenant): def create_project(self, tenant_id, tenant):
raise NotImplementedError() raise NotImplementedError()
def update_tenant(self, tenant_id, tenant): def update_project(self, tenant_id, tenant):
raise NotImplementedError() raise NotImplementedError()
def delete_tenant(self, tenant_id, tenant): def delete_project(self, tenant_id, tenant):
raise NotImplementedError() raise NotImplementedError()
def get_metadata(self, user_id, tenant_id): def get_metadata(self, user_id, tenant_id):


@ -200,11 +200,11 @@ class Identity(sql.Base, identity.Driver):
raise AssertionError('Invalid user / password') raise AssertionError('Invalid user / password')
if tenant_id is not None: if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id): if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant') raise AssertionError('Invalid tenant')
try: try:
tenant_ref = self.get_tenant(tenant_id) tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.ProjectNotFound: except exception.ProjectNotFound:
tenant_ref = None tenant_ref = None
@ -214,23 +214,23 @@ class Identity(sql.Base, identity.Driver):
return (identity.filter_user(user_ref), tenant_ref, metadata_ref) return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_tenant(self, tenant_id): def get_project(self, tenant_id):
session = self.get_session() session = self.get_session()
tenant_ref = session.query(Project).filter_by(id=tenant_id).first() tenant_ref = session.query(Project).filter_by(id=tenant_id).first()
if tenant_ref is None: if tenant_ref is None:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
return tenant_ref.to_dict() return tenant_ref.to_dict()
def get_tenant_by_name(self, tenant_name): def get_project_by_name(self, tenant_name):
session = self.get_session() session = self.get_session()
tenant_ref = session.query(Project).filter_by(name=tenant_name).first() tenant_ref = session.query(Project).filter_by(name=tenant_name).first()
if not tenant_ref: if not tenant_ref:
raise exception.ProjectNotFound(project_id=tenant_name) raise exception.ProjectNotFound(project_id=tenant_name)
return tenant_ref.to_dict() return tenant_ref.to_dict()
def get_tenant_users(self, tenant_id): def get_project_users(self, tenant_id):
session = self.get_session() session = self.get_session()
self.get_tenant(tenant_id) self.get_project(tenant_id)
query = session.query(User) query = session.query(User)
query = query.join(UserProjectMembership) query = query.join(UserProjectMembership)
query = query.filter(UserProjectMembership.tenant_id == tenant_id) query = query.filter(UserProjectMembership.tenant_id == tenant_id)
@ -274,7 +274,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -302,7 +302,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -321,7 +321,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -343,7 +343,7 @@ class Identity(sql.Base, identity.Driver):
if domain_id: if domain_id:
self.get_domain(domain_id) self.get_domain(domain_id)
if project_id: if project_id:
self.get_tenant(project_id) self.get_project(project_id)
try: try:
metadata_ref = self.get_metadata(user_id, project_id, metadata_ref = self.get_metadata(user_id, project_id,
@ -366,9 +366,9 @@ class Identity(sql.Base, identity.Driver):
domain_id, group_id) domain_id, group_id)
# These should probably be part of the high-level API # These should probably be part of the high-level API
def add_user_to_tenant(self, tenant_id, user_id): def add_user_to_project(self, tenant_id, user_id):
session = self.get_session() session = self.get_session()
self.get_tenant(tenant_id) self.get_project(tenant_id)
self.get_user(user_id) self.get_user(user_id)
query = session.query(UserProjectMembership) query = session.query(UserProjectMembership)
query = query.filter_by(user_id=user_id) query = query.filter_by(user_id=user_id)
@ -382,9 +382,9 @@ class Identity(sql.Base, identity.Driver):
tenant_id=tenant_id)) tenant_id=tenant_id))
session.flush() session.flush()
def remove_user_from_tenant(self, tenant_id, user_id): def remove_user_from_project(self, tenant_id, user_id):
session = self.get_session() session = self.get_session()
self.get_tenant(tenant_id) self.get_project(tenant_id)
self.get_user(user_id) self.get_user(user_id)
query = session.query(UserProjectMembership) query = session.query(UserProjectMembership)
query = query.filter_by(user_id=user_id) query = query.filter_by(user_id=user_id)
@ -396,12 +396,15 @@ class Identity(sql.Base, identity.Driver):
session.delete(membership_ref) session.delete(membership_ref)
session.flush() session.flush()
def get_tenants(self): def get_projects(self):
session = self.get_session() session = self.get_session()
tenant_refs = session.query(Project).all() tenant_refs = session.query(Project).all()
return [tenant_ref.to_dict() for tenant_ref in tenant_refs] return [tenant_ref.to_dict() for tenant_ref in tenant_refs]
def get_tenants_for_user(self, user_id): def list_projects(self):
return self.get_projects()
def get_projects_for_user(self, user_id):
session = self.get_session() session = self.get_session()
self.get_user(user_id) self.get_user(user_id)
query = session.query(UserProjectMembership) query = session.query(UserProjectMembership)
@ -409,18 +412,18 @@ class Identity(sql.Base, identity.Driver):
membership_refs = query.all() membership_refs = query.all()
return [x.tenant_id for x in membership_refs] return [x.tenant_id for x in membership_refs]
def get_roles_for_user_and_tenant(self, user_id, tenant_id): def get_roles_for_user_and_project(self, user_id, tenant_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.MetadataNotFound: except exception.MetadataNotFound:
metadata_ref = {} metadata_ref = {}
return metadata_ref.get('roles', []) return metadata_ref.get('roles', [])
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id): def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
self.get_user(user_id) self.get_user(user_id)
self.get_tenant(tenant_id) self.get_project(tenant_id)
self.get_role(role_id) self.get_role(role_id)
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
@ -440,7 +443,7 @@ class Identity(sql.Base, identity.Driver):
else: else:
self.update_metadata(user_id, tenant_id, metadata_ref) self.update_metadata(user_id, tenant_id, metadata_ref)
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
try: try:
metadata_ref = self.get_metadata(user_id, tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
is_new = False is_new = False
@ -460,9 +463,9 @@ class Identity(sql.Base, identity.Driver):
self.update_metadata(user_id, tenant_id, metadata_ref) self.update_metadata(user_id, tenant_id, metadata_ref)
# CRUD # CRUD
@handle_conflicts(type='tenant') @handle_conflicts(type='project')
def create_tenant(self, tenant_id, tenant): def create_project(self, tenant_id, tenant):
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
session = self.get_session() session = self.get_session()
with session.begin(): with session.begin():
tenant_ref = Project.from_dict(tenant) tenant_ref = Project.from_dict(tenant)
@ -470,29 +473,29 @@ class Identity(sql.Base, identity.Driver):
session.flush() session.flush()
return tenant_ref.to_dict() return tenant_ref.to_dict()
@handle_conflicts(type='tenant') @handle_conflicts(type='project')
def update_tenant(self, tenant_id, tenant): def update_project(self, tenant_id, tenant):
session = self.get_session() session = self.get_session()
if 'name' in tenant: if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name']) tenant['name'] = clean.project_name(tenant['name'])
try: try:
tenant_ref = session.query(Project).filter_by(id=tenant_id).one() tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
except sql.NotFound: except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
with session.begin(): with session.begin():
old_tenant_dict = tenant_ref.to_dict() old_project_dict = tenant_ref.to_dict()
for k in tenant: for k in tenant:
old_tenant_dict[k] = tenant[k] old_project_dict[k] = tenant[k]
new_tenant = Project.from_dict(old_tenant_dict) new_project = Project.from_dict(old_project_dict)
tenant_ref.name = new_tenant.name tenant_ref.name = new_project.name
tenant_ref.extra = new_tenant.extra tenant_ref.extra = new_project.extra
session.flush() session.flush()
return tenant_ref.to_dict(include_extra_dict=True) return tenant_ref.to_dict(include_extra_dict=True)
def delete_tenant(self, tenant_id): @handle_conflicts(type='project')
def delete_project(self, tenant_id):
session = self.get_session() session = self.get_session()
try: try:
@ -626,39 +629,6 @@ class Identity(sql.Base, identity.Driver):
session.delete(ref) session.delete(ref)
session.flush() session.flush()
# project crud
@handle_conflicts(type='project')
def create_project(self, project_id, project):
return self.create_tenant(project_id, project)
def get_project(self, project_id):
return self.get_tenant(project_id)
def list_projects(self):
return self.get_tenants()
@handle_conflicts(type='project')
def update_project(self, project_id, project):
session = self.get_session()
with session.begin():
ref = session.query(Project).filter_by(id=project_id).first()
if ref is None:
raise exception.ProjectNotFound(project_id=project_id)
old_dict = ref.to_dict()
for k in project:
old_dict[k] = project[k]
new_project = Project.from_dict(old_dict)
for attr in Project.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_project, attr))
ref.extra = new_project.extra
session.flush()
return ref.to_dict()
def delete_project(self, project_id):
return self.delete_tenant(project_id)
def list_user_projects(self, user_id): def list_user_projects(self, user_id):
session = self.get_session() session = self.get_session()
user = self.get_user(user_id) user = self.get_user(user_id)
@ -1003,7 +973,7 @@ class Identity(sql.Base, identity.Driver):
for metadata_ref in session.query(UserProjectGrant): for metadata_ref in session.query(UserProjectGrant):
metadata = metadata_ref.to_dict() metadata = metadata_ref.to_dict()
try: try:
self.remove_role_from_user_and_tenant( self.remove_role_from_user_and_project(
metadata['user_id'], metadata['tenant_id'], role_id) metadata['user_id'], metadata['tenant_id'], role_id)
except exception.RoleNotFound: except exception.RoleNotFound:
pass pass
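Review bot: The `update_project` that survives this merge is the old `update_tenant` body, which writes back only `tenant_ref.name` and `tenant_ref.extra`, whereas the removed `update_project` copied every entry of `Project.attributes` except `id`. If `Project` maps other columns (not visible here; for example an `enabled` flag held as a column rather than in `extra`), updates to them through this path would now be dropped without an error. Keeping the removed loop, `for attr in Project.attributes:` with `if attr != 'id': setattr(tenant_ref, attr, getattr(new_project, attr))`, ahead of `tenant_ref.extra = new_project.extra` would preserve the earlier behaviour. The return value also changes from `ref.to_dict()` to `tenant_ref.to_dict(include_extra_dict=True)`, and the parameters are now named `tenant_id`/`tenant` rather than `project_id`/`project`, so any caller passing them by keyword would fail. Both deserve a test or a short comment stating the intent.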


@ -29,21 +29,21 @@ LOG = logging.getLogger(__name__)
class Tenant(controller.V2Controller): class Tenant(controller.V2Controller):
def get_all_tenants(self, context, **kw): def get_all_projects(self, context, **kw):
"""Gets a list of all tenants for an admin user.""" """Gets a list of all tenants for an admin user."""
if 'name' in context['query_string']: if 'name' in context['query_string']:
return self.get_tenant_by_name( return self.get_project_by_name(
context, context['query_string'].get('name')) context, context['query_string'].get('name'))
self.assert_admin(context) self.assert_admin(context)
tenant_refs = self.identity_api.get_tenants(context) tenant_refs = self.identity_api.get_projects(context)
params = { params = {
'limit': context['query_string'].get('limit'), 'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'), 'marker': context['query_string'].get('marker'),
} }
return self._format_tenant_list(tenant_refs, **params) return self._format_project_list(tenant_refs, **params)
def get_tenants_for_token(self, context, **kw): def get_projects_for_token(self, context, **kw):
"""Get valid tenants for token based on token used to authenticate. """Get valid tenants for token based on token used to authenticate.
Pulls the token from the context, validates it and gets the valid Pulls the token from the context, validates it and gets the valid
@ -60,31 +60,31 @@ class Tenant(controller.V2Controller):
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
user_ref = token_ref['user'] user_ref = token_ref['user']
tenant_ids = self.identity_api.get_tenants_for_user( tenant_ids = self.identity_api.get_projects_for_user(
context, user_ref['id']) context, user_ref['id'])
tenant_refs = [] tenant_refs = []
for tenant_id in tenant_ids: for tenant_id in tenant_ids:
tenant_refs.append(self.identity_api.get_tenant( tenant_refs.append(self.identity_api.get_project(
context=context, context=context,
tenant_id=tenant_id)) tenant_id=tenant_id))
params = { params = {
'limit': context['query_string'].get('limit'), 'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'), 'marker': context['query_string'].get('marker'),
} }
return self._format_tenant_list(tenant_refs, **params) return self._format_project_list(tenant_refs, **params)
def get_tenant(self, context, tenant_id): def get_project(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware # TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context) self.assert_admin(context)
return {'tenant': self.identity_api.get_tenant(context, tenant_id)} return {'tenant': self.identity_api.get_project(context, tenant_id)}
def get_tenant_by_name(self, context, tenant_name): def get_project_by_name(self, context, tenant_name):
self.assert_admin(context) self.assert_admin(context)
return {'tenant': self.identity_api.get_tenant_by_name( return {'tenant': self.identity_api.get_project_by_name(
context, tenant_name)} context, tenant_name)}
# CRUD Extension # CRUD Extension
def create_tenant(self, context, tenant): def create_project(self, context, tenant):
tenant_ref = self._normalize_dict(tenant) tenant_ref = self._normalize_dict(tenant)
if not 'name' in tenant_ref or not tenant_ref['name']: if not 'name' in tenant_ref or not tenant_ref['name']:
@ -93,26 +93,26 @@ class Tenant(controller.V2Controller):
self.assert_admin(context) self.assert_admin(context)
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
tenant = self.identity_api.create_tenant( tenant = self.identity_api.create_project(
context, tenant_ref['id'], tenant_ref) context, tenant_ref['id'], tenant_ref)
return {'tenant': tenant} return {'tenant': tenant}
def update_tenant(self, context, tenant_id, tenant): def update_project(self, context, tenant_id, tenant):
self.assert_admin(context) self.assert_admin(context)
tenant_ref = self.identity_api.update_tenant( tenant_ref = self.identity_api.update_project(
context, tenant_id, tenant) context, tenant_id, tenant)
return {'tenant': tenant_ref} return {'tenant': tenant_ref}
def delete_tenant(self, context, tenant_id): def delete_project(self, context, tenant_id):
self.assert_admin(context) self.assert_admin(context)
self.identity_api.delete_tenant(context, tenant_id) self.identity_api.delete_project(context, tenant_id)
def get_tenant_users(self, context, tenant_id, **kw): def get_project_users(self, context, tenant_id, **kw):
self.assert_admin(context) self.assert_admin(context)
user_refs = self.identity_api.get_tenant_users(context, tenant_id) user_refs = self.identity_api.get_project_users(context, tenant_id)
return {'users': user_refs} return {'users': user_refs}
def _format_tenant_list(self, tenant_refs, **kwargs): def _format_project_list(self, tenant_refs, **kwargs):
marker = kwargs.get('marker') marker = kwargs.get('marker')
first_index = 0 first_index = 0
if marker is not None: if marker is not None:
@ -177,7 +177,7 @@ class User(controller.V2Controller):
tenant_id = user.get('tenantId', None) tenant_id = user.get('tenantId', None)
if (tenant_id is not None if (tenant_id is not None
and self.identity_api.get_tenant(context, tenant_id) is None): and self.identity_api.get_project(context, tenant_id) is None):
raise exception.ProjectNotFound(project_id=tenant_id) raise exception.ProjectNotFound(project_id=tenant_id)
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
user_ref = user.copy() user_ref = user.copy()
@ -185,7 +185,7 @@ class User(controller.V2Controller):
new_user_ref = self.identity_api.create_user( new_user_ref = self.identity_api.create_user(
context, user_id, user_ref) context, user_id, user_ref)
if tenant_id: if tenant_id:
self.identity_api.add_user_to_tenant(context, tenant_id, user_id) self.identity_api.add_user_to_project(context, tenant_id, user_id)
return {'user': new_user_ref} return {'user': new_user_ref}
def update_user(self, context, user_id, user): def update_user(self, context, user_id, user):
@ -215,12 +215,12 @@ class User(controller.V2Controller):
def set_user_password(self, context, user_id, user): def set_user_password(self, context, user_id, user):
return self.update_user(context, user_id, user) return self.update_user(context, user_id, user)
def update_user_tenant(self, context, user_id, user): def update_user_project(self, context, user_id, user):
"""Update the default tenant.""" """Update the default tenant."""
self.assert_admin(context) self.assert_admin(context)
# ensure that we're a member of that tenant # ensure that we're a member of that tenant
tenant_id = user.get('tenantId') tenant_id = user.get('tenantId')
self.identity_api.add_user_to_tenant(context, tenant_id, user_id) self.identity_api.add_user_to_project(context, tenant_id, user_id)
return self.update_user(context, user_id, user) return self.update_user(context, user_id, user)
@ -238,7 +238,7 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: ' raise exception.NotImplemented(message='User roles not supported: '
'tenant ID required') 'tenant ID required')
roles = self.identity_api.get_roles_for_user_and_tenant( roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id) context, user_id, tenant_id)
return {'roles': [self.identity_api.get_role(context, x) return {'roles': [self.identity_api.get_role(context, x)
for x in roles]} for x in roles]}
@ -283,8 +283,8 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to # This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant # a user also adds them to a tenant
self.identity_api.add_user_to_tenant(context, tenant_id, user_id) self.identity_api.add_user_to_project(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id) context, user_id, tenant_id, role_id)
self.token_api.revoke_tokens(context, user_id, tenant_id) self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -305,12 +305,12 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to # This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that # a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_tenant( self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id) context, user_id, tenant_id, role_id)
roles = self.identity_api.get_roles_for_user_and_tenant( roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id) context, user_id, tenant_id)
if not roles: if not roles:
self.identity_api.remove_user_from_tenant( self.identity_api.remove_user_from_project(
context, tenant_id, user_id) context, tenant_id, user_id)
self.token_api.revoke_tokens(context, user_id, tenant_id) self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -327,10 +327,10 @@ class Role(controller.V2Controller):
self.assert_admin(context) self.assert_admin(context)
# Ensure user exists by getting it first. # Ensure user exists by getting it first.
self.identity_api.get_user(context, user_id) self.identity_api.get_user(context, user_id)
tenant_ids = self.identity_api.get_tenants_for_user(context, user_id) tenant_ids = self.identity_api.get_projects_for_user(context, user_id)
o = [] o = []
for tenant_id in tenant_ids: for tenant_id in tenant_ids:
role_ids = self.identity_api.get_roles_for_user_and_tenant( role_ids = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id) context, user_id, tenant_id)
for role_id in role_ids: for role_id in role_ids:
ref = {'roleId': role_id, ref = {'roleId': role_id,
@ -352,8 +352,8 @@ class Role(controller.V2Controller):
# TODO(termie): for now we're ignoring the actual role # TODO(termie): for now we're ignoring the actual role
tenant_id = role.get('tenantId') tenant_id = role.get('tenantId')
role_id = role.get('roleId') role_id = role.get('roleId')
self.identity_api.add_user_to_tenant(context, tenant_id, user_id) self.identity_api.add_user_to_project(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
context, user_id, tenant_id, role_id) context, user_id, tenant_id, role_id)
self.token_api.revoke_tokens(context, user_id, tenant_id) self.token_api.revoke_tokens(context, user_id, tenant_id)
@ -377,12 +377,12 @@ class Role(controller.V2Controller):
role_ref_ref = urlparse.parse_qs(role_ref_id) role_ref_ref = urlparse.parse_qs(role_ref_id)
tenant_id = role_ref_ref.get('tenantId')[0] tenant_id = role_ref_ref.get('tenantId')[0]
role_id = role_ref_ref.get('roleId')[0] role_id = role_ref_ref.get('roleId')[0]
self.identity_api.remove_role_from_user_and_tenant( self.identity_api.remove_role_from_user_and_project(
context, user_id, tenant_id, role_id) context, user_id, tenant_id, role_id)
roles = self.identity_api.get_roles_for_user_and_tenant( roles = self.identity_api.get_roles_for_user_and_project(
context, user_id, tenant_id) context, user_id, tenant_id)
if not roles: if not roles:
self.identity_api.remove_user_from_tenant( self.identity_api.remove_user_from_project(
context, tenant_id, user_id) context, tenant_id, user_id)
self.token_api.revoke_tokens(context, user_id, tenant_id) self.token_api.revoke_tokens(context, user_id, tenant_id)


@ -72,7 +72,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_tenant(self, tenant_id): def get_project(self, tenant_id):
"""Get a tenant by id. """Get a tenant by id.
:returns: tenant_ref :returns: tenant_ref
@ -81,7 +81,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_tenant_by_name(self, tenant_name): def get_project_by_name(self, tenant_name):
"""Get a tenant by name. """Get a tenant by name.
:returns: tenant_ref :returns: tenant_ref
@ -99,7 +99,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def add_user_to_tenant(self, tenant_id, user_id): def add_user_to_project(self, tenant_id, user_id):
"""Add user to a tenant without an explicit role relationship. """Add user to a tenant without an explicit role relationship.
:raises: keystone.exception.ProjectNotFound, :raises: keystone.exception.ProjectNotFound,
@ -108,7 +108,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def remove_user_from_tenant(self, tenant_id, user_id): def remove_user_from_project(self, tenant_id, user_id):
"""Remove user from a tenant without an explicit role relationship. """Remove user from a tenant without an explicit role relationship.
:raises: keystone.exception.ProjectNotFound, :raises: keystone.exception.ProjectNotFound,
@ -117,11 +117,11 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_all_tenants(self): def get_all_projects(self):
"""FIXME(dolph): Lists all tenants in the system? I'm not sure how this """FIXME(dolph): Lists all tenants in the system? I'm not sure how this
is different from get_tenants, why get_tenants isn't is different from get_projects, why get_projects isn't
documented as part of the driver, or why it's called documented as part of the driver, or why it's called
get_tenants instead of list_tenants (i.e. list_roles get_projects instead of list_projects (i.e. list_roles
and list_users)... and list_users)...
:returns: a list of ... FIXME(dolph): tenant_refs or tenant_id's? :returns: a list of ... FIXME(dolph): tenant_refs or tenant_id's?
@ -129,17 +129,17 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_tenant_users(self, tenant_id): def get_project_users(self, tenant_id):
"""FIXME(dolph): Lists all users with a relationship to the specified """FIXME(dolph): Lists all users with a relationship to the specified
tenant? tenant?
:returns: a list of ... FIXME(dolph): user_refs or user_id's? :returns: a list of ... FIXME(dolph): user_refs or user_id's?
:raises: keystone.exception.UserNotFound :raises: keystone.exception.ProjectNotFound
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_tenants_for_user(self, user_id): def get_projects_for_user(self, user_id):
"""Get the tenants associated with a given user. """Get the tenants associated with a given user.
:returns: a list of tenant_id's. :returns: a list of tenant_id's.
@ -148,7 +148,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def get_roles_for_user_and_tenant(self, user_id, tenant_id): def get_roles_for_user_and_project(self, user_id, tenant_id):
"""Get the roles associated with a user within given tenant. """Get the roles associated with a user within given tenant.
:returns: a list of role ids. :returns: a list of role ids.
@ -158,7 +158,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id): def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
"""Add a role to a user within given tenant. """Add a role to a user within given tenant.
:raises: keystone.exception.UserNotFound, :raises: keystone.exception.UserNotFound,
@ -167,7 +167,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id): def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
"""Remove a role from a user within given tenant. """Remove a role from a user within given tenant.
:raises: keystone.exception.UserNotFound, :raises: keystone.exception.UserNotFound,
@ -178,7 +178,7 @@ class Driver(object):
raise exception.NotImplemented() raise exception.NotImplemented()
# tenant crud # tenant crud
def create_tenant(self, tenant_id, tenant): def create_project(self, tenant_id, tenant):
"""Creates a new tenant. """Creates a new tenant.
:raises: keystone.exception.Conflict :raises: keystone.exception.Conflict
@ -186,7 +186,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def update_tenant(self, tenant_id, tenant): def update_project(self, tenant_id, tenant):
"""Updates an existing tenant. """Updates an existing tenant.
:raises: keystone.exception.ProjectNotFound, :raises: keystone.exception.ProjectNotFound,
@ -195,7 +195,7 @@ class Driver(object):
""" """
raise exception.NotImplemented() raise exception.NotImplemented()
def delete_tenant(self, tenant_id): def delete_project(self, tenant_id):
"""Deletes an existing tenant. """Deletes an existing tenant.
:raises: keystone.exception.ProjectNotFound :raises: keystone.exception.ProjectNotFound
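Review bot: The renamed `Driver` methods keep their old parameter names and docstrings, so `get_project(self, tenant_id)` is still documented as "Get a tenant by id." with `:returns: tenant_ref`, and the same holds for the other renamed methods in this file section. Callers elsewhere in this commit pass these as keyword arguments (`tenant_name=tenant_name`, `tenant_id=tenant_id`), so renaming the parameters would be an interface change and can reasonably wait for a later step. The docstrings can be brought in line now, for example `"""Get a project by id."""` and `:returns: project_ref`, and the `# tenant crud` comment above `create_project` has the same leftover. The docstrings are only partly visible in these hunks, so the remaining lines of each should be checked as well.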


@ -24,7 +24,7 @@ class Public(wsgi.ComposableRouter):
tenant_controller = controllers.Tenant() tenant_controller = controllers.Tenant()
mapper.connect('/tenants', mapper.connect('/tenants',
controller=tenant_controller, controller=tenant_controller,
action='get_tenants_for_token', action='get_projects_for_token',
conditions=dict(method=['GET'])) conditions=dict(method=['GET']))
@ -34,11 +34,11 @@ class Admin(wsgi.ComposableRouter):
tenant_controller = controllers.Tenant() tenant_controller = controllers.Tenant()
mapper.connect('/tenants', mapper.connect('/tenants',
controller=tenant_controller, controller=tenant_controller,
action='get_all_tenants', action='get_all_projects',
conditions=dict(method=['GET'])) conditions=dict(method=['GET']))
mapper.connect('/tenants/{tenant_id}', mapper.connect('/tenants/{tenant_id}',
controller=tenant_controller, controller=tenant_controller,
action='get_tenant', action='get_project',
conditions=dict(method=['GET'])) conditions=dict(method=['GET']))
# User Operations # User Operations


@ -233,7 +233,7 @@ class TestCase(NoModule, unittest.TestCase):
# loaddata will be much preferred. # loaddata will be much preferred.
if hasattr(self, 'identity_api'): if hasattr(self, 'identity_api'):
for tenant in fixtures.TENANTS: for tenant in fixtures.TENANTS:
rv = self.identity_api.create_tenant(tenant['id'], tenant) rv = self.identity_api.create_project(tenant['id'], tenant)
setattr(self, 'tenant_%s' % tenant['id'], rv) setattr(self, 'tenant_%s' % tenant['id'], rv)
for user in fixtures.USERS: for user in fixtures.USERS:
@ -242,7 +242,8 @@ class TestCase(NoModule, unittest.TestCase):
rv = self.identity_api.create_user(user['id'], rv = self.identity_api.create_user(user['id'],
user_copy.copy()) user_copy.copy())
for tenant_id in tenants: for tenant_id in tenants:
self.identity_api.add_user_to_tenant(tenant_id, user['id']) self.identity_api.add_user_to_project(tenant_id,
user['id'])
setattr(self, 'user_%s' % user['id'], user_copy) setattr(self, 'user_%s' % user['id'], user_copy)
for role in fixtures.ROLES: for role in fixtures.ROLES:


@ -169,9 +169,9 @@ class Auth(controller.V2Controller):
current_user_ref = self.identity_api.get_user(context=context, current_user_ref = self.identity_api.get_user(context=context,
user_id=user_id) user_id=user_id)
tenant_id = self._get_tenant_id_from_auth(context, auth) tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_tenant_ref(context, user_id, tenant_id) tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
self._append_roles(metadata_ref, self._append_roles(metadata_ref,
@ -222,7 +222,7 @@ class Auth(controller.V2Controller):
except exception.UserNotFound as e: except exception.UserNotFound as e:
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth) tenant_id = self._get_project_id_from_auth(context, auth)
try: try:
auth_info = self.identity_api.authenticate( auth_info = self.identity_api.authenticate(
@ -266,9 +266,9 @@ class Auth(controller.V2Controller):
except exception.UserNotFound as e: except exception.UserNotFound as e:
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth) tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_tenant_ref(context, user_id, tenant_id) tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
self._append_roles(metadata_ref, self._append_roles(metadata_ref,
@ -293,7 +293,7 @@ class Auth(controller.V2Controller):
metadata=metadata, metadata=metadata,
expires=expiry)) expires=expiry))
def _get_tenant_id_from_auth(self, context, auth): def _get_project_id_from_auth(self, context, auth):
"""Extract tenant information from auth dict. """Extract tenant information from auth dict.
Returns a valid tenant_id if it exists, or None if not specified. Returns a valid tenant_id if it exists, or None if not specified.
@ -302,18 +302,18 @@ class Auth(controller.V2Controller):
tenant_name = auth.get('tenantName', None) tenant_name = auth.get('tenantName', None)
if tenant_name: if tenant_name:
try: try:
tenant_ref = self.identity_api.get_tenant_by_name( tenant_ref = self.identity_api.get_project_by_name(
context=context, tenant_name=tenant_name) context=context, tenant_name=tenant_name)
tenant_id = tenant_ref['id'] tenant_id = tenant_ref['id']
except exception.ProjectNotFound as e: except exception.ProjectNotFound as e:
raise exception.Unauthorized(e) raise exception.Unauthorized(e)
return tenant_id return tenant_id
def _get_tenant_ref(self, context, user_id, tenant_id): def _get_project_ref(self, context, user_id, tenant_id):
"""Returns the tenant_ref for the user's tenant""" """Returns the tenant_ref for the user's tenant"""
tenant_ref = None tenant_ref = None
if tenant_id: if tenant_id:
tenants = self.identity_api.get_tenants_for_user(context, user_id) tenants = self.identity_api.get_projects_for_user(context, user_id)
if tenant_id not in tenants: if tenant_id not in tenants:
msg = 'User %s is unauthorized for tenant %s' % ( msg = 'User %s is unauthorized for tenant %s' % (
user_id, tenant_id) user_id, tenant_id)
@ -321,8 +321,8 @@ class Auth(controller.V2Controller):
raise exception.Unauthorized(msg) raise exception.Unauthorized(msg)
try: try:
tenant_ref = self.identity_api.get_tenant(context=context, tenant_ref = self.identity_api.get_project(context=context,
tenant_id=tenant_id) tenant_id=tenant_id)
except exception.ProjectNotFound as e: except exception.ProjectNotFound as e:
exception.Unauthorized(e) exception.Unauthorized(e)
return tenant_ref return tenant_ref
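Review bot: In `_get_project_ref`, the `except exception.ProjectNotFound as e:` handler constructs `exception.Unauthorized(e)` but never raises it, so a project that is listed for the user but cannot be loaded leaves `tenant_ref` as `None` and the method returns normally. The callers shown above pass the result on, so the request would presumably proceed as if no project had been requested instead of being rejected. The handler should read `raise exception.Unauthorized(e)`, as the matching handler in `_get_project_id_from_auth` already does. This commit renames the call inside the `try` but leaves the handler as it was; part of the method lies between the two hunks, so the rest of the body should be checked too. A test in which `get_project` raises `ProjectNotFound` for a listed project would pin the fix.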


@ -150,7 +150,7 @@ class AuthWithToken(AuthTest):
self.api.authenticate, self.api.authenticate,
{}, body_dict) {}, body_dict)
def test_auth_unscoped_token_no_tenant(self): def test_auth_unscoped_token_no_project(self):
"""Verify getting an unscoped token with an unscoped token""" """Verify getting an unscoped token with an unscoped token"""
body_dict = _build_user_auth( body_dict = _build_user_auth(
username='FOO', username='FOO',
@ -163,10 +163,10 @@ class AuthWithToken(AuthTest):
self.assertEqualTokens(unscoped_token, unscoped_token_2) self.assertEqualTokens(unscoped_token, unscoped_token_2)
def test_auth_unscoped_token_tenant(self): def test_auth_unscoped_token_project(self):
"""Verify getting a token in a tenant with an unscoped token""" """Verify getting a token in a tenant with an unscoped token"""
# Add a role in so we can check we get this back # Add a role in so we can check we get this back
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.user_foo['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
self.role_member['id']) self.role_member['id'])
@ -186,10 +186,10 @@ class AuthWithToken(AuthTest):
self.assertEquals(tenant["id"], self.tenant_bar['id']) self.assertEquals(tenant["id"], self.tenant_bar['id'])
self.assertEquals(roles[0], self.role_member['id']) self.assertEquals(roles[0], self.role_member['id'])
def test_auth_token_tenant_group_role(self): def test_auth_token_project_group_role(self):
"""Verify getting a token in a tenant with group roles""" """Verify getting a token in a tenant with group roles"""
# Add a v2 style role in so we can check we get this back # Add a v2 style role in so we can check we get this back
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.user_foo['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
self.role_member['id']) self.role_member['id'])


@ -39,14 +39,14 @@ class IdentityTests(object):
tenant_id=self.tenant_bar['id'], tenant_id=self.tenant_bar['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
def test_authenticate_bad_tenant(self): def test_authenticate_bad_project(self):
self.assertRaises(AssertionError, self.assertRaises(AssertionError,
self.identity_api.authenticate, self.identity_api.authenticate,
user_id=self.user_foo['id'], user_id=self.user_foo['id'],
tenant_id=uuid.uuid4().hex, tenant_id=uuid.uuid4().hex,
password=self.user_foo['password']) password=self.user_foo['password'])
def test_authenticate_no_tenant(self): def test_authenticate_no_project(self):
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate( user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=self.user_foo['id'], user_id=self.user_foo['id'],
password=self.user_foo['password']) password=self.user_foo['password'])
@ -72,7 +72,7 @@ class IdentityTests(object):
self.assertDictEqual(metadata_ref, self.metadata_foobar) self.assertDictEqual(metadata_ref, self.metadata_foobar)
def test_authenticate_role_return(self): def test_authenticate_role_return(self):
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin') self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate( user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=self.user_foo['id'], user_id=self.user_foo['id'],
@ -88,7 +88,8 @@ class IdentityTests(object):
'password': 'no_meta2', 'password': 'no_meta2',
} }
self.identity_api.create_user(user['id'], user) self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_baz['id'], user['id']) self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate( user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=user['id'], user_id=user['id'],
tenant_id=self.tenant_baz['id'], tenant_id=self.tenant_baz['id'],
@ -105,29 +106,29 @@ class IdentityTests(object):
user_ref = self.identity_api._get_user(self.user_foo['id']) user_ref = self.identity_api._get_user(self.user_foo['id'])
self.assertNotEqual(user_ref['password'], self.user_foo['password']) self.assertNotEqual(user_ref['password'], self.user_foo['password'])
def test_get_tenant(self): def test_get_project(self):
tenant_ref = self.identity_api.get_tenant( tenant_ref = self.identity_api.get_project(
tenant_id=self.tenant_bar['id']) tenant_id=self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar) self.assertDictEqual(tenant_ref, self.tenant_bar)
def test_get_tenant_404(self): def test_get_project_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
tenant_id=uuid.uuid4().hex) tenant_id=uuid.uuid4().hex)
def test_get_tenant_by_name(self): def test_get_project_by_name(self):
tenant_ref = self.identity_api.get_tenant_by_name( tenant_ref = self.identity_api.get_project_by_name(
tenant_name=self.tenant_bar['name']) tenant_name=self.tenant_bar['name'])
self.assertDictEqual(tenant_ref, self.tenant_bar) self.assertDictEqual(tenant_ref, self.tenant_bar)
def test_get_tenant_by_name_404(self): def test_get_project_by_name_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
tenant_id=uuid.uuid4().hex) tenant_id=uuid.uuid4().hex)
def test_get_tenant_users_404(self): def test_get_project_users_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant_users, self.identity_api.get_project_users,
tenant_id=uuid.uuid4().hex) tenant_id=uuid.uuid4().hex)
def test_get_user(self): def test_get_user(self):
@ -271,116 +272,116 @@ class IdentityTests(object):
self.identity_api.get_user, self.identity_api.get_user,
'fake2') 'fake2')
def test_create_duplicate_tenant_id_fails(self): def test_create_duplicate_project_id_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['name'] = 'fake2' tenant['name'] = 'fake2'
self.assertRaises(exception.Conflict, self.assertRaises(exception.Conflict,
self.identity_api.create_tenant, self.identity_api.create_project,
'fake1', 'fake1',
tenant) tenant)
def test_create_duplicate_tenant_name_fails(self): def test_create_duplicate_project_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake'} tenant = {'id': 'fake1', 'name': 'fake'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['id'] = 'fake2' tenant['id'] = 'fake2'
self.assertRaises(exception.Conflict, self.assertRaises(exception.Conflict,
self.identity_api.create_tenant, self.identity_api.create_project,
'fake1', 'fake1',
tenant) tenant)
def test_rename_duplicate_tenant_name_fails(self): def test_rename_duplicate_project_name_fails(self):
tenant1 = {'id': 'fake1', 'name': 'fake1'} tenant1 = {'id': 'fake1', 'name': 'fake1'}
tenant2 = {'id': 'fake2', 'name': 'fake2'} tenant2 = {'id': 'fake2', 'name': 'fake2'}
self.identity_api.create_tenant('fake1', tenant1) self.identity_api.create_project('fake1', tenant1)
self.identity_api.create_tenant('fake2', tenant2) self.identity_api.create_project('fake2', tenant2)
tenant2['name'] = 'fake1' tenant2['name'] = 'fake1'
self.assertRaises(exception.Error, self.assertRaises(exception.Error,
self.identity_api.update_tenant, self.identity_api.update_project,
'fake2', 'fake2',
tenant2) tenant2)
def test_update_tenant_id_does_nothing(self): def test_update_project_id_does_nothing(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['id'] = 'fake2' tenant['id'] = 'fake2'
self.identity_api.update_tenant('fake1', tenant) self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1') tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1') self.assertEqual(tenant_ref['id'], 'fake1')
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
'fake2') 'fake2')
def test_add_duplicate_role_grant(self): def test_add_duplicate_role_grant(self):
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('keystone_admin', roles_ref) self.assertNotIn('keystone_admin', roles_ref)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin') self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
self.assertRaises(exception.Conflict, self.assertRaises(exception.Conflict,
self.identity_api.add_role_to_user_and_tenant, self.identity_api.add_role_to_user_and_project,
self.user_foo['id'], self.user_foo['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
'keystone_admin') 'keystone_admin')
def test_get_role_by_user_and_tenant(self): def test_get_role_by_user_and_project(self):
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('keystone_admin', roles_ref) self.assertNotIn('keystone_admin', roles_ref)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin') self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertIn('keystone_admin', roles_ref) self.assertIn('keystone_admin', roles_ref)
self.assertNotIn('member', roles_ref) self.assertNotIn('member', roles_ref)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member') self.user_foo['id'], self.tenant_bar['id'], 'member')
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertIn('keystone_admin', roles_ref) self.assertIn('keystone_admin', roles_ref)
self.assertIn('member', roles_ref) self.assertIn('member', roles_ref)
def test_get_roles_for_user_and_tenant_404(self): def test_get_roles_for_user_and_project_404(self):
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_roles_for_user_and_tenant, self.identity_api.get_roles_for_user_and_project,
uuid.uuid4().hex, uuid.uuid4().hex,
self.tenant_bar['id']) self.tenant_bar['id'])
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_roles_for_user_and_tenant, self.identity_api.get_roles_for_user_and_project,
self.user_foo['id'], self.user_foo['id'],
uuid.uuid4().hex) uuid.uuid4().hex)
def test_add_role_to_user_and_tenant_404(self): def test_add_role_to_user_and_project_404(self):
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.add_role_to_user_and_tenant, self.identity_api.add_role_to_user_and_project,
uuid.uuid4().hex, uuid.uuid4().hex,
self.tenant_bar['id'], self.tenant_bar['id'],
'keystone_admin') 'keystone_admin')
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.add_role_to_user_and_tenant, self.identity_api.add_role_to_user_and_project,
self.user_foo['id'], self.user_foo['id'],
uuid.uuid4().hex, uuid.uuid4().hex,
'keystone_admin') 'keystone_admin')
self.assertRaises(exception.RoleNotFound, self.assertRaises(exception.RoleNotFound,
self.identity_api.add_role_to_user_and_tenant, self.identity_api.add_role_to_user_and_project,
self.user_foo['id'], self.user_foo['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
uuid.uuid4().hex) uuid.uuid4().hex)
def test_remove_role_from_user_and_tenant(self): def test_remove_role_from_user_and_project(self):
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member') self.user_foo['id'], self.tenant_bar['id'], 'member')
self.identity_api.remove_role_from_user_and_tenant( self.identity_api.remove_role_from_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member') self.user_foo['id'], self.tenant_bar['id'], 'member')
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn('member', roles_ref) self.assertNotIn('member', roles_ref)
self.assertRaises(exception.NotFound, self.assertRaises(exception.NotFound,
self.identity_api.remove_role_from_user_and_tenant, self.identity_api.remove_role_from_user_and_project,
self.user_foo['id'], self.user_foo['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
'member') 'member')
@ -589,61 +590,61 @@ class IdentityTests(object):
role['id'], role['id'],
role) role)
def test_add_user_to_tenant(self): def test_add_user_to_project(self):
self.identity_api.add_user_to_tenant(self.tenant_bar['id'], self.identity_api.add_user_to_project(self.tenant_bar['id'],
self.user_foo['id']) self.user_foo['id'])
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id']) tenants = self.identity_api.get_projects_for_user(self.user_foo['id'])
self.assertIn(self.tenant_bar['id'], tenants) self.assertIn(self.tenant_bar['id'], tenants)
def test_add_user_to_tenant_404(self): def test_add_user_to_project_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.add_user_to_tenant, self.identity_api.add_user_to_project,
uuid.uuid4().hex, uuid.uuid4().hex,
self.user_foo['id']) self.user_foo['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.add_user_to_tenant, self.identity_api.add_user_to_project,
self.tenant_bar['id'], self.tenant_bar['id'],
uuid.uuid4().hex) uuid.uuid4().hex)
def test_remove_user_from_tenant(self): def test_remove_user_from_project(self):
self.identity_api.add_user_to_tenant(self.tenant_bar['id'], self.identity_api.add_user_to_project(self.tenant_bar['id'],
self.user_foo['id']) self.user_foo['id'])
self.identity_api.remove_user_from_tenant(self.tenant_bar['id'], self.identity_api.remove_user_from_project(self.tenant_bar['id'],
self.user_foo['id']) self.user_foo['id'])
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id']) tenants = self.identity_api.get_projects_for_user(self.user_foo['id'])
self.assertNotIn(self.tenant_bar['id'], tenants) self.assertNotIn(self.tenant_bar['id'], tenants)
def test_remove_user_from_tenant_404(self): def test_remove_user_from_project_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.remove_user_from_tenant, self.identity_api.remove_user_from_project,
uuid.uuid4().hex, uuid.uuid4().hex,
self.user_foo['id']) self.user_foo['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.remove_user_from_tenant, self.identity_api.remove_user_from_project,
self.tenant_bar['id'], self.tenant_bar['id'],
uuid.uuid4().hex) uuid.uuid4().hex)
self.assertRaises(exception.NotFound, self.assertRaises(exception.NotFound,
self.identity_api.remove_user_from_tenant, self.identity_api.remove_user_from_project,
self.tenant_baz['id'], self.tenant_baz['id'],
self.user_foo['id']) self.user_foo['id'])
def test_get_tenants_for_user_404(self): def test_get_projects_for_user_404(self):
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user, self.identity_api.get_projects_for_user,
uuid.uuid4().hex) uuid.uuid4().hex)
def test_update_tenant_404(self): def test_update_project_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.update_tenant, self.identity_api.update_project,
uuid.uuid4().hex, uuid.uuid4().hex,
dict()) dict())
def test_delete_tenant_404(self): def test_delete_project_404(self):
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.delete_tenant, self.identity_api.delete_project,
uuid.uuid4().hex) uuid.uuid4().hex)
def test_update_user_404(self): def test_update_user_404(self):
@ -653,16 +654,16 @@ class IdentityTests(object):
user_id, user_id,
{'id': user_id}) {'id': user_id})
def test_delete_user_with_tenant_association(self): def test_delete_user_with_project_association(self):
user = {'id': uuid.uuid4().hex, user = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex} 'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user) self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'], self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id']) user['id'])
self.identity_api.delete_user(user['id']) self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user, self.identity_api.get_projects_for_user,
user['id']) user['id'])
def test_delete_user_404(self): def test_delete_user_404(self):
@ -675,62 +676,62 @@ class IdentityTests(object):
self.identity_api.delete_role, self.identity_api.delete_role,
uuid.uuid4().hex) uuid.uuid4().hex)
def test_create_tenant_long_name_fails(self): def test_create_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'a' * 65} tenant = {'id': 'fake1', 'name': 'a' * 65}
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant, self.identity_api.create_project,
tenant['id'], tenant['id'],
tenant) tenant)
def test_create_tenant_blank_name_fails(self): def test_create_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': ''} tenant = {'id': 'fake1', 'name': ''}
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant, self.identity_api.create_project,
tenant['id'], tenant['id'],
tenant) tenant)
def test_create_tenant_invalid_name_fails(self): def test_create_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': None} tenant = {'id': 'fake1', 'name': None}
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant, self.identity_api.create_project,
tenant['id'], tenant['id'],
tenant) tenant)
tenant = {'id': 'fake1', 'name': 123} tenant = {'id': 'fake1', 'name': 123}
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant, self.identity_api.create_project,
tenant['id'], tenant['id'],
tenant) tenant)
def test_update_tenant_blank_name_fails(self): def test_update_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['name'] = '' tenant['name'] = ''
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant, self.identity_api.update_project,
tenant['id'], tenant['id'],
tenant) tenant)
def test_update_tenant_long_name_fails(self): def test_update_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['name'] = 'a' * 65 tenant['name'] = 'a' * 65
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant, self.identity_api.update_project,
tenant['id'], tenant['id'],
tenant) tenant)
def test_update_tenant_invalid_name_fails(self): def test_update_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant['name'] = None tenant['name'] = None
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant, self.identity_api.update_project,
tenant['id'], tenant['id'],
tenant) tenant)
tenant['name'] = 123 tenant['name'] = 123
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.update_tenant, self.identity_api.update_project,
tenant['id'], tenant['id'],
tenant) tenant)
@ -805,19 +806,20 @@ class IdentityTests(object):
for test_role in default_fixtures.ROLES: for test_role in default_fixtures.ROLES:
self.assertTrue(x for x in roles if x['id'] == test_role['id']) self.assertTrue(x for x in roles if x['id'] == test_role['id'])
def test_get_tenants(self): def test_get_projects(self):
tenants = self.identity_api.get_tenants() tenants = self.identity_api.get_projects()
for test_tenant in default_fixtures.TENANTS: for test_project in default_fixtures.TENANTS:
self.assertTrue(x for x in tenants if x['id'] == test_tenant['id']) self.assertTrue(x for x in tenants
if x['id'] == test_project['id'])
def test_delete_tenant_with_role_assignments(self): def test_delete_project_with_role_assignments(self):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], tenant['id'], 'member') self.user_foo['id'], tenant['id'], 'member')
self.identity_api.delete_tenant(tenant['id']) self.identity_api.delete_project(tenant['id'])
self.assertRaises(exception.NotFound, self.assertRaises(exception.NotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
tenant['id']) tenant['id'])
def test_delete_role_check_role_grant(self): def test_delete_role_check_role_grant(self):
@ -825,21 +827,21 @@ class IdentityTests(object):
alt_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} alt_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role) self.identity_api.create_role(role['id'], role)
self.identity_api.create_role(alt_role['id'], alt_role) self.identity_api.create_role(alt_role['id'], alt_role)
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], role['id']) self.user_foo['id'], self.tenant_bar['id'], role['id'])
self.identity_api.add_role_to_user_and_tenant( self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], alt_role['id']) self.user_foo['id'], self.tenant_bar['id'], alt_role['id'])
self.identity_api.delete_role(role['id']) self.identity_api.delete_role(role['id'])
roles_ref = self.identity_api.get_roles_for_user_and_tenant( roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id']) self.user_foo['id'], self.tenant_bar['id'])
self.assertNotIn(role['id'], roles_ref) self.assertNotIn(role['id'], roles_ref)
self.assertIn(alt_role['id'], roles_ref) self.assertIn(alt_role['id'], roles_ref)
def test_create_tenant_doesnt_modify_passed_in_dict(self): def test_create_project_doesnt_modify_passed_in_dict(self):
new_tenant = {'id': 'tenant_id', 'name': 'new_tenant'} new_project = {'id': 'tenant_id', 'name': 'new_project'}
original_tenant = new_tenant.copy() original_project = new_project.copy()
self.identity_api.create_tenant('tenant_id', new_tenant) self.identity_api.create_project('tenant_id', new_project)
self.assertDictEqual(original_tenant, new_tenant) self.assertDictEqual(original_project, new_project)
def test_create_user_doesnt_modify_passed_in_dict(self): def test_create_user_doesnt_modify_passed_in_dict(self):
new_user = {'id': 'user_id', 'name': 'new_user', new_user = {'id': 'user_id', 'name': 'new_user',
@ -864,20 +866,20 @@ class IdentityTests(object):
user_ref = self.identity_api.get_user('fake1') user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], user['enabled']) self.assertEqual(user_ref['enabled'], user['enabled'])
def test_update_tenant_enable(self): def test_update_project_enable(self):
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True} tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1') tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], True) self.assertEqual(tenant_ref['enabled'], True)
tenant['enabled'] = False tenant['enabled'] = False
self.identity_api.update_tenant('fake1', tenant) self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1') tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], tenant['enabled']) self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
tenant['enabled'] = True tenant['enabled'] = True
self.identity_api.update_tenant('fake1', tenant) self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1') tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], tenant['enabled']) self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
def test_add_user_to_group(self): def test_add_user_to_group(self):


@ -116,26 +116,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api.delete_user, self.identity_api.delete_user,
self.user_foo['id']) self.user_foo['id'])
def test_configurable_allowed_tenant_actions(self): def test_configurable_allowed_project_actions(self):
self.config([test.etcdir('keystone.conf.sample'), self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'), test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')]) test.testsdir('backend_ldap.conf')])
self.identity_api = identity_ldap.Identity() self.identity_api = identity_ldap.Identity()
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True} tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_tenant('fake1', tenant) self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1') tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1') self.assertEqual(tenant_ref['id'], 'fake1')
tenant['enabled'] = 'False' tenant['enabled'] = 'False'
self.identity_api.update_tenant('fake1', tenant) self.identity_api.update_project('fake1', tenant)
self.identity_api.delete_tenant('fake1') self.identity_api.delete_project('fake1')
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
'fake1') 'fake1')
def test_configurable_forbidden_tenant_actions(self): def test_configurable_forbidden_project_actions(self):
self.config([test.etcdir('keystone.conf.sample'), self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'), test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')]) test.testsdir('backend_ldap.conf')])
@ -146,17 +146,17 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
tenant = {'id': 'fake1', 'name': 'fake1'} tenant = {'id': 'fake1', 'name': 'fake1'}
self.assertRaises(exception.ForbiddenAction, self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_tenant, self.identity_api.create_project,
'fake1', 'fake1',
tenant) tenant)
self.tenant_bar['enabled'] = 'False' self.tenant_bar['enabled'] = 'False'
self.assertRaises(exception.ForbiddenAction, self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_tenant, self.identity_api.update_project,
self.tenant_bar['id'], self.tenant_bar['id'],
self.tenant_bar) self.tenant_bar)
self.assertRaises(exception.ForbiddenAction, self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_tenant, self.identity_api.delete_project,
self.tenant_bar['id']) self.tenant_bar['id'])
def test_configurable_allowed_role_actions(self): def test_configurable_allowed_role_actions(self):
@ -217,17 +217,17 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api.get_user, self.identity_api.get_user,
self.user_foo['id']) self.user_foo['id'])
def test_tenant_filter(self): def test_project_filter(self):
self.config([test.etcdir('keystone.conf.sample'), self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'), test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')]) test.testsdir('backend_ldap.conf')])
tenant_ref = self.identity_api.get_tenant(self.tenant_bar['id']) tenant_ref = self.identity_api.get_project(self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar) self.assertDictEqual(tenant_ref, self.tenant_bar)
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)' CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
self.identity_api = identity_ldap.Identity() self.identity_api = identity_ldap.Identity()
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
self.tenant_bar['id']) self.tenant_bar['id'])
def test_role_filter(self): def test_role_filter(self):
@ -299,7 +299,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.assertNotIn('enabled', user_ref) self.assertNotIn('enabled', user_ref)
self.assertNotIn('tenants', user_ref) self.assertNotIn('tenants', user_ref)
def test_tenant_attribute_mapping(self): def test_project_attribute_mapping(self):
self.config([test.etcdir('keystone.conf.sample'), self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'), test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')]) test.testsdir('backend_ldap.conf')])
@ -309,7 +309,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
clear_database() clear_database()
self.identity_api = identity_ldap.Identity() self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures) self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['name']) self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
self.assertEqual( self.assertEqual(
@ -320,13 +320,13 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
CONF.ldap.tenant_name_attribute = 'desc' CONF.ldap.tenant_name_attribute = 'desc'
CONF.ldap.tenant_desc_attribute = 'ou' CONF.ldap.tenant_desc_attribute = 'ou'
self.identity_api = identity_ldap.Identity() self.identity_api = identity_ldap.Identity()
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['description']) self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
self.assertEqual(tenant_ref['description'], self.tenant_baz['name']) self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled']) self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
def test_tenant_attribute_ignore(self): def test_project_attribute_ignore(self):
self.config([test.etcdir('keystone.conf.sample'), self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'), test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')]) test.testsdir('backend_ldap.conf')])
@ -336,7 +336,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
clear_database() clear_database()
self.identity_api = identity_ldap.Identity() self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures) self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertNotIn('name', tenant_ref) self.assertNotIn('name', tenant_ref)
self.assertNotIn('description', tenant_ref) self.assertNotIn('description', tenant_ref)
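Review bot: In `test_configurable_allowed_project_actions` the update step is never verified: the test sets `tenant['enabled'] = 'False'`, a non-empty string rather than the boolean, calls `update_project`, and then deletes the project without reading it back. Since the enabled flag is what switches a project off, I would pass the boolean and assert the stored value before the delete, e.g. `tenant['enabled'] = False` followed by `self.assertEqual(self.identity_api.get_project('fake1')['enabled'], False)`. Whether the LDAP driver persists `enabled` at this revision is not visible here, so the assertion may need adjusting to what the backend actually returns. These lines are unchanged context carried through the rename, and `test_configurable_forbidden_project_actions` uses the same string on `self.tenant_bar`.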


@ -35,13 +35,13 @@ class PamIdentity(test.TestCase):
self.tenant_in = {'id': id, 'name': id} self.tenant_in = {'id': id, 'name': id}
self.user_in = {'id': CONF.pam.userid, 'name': CONF.pam.userid} self.user_in = {'id': CONF.pam.userid, 'name': CONF.pam.userid}
def test_get_tenant(self): def test_get_project(self):
tenant_out = self.identity_api.get_tenant(self.tenant_in['id']) tenant_out = self.identity_api.get_project(self.tenant_in['id'])
self.assertDictEqual(self.tenant_in, tenant_out) self.assertDictEqual(self.tenant_in, tenant_out)
def test_get_tenant_by_name(self): def test_get_project_by_name(self):
tenant_in_name = self.tenant_in['name'] tenant_in_name = self.tenant_in['name']
tenant_out = self.identity_api.get_tenant_by_name(tenant_in_name) tenant_out = self.identity_api.get_project_by_name(tenant_in_name)
self.assertDictEqual(self.tenant_in, tenant_out) self.assertDictEqual(self.tenant_in, tenant_out)
def test_get_user(self): def test_get_user(self):


@ -62,16 +62,16 @@ class SqlTests(test.TestCase):
class SqlIdentity(SqlTests, test_backend.IdentityTests): class SqlIdentity(SqlTests, test_backend.IdentityTests):
def test_delete_user_with_tenant_association(self): def test_delete_user_with_project_association(self):
user = {'id': uuid.uuid4().hex, user = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex} 'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user) self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'], self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id']) user['id'])
self.identity_api.delete_user(user['id']) self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_tenants_for_user, self.identity_api.get_projects_for_user,
user['id']) user['id'])
def test_create_null_user_name(self): def test_create_null_user_name(self):
@ -89,18 +89,18 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.get_user_by_name, self.identity_api.get_user_by_name,
user['name']) user['name'])
def test_create_null_tenant_name(self): def test_create_null_project_name(self):
tenant = {'id': uuid.uuid4().hex, tenant = {'id': uuid.uuid4().hex,
'name': None} 'name': None}
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_tenant, self.identity_api.create_project,
tenant['id'], tenant['id'],
tenant) tenant)
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant, self.identity_api.get_project,
tenant['id']) tenant['id'])
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_tenant_by_name, self.identity_api.get_project_by_name,
tenant['name']) tenant['name'])
def test_create_null_role_name(self): def test_create_null_role_name(self):
@ -114,15 +114,15 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.get_role, self.identity_api.get_role,
role['id']) role['id'])
def test_delete_tenant_with_user_association(self): def test_delete_project_with_user_association(self):
user = {'id': 'fake', user = {'id': 'fake',
'name': 'fakeuser', 'name': 'fakeuser',
'password': 'passwd'} 'password': 'passwd'}
self.identity_api.create_user('fake', user) self.identity_api.create_user('fake', user)
self.identity_api.add_user_to_tenant(self.tenant_bar['id'], self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id']) user['id'])
self.identity_api.delete_tenant(self.tenant_bar['id']) self.identity_api.delete_project(self.tenant_bar['id'])
tenants = self.identity_api.get_tenants_for_user(user['id']) tenants = self.identity_api.get_projects_for_user(user['id'])
self.assertEquals(tenants, []) self.assertEquals(tenants, [])
def test_delete_user_with_metadata(self): def test_delete_user_with_metadata(self):
@ -139,7 +139,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
user['id'], user['id'],
self.tenant_bar['id']) self.tenant_bar['id'])
def test_delete_tenant_with_metadata(self): def test_delete_project_with_metadata(self):
user = {'id': 'fake', user = {'id': 'fake',
'name': 'fakeuser', 'name': 'fakeuser',
'password': 'passwd'} 'password': 'passwd'}
@ -147,13 +147,13 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_metadata(user['id'], self.identity_api.create_metadata(user['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
{'extra': 'extra'}) {'extra': 'extra'})
self.identity_api.delete_tenant(self.tenant_bar['id']) self.identity_api.delete_project(self.tenant_bar['id'])
self.assertRaises(exception.MetadataNotFound, self.assertRaises(exception.MetadataNotFound,
self.identity_api.get_metadata, self.identity_api.get_metadata,
user['id'], user['id'],
self.tenant_bar['id']) self.tenant_bar['id'])
def test_update_tenant_returns_extra(self): def test_update_project_returns_extra(self):
"""This tests for backwards-compatibility with an essex/folsom bug. """This tests for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an 'extra' attribute, instead Non-indexed attributes were returned in an 'extra' attribute, instead
@ -170,12 +170,12 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'id': tenant_id, 'id': tenant_id,
'name': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
arbitrary_key: arbitrary_value} arbitrary_key: arbitrary_value}
ref = self.identity_api.create_tenant(tenant_id, tenant) ref = self.identity_api.create_project(tenant_id, tenant)
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('extra')) self.assertIsNone(ref.get('extra'))
tenant['name'] = uuid.uuid4().hex tenant['name'] = uuid.uuid4().hex
ref = self.identity_api.update_tenant(tenant_id, tenant) ref = self.identity_api.update_project(tenant_id, tenant)
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key]) self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key])
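Review bot: The renamed tests keep the old vocabulary in their locals, so `test_delete_project_with_user_association` now reads `delete_project(self.tenant_bar['id'])` followed by `tenants = self.identity_api.get_projects_for_user(user['id'])`. I would finish the rename inside the test bodies, for example `projects = self.identity_api.get_projects_for_user(user['id'])` and `self.assertEqual(projects, [])`, which also drops the deprecated `assertEquals` alias that the neighbouring tests already avoid. The same mix of `tenant` locals and `project` calls appears in the LDAP and PAM test sections of this commit. Fixture attributes such as `self.tenant_bar` are defined outside this view, so they would have to be renamed where they are loaded.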


@ -863,9 +863,9 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
for i in range(2): for i in range(2):
tenant_id = uuid.uuid4().hex tenant_id = uuid.uuid4().hex
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id} tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
self.identity_api.create_tenant(tenant_id, tenant) self.identity_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_tenant(tenant_id, self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id']) self.user_foo['id'])
tenants = client.tenants.list() tenants = client.tenants.list()
self.assertEqual(len(tenants), 3) self.assertEqual(len(tenants), 3)
@ -889,9 +889,9 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
for i in range(2): for i in range(2):
tenant_id = uuid.uuid4().hex tenant_id = uuid.uuid4().hex
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id} tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
self.identity_api.create_tenant(tenant_id, tenant) self.identity_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_tenant(tenant_id, self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id']) self.user_foo['id'])
tenants = client.tenants.list() tenants = client.tenants.list()
self.assertEqual(len(tenants), 3) self.assertEqual(len(tenants), 3)


@ -96,7 +96,7 @@ class MigrateNovaAuth(test.TestCase):
tenants = {} tenants = {}
for tenant in ['proj1', 'proj2', 'proj4']: for tenant in ['proj1', 'proj2', 'proj4']:
tenants[tenant] = self.identity_api.get_tenant_by_name(tenant) tenants[tenant] = self.identity_api.get_project_by_name(tenant)
membership_map = { membership_map = {
'user1': ['proj1'], 'user1': ['proj1'],
@ -105,10 +105,10 @@ class MigrateNovaAuth(test.TestCase):
'user4': ['proj4'], 'user4': ['proj4'],
} }
for (old_user, old_tenants) in membership_map.iteritems(): for (old_user, old_projects) in membership_map.iteritems():
user = users[old_user] user = users[old_user]
membership = self.identity_api.get_tenants_for_user(user['id']) membership = self.identity_api.get_projects_for_user(user['id'])
expected = [tenants[t]['id'] for t in old_tenants] expected = [tenants[t]['id'] for t in old_projects]
self.assertEqual(set(expected), set(membership)) self.assertEqual(set(expected), set(membership))
for tenant_id in membership: for tenant_id in membership:
password = None password = None
@ -119,7 +119,7 @@ class MigrateNovaAuth(test.TestCase):
for ec2_cred in FIXTURE['ec2_credentials']: for ec2_cred in FIXTURE['ec2_credentials']:
user_id = users[ec2_cred['user_id']]['id'] user_id = users[ec2_cred['user_id']]['id']
for tenant_id in self.identity_api.get_tenants_for_user(user_id): for tenant_id in self.identity_api.get_projects_for_user(user_id):
access = '%s:%s' % (tenant_id, ec2_cred['access_key']) access = '%s:%s' % (tenant_id, ec2_cred['access_key'])
cred = self.ec2_api.get_credential(access) cred = self.ec2_api.get_credential(access)
actual = cred['secret'] actual = cred['secret']
@ -137,14 +137,14 @@ class MigrateNovaAuth(test.TestCase):
'user4': {'proj4': ['role1']}, 'user4': {'proj4': ['role1']},
} }
for (old_user, old_tenant_map) in assignment_map.iteritems(): for (old_user, old_project_map) in assignment_map.iteritems():
tenant_names = ['proj1', 'proj2', 'proj4'] tenant_names = ['proj1', 'proj2', 'proj4']
for tenant_name in tenant_names: for tenant_name in tenant_names:
user = users[old_user] user = users[old_user]
tenant = tenants[tenant_name] tenant = tenants[tenant_name]
roles = self.identity_api.get_roles_for_user_and_tenant( roles = self.identity_api.get_roles_for_user_and_project(
user['id'], tenant['id']) user['id'], tenant['id'])
actual = [self.identity_api.get_role(role_id)['name'] actual = [self.identity_api.get_role(role_id)['name']
for role_id in roles] for role_id in roles]
expected = old_tenant_map.get(tenant_name, []) expected = old_project_map.get(tenant_name, [])
self.assertEqual(set(actual), set(expected)) self.assertEqual(set(actual), set(expected))