deprecate LDAP config options for 'tenants'
This deprecates all config options using the term 'tenant' in favor of new options using the term 'project'. Change-Id: I7eb6819de33f4d94a8bae75286bb02436152c64b Closes-Bug: 1283841
parent
db0519dfa0
commit
58fb797815
doc/source
etc
keystone
assignment/backends
common
tests
@ -1332,8 +1332,8 @@ The corresponding entries in the Keystone configuration file are::
|
||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||
user_objectclass = inetOrgPerson
|
||||
|
||||
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
tenant_objectclass = groupOfNames
|
||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
project_objectclass = groupOfNames
|
||||
|
||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||
role_objectclass = organizationalRole
|
||||
@ -1362,9 +1362,9 @@ is::
|
||||
user_allow_update = False
|
||||
user_allow_delete = False
|
||||
|
||||
tenant_allow_create = True
|
||||
tenant_allow_update = True
|
||||
tenant_allow_delete = True
|
||||
project_allow_create = True
|
||||
project_allow_update = True
|
||||
project_allow_delete = True
|
||||
|
||||
role_allow_create = True
|
||||
role_allow_update = True
|
||||
@ -1376,7 +1376,7 @@ will look like::
|
||||
|
||||
[ldap]
|
||||
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
|
||||
tenant_filter =
|
||||
project_filter =
|
||||
role_filter =
|
||||
|
||||
In case that the directory server does not have an attribute enabled of type
|
||||
@ -1404,36 +1404,36 @@ In case of Active Directory the classes and attributes could not match the
|
||||
specified classes in the LDAP module so you can configure them like::
|
||||
|
||||
[ldap]
|
||||
user_objectclass = person
|
||||
user_id_attribute = cn
|
||||
user_name_attribute = cn
|
||||
user_mail_attribute = mail
|
||||
user_enabled_attribute = userAccountControl
|
||||
user_enabled_mask = 2
|
||||
user_enabled_default = 512
|
||||
user_attribute_ignore = tenant_id,tenants
|
||||
tenant_objectclass = groupOfNames
|
||||
tenant_id_attribute = cn
|
||||
tenant_member_attribute = member
|
||||
tenant_name_attribute = ou
|
||||
tenant_desc_attribute = description
|
||||
tenant_enabled_attribute = extensionName
|
||||
tenant_attribute_ignore =
|
||||
role_objectclass = organizationalRole
|
||||
role_id_attribute = cn
|
||||
role_name_attribute = ou
|
||||
role_member_attribute = roleOccupant
|
||||
role_attribute_ignore =
|
||||
user_objectclass = person
|
||||
user_id_attribute = cn
|
||||
user_name_attribute = cn
|
||||
user_mail_attribute = mail
|
||||
user_enabled_attribute = userAccountControl
|
||||
user_enabled_mask = 2
|
||||
user_enabled_default = 512
|
||||
user_attribute_ignore = tenant_id,tenants
|
||||
project_objectclass = groupOfNames
|
||||
project_id_attribute = cn
|
||||
project_member_attribute = member
|
||||
project_name_attribute = ou
|
||||
project_desc_attribute = description
|
||||
project_enabled_attribute = extensionName
|
||||
project_attribute_ignore =
|
||||
role_objectclass = organizationalRole
|
||||
role_id_attribute = cn
|
||||
role_name_attribute = ou
|
||||
role_member_attribute = roleOccupant
|
||||
role_attribute_ignore =
|
||||
|
||||
|
||||
Enabled Emulation
|
||||
-----------------
|
||||
|
||||
Some directory servers do not provide any enabled attribute. For these
|
||||
servers, the ``user_enabled_emulation`` and ``tenant_enabled_emulation``
|
||||
servers, the ``user_enabled_emulation`` and ``project_enabled_emulation``
|
||||
attributes have been created. They are enabled by setting their respective
|
||||
flags to True. Then the attributes ``user_enabled_emulation_dn`` and
|
||||
``tenant_enabled_emulation_dn`` may be set to specify how the enabled users
|
||||
``project_enabled_emulation_dn`` may be set to specify how the enabled users
|
||||
and projects (tenants) are selected. These attributes work by using a
|
||||
``groupOfNames`` and adding whichever users or projects (tenants) that
|
||||
you want enabled to the respective group. For example, this will
|
||||
@ -1444,7 +1444,7 @@ mark any user who is a member of ``enabled_users`` as enabled::
|
||||
user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org
|
||||
|
||||
The default values for user and project (tenant) enabled emulation DN is
|
||||
``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$tenant_tree_dn``
|
||||
``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn``
|
||||
respectively.
|
||||
|
||||
Secure Connection
|
||||
|
@ -948,60 +948,60 @@
|
||||
#user_additional_attribute_mapping=
|
||||
|
||||
# Search base for projects (string value)
|
||||
#tenant_tree_dn=<None>
|
||||
#project_tree_dn=<None>
|
||||
|
||||
# LDAP search filter for projects. (string value)
|
||||
#tenant_filter=<None>
|
||||
#project_filter=<None>
|
||||
|
||||
# LDAP objectclass for projects. (string value)
|
||||
#tenant_objectclass=groupOfNames
|
||||
#project_objectclass=groupOfNames
|
||||
|
||||
# LDAP attribute mapped to project id. (string value)
|
||||
#tenant_id_attribute=cn
|
||||
#project_id_attribute=cn
|
||||
|
||||
# LDAP attribute mapped to project membership for user.
|
||||
# (string value)
|
||||
#tenant_member_attribute=member
|
||||
#project_member_attribute=member
|
||||
|
||||
# LDAP attribute mapped to project name. (string value)
|
||||
#tenant_name_attribute=ou
|
||||
#project_name_attribute=ou
|
||||
|
||||
# LDAP attribute mapped to project description. (string value)
|
||||
#tenant_desc_attribute=description
|
||||
#project_desc_attribute=description
|
||||
|
||||
# LDAP attribute mapped to project enabled. (string value)
|
||||
#tenant_enabled_attribute=enabled
|
||||
#project_enabled_attribute=enabled
|
||||
|
||||
# LDAP attribute mapped to project domain_id. (string value)
|
||||
#tenant_domain_id_attribute=businessCategory
|
||||
#project_domain_id_attribute=businessCategory
|
||||
|
||||
# List of attributes stripped off the project on update. (list
|
||||
# value)
|
||||
#tenant_attribute_ignore=
|
||||
#project_attribute_ignore=
|
||||
|
||||
# Allow project creation in LDAP backend. (boolean value)
|
||||
#tenant_allow_create=true
|
||||
#project_allow_create=true
|
||||
|
||||
# Allow project update in LDAP backend. (boolean value)
|
||||
#tenant_allow_update=true
|
||||
#project_allow_update=true
|
||||
|
||||
# Allow project deletion in LDAP backend. (boolean value)
|
||||
#tenant_allow_delete=true
|
||||
#project_allow_delete=true
|
||||
|
||||
# If true, Keystone uses an alternative method to determine if
|
||||
# a project is enabled or not by checking if they are a member
|
||||
# of the "tenant_enabled_emulation_dn" group. (boolean value)
|
||||
#tenant_enabled_emulation=false
|
||||
# of the "project_enabled_emulation_dn" group. (boolean value)
|
||||
#project_enabled_emulation=false
|
||||
|
||||
# DN of the group entry to hold enabled projects when using
|
||||
# enabled emulation. (string value)
|
||||
#tenant_enabled_emulation_dn=<None>
|
||||
#project_enabled_emulation_dn=<None>
|
||||
|
||||
# Additional attribute mappings for projects. Attribute
|
||||
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
|
||||
# is the attribute in the LDAP entry and user_attr is the
|
||||
# Identity API attribute. (list value)
|
||||
#tenant_additional_attribute_mapping=
|
||||
#project_additional_attribute_mapping=
|
||||
|
||||
# Search base for roles. (string value)
|
||||
#role_tree_dn=<None>
|
||||
|
@ -409,7 +409,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
|
||||
DEFAULT_MEMBER_ATTRIBUTE = 'member'
|
||||
NotFound = exception.ProjectNotFound
|
||||
notfound_arg = 'project_id' # NOTE(yorik-sar): while options_name = tenant
|
||||
options_name = 'tenant'
|
||||
options_name = 'project'
|
||||
attribute_options_names = {'name': 'name',
|
||||
'description': 'desc',
|
||||
'enabled': 'enabled',
|
||||
@ -419,7 +419,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
|
||||
|
||||
def __init__(self, conf):
|
||||
super(ProjectApi, self).__init__(conf)
|
||||
self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
|
||||
self.member_attribute = (getattr(conf.ldap, 'project_member_attribute')
|
||||
or self.DEFAULT_MEMBER_ATTRIBUTE)
|
||||
|
||||
def create(self, values):
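Review bot: The comment on `notfound_arg` in the first hunk, `# NOTE(yorik-sar): while options_name = tenant`, is now wrong: the line directly beneath it sets `options_name = 'project'`. Drop the qualifier or reword it, e.g. `notfound_arg = 'project_id'  # NOTE: kwarg name for ProjectNotFound; options_name is now 'project' too`, so the next reader is not sent looking for a tenant/project mismatch that no longer exists. If `BaseLdap` derives `notfound_arg` from `options_name` when it is not overridden (not visible here), the override may be removable altogether and is worth checking. The `ProjectApi` class body continues outside both hunks.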
|
||||
|
@ -527,44 +527,76 @@ FILE_OPTIONS = {
|
||||
'ldap_attr is the attribute in the LDAP entry and '
|
||||
'user_attr is the Identity API attribute.'),
|
||||
|
||||
cfg.StrOpt('tenant_tree_dn', default=None,
|
||||
cfg.StrOpt('project_tree_dn', default=None,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_tree_dn', group='ldap')],
|
||||
help='Search base for projects'),
|
||||
cfg.StrOpt('tenant_filter', default=None,
|
||||
cfg.StrOpt('project_filter', default=None,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_filter', group='ldap')],
|
||||
help='LDAP search filter for projects.'),
|
||||
cfg.StrOpt('tenant_objectclass', default='groupOfNames',
|
||||
cfg.StrOpt('project_objectclass', default='groupOfNames',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_objectclass', group='ldap')],
|
||||
help='LDAP objectclass for projects.'),
|
||||
cfg.StrOpt('tenant_id_attribute', default='cn',
|
||||
cfg.StrOpt('project_id_attribute', default='cn',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_id_attribute', group='ldap')],
|
||||
help='LDAP attribute mapped to project id.'),
|
||||
cfg.StrOpt('tenant_member_attribute', default='member',
|
||||
cfg.StrOpt('project_member_attribute', default='member',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_member_attribute', group='ldap')],
|
||||
help='LDAP attribute mapped to project membership for '
|
||||
'user.'),
|
||||
cfg.StrOpt('tenant_name_attribute', default='ou',
|
||||
cfg.StrOpt('project_name_attribute', default='ou',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_name_attribute', group='ldap')],
|
||||
help='LDAP attribute mapped to project name.'),
|
||||
cfg.StrOpt('tenant_desc_attribute', default='description',
|
||||
cfg.StrOpt('project_desc_attribute', default='description',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_desc_attribute', group='ldap')],
|
||||
help='LDAP attribute mapped to project description.'),
|
||||
cfg.StrOpt('tenant_enabled_attribute', default='enabled',
|
||||
cfg.StrOpt('project_enabled_attribute', default='enabled',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_enabled_attribute', group='ldap')],
|
||||
help='LDAP attribute mapped to project enabled.'),
|
||||
cfg.StrOpt('tenant_domain_id_attribute',
|
||||
cfg.StrOpt('project_domain_id_attribute',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_domain_id_attribute', group='ldap')],
|
||||
default='businessCategory',
|
||||
help='LDAP attribute mapped to project domain_id.'),
|
||||
cfg.ListOpt('tenant_attribute_ignore', default=[],
|
||||
cfg.ListOpt('project_attribute_ignore', default=[],
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_attribute_ignore', group='ldap')],
|
||||
help='List of attributes stripped off the project on '
|
||||
'update.'),
|
||||
cfg.BoolOpt('tenant_allow_create', default=True,
|
||||
cfg.BoolOpt('project_allow_create', default=True,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_allow_create', group='ldap')],
|
||||
help='Allow project creation in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_allow_update', default=True,
|
||||
cfg.BoolOpt('project_allow_update', default=True,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_allow_update', group='ldap')],
|
||||
help='Allow project update in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_allow_delete', default=True,
|
||||
cfg.BoolOpt('project_allow_delete', default=True,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_allow_delete', group='ldap')],
|
||||
help='Allow project deletion in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_enabled_emulation', default=False,
|
||||
cfg.BoolOpt('project_enabled_emulation', default=False,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_enabled_emulation', group='ldap')],
|
||||
help='If true, Keystone uses an alternative method to '
|
||||
'determine if a project is enabled or not by '
|
||||
'checking if they are a member of the '
|
||||
'"tenant_enabled_emulation_dn" group.'),
|
||||
cfg.StrOpt('tenant_enabled_emulation_dn', default=None,
|
||||
'"project_enabled_emulation_dn" group.'),
|
||||
cfg.StrOpt('project_enabled_emulation_dn', default=None,
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_enabled_emulation_dn', group='ldap')],
|
||||
help='DN of the group entry to hold enabled projects when '
|
||||
'using enabled emulation.'),
|
||||
cfg.ListOpt('tenant_additional_attribute_mapping',
|
||||
cfg.ListOpt('project_additional_attribute_mapping',
|
||||
deprecated_opts=[cfg.DeprecatedOpt(
|
||||
'tenant_additional_attribute_mapping', group='ldap')],
|
||||
default=[],
|
||||
help='Additional attribute mappings for projects. '
|
||||
'Attribute mapping format is '
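Review bot: The `tenant_*` aliases registered through `cfg.DeprecatedOpt` throughout this hunk are never exercised by this change: every test switches to the `project_*` names, so a dropped alias or a typo in one of the `DeprecatedOpt` name strings would go unnoticed. Because `config_fixture.config()` takes registered option names as keywords and presumably does not go through deprecated-name resolution, the compatibility path is best pinned by loading a config file that still carries an old key, e.g. `[ldap]` with `tenant_filter = (CN=OLD)`, and asserting `CONF.ldap.project_filter == '(CN=OLD)'`. Separately, the help for `project_enabled_emulation_dn` gives no default while the documentation hunk in this same commit states the effective default is `cn=enabled_tenants,$project_tree_dn`; saying so in the help, e.g. `help='DN of the group entry to hold enabled projects when using enabled emulation. Defaults to cn=enabled_tenants,$project_tree_dn.'`, tells operators that only the option name changed, not the group CN in their directory. Minor style point: `project_domain_id_attribute` and `project_additional_attribute_mapping` place `deprecated_opts` before `default=`, the other entries after it. The `FILE_OPTIONS` dict this hunk sits in opens and closes outside the hunk.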
|
||||
|
@ -5,9 +5,9 @@ password = test
|
||||
suffix = dc=openstack,dc=org
|
||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||
tenant_enabled_emulation = True
|
||||
project_enabled_emulation = True
|
||||
user_enabled_emulation = True
|
||||
user_mail_attribute = mail
|
||||
use_dumb_member = True
|
||||
|
@ -5,9 +5,9 @@ password = test
|
||||
suffix = dc=openstack,dc=org
|
||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||
tenant_enabled_emulation = True
|
||||
project_enabled_emulation = True
|
||||
user_enabled_emulation = True
|
||||
user_mail_attribute = mail
|
||||
use_dumb_member = True
|
||||
|
@ -800,8 +800,8 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
||||
|
||||
def test_configurable_forbidden_project_actions(self):
|
||||
self.config_fixture.config(
|
||||
group='ldap', tenant_allow_create=False, tenant_allow_update=False,
|
||||
tenant_allow_delete=False)
|
||||
group='ldap', project_allow_create=False,
|
||||
project_allow_update=False, project_allow_delete=False)
|
||||
self.load_backends()
|
||||
|
||||
tenant = {'id': u'fäké1', 'name': u'fäké1'}
|
||||
@ -860,9 +860,9 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
||||
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
||||
|
||||
self.config_fixture.config(group='ldap',
|
||||
tenant_filter='(CN=DOES_NOT_MATCH)')
|
||||
project_filter='(CN=DOES_NOT_MATCH)')
|
||||
self.load_backends()
|
||||
# NOTE(morganfainberg): CONF.ldap.tenant_filter will not be
|
||||
# NOTE(morganfainberg): CONF.ldap.project_filter will not be
|
||||
# dynamically changed at runtime. This invalidate is a work-around for
|
||||
# the expectation that it is safe to change config values in tests that
|
||||
# could affect what the drivers would return up to the manager. This
|
||||
@ -908,15 +908,15 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
||||
|
||||
def test_project_attribute_mapping(self):
|
||||
self.config_fixture.config(
|
||||
group='ldap', tenant_name_attribute='ou',
|
||||
tenant_desc_attribute='description',
|
||||
tenant_enabled_attribute='enabled')
|
||||
group='ldap', project_name_attribute='ou',
|
||||
project_desc_attribute='description',
|
||||
project_enabled_attribute='enabled')
|
||||
self.clear_database()
|
||||
self.load_backends()
|
||||
self.load_fixtures(default_fixtures)
|
||||
# NOTE(morganfainberg): CONF.ldap.tenant_name_attribute,
|
||||
# CONF.ldap.tenant_desc_attribute, and
|
||||
# CONF.ldap.tenant_enabled_attribute will not be
|
||||
# NOTE(morganfainberg): CONF.ldap.project_name_attribute,
|
||||
# CONF.ldap.project_desc_attribute, and
|
||||
# CONF.ldap.project_enabled_attribute will not be
|
||||
# dynamically changed at runtime. This invalidate is a work-around for
|
||||
# the expectation that it is safe to change config values in tests that
|
||||
# could affect what the drivers would return up to the manager. This
|
||||
@ -933,12 +933,12 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
||||
self.assertEqual(self.tenant_baz['enabled'], tenant_ref['enabled'])
|
||||
|
||||
self.config_fixture.config(group='ldap',
|
||||
tenant_name_attribute='description',
|
||||
tenant_desc_attribute='ou')
|
||||
project_name_attribute='description',
|
||||
project_desc_attribute='ou')
|
||||
self.load_backends()
|
||||
# NOTE(morganfainberg): CONF.ldap.tenant_name_attribute,
|
||||
# CONF.ldap.tenant_desc_attribute, and
|
||||
# CONF.ldap.tenant_enabled_attribute will not be
|
||||
# NOTE(morganfainberg): CONF.ldap.project_name_attribute,
|
||||
# CONF.ldap.project_desc_attribute, and
|
||||
# CONF.ldap.project_enabled_attribute will not be
|
||||
# dynamically changed at runtime. This invalidate is a work-around for
|
||||
# the expectation that it is safe to change config values in tests that
|
||||
# could affect what the drivers would return up to the manager. This
|
||||
@ -955,11 +955,11 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase):
|
||||
def test_project_attribute_ignore(self):
|
||||
self.config_fixture.config(
|
||||
group='ldap',
|
||||
tenant_attribute_ignore=['name', 'description', 'enabled'])
|
||||
project_attribute_ignore=['name', 'description', 'enabled'])
|
||||
self.clear_database()
|
||||
self.load_backends()
|
||||
self.load_fixtures(default_fixtures)
|
||||
# NOTE(morganfainberg): CONF.ldap.tenant_attribute_ignore will not be
|
||||
# NOTE(morganfainberg): CONF.ldap.project_attribute_ignore will not be
|
||||
# dynamically changed at runtime. This invalidate is a work-around for
|
||||
# the expectation that it is safe to change configs values in tests
|
||||
# that could affect what the drivers would return up to the manager.
|
||||
@ -1551,7 +1551,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
|
||||
super(LDAPIdentityEnabledEmulation, self).config_overrides()
|
||||
self.config_fixture.config(group='ldap',
|
||||
user_enabled_emulation=True,
|
||||
tenant_enabled_emulation=True)
|
||||
project_enabled_emulation=True)
|
||||
|
||||
def test_project_crud(self):
|
||||
# NOTE(topol): LDAPIdentityEnabledEmulation will create an
|
||||
|
@ -68,7 +68,7 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
|
||||
create_object(CONF.ldap.role_tree_dn,
|
||||
{'objectclass': 'organizationalUnit',
|
||||
'ou': 'Roles'})
|
||||
create_object(CONF.ldap.tenant_tree_dn,
|
||||
create_object(CONF.ldap.project_tree_dn,
|
||||
{'objectclass': 'organizationalUnit',
|
||||
'ou': 'Projects'})
|
||||
create_object(CONF.ldap.group_tree_dn,
|
||||
|