Enable os_inherit of Keystone v3 API
The os_inherit extension was implemented two years ago, and the API doc[1] also covers it. However, the os_inherit extension is disabled by default, so it would be good to enable it for production, development and testing. This patch comes from the discussion[2]. NOTE: This patch removes the test class that tests os_inherit when enabled, because os_inherit is now enabled by default. [1]: http://developer.openstack.org/api-ref-identity-v3-ext.html#identity_v3_OS-INHERIT-ext [2]: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081822.html Closes-Bug: 1526660 Change-Id: Ifac71f7415f21c402f6e00c5264e972b0e80388c
parent
4c3071d5f6
commit
5ae155a3de
@ -222,10 +222,13 @@ FILE_OPTIONS = {
|
||||
help='Entrypoint for the trust backend driver in the '
|
||||
'keystone.trust namespace.')],
|
||||
'os_inherit': [
|
||||
cfg.BoolOpt('enabled', default=False,
|
||||
cfg.BoolOpt('enabled', default=True,
|
||||
deprecated_for_removal=True,
|
||||
help='role-assignment inheritance to projects from '
|
||||
'owning domain or from projects higher in the '
|
||||
'hierarchy can be optionally enabled.'),
|
||||
'hierarchy can be optionally disabled. In the '
|
||||
'future, this option will be removed and the '
|
||||
'hierarchy will be always enabled.'),
|
||||
],
|
||||
'fernet_tokens': [
|
||||
cfg.StrOpt('key_repository',
|
||||
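Review bot: The new help text on `enabled` ends with "the hierarchy will be always enabled", which misnames what the option controls; it governs role-assignment inheritance, so the last fragment would read better as `'inheritance will always be enabled.'`. Because this hunk flips the default from False to True, deployments that never set the option pick up the OS-INHERIT API on upgrade and, presumably, start honouring any inherited role assignments already stored, which widens effective authorization without an operator decision. A comment above the option such as `# Default flipped to True: inherited role assignments are evaluated unless explicitly disabled.` would make that visible to the next reader. The FILE_OPTIONS dict starts and ends outside the hunk.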
|
@ -125,6 +125,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
||||
|
||||
self.load_backends()
|
||||
self.load_fixtures(default_fixtures)
|
||||
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||
|
||||
def _get_domain_fixture(self):
|
||||
"""Domains in LDAP are read-only, so just return the static one."""
|
||||
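Review bot: The added `self.config_fixture.config(group='os_inherit', enabled=False)` carries no comment explaining why the LDAP tests opt out of the new default, and it runs after `load_backends()` and `load_fixtures()`; whether that ordering matters is not visible here. I would put `# os_inherit now defaults to True; these LDAP tests still assume inheritance is off.` above it, if that is indeed the reason. As written, the LDAP backend is never exercised with inherited role assignments enabled, which is the configuration most deployments will run after this change. The enclosing method starts outside the hunk.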
|
@ -131,6 +131,10 @@ _build_ep_filter_rel = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-EP-FILTER', extension_version='1.0')
|
||||
|
||||
_build_os_inherit_rel = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-INHERIT', extension_version='1.0')
|
||||
|
||||
TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
|
||||
'OS-TRUST', '1.0', 'trust_id')
|
||||
|
||||
@ -174,7 +178,7 @@ FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{idp_id}'
|
||||
FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/'
|
||||
'{idp_id}/protocols/{protocol_id}/websso')
|
||||
|
||||
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
||||
V3_JSON_HOME_RESOURCES = {
|
||||
json_home.build_v3_resource_relation('auth_tokens'): {
|
||||
'href': '/auth/tokens'},
|
||||
json_home.build_v3_resource_relation('auth_catalog'): {
|
||||
@ -507,6 +511,58 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
||||
'href-template': BASE_EP_FILTER + '/projects',
|
||||
'href-vars': {'endpoint_group_id':
|
||||
ENDPOINT_GROUP_ID_PARAMETER_RELATION, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='domain_user_role_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='domain_group_role_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='domain_user_roles_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||
'{user_id}/roles/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'user_id': json_home.Parameters.USER_ID, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='domain_group_roles_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||
'{group_id}/roles/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='project_user_role_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
|
||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID, }},
|
||||
_build_os_inherit_rel(
|
||||
resource_name='project_group_role_inherited_to_projects'):
|
||||
{
|
||||
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
|
||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID, }},
|
||||
json_home.build_v3_resource_relation('domain_config'): {
|
||||
'href-template':
|
||||
'/domains/{domain_id}/config',
|
||||
@ -531,96 +587,6 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
||||
}
|
||||
|
||||
|
||||
# with os-inherit enabled, there's some more resources.
|
||||
|
||||
build_os_inherit_relation = functools.partial(
|
||||
json_home.build_v3_extension_resource_relation,
|
||||
extension_name='OS-INHERIT', extension_version='1.0')
|
||||
|
||||
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED = dict(
|
||||
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED)
|
||||
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED.update(
|
||||
(
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='domain_user_role_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='domain_group_role_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='domain_user_roles_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||
'{user_id}/roles/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='domain_group_roles_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||
'{group_id}/roles/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='project_user_role_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
|
||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
'user_id': json_home.Parameters.USER_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
(
|
||||
build_os_inherit_relation(
|
||||
resource_name='project_group_role_inherited_to_projects'),
|
||||
{
|
||||
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
|
||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||
'href-vars': {
|
||||
'project_id': json_home.Parameters.PROJECT_ID,
|
||||
'group_id': json_home.Parameters.GROUP_ID,
|
||||
'role_id': json_home.Parameters.ROLE_ID,
|
||||
},
|
||||
}
|
||||
),
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
class TestClient(object):
|
||||
def __init__(self, app=None, token=None):
|
||||
self.app = app
|
||||
@ -895,7 +861,7 @@ class VersionTestCase(unit.TestCase):
|
||||
# then the server responds with a JSON Home document.
|
||||
|
||||
exp_json_home_data = {
|
||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED}
|
||||
'resources': V3_JSON_HOME_RESOURCES}
|
||||
|
||||
self._test_json_home('/v3', exp_json_home_data)
|
||||
|
||||
@ -904,7 +870,7 @@ class VersionTestCase(unit.TestCase):
|
||||
# then the server responds with a JSON Home document.
|
||||
|
||||
exp_json_home_data = copy.deepcopy({
|
||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED})
|
||||
'resources': V3_JSON_HOME_RESOURCES})
|
||||
json_home.translate_urls(exp_json_home_data, '/v3')
|
||||
|
||||
self._test_json_home('/', exp_json_home_data)
|
||||
@ -1020,45 +986,6 @@ class VersionSingleAppTestCase(unit.TestCase):
|
||||
self._test_version('admin')
|
||||
|
||||
|
||||
class VersionInheritEnabledTestCase(unit.TestCase):
|
||||
def setUp(self):
|
||||
super(VersionInheritEnabledTestCase, self).setUp()
|
||||
self.load_backends()
|
||||
self.public_app = self.loadapp('keystone', 'main')
|
||||
self.admin_app = self.loadapp('keystone', 'admin')
|
||||
|
||||
self.config_fixture.config(
|
||||
public_endpoint='http://localhost:%(public_port)d',
|
||||
admin_endpoint='http://localhost:%(admin_port)d')
|
||||
|
||||
def config_overrides(self):
|
||||
super(VersionInheritEnabledTestCase, self).config_overrides()
|
||||
admin_port = random.randint(10000, 30000)
|
||||
public_port = random.randint(40000, 60000)
|
||||
self.config_fixture.config(group='eventlet_server',
|
||||
public_port=public_port,
|
||||
admin_port=admin_port)
|
||||
|
||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
|
||||
def test_json_home_v3(self):
|
||||
# If the request is /v3 and the Accept header is application/json-home
|
||||
# then the server responds with a JSON Home document.
|
||||
|
||||
client = TestClient(self.public_app)
|
||||
resp = client.get('/v3/', headers={'Accept': 'application/json-home'})
|
||||
|
||||
self.assertThat(resp.status, tt_matchers.Equals('200 OK'))
|
||||
self.assertThat(resp.headers['Content-Type'],
|
||||
tt_matchers.Equals('application/json-home'))
|
||||
|
||||
exp_json_home_data = {
|
||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_ENABLED}
|
||||
|
||||
self.assertThat(jsonutils.loads(resp.body),
|
||||
tt_matchers.Equals(exp_json_home_data))
|
||||
|
||||
|
||||
class VersionBehindSslTestCase(unit.TestCase):
|
||||
def setUp(self):
|
||||
super(VersionBehindSslTestCase, self).setUp()
|
||||
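Review bot: With VersionInheritEnabledTestCase removed and the OS-INHERIT relations folded into `V3_JSON_HOME_RESOURCES`, nothing in this file checks JSON Home with `os_inherit` set to False, although the option remains settable and the release note tells operators they may keep it disabled. An operator who disables it to keep that part of the API closed relies on the routes actually being absent, so the disabled path deserves a test until the option is removed. The sketch below is modelled on the removed class and assumes the OS-INHERIT relations are omitted from the document when the option is off, as the old `V3_JSON_HOME_RESOURCES_INHERIT_DISABLED` expectation implied.

```python
class VersionInheritDisabledTestCase(unit.TestCase):
    def setUp(self):
        super(VersionInheritDisabledTestCase, self).setUp()
        self.load_backends()
        self.public_app = self.loadapp('keystone', 'main')

    def config_overrides(self):
        super(VersionInheritDisabledTestCase, self).config_overrides()
        self.config_fixture.config(group='os_inherit', enabled=False)

    def test_json_home_v3_omits_os_inherit(self):
        client = TestClient(self.public_app)
        resp = client.get('/v3/', headers={'Accept': 'application/json-home'})
        resources = jsonutils.loads(resp.body)['resources']
        inherit_rel = _build_os_inherit_rel(
            resource_name='domain_user_role_inherited_to_projects')
        self.assertNotIn(inherit_rel, resources)
```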
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
upgrade:
|
||||
- >
|
||||
The default setting for the os_inherit configuration option is
|
||||
changed to True. If it is required to continue with this portion
|
||||
of the API disabled, then override the default setting by explicitly
|
||||
specifying the os_inherit option as False. Now this option is marked
|
||||
as deprecated. In the future, this option will be removed and this
|
||||
portion of the API will be always enabled.
|