From 5ae155a3dea38612f7f57228424f306ec9bded3c Mon Sep 17 00:00:00 2001 From: Ken'ichi Ohmichi Date: Mon, 14 Dec 2015 22:14:40 +0000 Subject: [PATCH] Enable os_inherit of Keystone v3 API os_inherit extension has been implemented since 2 years ago, and the API doc[1] also contains it. However os_inherit extension is disabled on the default. So it is nice to enable the extension for productions, development and testing. This patch comes from the discussion[2]. NOTE: This patch removes a test class which tests the enabled os_inherit because os_inherit becomes enabled on the default. [1]: http://developer.openstack.org/api-ref-identity-v3-ext.html#identity_v3_OS-INHERIT-ext [2]: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081822.html Closes-Bug: 1526660 Change-Id: Ifac71f7415f21c402f6e00c5264e972b0e80388c --- keystone/common/config.py | 7 +- keystone/tests/unit/test_backend_ldap.py | 1 + keystone/tests/unit/test_versions.py | 191 ++++++------------ ...e-inherit-on-default-54ac435230261a6a.yaml | 9 + 4 files changed, 74 insertions(+), 134 deletions(-) create mode 100644 releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml diff --git a/keystone/common/config.py b/keystone/common/config.py index d0d8ec172e..8e6ee94539 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py @@ -222,10 +222,13 @@ FILE_OPTIONS = { help='Entrypoint for the trust backend driver in the ' 'keystone.trust namespace.')], 'os_inherit': [ - cfg.BoolOpt('enabled', default=False, + cfg.BoolOpt('enabled', default=True, + deprecated_for_removal=True, help='role-assignment inheritance to projects from ' 'owning domain or from projects higher in the ' - 'hierarchy can be optionally enabled.'), + 'hierarchy can be optionally disabled. In the ' + 'future, this option will be removed and the ' + 'hierarchy will be always enabled.'), ], 'fernet_tokens': [ cfg.StrOpt('key_repository', 
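Review bot: The default flip at `cfg.BoolOpt('enabled', default=True,` changes effective authorization on upgrade, and neither the new help text nor the release note says so: if inherited (`inherited_to_projects`) assignments were ignored while the option was off, as the old default and the removed "inherit enabled" test suggest, any such assignments already stored in an assignment backend become effective the moment a deployment upgrades, granting roles on every project under the domain or parent project — the assignment code is not visible here, so confirm that reading. Operators should be told to audit existing inherited assignments before upgrading, and the help string should state the consequence instead of only saying the feature `can be optionally disabled`, e.g. `help='Role-assignment inheritance to projects from the owning domain or from projects higher in the hierarchy. Enabled by default; disabling it hides the OS-INHERIT API and stops inherited assignments from taking effect (it does not delete them). This option is deprecated and will be removed, after which inheritance is always enabled.'`. If the oslo.config version in use supports it, a `deprecated_reason=` next to `deprecated_for_removal=True` would carry that rationale into generated sample configs. The enclosing `FILE_OPTIONS` dict starts and ends outside the hunk.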
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py index 0f00000d12..d68af8f4cf 100644 --- a/keystone/tests/unit/test_backend_ldap.py +++ b/keystone/tests/unit/test_backend_ldap.py @@ -125,6 +125,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests): self.load_backends() self.load_fixtures(default_fixtures) + self.config_fixture.config(group='os_inherit', enabled=False) def _get_domain_fixture(self): """Domains in LDAP are read-only, so just return the static one.""" diff --git a/keystone/tests/unit/test_versions.py b/keystone/tests/unit/test_versions.py index 364caf814a..340b0139ef 100644 --- a/keystone/tests/unit/test_versions.py +++ b/keystone/tests/unit/test_versions.py @@ -131,6 +131,10 @@ _build_ep_filter_rel = functools.partial( json_home.build_v3_extension_resource_relation, extension_name='OS-EP-FILTER', extension_version='1.0') +_build_os_inherit_rel = functools.partial( + json_home.build_v3_extension_resource_relation, + extension_name='OS-INHERIT', extension_version='1.0') + TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation( 'OS-TRUST', '1.0', 'trust_id') @@ -174,7 +178,7 @@ FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{idp_id}' FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/' '{idp_id}/protocols/{protocol_id}/websso') -V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = { +V3_JSON_HOME_RESOURCES = { json_home.build_v3_resource_relation('auth_tokens'): { 'href': '/auth/tokens'}, json_home.build_v3_resource_relation('auth_catalog'): { 
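Review bot: The added `self.config_fixture.config(group='os_inherit', enabled=False)` in `BaseLDAPIdentity.setUp` carries no explanation, so a reader cannot tell whether the LDAP-backed tests turn inheritance off because an LDAP assignment backend does not support inherited assignments or merely because their expectations were not updated; that distinction matters now that the default advertises the OS-INHERIT API to every deployment. A one-line comment above it would settle this, e.g. `# NOTE: os_inherit is now enabled by default; the LDAP tests keep it off because <reason>`. The override is also applied after `self.load_backends()`, so if any backend reads the option at load time it would see the old default — worth confirming, or moving the call before `load_backends()`. The beginning of `setUp` lies outside the hunk.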
@@ -507,6 +511,58 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = { 'href-template': BASE_EP_FILTER + '/projects', 'href-vars': {'endpoint_group_id': ENDPOINT_GROUP_ID_PARAMETER_RELATION, }}, + _build_os_inherit_rel( + resource_name='domain_user_role_inherited_to_projects'): + { + 'href-template': '/OS-INHERIT/domains/{domain_id}/users/' + '{user_id}/roles/{role_id}/inherited_to_projects', + 'href-vars': { + 'domain_id': json_home.Parameters.DOMAIN_ID, + 'role_id': json_home.Parameters.ROLE_ID, + 'user_id': json_home.Parameters.USER_ID, }}, + _build_os_inherit_rel( + resource_name='domain_group_role_inherited_to_projects'): + { + 'href-template': '/OS-INHERIT/domains/{domain_id}/groups/' + '{group_id}/roles/{role_id}/inherited_to_projects', + 'href-vars': { + 'domain_id': json_home.Parameters.DOMAIN_ID, + 'group_id': json_home.Parameters.GROUP_ID, + 'role_id': json_home.Parameters.ROLE_ID, }}, + _build_os_inherit_rel( + resource_name='domain_user_roles_inherited_to_projects'): + { + 'href-template': '/OS-INHERIT/domains/{domain_id}/users/' + '{user_id}/roles/inherited_to_projects', + 'href-vars': { + 'domain_id': json_home.Parameters.DOMAIN_ID, + 'user_id': json_home.Parameters.USER_ID, }}, + _build_os_inherit_rel( + resource_name='domain_group_roles_inherited_to_projects'): + { + 'href-template': '/OS-INHERIT/domains/{domain_id}/groups/' + '{group_id}/roles/inherited_to_projects', + 'href-vars': { + 'domain_id': json_home.Parameters.DOMAIN_ID, + 'group_id': json_home.Parameters.GROUP_ID, }}, + _build_os_inherit_rel( + resource_name='project_user_role_inherited_to_projects'): + { + 'href-template': '/OS-INHERIT/projects/{project_id}/users/' + '{user_id}/roles/{role_id}/inherited_to_projects', + 'href-vars': { + 'project_id': json_home.Parameters.PROJECT_ID, + 'role_id': json_home.Parameters.ROLE_ID, + 'user_id': json_home.Parameters.USER_ID, }}, + _build_os_inherit_rel( + resource_name='project_group_role_inherited_to_projects'): + { + 'href-template': 
'/OS-INHERIT/projects/{project_id}/groups/' + '{group_id}/roles/{role_id}/inherited_to_projects', + 'href-vars': { + 'project_id': json_home.Parameters.PROJECT_ID, + 'group_id': json_home.Parameters.GROUP_ID, + 'role_id': json_home.Parameters.ROLE_ID, }}, json_home.build_v3_resource_relation('domain_config'): { 'href-template': '/domains/{domain_id}/config', 
@@ -531,96 +587,6 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = { } -# with os-inherit enabled, there's some more resources. - -build_os_inherit_relation = functools.partial( - json_home.build_v3_extension_resource_relation, - extension_name='OS-INHERIT', extension_version='1.0') - -V3_JSON_HOME_RESOURCES_INHERIT_ENABLED = dict( - V3_JSON_HOME_RESOURCES_INHERIT_DISABLED) -V3_JSON_HOME_RESOURCES_INHERIT_ENABLED.update( - ( - ( - build_os_inherit_relation( - resource_name='domain_user_role_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/domains/{domain_id}/users/' - '{user_id}/roles/{role_id}/inherited_to_projects', - 'href-vars': { - 'domain_id': json_home.Parameters.DOMAIN_ID, - 'role_id': json_home.Parameters.ROLE_ID, - 'user_id': json_home.Parameters.USER_ID, - }, - } - ), - ( - build_os_inherit_relation( - resource_name='domain_group_role_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/domains/{domain_id}/groups/' - '{group_id}/roles/{role_id}/inherited_to_projects', - 'href-vars': { - 'domain_id': json_home.Parameters.DOMAIN_ID, - 'group_id': json_home.Parameters.GROUP_ID, - 'role_id': json_home.Parameters.ROLE_ID, - }, - } - ), - ( - build_os_inherit_relation( - resource_name='domain_user_roles_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/domains/{domain_id}/users/' - '{user_id}/roles/inherited_to_projects', - 'href-vars': { - 'domain_id': json_home.Parameters.DOMAIN_ID, - 'user_id': json_home.Parameters.USER_ID, - }, - } - ), - ( - build_os_inherit_relation( - resource_name='domain_group_roles_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/domains/{domain_id}/groups/' - '{group_id}/roles/inherited_to_projects', - 'href-vars': { - 'domain_id': json_home.Parameters.DOMAIN_ID, - 'group_id': json_home.Parameters.GROUP_ID, - }, - } - ), - ( - build_os_inherit_relation( - resource_name='project_user_role_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/projects/{project_id}/users/' - 
'{user_id}/roles/{role_id}/inherited_to_projects', - 'href-vars': { - 'project_id': json_home.Parameters.PROJECT_ID, - 'role_id': json_home.Parameters.ROLE_ID, - 'user_id': json_home.Parameters.USER_ID, - }, - } - ), - ( - build_os_inherit_relation( - resource_name='project_group_role_inherited_to_projects'), - { - 'href-template': '/OS-INHERIT/projects/{project_id}/groups/' - '{group_id}/roles/{role_id}/inherited_to_projects', - 'href-vars': { - 'project_id': json_home.Parameters.PROJECT_ID, - 'group_id': json_home.Parameters.GROUP_ID, - 'role_id': json_home.Parameters.ROLE_ID, - }, - } - ), - ) -) - - class TestClient(object): def __init__(self, app=None, token=None): self.app = app @@ -895,7 +861,7 @@ class VersionTestCase(unit.TestCase): # then the server responds with a JSON Home document. exp_json_home_data = { - 'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED} + 'resources': V3_JSON_HOME_RESOURCES} self._test_json_home('/v3', exp_json_home_data) @@ -904,7 +870,7 @@ class VersionTestCase(unit.TestCase): # then the server responds with a JSON Home document. exp_json_home_data = copy.deepcopy({ - 'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED}) + 'resources': V3_JSON_HOME_RESOURCES}) json_home.translate_urls(exp_json_home_data, '/v3') self._test_json_home('/', exp_json_home_data) 
@@ -1020,45 +986,6 @@ class VersionSingleAppTestCase(unit.TestCase): self._test_version('admin') -class VersionInheritEnabledTestCase(unit.TestCase): - def setUp(self): - super(VersionInheritEnabledTestCase, self).setUp() - self.load_backends() - self.public_app = self.loadapp('keystone', 'main') - self.admin_app = self.loadapp('keystone', 'admin') - - self.config_fixture.config( - public_endpoint='http://localhost:%(public_port)d', - admin_endpoint='http://localhost:%(admin_port)d') - - def config_overrides(self): - super(VersionInheritEnabledTestCase, self).config_overrides() - admin_port = random.randint(10000, 30000) - public_port = random.randint(40000, 60000) - self.config_fixture.config(group='eventlet_server', - public_port=public_port, - admin_port=admin_port) - - self.config_fixture.config(group='os_inherit', enabled=True) - - def test_json_home_v3(self): - # If the request is /v3 and the Accept header is application/json-home - # then the server responds with a JSON Home document. - - client = TestClient(self.public_app) - resp = client.get('/v3/', headers={'Accept': 'application/json-home'}) - - self.assertThat(resp.status, tt_matchers.Equals('200 OK')) - self.assertThat(resp.headers['Content-Type'], - tt_matchers.Equals('application/json-home')) - - exp_json_home_data = { - 'resources': V3_JSON_HOME_RESOURCES_INHERIT_ENABLED} - - self.assertThat(jsonutils.loads(resp.body), - tt_matchers.Equals(exp_json_home_data)) - - class VersionBehindSslTestCase(unit.TestCase): def setUp(self): super(VersionBehindSslTestCase, self).setUp() diff --git a/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml b/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml new file mode 100644 index 0000000000..63a0a0192d --- /dev/null +++ b/releasenotes/notes/enable-inherit-on-default-54ac435230261a6a.yaml 
@@ -0,0 +1,9 @@ +--- +upgrade: + - > + The default setting for the os_inherit configuration option is + changed to True. If it is required to continue with this portion + of the API disabled, then override the default setting by explicitly + specifying the os_inherit option as False. Now this option is marked + as deprecated. In the future, this option will be removed and this + portion of the API will be always enabled.