Enable os_inherit of Keystone v3 API

The os_inherit extension has been implemented for about two years, and the
API doc[1] also covers it. However, the os_inherit extension is disabled
by default, so it is worth enabling the extension for production,
development and testing.
This patch comes from the discussion[2].

NOTE: This patch removes a test class which tests the enabled os_inherit
      because os_inherit becomes enabled on the default.

[1]: http://developer.openstack.org/api-ref-identity-v3-ext.html#identity_v3_OS-INHERIT-ext
[2]: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081822.html

Closes-Bug: 1526660

Change-Id: Ifac71f7415f21c402f6e00c5264e972b0e80388c
Ken'ichi Ohmichi 2015-12-14 22:14:40 +00:00
parent 4c3071d5f6
commit 5ae155a3de
4 changed files with 74 additions and 134 deletions


@ -222,10 +222,13 @@ FILE_OPTIONS = {
help='Entrypoint for the trust backend driver in the ' help='Entrypoint for the trust backend driver in the '
'keystone.trust namespace.')], 'keystone.trust namespace.')],
'os_inherit': [ 'os_inherit': [
cfg.BoolOpt('enabled', default=False, cfg.BoolOpt('enabled', default=True,
deprecated_for_removal=True,
help='role-assignment inheritance to projects from ' help='role-assignment inheritance to projects from '
'owning domain or from projects higher in the ' 'owning domain or from projects higher in the '
'hierarchy can be optionally enabled.'), 'hierarchy can be optionally disabled. In the '
'future, this option will be removed and the '
'hierarchy will be always enabled.'),
], ],
'fernet_tokens': [ 'fernet_tokens': [
cfg.StrOpt('key_repository', cfg.StrOpt('key_repository',
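Review bot: The new help text on the `os_inherit.enabled` option ends with "the hierarchy will be always enabled", but this option governs role-assignment inheritance, not the project hierarchy itself, so the sentence misdescribes what will become unconditional; I would change the last line to `'inheritance will always be enabled.'`. Since the option is now marked `deprecated_for_removal=True`, the deprecation warning oslo.config emits at startup would be more useful to operators with a `deprecated_reason=` giving the same one-line explanation, if the pinned oslo.config release provides that keyword. Operators who deliberately kept the extension off get no hint from the option itself that the default flipped; the help text is the one place they will look, so it is worth stating there that the default is now True.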


@ -125,6 +125,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
self.load_backends() self.load_backends()
self.load_fixtures(default_fixtures) self.load_fixtures(default_fixtures)
self.config_fixture.config(group='os_inherit', enabled=False)
def _get_domain_fixture(self): def _get_domain_fixture(self):
"""Domains in LDAP are read-only, so just return the static one.""" """Domains in LDAP are read-only, so just return the static one."""
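Review bot: The added `self.config_fixture.config(group='os_inherit', enabled=False)` in BaseLDAPIdentity.setUp carries no comment, so the next reader will not know whether pinning the old default is a deliberate scoping of the LDAP tests or an oversight left over from the default flip. Presumably these tests were written against the previously-disabled behaviour and are being kept on it; I would say so next to the line, e.g. `# os_inherit now defaults to True; keep the LDAP identity tests on the previous (disabled) behaviour they were written against.` The setUp body begins outside this hunk, so it is not visible whether anything else in it depends on the option.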


@ -131,6 +131,10 @@ _build_ep_filter_rel = functools.partial(
json_home.build_v3_extension_resource_relation, json_home.build_v3_extension_resource_relation,
extension_name='OS-EP-FILTER', extension_version='1.0') extension_name='OS-EP-FILTER', extension_version='1.0')
_build_os_inherit_rel = functools.partial(
json_home.build_v3_extension_resource_relation,
extension_name='OS-INHERIT', extension_version='1.0')
TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation( TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
'OS-TRUST', '1.0', 'trust_id') 'OS-TRUST', '1.0', 'trust_id')
@ -174,7 +178,7 @@ FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{idp_id}'
FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/' FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/'
'{idp_id}/protocols/{protocol_id}/websso') '{idp_id}/protocols/{protocol_id}/websso')
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = { V3_JSON_HOME_RESOURCES = {
json_home.build_v3_resource_relation('auth_tokens'): { json_home.build_v3_resource_relation('auth_tokens'): {
'href': '/auth/tokens'}, 'href': '/auth/tokens'},
json_home.build_v3_resource_relation('auth_catalog'): { json_home.build_v3_resource_relation('auth_catalog'): {
@ -507,6 +511,58 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
'href-template': BASE_EP_FILTER + '/projects', 'href-template': BASE_EP_FILTER + '/projects',
'href-vars': {'endpoint_group_id': 'href-vars': {'endpoint_group_id':
ENDPOINT_GROUP_ID_PARAMETER_RELATION, }}, ENDPOINT_GROUP_ID_PARAMETER_RELATION, }},
_build_os_inherit_rel(
resource_name='domain_user_role_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
'{user_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'role_id': json_home.Parameters.ROLE_ID,
'user_id': json_home.Parameters.USER_ID, }},
_build_os_inherit_rel(
resource_name='domain_group_role_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
'{group_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'group_id': json_home.Parameters.GROUP_ID,
'role_id': json_home.Parameters.ROLE_ID, }},
_build_os_inherit_rel(
resource_name='domain_user_roles_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
'{user_id}/roles/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'user_id': json_home.Parameters.USER_ID, }},
_build_os_inherit_rel(
resource_name='domain_group_roles_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
'{group_id}/roles/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'group_id': json_home.Parameters.GROUP_ID, }},
_build_os_inherit_rel(
resource_name='project_user_role_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
'{user_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'project_id': json_home.Parameters.PROJECT_ID,
'role_id': json_home.Parameters.ROLE_ID,
'user_id': json_home.Parameters.USER_ID, }},
_build_os_inherit_rel(
resource_name='project_group_role_inherited_to_projects'):
{
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
'{group_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'project_id': json_home.Parameters.PROJECT_ID,
'group_id': json_home.Parameters.GROUP_ID,
'role_id': json_home.Parameters.ROLE_ID, }},
json_home.build_v3_resource_relation('domain_config'): { json_home.build_v3_resource_relation('domain_config'): {
'href-template': 'href-template':
'/domains/{domain_id}/config', '/domains/{domain_id}/config',
@ -531,96 +587,6 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
} }
# with os-inherit enabled, there's some more resources.
build_os_inherit_relation = functools.partial(
json_home.build_v3_extension_resource_relation,
extension_name='OS-INHERIT', extension_version='1.0')
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED = dict(
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED)
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED.update(
(
(
build_os_inherit_relation(
resource_name='domain_user_role_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
'{user_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'role_id': json_home.Parameters.ROLE_ID,
'user_id': json_home.Parameters.USER_ID,
},
}
),
(
build_os_inherit_relation(
resource_name='domain_group_role_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
'{group_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'group_id': json_home.Parameters.GROUP_ID,
'role_id': json_home.Parameters.ROLE_ID,
},
}
),
(
build_os_inherit_relation(
resource_name='domain_user_roles_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
'{user_id}/roles/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'user_id': json_home.Parameters.USER_ID,
},
}
),
(
build_os_inherit_relation(
resource_name='domain_group_roles_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
'{group_id}/roles/inherited_to_projects',
'href-vars': {
'domain_id': json_home.Parameters.DOMAIN_ID,
'group_id': json_home.Parameters.GROUP_ID,
},
}
),
(
build_os_inherit_relation(
resource_name='project_user_role_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
'{user_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'project_id': json_home.Parameters.PROJECT_ID,
'role_id': json_home.Parameters.ROLE_ID,
'user_id': json_home.Parameters.USER_ID,
},
}
),
(
build_os_inherit_relation(
resource_name='project_group_role_inherited_to_projects'),
{
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
'{group_id}/roles/{role_id}/inherited_to_projects',
'href-vars': {
'project_id': json_home.Parameters.PROJECT_ID,
'group_id': json_home.Parameters.GROUP_ID,
'role_id': json_home.Parameters.ROLE_ID,
},
}
),
)
)
class TestClient(object): class TestClient(object):
def __init__(self, app=None, token=None): def __init__(self, app=None, token=None):
self.app = app self.app = app
@ -895,7 +861,7 @@ class VersionTestCase(unit.TestCase):
# then the server responds with a JSON Home document. # then the server responds with a JSON Home document.
exp_json_home_data = { exp_json_home_data = {
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED} 'resources': V3_JSON_HOME_RESOURCES}
self._test_json_home('/v3', exp_json_home_data) self._test_json_home('/v3', exp_json_home_data)
@ -904,7 +870,7 @@ class VersionTestCase(unit.TestCase):
# then the server responds with a JSON Home document. # then the server responds with a JSON Home document.
exp_json_home_data = copy.deepcopy({ exp_json_home_data = copy.deepcopy({
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED}) 'resources': V3_JSON_HOME_RESOURCES})
json_home.translate_urls(exp_json_home_data, '/v3') json_home.translate_urls(exp_json_home_data, '/v3')
self._test_json_home('/', exp_json_home_data) self._test_json_home('/', exp_json_home_data)
@ -1020,45 +986,6 @@ class VersionSingleAppTestCase(unit.TestCase):
self._test_version('admin') self._test_version('admin')
class VersionInheritEnabledTestCase(unit.TestCase):
def setUp(self):
super(VersionInheritEnabledTestCase, self).setUp()
self.load_backends()
self.public_app = self.loadapp('keystone', 'main')
self.admin_app = self.loadapp('keystone', 'admin')
self.config_fixture.config(
public_endpoint='http://localhost:%(public_port)d',
admin_endpoint='http://localhost:%(admin_port)d')
def config_overrides(self):
super(VersionInheritEnabledTestCase, self).config_overrides()
admin_port = random.randint(10000, 30000)
public_port = random.randint(40000, 60000)
self.config_fixture.config(group='eventlet_server',
public_port=public_port,
admin_port=admin_port)
self.config_fixture.config(group='os_inherit', enabled=True)
def test_json_home_v3(self):
# If the request is /v3 and the Accept header is application/json-home
# then the server responds with a JSON Home document.
client = TestClient(self.public_app)
resp = client.get('/v3/', headers={'Accept': 'application/json-home'})
self.assertThat(resp.status, tt_matchers.Equals('200 OK'))
self.assertThat(resp.headers['Content-Type'],
tt_matchers.Equals('application/json-home'))
exp_json_home_data = {
'resources': V3_JSON_HOME_RESOURCES_INHERIT_ENABLED}
self.assertThat(jsonutils.loads(resp.body),
tt_matchers.Equals(exp_json_home_data))
class VersionBehindSslTestCase(unit.TestCase): class VersionBehindSslTestCase(unit.TestCase):
def setUp(self): def setUp(self):
super(VersionBehindSslTestCase, self).setUp() super(VersionBehindSslTestCase, self).setUp()
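Review bot: Deleting VersionInheritEnabledTestCase in the last hunk of this file leaves the `enabled=False` path with no coverage at all: the option is deprecated but still honoured, and the new unconditional `V3_JSON_HOME_RESOURCES` means no test now asserts that a deployment which overrides the option back to False (exactly what the release note tells operators they may do) stops advertising the OS-INHERIT relations in the JSON Home document. The cheapest fix is to keep the removed class with its sense inverted rather than dropping it: `self.config_fixture.config(group='os_inherit', enabled=False)` in `config_overrides` (it must be set there, before `loadapp`, as the removed class did for the enabled case), and an expectation built by filtering `V3_JSON_HOME_RESOURCES` down to the entries whose relation does not come from `_build_os_inherit_rel`, asserted with the same `_test_json_home` helper the other version tests use. The first hunk also defines `_build_os_inherit_rel` as a module-level partial next to `_build_ep_filter_rel`; a one-line comment on it noting that the six OS-INHERIT entries below depend on the option being enabled would make that coupling visible to whoever eventually removes the option.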


@ -0,0 +1,9 @@
---
upgrade:
- >
The default setting for the os_inherit configuration option is
changed to True. If it is required to continue with this portion
of the API disabled, then override the default setting by explicitly
specifying the os_inherit option as False. Now this option is marked
as deprecated. In the future, this option will be removed and this
portion of the API will be always enabled.