Enable os_inherit of Keystone v3 API
The os_inherit extension was implemented 2 years ago, and the API doc[1] also covers it. However, the os_inherit extension is disabled by default. So it would be good to enable the extension for production, development and testing. This patch comes from the discussion[2]. NOTE: This patch removes a test class which tests the enabled os_inherit, because os_inherit is now enabled by default. [1]: http://developer.openstack.org/api-ref-identity-v3-ext.html#identity_v3_OS-INHERIT-ext [2]: http://lists.openstack.org/pipermail/openstack-dev/2015-December/081822.html Closes-Bug: 1526660 Change-Id: Ifac71f7415f21c402f6e00c5264e972b0e80388c
parent
4c3071d5f6
commit
5ae155a3de
@ -222,10 +222,13 @@ FILE_OPTIONS = {
|
|||||||
help='Entrypoint for the trust backend driver in the '
|
help='Entrypoint for the trust backend driver in the '
|
||||||
'keystone.trust namespace.')],
|
'keystone.trust namespace.')],
|
||||||
'os_inherit': [
|
'os_inherit': [
|
||||||
cfg.BoolOpt('enabled', default=False,
|
cfg.BoolOpt('enabled', default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
help='role-assignment inheritance to projects from '
|
help='role-assignment inheritance to projects from '
|
||||||
'owning domain or from projects higher in the '
|
'owning domain or from projects higher in the '
|
||||||
'hierarchy can be optionally enabled.'),
|
'hierarchy can be optionally disabled. In the '
|
||||||
|
'future, this option will be removed and the '
|
||||||
|
'hierarchy will be always enabled.'),
|
||||||
],
|
],
|
||||||
'fernet_tokens': [
|
'fernet_tokens': [
|
||||||
cfg.StrOpt('key_repository',
|
cfg.StrOpt('key_repository',
|
||||||
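Review bot: The new help text ends with `'hierarchy will be always enabled.'`, but the option controls role-assignment inheritance rather than the project hierarchy, so the deprecation message misstates what becomes permanent. `'future, this option will be removed and inheritance '` followed by `'will always be enabled.'),` would say what is meant. Because `default=True` changes authorization-relevant behaviour for every deployment that never set `[os_inherit] enabled`, it would also help to pass `deprecated_reason=` next to `deprecated_for_removal=True`, stating that the OS-INHERIT API is served unless the option is explicitly set to False. Operators taking the new default should presumably review any inherited role assignments already stored, since the release note in this commit describes the override but not that check. The `FILE_OPTIONS` dict starts and ends outside this hunk.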
|
@ -125,6 +125,7 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
|||||||
|
|
||||||
self.load_backends()
|
self.load_backends()
|
||||||
self.load_fixtures(default_fixtures)
|
self.load_fixtures(default_fixtures)
|
||||||
|
self.config_fixture.config(group='os_inherit', enabled=False)
|
||||||
|
|
||||||
def _get_domain_fixture(self):
|
def _get_domain_fixture(self):
|
||||||
"""Domains in LDAP are read-only, so just return the static one."""
|
"""Domains in LDAP are read-only, so just return the static one."""
|
||||||
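Review bot: The added `self.config_fixture.config(group='os_inherit', enabled=False)` runs after `self.load_backends()` and `self.load_fixtures(default_fixtures)`, and there is no comment saying why the LDAP identity tests opt out of the new default. The `VersionInheritEnabledTestCase` removed in this same commit set the option from `config_overrides()`, which presumably runs during the base setUp before the backends are loaded. If this class has the same hook, setting the option there would stop the override depending on when it is first read. A short comment above the line giving the reason the LDAP tests keep inheritance off (the author should supply the reason) would make the intent clear to the next reader. The enclosing method starts outside the hunk.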
|
@ -131,6 +131,10 @@ _build_ep_filter_rel = functools.partial(
|
|||||||
json_home.build_v3_extension_resource_relation,
|
json_home.build_v3_extension_resource_relation,
|
||||||
extension_name='OS-EP-FILTER', extension_version='1.0')
|
extension_name='OS-EP-FILTER', extension_version='1.0')
|
||||||
|
|
||||||
|
_build_os_inherit_rel = functools.partial(
|
||||||
|
json_home.build_v3_extension_resource_relation,
|
||||||
|
extension_name='OS-INHERIT', extension_version='1.0')
|
||||||
|
|
||||||
TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
|
TRUST_ID_PARAMETER_RELATION = json_home.build_v3_extension_parameter_relation(
|
||||||
'OS-TRUST', '1.0', 'trust_id')
|
'OS-TRUST', '1.0', 'trust_id')
|
||||||
|
|
||||||
@ -174,7 +178,7 @@ FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{idp_id}'
|
|||||||
FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/'
|
FEDERATED_IDP_SPECIFIC_WEBSSO = ('/auth/OS-FEDERATION/identity_providers/'
|
||||||
'{idp_id}/protocols/{protocol_id}/websso')
|
'{idp_id}/protocols/{protocol_id}/websso')
|
||||||
|
|
||||||
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
V3_JSON_HOME_RESOURCES = {
|
||||||
json_home.build_v3_resource_relation('auth_tokens'): {
|
json_home.build_v3_resource_relation('auth_tokens'): {
|
||||||
'href': '/auth/tokens'},
|
'href': '/auth/tokens'},
|
||||||
json_home.build_v3_resource_relation('auth_catalog'): {
|
json_home.build_v3_resource_relation('auth_catalog'): {
|
||||||
@ -507,6 +511,58 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
|||||||
'href-template': BASE_EP_FILTER + '/projects',
|
'href-template': BASE_EP_FILTER + '/projects',
|
||||||
'href-vars': {'endpoint_group_id':
|
'href-vars': {'endpoint_group_id':
|
||||||
ENDPOINT_GROUP_ID_PARAMETER_RELATION, }},
|
ENDPOINT_GROUP_ID_PARAMETER_RELATION, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='domain_user_role_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||||
|
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||||
|
'role_id': json_home.Parameters.ROLE_ID,
|
||||||
|
'user_id': json_home.Parameters.USER_ID, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='domain_group_role_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||||
|
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||||
|
'group_id': json_home.Parameters.GROUP_ID,
|
||||||
|
'role_id': json_home.Parameters.ROLE_ID, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='domain_user_roles_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
||||||
|
'{user_id}/roles/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||||
|
'user_id': json_home.Parameters.USER_ID, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='domain_group_roles_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
||||||
|
'{group_id}/roles/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'domain_id': json_home.Parameters.DOMAIN_ID,
|
||||||
|
'group_id': json_home.Parameters.GROUP_ID, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='project_user_role_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
|
||||||
|
'{user_id}/roles/{role_id}/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'project_id': json_home.Parameters.PROJECT_ID,
|
||||||
|
'role_id': json_home.Parameters.ROLE_ID,
|
||||||
|
'user_id': json_home.Parameters.USER_ID, }},
|
||||||
|
_build_os_inherit_rel(
|
||||||
|
resource_name='project_group_role_inherited_to_projects'):
|
||||||
|
{
|
||||||
|
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
|
||||||
|
'{group_id}/roles/{role_id}/inherited_to_projects',
|
||||||
|
'href-vars': {
|
||||||
|
'project_id': json_home.Parameters.PROJECT_ID,
|
||||||
|
'group_id': json_home.Parameters.GROUP_ID,
|
||||||
|
'role_id': json_home.Parameters.ROLE_ID, }},
|
||||||
json_home.build_v3_resource_relation('domain_config'): {
|
json_home.build_v3_resource_relation('domain_config'): {
|
||||||
'href-template':
|
'href-template':
|
||||||
'/domains/{domain_id}/config',
|
'/domains/{domain_id}/config',
|
||||||
@ -531,96 +587,6 @@ V3_JSON_HOME_RESOURCES_INHERIT_DISABLED = {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# with os-inherit enabled, there's some more resources.
|
|
||||||
|
|
||||||
build_os_inherit_relation = functools.partial(
|
|
||||||
json_home.build_v3_extension_resource_relation,
|
|
||||||
extension_name='OS-INHERIT', extension_version='1.0')
|
|
||||||
|
|
||||||
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED = dict(
|
|
||||||
V3_JSON_HOME_RESOURCES_INHERIT_DISABLED)
|
|
||||||
V3_JSON_HOME_RESOURCES_INHERIT_ENABLED.update(
|
|
||||||
(
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='domain_user_role_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
|
||||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
|
||||||
'role_id': json_home.Parameters.ROLE_ID,
|
|
||||||
'user_id': json_home.Parameters.USER_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='domain_group_role_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
|
||||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
|
||||||
'group_id': json_home.Parameters.GROUP_ID,
|
|
||||||
'role_id': json_home.Parameters.ROLE_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='domain_user_roles_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/domains/{domain_id}/users/'
|
|
||||||
'{user_id}/roles/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
|
||||||
'user_id': json_home.Parameters.USER_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='domain_group_roles_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/domains/{domain_id}/groups/'
|
|
||||||
'{group_id}/roles/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'domain_id': json_home.Parameters.DOMAIN_ID,
|
|
||||||
'group_id': json_home.Parameters.GROUP_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='project_user_role_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/projects/{project_id}/users/'
|
|
||||||
'{user_id}/roles/{role_id}/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'project_id': json_home.Parameters.PROJECT_ID,
|
|
||||||
'role_id': json_home.Parameters.ROLE_ID,
|
|
||||||
'user_id': json_home.Parameters.USER_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
(
|
|
||||||
build_os_inherit_relation(
|
|
||||||
resource_name='project_group_role_inherited_to_projects'),
|
|
||||||
{
|
|
||||||
'href-template': '/OS-INHERIT/projects/{project_id}/groups/'
|
|
||||||
'{group_id}/roles/{role_id}/inherited_to_projects',
|
|
||||||
'href-vars': {
|
|
||||||
'project_id': json_home.Parameters.PROJECT_ID,
|
|
||||||
'group_id': json_home.Parameters.GROUP_ID,
|
|
||||||
'role_id': json_home.Parameters.ROLE_ID,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
),
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class TestClient(object):
|
class TestClient(object):
|
||||||
def __init__(self, app=None, token=None):
|
def __init__(self, app=None, token=None):
|
||||||
self.app = app
|
self.app = app
|
||||||
@ -895,7 +861,7 @@ class VersionTestCase(unit.TestCase):
|
|||||||
# then the server responds with a JSON Home document.
|
# then the server responds with a JSON Home document.
|
||||||
|
|
||||||
exp_json_home_data = {
|
exp_json_home_data = {
|
||||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED}
|
'resources': V3_JSON_HOME_RESOURCES}
|
||||||
|
|
||||||
self._test_json_home('/v3', exp_json_home_data)
|
self._test_json_home('/v3', exp_json_home_data)
|
||||||
|
|
||||||
@ -904,7 +870,7 @@ class VersionTestCase(unit.TestCase):
|
|||||||
# then the server responds with a JSON Home document.
|
# then the server responds with a JSON Home document.
|
||||||
|
|
||||||
exp_json_home_data = copy.deepcopy({
|
exp_json_home_data = copy.deepcopy({
|
||||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_DISABLED})
|
'resources': V3_JSON_HOME_RESOURCES})
|
||||||
json_home.translate_urls(exp_json_home_data, '/v3')
|
json_home.translate_urls(exp_json_home_data, '/v3')
|
||||||
|
|
||||||
self._test_json_home('/', exp_json_home_data)
|
self._test_json_home('/', exp_json_home_data)
|
||||||
@ -1020,45 +986,6 @@ class VersionSingleAppTestCase(unit.TestCase):
|
|||||||
self._test_version('admin')
|
self._test_version('admin')
|
||||||
|
|
||||||
|
|
||||||
class VersionInheritEnabledTestCase(unit.TestCase):
|
|
||||||
def setUp(self):
|
|
||||||
super(VersionInheritEnabledTestCase, self).setUp()
|
|
||||||
self.load_backends()
|
|
||||||
self.public_app = self.loadapp('keystone', 'main')
|
|
||||||
self.admin_app = self.loadapp('keystone', 'admin')
|
|
||||||
|
|
||||||
self.config_fixture.config(
|
|
||||||
public_endpoint='http://localhost:%(public_port)d',
|
|
||||||
admin_endpoint='http://localhost:%(admin_port)d')
|
|
||||||
|
|
||||||
def config_overrides(self):
|
|
||||||
super(VersionInheritEnabledTestCase, self).config_overrides()
|
|
||||||
admin_port = random.randint(10000, 30000)
|
|
||||||
public_port = random.randint(40000, 60000)
|
|
||||||
self.config_fixture.config(group='eventlet_server',
|
|
||||||
public_port=public_port,
|
|
||||||
admin_port=admin_port)
|
|
||||||
|
|
||||||
self.config_fixture.config(group='os_inherit', enabled=True)
|
|
||||||
|
|
||||||
def test_json_home_v3(self):
|
|
||||||
# If the request is /v3 and the Accept header is application/json-home
|
|
||||||
# then the server responds with a JSON Home document.
|
|
||||||
|
|
||||||
client = TestClient(self.public_app)
|
|
||||||
resp = client.get('/v3/', headers={'Accept': 'application/json-home'})
|
|
||||||
|
|
||||||
self.assertThat(resp.status, tt_matchers.Equals('200 OK'))
|
|
||||||
self.assertThat(resp.headers['Content-Type'],
|
|
||||||
tt_matchers.Equals('application/json-home'))
|
|
||||||
|
|
||||||
exp_json_home_data = {
|
|
||||||
'resources': V3_JSON_HOME_RESOURCES_INHERIT_ENABLED}
|
|
||||||
|
|
||||||
self.assertThat(jsonutils.loads(resp.body),
|
|
||||||
tt_matchers.Equals(exp_json_home_data))
|
|
||||||
|
|
||||||
|
|
||||||
class VersionBehindSslTestCase(unit.TestCase):
|
class VersionBehindSslTestCase(unit.TestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(VersionBehindSslTestCase, self).setUp()
|
super(VersionBehindSslTestCase, self).setUp()
|
||||||
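Review bot: With `VersionInheritEnabledTestCase` removed and the OS-INHERIT relations folded into `V3_JSON_HOME_RESOURCES`, nothing in this file still checks the JSON Home document when `os_inherit` is set to False. That setting stays supported until the option is removed, and the release note tells operators to use it to keep this part of the API disabled, so the disabled path deserves a regression test. A small test case that sets `enabled=False` in `config_overrides()` and asserts the OS-INHERIT relations are absent from the `/v3` document would cover it, as sketched below. The setUp and port configuration can be carried over from the removed class.

```python
class VersionInheritDisabledTestCase(unit.TestCase):
    # … unchanged: setUp as in the removed VersionInheritEnabledTestCase …

    def config_overrides(self):
        super(VersionInheritDisabledTestCase, self).config_overrides()
        # … unchanged: eventlet_server public_port / admin_port configuration …
        # Operators may still turn the extension off until the option is removed.
        self.config_fixture.config(group='os_inherit', enabled=False)

    def test_json_home_v3_omits_os_inherit(self):
        client = TestClient(self.public_app)
        resp = client.get('/v3/', headers={'Accept': 'application/json-home'})
        resources = jsonutils.loads(resp.body)['resources']
        inherit_rel = _build_os_inherit_rel(
            resource_name='domain_user_role_inherited_to_projects')
        self.assertNotIn(inherit_rel, resources)
```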
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- >
|
||||||
|
The default setting for the os_inherit configuration option is
|
||||||
|
changed to True. If it is required to continue with this portion
|
||||||
|
of the API disabled, then override the default setting by explicitly
|
||||||
|
specifying the os_inherit option as False. Now this option is marked
|
||||||
|
as deprecated. In the future, this option will be removed and this
|
||||||
|
portion of the API will be always enabled.
|