From 73a39e1b9e1cbb3ef91d65e3bb9183a6ad34c031 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 20 Jan 2016 15:30:32 -0800 Subject: [PATCH] Remove more ldap project references Commit I848bf41022224fec65cd9555a6e82790b296dcbe removed the LDAP resource and assignment backends. As a result, some more items can be removed, namely: * ProjectLdapStructureMixin class is no longer used anywhere. * references to project related ldap attributes in test conf files * removal of references to ldap project attributes in configuration doc Change-Id: I3efb32c39d3077f787e31533ef5407948a5d8cfd --- doc/source/configuration.rst | 39 ++++++------------- keystone/common/ldap/core.py | 21 ---------- .../unit/config_files/backend_liveldap.conf | 3 -- .../config_files/backend_pool_liveldap.conf | 2 - .../config_files/backend_tls_liveldap.conf | 2 - keystone/tests/unit/test_ldap_livetest.py | 3 -- 6 files changed, 11 insertions(+), 59 deletions(-) diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index cffdc3c3ac..9757f436eb 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -1671,9 +1671,6 @@ The corresponding entries in the Keystone configuration file are: user_tree_dn = ou=Users,dc=openstack,dc=org user_objectclass = inetOrgPerson - project_tree_dn = ou=Projects,dc=openstack,dc=org - project_objectclass = groupOfNames - role_tree_dn = ou=Roles,dc=openstack,dc=org role_objectclass = organizationalRole @@ -1704,10 +1701,6 @@ and you have only read access, in such case the configuration is: user_allow_update = False user_allow_delete = False - project_allow_create = True - project_allow_update = True - project_allow_delete = True - role_allow_create = True role_allow_update = True role_allow_delete = True @@ -1720,7 +1713,6 @@ look like: [ldap] user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org) - project_filter = role_filter = In case that the directory server does not have an attribute enabled of type 
@@ -1761,13 +1753,6 @@ specified classes in the LDAP module so you can configure them like: user_enabled_mask = 2 user_enabled_default = 512 user_attribute_ignore = tenant_id,tenants - project_objectclass = groupOfNames - project_id_attribute = cn - project_member_attribute = member - project_name_attribute = ou - project_desc_attribute = description - project_enabled_attribute = extensionName - project_attribute_ignore = role_objectclass = organizationalRole role_id_attribute = cn role_name_attribute = ou @@ -1797,14 +1782,13 @@ Enabled Emulation ----------------- Some directory servers do not provide any enabled attribute. For these servers, -the ``user_enabled_emulation`` and ``project_enabled_emulation`` attributes -have been created. They are enabled by setting their respective flags to True. -Then the attributes ``user_enabled_emulation_dn`` and -``project_enabled_emulation_dn`` may be set to specify how the enabled users -and projects (tenants) are selected. These attributes work by using a -``groupOfNames`` entry and adding whichever users or projects (tenants) that -you want enabled to the respective group with the ``member`` attribute. For -example, this will mark any user who is a member of ``enabled_users`` as enabled: +the ``user_enabled_emulation`` attribute has been created. It is enabled by +setting the respective flags to True. Then the attribute +``user_enabled_emulation_dn`` may be set to specify how the enabled users are +selected. This attribute works by using a ``groupOfNames`` entry and adding +whichever users or that you want enabled to the respective group with the +``member`` attribute. For example, this will mark any user who is a member of +``enabled_users`` as enabled: .. code-block:: ini 
@@ -1812,15 +1796,14 @@ example, this will mark any user who is a member of ``enabled_users`` as enabled user_enabled_emulation = True user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org -The default values for user and project (tenant) enabled emulation DN is -``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn`` -respectively. +The default values for user enabled emulation DN is +``cn=enabled_users,$user_tree_dn``. + If a different LDAP schema is used for group membership, it is possible to use the ``group_objectclass`` and ``group_member_attribute`` attributes to determine membership in the enabled emulation group by setting the -``user_enabled_emulation_use_group_config`` and -``project_enabled_emulation_use_group_config`` attributes to True. +``user_enabled_emulation_use_group_config`` attribute to True. Secure Connection ----------------- diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py index 9c0b7f07eb..d321c7552b 100644 --- a/keystone/common/ldap/core.py +++ b/keystone/common/ldap/core.py @@ -1950,24 +1950,3 @@ class EnabledEmuMixIn(BaseLdap): if self.enabled_emulation: self._remove_enabled(object_id) super(EnabledEmuMixIn, self).delete(object_id) - - -class ProjectLdapStructureMixin(object): - """Project LDAP Structure shared between LDAP backends. - - This is shared between the resource and assignment LDAP backends. - - """ - - DEFAULT_OU = 'ou=Groups' - DEFAULT_STRUCTURAL_CLASSES = [] - DEFAULT_OBJECTCLASS = 'groupOfNames' - DEFAULT_ID_ATTR = 'cn' - NotFound = exception.ProjectNotFound - notfound_arg = 'project_id' # NOTE(yorik-sar): while options_name = tenant - options_name = 'project' - attribute_options_names = {'name': 'name', - 'description': 'desc', - 'enabled': 'enabled', - 'domain_id': 'domain_id'} - immutable_attrs = ['name'] 
diff --git a/keystone/tests/unit/config_files/backend_liveldap.conf b/keystone/tests/unit/config_files/backend_liveldap.conf
index 59cb8577d2..cedc0f1099 100644
--- a/keystone/tests/unit/config_files/backend_liveldap.conf
+++ b/keystone/tests/unit/config_files/backend_liveldap.conf
@@ -5,10 +5,7 @@ password = test
 suffix = dc=openstack,dc=org
 group_tree_dn = ou=UserGroups,dc=openstack,dc=org
 role_tree_dn = ou=Roles,dc=openstack,dc=org
-project_tree_dn = ou=Projects,dc=openstack,dc=org
 user_tree_dn = ou=Users,dc=openstack,dc=org
-project_enabled_emulation = True
 user_enabled_emulation = True
 user_mail_attribute = mail
 use_dumb_member = True
-
diff --git a/keystone/tests/unit/config_files/backend_pool_liveldap.conf b/keystone/tests/unit/config_files/backend_pool_liveldap.conf
index a85f5226eb..0dd023b746 100644
--- a/keystone/tests/unit/config_files/backend_pool_liveldap.conf
+++ b/keystone/tests/unit/config_files/backend_pool_liveldap.conf
@@ -5,9 +5,7 @@ password = test
 suffix = dc=openstack,dc=org
 group_tree_dn = ou=UserGroups,dc=openstack,dc=org
 role_tree_dn = ou=Roles,dc=openstack,dc=org
-project_tree_dn = ou=Projects,dc=openstack,dc=org
 user_tree_dn = ou=Users,dc=openstack,dc=org
-project_enabled_emulation = True
 user_enabled_emulation = True
 user_mail_attribute = mail
 use_dumb_member = True
diff --git a/keystone/tests/unit/config_files/backend_tls_liveldap.conf b/keystone/tests/unit/config_files/backend_tls_liveldap.conf
index d35b9139f1..2ce21f092b 100644
--- a/keystone/tests/unit/config_files/backend_tls_liveldap.conf
+++ b/keystone/tests/unit/config_files/backend_tls_liveldap.conf
@@ -5,9 +5,7 @@ password = test
 suffix = dc=openstack,dc=org
 group_tree_dn = ou=UserGroups,dc=openstack,dc=org
 role_tree_dn = ou=Roles,dc=openstack,dc=org
-project_tree_dn = ou=Projects,dc=openstack,dc=org
 user_tree_dn = ou=Users,dc=openstack,dc=org
-project_enabled_emulation = True
 user_enabled_emulation = True
 user_mail_attribute = mail
 use_dumb_member = True
diff --git a/keystone/tests/unit/test_ldap_livetest.py b/keystone/tests/unit/test_ldap_livetest.py index 8a9d8d35a2..4bce6a7399 100644 --- a/keystone/tests/unit/test_ldap_livetest.py +++ b/keystone/tests/unit/test_ldap_livetest.py @@ -69,9 +69,6 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity): create_object(CONF.ldap.role_tree_dn, {'objectclass': 'organizationalUnit', 'ou': 'Roles'}) - create_object(CONF.ldap.project_tree_dn, - {'objectclass': 'organizationalUnit', - 'ou': 'Projects'}) create_object(CONF.ldap.group_tree_dn, {'objectclass': 'organizationalUnit', 'ou': 'UserGroups'})