Keystone backend preparation for domain-scoping
These changes lay the ground work for the implmentation of domain-scoping, but are benign in that they don't change the token. They include making domain_id a first-class attribute in the user and project entity (i.e. move it out of the 'extra' attribute), filling in domain grant and project support for the kvs backend and fixing a series of issues in the mirgation to make it work for both MySQL, Postgresql and sqlite. A further, separate, commit will actually provide the code to update the actual tokens once the v3 token support has been added. blueprint domain-scoping blueprint default-domain Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
This commit is contained in:
parent
f1defe8f62
commit
8a89464d62
@ -10,6 +10,7 @@ from keystone import exception
|
|||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
def protected(f):
|
def protected(f):
|
||||||
@ -68,6 +69,21 @@ class V2Controller(wsgi.Application):
|
|||||||
msg = '%s field is required and cannot be empty' % attr
|
msg = '%s field is required and cannot be empty' % attr
|
||||||
raise exception.ValidationError(message=msg)
|
raise exception.ValidationError(message=msg)
|
||||||
|
|
||||||
|
def _normalize_domain_id(self, context, ref):
|
||||||
|
"""Fill in domain_id since v2 calls are not domain-aware.
|
||||||
|
|
||||||
|
This will overwrite any domain_id that was inadvertently
|
||||||
|
specified in the v2 call.
|
||||||
|
|
||||||
|
"""
|
||||||
|
ref['domain_id'] = DEFAULT_DOMAIN_ID
|
||||||
|
return ref
|
||||||
|
|
||||||
|
def _filter_domain_id(self, ref):
|
||||||
|
"""Remove domain_id since v2 calls are not domain-aware."""
|
||||||
|
ref.pop('domain_id', None)
|
||||||
|
return ref
|
||||||
|
|
||||||
|
|
||||||
class V3Controller(V2Controller):
|
class V3Controller(V2Controller):
|
||||||
"""Base controller class for Identity API v3.
|
"""Base controller class for Identity API v3.
|
||||||
@ -148,3 +164,37 @@ class V3Controller(V2Controller):
|
|||||||
value = context['query_string'][attr]
|
value = context['query_string'][attr]
|
||||||
return [r for r in refs if r[attr] == value]
|
return [r for r in refs if r[attr] == value]
|
||||||
return refs
|
return refs
|
||||||
|
|
||||||
|
def _normalize_domain_id(self, context, ref):
|
||||||
|
"""Fill in domain_id if not specified in a v3 call."""
|
||||||
|
|
||||||
|
if 'domain_id' not in ref:
|
||||||
|
if context['is_admin']:
|
||||||
|
ref['domain_id'] = DEFAULT_DOMAIN_ID
|
||||||
|
else:
|
||||||
|
# Fish the domain_id out of the token
|
||||||
|
#
|
||||||
|
# We could make this more efficient by loading the domain_id
|
||||||
|
# into the context in the wrapper function above (since
|
||||||
|
# this version of normalize_domain will only be called inside
|
||||||
|
# a v3 protected call). However, given that we only use this
|
||||||
|
# for creating entities, this optimization is probably not
|
||||||
|
# worth the duplication of state
|
||||||
|
try:
|
||||||
|
token_ref = self.token_api.get_token(
|
||||||
|
context=context, token_id=context['token_id'])
|
||||||
|
except exception.TokenNotFound:
|
||||||
|
LOG.warning(_('Invalid token in normalize_domain_id'))
|
||||||
|
raise exception.Unauthorized()
|
||||||
|
|
||||||
|
if 'domain' in token_ref:
|
||||||
|
ref['domain_id'] = token_ref['domain']['id']
|
||||||
|
else:
|
||||||
|
# FIXME(henry-nash) Revisit this once v3 token scoping
|
||||||
|
# across domains has been hashed out
|
||||||
|
ref['domain_id'] = DEFAULT_DOMAIN_ID
|
||||||
|
return ref
|
||||||
|
|
||||||
|
def _filter_domain_id(self, ref):
|
||||||
|
"""Override v2 filter to let domain_id out for v3 calls."""
|
||||||
|
return ref
|
||||||
|
@ -87,6 +87,7 @@ class User(Model):
|
|||||||
Required keys:
|
Required keys:
|
||||||
id
|
id
|
||||||
name
|
name
|
||||||
|
domain_id
|
||||||
|
|
||||||
Optional keys:
|
Optional keys:
|
||||||
password
|
password
|
||||||
@ -95,7 +96,7 @@ class User(Model):
|
|||||||
enabled (bool, default True)
|
enabled (bool, default True)
|
||||||
"""
|
"""
|
||||||
|
|
||||||
required_keys = ('id', 'name')
|
required_keys = ('id', 'name', 'domain_id')
|
||||||
optional_keys = ('password', 'description', 'email', 'enabled')
|
optional_keys = ('password', 'description', 'email', 'enabled')
|
||||||
|
|
||||||
|
|
||||||
@ -105,15 +106,16 @@ class Group(Model):
|
|||||||
Required keys:
|
Required keys:
|
||||||
id
|
id
|
||||||
name
|
name
|
||||||
|
domain_id
|
||||||
|
|
||||||
Optional keys:
|
Optional keys:
|
||||||
domain_id
|
|
||||||
description
|
description
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
required_keys = ('id', 'name')
|
required_keys = ('id', 'name', 'domain_id')
|
||||||
optional_keys = ('domain_id', 'description')
|
optional_keys = ('description')
|
||||||
|
|
||||||
|
|
||||||
class Project(Model):
|
class Project(Model):
|
||||||
@ -122,6 +124,7 @@ class Project(Model):
|
|||||||
Required keys:
|
Required keys:
|
||||||
id
|
id
|
||||||
name
|
name
|
||||||
|
domain_id
|
||||||
|
|
||||||
Optional Keys:
|
Optional Keys:
|
||||||
description
|
description
|
||||||
@ -129,7 +132,7 @@ class Project(Model):
|
|||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
required_keys = ('id', 'name')
|
required_keys = ('id', 'name', 'domain_id')
|
||||||
optional_keys = ('description', 'enabled')
|
optional_keys = ('description', 'enabled')
|
||||||
|
|
||||||
|
|
||||||
|
@ -22,9 +22,12 @@ from sqlalchemy import exc
|
|||||||
from keystone.common import logging
|
from keystone.common import logging
|
||||||
from keystone.contrib.ec2.backends import sql as ec2_sql
|
from keystone.contrib.ec2.backends import sql as ec2_sql
|
||||||
from keystone.identity.backends import sql as identity_sql
|
from keystone.identity.backends import sql as identity_sql
|
||||||
|
from keystone import config
|
||||||
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
def export_db(db):
|
def export_db(db):
|
||||||
@ -103,7 +106,8 @@ class LegacyMigration(object):
|
|||||||
# map
|
# map
|
||||||
new_dict = {'description': x.get('desc', ''),
|
new_dict = {'description': x.get('desc', ''),
|
||||||
'id': x.get('uid', x.get('id')),
|
'id': x.get('uid', x.get('id')),
|
||||||
'enabled': x.get('enabled', True)}
|
'enabled': x.get('enabled', True),
|
||||||
|
'domain_id': x.get('domain_id', DEFAULT_DOMAIN_ID)}
|
||||||
new_dict['name'] = x.get('name', new_dict.get('id'))
|
new_dict['name'] = x.get('name', new_dict.get('id'))
|
||||||
# track internal ids
|
# track internal ids
|
||||||
self._project_map[x.get('id')] = new_dict['id']
|
self._project_map[x.get('id')] = new_dict['id']
|
||||||
@ -117,7 +121,8 @@ class LegacyMigration(object):
|
|||||||
new_dict = {'email': x.get('email', ''),
|
new_dict = {'email': x.get('email', ''),
|
||||||
'password': x.get('password', None),
|
'password': x.get('password', None),
|
||||||
'id': x.get('uid', x.get('id')),
|
'id': x.get('uid', x.get('id')),
|
||||||
'enabled': x.get('enabled', True)}
|
'enabled': x.get('enabled', True),
|
||||||
|
'domain_id': x.get('domain_id', DEFAULT_DOMAIN_ID)}
|
||||||
if x.get('tenant_id'):
|
if x.get('tenant_id'):
|
||||||
new_dict['tenant_id'] = self._project_map.get(x['tenant_id'])
|
new_dict['tenant_id'] = self._project_map.get(x['tenant_id'])
|
||||||
new_dict['name'] = x.get('name', new_dict.get('id'))
|
new_dict['name'] = x.get('name', new_dict.get('id'))
|
||||||
|
@ -22,7 +22,7 @@ from keystone import config
|
|||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
DEFAULT_DOMAIN_ID = CONF['identity']['default_domain_id']
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
def upgrade(migrate_engine):
|
def upgrade(migrate_engine):
|
||||||
|
@ -32,26 +32,21 @@ def is_enabled(enabled):
|
|||||||
return bool(enabled)
|
return bool(enabled)
|
||||||
|
|
||||||
|
|
||||||
def downgrade_user_table(meta, migrate_engine):
|
def downgrade_user_table(meta, migrate_engine, session):
|
||||||
user_table = Table('user', meta, autoload=True)
|
user_table = Table('user', meta, autoload=True)
|
||||||
maker = sessionmaker(bind=migrate_engine)
|
|
||||||
session = maker()
|
|
||||||
for user in session.query(user_table).all():
|
for user in session.query(user_table).all():
|
||||||
extra = json.loads(user.extra)
|
extra = json.loads(user.extra)
|
||||||
extra['password'] = user.password
|
extra['password'] = user.password
|
||||||
extra['enabled'] = '%r' % user.enabled
|
extra['enabled'] = '%r' % user.enabled
|
||||||
values = {'extra': json.dumps(extra)}
|
values = {'extra': json.dumps(extra)}
|
||||||
update = user_table.update().\
|
update = user_table.update().\
|
||||||
where(user_table.c.id == user.id).\
|
where(user_table.c.id == user.id).\
|
||||||
values(values)
|
values(values)
|
||||||
migrate_engine.execute(update)
|
migrate_engine.execute(update)
|
||||||
session.commit()
|
|
||||||
|
|
||||||
|
|
||||||
def downgrade_tenant_table(meta, migrate_engine):
|
def downgrade_tenant_table(meta, migrate_engine, session):
|
||||||
tenant_table = Table('tenant', meta, autoload=True)
|
tenant_table = Table('tenant', meta, autoload=True)
|
||||||
maker = sessionmaker(bind=migrate_engine)
|
|
||||||
session = maker()
|
|
||||||
for tenant in session.query(tenant_table).all():
|
for tenant in session.query(tenant_table).all():
|
||||||
extra = json.loads(tenant.extra)
|
extra = json.loads(tenant.extra)
|
||||||
extra['description'] = tenant.description
|
extra['description'] = tenant.description
|
||||||
@ -61,13 +56,10 @@ def downgrade_tenant_table(meta, migrate_engine):
|
|||||||
where(tenant_table.c.id == tenant.id).\
|
where(tenant_table.c.id == tenant.id).\
|
||||||
values(values)
|
values(values)
|
||||||
migrate_engine.execute(update)
|
migrate_engine.execute(update)
|
||||||
session.commit()
|
|
||||||
|
|
||||||
|
|
||||||
def upgrade_user_table(meta, migrate_engine):
|
def upgrade_user_table(meta, migrate_engine, session):
|
||||||
user_table = Table('user', meta, autoload=True)
|
user_table = Table('user', meta, autoload=True)
|
||||||
maker = sessionmaker(bind=migrate_engine)
|
|
||||||
session = maker()
|
|
||||||
for user in session.query(user_table).all():
|
for user in session.query(user_table).all():
|
||||||
extra = json.loads(user.extra)
|
extra = json.loads(user.extra)
|
||||||
values = {'password': extra.pop('password', None),
|
values = {'password': extra.pop('password', None),
|
||||||
@ -77,14 +69,10 @@ def upgrade_user_table(meta, migrate_engine):
|
|||||||
where(user_table.c.id == user.id).\
|
where(user_table.c.id == user.id).\
|
||||||
values(values)
|
values(values)
|
||||||
migrate_engine.execute(update)
|
migrate_engine.execute(update)
|
||||||
session.commit()
|
|
||||||
|
|
||||||
|
|
||||||
def upgrade_tenant_table(meta, migrate_engine):
|
def upgrade_tenant_table(meta, migrate_engine, session):
|
||||||
tenant_table = Table('tenant', meta, autoload=True)
|
tenant_table = Table('tenant', meta, autoload=True)
|
||||||
|
|
||||||
maker = sessionmaker(bind=migrate_engine)
|
|
||||||
session = maker()
|
|
||||||
for tenant in session.query(tenant_table):
|
for tenant in session.query(tenant_table):
|
||||||
extra = json.loads(tenant.extra)
|
extra = json.loads(tenant.extra)
|
||||||
values = {'description': extra.pop('description', None),
|
values = {'description': extra.pop('description', None),
|
||||||
@ -94,18 +82,21 @@ def upgrade_tenant_table(meta, migrate_engine):
|
|||||||
where(tenant_table.c.id == tenant.id).\
|
where(tenant_table.c.id == tenant.id).\
|
||||||
values(values)
|
values(values)
|
||||||
migrate_engine.execute(update)
|
migrate_engine.execute(update)
|
||||||
session.commit()
|
|
||||||
|
|
||||||
|
|
||||||
def upgrade(migrate_engine):
|
def upgrade(migrate_engine):
|
||||||
meta = MetaData()
|
meta = MetaData()
|
||||||
meta.bind = migrate_engine
|
meta.bind = migrate_engine
|
||||||
upgrade_user_table(meta, migrate_engine)
|
session = sessionmaker(bind=migrate_engine)()
|
||||||
upgrade_tenant_table(meta, migrate_engine)
|
upgrade_user_table(meta, migrate_engine, session)
|
||||||
|
upgrade_tenant_table(meta, migrate_engine, session)
|
||||||
|
session.commit()
|
||||||
|
|
||||||
|
|
||||||
def downgrade(migrate_engine):
|
def downgrade(migrate_engine):
|
||||||
meta = MetaData()
|
meta = MetaData()
|
||||||
meta.bind = migrate_engine
|
meta.bind = migrate_engine
|
||||||
downgrade_user_table(meta, migrate_engine)
|
session = sessionmaker(bind=migrate_engine)()
|
||||||
downgrade_tenant_table(meta, migrate_engine)
|
downgrade_user_table(meta, migrate_engine, session)
|
||||||
|
downgrade_tenant_table(meta, migrate_engine, session)
|
||||||
|
session.commit()
|
||||||
|
@ -48,13 +48,10 @@ def upgrade(migrate_engine):
|
|||||||
'url': urls[interface],
|
'url': urls[interface],
|
||||||
'extra': json.dumps(extra),
|
'extra': json.dumps(extra),
|
||||||
}
|
}
|
||||||
session.execute(
|
insert = new_table.insert().values(endpoint)
|
||||||
'INSERT INTO `%s` (%s) VALUES (%s)' % (
|
migrate_engine.execute(insert)
|
||||||
new_table.name,
|
|
||||||
', '.join('%s' % k for k in endpoint.keys()),
|
|
||||||
', '.join([':%s' % k for k in endpoint.keys()])),
|
|
||||||
endpoint)
|
|
||||||
session.commit()
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
|
|
||||||
def downgrade(migrate_engine):
|
def downgrade(migrate_engine):
|
||||||
@ -67,31 +64,31 @@ def downgrade(migrate_engine):
|
|||||||
|
|
||||||
session = orm.sessionmaker(bind=migrate_engine)()
|
session = orm.sessionmaker(bind=migrate_engine)()
|
||||||
for ref in session.query(new_table).all():
|
for ref in session.query(new_table).all():
|
||||||
extra = json.loads(ref.extra)
|
q = session.query(legacy_table)
|
||||||
extra['%surl' % ref.interface] = ref.url
|
q = q.filter_by(id=ref.legacy_endpoint_id)
|
||||||
endpoint = {
|
legacy_ref = q.first()
|
||||||
'id': ref.legacy_endpoint_id,
|
if legacy_ref:
|
||||||
'region': ref.region,
|
# We already have one, so just update the extra
|
||||||
'service_id': ref.service_id,
|
# attribute with the urls.
|
||||||
'extra': json.dumps(extra),
|
|
||||||
}
|
|
||||||
|
|
||||||
try:
|
|
||||||
session.execute(
|
|
||||||
'INSERT INTO `%s` (%s) VALUES (%s)' % (
|
|
||||||
legacy_table.name,
|
|
||||||
', '.join('%s' % k for k in endpoint.keys()),
|
|
||||||
', '.join([':%s' % k for k in endpoint.keys()])),
|
|
||||||
endpoint)
|
|
||||||
except sql.exc.IntegrityError:
|
|
||||||
q = session.query(legacy_table)
|
|
||||||
q = q.filter_by(id=ref.legacy_endpoint_id)
|
|
||||||
legacy_ref = q.one()
|
|
||||||
extra = json.loads(legacy_ref.extra)
|
extra = json.loads(legacy_ref.extra)
|
||||||
extra['%surl' % ref.interface] = ref.url
|
extra['%surl' % ref.interface] = ref.url
|
||||||
|
values = {'extra': json.dumps(extra)}
|
||||||
session.execute(
|
update = legacy_table.update().\
|
||||||
'UPDATE `%s` SET extra=:extra WHERE id=:id' % (
|
where(legacy_table.c.id == legacy_ref.id).\
|
||||||
legacy_table.name),
|
values(values)
|
||||||
{'extra': json.dumps(extra), 'id': legacy_ref.id})
|
migrate_engine.execute(update)
|
||||||
session.commit()
|
else:
|
||||||
|
# This is the first one of this legacy ID, so
|
||||||
|
# we can insert instead.
|
||||||
|
extra = json.loads(ref.extra)
|
||||||
|
extra['%surl' % ref.interface] = ref.url
|
||||||
|
endpoint = {
|
||||||
|
'id': ref.legacy_endpoint_id,
|
||||||
|
'region': ref.region,
|
||||||
|
'service_id': ref.service_id,
|
||||||
|
'extra': json.dumps(extra),
|
||||||
|
}
|
||||||
|
insert = legacy_table.insert().values(endpoint)
|
||||||
|
migrate_engine.execute(insert)
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
@ -26,7 +26,8 @@ def upgrade(migrate_engine):
|
|||||||
'group',
|
'group',
|
||||||
meta,
|
meta,
|
||||||
sql.Column('id', sql.String(64), primary_key=True),
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
sql.Column('domain_id', sql.String(64), sql.ForeignKey('domain.id')),
|
sql.Column('domain_id', sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False),
|
||||||
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
sql.Column('description', sql.Text()),
|
sql.Column('description', sql.Text()),
|
||||||
sql.Column('extra', sql.Text()))
|
sql.Column('extra', sql.Text()))
|
||||||
|
@ -11,7 +11,6 @@ def upgrade(migrate_engine):
|
|||||||
|
|
||||||
|
|
||||||
def downgrade(migrate_engine):
|
def downgrade(migrate_engine):
|
||||||
"""Replace API-version specific endpoint tables with one based on v2."""
|
|
||||||
meta = sql.MetaData()
|
meta = sql.MetaData()
|
||||||
meta.bind = migrate_engine
|
meta.bind = migrate_engine
|
||||||
upgrade_table = sql.Table('project', meta, autoload=True)
|
upgrade_table = sql.Table('project', meta, autoload=True)
|
||||||
|
@ -0,0 +1,414 @@
|
|||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
|
# Copyright 2012 OpenStack LLC
|
||||||
|
# Copyright 2013 IBM
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
"""
|
||||||
|
Normalize for domain_id, i.e. ensure User and Project entities have the
|
||||||
|
domain_id as a first class attribute.
|
||||||
|
|
||||||
|
Both User and Project (as well as Group) entities are owned by a
|
||||||
|
domain, which is implemented as each having a domain_id foreign key
|
||||||
|
in their sql representation that points back to the respective
|
||||||
|
domain in the domain table. This domain_id attribute should also
|
||||||
|
be required (i.e. not nullable)
|
||||||
|
|
||||||
|
Adding a non_nullable foreign key attribute to a table with existing
|
||||||
|
data causes a few problems since not all DB engines support the
|
||||||
|
ability to either control the triggering of integrity constraints
|
||||||
|
or the ability to modify columns after they are created.
|
||||||
|
|
||||||
|
To get round the above inconsistencies, two versions of the
|
||||||
|
upgrade/downgrade functions are supplied, one for those engines
|
||||||
|
that support dropping columns, and one for those that don't. For
|
||||||
|
the latter we are forced to do table copy AND control the triggering
|
||||||
|
of integrity constraints.
|
||||||
|
"""
|
||||||
|
|
||||||
|
import sqlalchemy as sql
|
||||||
|
from sqlalchemy.orm import sessionmaker
|
||||||
|
from keystone import config
|
||||||
|
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
|
def _disable_foreign_constraints(session, migrate_engine):
|
||||||
|
if migrate_engine.name == 'mysql':
|
||||||
|
session.execute('SET foreign_key_checks = 0;')
|
||||||
|
|
||||||
|
|
||||||
|
def _enable_foreign_constraints(session, migrate_engine):
|
||||||
|
if migrate_engine.name == 'mysql':
|
||||||
|
session.execute('SET foreign_key_checks = 1;')
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade_user_table_with_copy(meta, migrate_engine, session):
|
||||||
|
# We want to add the domain_id attribute to the user table. Since
|
||||||
|
# it is non nullable and the table may have data, easiest way is
|
||||||
|
# a table copy. Further, in order to keep foreign key constraints
|
||||||
|
# pointing at the right table, we need to be able and do a table
|
||||||
|
# DROP then CREATE, rather than ALTERing the name of the table.
|
||||||
|
|
||||||
|
# First make a copy of the user table
|
||||||
|
temp_user_table = sql.Table(
|
||||||
|
'temp_user',
|
||||||
|
meta,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column("password", sql.String(128)),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True))
|
||||||
|
temp_user_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
user_table = sql.Table('user', meta, autoload=True)
|
||||||
|
for user in session.query(user_table):
|
||||||
|
session.execute("insert into temp_user (id, name, extra, "
|
||||||
|
"password, enabled) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":password, :enabled);",
|
||||||
|
{'id': user.id,
|
||||||
|
'name': user.name,
|
||||||
|
'extra': user.extra,
|
||||||
|
'password': user.password,
|
||||||
|
'enabled': user.enabled})
|
||||||
|
|
||||||
|
# Now switch off constraints while we drop and then re-create the
|
||||||
|
# user table, with the additional domain_id column
|
||||||
|
_disable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute('drop table user;')
|
||||||
|
# Need to create a new metadata stream since we are going to load a
|
||||||
|
# different version of the user table
|
||||||
|
meta2 = sql.MetaData()
|
||||||
|
meta2.bind = migrate_engine
|
||||||
|
domain_table = sql.Table('domain', meta2, autoload=True)
|
||||||
|
user_table = sql.Table(
|
||||||
|
'user',
|
||||||
|
meta2,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column("password", sql.String(128)),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True),
|
||||||
|
sql.Column('domain_id', sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False))
|
||||||
|
user_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
# Finally copy in the data from our temp table and then clean
|
||||||
|
# up by deleting our temp table
|
||||||
|
for user in session.query(temp_user_table):
|
||||||
|
session.execute("insert into user (id, name, extra, "
|
||||||
|
"password, enabled, domain_id) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":password, :enabled, :domain_id);",
|
||||||
|
{'id': user.id,
|
||||||
|
'name': user.name,
|
||||||
|
'extra': user.extra,
|
||||||
|
'password': user.password,
|
||||||
|
'enabled': user.enabled,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID})
|
||||||
|
_enable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute("drop table temp_user;")
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade_project_table_with_copy(meta, migrate_engine, session):
|
||||||
|
# We want to add the domain_id attribute to the project table. Since
|
||||||
|
# it is non nullable and the table may have data, easiest way is
|
||||||
|
# a table copy. Further, in order to keep foreign key constraints
|
||||||
|
# pointing at the right table, we need to be able and do a table
|
||||||
|
# DROP then CREATE, rather than ALTERing the name of the table.
|
||||||
|
|
||||||
|
# Fist make a copy of the project table
|
||||||
|
temp_project_table = sql.Table(
|
||||||
|
'temp_project',
|
||||||
|
meta,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column("description", sql.Text()),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True))
|
||||||
|
temp_project_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
project_table = sql.Table('project', meta, autoload=True)
|
||||||
|
for project in session.query(project_table):
|
||||||
|
session.execute("insert into temp_project (id, name, extra, "
|
||||||
|
"description, enabled) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":description, :enabled);",
|
||||||
|
{'id': project.id,
|
||||||
|
'name': project.name,
|
||||||
|
'extra': project.extra,
|
||||||
|
'description': project.description,
|
||||||
|
'enabled': project.enabled})
|
||||||
|
|
||||||
|
# Now switch off constraints while we drop and then re-create the
|
||||||
|
# project table, with the additional domain_id column
|
||||||
|
_disable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute("drop table project;")
|
||||||
|
# Need to create a new metadata stream since we are going to load a
|
||||||
|
# different version of the project table
|
||||||
|
meta2 = sql.MetaData()
|
||||||
|
meta2.bind = migrate_engine
|
||||||
|
domain_table = sql.Table('domain', meta2, autoload=True)
|
||||||
|
project_table = sql.Table(
|
||||||
|
'project',
|
||||||
|
meta2,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column('description', sql.Text()),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True),
|
||||||
|
sql.Column('domain_id', sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False))
|
||||||
|
project_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
# Finally copy in the data from our temp table and then clean
|
||||||
|
# up by deleting our temp table
|
||||||
|
for project in session.query(temp_project_table):
|
||||||
|
session.execute("insert into project (id, name, extra, "
|
||||||
|
"description, enabled, domain_id) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":description, :enabled, :domain_id);",
|
||||||
|
{'id': project.id,
|
||||||
|
'name': project.name,
|
||||||
|
'extra': project.extra,
|
||||||
|
'description': project.description,
|
||||||
|
'enabled': project.enabled,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID})
|
||||||
|
_enable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute("drop table temp_project;")
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade_user_table_with_copy(meta, migrate_engine, session):
|
||||||
|
# For engines that don't support dropping columns, we need to do this
|
||||||
|
# as a table copy. Further, in order to keep foreign key constraints
|
||||||
|
# pointing at the right table, we need to be able and do a table
|
||||||
|
# DROP then CREATE, rather than ALTERing the name of the table.
|
||||||
|
|
||||||
|
# Fist make a copy of the user table
|
||||||
|
temp_user_table = sql.Table(
|
||||||
|
'temp_user',
|
||||||
|
meta,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
# Temporary table, so no need to make it a foreign key
|
||||||
|
sql.Column('domain_id', sql.String(64), nullable=False),
|
||||||
|
sql.Column("password", sql.String(128)),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True),
|
||||||
|
sql.Column('extra', sql.Text()))
|
||||||
|
temp_user_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
user_table = sql.Table('user', meta, autoload=True)
|
||||||
|
for user in session.query(user_table):
|
||||||
|
session.execute("insert into temp_user (id, name, domain_id, "
|
||||||
|
"password, enabled, extra) "
|
||||||
|
"values ( :id, :name, :domain_id, "
|
||||||
|
":password, :enabled, :extra);",
|
||||||
|
{'id': user.id,
|
||||||
|
'name': user.name,
|
||||||
|
'domain_id': user.domain_id,
|
||||||
|
'password': user.password,
|
||||||
|
'enabled': user.enabled,
|
||||||
|
'extra': user.extra})
|
||||||
|
|
||||||
|
# Now switch off constraints while we drop and then re-create the
|
||||||
|
# user table, less the columns we wanted to drop
|
||||||
|
_disable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute("drop table user;")
|
||||||
|
# Need to create a new metadata stream since we are going to load a
|
||||||
|
# different version of the user table
|
||||||
|
meta2 = sql.MetaData()
|
||||||
|
meta2.bind = migrate_engine
|
||||||
|
user_table = sql.Table(
|
||||||
|
'user',
|
||||||
|
meta2,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column("password", sql.String(128)),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True))
|
||||||
|
user_table.create(migrate_engine, checkfirst=True)
|
||||||
|
_enable_foreign_constraints(session, migrate_engine)
|
||||||
|
|
||||||
|
# Finally copy in the data from our temp table and then clean
|
||||||
|
# up by deleting our temp table
|
||||||
|
for user in session.query(temp_user_table):
|
||||||
|
session.execute("insert into user (id, name, extra, "
|
||||||
|
"password, enabled) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":password, :enabled);",
|
||||||
|
{'id': user.id,
|
||||||
|
'name': user.name,
|
||||||
|
'extra': user.extra,
|
||||||
|
'password': user.password,
|
||||||
|
'enabled': user.enabled})
|
||||||
|
session.execute("drop table temp_user;")
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade_project_table_with_copy(meta, migrate_engine, session):
|
||||||
|
# For engines that don't support dropping columns, we need to do this
|
||||||
|
# as a table copy. Further, in order to keep foreign key constraints
|
||||||
|
# pointing at the right table, we need to be able and do a table
|
||||||
|
# DROP then CREATE, rather than ALTERing the name of the table.
|
||||||
|
|
||||||
|
# Fist make a copy of the project table
|
||||||
|
temp_project_table = sql.Table(
|
||||||
|
'temp_project',
|
||||||
|
meta,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
# Temporary table, so no need to make it a foreign key
|
||||||
|
sql.Column('domain_id', sql.String(64), nullable=False),
|
||||||
|
sql.Column('description', sql.Text()),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True),
|
||||||
|
sql.Column('extra', sql.Text()))
|
||||||
|
temp_project_table.create(migrate_engine, checkfirst=True)
|
||||||
|
|
||||||
|
project_table = sql.Table('project', meta, autoload=True)
|
||||||
|
for project in session.query(project_table):
|
||||||
|
session.execute("insert into temp_project (id, name, domain_id, "
|
||||||
|
"description, enabled, extra) "
|
||||||
|
"values ( :id, :name, :domain_id, "
|
||||||
|
":description, :enabled, :extra);",
|
||||||
|
{'id': project.id,
|
||||||
|
'name': project.name,
|
||||||
|
'domain_id': project.domain_id,
|
||||||
|
'description': project.description,
|
||||||
|
'enabled': project.enabled,
|
||||||
|
'extra': project.extra})
|
||||||
|
|
||||||
|
# Now switch off constraints while we drop and then re-create the
|
||||||
|
# project table, less the columns we wanted to drop
|
||||||
|
_disable_foreign_constraints(session, migrate_engine)
|
||||||
|
session.execute("drop table project;")
|
||||||
|
# Need to create a new metadata stream since we are going to load a
|
||||||
|
# different version of the project table
|
||||||
|
meta2 = sql.MetaData()
|
||||||
|
meta2.bind = migrate_engine
|
||||||
|
project_table = sql.Table(
|
||||||
|
'project',
|
||||||
|
meta2,
|
||||||
|
sql.Column('id', sql.String(64), primary_key=True),
|
||||||
|
sql.Column('name', sql.String(64), unique=True, nullable=False),
|
||||||
|
sql.Column('extra', sql.Text()),
|
||||||
|
sql.Column("description", sql.Text()),
|
||||||
|
sql.Column("enabled", sql.Boolean, default=True))
|
||||||
|
project_table.create(migrate_engine, checkfirst=True)
|
||||||
|
_enable_foreign_constraints(session, migrate_engine)
|
||||||
|
|
||||||
|
# Finally copy in the data from our temp table and then clean
|
||||||
|
# up by deleting our temp table
|
||||||
|
for project in session.query(temp_project_table):
|
||||||
|
session.execute("insert into project (id, name, extra, "
|
||||||
|
"description, enabled) "
|
||||||
|
"values ( :id, :name, :extra, "
|
||||||
|
":description, :enabled);",
|
||||||
|
{'id': project.id,
|
||||||
|
'name': project.name,
|
||||||
|
'extra': project.extra,
|
||||||
|
'description': project.description,
|
||||||
|
'enabled': project.enabled})
|
||||||
|
session.execute("drop table temp_project;")
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade_user_table_with_col_create(meta, migrate_engine, session):
|
||||||
|
# Create the domain_id column. We want this to be not nullable
|
||||||
|
# but also a foreign key. We can't create this right off the
|
||||||
|
# bat since any existing rows would cause an Integrity Error.
|
||||||
|
# We therefore create it nullable, fill the column with the
|
||||||
|
# default data and then set it to non nullable.
|
||||||
|
domain_table = sql.Table('domain', meta, autoload=True)
|
||||||
|
user_table = sql.Table('user', meta, autoload=True)
|
||||||
|
user_table.create_column(
|
||||||
|
sql.Column('domain_id', sql.String(64),
|
||||||
|
sql.ForeignKey('domain.id'), nullable=True))
|
||||||
|
for user in session.query(user_table).all():
|
||||||
|
values = {'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
|
update = user_table.update().\
|
||||||
|
where(user_table.c.id == user.id).\
|
||||||
|
values(values)
|
||||||
|
migrate_engine.execute(update)
|
||||||
|
# Need to commit this or setting nullable to False will fail
|
||||||
|
session.commit()
|
||||||
|
user_table.columns.domain_id.alter(nullable=False)
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade_project_table_with_col_create(meta, migrate_engine, session):
|
||||||
|
# Create the domain_id column. We want this to be not nullable
|
||||||
|
# but also a foreign key. We can't create this right off the
|
||||||
|
# bat since any existing rows would cause an Integrity Error.
|
||||||
|
# We therefore create it nullable, fill the column with the
|
||||||
|
# default data and then set it to non nullable.
|
||||||
|
domain_table = sql.Table('domain', meta, autoload=True)
|
||||||
|
project_table = sql.Table('project', meta, autoload=True)
|
||||||
|
project_table.create_column(
|
||||||
|
sql.Column('domain_id', sql.String(64),
|
||||||
|
sql.ForeignKey('domain.id'), nullable=True))
|
||||||
|
for project in session.query(project_table).all():
|
||||||
|
values = {'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
|
update = project_table.update().\
|
||||||
|
where(project_table.c.id == project.id).\
|
||||||
|
values(values)
|
||||||
|
migrate_engine.execute(update)
|
||||||
|
# Need to commit this or setting nullable to False will fail
|
||||||
|
session.commit()
|
||||||
|
project_table.columns.domain_id.alter(nullable=False)
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade_user_table_with_col_drop(meta, migrate_engine):
|
||||||
|
domain_table = sql.Table('domain', meta, autoload=True)
|
||||||
|
user_table = sql.Table('user', meta, autoload=True)
|
||||||
|
column = sql.Column('domain_id', sql.String(64),
|
||||||
|
sql.ForeignKey('domain.id'), nullable=False)
|
||||||
|
column.drop(user_table)
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade_project_table_with_col_drop(meta, migrate_engine):
|
||||||
|
domain_table = sql.Table('domain', meta, autoload=True)
|
||||||
|
project_table = sql.Table('project', meta, autoload=True)
|
||||||
|
column = sql.Column('domain_id', sql.String(64),
|
||||||
|
sql.ForeignKey('domain.id'), nullable=False)
|
||||||
|
column.drop(project_table)
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade(migrate_engine):
|
||||||
|
meta = sql.MetaData()
|
||||||
|
meta.bind = migrate_engine
|
||||||
|
session = sessionmaker(bind=migrate_engine)()
|
||||||
|
if migrate_engine.name in ['sqlite', 'mysql']:
|
||||||
|
upgrade_user_table_with_copy(meta, migrate_engine, session)
|
||||||
|
upgrade_project_table_with_copy(meta, migrate_engine, session)
|
||||||
|
else:
|
||||||
|
upgrade_user_table_with_col_create(meta, migrate_engine, session)
|
||||||
|
upgrade_project_table_with_col_create(meta, migrate_engine, session)
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade(migrate_engine):
|
||||||
|
meta = sql.MetaData()
|
||||||
|
meta.bind = migrate_engine
|
||||||
|
session = sessionmaker(bind=migrate_engine)()
|
||||||
|
if migrate_engine.name in ['sqlite', 'mysql']:
|
||||||
|
downgrade_user_table_with_copy(meta, migrate_engine, session)
|
||||||
|
downgrade_project_table_with_copy(meta, migrate_engine, session)
|
||||||
|
else:
|
||||||
|
# MySQL should in theory be able to use this path, but seems to
|
||||||
|
# have problems dropping columns which are foreign keys
|
||||||
|
downgrade_user_table_with_col_drop(meta, migrate_engine)
|
||||||
|
downgrade_project_table_with_col_drop(meta, migrate_engine)
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
@ -18,12 +18,15 @@
|
|||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
|
from keystone import config
|
||||||
from keystone.common import logging
|
from keystone.common import logging
|
||||||
from keystone.contrib.ec2.backends import sql as ec2_sql
|
from keystone.contrib.ec2.backends import sql as ec2_sql
|
||||||
from keystone.identity.backends import sql as identity_sql
|
from keystone.identity.backends import sql as identity_sql
|
||||||
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
def import_auth(data):
|
def import_auth(data):
|
||||||
@ -51,6 +54,7 @@ def _create_projects(api, tenants):
|
|||||||
tenant_dict = {
|
tenant_dict = {
|
||||||
'id': _generate_uuid(),
|
'id': _generate_uuid(),
|
||||||
'name': tenant['id'],
|
'name': tenant['id'],
|
||||||
|
'domain_id': tenant.get('domain_id', DEFAULT_DOMAIN_ID),
|
||||||
'description': tenant['description'],
|
'description': tenant['description'],
|
||||||
'enabled': True,
|
'enabled': True,
|
||||||
}
|
}
|
||||||
@ -66,6 +70,7 @@ def _create_users(api, users):
|
|||||||
user_dict = {
|
user_dict = {
|
||||||
'id': _generate_uuid(),
|
'id': _generate_uuid(),
|
||||||
'name': user['id'],
|
'name': user['id'],
|
||||||
|
'domain_id': user.get('domain_id', DEFAULT_DOMAIN_ID),
|
||||||
'email': '',
|
'email': '',
|
||||||
'password': user['password'],
|
'password': user['password'],
|
||||||
'enabled': True,
|
'enabled': True,
|
||||||
|
@ -256,6 +256,7 @@ register_str('user_name_attribute', group='ldap', default='sn')
|
|||||||
register_str('user_mail_attribute', group='ldap', default='email')
|
register_str('user_mail_attribute', group='ldap', default='email')
|
||||||
register_str('user_pass_attribute', group='ldap', default='userPassword')
|
register_str('user_pass_attribute', group='ldap', default='userPassword')
|
||||||
register_str('user_enabled_attribute', group='ldap', default='enabled')
|
register_str('user_enabled_attribute', group='ldap', default='enabled')
|
||||||
|
register_str('user_domain_id_attribute', group='ldap', default='domain_id')
|
||||||
register_int('user_enabled_mask', group='ldap', default=0)
|
register_int('user_enabled_mask', group='ldap', default=0)
|
||||||
register_str('user_enabled_default', group='ldap', default='True')
|
register_str('user_enabled_default', group='ldap', default='True')
|
||||||
register_list('user_attribute_ignore', group='ldap',
|
register_list('user_attribute_ignore', group='ldap',
|
||||||
@ -272,6 +273,7 @@ register_str('tenant_member_attribute', group='ldap', default='member')
|
|||||||
register_str('tenant_name_attribute', group='ldap', default='ou')
|
register_str('tenant_name_attribute', group='ldap', default='ou')
|
||||||
register_str('tenant_desc_attribute', group='ldap', default='desc')
|
register_str('tenant_desc_attribute', group='ldap', default='desc')
|
||||||
register_str('tenant_enabled_attribute', group='ldap', default='enabled')
|
register_str('tenant_enabled_attribute', group='ldap', default='enabled')
|
||||||
|
register_str('tenant_domain_id_attribute', group='ldap', default='domain_id')
|
||||||
register_list('tenant_attribute_ignore', group='ldap', default='')
|
register_list('tenant_attribute_ignore', group='ldap', default='')
|
||||||
register_bool('tenant_allow_create', group='ldap', default=True)
|
register_bool('tenant_allow_create', group='ldap', default=True)
|
||||||
register_bool('tenant_allow_update', group='ldap', default=True)
|
register_bool('tenant_allow_update', group='ldap', default=True)
|
||||||
@ -295,6 +297,7 @@ register_str('group_id_attribute', group='ldap', default='cn')
|
|||||||
register_str('group_name_attribute', group='ldap', default='ou')
|
register_str('group_name_attribute', group='ldap', default='ou')
|
||||||
register_str('group_member_attribute', group='ldap', default='member')
|
register_str('group_member_attribute', group='ldap', default='member')
|
||||||
register_str('group_desc_attribute', group='ldap', default='desc')
|
register_str('group_desc_attribute', group='ldap', default='desc')
|
||||||
|
register_str('group_domain_id_attribute', group='ldap', default='domain_id')
|
||||||
register_list('group_attribute_ignore', group='ldap', default='')
|
register_list('group_attribute_ignore', group='ldap', default='')
|
||||||
register_bool('group_allow_create', group='ldap', default=True)
|
register_bool('group_allow_create', group='ldap', default=True)
|
||||||
register_bool('group_allow_update', group='ldap', default=True)
|
register_bool('group_allow_update', group='ldap', default=True)
|
||||||
|
@ -67,7 +67,7 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
tenant_keys = filter(lambda x: x.startswith("tenant-"), self.db.keys())
|
tenant_keys = filter(lambda x: x.startswith("tenant-"), self.db.keys())
|
||||||
return [self.db.get(key) for key in tenant_keys]
|
return [self.db.get(key) for key in tenant_keys]
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name):
|
def get_project_by_name(self, tenant_name, domain_id):
|
||||||
try:
|
try:
|
||||||
return self.db.get('tenant_name-%s' % tenant_name)
|
return self.db.get('tenant_name-%s' % tenant_name)
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
@ -85,7 +85,7 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
raise exception.UserNotFound(user_id=user_id)
|
raise exception.UserNotFound(user_id=user_id)
|
||||||
|
|
||||||
def _get_user_by_name(self, user_name):
|
def _get_user_by_name(self, user_name, domain_id):
|
||||||
try:
|
try:
|
||||||
return self.db.get('user_name-%s' % user_name)
|
return self.db.get('user_name-%s' % user_name)
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
@ -94,16 +94,27 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
def get_user(self, user_id):
|
def get_user(self, user_id):
|
||||||
return identity.filter_user(self._get_user(user_id))
|
return identity.filter_user(self._get_user(user_id))
|
||||||
|
|
||||||
def get_user_by_name(self, user_name):
|
def get_user_by_name(self, user_name, domain_id):
|
||||||
return identity.filter_user(self._get_user_by_name(user_name))
|
return identity.filter_user(
|
||||||
|
self._get_user_by_name(user_name, domain_id))
|
||||||
|
|
||||||
def get_metadata(self, user_id=None, tenant_id=None,
|
def get_metadata(self, user_id=None, tenant_id=None,
|
||||||
domain_id=None, group_id=None):
|
domain_id=None, group_id=None):
|
||||||
try:
|
try:
|
||||||
if user_id:
|
if user_id:
|
||||||
return self.db.get('metadata-%s-%s' % (tenant_id, user_id))
|
if tenant_id:
|
||||||
|
return self.db.get('metadata-%s-%s' % (tenant_id,
|
||||||
|
user_id))
|
||||||
|
else:
|
||||||
|
return self.db.get('metadata-%s-%s' % (domain_id,
|
||||||
|
user_id))
|
||||||
else:
|
else:
|
||||||
return self.db.get('metadata-%s-%s' % (tenant_id, group_id))
|
if tenant_id:
|
||||||
|
return self.db.get('metadata-%s-%s' % (tenant_id,
|
||||||
|
group_id))
|
||||||
|
else:
|
||||||
|
return self.db.get('metadata-%s-%s' % (domain_id,
|
||||||
|
group_id))
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
raise exception.MetadataNotFound()
|
raise exception.MetadataNotFound()
|
||||||
|
|
||||||
@ -195,7 +206,7 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
raise exception.Conflict(type='user', details=msg)
|
raise exception.Conflict(type='user', details=msg)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.get_user_by_name(user['name'])
|
self.get_user_by_name(user['name'], user['domain_id'])
|
||||||
except exception.UserNotFound:
|
except exception.UserNotFound:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
@ -294,7 +305,7 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
raise exception.Conflict(type='tenant', details=msg)
|
raise exception.Conflict(type='tenant', details=msg)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.get_project_by_name(tenant['name'])
|
self.get_project_by_name(tenant['name'], tenant['domain_id'])
|
||||||
except exception.ProjectNotFound:
|
except exception.ProjectNotFound:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
@ -338,18 +349,22 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
|
|
||||||
def create_metadata(self, user_id, tenant_id, metadata,
|
def create_metadata(self, user_id, tenant_id, metadata,
|
||||||
domain_id=None, group_id=None):
|
domain_id=None, group_id=None):
|
||||||
if user_id:
|
|
||||||
self.db.set('metadata-%s-%s' % (tenant_id, user_id), metadata)
|
return self.update_metadata(user_id, tenant_id, metadata,
|
||||||
else:
|
domain_id, group_id)
|
||||||
self.db.set('metadata-%s-%s' % (tenant_id, group_id), metadata)
|
|
||||||
return metadata
|
|
||||||
|
|
||||||
def update_metadata(self, user_id, tenant_id, metadata,
|
def update_metadata(self, user_id, tenant_id, metadata,
|
||||||
domain_id=None, group_id=None):
|
domain_id=None, group_id=None):
|
||||||
if user_id:
|
if user_id:
|
||||||
self.db.set('metadata-%s-%s' % (tenant_id, user_id), metadata)
|
if tenant_id:
|
||||||
|
self.db.set('metadata-%s-%s' % (tenant_id, user_id), metadata)
|
||||||
|
else:
|
||||||
|
self.db.set('metadata-%s-%s' % (domain_id, user_id), metadata)
|
||||||
else:
|
else:
|
||||||
self.db.set('metadata-%s-%s' % (tenant_id, group_id), metadata)
|
if tenant_id:
|
||||||
|
self.db.set('metadata-%s-%s' % (tenant_id, group_id), metadata)
|
||||||
|
else:
|
||||||
|
self.db.set('metadata-%s-%s' % (domain_id, group_id), metadata)
|
||||||
return metadata
|
return metadata
|
||||||
|
|
||||||
def create_role(self, role_id, role):
|
def create_role(self, role_id, role):
|
||||||
@ -500,7 +515,24 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
# domain crud
|
# domain crud
|
||||||
|
|
||||||
def create_domain(self, domain_id, domain):
|
def create_domain(self, domain_id, domain):
|
||||||
|
try:
|
||||||
|
self.get_domain(domain_id)
|
||||||
|
except exception.DomainNotFound:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
msg = 'Duplicate ID, %s.' % domain_id
|
||||||
|
raise exception.Conflict(type='domain', details=msg)
|
||||||
|
|
||||||
|
try:
|
||||||
|
self.get_domain_by_name(domain['name'])
|
||||||
|
except exception.DomainNotFound:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
msg = 'Duplicate name, %s.' % domain['name']
|
||||||
|
raise exception.Conflict(type='domain', details=msg)
|
||||||
|
|
||||||
self.db.set('domain-%s' % domain_id, domain)
|
self.db.set('domain-%s' % domain_id, domain)
|
||||||
|
self.db.set('domain_name-%s' % domain['name'], domain)
|
||||||
domain_list = set(self.db.get('domain_list', []))
|
domain_list = set(self.db.get('domain_list', []))
|
||||||
domain_list.add(domain_id)
|
domain_list.add(domain_id)
|
||||||
self.db.set('domain_list', list(domain_list))
|
self.db.set('domain_list', list(domain_list))
|
||||||
@ -510,14 +542,30 @@ class Identity(kvs.Base, identity.Driver):
|
|||||||
return self.db.get('domain_list', [])
|
return self.db.get('domain_list', [])
|
||||||
|
|
||||||
def get_domain(self, domain_id):
|
def get_domain(self, domain_id):
|
||||||
return self.db.get('domain-%s' % domain_id)
|
try:
|
||||||
|
return self.db.get('domain-%s' % domain_id)
|
||||||
|
except exception.NotFound:
|
||||||
|
raise exception.DomainNotFound(domain_id=domain_id)
|
||||||
|
|
||||||
|
def get_domain_by_name(self, domain_name):
|
||||||
|
try:
|
||||||
|
return self.db.get('domain_name-%s' % domain_name)
|
||||||
|
except exception.NotFound:
|
||||||
|
raise exception.DomainNotFound(domain_id=domain_name)
|
||||||
|
|
||||||
def update_domain(self, domain_id, domain):
|
def update_domain(self, domain_id, domain):
|
||||||
|
orig_domain = self.get_domain(domain_id)
|
||||||
|
domain['id'] = domain_id
|
||||||
self.db.set('domain-%s' % domain_id, domain)
|
self.db.set('domain-%s' % domain_id, domain)
|
||||||
|
self.db.set('domain_name-%s' % domain['name'], domain)
|
||||||
|
if domain['name'] != orig_domain['name']:
|
||||||
|
self.db.delete('domain_name-%s' % orig_domain['name'])
|
||||||
return domain
|
return domain
|
||||||
|
|
||||||
def delete_domain(self, domain_id):
|
def delete_domain(self, domain_id):
|
||||||
|
domain = self.get_domain(domain_id)
|
||||||
self.db.delete('domain-%s' % domain_id)
|
self.db.delete('domain-%s' % domain_id)
|
||||||
|
self.db.delete('domain_name-%s' % domain['name'])
|
||||||
domain_list = set(self.db.get('domain_list', []))
|
domain_list = set(self.db.get('domain_list', []))
|
||||||
domain_list.remove(domain_id)
|
domain_list.remove(domain_id)
|
||||||
self.db.set('domain_list', list(domain_list))
|
self.db.set('domain_list', list(domain_list))
|
||||||
|
@ -106,7 +106,9 @@ class Identity(identity.Driver):
|
|||||||
def get_projects(self):
|
def get_projects(self):
|
||||||
return self.project.get_all()
|
return self.project.get_all()
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name):
|
def get_project_by_name(self, tenant_name, domain_id):
|
||||||
|
# TODO(henry-nash): Use domain_id once domains are implemented
|
||||||
|
# in LDAP backend
|
||||||
try:
|
try:
|
||||||
return self.project.get_by_name(tenant_name)
|
return self.project.get_by_name(tenant_name)
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
@ -124,7 +126,9 @@ class Identity(identity.Driver):
|
|||||||
def list_users(self):
|
def list_users(self):
|
||||||
return self.user.get_all()
|
return self.user.get_all()
|
||||||
|
|
||||||
def get_user_by_name(self, user_name):
|
def get_user_by_name(self, user_name, domain_id):
|
||||||
|
# TODO(henry-nash): Use domain_id once domains are implemented
|
||||||
|
# in LDAP backend
|
||||||
try:
|
try:
|
||||||
return identity.filter_user(self.user.get_by_name(user_name))
|
return identity.filter_user(self.user.get_by_name(user_name))
|
||||||
except exception.NotFound:
|
except exception.NotFound:
|
||||||
@ -353,7 +357,8 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
attribute_mapping = {'password': 'userPassword',
|
attribute_mapping = {'password': 'userPassword',
|
||||||
'email': 'mail',
|
'email': 'mail',
|
||||||
'name': 'sn',
|
'name': 'sn',
|
||||||
'enabled': 'enabled'}
|
'enabled': 'enabled',
|
||||||
|
'domain_id': 'domain_id'}
|
||||||
|
|
||||||
model = models.User
|
model = models.User
|
||||||
|
|
||||||
@ -363,6 +368,8 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
self.attribute_mapping['email'] = conf.ldap.user_mail_attribute
|
self.attribute_mapping['email'] = conf.ldap.user_mail_attribute
|
||||||
self.attribute_mapping['password'] = conf.ldap.user_pass_attribute
|
self.attribute_mapping['password'] = conf.ldap.user_pass_attribute
|
||||||
self.attribute_mapping['enabled'] = conf.ldap.user_enabled_attribute
|
self.attribute_mapping['enabled'] = conf.ldap.user_enabled_attribute
|
||||||
|
self.attribute_mapping['domain_id'] = (
|
||||||
|
conf.ldap.user_domain_id_attribute)
|
||||||
self.enabled_mask = conf.ldap.user_enabled_mask
|
self.enabled_mask = conf.ldap.user_enabled_mask
|
||||||
self.enabled_default = conf.ldap.user_enabled_default
|
self.enabled_default = conf.ldap.user_enabled_default
|
||||||
self.attribute_ignore = (getattr(conf.ldap, 'user_attribute_ignore')
|
self.attribute_ignore = (getattr(conf.ldap, 'user_attribute_ignore')
|
||||||
@ -510,7 +517,8 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
attribute_mapping = {'name': 'ou',
|
attribute_mapping = {'name': 'ou',
|
||||||
'description': 'desc',
|
'description': 'desc',
|
||||||
'tenantId': 'cn',
|
'tenantId': 'cn',
|
||||||
'enabled': 'enabled'}
|
'enabled': 'enabled',
|
||||||
|
'domain_id': 'domain_id'}
|
||||||
model = models.Project
|
model = models.Project
|
||||||
|
|
||||||
def __init__(self, conf):
|
def __init__(self, conf):
|
||||||
@ -519,6 +527,8 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
self.attribute_mapping['name'] = conf.ldap.tenant_name_attribute
|
self.attribute_mapping['name'] = conf.ldap.tenant_name_attribute
|
||||||
self.attribute_mapping['description'] = conf.ldap.tenant_desc_attribute
|
self.attribute_mapping['description'] = conf.ldap.tenant_desc_attribute
|
||||||
self.attribute_mapping['enabled'] = conf.ldap.tenant_enabled_attribute
|
self.attribute_mapping['enabled'] = conf.ldap.tenant_enabled_attribute
|
||||||
|
self.attribute_mapping['domain_id'] = (
|
||||||
|
conf.ldap.tenant_domain_id_attribute)
|
||||||
self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
|
self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
|
||||||
or self.DEFAULT_MEMBER_ATTRIBUTE)
|
or self.DEFAULT_MEMBER_ATTRIBUTE)
|
||||||
self.attribute_ignore = (getattr(conf.ldap, 'tenant_attribute_ignore')
|
self.attribute_ignore = (getattr(conf.ldap, 'tenant_attribute_ignore')
|
||||||
@ -1070,7 +1080,8 @@ class GroupApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
options_name = 'group'
|
options_name = 'group'
|
||||||
attribute_mapping = {'name': 'ou',
|
attribute_mapping = {'name': 'ou',
|
||||||
'description': 'desc',
|
'description': 'desc',
|
||||||
'groupId': 'cn'}
|
'groupId': 'cn',
|
||||||
|
'domain_id': 'domain_id'}
|
||||||
model = models.Group
|
model = models.Group
|
||||||
|
|
||||||
def __init__(self, conf):
|
def __init__(self, conf):
|
||||||
@ -1078,6 +1089,8 @@ class GroupApi(common_ldap.BaseLdap, ApiShimMixin):
|
|||||||
self.api = ApiShim(conf)
|
self.api = ApiShim(conf)
|
||||||
self.attribute_mapping['name'] = conf.ldap.group_name_attribute
|
self.attribute_mapping['name'] = conf.ldap.group_name_attribute
|
||||||
self.attribute_mapping['description'] = conf.ldap.group_desc_attribute
|
self.attribute_mapping['description'] = conf.ldap.group_desc_attribute
|
||||||
|
self.attribute_mapping['domain_id'] = (
|
||||||
|
conf.ldap.group_domain_id_attribute)
|
||||||
self.member_attribute = (getattr(conf.ldap, 'group_member_attribute')
|
self.member_attribute = (getattr(conf.ldap, 'group_member_attribute')
|
||||||
or self.DEFAULT_MEMBER_ATTRIBUTE)
|
or self.DEFAULT_MEMBER_ATTRIBUTE)
|
||||||
self.attribute_ignore = (getattr(conf.ldap, 'group_attribute_ignore')
|
self.attribute_ignore = (getattr(conf.ldap, 'group_attribute_ignore')
|
||||||
|
@ -74,13 +74,17 @@ class PamIdentity(identity.Driver):
|
|||||||
def get_project(self, tenant_id):
|
def get_project(self, tenant_id):
|
||||||
return {'id': tenant_id, 'name': tenant_id}
|
return {'id': tenant_id, 'name': tenant_id}
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name):
|
def get_project_by_name(self, tenant_name, domain_id):
|
||||||
|
# TODO(henry-nash): Used domain_id once domains are implemented
|
||||||
|
# in LDAP backend
|
||||||
return {'id': tenant_name, 'name': tenant_name}
|
return {'id': tenant_name, 'name': tenant_name}
|
||||||
|
|
||||||
def get_user(self, user_id):
|
def get_user(self, user_id):
|
||||||
return {'id': user_id, 'name': user_id}
|
return {'id': user_id, 'name': user_id}
|
||||||
|
|
||||||
def get_user_by_name(self, user_name):
|
def get_user_by_name(self, user_name, domain_id):
|
||||||
|
# TODO(henry-nash): Used domain_id once domains are implemented
|
||||||
|
# in LDAP backend
|
||||||
return {'id': user_name, 'name': user_name}
|
return {'id': user_name, 'name': user_name}
|
||||||
|
|
||||||
def get_role(self, role_id):
|
def get_role(self, role_id):
|
||||||
|
@ -39,9 +39,11 @@ def handle_conflicts(type='object'):
|
|||||||
|
|
||||||
class User(sql.ModelBase, sql.DictBase):
|
class User(sql.ModelBase, sql.DictBase):
|
||||||
__tablename__ = 'user'
|
__tablename__ = 'user'
|
||||||
attributes = ['id', 'name', 'password', 'enabled']
|
attributes = ['id', 'name', 'domain_id', 'password', 'enabled']
|
||||||
id = sql.Column(sql.String(64), primary_key=True)
|
id = sql.Column(sql.String(64), primary_key=True)
|
||||||
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
||||||
|
domain_id = sql.Column(sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False)
|
||||||
password = sql.Column(sql.String(128))
|
password = sql.Column(sql.String(128))
|
||||||
enabled = sql.Column(sql.Boolean)
|
enabled = sql.Column(sql.Boolean)
|
||||||
extra = sql.Column(sql.JsonBlob())
|
extra = sql.Column(sql.JsonBlob())
|
||||||
@ -52,7 +54,8 @@ class Group(sql.ModelBase, sql.DictBase):
|
|||||||
attributes = ['id', 'name', 'domain_id']
|
attributes = ['id', 'name', 'domain_id']
|
||||||
id = sql.Column(sql.String(64), primary_key=True)
|
id = sql.Column(sql.String(64), primary_key=True)
|
||||||
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
||||||
domain_id = sql.Column(sql.String(64), sql.ForeignKey('domain.id'))
|
domain_id = sql.Column(sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False)
|
||||||
description = sql.Column(sql.Text())
|
description = sql.Column(sql.Text())
|
||||||
extra = sql.Column(sql.JsonBlob())
|
extra = sql.Column(sql.JsonBlob())
|
||||||
|
|
||||||
@ -82,9 +85,11 @@ class Domain(sql.ModelBase, sql.DictBase):
|
|||||||
# TODO(dolph): rename to Project
|
# TODO(dolph): rename to Project
|
||||||
class Project(sql.ModelBase, sql.DictBase):
|
class Project(sql.ModelBase, sql.DictBase):
|
||||||
__tablename__ = 'project'
|
__tablename__ = 'project'
|
||||||
attributes = ['id', 'name']
|
attributes = ['id', 'name', 'domain_id']
|
||||||
id = sql.Column(sql.String(64), primary_key=True)
|
id = sql.Column(sql.String(64), primary_key=True)
|
||||||
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
name = sql.Column(sql.String(64), unique=True, nullable=False)
|
||||||
|
domain_id = sql.Column(sql.String(64), sql.ForeignKey('domain.id'),
|
||||||
|
nullable=False)
|
||||||
description = sql.Column(sql.Text())
|
description = sql.Column(sql.Text())
|
||||||
enabled = sql.Column(sql.Boolean)
|
enabled = sql.Column(sql.Boolean)
|
||||||
extra = sql.Column(sql.JsonBlob())
|
extra = sql.Column(sql.JsonBlob())
|
||||||
@ -222,12 +227,16 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
raise exception.ProjectNotFound(project_id=tenant_id)
|
raise exception.ProjectNotFound(project_id=tenant_id)
|
||||||
return tenant_ref.to_dict()
|
return tenant_ref.to_dict()
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name):
|
def get_project_by_name(self, tenant_name, domain_id):
|
||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
tenant_ref = session.query(Project).filter_by(name=tenant_name).first()
|
query = session.query(Project)
|
||||||
if not tenant_ref:
|
query = query.filter_by(name=tenant_name)
|
||||||
|
query = query.filter_by(domain_id=domain_id)
|
||||||
|
try:
|
||||||
|
project_ref = query.one()
|
||||||
|
except sql.NotFound:
|
||||||
raise exception.ProjectNotFound(project_id=tenant_name)
|
raise exception.ProjectNotFound(project_id=tenant_name)
|
||||||
return tenant_ref.to_dict()
|
return project_ref.to_dict()
|
||||||
|
|
||||||
def get_project_users(self, tenant_id):
|
def get_project_users(self, tenant_id):
|
||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
@ -484,7 +493,8 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
|
tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
|
||||||
except sql.NotFound:
|
except sql.NotFound:
|
||||||
raise exception.ProjectNotFound(project_id=tenant_id)
|
raise exception.ProjectNotFound(project_id=tenant_id)
|
||||||
|
# FIXME(henry-nash) Think about how we detect potential name clash
|
||||||
|
# when we move domains
|
||||||
with session.begin():
|
with session.begin():
|
||||||
old_project_dict = tenant_ref.to_dict()
|
old_project_dict = tenant_ref.to_dict()
|
||||||
for k in tenant:
|
for k in tenant:
|
||||||
@ -603,6 +613,14 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
raise exception.DomainNotFound(domain_id=domain_id)
|
raise exception.DomainNotFound(domain_id=domain_id)
|
||||||
return ref.to_dict()
|
return ref.to_dict()
|
||||||
|
|
||||||
|
def get_domain_by_name(self, domain_name):
|
||||||
|
session = self.get_session()
|
||||||
|
try:
|
||||||
|
ref = session.query(Domain).filter_by(name=domain_name).one()
|
||||||
|
except sql.NotFound:
|
||||||
|
raise exception.DomainNotFound(domain_id=domain_name)
|
||||||
|
return ref.to_dict()
|
||||||
|
|
||||||
@handle_conflicts(type='domain')
|
@handle_conflicts(type='domain')
|
||||||
def update_domain(self, domain_id, domain):
|
def update_domain(self, domain_id, domain):
|
||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
@ -674,18 +692,23 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
raise exception.UserNotFound(user_id=user_id)
|
raise exception.UserNotFound(user_id=user_id)
|
||||||
return user_ref.to_dict()
|
return user_ref.to_dict()
|
||||||
|
|
||||||
def _get_user_by_name(self, user_name):
|
def _get_user_by_name(self, user_name, domain_id):
|
||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
user_ref = session.query(User).filter_by(name=user_name).first()
|
query = session.query(User)
|
||||||
if not user_ref:
|
query = query.filter_by(name=user_name)
|
||||||
|
query = query.filter_by(domain_id=domain_id)
|
||||||
|
try:
|
||||||
|
user_ref = query.one()
|
||||||
|
except sql.NotFound:
|
||||||
raise exception.UserNotFound(user_id=user_name)
|
raise exception.UserNotFound(user_id=user_name)
|
||||||
return user_ref.to_dict()
|
return user_ref.to_dict()
|
||||||
|
|
||||||
def get_user(self, user_id):
|
def get_user(self, user_id):
|
||||||
return identity.filter_user(self._get_user(user_id))
|
return identity.filter_user(self._get_user(user_id))
|
||||||
|
|
||||||
def get_user_by_name(self, user_name):
|
def get_user_by_name(self, user_name, domain_id):
|
||||||
return identity.filter_user(self._get_user_by_name(user_name))
|
return identity.filter_user(
|
||||||
|
self._get_user_by_name(user_name, domain_id))
|
||||||
|
|
||||||
@handle_conflicts(type='user')
|
@handle_conflicts(type='user')
|
||||||
def update_user(self, user_id, user):
|
def update_user(self, user_id, user):
|
||||||
@ -694,6 +717,8 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
if 'id' in user and user_id != user['id']:
|
if 'id' in user and user_id != user['id']:
|
||||||
raise exception.ValidationError('Cannot change user ID')
|
raise exception.ValidationError('Cannot change user ID')
|
||||||
|
# FIXME(henry-nash) Think about how we detect potential name clash
|
||||||
|
# when we move domains
|
||||||
with session.begin():
|
with session.begin():
|
||||||
user_ref = session.query(User).filter_by(id=user_id).first()
|
user_ref = session.query(User).filter_by(id=user_id).first()
|
||||||
if user_ref is None:
|
if user_ref is None:
|
||||||
@ -826,6 +851,8 @@ class Identity(sql.Base, identity.Driver):
|
|||||||
@handle_conflicts(type='group')
|
@handle_conflicts(type='group')
|
||||||
def update_group(self, group_id, group):
|
def update_group(self, group_id, group):
|
||||||
session = self.get_session()
|
session = self.get_session()
|
||||||
|
# FIXME(henry-nash) Think about how we detect potential name clash
|
||||||
|
# when we move domains
|
||||||
with session.begin():
|
with session.begin():
|
||||||
ref = session.query(Group).filter_by(id=group_id).first()
|
ref = session.query(Group).filter_by(id=group_id).first()
|
||||||
if ref is None:
|
if ref is None:
|
||||||
|
@ -27,7 +27,7 @@ from keystone import exception
|
|||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
DEFAULT_DOMAIN_ID = CONF['identity']['default_domain_id']
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@ -40,6 +40,8 @@ class Tenant(controller.V2Controller):
|
|||||||
|
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
tenant_refs = self.identity_api.get_projects(context)
|
tenant_refs = self.identity_api.get_projects(context)
|
||||||
|
for tenant_ref in tenant_refs:
|
||||||
|
tenant_ref = self._filter_domain_id(tenant_ref)
|
||||||
params = {
|
params = {
|
||||||
'limit': context['query_string'].get('limit'),
|
'limit': context['query_string'].get('limit'),
|
||||||
'marker': context['query_string'].get('marker'),
|
'marker': context['query_string'].get('marker'),
|
||||||
@ -67,9 +69,9 @@ class Tenant(controller.V2Controller):
|
|||||||
context, user_ref['id'])
|
context, user_ref['id'])
|
||||||
tenant_refs = []
|
tenant_refs = []
|
||||||
for tenant_id in tenant_ids:
|
for tenant_id in tenant_ids:
|
||||||
tenant_refs.append(self.identity_api.get_project(
|
ref = self.identity_api.get_project(
|
||||||
context=context,
|
context=context, tenant_id=tenant_id)
|
||||||
tenant_id=tenant_id))
|
tenant_refs.append(self._filter_domain_id(ref))
|
||||||
params = {
|
params = {
|
||||||
'limit': context['query_string'].get('limit'),
|
'limit': context['query_string'].get('limit'),
|
||||||
'marker': context['query_string'].get('marker'),
|
'marker': context['query_string'].get('marker'),
|
||||||
@ -79,12 +81,14 @@ class Tenant(controller.V2Controller):
|
|||||||
def get_project(self, context, tenant_id):
|
def get_project(self, context, tenant_id):
|
||||||
# TODO(termie): this stuff should probably be moved to middleware
|
# TODO(termie): this stuff should probably be moved to middleware
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'tenant': self.identity_api.get_project(context, tenant_id)}
|
ref = self.identity_api.get_project(context, tenant_id)
|
||||||
|
return {'tenant': self._filter_domain_id(ref)}
|
||||||
|
|
||||||
def get_project_by_name(self, context, tenant_name):
|
def get_project_by_name(self, context, tenant_name):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'tenant': self.identity_api.get_project_by_name(
|
ref = self.identity_api.get_project_by_name(
|
||||||
context, tenant_name)}
|
context, tenant_name, DEFAULT_DOMAIN_ID)
|
||||||
|
return {'tenant': self._filter_domain_id(ref)}
|
||||||
|
|
||||||
# CRUD Extension
|
# CRUD Extension
|
||||||
def create_project(self, context, tenant):
|
def create_project(self, context, tenant):
|
||||||
@ -97,13 +101,18 @@ class Tenant(controller.V2Controller):
|
|||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||||
tenant = self.identity_api.create_project(
|
tenant = self.identity_api.create_project(
|
||||||
context, tenant_ref['id'], tenant_ref)
|
context, tenant_ref['id'],
|
||||||
return {'tenant': tenant}
|
self._normalize_domain_id(context, tenant_ref))
|
||||||
|
return {'tenant': self._filter_domain_id(tenant)}
|
||||||
|
|
||||||
def update_project(self, context, tenant_id, tenant):
|
def update_project(self, context, tenant_id, tenant):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
|
# Remove domain_id if specified - a v2 api caller should not
|
||||||
|
# be specifying that
|
||||||
|
clean_tenant = tenant.copy()
|
||||||
|
clean_tenant.pop('domain_id', None)
|
||||||
tenant_ref = self.identity_api.update_project(
|
tenant_ref = self.identity_api.update_project(
|
||||||
context, tenant_id, tenant)
|
context, tenant_id, clean_tenant)
|
||||||
return {'tenant': tenant_ref}
|
return {'tenant': tenant_ref}
|
||||||
|
|
||||||
def delete_project(self, context, tenant_id):
|
def delete_project(self, context, tenant_id):
|
||||||
@ -113,6 +122,8 @@ class Tenant(controller.V2Controller):
|
|||||||
def get_project_users(self, context, tenant_id, **kw):
|
def get_project_users(self, context, tenant_id, **kw):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
user_refs = self.identity_api.get_project_users(context, tenant_id)
|
user_refs = self.identity_api.get_project_users(context, tenant_id)
|
||||||
|
for user_ref in user_refs:
|
||||||
|
self._filter_domain_id(user_ref)
|
||||||
return {'users': user_refs}
|
return {'users': user_refs}
|
||||||
|
|
||||||
def _format_project_list(self, tenant_refs, **kwargs):
|
def _format_project_list(self, tenant_refs, **kwargs):
|
||||||
@ -153,7 +164,8 @@ class Tenant(controller.V2Controller):
|
|||||||
class User(controller.V2Controller):
|
class User(controller.V2Controller):
|
||||||
def get_user(self, context, user_id):
|
def get_user(self, context, user_id):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'user': self.identity_api.get_user(context, user_id)}
|
ref = self.identity_api.get_user(context, user_id)
|
||||||
|
return {'user': self._filter_domain_id(ref)}
|
||||||
|
|
||||||
def get_users(self, context):
|
def get_users(self, context):
|
||||||
# NOTE(termie): i can't imagine that this really wants all the data
|
# NOTE(termie): i can't imagine that this really wants all the data
|
||||||
@ -163,11 +175,16 @@ class User(controller.V2Controller):
|
|||||||
context, context['query_string'].get('name'))
|
context, context['query_string'].get('name'))
|
||||||
|
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'users': self.identity_api.list_users(context)}
|
user_list = self.identity_api.list_users(context)
|
||||||
|
for x in user_list:
|
||||||
|
self._filter_domain_id(x)
|
||||||
|
return {'users': user_list}
|
||||||
|
|
||||||
def get_user_by_name(self, context, user_name):
|
def get_user_by_name(self, context, user_name):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
return {'user': self.identity_api.get_user_by_name(context, user_name)}
|
ref = self.identity_api.get_user_by_name(
|
||||||
|
context, user_name, DEFAULT_DOMAIN_ID)
|
||||||
|
return {'user': self._filter_domain_id(ref)}
|
||||||
|
|
||||||
# CRUD extension
|
# CRUD extension
|
||||||
def create_user(self, context, user):
|
def create_user(self, context, user):
|
||||||
@ -178,18 +195,20 @@ class User(controller.V2Controller):
|
|||||||
msg = 'Name field is required and cannot be empty'
|
msg = 'Name field is required and cannot be empty'
|
||||||
raise exception.ValidationError(message=msg)
|
raise exception.ValidationError(message=msg)
|
||||||
|
|
||||||
tenant_id = user.get('tenantId', None)
|
default_tenant_id = user.get('tenantId', None)
|
||||||
if (tenant_id is not None
|
if (default_tenant_id is not None
|
||||||
and self.identity_api.get_project(context, tenant_id) is None):
|
and self.identity_api.get_project(context,
|
||||||
raise exception.ProjectNotFound(project_id=tenant_id)
|
default_tenant_id) is None):
|
||||||
|
raise exception.ProjectNotFound(project_id=default_tenant_id)
|
||||||
user_id = uuid.uuid4().hex
|
user_id = uuid.uuid4().hex
|
||||||
user_ref = user.copy()
|
user_ref = self._normalize_domain_id(context, user.copy())
|
||||||
user_ref['id'] = user_id
|
user_ref['id'] = user_id
|
||||||
new_user_ref = self.identity_api.create_user(
|
new_user_ref = self.identity_api.create_user(
|
||||||
context, user_id, user_ref)
|
context, user_id, user_ref)
|
||||||
if tenant_id:
|
if default_tenant_id:
|
||||||
self.identity_api.add_user_to_project(context, tenant_id, user_id)
|
self.identity_api.add_user_to_project(context,
|
||||||
return {'user': new_user_ref}
|
default_tenant_id, user_id)
|
||||||
|
return {'user': self._filter_domain_id(new_user_ref)}
|
||||||
|
|
||||||
def update_user(self, context, user_id, user):
|
def update_user(self, context, user_id, user):
|
||||||
# NOTE(termie): this is really more of a patch than a put
|
# NOTE(termie): this is really more of a patch than a put
|
||||||
@ -206,7 +225,7 @@ class User(controller.V2Controller):
|
|||||||
# backends that can't list tokens for users
|
# backends that can't list tokens for users
|
||||||
LOG.warning('User %s status has changed, but existing tokens '
|
LOG.warning('User %s status has changed, but existing tokens '
|
||||||
'remain valid' % user_id)
|
'remain valid' % user_id)
|
||||||
return {'user': user_ref}
|
return {'user': self._filter_domain_id(user_ref)}
|
||||||
|
|
||||||
def delete_user(self, context, user_id):
|
def delete_user(self, context, user_id):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
@ -222,8 +241,9 @@ class User(controller.V2Controller):
|
|||||||
"""Update the default tenant."""
|
"""Update the default tenant."""
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
# ensure that we're a member of that tenant
|
# ensure that we're a member of that tenant
|
||||||
tenant_id = user.get('tenantId')
|
default_tenant_id = user.get('tenantId')
|
||||||
self.identity_api.add_user_to_project(context, tenant_id, user_id)
|
self.identity_api.add_user_to_project(context,
|
||||||
|
default_tenant_id, user_id)
|
||||||
return self.update_user(context, user_id, user)
|
return self.update_user(context, user_id, user)
|
||||||
|
|
||||||
|
|
||||||
@ -403,6 +423,7 @@ class DomainV3(controller.V3Controller):
|
|||||||
@controller.protected
|
@controller.protected
|
||||||
def list_domains(self, context):
|
def list_domains(self, context):
|
||||||
refs = self.identity_api.list_domains(context)
|
refs = self.identity_api.list_domains(context)
|
||||||
|
refs = self._filter_by_attribute(context, refs, 'name')
|
||||||
return DomainV3.wrap_collection(context, refs)
|
return DomainV3.wrap_collection(context, refs)
|
||||||
|
|
||||||
@controller.protected
|
@controller.protected
|
||||||
@ -456,6 +477,17 @@ class DomainV3(controller.V3Controller):
|
|||||||
|
|
||||||
return self.identity_api.delete_domain(context, domain_id)
|
return self.identity_api.delete_domain(context, domain_id)
|
||||||
|
|
||||||
|
def _get_domain_by_name(self, context, domain_name):
|
||||||
|
"""Get the domain via its unique name.
|
||||||
|
|
||||||
|
For use by token authentication - not for hooking to the identity
|
||||||
|
router as a public api.
|
||||||
|
|
||||||
|
"""
|
||||||
|
ref = self.identity_api.get_domain_by_name(
|
||||||
|
context, domain_name)
|
||||||
|
return {'domain': ref}
|
||||||
|
|
||||||
|
|
||||||
class ProjectV3(controller.V3Controller):
|
class ProjectV3(controller.V3Controller):
|
||||||
collection_name = 'projects'
|
collection_name = 'projects'
|
||||||
@ -464,6 +496,7 @@ class ProjectV3(controller.V3Controller):
|
|||||||
@controller.protected
|
@controller.protected
|
||||||
def create_project(self, context, project):
|
def create_project(self, context, project):
|
||||||
ref = self._assign_unique_id(self._normalize_dict(project))
|
ref = self._assign_unique_id(self._normalize_dict(project))
|
||||||
|
ref = self._normalize_domain_id(context, ref)
|
||||||
ref = self.identity_api.create_project(context, ref['id'], ref)
|
ref = self.identity_api.create_project(context, ref['id'], ref)
|
||||||
return ProjectV3.wrap_member(context, ref)
|
return ProjectV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@ -501,6 +534,7 @@ class UserV3(controller.V3Controller):
|
|||||||
@controller.protected
|
@controller.protected
|
||||||
def create_user(self, context, user):
|
def create_user(self, context, user):
|
||||||
ref = self._assign_unique_id(self._normalize_dict(user))
|
ref = self._assign_unique_id(self._normalize_dict(user))
|
||||||
|
ref = self._normalize_domain_id(context, ref)
|
||||||
ref = self.identity_api.create_user(context, ref['id'], ref)
|
ref = self.identity_api.create_user(context, ref['id'], ref)
|
||||||
return UserV3.wrap_member(context, ref)
|
return UserV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@ -560,6 +594,7 @@ class GroupV3(controller.V3Controller):
|
|||||||
@controller.protected
|
@controller.protected
|
||||||
def create_group(self, context, group):
|
def create_group(self, context, group):
|
||||||
ref = self._assign_unique_id(self._normalize_dict(group))
|
ref = self._assign_unique_id(self._normalize_dict(group))
|
||||||
|
ref = self._normalize_domain_id(context, ref)
|
||||||
ref = self.identity_api.create_group(context, ref['id'], ref)
|
ref = self.identity_api.create_group(context, ref['id'], ref)
|
||||||
return GroupV3.wrap_member(context, ref)
|
return GroupV3.wrap_member(context, ref)
|
||||||
|
|
||||||
|
@ -29,7 +29,9 @@ LOG = logging.getLogger(__name__)
|
|||||||
|
|
||||||
|
|
||||||
def filter_user(user_ref):
|
def filter_user(user_ref):
|
||||||
"""Filter out private items in a user dict ('password' and 'tenants')
|
"""Filter out private items in a user dict.
|
||||||
|
|
||||||
|
'password', 'tenants' and 'groups' are never returned.
|
||||||
|
|
||||||
:returns: user_ref
|
:returns: user_ref
|
||||||
|
|
||||||
@ -81,7 +83,7 @@ class Driver(object):
|
|||||||
"""
|
"""
|
||||||
raise exception.NotImplemented()
|
raise exception.NotImplemented()
|
||||||
|
|
||||||
def get_project_by_name(self, tenant_name):
|
def get_project_by_name(self, tenant_name, domain_id):
|
||||||
"""Get a tenant by name.
|
"""Get a tenant by name.
|
||||||
|
|
||||||
:returns: tenant_ref
|
:returns: tenant_ref
|
||||||
@ -90,7 +92,7 @@ class Driver(object):
|
|||||||
"""
|
"""
|
||||||
raise exception.NotImplemented()
|
raise exception.NotImplemented()
|
||||||
|
|
||||||
def get_user_by_name(self, user_name):
|
def get_user_by_name(self, user_name, domain_id):
|
||||||
"""Get a user by name.
|
"""Get a user by name.
|
||||||
|
|
||||||
:returns: user_ref
|
:returns: user_ref
|
||||||
@ -252,7 +254,16 @@ class Driver(object):
|
|||||||
def get_domain(self, domain_id):
|
def get_domain(self, domain_id):
|
||||||
"""Get a domain by ID.
|
"""Get a domain by ID.
|
||||||
|
|
||||||
:returns: user_ref
|
:returns: domain_ref
|
||||||
|
:raises: keystone.exception.DomainNotFound
|
||||||
|
|
||||||
|
"""
|
||||||
|
raise exception.NotImplemented()
|
||||||
|
|
||||||
|
def get_domain_by_name(self, domain_name):
|
||||||
|
"""Get a domain by name.
|
||||||
|
|
||||||
|
:returns: domain_ref
|
||||||
:raises: keystone.exception.DomainNotFound
|
:raises: keystone.exception.DomainNotFound
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
@ -13,6 +13,7 @@ from keystone.token import core
|
|||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
class ExternalAuthNotApplicable(Exception):
|
class ExternalAuthNotApplicable(Exception):
|
||||||
@ -64,19 +65,26 @@ class Auth(controller.V2Controller):
|
|||||||
|
|
||||||
if "token" in auth:
|
if "token" in auth:
|
||||||
# Try to authenticate using a token
|
# Try to authenticate using a token
|
||||||
auth_token_data, auth_info = self._authenticate_token(
|
auth_info = self._authenticate_token(
|
||||||
context, auth)
|
context, auth)
|
||||||
else:
|
else:
|
||||||
# Try external authentication
|
# Try external authentication
|
||||||
try:
|
try:
|
||||||
auth_token_data, auth_info = self._authenticate_external(
|
auth_info = self._authenticate_external(
|
||||||
context, auth)
|
context, auth)
|
||||||
except ExternalAuthNotApplicable:
|
except ExternalAuthNotApplicable:
|
||||||
# Try local authentication
|
# Try local authentication
|
||||||
auth_token_data, auth_info = self._authenticate_local(
|
auth_info = self._authenticate_local(
|
||||||
context, auth)
|
context, auth)
|
||||||
|
|
||||||
user_ref, tenant_ref, metadata_ref = auth_info
|
user_ref, tenant_ref, metadata_ref, expiry = auth_info
|
||||||
|
user_ref = self._filter_domain_id(user_ref)
|
||||||
|
if tenant_ref:
|
||||||
|
tenant_ref = self._filter_domain_id(tenant_ref)
|
||||||
|
auth_token_data = self._get_auth_token_data(user_ref,
|
||||||
|
tenant_ref,
|
||||||
|
metadata_ref,
|
||||||
|
expiry)
|
||||||
|
|
||||||
# If the user is disabled don't allow them to authenticate
|
# If the user is disabled don't allow them to authenticate
|
||||||
if not user_ref.get('enabled', True):
|
if not user_ref.get('enabled', True):
|
||||||
@ -202,21 +210,15 @@ class Auth(controller.V2Controller):
|
|||||||
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
||||||
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
||||||
|
|
||||||
|
# TODO (henry-nash) If no tenant was specified, instead check
|
||||||
|
# for a domain and find any related user/group roles
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
self._append_roles(metadata_ref,
|
||||||
self._get_group_metadata_ref(
|
self._get_group_metadata_ref(
|
||||||
context, user_id, tenant_id))
|
context, user_id, tenant_id))
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
|
||||||
self._get_domain_metadata_ref(
|
|
||||||
context, user_id, tenant_id))
|
|
||||||
|
|
||||||
expiry = old_token_ref['expires']
|
expiry = old_token_ref['expires']
|
||||||
auth_token_data = self._get_auth_token_data(current_user_ref,
|
return (current_user_ref, tenant_ref, metadata_ref, expiry)
|
||||||
tenant_ref,
|
|
||||||
metadata_ref,
|
|
||||||
expiry)
|
|
||||||
|
|
||||||
return auth_token_data, (current_user_ref, tenant_ref, metadata_ref)
|
|
||||||
|
|
||||||
def _authenticate_local(self, context, auth):
|
def _authenticate_local(self, context, auth):
|
||||||
"""Try to authenticate against the identity backend.
|
"""Try to authenticate against the identity backend.
|
||||||
@ -256,7 +258,8 @@ class Auth(controller.V2Controller):
|
|||||||
if username:
|
if username:
|
||||||
try:
|
try:
|
||||||
user_ref = self.identity_api.get_user_by_name(
|
user_ref = self.identity_api.get_user_by_name(
|
||||||
context=context, user_name=username)
|
context=context, user_name=username,
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
user_id = user_ref['id']
|
user_id = user_ref['id']
|
||||||
except exception.UserNotFound as e:
|
except exception.UserNotFound as e:
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
@ -273,21 +276,19 @@ class Auth(controller.V2Controller):
|
|||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
(user_ref, tenant_ref, metadata_ref) = auth_info
|
(user_ref, tenant_ref, metadata_ref) = auth_info
|
||||||
|
|
||||||
|
# By now we will have authorized and if a tenant/project was
|
||||||
|
# specified, we will have obtained its metadata. In this case
|
||||||
|
# we just need to add in any group roles.
|
||||||
|
#
|
||||||
|
# TODO (henry-nash) If no tenant was specified, instead check
|
||||||
|
# for a domain and find any related user/group roles
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
self._append_roles(metadata_ref,
|
||||||
self._get_group_metadata_ref(
|
self._get_group_metadata_ref(
|
||||||
context, user_id, tenant_id))
|
context, user_id, tenant_id))
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
|
||||||
self._get_domain_metadata_ref(
|
|
||||||
context, user_id, tenant_id))
|
|
||||||
|
|
||||||
expiry = core.default_expire_time()
|
expiry = core.default_expire_time()
|
||||||
auth_token_data = self._get_auth_token_data(user_ref,
|
return (user_ref, tenant_ref, metadata_ref, expiry)
|
||||||
tenant_ref,
|
|
||||||
metadata_ref,
|
|
||||||
expiry)
|
|
||||||
|
|
||||||
return auth_token_data, (user_ref, tenant_ref, metadata_ref)
|
|
||||||
|
|
||||||
def _authenticate_external(self, context, auth):
|
def _authenticate_external(self, context, auth):
|
||||||
"""Try to authenticate an external user via REMOTE_USER variable.
|
"""Try to authenticate an external user via REMOTE_USER variable.
|
||||||
@ -300,7 +301,8 @@ class Auth(controller.V2Controller):
|
|||||||
username = context['REMOTE_USER']
|
username = context['REMOTE_USER']
|
||||||
try:
|
try:
|
||||||
user_ref = self.identity_api.get_user_by_name(
|
user_ref = self.identity_api.get_user_by_name(
|
||||||
context=context, user_name=username)
|
context=context, user_name=username,
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
user_id = user_ref['id']
|
user_id = user_ref['id']
|
||||||
except exception.UserNotFound as e:
|
except exception.UserNotFound as e:
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
@ -310,21 +312,15 @@ class Auth(controller.V2Controller):
|
|||||||
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
|
||||||
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
|
||||||
|
|
||||||
|
# TODO (henry-nash) If no tenant was specified, instead check
|
||||||
|
# for a domain and find any related user/group roles
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
self._append_roles(metadata_ref,
|
||||||
self._get_group_metadata_ref(
|
self._get_group_metadata_ref(
|
||||||
context, user_id, tenant_id))
|
context, user_id, tenant_id))
|
||||||
|
|
||||||
self._append_roles(metadata_ref,
|
|
||||||
self._get_domain_metadata_ref(
|
|
||||||
context, user_id, tenant_id))
|
|
||||||
|
|
||||||
expiry = core.default_expire_time()
|
expiry = core.default_expire_time()
|
||||||
auth_token_data = self._get_auth_token_data(user_ref,
|
return (user_ref, tenant_ref, metadata_ref, expiry)
|
||||||
tenant_ref,
|
|
||||||
metadata_ref,
|
|
||||||
expiry)
|
|
||||||
|
|
||||||
return auth_token_data, (user_ref, tenant_ref, metadata_ref)
|
|
||||||
|
|
||||||
def _get_auth_token_data(self, user, tenant, metadata, expiry):
|
def _get_auth_token_data(self, user, tenant, metadata, expiry):
|
||||||
return dict(dict(user=user,
|
return dict(dict(user=user,
|
||||||
@ -350,12 +346,32 @@ class Auth(controller.V2Controller):
|
|||||||
if tenant_name:
|
if tenant_name:
|
||||||
try:
|
try:
|
||||||
tenant_ref = self.identity_api.get_project_by_name(
|
tenant_ref = self.identity_api.get_project_by_name(
|
||||||
context=context, tenant_name=tenant_name)
|
context=context, tenant_name=tenant_name,
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
tenant_id = tenant_ref['id']
|
tenant_id = tenant_ref['id']
|
||||||
except exception.ProjectNotFound as e:
|
except exception.ProjectNotFound as e:
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
return tenant_id
|
return tenant_id
|
||||||
|
|
||||||
|
def _get_domain_id_from_auth(self, context, auth):
|
||||||
|
"""Extract domain information from v3 auth dict.
|
||||||
|
|
||||||
|
Returns a valid domain_id if it exists, or None if not specified.
|
||||||
|
"""
|
||||||
|
# FIXME(henry-nash): This is a placeholder that needs to be
|
||||||
|
# only called in the v3 context, and the auth.get calls
|
||||||
|
# converted to the v3 format
|
||||||
|
domain_id = auth.get('domainId', None)
|
||||||
|
domain_name = auth.get('domainName', None)
|
||||||
|
if domain_name:
|
||||||
|
try:
|
||||||
|
domain_ref = self.identity_api._get_domain_by_name(
|
||||||
|
context=context, domain_name=domain_name)
|
||||||
|
domain_id = domain_ref['id']
|
||||||
|
except exception.DomainNotFound as e:
|
||||||
|
raise exception.Unauthorized(e)
|
||||||
|
return domain_id
|
||||||
|
|
||||||
def _get_project_ref(self, context, user_id, tenant_id):
|
def _get_project_ref(self, context, user_id, tenant_id):
|
||||||
"""Returns the tenant_ref for the user's tenant"""
|
"""Returns the tenant_ref for the user's tenant"""
|
||||||
tenant_ref = None
|
tenant_ref = None
|
||||||
@ -375,43 +391,32 @@ class Auth(controller.V2Controller):
|
|||||||
return tenant_ref
|
return tenant_ref
|
||||||
|
|
||||||
def _get_metadata_ref(self, context, user_id=None, tenant_id=None,
|
def _get_metadata_ref(self, context, user_id=None, tenant_id=None,
|
||||||
group_id=None):
|
domain_id=None, group_id=None):
|
||||||
"""Returns the metadata_ref for a user or group in a tenant"""
|
"""Returns metadata_ref for a user or group in a tenant or domain"""
|
||||||
metadata_ref = {}
|
|
||||||
if tenant_id:
|
|
||||||
try:
|
|
||||||
if user_id:
|
|
||||||
metadata_ref = self.identity_api.get_metadata(
|
|
||||||
context=context,
|
|
||||||
user_id=user_id,
|
|
||||||
tenant_id=tenant_id)
|
|
||||||
elif group_id:
|
|
||||||
metadata_ref = self.identity_api.get_metadata(
|
|
||||||
context=context,
|
|
||||||
group_id=group_id,
|
|
||||||
tenant_id=tenant_id)
|
|
||||||
except exception.MetadataNotFound:
|
|
||||||
metadata_ref = {}
|
|
||||||
|
|
||||||
|
metadata_ref = {}
|
||||||
|
if (user_id or group_id) and (tenant_id or domain_id):
|
||||||
|
try:
|
||||||
|
metadata_ref = self.identity_api.get_metadata(
|
||||||
|
context=context, user_id=user_id, tenant_id=tenant_id,
|
||||||
|
domain_id=domain_id, group_id=group_id)
|
||||||
|
except exception.MetadataNotFound:
|
||||||
|
pass
|
||||||
return metadata_ref
|
return metadata_ref
|
||||||
|
|
||||||
def _get_group_metadata_ref(self, context, user_id, tenant_id):
|
def _get_group_metadata_ref(self, context, user_id,
|
||||||
"""Return any metadata for this project due to group grants"""
|
tenant_id=None, domain_id=None):
|
||||||
|
"""Return any metadata for this project/domain due to group grants"""
|
||||||
group_refs = self.identity_api.list_groups_for_user(context=context,
|
group_refs = self.identity_api.list_groups_for_user(context=context,
|
||||||
user_id=user_id)
|
user_id=user_id)
|
||||||
metadata_ref = {}
|
metadata_ref = {}
|
||||||
for x in group_refs:
|
for x in group_refs:
|
||||||
metadata_ref.update(self._get_metadata_ref(context,
|
metadata_ref.update(self._get_metadata_ref(context,
|
||||||
group_id=x['id'],
|
group_id=x['id'],
|
||||||
tenant_id=tenant_id))
|
tenant_id=tenant_id,
|
||||||
|
domain_id=domain_id))
|
||||||
return metadata_ref
|
return metadata_ref
|
||||||
|
|
||||||
def _get_domain_metadata_ref(self, context, user_id, tenant_id):
|
|
||||||
"""Return any metadata for this project due to domain grants"""
|
|
||||||
# TODO (henry-nashe) Get the domain for this tenant...and then see if
|
|
||||||
# any domain grants apply. Bug #1093248
|
|
||||||
return {}
|
|
||||||
|
|
||||||
def _append_roles(self, metadata, additional_metadata):
|
def _append_roles(self, metadata, additional_metadata):
|
||||||
"""
|
"""
|
||||||
Update the roles in metadata to be the union of the roles from
|
Update the roles in metadata to be the union of the roles from
|
||||||
|
@ -17,13 +17,21 @@
|
|||||||
# NOTE(dolph): please try to avoid additional fixtures if possible; test suite
|
# NOTE(dolph): please try to avoid additional fixtures if possible; test suite
|
||||||
# performance may be negatively affected.
|
# performance may be negatively affected.
|
||||||
|
|
||||||
|
from keystone import config
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT_DOMAIN_ID = config.CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
TENANTS = [
|
TENANTS = [
|
||||||
{
|
{
|
||||||
'id': 'bar',
|
'id': 'bar',
|
||||||
'name': 'BAR',
|
'name': 'BAR',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
}, {
|
}, {
|
||||||
'id': 'baz',
|
'id': 'baz',
|
||||||
'name': 'BAZ',
|
'name': 'BAZ',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'description': 'description',
|
'description': 'description',
|
||||||
'enabled': True,
|
'enabled': True,
|
||||||
}
|
}
|
||||||
@ -34,11 +42,13 @@ USERS = [
|
|||||||
{
|
{
|
||||||
'id': 'foo',
|
'id': 'foo',
|
||||||
'name': 'FOO',
|
'name': 'FOO',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'foo2',
|
'password': 'foo2',
|
||||||
'tenants': ['bar']
|
'tenants': ['bar']
|
||||||
}, {
|
}, {
|
||||||
'id': 'two',
|
'id': 'two',
|
||||||
'name': 'TWO',
|
'name': 'TWO',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'two2',
|
'password': 'two2',
|
||||||
'email': 'two@example.com',
|
'email': 'two@example.com',
|
||||||
'enabled': True,
|
'enabled': True,
|
||||||
@ -47,6 +57,7 @@ USERS = [
|
|||||||
}, {
|
}, {
|
||||||
'id': 'badguy',
|
'id': 'badguy',
|
||||||
'name': 'BadGuy',
|
'name': 'BadGuy',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'bad',
|
'password': 'bad',
|
||||||
'email': 'bad@guy.com',
|
'email': 'bad@guy.com',
|
||||||
'enabled': False,
|
'enabled': False,
|
||||||
|
@ -21,9 +21,14 @@ import uuid
|
|||||||
from keystone.catalog import core
|
from keystone.catalog import core
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.openstack.common import timeutils
|
from keystone.openstack.common import timeutils
|
||||||
|
from keystone import config
|
||||||
from keystone import test
|
from keystone import test
|
||||||
|
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
class IdentityTests(object):
|
class IdentityTests(object):
|
||||||
def test_authenticate_bad_user(self):
|
def test_authenticate_bad_user(self):
|
||||||
self.assertRaises(AssertionError,
|
self.assertRaises(AssertionError,
|
||||||
@ -85,6 +90,7 @@ class IdentityTests(object):
|
|||||||
user = {
|
user = {
|
||||||
'id': 'no_meta',
|
'id': 'no_meta',
|
||||||
'name': 'NO_META',
|
'name': 'NO_META',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'no_meta2',
|
'password': 'no_meta2',
|
||||||
}
|
}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
@ -118,13 +124,15 @@ class IdentityTests(object):
|
|||||||
|
|
||||||
def test_get_project_by_name(self):
|
def test_get_project_by_name(self):
|
||||||
tenant_ref = self.identity_api.get_project_by_name(
|
tenant_ref = self.identity_api.get_project_by_name(
|
||||||
tenant_name=self.tenant_bar['name'])
|
tenant_name=self.tenant_bar['name'],
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
||||||
|
|
||||||
def test_get_project_by_name_404(self):
|
def test_get_project_by_name_404(self):
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project,
|
self.identity_api.get_project_by_name,
|
||||||
tenant_id=uuid.uuid4().hex)
|
tenant_name=uuid.uuid4().hex,
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
def test_get_project_users_404(self):
|
def test_get_project_users_404(self):
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
@ -146,7 +154,8 @@ class IdentityTests(object):
|
|||||||
|
|
||||||
def test_get_user_by_name(self):
|
def test_get_user_by_name(self):
|
||||||
user_ref = self.identity_api.get_user_by_name(
|
user_ref = self.identity_api.get_user_by_name(
|
||||||
user_name=self.user_foo['name'])
|
user_name=self.user_foo['name'],
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
# NOTE(termie): the password field is left in user_foo to make
|
# NOTE(termie): the password field is left in user_foo to make
|
||||||
# it easier to authenticate in tests, but should
|
# it easier to authenticate in tests, but should
|
||||||
# not be returned by the api
|
# not be returned by the api
|
||||||
@ -156,7 +165,8 @@ class IdentityTests(object):
|
|||||||
def test_get_user_by_name_404(self):
|
def test_get_user_by_name_404(self):
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.identity_api.get_user_by_name,
|
self.identity_api.get_user_by_name,
|
||||||
user_name=uuid.uuid4().hex)
|
user_name=uuid.uuid4().hex,
|
||||||
|
domain_id=DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
def test_get_metadata(self):
|
def test_get_metadata(self):
|
||||||
metadata_ref = self.identity_api.get_metadata(
|
metadata_ref = self.identity_api.get_metadata(
|
||||||
@ -217,6 +227,7 @@ class IdentityTests(object):
|
|||||||
def test_create_duplicate_user_id_fails(self):
|
def test_create_duplicate_user_id_fails(self):
|
||||||
user = {'id': 'fake1',
|
user = {'id': 'fake1',
|
||||||
'name': 'fake1',
|
'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'fakepass',
|
'password': 'fakepass',
|
||||||
'tenants': ['bar']}
|
'tenants': ['bar']}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
@ -229,6 +240,7 @@ class IdentityTests(object):
|
|||||||
def test_create_duplicate_user_name_fails(self):
|
def test_create_duplicate_user_name_fails(self):
|
||||||
user = {'id': 'fake1',
|
user = {'id': 'fake1',
|
||||||
'name': 'fake1',
|
'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'fakepass',
|
'password': 'fakepass',
|
||||||
'tenants': ['bar']}
|
'tenants': ['bar']}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
@ -241,10 +253,12 @@ class IdentityTests(object):
|
|||||||
def test_rename_duplicate_user_name_fails(self):
|
def test_rename_duplicate_user_name_fails(self):
|
||||||
user1 = {'id': 'fake1',
|
user1 = {'id': 'fake1',
|
||||||
'name': 'fake1',
|
'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'fakepass',
|
'password': 'fakepass',
|
||||||
'tenants': ['bar']}
|
'tenants': ['bar']}
|
||||||
user2 = {'id': 'fake2',
|
user2 = {'id': 'fake2',
|
||||||
'name': 'fake2',
|
'name': 'fake2',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'fakepass',
|
'password': 'fakepass',
|
||||||
'tenants': ['bar']}
|
'tenants': ['bar']}
|
||||||
self.identity_api.create_user('fake1', user1)
|
self.identity_api.create_user('fake1', user1)
|
||||||
@ -258,6 +272,7 @@ class IdentityTests(object):
|
|||||||
def test_update_user_id_fails(self):
|
def test_update_user_id_fails(self):
|
||||||
user = {'id': 'fake1',
|
user = {'id': 'fake1',
|
||||||
'name': 'fake1',
|
'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'fakepass',
|
'password': 'fakepass',
|
||||||
'tenants': ['bar']}
|
'tenants': ['bar']}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
@ -273,7 +288,8 @@ class IdentityTests(object):
|
|||||||
'fake2')
|
'fake2')
|
||||||
|
|
||||||
def test_create_duplicate_project_id_fails(self):
|
def test_create_duplicate_project_id_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['name'] = 'fake2'
|
tenant['name'] = 'fake2'
|
||||||
self.assertRaises(exception.Conflict,
|
self.assertRaises(exception.Conflict,
|
||||||
@ -282,7 +298,8 @@ class IdentityTests(object):
|
|||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_create_duplicate_project_name_fails(self):
|
def test_create_duplicate_project_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake'}
|
tenant = {'id': 'fake1', 'name': 'fake',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['id'] = 'fake2'
|
tenant['id'] = 'fake2'
|
||||||
self.assertRaises(exception.Conflict,
|
self.assertRaises(exception.Conflict,
|
||||||
@ -291,8 +308,10 @@ class IdentityTests(object):
|
|||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_rename_duplicate_project_name_fails(self):
|
def test_rename_duplicate_project_name_fails(self):
|
||||||
tenant1 = {'id': 'fake1', 'name': 'fake1'}
|
tenant1 = {'id': 'fake1', 'name': 'fake1',
|
||||||
tenant2 = {'id': 'fake2', 'name': 'fake2'}
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
|
tenant2 = {'id': 'fake2', 'name': 'fake2',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant1)
|
self.identity_api.create_project('fake1', tenant1)
|
||||||
self.identity_api.create_project('fake2', tenant2)
|
self.identity_api.create_project('fake2', tenant2)
|
||||||
tenant2['name'] = 'fake1'
|
tenant2['name'] = 'fake1'
|
||||||
@ -302,7 +321,8 @@ class IdentityTests(object):
|
|||||||
tenant2)
|
tenant2)
|
||||||
|
|
||||||
def test_update_project_id_does_nothing(self):
|
def test_update_project_id_does_nothing(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['id'] = 'fake2'
|
tenant['id'] = 'fake2'
|
||||||
self.identity_api.update_project('fake1', tenant)
|
self.identity_api.update_project('fake1', tenant)
|
||||||
@ -465,11 +485,14 @@ class IdentityTests(object):
|
|||||||
role_id='member')
|
role_id='member')
|
||||||
|
|
||||||
def test_get_and_remove_role_grant_by_group_and_project(self):
|
def test_get_and_remove_role_grant_by_group_and_project(self):
|
||||||
|
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': 'secret', 'enabled': True,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
@ -505,17 +528,82 @@ class IdentityTests(object):
|
|||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
|
|
||||||
roles_ref = self.identity_api.list_grants(
|
roles_ref = self.identity_api.list_grants(
|
||||||
group_id=new_group['id'],
|
group_id=new_group['id'],
|
||||||
domain_id=new_domain['id'])
|
domain_id=new_domain['id'])
|
||||||
self.assertEquals(len(roles_ref), 0)
|
self.assertEquals(len(roles_ref), 0)
|
||||||
|
|
||||||
self.identity_api.create_grant(group_id=new_group['id'],
|
self.identity_api.create_grant(group_id=new_group['id'],
|
||||||
domain_id=new_domain['id'],
|
domain_id=new_domain['id'],
|
||||||
role_id='member')
|
role_id='member')
|
||||||
|
|
||||||
|
roles_ref = self.identity_api.list_grants(
|
||||||
|
group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'])
|
||||||
|
self.assertDictEqual(roles_ref[0], self.role_member)
|
||||||
|
|
||||||
|
self.identity_api.delete_grant(group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'],
|
||||||
|
role_id='member')
|
||||||
|
roles_ref = self.identity_api.list_grants(
|
||||||
|
group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'])
|
||||||
|
self.assertEquals(len(roles_ref), 0)
|
||||||
|
self.assertRaises(exception.NotFound,
|
||||||
|
self.identity_api.delete_grant,
|
||||||
|
group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'],
|
||||||
|
role_id='member')
|
||||||
|
|
||||||
|
def test_get_and_remove_correct_role_grant_from_a_mix(self):
|
||||||
|
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||||
|
new_project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
|
self.identity_api.create_project(new_project['id'], new_project)
|
||||||
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||||
|
'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
|
new_group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
||||||
|
'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_group(new_group2['id'], new_group2)
|
||||||
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
|
new_user2 = {'id': uuid.uuid4().hex, 'name': 'new_user2',
|
||||||
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
|
self.identity_api.create_user(new_user2['id'], new_user2)
|
||||||
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
|
new_group['id'])
|
||||||
|
# First check we have no grants
|
||||||
|
roles_ref = self.identity_api.list_grants(
|
||||||
|
group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'])
|
||||||
|
self.assertEquals(len(roles_ref), 0)
|
||||||
|
# Now add the grant we are going to test for, and some others as
|
||||||
|
# well just to make sure we get back the right one
|
||||||
|
self.identity_api.create_grant(group_id=new_group['id'],
|
||||||
|
domain_id=new_domain['id'],
|
||||||
|
role_id='member')
|
||||||
|
|
||||||
|
self.identity_api.create_grant(group_id=new_group2['id'],
|
||||||
|
domain_id=new_domain['id'],
|
||||||
|
role_id='keystone_admin')
|
||||||
|
self.identity_api.create_grant(user_id=new_user2['id'],
|
||||||
|
domain_id=new_domain['id'],
|
||||||
|
role_id='keystone_admin')
|
||||||
|
self.identity_api.create_grant(group_id=new_group['id'],
|
||||||
|
project_id=new_project['id'],
|
||||||
|
role_id='keystone_admin')
|
||||||
|
|
||||||
roles_ref = self.identity_api.list_grants(
|
roles_ref = self.identity_api.list_grants(
|
||||||
group_id=new_group['id'],
|
group_id=new_group['id'],
|
||||||
domain_id=new_domain['id'])
|
domain_id=new_domain['id'])
|
||||||
@ -538,7 +626,8 @@ class IdentityTests(object):
|
|||||||
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_domain(new_domain['id'], new_domain)
|
self.identity_api.create_domain(new_domain['id'], new_domain)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': 'secret', 'enabled': True,
|
||||||
|
'domain_id': new_domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
roles_ref = self.identity_api.list_grants(
|
roles_ref = self.identity_api.list_grants(
|
||||||
user_id=new_user['id'],
|
user_id=new_user['id'],
|
||||||
@ -657,6 +746,7 @@ class IdentityTests(object):
|
|||||||
def test_delete_user_with_project_association(self):
|
def test_delete_user_with_project_association(self):
|
||||||
user = {'id': uuid.uuid4().hex,
|
user = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex}
|
'password': uuid.uuid4().hex}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||||
@ -669,6 +759,7 @@ class IdentityTests(object):
|
|||||||
def test_delete_user_with_project_roles(self):
|
def test_delete_user_with_project_roles(self):
|
||||||
user = {'id': uuid.uuid4().hex,
|
user = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex}
|
'password': uuid.uuid4().hex}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.identity_api.add_role_to_user_and_project(
|
||||||
@ -691,33 +782,38 @@ class IdentityTests(object):
|
|||||||
uuid.uuid4().hex)
|
uuid.uuid4().hex)
|
||||||
|
|
||||||
def test_create_project_long_name_fails(self):
|
def test_create_project_long_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'a' * 65}
|
tenant = {'id': 'fake1', 'name': 'a' * 65,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_project,
|
self.identity_api.create_project,
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_create_project_blank_name_fails(self):
|
def test_create_project_blank_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': ''}
|
tenant = {'id': 'fake1', 'name': '',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_project,
|
self.identity_api.create_project,
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_create_project_invalid_name_fails(self):
|
def test_create_project_invalid_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': None}
|
tenant = {'id': 'fake1', 'name': None,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_project,
|
self.identity_api.create_project,
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
tenant)
|
tenant)
|
||||||
tenant = {'id': 'fake1', 'name': 123}
|
tenant = {'id': 'fake1', 'name': 123,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_project,
|
self.identity_api.create_project,
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_update_project_blank_name_fails(self):
|
def test_update_project_blank_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['name'] = ''
|
tenant['name'] = ''
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
@ -726,7 +822,8 @@ class IdentityTests(object):
|
|||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_update_project_long_name_fails(self):
|
def test_update_project_long_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['name'] = 'a' * 65
|
tenant['name'] = 'a' * 65
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
@ -735,7 +832,8 @@ class IdentityTests(object):
|
|||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_update_project_invalid_name_fails(self):
|
def test_update_project_invalid_name_fails(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant['name'] = None
|
tenant['name'] = None
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
@ -750,34 +848,39 @@ class IdentityTests(object):
|
|||||||
tenant)
|
tenant)
|
||||||
|
|
||||||
def test_create_user_long_name_fails(self):
|
def test_create_user_long_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': 'a' * 65}
|
user = {'id': 'fake1', 'name': 'a' * 65,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_user,
|
self.identity_api.create_user,
|
||||||
'fake1',
|
'fake1',
|
||||||
user)
|
user)
|
||||||
|
|
||||||
def test_create_user_blank_name_fails(self):
|
def test_create_user_blank_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': ''}
|
user = {'id': 'fake1', 'name': '',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_user,
|
self.identity_api.create_user,
|
||||||
'fake1',
|
'fake1',
|
||||||
user)
|
user)
|
||||||
|
|
||||||
def test_create_user_invalid_name_fails(self):
|
def test_create_user_invalid_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': None}
|
user = {'id': 'fake1', 'name': None,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_user,
|
self.identity_api.create_user,
|
||||||
'fake1',
|
'fake1',
|
||||||
user)
|
user)
|
||||||
|
|
||||||
user = {'id': 'fake1', 'name': 123}
|
user = {'id': 'fake1', 'name': 123,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_user,
|
self.identity_api.create_user,
|
||||||
'fake1',
|
'fake1',
|
||||||
user)
|
user)
|
||||||
|
|
||||||
def test_update_user_long_name_fails(self):
|
def test_update_user_long_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': 'fake1'}
|
user = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
user['name'] = 'a' * 65
|
user['name'] = 'a' * 65
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
@ -786,7 +889,8 @@ class IdentityTests(object):
|
|||||||
user)
|
user)
|
||||||
|
|
||||||
def test_update_user_blank_name_fails(self):
|
def test_update_user_blank_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': 'fake1'}
|
user = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
user['name'] = ''
|
user['name'] = ''
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
@ -795,7 +899,8 @@ class IdentityTests(object):
|
|||||||
user)
|
user)
|
||||||
|
|
||||||
def test_update_user_invalid_name_fails(self):
|
def test_update_user_invalid_name_fails(self):
|
||||||
user = {'id': 'fake1', 'name': 'fake1'}
|
user = {'id': 'fake1', 'name': 'fake1',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
|
|
||||||
user['name'] = None
|
user['name'] = None
|
||||||
@ -827,8 +932,9 @@ class IdentityTests(object):
|
|||||||
if x['id'] == test_project['id'])
|
if x['id'] == test_project['id'])
|
||||||
|
|
||||||
def test_delete_project_with_role_assignments(self):
|
def test_delete_project_with_role_assignments(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1'}
|
tenant = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
self.identity_api.create_project('fake1', tenant)
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
|
self.identity_api.create_project(tenant['id'], tenant)
|
||||||
self.identity_api.add_role_to_user_and_project(
|
self.identity_api.add_role_to_user_and_project(
|
||||||
self.user_foo['id'], tenant['id'], 'member')
|
self.user_foo['id'], tenant['id'], 'member')
|
||||||
self.identity_api.delete_project(tenant['id'])
|
self.identity_api.delete_project(tenant['id'])
|
||||||
@ -852,20 +958,23 @@ class IdentityTests(object):
|
|||||||
self.assertIn(alt_role['id'], roles_ref)
|
self.assertIn(alt_role['id'], roles_ref)
|
||||||
|
|
||||||
def test_create_project_doesnt_modify_passed_in_dict(self):
|
def test_create_project_doesnt_modify_passed_in_dict(self):
|
||||||
new_project = {'id': 'tenant_id', 'name': 'new_project'}
|
new_project = {'id': 'tenant_id', 'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
original_project = new_project.copy()
|
original_project = new_project.copy()
|
||||||
self.identity_api.create_project('tenant_id', new_project)
|
self.identity_api.create_project('tenant_id', new_project)
|
||||||
self.assertDictEqual(original_project, new_project)
|
self.assertDictEqual(original_project, new_project)
|
||||||
|
|
||||||
def test_create_user_doesnt_modify_passed_in_dict(self):
|
def test_create_user_doesnt_modify_passed_in_dict(self):
|
||||||
new_user = {'id': 'user_id', 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
original_user = new_user.copy()
|
original_user = new_user.copy()
|
||||||
self.identity_api.create_user('user_id', new_user)
|
self.identity_api.create_user('user_id', new_user)
|
||||||
self.assertDictEqual(original_user, new_user)
|
self.assertDictEqual(original_user, new_user)
|
||||||
|
|
||||||
def test_update_user_enable(self):
|
def test_update_user_enable(self):
|
||||||
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_user('fake1', user)
|
self.identity_api.create_user('fake1', user)
|
||||||
user_ref = self.identity_api.get_user('fake1')
|
user_ref = self.identity_api.get_user('fake1')
|
||||||
self.assertEqual(user_ref['enabled'], True)
|
self.assertEqual(user_ref['enabled'], True)
|
||||||
@ -881,7 +990,8 @@ class IdentityTests(object):
|
|||||||
self.assertEqual(user_ref['enabled'], user['enabled'])
|
self.assertEqual(user_ref['enabled'], user['enabled'])
|
||||||
|
|
||||||
def test_update_project_enable(self):
|
def test_update_project_enable(self):
|
||||||
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project('fake1', tenant)
|
self.identity_api.create_project('fake1', tenant)
|
||||||
tenant_ref = self.identity_api.get_project('fake1')
|
tenant_ref = self.identity_api.get_project('fake1')
|
||||||
self.assertEqual(tenant_ref['enabled'], True)
|
self.assertEqual(tenant_ref['enabled'], True)
|
||||||
@ -897,11 +1007,14 @@ class IdentityTests(object):
|
|||||||
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
|
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
|
||||||
|
|
||||||
def test_add_user_to_group(self):
|
def test_add_user_to_group(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
@ -914,8 +1027,11 @@ class IdentityTests(object):
|
|||||||
self.assertTrue(found)
|
self.assertTrue(found)
|
||||||
|
|
||||||
def test_add_user_to_group_404(self):
|
def test_add_user_to_group_404(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.assertRaises(exception.GroupNotFound,
|
self.assertRaises(exception.GroupNotFound,
|
||||||
self.identity_api.add_user_to_group,
|
self.identity_api.add_user_to_group,
|
||||||
@ -931,11 +1047,14 @@ class IdentityTests(object):
|
|||||||
new_group['id'])
|
new_group['id'])
|
||||||
|
|
||||||
def test_check_user_in_group(self):
|
def test_check_user_in_group(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
@ -951,11 +1070,14 @@ class IdentityTests(object):
|
|||||||
new_group['id'])
|
new_group['id'])
|
||||||
|
|
||||||
def test_list_users_in_group(self):
|
def test_list_users_in_group(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
@ -967,11 +1089,14 @@ class IdentityTests(object):
|
|||||||
self.assertTrue(found)
|
self.assertTrue(found)
|
||||||
|
|
||||||
def test_remove_user_from_group(self):
|
def test_remove_user_from_group(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(new_group['id'], new_group)
|
self.identity_api.create_group(new_group['id'], new_group)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
self.identity_api.add_user_to_group(new_user['id'],
|
self.identity_api.add_user_to_group(new_user['id'],
|
||||||
new_group['id'])
|
new_group['id'])
|
||||||
@ -983,8 +1108,11 @@ class IdentityTests(object):
|
|||||||
self.assertFalse(x['id'] == new_group['id'])
|
self.assertFalse(x['id'] == new_group['id'])
|
||||||
|
|
||||||
def test_remove_user_from_group_404(self):
|
def test_remove_user_from_group_404(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
||||||
'password': 'secret', 'enabled': True}
|
'password': uuid.uuid4().hex, 'enabled': True,
|
||||||
|
'domain_id': domain['id']}
|
||||||
self.identity_api.create_user(new_user['id'], new_user)
|
self.identity_api.create_user(new_user['id'], new_user)
|
||||||
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
@ -1009,20 +1137,52 @@ class IdentityTests(object):
|
|||||||
'name': uuid.uuid4().hex}
|
'name': uuid.uuid4().hex}
|
||||||
self.identity_api.create_group(group['id'], group)
|
self.identity_api.create_group(group['id'], group)
|
||||||
group_ref = self.identity_api.get_group(group['id'])
|
group_ref = self.identity_api.get_group(group['id'])
|
||||||
group_ref_dict = dict((x, group_ref[x]) for x in group_ref)
|
self.assertDictEqual(group_ref, group)
|
||||||
self.assertDictEqual(group_ref_dict, group)
|
|
||||||
|
|
||||||
group['name'] = uuid.uuid4().hex
|
group['name'] = uuid.uuid4().hex
|
||||||
self.identity_api.update_group(group['id'], group)
|
self.identity_api.update_group(group['id'], group)
|
||||||
group_ref = self.identity_api.get_group(group['id'])
|
group_ref = self.identity_api.get_group(group['id'])
|
||||||
group_ref_dict = dict((x, group_ref[x]) for x in group_ref)
|
self.assertDictEqual(group_ref, group)
|
||||||
self.assertDictEqual(group_ref_dict, group)
|
|
||||||
|
|
||||||
self.identity_api.delete_group(group['id'])
|
self.identity_api.delete_group(group['id'])
|
||||||
self.assertRaises(exception.GroupNotFound,
|
self.assertRaises(exception.GroupNotFound,
|
||||||
self.identity_api.get_group,
|
self.identity_api.get_group,
|
||||||
group['id'])
|
group['id'])
|
||||||
|
|
||||||
|
def test_project_crud(self):
|
||||||
|
project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': uuid.uuid4().hex}
|
||||||
|
self.identity_api.create_project(project['id'], project)
|
||||||
|
project_ref = self.identity_api.get_project(project['id'])
|
||||||
|
self.assertDictEqual(project_ref, project)
|
||||||
|
|
||||||
|
project['name'] = uuid.uuid4().hex
|
||||||
|
self.identity_api.update_project(project['id'], project)
|
||||||
|
project_ref = self.identity_api.get_project(project['id'])
|
||||||
|
self.assertDictEqual(project_ref, project)
|
||||||
|
|
||||||
|
self.identity_api.delete_project(project['id'])
|
||||||
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
|
self.identity_api.get_project,
|
||||||
|
project['id'])
|
||||||
|
|
||||||
|
def test_domain_crud(self):
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||||
|
'enabled': True}
|
||||||
|
self.identity_api.create_domain(domain['id'], domain)
|
||||||
|
domain_ref = self.identity_api.get_domain(domain['id'])
|
||||||
|
self.assertDictEqual(domain_ref, domain)
|
||||||
|
|
||||||
|
domain['name'] = uuid.uuid4().hex
|
||||||
|
self.identity_api.update_domain(domain['id'], domain)
|
||||||
|
domain_ref = self.identity_api.get_domain(domain['id'])
|
||||||
|
self.assertDictEqual(domain_ref, domain)
|
||||||
|
|
||||||
|
self.identity_api.delete_domain(domain['id'])
|
||||||
|
self.assertRaises(exception.DomainNotFound,
|
||||||
|
self.identity_api.get_domain,
|
||||||
|
domain['id'])
|
||||||
|
|
||||||
|
|
||||||
class TokenTests(object):
|
class TokenTests(object):
|
||||||
def test_token_crud(self):
|
def test_token_crud(self):
|
||||||
|
@ -15,6 +15,7 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
import nose.exc
|
||||||
|
|
||||||
from keystone.common.ldap import fakeldap
|
from keystone.common.ldap import fakeldap
|
||||||
from keystone import config
|
from keystone import config
|
||||||
@ -413,48 +414,57 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
|
|||||||
user_api.get_connection(user=None, password=None)
|
user_api.get_connection(user=None, password=None)
|
||||||
|
|
||||||
# TODO (henry-nash) These need to be removed when the full LDAP implementation
|
# TODO (henry-nash) These need to be removed when the full LDAP implementation
|
||||||
# is submitted - see BugL #1092187
|
# is submitted - see Bugs 1092187, 1101287, 1101276, 1101289
|
||||||
def test_group_crud(self):
|
def test_group_crud(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_add_user_to_group(self):
|
def test_add_user_to_group(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_add_user_to_group_404(self):
|
def test_add_user_to_group_404(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_check_user_in_group(self):
|
def test_check_user_in_group(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_check_user_not_in_group(self):
|
def test_check_user_not_in_group(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_list_users_in_group(self):
|
def test_list_users_in_group(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_remove_user_from_group(self):
|
def test_remove_user_from_group(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_remove_user_from_group_404(self):
|
def test_remove_user_from_group_404(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1092187')
|
||||||
|
|
||||||
def test_get_role_grant_by_user_and_project(self):
|
def test_get_role_grant_by_user_and_project(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_get_role_grants_for_user_and_project_404(self):
|
def test_get_role_grants_for_user_and_project_404(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_add_role_grant_to_user_and_project_404(self):
|
def test_add_role_grant_to_user_and_project_404(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_remove_role_grant_from_user_and_project(self):
|
def test_remove_role_grant_from_user_and_project(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_get_and_remove_role_grant_by_group_and_project(self):
|
def test_get_and_remove_role_grant_by_group_and_project(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_get_and_remove_role_grant_by_group_and_domain(self):
|
def test_get_and_remove_role_grant_by_group_and_domain(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
def test_get_and_remove_role_grant_by_user_and_domain(self):
|
def test_get_and_remove_role_grant_by_user_and_domain(self):
|
||||||
pass
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
|
def test_get_and_remove_correct_role_grant_from_a_mix(self):
|
||||||
|
raise nose.exc.SkipTest('Blocked by bug 1101287')
|
||||||
|
|
||||||
|
def test_domain_crud(self):
|
||||||
|
raise nose.exc.SkipTest('Blocked by bug 1101276')
|
||||||
|
|
||||||
|
def test_project_crud(self):
|
||||||
|
raise nose.exc.SkipTest('Blocked by bug 1101289')
|
||||||
|
@ -22,6 +22,7 @@ from keystone import test
|
|||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
class PamIdentity(test.TestCase):
|
class PamIdentity(test.TestCase):
|
||||||
@ -41,7 +42,8 @@ class PamIdentity(test.TestCase):
|
|||||||
|
|
||||||
def test_get_project_by_name(self):
|
def test_get_project_by_name(self):
|
||||||
tenant_in_name = self.tenant_in['name']
|
tenant_in_name = self.tenant_in['name']
|
||||||
tenant_out = self.identity_api.get_project_by_name(tenant_in_name)
|
tenant_out = self.identity_api.get_project_by_name(
|
||||||
|
tenant_in_name, DEFAULT_DOMAIN_ID)
|
||||||
self.assertDictEqual(self.tenant_in, tenant_out)
|
self.assertDictEqual(self.tenant_in, tenant_out)
|
||||||
|
|
||||||
def test_get_user(self):
|
def test_get_user(self):
|
||||||
@ -49,7 +51,8 @@ class PamIdentity(test.TestCase):
|
|||||||
self.assertDictEqual(self.user_in, user_out)
|
self.assertDictEqual(self.user_in, user_out)
|
||||||
|
|
||||||
def test_get_user_by_name(self):
|
def test_get_user_by_name(self):
|
||||||
user_out = self.identity_api.get_user_by_name(self.user_in['name'])
|
user_out = self.identity_api.get_user_by_name(
|
||||||
|
self.user_in['name'], DEFAULT_DOMAIN_ID)
|
||||||
self.assertDictEqual(self.user_in, user_out)
|
self.assertDictEqual(self.user_in, user_out)
|
||||||
|
|
||||||
def test_get_metadata_for_non_root(self):
|
def test_get_metadata_for_non_root(self):
|
||||||
|
@ -28,8 +28,8 @@ from keystone import token
|
|||||||
import default_fixtures
|
import default_fixtures
|
||||||
import test_backend
|
import test_backend
|
||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
class SqlTests(test.TestCase):
|
class SqlTests(test.TestCase):
|
||||||
@ -65,6 +65,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
def test_delete_user_with_project_association(self):
|
def test_delete_user_with_project_association(self):
|
||||||
user = {'id': uuid.uuid4().hex,
|
user = {'id': uuid.uuid4().hex,
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex}
|
'password': uuid.uuid4().hex}
|
||||||
self.identity_api.create_user(user['id'], user)
|
self.identity_api.create_user(user['id'], user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||||
@ -77,6 +78,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
def test_create_null_user_name(self):
|
def test_create_null_user_name(self):
|
||||||
user = {'id': uuid.uuid4().hex,
|
user = {'id': uuid.uuid4().hex,
|
||||||
'name': None,
|
'name': None,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex}
|
'password': uuid.uuid4().hex}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_user,
|
self.identity_api.create_user,
|
||||||
@ -87,11 +89,13 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
user['id'])
|
user['id'])
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.identity_api.get_user_by_name,
|
self.identity_api.get_user_by_name,
|
||||||
user['name'])
|
user['name'],
|
||||||
|
DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
def test_create_null_project_name(self):
|
def test_create_null_project_name(self):
|
||||||
tenant = {'id': uuid.uuid4().hex,
|
tenant = {'id': uuid.uuid4().hex,
|
||||||
'name': None}
|
'name': None,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.assertRaises(exception.ValidationError,
|
self.assertRaises(exception.ValidationError,
|
||||||
self.identity_api.create_project,
|
self.identity_api.create_project,
|
||||||
tenant['id'],
|
tenant['id'],
|
||||||
@ -101,7 +105,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
tenant['id'])
|
tenant['id'])
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
self.assertRaises(exception.ProjectNotFound,
|
||||||
self.identity_api.get_project_by_name,
|
self.identity_api.get_project_by_name,
|
||||||
tenant['name'])
|
tenant['name'],
|
||||||
|
DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
def test_create_null_role_name(self):
|
def test_create_null_role_name(self):
|
||||||
role = {'id': uuid.uuid4().hex,
|
role = {'id': uuid.uuid4().hex,
|
||||||
@ -117,6 +122,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
def test_delete_project_with_user_association(self):
|
def test_delete_project_with_user_association(self):
|
||||||
user = {'id': 'fake',
|
user = {'id': 'fake',
|
||||||
'name': 'fakeuser',
|
'name': 'fakeuser',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'passwd'}
|
'password': 'passwd'}
|
||||||
self.identity_api.create_user('fake', user)
|
self.identity_api.create_user('fake', user)
|
||||||
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
self.identity_api.add_user_to_project(self.tenant_bar['id'],
|
||||||
@ -128,6 +134,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
def test_delete_user_with_metadata(self):
|
def test_delete_user_with_metadata(self):
|
||||||
user = {'id': 'fake',
|
user = {'id': 'fake',
|
||||||
'name': 'fakeuser',
|
'name': 'fakeuser',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'passwd'}
|
'password': 'passwd'}
|
||||||
self.identity_api.create_user('fake', user)
|
self.identity_api.create_user('fake', user)
|
||||||
self.identity_api.create_metadata(user['id'],
|
self.identity_api.create_metadata(user['id'],
|
||||||
@ -142,6 +149,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
def test_delete_project_with_metadata(self):
|
def test_delete_project_with_metadata(self):
|
||||||
user = {'id': 'fake',
|
user = {'id': 'fake',
|
||||||
'name': 'fakeuser',
|
'name': 'fakeuser',
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': 'passwd'}
|
'password': 'passwd'}
|
||||||
self.identity_api.create_user('fake', user)
|
self.identity_api.create_user('fake', user)
|
||||||
self.identity_api.create_metadata(user['id'],
|
self.identity_api.create_metadata(user['id'],
|
||||||
@ -169,6 +177,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
tenant = {
|
tenant = {
|
||||||
'id': tenant_id,
|
'id': tenant_id,
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
arbitrary_key: arbitrary_value}
|
arbitrary_key: arbitrary_value}
|
||||||
ref = self.identity_api.create_project(tenant_id, tenant)
|
ref = self.identity_api.create_project(tenant_id, tenant)
|
||||||
self.assertEqual(arbitrary_value, ref[arbitrary_key])
|
self.assertEqual(arbitrary_value, ref[arbitrary_key])
|
||||||
@ -195,6 +204,7 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
|
|||||||
user = {
|
user = {
|
||||||
'id': user_id,
|
'id': user_id,
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID,
|
||||||
'password': uuid.uuid4().hex,
|
'password': uuid.uuid4().hex,
|
||||||
arbitrary_key: arbitrary_value}
|
arbitrary_key: arbitrary_value}
|
||||||
ref = self.identity_api.create_user(user_id, user)
|
ref = self.identity_api.create_user(user_id, user)
|
||||||
|
@ -22,11 +22,13 @@ import nose.exc
|
|||||||
|
|
||||||
from keystone.openstack.common import jsonutils
|
from keystone.openstack.common import jsonutils
|
||||||
from keystone.openstack.common import timeutils
|
from keystone.openstack.common import timeutils
|
||||||
|
from keystone import config
|
||||||
from keystone import test
|
from keystone import test
|
||||||
|
|
||||||
|
|
||||||
import default_fixtures
|
import default_fixtures
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
OPENSTACK_REPO = 'https://review.openstack.org/p/openstack'
|
OPENSTACK_REPO = 'https://review.openstack.org/p/openstack'
|
||||||
KEYSTONECLIENT_REPO = '%s/python-keystoneclient.git' % OPENSTACK_REPO
|
KEYSTONECLIENT_REPO = '%s/python-keystoneclient.git' % OPENSTACK_REPO
|
||||||
|
|
||||||
@ -862,7 +864,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
|
|||||||
# Add two arbitrary tenants to user for testing purposes
|
# Add two arbitrary tenants to user for testing purposes
|
||||||
for i in range(2):
|
for i in range(2):
|
||||||
tenant_id = uuid.uuid4().hex
|
tenant_id = uuid.uuid4().hex
|
||||||
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
|
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project(tenant_id, tenant)
|
self.identity_api.create_project(tenant_id, tenant)
|
||||||
self.identity_api.add_user_to_project(tenant_id,
|
self.identity_api.add_user_to_project(tenant_id,
|
||||||
self.user_foo['id'])
|
self.user_foo['id'])
|
||||||
@ -888,7 +891,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
|
|||||||
# Add two arbitrary tenants to user for testing purposes
|
# Add two arbitrary tenants to user for testing purposes
|
||||||
for i in range(2):
|
for i in range(2):
|
||||||
tenant_id = uuid.uuid4().hex
|
tenant_id = uuid.uuid4().hex
|
||||||
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id}
|
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
|
||||||
|
'domain_id': DEFAULT_DOMAIN_ID}
|
||||||
self.identity_api.create_project(tenant_id, tenant)
|
self.identity_api.create_project(tenant_id, tenant)
|
||||||
self.identity_api.add_user_to_project(tenant_id,
|
self.identity_api.add_user_to_project(tenant_id,
|
||||||
self.user_foo['id'])
|
self.user_foo['id'])
|
||||||
|
@ -25,6 +25,7 @@ from keystone import test
|
|||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
FIXTURE = {
|
FIXTURE = {
|
||||||
@ -92,11 +93,13 @@ class MigrateNovaAuth(test.TestCase):
|
|||||||
|
|
||||||
users = {}
|
users = {}
|
||||||
for user in ['user1', 'user2', 'user3', 'user4']:
|
for user in ['user1', 'user2', 'user3', 'user4']:
|
||||||
users[user] = self.identity_api.get_user_by_name(user)
|
users[user] = self.identity_api.get_user_by_name(
|
||||||
|
user, DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
tenants = {}
|
tenants = {}
|
||||||
for tenant in ['proj1', 'proj2', 'proj4']:
|
for tenant in ['proj1', 'proj2', 'proj4']:
|
||||||
tenants[tenant] = self.identity_api.get_project_by_name(tenant)
|
tenants[tenant] = self.identity_api.get_project_by_name(
|
||||||
|
tenant, DEFAULT_DOMAIN_ID)
|
||||||
|
|
||||||
membership_map = {
|
membership_map = {
|
||||||
'user1': ['proj1'],
|
'user1': ['proj1'],
|
||||||
|
@ -35,12 +35,14 @@ import sqlalchemy
|
|||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
from keystone.common.sql import migration
|
from keystone.common.sql import migration
|
||||||
from keystone import config
|
from keystone import config
|
||||||
|
from keystone import exception
|
||||||
from keystone import test
|
from keystone import test
|
||||||
|
|
||||||
import default_fixtures
|
import default_fixtures
|
||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
|
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
|
||||||
|
|
||||||
|
|
||||||
class SqlUpgradeTests(test.TestCase):
|
class SqlUpgradeTests(test.TestCase):
|
||||||
@ -129,8 +131,8 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.populate_tenant_table()
|
self.populate_tenant_table()
|
||||||
self.upgrade(10)
|
self.upgrade(10)
|
||||||
self.assertTableColumns("user",
|
self.assertTableColumns("user",
|
||||||
["id", "name", "extra", "password",
|
["id", "name", "extra",
|
||||||
"enabled"])
|
"password", "enabled"])
|
||||||
self.assertTableColumns("tenant",
|
self.assertTableColumns("tenant",
|
||||||
["id", "name", "extra", "description",
|
["id", "name", "extra", "description",
|
||||||
"enabled"])
|
"enabled"])
|
||||||
@ -152,17 +154,33 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
a_tenant = session.query(tenant_table).filter("id='baz'").one()
|
a_tenant = session.query(tenant_table).filter("id='baz'").one()
|
||||||
self.assertEqual(a_tenant.description, 'description')
|
self.assertEqual(a_tenant.description, 'description')
|
||||||
session.commit()
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
def test_downgrade_10_to_8(self):
|
def test_downgrade_10_to_8(self):
|
||||||
self.upgrade(8)
|
|
||||||
self.populate_user_table()
|
|
||||||
self.populate_tenant_table()
|
|
||||||
self.upgrade(10)
|
self.upgrade(10)
|
||||||
|
self.populate_user_table(with_pass_enab=True)
|
||||||
|
self.populate_tenant_table(with_desc_enab=True)
|
||||||
self.downgrade(8)
|
self.downgrade(8)
|
||||||
|
self.assertTableColumns('user',
|
||||||
|
['id', 'name', 'extra'])
|
||||||
|
self.assertTableColumns('tenant',
|
||||||
|
['id', 'name', 'extra'])
|
||||||
|
session = self.Session()
|
||||||
|
user_table = sqlalchemy.Table("user",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_user = session.query(user_table).filter("id='badguy'").one()
|
||||||
|
self.assertEqual(a_user.name, default_fixtures.USERS[2]['name'])
|
||||||
|
tenant_table = sqlalchemy.Table("tenant",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_tenant = session.query(tenant_table).filter("id='baz'").one()
|
||||||
|
self.assertEqual(a_tenant.name, default_fixtures.TENANTS[1]['name'])
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
def test_upgrade_10_to_13(self):
|
def test_upgrade_10_to_13(self):
|
||||||
self.upgrade(10)
|
self.upgrade(10)
|
||||||
|
|
||||||
service_extra = {
|
service_extra = {
|
||||||
'name': uuid.uuid4().hex,
|
'name': uuid.uuid4().hex,
|
||||||
}
|
}
|
||||||
@ -187,9 +205,9 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.insert_dict(session, 'service', service)
|
self.insert_dict(session, 'service', service)
|
||||||
self.insert_dict(session, 'endpoint', endpoint)
|
self.insert_dict(session, 'endpoint', endpoint)
|
||||||
session.commit()
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
self.upgrade(13)
|
self.upgrade(13)
|
||||||
|
|
||||||
self.assertTableColumns(
|
self.assertTableColumns(
|
||||||
'service',
|
'service',
|
||||||
['id', 'type', 'extra'])
|
['id', 'type', 'extra'])
|
||||||
@ -215,6 +233,8 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.assertEqual(ref.service_id, endpoint['service_id'])
|
self.assertEqual(ref.service_id, endpoint['service_id'])
|
||||||
self.assertEqual(ref.url, endpoint_extra['%surl' % interface])
|
self.assertEqual(ref.url, endpoint_extra['%surl' % interface])
|
||||||
self.assertEqual(ref.extra, '{}')
|
self.assertEqual(ref.extra, '{}')
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
def assertTenantTables(self):
|
def assertTenantTables(self):
|
||||||
self.assertTableExists('tenant')
|
self.assertTableExists('tenant')
|
||||||
@ -235,6 +255,12 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.assertProjectTables()
|
self.assertProjectTables()
|
||||||
|
|
||||||
def test_downgrade_project_to_tenant(self):
|
def test_downgrade_project_to_tenant(self):
|
||||||
|
# TODO(henry-nash): Debug why we need to re-load the tenant
|
||||||
|
# or user_tenant_membership ahead of upgrading to project
|
||||||
|
# in order for the assertProjectTables to work on sqlite
|
||||||
|
# (MySQL is fine without it)
|
||||||
|
self.upgrade(14)
|
||||||
|
self.assertTenantTables()
|
||||||
self.upgrade(15)
|
self.upgrade(15)
|
||||||
self.assertProjectTables()
|
self.assertProjectTables()
|
||||||
self.downgrade(14)
|
self.downgrade(14)
|
||||||
@ -248,6 +274,59 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.assertTableExists('group_domain_metadata')
|
self.assertTableExists('group_domain_metadata')
|
||||||
self.assertTableExists('user_group_membership')
|
self.assertTableExists('user_group_membership')
|
||||||
|
|
||||||
|
def test_upgrade_14_to_16(self):
|
||||||
|
self.upgrade(14)
|
||||||
|
self.populate_user_table(with_pass_enab=True)
|
||||||
|
self.populate_tenant_table(with_desc_enab=True)
|
||||||
|
self.upgrade(16)
|
||||||
|
self.assertTableColumns("user",
|
||||||
|
["id", "name", "extra",
|
||||||
|
"password", "enabled", "domain_id"])
|
||||||
|
session = self.Session()
|
||||||
|
user_table = sqlalchemy.Table("user",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_user = session.query(user_table).filter("id='foo'").one()
|
||||||
|
self.assertTrue(a_user.enabled)
|
||||||
|
self.assertEqual(a_user.domain_id, DEFAULT_DOMAIN_ID)
|
||||||
|
a_user = session.query(user_table).filter("id='badguy'").one()
|
||||||
|
self.assertEqual(a_user.name, default_fixtures.USERS[2]['name'])
|
||||||
|
self.assertEqual(a_user.domain_id, DEFAULT_DOMAIN_ID)
|
||||||
|
project_table = sqlalchemy.Table("project",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_project = session.query(project_table).filter("id='baz'").one()
|
||||||
|
self.assertEqual(a_project.description,
|
||||||
|
default_fixtures.TENANTS[1]['description'])
|
||||||
|
self.assertEqual(a_project.domain_id, DEFAULT_DOMAIN_ID)
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
|
def test_downgrade_16_to_14(self):
|
||||||
|
self.upgrade(16)
|
||||||
|
self.populate_user_table(with_pass_enab_domain=True)
|
||||||
|
self.populate_tenant_table(with_desc_enab_domain=True)
|
||||||
|
self.downgrade(14)
|
||||||
|
self.assertTableColumns("user",
|
||||||
|
["id", "name", "extra",
|
||||||
|
"password", "enabled"])
|
||||||
|
session = self.Session()
|
||||||
|
user_table = sqlalchemy.Table("user",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_user = session.query(user_table).filter("id='foo'").one()
|
||||||
|
self.assertTrue(a_user.enabled)
|
||||||
|
a_user = session.query(user_table).filter("id='badguy'").one()
|
||||||
|
self.assertEqual(a_user.name, default_fixtures.USERS[2]['name'])
|
||||||
|
tenant_table = sqlalchemy.Table("tenant",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
a_tenant = session.query(tenant_table).filter("id='baz'").one()
|
||||||
|
self.assertEqual(a_tenant.description,
|
||||||
|
default_fixtures.TENANTS[1]['description'])
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
def test_downgrade_14_to_13(self):
|
def test_downgrade_14_to_13(self):
|
||||||
self.upgrade(14)
|
self.upgrade(14)
|
||||||
self.downgrade(13)
|
self.downgrade(13)
|
||||||
@ -298,6 +377,7 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
endpoint.update(common_endpoint_attrs)
|
endpoint.update(common_endpoint_attrs)
|
||||||
self.insert_dict(session, 'endpoint', endpoint)
|
self.insert_dict(session, 'endpoint', endpoint)
|
||||||
session.commit()
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
self.downgrade(9)
|
self.downgrade(9)
|
||||||
|
|
||||||
@ -323,14 +403,15 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
for interface in ['public', 'internal', 'admin']:
|
for interface in ['public', 'internal', 'admin']:
|
||||||
expected_url = endpoints[interface]['url']
|
expected_url = endpoints[interface]['url']
|
||||||
self.assertEqual(extra['%surl' % interface], expected_url)
|
self.assertEqual(extra['%surl' % interface], expected_url)
|
||||||
|
session.commit()
|
||||||
|
session.close()
|
||||||
|
|
||||||
def insert_dict(self, session, table_name, d):
|
def insert_dict(self, session, table_name, d):
|
||||||
"""Naively inserts key-value pairs into a table, given a dictionary."""
|
"""Naively inserts key-value pairs into a table, given a dictionary."""
|
||||||
session.execute(
|
this_table = sqlalchemy.Table(table_name, self.metadata, autoload=True)
|
||||||
'INSERT INTO `%s` (%s) VALUES (%s)' % (
|
insert = this_table.insert()
|
||||||
table_name,
|
insert.execute(d)
|
||||||
', '.join('%s' % k for k in d.keys()),
|
session.commit()
|
||||||
', '.join("'%s'" % v for v in d.values())))
|
|
||||||
|
|
||||||
def test_downgrade_to_0(self):
|
def test_downgrade_to_0(self):
|
||||||
self.upgrade(self.max_version)
|
self.upgrade(self.max_version)
|
||||||
@ -355,28 +436,103 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
self.assertTableColumns('user_domain_metadata',
|
self.assertTableColumns('user_domain_metadata',
|
||||||
['user_id', 'domain_id', 'data'])
|
['user_id', 'domain_id', 'data'])
|
||||||
|
|
||||||
def populate_user_table(self):
|
def populate_user_table(self, with_pass_enab=False,
|
||||||
user_table = sqlalchemy.Table('user',
|
with_pass_enab_domain=False):
|
||||||
|
# Populate the appropriate fields in the user
|
||||||
|
# table, depending on the parameters:
|
||||||
|
#
|
||||||
|
# Default: id, name, extra
|
||||||
|
# pass_enab: Add password, enabled as well
|
||||||
|
# pass_enab_domain: Add password, enabled and domain as well
|
||||||
|
#
|
||||||
|
this_table = sqlalchemy.Table("user",
|
||||||
self.metadata,
|
self.metadata,
|
||||||
autoload=True)
|
autoload=True)
|
||||||
session = self.Session()
|
|
||||||
insert = user_table.insert()
|
|
||||||
for user in default_fixtures.USERS:
|
for user in default_fixtures.USERS:
|
||||||
extra = copy.deepcopy(user)
|
extra = copy.deepcopy(user)
|
||||||
extra.pop('id')
|
extra.pop('id')
|
||||||
extra.pop('name')
|
extra.pop('name')
|
||||||
user['extra'] = json.dumps(extra)
|
|
||||||
insert.execute(user)
|
|
||||||
|
|
||||||
def populate_tenant_table(self):
|
if with_pass_enab:
|
||||||
|
password = extra.pop('password', None)
|
||||||
|
enabled = extra.pop('enabled', True)
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': user['id'],
|
||||||
|
'name': user['name'],
|
||||||
|
'password': password,
|
||||||
|
'enabled': bool(enabled),
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
else:
|
||||||
|
if with_pass_enab_domain:
|
||||||
|
password = extra.pop('password', None)
|
||||||
|
enabled = extra.pop('enabled', True)
|
||||||
|
extra.pop('domain_id')
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': user['id'],
|
||||||
|
'name': user['name'],
|
||||||
|
'domain_id': user['domain_id'],
|
||||||
|
'password': password,
|
||||||
|
'enabled': bool(enabled),
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
else:
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': user['id'],
|
||||||
|
'name': user['name'],
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
self.engine.execute(ins)
|
||||||
|
|
||||||
|
def populate_tenant_table(self, with_desc_enab=False,
|
||||||
|
with_desc_enab_domain=False):
|
||||||
|
# Populate the appropriate fields in the tenant or
|
||||||
|
# project table, depending on the parameters
|
||||||
|
#
|
||||||
|
# Default: id, name, extra
|
||||||
|
# desc_enab: Add description, enabled as well
|
||||||
|
# desc_enab_domain: Add description, enabled and domain as well,
|
||||||
|
# plus use project instead of tenant
|
||||||
|
#
|
||||||
|
if with_desc_enab_domain:
|
||||||
|
# By this time tenants are now projects
|
||||||
|
this_table = sqlalchemy.Table("project",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
else:
|
||||||
|
this_table = sqlalchemy.Table("tenant",
|
||||||
|
self.metadata,
|
||||||
|
autoload=True)
|
||||||
|
|
||||||
for tenant in default_fixtures.TENANTS:
|
for tenant in default_fixtures.TENANTS:
|
||||||
extra = copy.deepcopy(tenant)
|
extra = copy.deepcopy(tenant)
|
||||||
extra.pop('id')
|
extra.pop('id')
|
||||||
extra.pop('name')
|
extra.pop('name')
|
||||||
self.engine.execute("insert into tenant values ('%s', '%s', '%s')"
|
|
||||||
% (tenant['id'],
|
if with_desc_enab:
|
||||||
tenant['name'],
|
desc = extra.pop('description', None)
|
||||||
json.dumps(extra)))
|
enabled = extra.pop('enabled', True)
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': tenant['id'],
|
||||||
|
'name': tenant['name'],
|
||||||
|
'description': desc,
|
||||||
|
'enabled': bool(enabled),
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
else:
|
||||||
|
if with_desc_enab_domain:
|
||||||
|
desc = extra.pop('description', None)
|
||||||
|
enabled = extra.pop('enabled', True)
|
||||||
|
extra.pop('domain_id')
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': tenant['id'],
|
||||||
|
'name': tenant['name'],
|
||||||
|
'domain_id': tenant['domain_id'],
|
||||||
|
'description': desc,
|
||||||
|
'enabled': bool(enabled),
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
else:
|
||||||
|
ins = this_table.insert().values(
|
||||||
|
{'id': tenant['id'],
|
||||||
|
'name': tenant['name'],
|
||||||
|
'extra': json.dumps(extra)})
|
||||||
|
self.engine.execute(ins)
|
||||||
|
|
||||||
def select_table(self, name):
|
def select_table(self, name):
|
||||||
table = sqlalchemy.Table(name,
|
table = sqlalchemy.Table(name,
|
||||||
@ -387,16 +543,21 @@ class SqlUpgradeTests(test.TestCase):
|
|||||||
|
|
||||||
def assertTableExists(self, table_name):
|
def assertTableExists(self, table_name):
|
||||||
try:
|
try:
|
||||||
#TODO ayoung: make quoting work for postgres
|
self.select_table(table_name)
|
||||||
self.engine.execute("select count(*) from '%s'" % table_name)
|
except sqlalchemy.exc.NoSuchTableError:
|
||||||
except:
|
|
||||||
raise AssertionError('Table "%s" does not exist' % table_name)
|
raise AssertionError('Table "%s" does not exist' % table_name)
|
||||||
|
|
||||||
def assertTableDoesNotExist(self, table_name):
|
def assertTableDoesNotExist(self, table_name):
|
||||||
"""Asserts that a given table exists cannot be selected by name."""
|
"""Asserts that a given table exists cannot be selected by name."""
|
||||||
|
# Switch to a different metadata otherwise you might still
|
||||||
|
# detect renamed or dropped tables
|
||||||
try:
|
try:
|
||||||
self.assertTableExists(table_name)
|
temp_metadata = sqlalchemy.MetaData()
|
||||||
except AssertionError:
|
temp_metadata.bind = self.engine
|
||||||
|
table = sqlalchemy.Table(table_name,
|
||||||
|
temp_metadata,
|
||||||
|
autoload=True)
|
||||||
|
except sqlalchemy.exc.NoSuchTableError:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
raise AssertionError('Table "%s" already exists' % table_name)
|
raise AssertionError('Table "%s" already exists' % table_name)
|
||||||
|
Loading…
Reference in New Issue
Block a user