Merge "Resource backend is SQL only now"
commit
d20a3e971f
@ -11,6 +11,7 @@
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.conf import utils
|
||||
|
||||
@ -18,6 +19,13 @@ from keystone.conf import utils
|
||||
driver = cfg.StrOpt(
|
||||
'driver',
|
||||
default='sql',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason='Non-SQL resource cannot be used with SQL Identity and '
|
||||
'has been unable to be used since Ocata. SQL Resource '
|
||||
'backend is a requirement as of Pike. Setting this '
|
||||
'option no longer has an effect on how Keystone '
|
||||
'operates.',
|
||||
deprecated_since=versionutils.deprecated.PIKE,
|
||||
help=utils.fmt("""
|
||||
Entry point for the resource driver in the `keystone.resource` namespace. Only
|
||||
a `sql` driver is supplied by keystone. Unless you are writing proprietary
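Review bot: The `help` text that follows the new deprecation arguments still describes `driver` as an entry point in the `keystone.resource` namespace and goes on to mention writing proprietary drivers. That contradicts the new `deprecated_reason`, which says the option no longer has any effect. An operator reading the generated sample configuration could still believe a custom resource backend is being loaded. Consider opening the help string with a sentence such as `This option is ignored; the resource backend is always SQL.` The `help=utils.fmt(...)` string continues past the end of the visible section, so the rest of its wording could not be checked here.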
|
||||
|
@ -22,6 +22,8 @@ LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
class Resource(base.ResourceDriverBase):
|
||||
# TODO(morgan): Merge all of this code into the manager, Resource backend
|
||||
# is only SQL. There is no configurable driver.
|
||||
|
||||
def default_assignment_driver(self):
|
||||
return 'sql'
|
||||
|
@ -27,6 +27,7 @@ from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.resource.backends import base
|
||||
from keystone.resource.backends import sql as resource_sql
|
||||
from keystone.token import provider as token_provider
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -51,8 +52,12 @@ class Manager(manager.Manager):
|
||||
_PROJECT = 'project'
|
||||
|
||||
def __init__(self):
|
||||
resource_driver = CONF.resource.driver
|
||||
super(Manager, self).__init__(resource_driver)
|
||||
# NOTE(morgan): The resource driver must be SQL. This is because there
|
||||
# is a FK between identity and resource. Almost every deployment uses
|
||||
# SQL Identity in some form. Even if SQL Identity is not used, there
|
||||
# is almost no reason to have non-SQL Resource. Keystone requires
|
||||
# SQL in a number of ways, this simply codifies it plainly for resource
|
||||
self.driver = resource_sql.Resource()
|
||||
|
||||
def _get_hierarchy_depth(self, parents_list):
|
||||
return len(parents_list) + 1
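Review bot: `Manager.__init__` now assigns `self.driver = resource_sql.Resource()` and, judging by the hunk's line counts, no longer reads `CONF.resource.driver` or calls `super(Manager, self).__init__(...)`. Any setup the base `manager.Manager` constructor performs beyond loading the driver would then be skipped; the base class is not visible on this page, so that needs confirming. A deployment that still sets `[resource] driver` to a non-SQL value is also moved to the SQL backend with no message from this code path, and the option's deprecation warning may never fire if nothing reads the option any more. I would make the override visible in the logs, e.g. `if CONF.resource.driver != 'sql': LOG.warning('[resource] driver is ignored; the SQL resource backend is always used')`, assuming this module has a `LOG`.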
|
||||
|
@ -1045,8 +1045,7 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
|
||||
def assert_backends(self):
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def test_list_domains(self):
|
||||
domains = self.resource_api.list_domains()
|
||||
@ -1756,8 +1755,7 @@ class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
|
||||
identity_tests.LimitTests.setUp(self)
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def config_overrides(self):
|
||||
super(LDAPLimitTests, self).config_overrides()
|
||||
@ -2210,8 +2208,7 @@ class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
|
||||
self.domain_default['id']: 'ldap',
|
||||
self.domains['domain1']['id']: 'ldap',
|
||||
self.domains['domain2']['id']: 'ldap',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def config_overrides(self):
|
||||
super(MultiLDAPandSQLIdentity, self).config_overrides()
|
||||
@ -2532,8 +2529,7 @@ class MultiLDAPandSQLIdentityDomainConfigsInSQL(MultiLDAPandSQLIdentity):
|
||||
self.domain_default['id']: 'ldap',
|
||||
self.domains['domain1']['id']: 'ldap',
|
||||
self.domains['domain2']['id']: 'ldap',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def enable_multi_domain(self):
|
||||
# The values below are the same as in the domain_configs_multi_ldap
|
||||
@ -2758,8 +2754,7 @@ class DomainSpecificLDAPandSQLIdentity(
|
||||
None: 'ldap',
|
||||
'default': 'ldap',
|
||||
self.domains['domain1']['id']: 'sql',
|
||||
},
|
||||
resource='sql')
|
||||
})
|
||||
|
||||
def config_overrides(self):
|
||||
super(DomainSpecificLDAPandSQLIdentity, self).config_overrides()
|
||||
@ -2927,8 +2922,7 @@ class DomainSpecificSQLIdentity(DomainSpecificLDAPandSQLIdentity):
|
||||
def assert_backends(self):
|
||||
_assert_backends(self,
|
||||
assignment='sql',
|
||||
identity='ldap',
|
||||
resource='sql')
|
||||
identity='ldap')
|
||||
|
||||
def config_overrides(self):
|
||||
super(DomainSpecificSQLIdentity, self).config_overrides()
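Review bot: With `resource='sql'` dropped from every `_assert_backends(...)` call in this file, none of the visible tests state which resource driver the manager ends up with. Because the backend is now fixed in code rather than configuration, a direct check that `self.resource_api.driver` is an instance of the SQL `Resource` class would pin the new behaviour. Ideally that check sits in a test that overrides `[resource] driver` with a different value. `_assert_backends` is defined outside these hunks, so whether it still accepts a `resource` keyword could not be checked from here.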
|
||||
|
@ -0,0 +1,12 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
The resource backend cannot be configured to anything but SQL if the SQL
|
||||
Identity backend is being used. The resource backend must now be SQL which
|
||||
allows for the use of Foreign Keys to domains/projects wherever desired.
|
||||
This makes managing project relationships and such much more straight
|
||||
forward. The inability to configure non-SQL resource backends has been
|
||||
in Keystone since at least Ocata. This is eliminating some complexity
|
||||
and preventing the need for some really ugly back-port SQL migrations
|
||||
in favor of a better model. Resource is highly relational and should be
|
||||
SQL based.
|
@ -139,9 +139,6 @@ keystone.policy =
|
||||
rules = keystone.policy.backends.rules:Policy
|
||||
sql = keystone.policy.backends.sql:Policy
|
||||
|
||||
keystone.resource =
|
||||
sql = keystone.resource.backends.sql:Resource
|
||||
|
||||
keystone.resource.domain_config =
|
||||
sql = keystone.resource.config_backends.sql:DomainConfig
|
||||
|
||||
|