Remove LDAP Role Backend
The LDAP Role Backend has been removed without the normal in-code deprecation notice; however, the Role backend was explicitly called out when the deprecation announcement occurred[1] and was explicitly included as part of the deprecation of "assignment"-based LDAP. The LDAP Role backend is not very useful without the other parts of the assignment backend that were deprecated and removed. [1] http://lists.openstack.org/pipermail/openstack/2015-January/011337.html Change-Id: I1bd02d5834814959a93601fe53f115d0f9cc08a8 bp: removed-as-of-mitaka
This commit is contained in:
parent
e6efbe62b8
commit
d78fcc361e
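--- a/PLACEHOLDER_PATH_1_ldap_role_backend_module
+++ /dev/null
@@ -1,157 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from __future__ import absolute_import
-
-from oslo_config import cfg
-from oslo_log import versionutils
-
-from keystone import assignment
-from keystone.common import ldap as common_ldap
-from keystone.common import models
-from keystone import exception
-from keystone.i18n import _
-from keystone.identity.backends import ldap as ldap_identity
-
-
-CONF = cfg.CONF
-
-
-class Role(assignment.RoleDriverV9):
-    @versionutils.deprecated(
-        versionutils.deprecated.MITAKA,
-        what='ldap role',
-        in_favor_of='sql role backend')
-    def __init__(self):
-        super(Role, self).__init__()
-        self.LDAP_URL = CONF.ldap.url
-        self.LDAP_USER = CONF.ldap.user
-        self.LDAP_PASSWORD = CONF.ldap.password
-        self.suffix = CONF.ldap.suffix
-
-        # This is the only deep dependency from resource back
-        # to identity. The assumption is that if you are using
-        # LDAP for resource, you are using it for identity as well.
-        self.user = ldap_identity.UserApi(CONF)
-        self.role = RoleApi(CONF, self.user)
-
-    def get_role(self, role_id):
-        return self.role.get(role_id)
-
-    def list_roles(self, hints):
-        return self.role.get_all()
-
-    def list_roles_from_ids(self, ids):
-        return [self.get_role(id) for id in ids]
-
-    def create_role(self, role_id, role):
-        self.role.check_allow_create()
-        try:
-            self.get_role(role_id)
-        except exception.NotFound: # nosec
-            # The call to self.get_role() raises this exception when a role
-            # with the given ID doesn't exist. This was done to ensure that
-            # a role with the new role's ID doesn't already exist. As such this
-            # exception is expected to happen in the normal case. The abnormal
-            # case would be if the role does already exist. So this exception
-            # is expected to be ignored and there's no security issue with
-            # ignoring it.
-            pass
-        else:
-            msg = _('Duplicate ID, %s.') % role_id
-            raise exception.Conflict(type='role', details=msg)
-
-        try:
-            self.role.get_by_name(role['name'])
-        except exception.NotFound: # nosec
-            # The call to self.role.get_by_name() raises this exception when a
-            # role with the given name doesn't exist. This was done to ensure
-            # that a role with the new role's name doesn't already exist. As
-            # such this exception is expected to happen in the normal case. The
-            # abnormal case would be if a role with the same name does already
-            # exist. So this exception is expected to be ignored and there's no
-            # security issue with ignoring it.
-            pass
-        else:
-            msg = _('Duplicate name, %s.') % role['name']
-            raise exception.Conflict(type='role', details=msg)
-
-        return self.role.create(role)
-
-    def delete_role(self, role_id):
-        self.role.check_allow_delete()
-        return self.role.delete(role_id)
-
-    def update_role(self, role_id, role):
-        self.role.check_allow_update()
-        self.get_role(role_id)
-        return self.role.update(role_id, role)
-
-    def create_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented() # pragma: no cover
-
-    def delete_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented() # pragma: no cover
-
-    def list_implied_roles(self, prior_role_id):
-        raise exception.NotImplemented() # pragma: no cover
-
-    def list_role_inference_rules(self):
-        raise exception.NotImplemented() # pragma: no cover
-
-    def get_implied_role(self, prior_role_id, implied_role_id):
-        raise exception.NotImplemented() # pragma: no cover
-
-
-# NOTE(henry-nash): A mixin class to enable the sharing of the LDAP structure
-# between here and the assignment LDAP.
-class RoleLdapStructureMixin(object):
-    DEFAULT_OU = 'ou=Roles'
-    DEFAULT_STRUCTURAL_CLASSES = []
-    DEFAULT_OBJECTCLASS = 'organizationalRole'
-    DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
-    NotFound = exception.RoleNotFound
-    options_name = 'role'
-    attribute_options_names = {'name': 'name'}
-    immutable_attrs = ['id']
-    model = models.Role
-
-
-# TODO(termie): turn this into a data object and move logic to driver
-class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap):
-
-    def __init__(self, conf, user_api):
-        super(RoleApi, self).__init__(conf)
-        self._user_api = user_api
-
-    def get(self, role_id, role_filter=None):
-        model = super(RoleApi, self).get(role_id, role_filter)
-        return model
-
-    def create(self, values):
-        return super(RoleApi, self).create(values)
-
-    def update(self, role_id, role):
-        new_name = role.get('name')
-        if new_name is not None:
-            try:
-                old_role = self.get_by_name(new_name)
-                if old_role['id'] != role_id:
-                    raise exception.Conflict(
-                        _('Cannot duplicate name %s') % old_role)
-            except exception.NotFound: # nosec
-                # Another role with the same name doesn't exist, good.
-                pass
-        return super(RoleApi, self).update(role_id, role)
-
-    def delete(self, role_id):
-        super(RoleApi, self).delete(role_id)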
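--- a/PLACEHOLDER_PATH_2_config_options_module
+++ b/PLACEHOLDER_PATH_2_config_options_module
@@ -646,47 +646,6 @@ FILE_OPTIONS = {
                    'mapping format is <ldap_attr>:<user_attr>, where '
                    'ldap_attr is the attribute in the LDAP entry and '
                    'user_attr is the Identity API attribute.'),
-
-        cfg.StrOpt('role_tree_dn',
-                   deprecated_for_removal=True,
-                   help='Search base for roles. '
-                        'Defaults to the suffix value.'),
-        cfg.StrOpt('role_filter',
-                   deprecated_for_removal=True,
-                   help='LDAP search filter for roles.'),
-        cfg.StrOpt('role_objectclass', default='organizationalRole',
-                   deprecated_for_removal=True,
-                   help='LDAP objectclass for roles.'),
-        cfg.StrOpt('role_id_attribute', default='cn',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role id.'),
-        cfg.StrOpt('role_name_attribute', default='ou',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role name.'),
-        cfg.StrOpt('role_member_attribute', default='roleOccupant',
-                   deprecated_for_removal=True,
-                   help='LDAP attribute mapped to role membership.'),
-        cfg.ListOpt('role_attribute_ignore', default=[],
-                    deprecated_for_removal=True,
-                    help='List of attributes stripped off the role on '
-                         'update.'),
-        cfg.BoolOpt('role_allow_create', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role creation in LDAP backend.'),
-        cfg.BoolOpt('role_allow_update', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role update in LDAP backend.'),
-        cfg.BoolOpt('role_allow_delete', default=True,
-                    deprecated_for_removal=True,
-                    help='Allow role deletion in LDAP backend.'),
-        cfg.ListOpt('role_additional_attribute_mapping',
-                    deprecated_for_removal=True,
-                    default=[],
-                    help='Additional attribute mappings for roles. Attribute '
-                         'mapping format is <ldap_attr>:<user_attr>, where '
-                         'ldap_attr is the attribute in the LDAP entry and '
-                         'user_attr is the Identity API attribute.'),
-
         cfg.StrOpt('group_tree_dn',
                    help='Search base for groups. '
                         'Defaults to the suffix value.'),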
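--- a/PLACEHOLDER_PATH_3_ldap_role_backend_unit_tests
+++ /dev/null
@@ -1,72 +0,0 @@
-# -*- coding: utf-8 -*-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-
-from keystone.tests import unit
-from keystone.tests.unit.backend import core_ldap
-from keystone.tests.unit.backend.role import core as core_role
-
-
-CONF = cfg.CONF
-
-
-class LdapRoleCommon(core_ldap.BaseBackendLdapCommon, core_role.RoleTests):
-    """Tests that should be run in every LDAP configuration.
-
-    Include additional tests that are unique to LDAP (or need to be overridden)
-    which should be run for all the various LDAP configurations we test.
-
-    """
-
-    pass
-
-
-class LdapRole(LdapRoleCommon, core_ldap.BaseBackendLdap, unit.TestCase):
-    """Test in an all-LDAP configuration.
-
-    Include additional tests that are unique to LDAP (or need to be overridden)
-    which only need to be run in a basic LDAP configurations.
-
-    """
-
-    def test_configurable_allowed_role_actions(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_configurable_forbidden_role_actions(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_filter(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_attribute_mapping(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-    def test_role_attribute_ignore(self):
-        self.skipTest("An all-LDAP configuration is no longer supported")
-
-
-class LdapIdentitySqlEverythingElseRole(
-        core_ldap.BaseBackendLdapIdentitySqlEverythingElse, LdapRoleCommon,
-        unit.TestCase):
-    """Test Identity in LDAP, Everything else in SQL."""
-
-    pass
-
-
-class LdapIdentitySqlEverythingElseWithMappingRole(
-        LdapIdentitySqlEverythingElseRole,
-        core_ldap.BaseBackendLdapIdentitySqlEverythingElseWithMapping):
-    """Test ID mapping of default LDAP backend."""
-
-    pass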
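--- a/PLACEHOLDER_PATH_4_deprecation_release_note
+++ /dev/null
@@ -1,7 +0,0 @@
----
-deprecations:
-  - >
-    [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
-    Deprecated the LDAP backend for the *role* driver. The keystone team
-    suggests using the SQL backend instead. The LDAP role backend will be
-    removed in the 'O' release.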
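--- a/PLACEHOLDER_PATH_5_removed_as_of_mitaka_release_note
+++ b/PLACEHOLDER_PATH_5_removed_as_of_mitaka_release_note
@@ -34,3 +34,7 @@ other:
     [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
     The LDAP backend for Resource has been removed. This was deprecated in
     the Kilo release.
+  - >
+    [`blueprint removed-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>`_]
+    The LDAP backend for Role has been removed. This was deprecated in the
+    Kilo release.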
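--- a/PLACEHOLDER_PATH_6_entry_points_config
+++ b/PLACEHOLDER_PATH_6_entry_points_config
@@ -133,7 +133,6 @@ keystone.resource.domain_config =
     sql = keystone.resource.config_backends.sql:DomainConfig
 
 keystone.role =
-    ldap = keystone.assignment.role_backends.ldap:Role
     sql = keystone.assignment.role_backends.sql:Role
 
 keystone.token.persistence =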