Cleans up code for is_admin
in tokens
This patch cleans up the code [1] based on comments left in the review. [1] https://review.openstack.org/#/c/240719/ Change-Id: I972621c22afefa9bd5f32caf67fd1bf3b6822a3d
parent
e7023697a8
commit
e923a14afd
@ -387,11 +387,8 @@ FILE_OPTIONS = {
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in a resource collection.'),
|
||||
cfg.StrOpt('admin_project_domain_name',
|
||||
help='Name of the domain that contains the special '
|
||||
'project for performing administrative operations on '
|
||||
'remote services. Tokens scoped to this project will '
|
||||
'contain the key/value `is_admin_project=true`. Defaults '
|
||||
'to None.'),
|
||||
help='Name of the domain that owns the '
|
||||
'`admin_project_name`. Defaults to None.'),
|
||||
cfg.StrOpt('admin_project_name',
|
||||
help='Special project for performing administrative '
|
||||
'operations on remote services. Tokens scoped to '
|
||||
|
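Review bot: The rewritten help for `admin_project_domain_name` no longer says that the option only has an effect as half of a pair. The comparison in `_populate_is_admin_project` sets the flag only when both the project name and the domain name match, so an operator who sets `admin_project_name` and leaves this option at None gets no admin project and no warning. Unless the `admin_project_name` help, which continues outside the hunk, already covers this, consider wording such as `'admin_project_name. Both options must be set for a token to carry is_admin_project. Defaults to None.'`.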
@ -601,6 +601,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
||||
self.assertIn('name', role)
|
||||
|
||||
if is_admin_project:
|
||||
# NOTE(samueldmq): We want to explicitly test for boolean
|
||||
self.assertIs(True, token['is_admin_project'])
|
||||
else:
|
||||
self.assertNotIn('is_admin_project', token)
|
||||
|
@ -253,16 +253,6 @@ class V3TokenDataHelper(object):
|
||||
return filtered_project
|
||||
|
||||
def _populate_scope(self, token_data, domain_id, project_id):
|
||||
# TODO(ayoung): Support the ability for a project acting as a domain
|
||||
# to be the admin project once the rest of the code for domains
|
||||
# acting as projects is merged. Code will likely be:
|
||||
# (r.admin_project_name == None and project['is_domain'] == True
|
||||
# and project['name'] == r.admin_project_domain_name)
|
||||
def _is_admin_project(project):
|
||||
r = CONF.resource
|
||||
return (project['name'] == r.admin_project_name and
|
||||
project['domain']['name'] == r.admin_project_domain_name)
|
||||
|
||||
if 'domain' in token_data or 'project' in token_data:
|
||||
# scope already exist, no need to populate it again
|
||||
return
|
||||
@ -271,8 +261,18 @@ class V3TokenDataHelper(object):
|
||||
token_data['domain'] = self._get_filtered_domain(domain_id)
|
||||
if project_id:
|
||||
token_data['project'] = self._get_filtered_project(project_id)
|
||||
if _is_admin_project(token_data['project']):
|
||||
token_data['is_admin_project'] = True
|
||||
|
||||
def _populate_is_admin_project(self, token_data):
|
||||
# TODO(ayoung): Support the ability for a project acting as a domain
|
||||
# to be the admin project once the rest of the code for projects
|
||||
# acting as domains is merged. Code will likely be:
|
||||
# (r.admin_project_name == None and project['is_domain'] == True
|
||||
# and project['name'] == r.admin_project_domain_name)
|
||||
project = token_data['project']
|
||||
r = CONF.resource
|
||||
if (project['name'] == r.admin_project_name and
|
||||
project['domain']['name'] == r.admin_project_domain_name):
|
||||
token_data['is_admin_project'] = True
|
||||
|
||||
def _get_roles_for_user(self, user_id, domain_id, project_id):
|
||||
roles = []
|
||||
@ -490,6 +490,8 @@ class V3TokenDataHelper(object):
|
||||
token_data['bind'] = bind
|
||||
|
||||
self._populate_scope(token_data, domain_id, project_id)
|
||||
if token_data.get('project'):
|
||||
self._populate_is_admin_project(token_data)
|
||||
self._populate_user(token_data, user_id, trust)
|
||||
self._populate_roles(token_data, user_id, domain_id, project_id, trust,
|
||||
access_token)
|
||||
|
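Review bot: In the last hunk, the new `if token_data.get('project'):` call site runs `_populate_is_admin_project` even when `_populate_scope` returned early because a scope already existed. As a result `is_admin_project` can now be derived from a `project` dict that was not produced by `_get_filtered_project` in this call, whereas the removed code only set it on the freshly looked-up project. Whether that widening is intended is not visible here. If it is, the helper should guard itself by opening with `project = token_data.get('project')` and `if not project: return`, and carry a docstring stating that it reads `project['name']` and `project['domain']['name']` and only ever sets the key to `True`, never `False`. Because this flag feeds access-control decisions on remote services, a unit test for the pre-populated-scope path would pin the behaviour; the calling method's body starts and ends outside the hunk.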
@ -11,4 +11,4 @@ features:
|
||||
evaluating access control policy for an API. Keystone does not yet
|
||||
support the ability for a project acting as a domain to be the
|
||||
admin project. That will be added once the rest of the code for
|
||||
domains acting as projects is merged.
|
||||
projects acting as domains is merged.
|
||||
|