Cleans up code for is_admin in tokens

This patch cleans up the code [1] based on comments left in the review.

[1] https://review.openstack.org/#/c/240719/

Change-Id: I972621c22afefa9bd5f32caf67fd1bf3b6822a3d
Samuel de Medeiros Queiroz
2015-12-07 18:22:58 -03:00
parent e7023697a8
commit e923a14afd
4 changed files with 18 additions and 18 deletions


@@ -387,11 +387,8 @@ FILE_OPTIONS = {
help='Maximum number of entities that will be returned ' help='Maximum number of entities that will be returned '
'in a resource collection.'), 'in a resource collection.'),
cfg.StrOpt('admin_project_domain_name', cfg.StrOpt('admin_project_domain_name',
help='Name of the domain that contains the special ' help='Name of the domain that owns the '
'project for performing administrative operations on ' '`admin_project_name`. Defaults to None.'),
'remote services. Tokens scoped to this project will '
'contain the key/value `is_admin_project=true`. Defaults '
'to None.'),
cfg.StrOpt('admin_project_name', cfg.StrOpt('admin_project_name',
help='Special project for performing administrative ' help='Special project for performing administrative '
'operations on remote services. Tokens scoped to ' 'operations on remote services. Tokens scoped to '
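Review bot: The shortened help for `admin_project_domain_name` no longer tells an operator that the option only matters in combination with `admin_project_name`. The check in the token provider requires both the project name and its domain name to match, so setting one and leaving the other at None would, as far as the visible code shows, silently never produce `is_admin_project`. Since this flag feeds access-control decisions on remote services, I would append a sentence to the help string such as `'Has no effect unless admin_project_name is also set. '` before the "Defaults to None." part. The FILE_OPTIONS dict starts and ends outside this hunk.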


@@ -601,6 +601,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
self.assertIn('name', role) self.assertIn('name', role)
if is_admin_project: if is_admin_project:
# NOTE(samueldmq): We want to explicitly test for boolean
self.assertIs(True, token['is_admin_project']) self.assertIs(True, token['is_admin_project'])
else: else:
self.assertNotIn('is_admin_project', token) self.assertNotIn('is_admin_project', token)


@@ -253,16 +253,6 @@ class V3TokenDataHelper(object):
return filtered_project return filtered_project
def _populate_scope(self, token_data, domain_id, project_id): def _populate_scope(self, token_data, domain_id, project_id):
# TODO(ayoung): Support the ability for a project acting as a domain
# to be the admin project once the rest of the code for domains
# acting as projects is merged. Code will likely be:
# (r.admin_project_name == None and project['is_domain'] == True
# and project['name'] == r.admin_project_domain_name)
def _is_admin_project(project):
r = CONF.resource
return (project['name'] == r.admin_project_name and
project['domain']['name'] == r.admin_project_domain_name)
if 'domain' in token_data or 'project' in token_data: if 'domain' in token_data or 'project' in token_data:
# scope already exist, no need to populate it again # scope already exist, no need to populate it again
return return
@@ -271,8 +261,18 @@ class V3TokenDataHelper(object):
token_data['domain'] = self._get_filtered_domain(domain_id) token_data['domain'] = self._get_filtered_domain(domain_id)
if project_id: if project_id:
token_data['project'] = self._get_filtered_project(project_id) token_data['project'] = self._get_filtered_project(project_id)
if _is_admin_project(token_data['project']):
token_data['is_admin_project'] = True def _populate_is_admin_project(self, token_data):
# TODO(ayoung): Support the ability for a project acting as a domain
# to be the admin project once the rest of the code for projects
# acting as domains is merged. Code will likely be:
# (r.admin_project_name == None and project['is_domain'] == True
# and project['name'] == r.admin_project_domain_name)
project = token_data['project']
r = CONF.resource
if (project['name'] == r.admin_project_name and
project['domain']['name'] == r.admin_project_domain_name):
token_data['is_admin_project'] = True
def _get_roles_for_user(self, user_id, domain_id, project_id): def _get_roles_for_user(self, user_id, domain_id, project_id):
roles = [] roles = []
@@ -490,6 +490,8 @@ class V3TokenDataHelper(object):
token_data['bind'] = bind token_data['bind'] = bind
self._populate_scope(token_data, domain_id, project_id) self._populate_scope(token_data, domain_id, project_id)
if token_data.get('project'):
self._populate_is_admin_project(token_data)
self._populate_user(token_data, user_id, trust) self._populate_user(token_data, user_id, trust)
self._populate_roles(token_data, user_id, domain_id, project_id, trust, self._populate_roles(token_data, user_id, domain_id, project_id, trust,
access_token) access_token)
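Review bot: `_populate_is_admin_project` is now called whenever `token_data` has a project, which appears to include the case where `_populate_scope` returned early because the scope already existed. In that case `project['domain']['name']` is read from a dict that `_get_filtered_project` may not have built. The old nested helper seems to have run only on a freshly populated project, so this is a behaviour change in a privilege-bearing flag, although the commit message describes cleanup only. A unit test that passes a pre-populated project through this path would pin it. The new method also depends on the caller's `token_data.get('project')` guard, so I would record that with a docstring such as `"""Flag the token as admin-project scoped; expects token_data['project'] to be populated."""`. The method that contains the last hunk starts and ends outside it.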


@@ -11,4 +11,4 @@ features:
evaluating access control policy for an API. Keystone does not yet evaluating access control policy for an API. Keystone does not yet
support the ability for a project acting as a domain to be the support the ability for a project acting as a domain to be the
admin project. That will be added once the rest of the code for admin project. That will be added once the rest of the code for
domains acting as projects is merged. projects acting as domains is merged.