There is nothing backend specific in getting the list of roles
for a user-domain, so we should move this function into backends
core. This also has the effect of now ensuring that the kvs and ldap
support will work, provided the specific backend supports roles on
users and domains. This is true today for kvs, but support in ldap
for domains is gated by other bugs.
Fixes bug #1131769
Change-Id: Id99accb33fd7cd8d6c37e64e140552c5bfe68349
Only do the lookup if the scope is not ONELEVEL
For ONELEVEL, there is no point in paying the price of the lookup.
If the object is not found for scoped queries, return the top level
DN so the object can be created.
Bug 1131265
Change-Id: I1ca41bf87c3bdea30fbdf607b19192f37dd0bfd6
Creates a separate name space for each domain for the name attribute of
user, groups and projects - meaning that the names of these entities
only have to be unique within that domain.
Implementation of this within the SQL backends is handled by simply
changing the uniqueness constraints on the relevant attributes. KVS
and LDAP backends do not yet support domain separation (blocked by
existing restrictions, already raised as bugs).
An issue exists for the downward migration with this change in that
if the database has been used and populated with the name space in place
then the downward migration may fail due to clashing names when you
try and revert to a global name space (raised as a separate bug)
This patch also improves the group support in the KVS backend and
cleans up string quoting in the 016 migration functions, and fixes an
issue where the SQL update_project was not updating a change in domain_id.
Change-Id: I8f0df0e1bf84bfd26b8ef5505fe5fafd930dc78b
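The per-domain name space and the downgrade problem described in the commit message above, as an added example that is not part of the commit or of Keystone's code. The `users` table, its columns and the sample rows are hypothetical and constructed for illustration; only the idea of switching the uniqueness constraint from the name alone to the (domain, name) pair comes from the message.

```python
import sqlite3

def make_db(domain_scoped):
    """Hypothetical users table with per-domain or global name uniqueness."""
    db = sqlite3.connect(":memory:")
    unique = "UNIQUE (domain_id, name)" if domain_scoped else "UNIQUE (name)"
    db.execute(
        "CREATE TABLE users (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL, "
        f"name TEXT NOT NULL, {unique})"
    )
    return db

def try_insert(db, row):
    """Insert one row; return False if a uniqueness constraint rejects it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO users VALUES (?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False

def downgrade_clashes(db):
    """Names present in more than one domain. These rows would violate a
    global UNIQUE (name) constraint, so check for them before downgrading."""
    query = (
        "SELECT name FROM users GROUP BY name "
        "HAVING COUNT(DISTINCT domain_id) > 1 ORDER BY name"
    )
    return [name for (name,) in db.execute(query)]

# Constructed sample data: the same user name in two different domains.
ROWS = [
    ("u1", "domain_a", "alice"),
    ("u2", "domain_b", "alice"),
    ("u3", "domain_a", "bob"),
]

def demo():
    scoped, flat = make_db(True), make_db(False)
    scoped_ok = [try_insert(scoped, r) for r in ROWS]
    flat_ok = [try_insert(flat, r) for r in ROWS]
    # A duplicate inside one domain is still rejected with scoping in place.
    same_domain_dup = try_insert(scoped, ("u4", "domain_a", "alice"))
    return scoped_ok, flat_ok, same_domain_dup, downgrade_clashes(scoped)

if __name__ == "__main__":
    print(demo())
```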
add list_projects
mod list_groups, list_domains, get_project_users to match sql response
not adding list_user_projects
fix list_projects to return refs
drop get_projects and get_all_projects
Change-Id: Ifa1433918b8770cd7d59f36f71f2e6b935625ae5
These changes lay the groundwork for the implementation of
domain-scoping, but are benign in that they don't change the token.
They include making domain_id a first-class attribute in the user
and project entity (i.e. move it out of the 'extra' attribute),
filling in domain grant and project support for the kvs backend and
fixing a series of issues in the migration to make it work for both
MySQL, Postgresql and sqlite.
A further, separate, commit will actually provide the code to
update the actual tokens once the v3 token support has been added.
blueprint domain-scoping
blueprint default-domain
Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
A continuation of the process to convert the term tenant
to project. These changes should only be visible in the
error messages produced, but should otherwise be
undetectable by calling programs.
Removes the TenantNotFound exception which propagates changes through
the code that calls the backends as well
Change-Id: I998a44bfd6aa85f67d58904bd7af25a56c73d48a
This implements the server side of groups of users. This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.
blueprint user-groups
The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:
1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)
This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend. In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)
DocImpact
Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
Fixtures are created before every test, so each fixture adds a
considerable amount of overhead to the overall test suite.
This patch attempts to eliminate fixtures utilized by only a few tests
in favor of re-cycling as many fixtures as possible. As a result, a few
tests are refactored to depend on different fixtures.
Change-Id: Idd4dcef5e38e304d19110c61886887fb64b4d658
implementations of delete_tenant, delete_user,
remove_role_from_user_and_tenant, get_tenant_users
role.delete_user and remove_role_from_user_and_tenant
remove_user_from_tenant, change_ role
clean up LDAP sample data for live LDAP
properly check for existence of tenant_id in user.
Some tests expected the functions to be unimplemented. Those hid the
failures on the LDAP Identity provider and have been removed.
Make live tests extend the standard LDAP tests, so they test the same features.
Bug 1021315
Change-Id: I2866ff40fdc13040ba10d189ea2d95440eb4395c
Fixes bug 1022575
Making change to tests/*py to pass pep8 tests.
pep8 tests started failing following
39b20acc933cb0fdf73075ddb9a9d82665b84b23 update pep8 to 1.3.3
04df79b64e5f2296df03579700535774e158f623 include tests dir in pep8 tests
Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
Fixes bug 1021508
Test code should be as pep8 compliant as source code, however right now
'run_tests.sh' only runs pep8 for source code.
Change-Id: I877493a8bf6f28bef71fe2aca6f188a75798225f
instead of
cn=example,cn=com,ou=Users
code now generates
ou=Users,cn=example,cn=com
Getting stricter in testing and adding some regression testing
Fixes Bug 980209
Change-Id: Ib97e6cb00848ea183c7e1f2b2589b25924a08caa
The goal is to move the responsibility of reference checks away from
controllers and into the underlying managers & drivers, which can
handle the task with equal or greater efficiency.
- Tenant references from create_user/update_user are NOT tested
due to inconsistencies between backends
- Additional test coverage improvements
Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
bug 1006334, and bug 1006344.
Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537
ldap was accidentally supplying some of its own values rather than using
the built-in fixtures, so it was providing the incorrect interface for a
couple calls.
also adds a test for get_user_by_name (skipped for ldap) and
standardizes the kvs and ldap authenticate calls
fix user authentication live ldap tests
Change-Id: If1ccce1fd9c84622bb89344bc5d5c59b059d03ae
Bug 933852
Merged over the code from the legacy keystone implementation, updated
style and streamlined the API a bit.
* Unit tests can be run against a live OpenLDAP server
* Password hashing done via passlib. Only does salted sha1, which is what simple_bind requires, but is not secure.
* Added pip dependencies
Change-Id: I5296d94f6b7d0a7c7dbc887cdae872171e34bb5f
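The salted SHA-1 format mentioned in the commit message above, assuming it refers to the LDAP `{SSHA}` userPassword scheme, shown as an added example that is not part of the commit or of Keystone's code. It uses only the standard library rather than passlib; the 4-byte salt, the function names and the sample directory values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt

def make_ssha(password, salt=None):
    """Build '{SSHA}' + base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_ssha(value):
    """Split an {SSHA} value into (digest, salt); reject malformed input."""
    if not value.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value carries no salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def verify_ssha(password, value):
    """Recompute the digest with the stored salt, compare in constant time."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Single-round digests: one hash call per guess, so offline guessing is cheap
# even when a salt is present. The salt only prevents precomputed tables.
FAST_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5"}

def audit(entries):
    """Return the uids whose userPassword uses a fast, single-round scheme."""
    flagged = []
    for uid, value in entries:
        scheme = value[1:value.index("}")].upper() if value.startswith("{") else ""
        if scheme in FAST_SCHEMES:
            flagged.append(uid)
    return flagged

# Constructed sample directory entries (uid, userPassword).
SAMPLE = [
    ("alice", make_ssha("correct horse", b"\x01\x02\x03\x04")),
    ("bob", "{CRYPT}$6$constructed$placeholder"),
]

if __name__ == "__main__":
    print(verify_ssha("correct horse", SAMPLE[0][1]), audit(SAMPLE))
```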