Merge "Cleanup keystone service parameters"

2019-07-10 18:40:04 +00:00 · 2019-07-10 18:40:04 +00:00 · 11de89dc71
parent c57f93a2d3 dc61f84b34
commit 11de89dc71
6 changed files with 0 additions and 365 deletions
--- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py
+++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py
@ -624,31 +624,6 @@ class ServiceParameterController(rest.RestController):
                pass
            raise wsme.exc.ClientSideError(str(e.value))

-    @staticmethod
-    def _service_parameter_apply_semantic_check_identity():
-        """ Perform checks for the Identity Service Type."""
-        identity_driver = pecan.request.dbapi.service_parameter_get_one(
-            service=constants.SERVICE_TYPE_IDENTITY,
-            section=constants.SERVICE_PARAM_SECTION_IDENTITY_IDENTITY,
-            name=constants.SERVICE_PARAM_IDENTITY_DRIVER)
-
-        # Check that the LDAP URL is specified if the identity backend is LDAP
-        if (identity_driver.value ==
-                constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_LDAP):
-            try:
-                pecan.request.dbapi.service_parameter_get_one(
-                    service=constants.SERVICE_TYPE_IDENTITY,
-                    section=constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP,
-                    name=service_parameter.SERVICE_PARAM_IDENTITY_LDAP_URL)
-            except exception.NotFound:
-                msg = _("Unable to apply service parameters. "
-                        "Missing service parameter '%s' for service '%s' "
-                        "in section '%s'." % (
-                            service_parameter.SERVICE_PARAM_IDENTITY_LDAP_URL,
-                            constants.SERVICE_TYPE_IDENTITY,
-                            constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP))
-                raise wsme.exc.ClientSideError(msg)
-
    @staticmethod
    def _service_parameter_apply_semantic_check_mtce():
        """Semantic checks for the Platform Maintenance Service Type """
@ -718,9 +693,6 @@ class ServiceParameterController(rest.RestController):
                    raise wsme.exc.ClientSideError(msg)

        # Apply service specific semantic checks
-        if service == constants.SERVICE_TYPE_IDENTITY:
-            self._service_parameter_apply_semantic_check_identity()
-
        if service == constants.SERVICE_TYPE_PLATFORM:
            self._service_parameter_apply_semantic_check_mtce()

--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@ -909,9 +909,6 @@ SERVICE_TYPE_OPENSTACK = 'openstack'
 SERVICE_PARAM_SECTION_IRONIC_NEUTRON = 'neutron'
 SERVICE_PARAM_SECTION_IRONIC_PXE = 'pxe'

-SERVICE_PARAM_SECTION_IDENTITY_ASSIGNMENT = 'assignment'
-SERVICE_PARAM_SECTION_IDENTITY_IDENTITY = 'identity'
-SERVICE_PARAM_SECTION_IDENTITY_LDAP = 'ldap'
 SERVICE_PARAM_SECTION_IDENTITY_CONFIG = 'config'

 SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION = 'token_expiration'
@ -931,17 +928,6 @@ SERVICE_PARAM_NAME_IRONIC_CONTROLLER_1_NIC = 'controller_1_if'
 SERVICE_PARAM_NAME_IRONIC_NETMASK = 'netmask'
 SERVICE_PARAM_NAME_IRONIC_PROVISIONING_NETWORK = 'provisioning_network'
 SERVICE_PARAM_SECTION_HORIZON_AUTH = 'auth'
-SERVICE_PARAM_ASSIGNMENT_DRIVER = 'driver'
-SERVICE_PARAM_IDENTITY_DRIVER = 'driver'
-
-SERVICE_PARAM_IDENTITY_SERVICE_BACKEND_SQL = 'sql'
-SERVICE_PARAM_IDENTITY_SERVICE_BACKEND_LDAP = 'ldap'
-
-SERVICE_PARAM_IDENTITY_ASSIGNMENT_DRIVER_SQL = 'sql'
-SERVICE_PARAM_IDENTITY_ASSIGNMENT_DRIVER_LDAP = 'ldap'
-
-SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_SQL = 'sql'
-SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_LDAP = 'ldap'

 SERVICE_PARAM_HORIZON_AUTH_LOCKOUT_PERIOD_SEC = \
    'lockout_seconds'
--- a/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
@ -7,8 +7,6 @@
 # coding=utf-8
 #

-import ldap
-import ldapurl
 import netaddr
 import pecan
 import re
@ -99,54 +97,6 @@ def _validate_zero_or_range(name, value, min, max):
            "Parameter '%s' must be an integer value." % name))


-def _validate_ldap_url(name, value):
-
-    url = urlparse(value)
-
-    if cutils.is_valid_ip(url.hostname):
-        try:
-            ip_addr = netaddr.IPNetwork(url.hostname)
-        except netaddr.core.AddrFormatError:
-            raise wsme.exc.ClientSideError(_(
-                "Invalid IP address for LDAP url"))
-        if ip_addr.is_loopback():
-            raise wsme.exc.ClientSideError(_(
-                "LDAP server must not be loopback."))
-    elif url.hostname:
-        if constants.LOCALHOST_HOSTNAME in url.hostname.lower():
-            raise wsme.exc.ClientSideError(_(
-                "LDAP server must not be localhost."))
-
-    try:
-        ldapurl.LDAPUrl(value)
-    except ValueError as ve:
-        raise wsme.exc.ClientSideError(_(
-            "Invalid LDAP url format: %s" % str(ve)))
-
-
-def _validate_ldap_dn(name, value):
-    try:
-        ldap.dn.str2dn(value)
-    except ldap.DECODING_ERROR:
-        raise wsme.exc.ClientSideError(_(
-            "Parameter '%s' must be a valid LDAP DN value" % name))
-
-
-def _validate_assignment_driver(name, value):
-    values = [constants.SERVICE_PARAM_IDENTITY_ASSIGNMENT_DRIVER_SQL]
-    if value not in values:
-        raise wsme.exc.ClientSideError(_(
-            "Identity assignment driver must be one of: %s" % values))
-
-
-def _validate_identity_driver(name, value):
-    values = [constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_SQL,
-              constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_LDAP]
-    if value not in values:
-        raise wsme.exc.ClientSideError(_(
-            "Identity identity driver must be one of: %s" % values))
-
-
 def _validate_neutron_ml2_mech(name, value):
    allowed = constants.SERVICE_PARAM_NETWORK_ML2_MECH_DRIVERS
    # can accept multiple comma separated values
@ -467,65 +417,8 @@ def _validate_domain(name, value):
            (name, value)))


-# LDAP Identity Service Parameters (mandatory)
-SERVICE_PARAM_IDENTITY_LDAP_URL = 'url'
-
-IDENTITY_ASSIGNMENT_PARAMETER_MANDATORY = [
-    'driver'
-]
-
-IDENTITY_IDENTITY_PARAMETER_MANDATORY = [
-    'driver'
-]
-
-# LDAP Identity Service Parameters (optional)
-IDENTITY_LDAP_PARAMETER_OPTIONAL = [
-    'url', 'user', 'password', 'suffix',
-    'user_tree_dn', 'user_objectclass',
-    'use_dumb_member', 'dumb_member',
-    'query_scope', 'page_size', 'debug_level',
-
-    'user_filter', 'user_id_attribute',
-    'user_name_attribute', 'user_mail_attribute',
-    'user_enabled_attribute', 'user_enabled_mask',
-    'user_enabled_default', 'user_enabled_invert',
-    'user_attribute_ignore',
-    'user_default_project_id_attribute',
-    'user_allow_create', 'user_allow_update', 'user_allow_delete',
-    'user_pass_attribute', 'user_enabled_emulation',
-    'user_enabled_emulation_dn',
-    'user_additional_attribute_mapping',
-
-    'group_tree_dn', 'group_filter',
-    'group_objectclass', 'group_id_attribute',
-    'group_name_attribute', 'group_member_attribute',
-    'group_desc_attribute', 'group_attribute_ignore',
-    'group_allow_create', 'group_allow_update', 'group_allow_delete',
-    'group_additional_attribute_mapping',
-
-    'use_tls', 'tls_cacertdir',
-    'tls_cacertfile', 'tls_req_cert',
-
-    'use_pool', 'pool_size',
-    'pool_retry_max', 'pool_retry_delay',
-    'pool_connection_timeout', 'pool_connection_lifetime',
-    'use_auth_pool', 'auth_pool_size',
-    'auth_pool_connection_lifetime',
-]
-
-# obfuscate these fields on list/show operations
-IDENTITY_LDAP_PROTECTED_PARAMETERS = ['password']
-
-IDENTITY_IDENTITY_PARAMETER_DATA_FORMAT = {
-    constants.SERVICE_PARAM_IDENTITY_DRIVER: SERVICE_PARAMETER_DATA_FORMAT_SKIP,
-}
-
 NETWORK_ODL_PROTECTED_PARAMETERS = [constants.SERVICE_PARAM_NAME_ML2_ODL_PASSWORD]

-IDENTITY_ADMIN_ENDPOINT_TYPE_PARAMETER_OPTIONAL = [
-    constants.SERVICE_PARAM_PARAMETER_NAME_EXTERNAL_ADMINURL,
-]
-
 IRONIC_NEUTRON_PARAMETER_OPTIONAL = [
    constants.SERVICE_PARAM_NAME_IRONIC_PROVISIONING_NETWORK,
 ]
@ -612,88 +505,6 @@ IDENTITY_CONFIG_PARAMETER_OPTIONAL = [
    constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION,
 ]

-
-# LDAP Identity Service Parameters Validator
-IDENTITY_LDAP_PARAMETER_VALIDATOR = {
-    'url': _validate_ldap_url,
-    'use_dumb_member': _validate_boolean,
-    'user_enabled_invert': _validate_boolean,
-    'user_enabled_emulation': _validate_boolean,
-    'user_allow_create': _validate_boolean,
-    'user_allow_update': _validate_boolean,
-    'user_allow_delete': _validate_boolean,
-    'group_allow_create': _validate_boolean,
-    'group_allow_update': _validate_boolean,
-    'group_allow_delete': _validate_boolean,
-    'use_tls': _validate_boolean,
-    'use_pool': _validate_boolean,
-    'pool_size': _validate_integer,
-    'pool_retry_max': _validate_integer,
-    'pool_retry_delay': _validate_float,
-    'pool_connection_timeout': _validate_integer,
-    'pool_connection_lifetime': _validate_integer,
-    'use_auth_pool': _validate_boolean,
-    'auth_pool_size': _validate_integer,
-    'auth_pool_connection_lifetime': _validate_integer,
-    'user': _validate_ldap_dn,
-    'suffix': _validate_ldap_dn,
-    'dumb_member': _validate_ldap_dn,
-    'user_tree_dn': _validate_ldap_dn,
-    'user_enabled_emulation_dn': _validate_ldap_dn,
-}
-
-IDENTITY_LDAP_PARAMETER_RESOURCE = {
-    'url': None,
-    'use_dumb_member': None,
-    'user_enabled_invert': None,
-    'user_enabled_emulation': None,
-    'user_allow_create': None,
-    'user_allow_update': None,
-    'user_allow_delete': None,
-    'group_allow_create': None,
-    'group_allow_update': None,
-    'group_allow_delete': None,
-    'use_tls': None,
-    'use_pool': None,
-    'pool_size': None,
-    'pool_retry_max': None,
-    'pool_retry_delay': None,
-    'pool_connection_timeout': None,
-    'pool_connection_lifetime': None,
-    'use_auth_pool': None,
-    'auth_pool_size': None,
-    'auth_pool_connection_lifetime': None,
-    'user': None,
-    'suffix': None,
-    'dumb_member': None,
-    'user_tree_dn': None,
-    'user_enabled_emulation_dn': None,
-}
-
-IDENTITY_ASSIGNMENT_PARAMETER_VALIDATOR = {
-    constants.SERVICE_PARAM_ASSIGNMENT_DRIVER: _validate_assignment_driver,
-}
-
-IDENTITY_ASSIGNMENT_PARAMETER_RESOURCE = {
-    constants.SERVICE_PARAM_ASSIGNMENT_DRIVER: None,
-}
-
-IDENTITY_IDENTITY_PARAMETER_VALIDATOR = {
-    constants.SERVICE_PARAM_IDENTITY_DRIVER: _validate_identity_driver,
-}
-
-IDENTITY_IDENTITY_PARAMETER_RESOURCE = {
-    constants.SERVICE_PARAM_IDENTITY_DRIVER: 'keystone::ldap::identity_driver',
-}
-
-IDENTITY_ADMIN_ENDPOINT_TYPE_PARAMETER_VALIDATOR = {
-    constants.SERVICE_PARAM_PARAMETER_NAME_EXTERNAL_ADMINURL: cutils.validate_yes_no,
-}
-
-IDENTITY_ADMIN_ENDPOINT_TYPE_PARAMETER_RESOURCE = {
-    constants.SERVICE_PARAM_PARAMETER_NAME_EXTERNAL_ADMINURL: None,
-}
-
 IDENTITY_CONFIG_PARAMETER_VALIDATOR = {
    constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION:
        _validate_token_expiry_time,
@ -1047,23 +858,6 @@ SERVICE_VALUE_PROTECTION_MASK = "****"

 SERVICE_PARAMETER_SCHEMA = {
    constants.SERVICE_TYPE_IDENTITY: {
-        constants.SERVICE_PARAM_SECTION_IDENTITY_ASSIGNMENT: {
-            SERVICE_PARAM_MANDATORY: IDENTITY_ASSIGNMENT_PARAMETER_MANDATORY,
-            SERVICE_PARAM_VALIDATOR: IDENTITY_ASSIGNMENT_PARAMETER_VALIDATOR,
-            SERVICE_PARAM_RESOURCE: IDENTITY_ASSIGNMENT_PARAMETER_RESOURCE,
-        },
-        constants.SERVICE_PARAM_SECTION_IDENTITY_IDENTITY: {
-            SERVICE_PARAM_MANDATORY: IDENTITY_IDENTITY_PARAMETER_MANDATORY,
-            SERVICE_PARAM_VALIDATOR: IDENTITY_IDENTITY_PARAMETER_VALIDATOR,
-            SERVICE_PARAM_RESOURCE: IDENTITY_IDENTITY_PARAMETER_RESOURCE,
-            SERVICE_PARAM_DATA_FORMAT: IDENTITY_IDENTITY_PARAMETER_DATA_FORMAT,
-        },
-        constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP: {
-            SERVICE_PARAM_OPTIONAL: IDENTITY_LDAP_PARAMETER_OPTIONAL,
-            SERVICE_PARAM_VALIDATOR: IDENTITY_LDAP_PARAMETER_VALIDATOR,
-            SERVICE_PARAM_RESOURCE: IDENTITY_LDAP_PARAMETER_RESOURCE,
-            SERVICE_PARAM_PROTECTED: IDENTITY_LDAP_PROTECTED_PARAMETERS,
-        },
        constants.SERVICE_PARAM_SECTION_IDENTITY_CONFIG: {
            SERVICE_PARAM_OPTIONAL: IDENTITY_CONFIG_PARAMETER_OPTIONAL,
            SERVICE_PARAM_VALIDATOR: IDENTITY_CONFIG_PARAMETER_VALIDATOR,
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -408,16 +408,6 @@ class ConductorManager(service.PeriodicService):
            self._generate_dnsmasq_hosts_file()

    DEFAULT_PARAMETERS = [
-        {'service': constants.SERVICE_TYPE_IDENTITY,
-         'section': constants.SERVICE_PARAM_SECTION_IDENTITY_ASSIGNMENT,
-         'name': constants.SERVICE_PARAM_ASSIGNMENT_DRIVER,
-         'value': constants.SERVICE_PARAM_IDENTITY_ASSIGNMENT_DRIVER_SQL
-         },
-        {'service': constants.SERVICE_TYPE_IDENTITY,
-         'section': constants.SERVICE_PARAM_SECTION_IDENTITY_IDENTITY,
-         'name': constants.SERVICE_PARAM_IDENTITY_DRIVER,
-         'value': constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_SQL
-         },
        {'service': constants.SERVICE_TYPE_IDENTITY,
         'section': constants.SERVICE_PARAM_SECTION_IDENTITY_CONFIG,
         'name': constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION,
--- a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
@ -156,13 +156,7 @@ class KeystonePuppet(openstack.OpenstackBasePuppet):
        if service_parameters is None:
            return {}

-        identity_backend = self._service_parameter_lookup_one(
-            service_parameters,
-            constants.SERVICE_PARAM_SECTION_IDENTITY_IDENTITY,
-            constants.SERVICE_PARAM_IDENTITY_DRIVER,
-            constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_SQL)
        config = {
-            'keystone::ldap::identity_driver': identity_backend,
            'openstack::keystone::params::token_expiration':
                self._service_parameter_lookup_one(
                    service_parameters,
@ -171,64 +165,6 @@ class KeystonePuppet(openstack.OpenstackBasePuppet):
                    constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION_DEFAULT),
        }

-        if identity_backend == constants.SERVICE_PARAM_IDENTITY_IDENTITY_DRIVER_LDAP:
-            # If Keystone's Identity backend has been specified as
-            # LDAP, then redirect that to Titanium's Hybrid driver
-            # which is an abstraction over both the SQL and LDAP backends,
-            # since we still need to support SQL backend operations, without
-            # necessarily moving it into a separate domain
-            config['keystone::ldap::identity_driver'] = 'hybrid'
-
-            basic_options = ['url', 'suffix', 'user', 'password',
-                             'user_tree_dn', 'user_objectclass',
-                             'query_scope',
-                             'page_size', 'debug_level']
-            use_tls = self._service_parameter_lookup_one(
-                service_parameters,
-                constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP,
-                'use_tls', False)
-            if use_tls:
-                tls_options = ['use_tls', 'tls_cacertdir', 'tls_cacertfile',
-                               'tls_req_cert']
-                basic_options.extend(tls_options)
-
-            user_options = ['user_filter', 'user_id_attribute',
-                            'user_name_attribute', 'user_mail_attribute',
-                            'user_enabled_attribute', 'user_enabled_mask',
-                            'user_enabled_default', 'user_enabled_invert',
-                            'user_attribute_ignore',
-                            'user_default_project_id_attribute',
-                            'user_pass_attribute',
-                            'user_enabled_emulation',
-                            'user_enabled_emulation_dn',
-                            'user_additional_attribute_mapping']
-            basic_options.extend(user_options)
-
-            group_options = ['group_tree_dn', 'group_filter',
-                             'group_objectclass', 'group_id_attribute',
-                             'group_name_attribute', 'group_member_attribute',
-                             'group_desc_attribute', 'group_attribute_ignore',
-                             'group_additional_attribute_mapping']
-            basic_options.extend(group_options)
-
-            use_pool = self._service_parameter_lookup_one(
-                service_parameters,
-                constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP,
-                'use_pool', False)
-            if use_pool:
-                pool_options = ['use_pool', 'pool_size', 'pool_retry_max',
-                                'pool_retry_delay', 'pool_connection_timeout',
-                                'pool_connection_lifetime', 'use_auth_pool',
-                                'auth_pool_size',
-                                'auth_pool_connection_lifetime']
-                basic_options.extend(pool_options)
-
-            for opt in basic_options:
-                config.update(self._format_service_parameter(
-                    service_parameters,
-                    constants.SERVICE_PARAM_SECTION_IDENTITY_LDAP,
-                    'keystone::ldap::', opt))
-
        return config

    @staticmethod
--- a/sysinv/sysinv/sysinv/sysinv/tests/test_utils.py
+++ b/sysinv/sysinv/sysinv/sysinv/tests/test_utils.py
@ -20,7 +20,6 @@ import mock
 import os
 import os.path
 import tempfile
-import wsme

 import netaddr
 from oslo_config import cfg
@ -28,7 +27,6 @@ from oslo_config import cfg
 from mox3 import mox
 from six.moves import builtins
 from sysinv.common import exception
-from sysinv.common import service_parameter
 from sysinv.common import utils
 from sysinv.tests import base

@ -360,44 +358,3 @@ class IntLikeTestCase(base.TestCase):
        self.assertFalse(
            utils.is_int_like("0cc3346e-9fef-4445-abe6-5d2b2690ec64"))
        self.assertFalse(utils.is_int_like("a1"))
-
-
-class LDAPTestCase(base.TestCase):
-
-    def test_ldapurl(self):
-        # Bad Network address is not acceptable as ldap url
-        ldap_url = 'ldap://127'
-        self.assertRaises(wsme.exc.ClientSideError,
-                          service_parameter._validate_ldap_url,
-                          'foo',
-                          ldap_url)
-
-        # loopback is not acceptable as ldap url
-        ldap_url = 'ldap://127.0.0.1'
-        self.assertRaises(wsme.exc.ClientSideError,
-                          service_parameter._validate_ldap_url,
-                          'foo',
-                          ldap_url)
-
-        # localhost is not acceptable as ldap url
-        ldap_url = 'ldap://localhost:1234'
-        self.assertRaises(wsme.exc.ClientSideError,
-                          service_parameter._validate_ldap_url,
-                          'foo',
-                          ldap_url)
-
-        # A valid ldap URL should not raise an exception
-        ldap_url = 'ldap://dns.example.com:389'
-        service_parameter._validate_ldap_url('foo', ldap_url)
-
-    def test_ldap_dn(self):
-        # A poorly formatted ldap DN will raise a ClientSideError
-        ldap_dn = 'this is not a valid ldap dn'
-        self.assertRaises(wsme.exc.ClientSideError,
-                          service_parameter._validate_ldap_dn,
-                          'foo',
-                          ldap_dn)
-
-        # A valid DN will not raise a ClientSideError
-        ldap_dn = 'uid=john.doe,ou=People,dc=example,dc=com'
-        service_parameter._validate_ldap_dn('foo', ldap_dn)