Adding support for choosing a schema version, so that users can more easily migrate from an old schema to the new schema.

nova/auth/ldapdriver.py

@@ -32,6 +32,8 @@ from nova import flags
 
 
 FLAGS = flags.FLAGS
+flags.DEFINE_integer('ldap_schema_version', 1,
+                     'Current version of the LDAP schema')
 flags.DEFINE_string('ldap_url', 'ldap://localhost',
                     'Point this at your ldap server')
 flags.DEFINE_string('ldap_password', 'changeme', 'LDAP password')
@@ -75,10 +77,20 @@ class LdapDriver(object):
     Defines enter and exit and therefore supports the with/as syntax.
     """
 
+    project_pattern = '(owner=*)'
+    isadmin_attribute = 'isNovaAdmin'
+    project_attribute = 'owner'
+    project_objectclass = 'groupOfNames'
+
     def __init__(self):
         """Imports the LDAP module"""
         self.ldap = __import__('ldap')
         self.conn = None
+        if FLAGS.ldap_schema_version == 1:
+            LdapDriver.project_pattern = '(objectclass=novaProject)'
+            LdapDriver.isadmin_attribute = 'isAdmin'
+            LdapDriver.project_attribute = 'projectManager'
+            LdapDriver.project_objectclass = 'novaProject'
 
     def __enter__(self):
         """Creates the connection to LDAP"""
@@ -106,7 +118,7 @@ class LdapDriver(object):
         """Retrieve project by id"""
         dn = 'cn=%s,%s' % (pid,
                            FLAGS.ldap_project_subtree)
-        attr = self.__find_object(dn, '(owner=*)')
+        attr = self.__find_object(dn, LdapDriver.project_pattern)
         return self.__to_project(attr)
 
     def get_users(self):
@@ -122,7 +134,7 @@ class LdapDriver(object):
 
     def get_projects(self, uid=None):
         """Retrieve list of projects"""
-        pattern = '(owner=*)'
+        pattern = LdapDriver.project_pattern
         if uid:
             pattern = "(&%s(member=%s))" % (pattern, self.__uid_to_dn(uid))
         attrs = self.__find_objects(FLAGS.ldap_project_subtree,
@@ -152,11 +164,11 @@ class LdapDriver(object):
                 else:
                     attr.append((self.ldap.MOD_ADD, 'accessKey', \
                     [access_key]))
-                if 'isNovaAdmin' in user.keys():
-                    attr.append((self.ldap.MOD_REPLACE, 'isNovaAdmin', \
+                if LdapDriver.isadmin_attribute in user.keys():
+                    attr.append((self.ldap.MOD_REPLACE, LdapDriver.isadmin_attribute, \
                     [str(is_admin).upper()]))
                 else:
-                    attr.append((self.ldap.MOD_ADD, 'isNovaAdmin', \
+                    attr.append((self.ldap.MOD_ADD, LdapDriver.isadmin_attribute, \
                     [str(is_admin).upper()]))
                 self.conn.modify_s(self.__uid_to_dn(name), attr)
                 return self.get_user(name)
@@ -175,7 +187,7 @@ class LdapDriver(object):
                 (FLAGS.ldap_user_name_attribute, [name]),
                 ('secretKey', [secret_key]),
                 ('accessKey', [access_key]),
-                ('isNovaAdmin', [str(is_admin).upper()]),
+                (LdapDriver.isadmin_attribute, [str(is_admin).upper()]),
             ]
             self.conn.add_s(self.__uid_to_dn(name), attr)
             return self.__to_user(dict(attr))
@@ -205,10 +217,10 @@ class LdapDriver(object):
         if not manager_dn in members:
             members.append(manager_dn)
         attr = [
-            ('objectclass', ['groupOfNames']),
+            ('objectclass', [LdapDriver.project_objectclass]),
             ('cn', [name]),
             ('description', [description]),
-            ('owner', [manager_dn]),
+            (LdapDriver.project_attribute, [manager_dn]),
             ('member', members)]
         self.conn.add_s('cn=%s,%s' % (name, FLAGS.ldap_project_subtree), attr)
         return self.__to_project(dict(attr))
@@ -224,7 +236,7 @@ class LdapDriver(object):
                                          "manager %s doesn't exist" %
                                          manager_uid)
             manager_dn = self.__uid_to_dn(manager_uid)
-            attr.append((self.ldap.MOD_REPLACE, 'owner', manager_dn))
+            attr.append((self.ldap.MOD_REPLACE, LdapDriver.project_attribute, manager_dn))
         if description:
             attr.append((self.ldap.MOD_REPLACE, 'description', description))
         self.conn.modify_s('cn=%s,%s' % (project_id,
@@ -284,10 +296,9 @@ class LdapDriver(object):
             return roles
         else:
             project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
-            roles = self.__find_objects(project_dn,
-                                        '(&(&(objectclass=groupOfNames)'
-                                        '(!(owner=*)))'
-                                        '(member=%s))' % self.__uid_to_dn(uid))
+            query = ('(&(&(objectclass=groupOfNames)(!%s))(member=%s))' %
+                      (LdapDriver.project_pattern, self.__uid_to_dn(uid)))
+            roles = self.__find_objects(project_dn, query)
             return [role['cn'][0] for role in roles]
 
     def delete_user(self, uid):
@@ -306,9 +317,9 @@ class LdapDriver(object):
             if 'accessKey' in user.keys():
                 attr.append((self.ldap.MOD_DELETE, 'accessKey', \
                 user['accessKey']))
-            if 'isNovaAdmin' in user.keys():
-                attr.append((self.ldap.MOD_DELETE, 'isNovaAdmin', \
-                user['isNovaAdmin']))
+            if LdapDriver.isadmin_attribute in user.keys():
+                attr.append((self.ldap.MOD_DELETE, LdapDriver.isadmin_attribute, \
+                user[LdapDriver.isadmin_attribute]))
             self.conn.modify_s(self.__uid_to_dn(uid), attr)
         else:
             # Delete entry
@@ -330,7 +341,7 @@ class LdapDriver(object):
         if secret_key:
             attr.append((self.ldap.MOD_REPLACE, 'secretKey', secret_key))
         if admin is not None:
-            attr.append((self.ldap.MOD_REPLACE, 'isNovaAdmin', str(admin).upper()))
+            attr.append((self.ldap.MOD_REPLACE, LdapDriver.isadmin_attribute, str(admin).upper()))
         self.conn.modify_s(self.__uid_to_dn(uid), attr)
 
     def __user_exists(self, uid):
@@ -384,19 +395,20 @@ class LdapDriver(object):
 
     def __find_role_dns(self, tree):
         """Find dns of role objects in given tree"""
-        return self.__find_dns(tree,
-                '(&(objectclass=groupOfNames)(!(owner=*)))')
+        query = '(&(objectclass=groupOfNames)(!%s))' % LdapDriver.project_pattern
+        return self.__find_dns(tree, query)
 
     def __find_group_dns_with_member(self, tree, uid):
         """Find dns of group objects in a given tree that contain member"""
-        dns = self.__find_dns(tree,
-                            '(&(objectclass=groupOfNames)(member=%s))' %
-                            self.__uid_to_dn(uid))
+        query = ('(&(objectclass=groupOfNames)(member=%s))' %
+                  self.__uid_to_dn(uid))
+        dns = self.__find_dns(tree, query)
         return dns
 
     def __group_exists(self, dn):
         """Check if group exists"""
-        return self.__find_object(dn, '(objectclass=groupOfNames)') is not None
+        query = '(objectclass=groupOfNames)'
+        return self.__find_object(dn, query) is not None
 
     @staticmethod
     def __role_to_dn(role, project_id=None):
@@ -435,7 +447,7 @@ class LdapDriver(object):
         """Check if user is in group"""
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s can't be searched in group "
-                    "becuase the user doesn't exist" % (uid,))
+                    "because the user doesn't exist" % uid)
         if not self.__group_exists(group_dn):
             return False
         res = self.__find_object(group_dn,
@@ -447,10 +459,10 @@ class LdapDriver(object):
         """Add user to group"""
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s can't be added to the group "
-                    "becuase the user doesn't exist" % (uid,))
+                    "because the user doesn't exist" % uid)
         if not self.__group_exists(group_dn):
             raise exception.NotFound("The group at dn %s doesn't exist" %
-                                     (group_dn,))
+                                     group_dn)
         if self.__is_in_group(uid, group_dn):
             raise exception.Duplicate("User %s is already a member of "
                                       "the group %s" % (uid, group_dn))
@@ -461,13 +473,13 @@ class LdapDriver(object):
         """Remove user from group"""
         if not self.__group_exists(group_dn):
             raise exception.NotFound("The group at dn %s doesn't exist" %
-                                     (group_dn,))
+                                     group_dn)
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s can't be removed from the "
-                    "group because the user doesn't exist" % (uid,))
+                    "group because the user doesn't exist" % uid)
         if not self.__is_in_group(uid, group_dn):
             raise exception.NotFound("User %s is not a member of the group" %
-                                     (uid,))
+                                     uid)
         # NOTE(vish): remove user from group and any sub_groups
         sub_dns = self.__find_group_dns_with_member(
                 group_dn, uid)
@@ -489,7 +501,7 @@ class LdapDriver(object):
         """Remove user from all roles and projects"""
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s can't be removed from all "
-                    "because the user doesn't exist" % (uid,))
+                    "because the user doesn't exist" % uid)
         role_dns = self.__find_group_dns_with_member(
                 FLAGS.role_project_subtree, uid)
         for role_dn in role_dns:
@@ -516,13 +528,13 @@ class LdapDriver(object):
         if attr is None:
             return None
         if ('accessKey' in attr.keys() and 'secretKey' in attr.keys() \
-            and 'isNovaAdmin' in attr.keys()):
+            and LdapDriver.isadmin_attribute in attr.keys()):
             return {
                 'id': attr[FLAGS.ldap_user_id_attribute][0],
                 'name': attr[FLAGS.ldap_user_name_attribute][0],
                 'access': attr['accessKey'][0],
                 'secret': attr['secretKey'][0],
-                'admin': (attr['isNovaAdmin'][0] == 'TRUE')}
+                'admin': (attr[LdapDriver.isadmin_attribute][0] == 'TRUE')}
         else:
             return None
 
@@ -534,7 +546,8 @@ class LdapDriver(object):
         return {
             'id': attr['cn'][0],
             'name': attr['cn'][0],
-            'project_manager_id': self.__dn_to_uid(attr['owner'][0]),
+            'project_manager_id':
+                self.__dn_to_uid(attr[LdapDriver.project_attribute][0]),
             'description': attr.get('description', [None])[0],
             'member_ids': [self.__dn_to_uid(x) for x in member_dns]}
 

nova/auth/nova_openldap.schema

@@ -1,7 +1,9 @@
 #
 # Person object for Nova
 # inetorgperson with extra attributes
-# Author: Vishvananda Ishaya <vishvananda@yahoo.com>
+# Schema version: 2
+# Authors: Vishvananda Ishaya <vishvananda@yahoo.com>
+#          Ryan Lane <rlane@wikimedia.org>
 #
 #
 

nova/auth/nova_sun.schema

@@ -1,8 +1,9 @@
 #
 # Person object for Nova
 # inetorgperson with extra attributes
-# Author: Vishvananda Ishaya <vishvananda@yahoo.com>
-# Modified for strict RFC 4512 compatibility by: Ryan Lane <ryan@ryandlane.com>
+# Schema version: 2
+# Authors: Vishvananda Ishaya <vishvananda@yahoo.com>
+#          Ryan Lane <rlane@wikimedia.org>
 #
 # using internet experimental oid arc as per BP64 3.1
 dn: cn=schema