Removing novaProject from the schema. This change may look odd at first; here's how it works:

Both roles are projects are groupOfNames. Previously, we were differentiating projects from project roles by using the novaProject objectclass on the project, and not on the roles. This change removes novaProject, and uses the owner attribute instead of the projectManager attribute. Only projects should have an owner. We can differentiate projects from project roles by checking for the existence of this attribute. To check for the existence of an attribute in LDAP, a wildcard search is used. The fake LDAP driver did not support wildcard searches, so I put in "all or nothing" support for it. The wildcard search support doesn't work exactly like wildcard searches in LDAP, but will work for the case that's required.
2010-12-08 10:22:29 +00:00
parent beebdc3cb4
commit fc4776319f
6 changed files with 12 additions and 31 deletions
--- a/nova/auth/fakeldap.py
+++ b/nova/auth/fakeldap.py
@@ -119,6 +119,9 @@ def _match(key, value, attrs):
    """Match a given key and value against an attribute list."""
    if key not in attrs:
        return False
+    # This is a wild card search. Implemented as all or nothing for now.
+    if value == "*":
+        return True
    if key != "objectclass":
        return value in attrs[key]
    # it is an objectclass check, so check subclasses
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -106,7 +106,7 @@ class LdapDriver(object):
        """Retrieve project by id"""
        dn = 'cn=%s,%s' % (pid,
                           FLAGS.ldap_project_subtree)
-        attr = self.__find_object(dn, '(objectclass=novaProject)')
+        attr = self.__find_object(dn, '(owner=*)')
        return self.__to_project(attr)

    def get_users(self):
@@ -122,7 +122,7 @@ class LdapDriver(object):

    def get_projects(self, uid=None):
        """Retrieve list of projects"""
-        pattern = '(objectclass=novaProject)'
+        pattern = '(owner=*)'
        if uid:
            pattern = "(&%s(member=%s))" % (pattern, self.__uid_to_dn(uid))
        attrs = self.__find_objects(FLAGS.ldap_project_subtree,
@@ -205,10 +205,10 @@ class LdapDriver(object):
        if not manager_dn in members:
            members.append(manager_dn)
        attr = [
-            ('objectclass', ['novaProject']),
+            ('objectclass', ['groupOfNames']),
            ('cn', [name]),
            ('description', [description]),
-            ('projectManager', [manager_dn]),
+            ('owner', [manager_dn]),
            ('member', members)]
        self.conn.add_s('cn=%s,%s' % (name, FLAGS.ldap_project_subtree), attr)
        return self.__to_project(dict(attr))
@@ -224,7 +224,7 @@ class LdapDriver(object):
                                         "manager %s doesn't exist" %
                                         manager_uid)
            manager_dn = self.__uid_to_dn(manager_uid)
-            attr.append((self.ldap.MOD_REPLACE, 'projectManager', manager_dn))
+            attr.append((self.ldap.MOD_REPLACE, 'owner', manager_dn))
        if description:
            attr.append((self.ldap.MOD_REPLACE, 'description', description))
        self.conn.modify_s('cn=%s,%s' % (project_id,
@@ -286,7 +286,7 @@ class LdapDriver(object):
            project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
            roles = self.__find_objects(project_dn,
                                        '(&(&(objectclass=groupOfNames)'
-                                        '(!(objectclass=novaProject)))'
+                                        '(!(owner=*)))'
                                        '(member=%s))' % self.__uid_to_dn(uid))
            return [role['cn'][0] for role in roles]

@@ -385,7 +385,7 @@ class LdapDriver(object):
    def __find_role_dns(self, tree):
        """Find dns of role objects in given tree"""
        return self.__find_dns(tree,
-                '(&(objectclass=groupOfNames)(!(objectclass=novaProject)))')
+                '(&(objectclass=groupOfNames)(!(owner=*)))')

    def __find_group_dns_with_member(self, tree, uid):
        """Find dns of group objects in a given tree that contain member"""
@@ -534,7 +534,7 @@ class LdapDriver(object):
        return {
            'id': attr['cn'][0],
            'name': attr['cn'][0],
-            'project_manager_id': self.__dn_to_uid(attr['projectManager'][0]),
+            'project_manager_id': self.__dn_to_uid(attr['owner'][0]),
            'description': attr.get('description', [None])[0],
            'member_ids': [self.__dn_to_uid(x) for x in member_dns]}

--- a/nova/auth/nova_openldap.schema
+++ b/nova/auth/nova_openldap.schema
@@ -39,13 +39,6 @@ attributetype (
    SINGLE-VALUE
    )

-attributetype (
-    novaAttrs:5
-    NAME 'projectManager'
-    DESC 'Project Managers of a project'
-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
-    )
-
 objectClass (
    novaOCs:1
    NAME 'novaUser'
@@ -53,12 +46,3 @@ objectClass (
    AUXILIARY
    MAY  ( accessKey $ secretKey $ isNovaAdmin )
    )
-
-objectClass (
-    novaOCs:3
-    NAME 'novaProject'
-    DESC 'Container for project'
-    SUP groupOfNames
-    STRUCTURAL
-    MUST ( cn $ projectManager )
-    )
--- a/nova/auth/nova_sun.schema
+++ b/nova/auth/nova_sun.schema
@@ -9,6 +9,4 @@ dn: cn=schema
 attributeTypes: ( 1.3.6.1.3.1.666.666.3.1 NAME 'accessKey' DESC 'Key for accessing data' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 attributeTypes: ( 1.3.6.1.3.1.666.666.3.2 NAME 'secretKey' DESC 'Secret key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 attributeTypes: ( 1.3.6.1.3.1.666.666.3.4 NAME 'isNovaAdmin' DESC 'Is user a nova administrator?' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 
-attributeTypes: ( 1.3.6.1.3.1.666.666.3.5 NAME 'projectManager' DESC 'Project Managers of a project' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 objectClasses: ( 1.3.6.1.3.1.666.666.4.1 NAME 'novaUser' DESC 'access and secret keys' SUP top AUXILIARY MAY  ( accessKey $ secretKey $ isNovaAdmin ) ) 
-objectClasses: ( 1.3.6.1.3.1.666.666.4.3 NAME 'novaProject' DESC 'Container for project' SUP groupOfNames STRUCTURAL MUST ( cn $ projectManager ) )
--- a/nova/auth/opendj.sh
+++ b/nova/auth/opendj.sh
@@ -30,9 +30,7 @@ fi

 abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
 schemapath='/var/opendj/instance/config/schema'
-cp $abspath/openssh-lpk_sun.schema $schemapath/97-openssh-lpk_sun.ldif
 cp $abspath/nova_sun.schema $schemapath/98-nova_sun.ldif
-chown opendj:opendj $schemapath/97-openssh-lpk_sun.ldif
 chown opendj:opendj $schemapath/98-nova_sun.ldif

 cat >/etc/ldap/ldap.conf <<LDAP_CONF_EOF
--- a/nova/auth/slap.sh
+++ b/nova/auth/slap.sh
@@ -21,8 +21,7 @@
 apt-get install -y slapd ldap-utils python-ldap

 abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
-cp $abspath/openssh-lpk_openldap.schema /etc/ldap/schema/openssh-lpk_openldap.schema
-cp $abspath/nova_openldap.schema /etc/ldap/schema/nova_openldap.schema
+cp $abspath/nova_openldap.schema /etc/ldap/schema/nova.schema

 mv /etc/ldap/slapd.conf /etc/ldap/slapd.conf.orig
 cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
@@ -33,7 +32,6 @@ cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
 include /etc/ldap/schema/inetorgperson.schema
-include /etc/ldap/schema/openssh-lpk_openldap.schema
 include /etc/ldap/schema/nova.schema
 pidfile /var/run/slapd/slapd.pid
 argsfile /var/run/slapd/slapd.args