Auth refactor.

Switch to using the self-contained django_openstack_auth
package which is a proper django.contrib.auth pluggable
backend.

Notable functional improvements include:

  * Better overall security via use of standard Django
    auth code (well-vetted by security experts).
  * Token expiration checking.
  * User "enabled" attribute checking.
  * Support for full range of Django auth attributes
    such as is_anonymous, is_active, is_superuser, etc.
  * Improved hooks for RBAC/permission-based acess control.

Regarding the RBAC/permission-based access control, this
patch moves all "role" and "service"-oriented checks to
permission checks. This will make transitioning to
policy-driven checking much easier once that fully lands
in OpenStack.

Implements blueprint move-keystone-support-to-django-auth-backend

Change-Id: I4f3112af797aff8c4c5e9930c6ca33a70e45589d

horizon/templatetags/horizon.py

@@ -29,24 +29,10 @@ register = template.Library()
 @register.filter
 def has_permissions(user, component):
     """
-    Checks if the given user meets the requirements for the component. This
-    includes both user roles and services in the service catalog.
+    Checks if the given user meets the permissions requirements for
+    the component.
     """
-    if hasattr(user, 'roles'):
-        user_roles = set([role['name'].lower() for role in user.roles])
-    else:
-        user_roles = set([])
-    roles_statisfied = set(getattr(component, 'roles', [])) <= user_roles
-
-    if hasattr(user, 'service_catalog'):
-        services = set([service['type'] for service in user.service_catalog])
-    else:
-        services = set([])
-    services_statisfied = set(getattr(component, 'services', [])) <= services
-
-    if roles_statisfied and services_statisfied:
-        return True
-    return False
+    return user.has_perms(getattr(component, 'permissions', set()))
 
 
 @register.filter