diff options
author | Dolph Mathews <dolph.mathews@gmail.com> | 2013-01-15 21:26:57 -0600 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2013-01-31 21:48:39 +0000 |
commit | 5bc46d861e9c8f355d2bdd68912be3e64c2dc9e9 (patch) | |
tree | 661928f1675b88458fe4124e7b91bcad0f41471f | |
parent | d3f28ed56c218ed7275c66eb647e581ce1654083 (diff) | |
download | keystone-5bc46d861e9c8f355d2bdd68912be3e64c2dc9e9.tar.gz keystone-5bc46d861e9c8f355d2bdd68912be3e64c2dc9e9.tar.xz keystone-5bc46d861e9c8f355d2bdd68912be3e64c2dc9e9.zip |
Create a default domain (bp default-domain)
This changes rewrites some of our migration history since the folsom
release so that we can create a default domain prior to creating
non-nullable foreignkey's in the user and project tables in migration
9 (numbered according to this change).
DocImpact
Change-Id: I807f7b1dca1d6a895f7417c316bcbce24ada61c0
-rw-r--r-- | etc/keystone.conf.sample | 8 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/008_create_default_domain.py | 63 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/009_normalize_identity.py (renamed from keystone/common/sql/migrate_repo/versions/008_normalize_identity.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/010_normalize_identity_migration.py (renamed from keystone/common/sql/migrate_repo/versions/009_normalize_identity_migration.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/011_endpoints_v3.py (renamed from keystone/common/sql/migrate_repo/versions/010_endpoints_v3.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/012_populate_endpoint_type.py (renamed from keystone/common/sql/migrate_repo/versions/011_populate_endpoint_type.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/013_drop_legacy_endpoints.py (renamed from keystone/common/sql/migrate_repo/versions/012_drop_legacy_endpoints.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/014_add_group_tables.py (renamed from keystone/common/sql/migrate_repo/versions/013_add_group_tables.py) | 0 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/015_tenant_to_project.py (renamed from keystone/common/sql/migrate_repo/versions/014_tenant_to_project.py) | 0 | ||||
-rw-r--r-- | keystone/config.py | 3 | ||||
-rw-r--r-- | keystone/identity/controllers.py | 9 | ||||
-rw-r--r-- | tests/test_sql_upgrade.py | 44 |
12 files changed, 105 insertions, 22 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample index 3b67b300..489f83d7 100644 --- a/etc/keystone.conf.sample +++ b/etc/keystone.conf.sample @@ -76,6 +76,14 @@ [identity] # driver = keystone.identity.backends.sql.Identity +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID will be created for you by +# keystone-manage db_sync in migration 008. The domain referenced by this ID +# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. +# There is nothing special about this domain, other than the fact that it must +# exist to order to maintain support for your v2 clients. +# default_domain_id = default + [catalog] # dynamic, sql-based backend (supports API/CLI-based management commands) # driver = keystone.catalog.backends.sql.Catalog diff --git a/keystone/common/sql/migrate_repo/versions/008_create_default_domain.py b/keystone/common/sql/migrate_repo/versions/008_create_default_domain.py new file mode 100644 index 00000000..27d4b28b --- /dev/null +++ b/keystone/common/sql/migrate_repo/versions/008_create_default_domain.py @@ -0,0 +1,63 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2012 OpenStack LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import json + +import sqlalchemy as sql +from sqlalchemy import orm +from keystone import config + + +CONF = config.CONF +DEFAULT_DOMAIN_ID = CONF['identity']['default_domain_id'] + + +def upgrade(migrate_engine): + """Creates the default domain.""" + meta = sql.MetaData() + meta.bind = migrate_engine + + domain_table = sql.Table('domain', meta, autoload=True) + + domain = { + 'id': DEFAULT_DOMAIN_ID, + 'name': 'Default', + 'enabled': True, + 'extra': json.dumps({ + 'description': 'Owns users and tenants (i.e. projects) available ' + 'on Identity API v2.'})} + + session = orm.sessionmaker(bind=migrate_engine)() + + session.execute( + 'INSERT INTO `%s` (%s) VALUES (%s)' % ( + domain_table.name, + ', '.join(['`%s`' % k for k in domain.keys()]), + ', '.join([':%s' % k for k in domain.keys()])), + domain) + session.commit() + + +def downgrade(migrate_engine): + """Delete the default domain.""" + meta = sql.MetaData() + meta.bind = migrate_engine + + sql.Table('domain', meta, autoload=True) + session = orm.sessionmaker(bind=migrate_engine)() + session.execute( + 'DELETE FROM `domain` WHERE `id`=:id', {'id': DEFAULT_DOMAIN_ID}) + session.commit() diff --git a/keystone/common/sql/migrate_repo/versions/008_normalize_identity.py b/keystone/common/sql/migrate_repo/versions/009_normalize_identity.py index 3f5ae3b8..3f5ae3b8 100644 --- a/keystone/common/sql/migrate_repo/versions/008_normalize_identity.py +++ b/keystone/common/sql/migrate_repo/versions/009_normalize_identity.py diff --git a/keystone/common/sql/migrate_repo/versions/009_normalize_identity_migration.py b/keystone/common/sql/migrate_repo/versions/010_normalize_identity_migration.py index 4ad4db74..4ad4db74 100644 --- a/keystone/common/sql/migrate_repo/versions/009_normalize_identity_migration.py +++ b/keystone/common/sql/migrate_repo/versions/010_normalize_identity_migration.py diff --git a/keystone/common/sql/migrate_repo/versions/010_endpoints_v3.py b/keystone/common/sql/migrate_repo/versions/011_endpoints_v3.py index 31117486..31117486 100644 --- a/keystone/common/sql/migrate_repo/versions/010_endpoints_v3.py +++ b/keystone/common/sql/migrate_repo/versions/011_endpoints_v3.py diff --git a/keystone/common/sql/migrate_repo/versions/011_populate_endpoint_type.py b/keystone/common/sql/migrate_repo/versions/012_populate_endpoint_type.py index abfe728a..abfe728a 100644 --- a/keystone/common/sql/migrate_repo/versions/011_populate_endpoint_type.py +++ b/keystone/common/sql/migrate_repo/versions/012_populate_endpoint_type.py diff --git a/keystone/common/sql/migrate_repo/versions/012_drop_legacy_endpoints.py b/keystone/common/sql/migrate_repo/versions/013_drop_legacy_endpoints.py index f75ce3c0..f75ce3c0 100644 --- a/keystone/common/sql/migrate_repo/versions/012_drop_legacy_endpoints.py +++ b/keystone/common/sql/migrate_repo/versions/013_drop_legacy_endpoints.py diff --git a/keystone/common/sql/migrate_repo/versions/013_add_group_tables.py b/keystone/common/sql/migrate_repo/versions/014_add_group_tables.py index a42b5772..a42b5772 100644 --- a/keystone/common/sql/migrate_repo/versions/013_add_group_tables.py +++ b/keystone/common/sql/migrate_repo/versions/014_add_group_tables.py diff --git a/keystone/common/sql/migrate_repo/versions/014_tenant_to_project.py b/keystone/common/sql/migrate_repo/versions/015_tenant_to_project.py index 9b413338..9b413338 100644 --- a/keystone/common/sql/migrate_repo/versions/014_tenant_to_project.py +++ b/keystone/common/sql/migrate_repo/versions/015_tenant_to_project.py diff --git a/keystone/config.py b/keystone/config.py index ce79ddd5..e7f31394 100644 --- a/keystone/config.py +++ b/keystone/config.py @@ -142,6 +142,9 @@ register_str('policy_default_rule', default=None) #default max request size is 112k register_int('max_request_body_size', default=114688) +# identity +register_str('default_domain_id', group='identity', default='default') + #ssl options register_bool('enable', group='ssl', default=False) register_str('certfile', group='ssl', default=None) diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 4751a691..9e8d9f3f 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -22,9 +22,12 @@ import uuid from keystone.common import controller from keystone.common import logging +from keystone import config from keystone import exception +CONF = config.CONF +DEFAULT_DOMAIN_ID = CONF['identity']['default_domain_id'] LOG = logging.getLogger(__name__) @@ -442,6 +445,12 @@ class DomainV3(controller.V3Controller): @controller.protected def delete_domain(self, context, domain_id): + # explicitly forbid deleting the default domain (this should be a + # carefully orchestrated manual process involving configuration + # changes, etc) + if domain_id == DEFAULT_DOMAIN_ID: + raise exception.ForbiddenAction(action='delete the default domain') + return self.identity_api.delete_domain(context, domain_id) diff --git a/tests/test_sql_upgrade.py b/tests/test_sql_upgrade.py index 4acda07b..e04fc3e5 100644 --- a/tests/test_sql_upgrade.py +++ b/tests/test_sql_upgrade.py @@ -119,11 +119,11 @@ class SqlUpgradeTests(test.TestCase): self.assertTableExists('policy') self.assertTableColumns('policy', ['id', 'type', 'blob', 'extra']) - def test_upgrade_7_to_9(self): - self.upgrade(7) + def test_upgrade_8_to_10(self): + self.upgrade(8) self.populate_user_table() self.populate_tenant_table() - self.upgrade(9) + self.upgrade(10) self.assertTableColumns("user", ["id", "name", "extra", "password", "enabled"]) @@ -149,15 +149,15 @@ class SqlUpgradeTests(test.TestCase): self.assertEqual(a_tenant.description, 'description') session.commit() - def test_downgrade_9_to_7(self): - self.upgrade(7) + def test_downgrade_10_to_8(self): + self.upgrade(8) self.populate_user_table() self.populate_tenant_table() - self.upgrade(9) - self.downgrade(7) + self.upgrade(10) + self.downgrade(8) - def test_upgrade_9_to_12(self): - self.upgrade(9) + def test_upgrade_10_to_13(self): + self.upgrade(10) service_extra = { 'name': uuid.uuid4().hex, @@ -184,7 +184,7 @@ class SqlUpgradeTests(test.TestCase): self.insert_dict(session, 'endpoint', endpoint) session.commit() - self.upgrade(12) + self.upgrade(13) self.assertTableColumns( 'service', @@ -225,35 +225,35 @@ class SqlUpgradeTests(test.TestCase): self.assertTableDoesNotExist('user_tenant_membership') def test_upgrade_tenant_to_project(self): - self.upgrade(13) - self.assertTenantTables() self.upgrade(14) + self.assertTenantTables() + self.upgrade(15) self.assertProjectTables() def test_downgrade_project_to_tenant(self): - self.upgrade(14) + self.upgrade(15) self.assertProjectTables() - self.downgrade(13) + self.downgrade(14) self.assertTenantTables() - def test_upgrade_12_to_13(self): - self.upgrade(12) + def test_upgrade_13_to_14(self): self.upgrade(13) + self.upgrade(14) self.assertTableExists('group') self.assertTableExists('group_project_metadata') self.assertTableExists('group_domain_metadata') self.assertTableExists('user_group_membership') - def test_downgrade_13_to_12(self): - self.upgrade(13) - self.downgrade(12) + def test_downgrade_14_to_13(self): + self.upgrade(14) + self.downgrade(13) self.assertTableDoesNotExist('group') self.assertTableDoesNotExist('group_project_metadata') self.assertTableDoesNotExist('group_domain_metadata') self.assertTableDoesNotExist('user_group_membership') - def test_downgrade_12_to_9(self): - self.upgrade(12) + def test_downgrade_13_to_10(self): + self.upgrade(13) service_extra = { 'name': uuid.uuid4().hex, @@ -295,7 +295,7 @@ class SqlUpgradeTests(test.TestCase): self.insert_dict(session, 'endpoint', endpoint) session.commit() - self.downgrade(8) + self.downgrade(9) self.assertTableColumns( 'service', |