| author | Jenkins <jenkins@review.openstack.org> | 2013-02-19 01:01:54 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-02-19 01:01:54 +0000 |
| commit | fa0d93be204d4e2cc56b9a6e17949e58db15182d (patch) | |
| tree | 7a14eaac1691c619b204e816a2fe9a90ae57f8c7 | |
| parent | 60cb16c7c1867109413ad427babd71c415d03af6 (diff) | |
| parent | fb66ad89a547b9b5d9cd92cd42fb0531deb9887b (diff) | |
Merge "Remove usage of UserRoleAssociation.id in LDAP"
| -rw-r--r-- | keystone/identity/backends/ldap/core.py | 158 |
1 files changed, 3 insertions, 155 deletions
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 22a7fd0c..ec9df209 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -431,10 +431,10 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
 super(UserApi, self).delete(id)
 for ref in self.role_api.list_global_roles_for_user(id):
- self.role_api.rolegrant_delete(ref.id)
+ self.role_api.delete_user(ref.role_id, ref.user_id, ref.project_id)
 for ref in self.role_api.list_project_roles_for_user(id):
- self.role_api.rolegrant_delete(ref.id)
+ self.role_api.delete_user(ref.role_id, ref.user_id, ref.project_id)
 def get_by_email(self, email):
 query = ('(%s=%s)' % (self.attribute_mapping['mail'],
@@ -635,15 +635,11 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin):
 class UserRoleAssociation(object):
 """Role Grant model."""
- def __init__(self, user_id=None, role_id=None, tenant_id=None, id=None,
+ def __init__(self, user_id=None, role_id=None, tenant_id=None,
 *args, **kw):
 self.user_id = str(user_id)
 self.role_id = role_id
 self.project_id = str(tenant_id)
- if id is None:
- self.id = create_role_ref(role_id, tenant_id, user_id)
- else:
- self.id = id
 class GroupRoleAssociation(object):
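Review bot: The replacement calls pass `ref.project_id` as the tenant, but the UserRoleAssociation constructor later in this diff stores `self.project_id = str(tenant_id)`, so the global grants returned by list_global_roles_for_user (built with no tenant_id) carry the string 'None' rather than None. If delete_user derives the role DN through _subrole_id_to_dn, whose branch is `if tenant_id is None`, a global grant would be resolved as a project-scoped role under a project named 'None' and the deleted user's DN would remain a member of the global role entry, a stale grant that later lookups would still list. The removed rolegrant_delete did not have this problem because _explode_ref mapped an empty tenant back to None. The safer fix is in the model, `self.project_id = None if tenant_id is None else str(tenant_id)`; failing that, the first loop should pass `None` as the tenant. UserApi.delete begins before the hunk.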
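Review bot: Dropping `id=None` from the signature while keeping `*args, **kw` means a call site still passing `id=...` is accepted silently and the value discarded, so any caller the commit missed fails only later with an AttributeError on `.id`. If nothing depends on that leniency, rejecting leftovers makes the cleanup verifiable: `if args or kw: raise TypeError('unexpected arguments: %r %r' % (args, kw))`, or remove `*args, **kw` altogether. The docstring `"""Role Grant model."""` would also benefit from stating what each attribute holds, in particular that user_id and project_id are stored via str() and tenant_id is exposed as project_id. GroupRoleAssociation starts on the hunk's last line and continues outside it.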
@@ -689,23 +685,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 self.attribute_ignore = (getattr(conf.ldap, 'role_attribute_ignore')
 or self.DEFAULT_ATTRIBUTE_IGNORE)
- @staticmethod
- def _create_ref(role_id, tenant_id, user_id):
- return create_role_ref(role_id, tenant_id, user_id)
-
- @staticmethod
- def _explode_ref(rolegrant):
- a = rolegrant.split('-', 2)
- len_role = int(a[0])
- len_project = int(a[1])
- role_id = a[2][:len_role]
- role_id = None if len(role_id) == 0 else str(role_id)
- tenant_id = a[2][len_role:len_project + len_role]
- tenant_id = None if len(tenant_id) == 0 else str(tenant_id)
- user_id = a[2][len_project + len_role:]
- user_id = None if len(user_id) == 0 else str(user_id)
- return role_id, tenant_id, user_id
-
 def _subrole_id_to_dn(self, role_id, tenant_id):
 if tenant_id is None:
 return self._id_to_dn(role_id)
@@ -760,7 +739,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 raise inst
 return UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
 role_id=role_id,
 user_id=user_id,
 tenant_id=tenant_id)
@@ -821,7 +799,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 user_id = self.user_api._dn_to_id(user_dn)
 role_id = self._dn_to_id(role_dn)
 res.append(UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
 user_id=user_id,
 role_id=role_id,
 tenant_id=tenant_id))
@@ -832,7 +809,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 user_dn = self.user_api._id_to_dn(user_id)
 roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn))
 return [UserRoleAssociation(
- id=self._create_ref(role.id, None, user_id),
 role_id=role.id,
 user_id=user_id) for role in roles]
@@ -853,7 +829,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 for role_dn, _ in roles:
 role_id = self._dn_to_id(role_dn)
 res.append(UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
 user_id=user_id,
 role_id=role_id,
 tenant_id=tenant_id))
@@ -870,63 +845,11 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 role_id = self._dn_to_id(role_dn)
 tenant_id = ldap.dn.str2dn(role_dn)[1][0][1]
 res.append(UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
 user_id=user_id,
 role_id=role_id,
 tenant_id=tenant_id))
 return res
- def rolegrant_get(self, id):
- role_id, tenant_id, user_id = self._explode_ref(id)
- user_dn = self.user_api._id_to_dn(user_id)
- role_dn = self._subrole_id_to_dn(role_id, tenant_id)
- query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
- self.member_attribute,
- user_dn)
- conn = self.get_connection()
- try:
- res = conn.search_s(role_dn, ldap.SCOPE_BASE, query)
- except ldap.NO_SUCH_OBJECT:
- return None
- if len(res) == 0:
- return None
- return UserRoleAssociation(id=id,
- role_id=role_id,
- tenant_id=tenant_id,
- user_id=user_id)
-
- def rolegrant_delete(self, id):
- role_id, tenant_id, user_id = self._explode_ref(id)
- user_dn = self.user_api._id_to_dn(user_id)
- role_dn = self._subrole_id_to_dn(role_id, tenant_id)
- conn = self.get_connection()
- try:
- conn.modify_s(role_dn, [(ldap.MOD_DELETE,
- self.member_attribute,
- [user_dn])])
- except ldap.NO_SUCH_ATTRIBUTE:
- raise exception.Error("No such user in role")
-
- def rolegrant_get_page(self, marker, limit, user_id, tenant_id):
- all_roles = []
- if tenant_id is None:
- all_roles += self.list_global_roles_for_user(user_id)
- else:
- for tenant in self.project_api.get_all():
- all_roles += self.list_project_roles_for_user(user_id,
- tenant['id'])
- return self._get_page(marker, limit, all_roles)
-
- def rolegrant_get_page_markers(self, user_id, tenant_id, marker, limit):
- all_roles = []
- if tenant_id is None:
- all_roles = self.list_global_roles_for_user(user_id)
- else:
- for tenant in self.project_api.get_all():
- all_roles += self.list_project_roles_for_user(user_id,
- tenant['id'])
- return self._get_page_markers(marker, limit, all_roles)
-
 def get_by_service_get_page(self, service_id, marker,
limit):
 all_roles = self.get_by_service(service_id)
 return self._get_page(marker, limit, all_roles)
@@ -935,37 +858,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 all_roles = self.get_by_service(service_id)
 return self._get_page_markers(marker, limit, all_roles)
- def rolegrant_list_by_role(self, id):
- role_dn = self._id_to_dn(id)
- try:
- roles = self.get_all('(%s=%s)' % (self.member_attribute, role_dn))
- except ldap.NO_SUCH_OBJECT:
- return []
-
- res = []
- for role_dn, attrs in roles:
- try:
- user_dns = attrs[self.member_attribute]
- tenant_dns = attrs['tenant']
- except KeyError:
- continue
-
- for user_dn in user_dns:
- if self.use_dumb_member and user_dn == self.dumb_member:
- continue
- user_id = self.user_api._dn_to_id(user_dn)
- tenant_id = None
- if tenant_dns is not None:
- for tenant_dn in tenant_dns:
- tenant_id = self.project_api._dn_to_id(tenant_dn)
- role_id = self._dn_to_id(role_dn)
- res.append(UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
- user_id=user_id,
- role_id=role_id,
- tenant_id=tenant_id))
- return res
-
 def roles_delete_subtree_by_project(self, tenant_id):
 conn = self.get_connection()
 query = '(objectClass=%s)' % self.object_class
@@ -980,50 +872,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
 except ldap.NO_SUCH_OBJECT:
 pass
- def rolegrant_get_by_ids(self, user_id, role_id, tenant_id):
- conn = self.get_connection()
- user_dn = self.user_api._id_to_dn(user_id)
- query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
- self.member_attribute,
- user_dn)
-
- if tenant_id is not None:
- tenant_dn = self.project_api._id_to_dn(tenant_id)
- try:
- roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
- except ldap.NO_SUCH_OBJECT:
- return None
-
- if len(roles) == 0:
- return None
-
- for role_dn, _ in roles:
- ldap_role_id = self._dn_to_id(role_dn)
- if role_id == ldap_role_id:
- res = UserRoleAssociation(
- id=self._create_ref(role_id, tenant_id, user_id),
- user_id=user_id,
- role_id=role_id,
- tenant_id=tenant_id)
- return res
- else:
- try:
- roles = self.get_all('(%s=%s)' % (self.member_attribute,
- user_dn))
- except ldap.NO_SUCH_OBJECT:
- return None
-
- if len(roles) == 0:
- return None
-
- for role in roles:
- if role.id == role_id:
- return UserRoleAssociation(
- id=self._create_ref(role.id, None, user_id),
- role_id=role.id,
- user_id=user_id)
- return None
-
 def update(self, role_id, role):
 if role['id'] != role_id:
 raise exception.ValidationError('Cannot change role ID') |
