author | Adam Young <ayoung@redhat.com> | 2013-06-28 18:34:25 -0400 |
---|---|---|
committer | Adam Young <ayoung@redhat.com> | 2013-07-12 15:16:47 -0400 |
commit | 4be48868ef9b34e90e8e6028201bc3b0ac569c3d (patch) | |
tree | 01203677ad0d44c6360bb0cf08e4ed10d8ce504a /keystone/assignment | |
parent | 661cef927e95cf87a96eea7f0f6d840f8bf4adcd (diff) | |
Mixed LDAP/SQL Backend.
Supports the configuration where LDAP is used for identity and
SQL is used for assignment.
blueprint split-identity
Change-Id: Ib91b5d804282b7f78fc2458ff64653bbf2cf5d9e
Diffstat (limited to 'keystone/assignment')
-rw-r--r-- | keystone/assignment/backends/ldap.py | 44 | ||||
-rw-r--r-- | keystone/assignment/backends/sql.py | 40 | ||||
-rw-r--r-- | keystone/assignment/core.py | 42 |
3 files changed, 72 insertions, 54 deletions
diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py index 44a479bf..09539c9f 100644 --- a/keystone/assignment/backends/ldap.py +++ b/keystone/assignment/backends/ldap.py @@ -76,41 +76,11 @@ class Assignment(assignment.Driver): return self._set_default_domain(self.project.get_all()) def get_project_by_name(self, tenant_name, domain_id): - self._validate_domain_id(domain_id) + self._validate_default_domain_id(domain_id) return self._set_default_domain(self.project.get_by_name(tenant_name)) - def _validate_domain(self, ref): - """Validate that either the default domain or nothing is specified. - - Also removes the domain from the ref so that LDAP doesn't have to - persist the attribute. - - """ - ref = ref.copy() - domain_id = ref.pop('domain_id', CONF.identity.default_domain_id) - self._validate_domain_id(domain_id) - return ref - - def _validate_domain_id(self, domain_id): - """Validate that the domain ID specified belongs to the default domain. - - """ - if domain_id != CONF.identity.default_domain_id: - raise exception.DomainNotFound(domain_id=domain_id) - - def _set_default_domain(self, ref): - """Overrides any domain reference with the default domain.""" - if isinstance(ref, dict): - ref = ref.copy() - ref['domain_id'] = CONF.identity.default_domain_id - return ref - elif isinstance(ref, list): - return [self._set_default_domain(x) for x in ref] - else: - raise ValueError(_('Expected dict or list: %s') % type(ref)) - def create_project(self, tenant_id, tenant): - tenant = self._validate_domain(tenant) + tenant = self._validate_default_domain(tenant) tenant['name'] = clean.project_name(tenant['name']) data = tenant.copy() if 'id' not in data or data['id'] is None: 
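Review bot: The `self._set_default_domain(...)` calls left in this hunk (`get_project_by_name`, `create_project`) now resolve to the inherited `assignment.Driver` method, whose behaviour differs from the local one being removed: the removed version overwrote any `domain_id` with the default, while the inherited one (added in the core.py hunk below) only sets it when the key is missing. Refs returned by `self.project.*` should lack the key because `_validate_default_domain` strips it before persisting, but any ref that does carry a `domain_id` will now be returned with that value instead of being normalised to the default domain. A comment at the first call site, `# inherited _set_default_domain only fills a missing domain_id; LDAP refs are stored without one`, would record that this relies on the strip in `_validate_default_domain`. The Assignment class starts outside the hunk.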
@@ -120,7 +90,7 @@ class Assignment(assignment.Driver): return self._set_default_domain(self.project.create(data)) def update_project(self, tenant_id, tenant): - tenant = self._validate_domain(tenant) + tenant = self._validate_default_domain(tenant) if 'name' in tenant: tenant['name'] = clean.project_name(tenant['name']) return self._set_default_domain(self.project.update(tenant_id, tenant)) @@ -244,19 +214,19 @@ class Assignment(assignment.Driver): raise exception.Forbidden('Domains are read-only against LDAP') def get_domain(self, domain_id): - self._validate_domain_id(domain_id) + self._validate_default_domain_id(domain_id) return DEFAULT_DOMAIN def update_domain(self, domain_id, domain): - self._validate_domain_id(domain_id) + self._validate_default_domain_id(domain_id) raise exception.Forbidden('Domains are read-only against LDAP') def delete_domain(self, domain_id): - self._validate_domain_id(domain_id) + self._validate_default_domain_id(domain_id) raise exception.Forbidden('Domains are read-only against LDAP') def list_domains(self): - return [DEFAULT_DOMAIN] + return [assignment.DEFAULT_DOMAIN] #Bulk actions on User From identity def delete_user(self, user_id): diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py index 57ca7834..237330ce 100644 --- a/keystone/assignment/backends/sql.py +++ b/keystone/assignment/backends/sql.py @@ -97,12 +97,14 @@ class Assignment(sql.Base, assignment.Driver): def create_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None): - session = self.get_session() - self._get_role(session, role_id) if user_id: - self.identity_api._get_user(session, user_id) + self.identity_api.get_user(user_id) if group_id: - self.identity_api._get_group(session, group_id) + self.identity_api.get_group(group_id) + + session = self.get_session() + self._get_role(session, role_id) + if domain_id: self._get_domain(session, domain_id) if project_id: 
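Review bot: `get_domain` still returns the bare name `DEFAULT_DOMAIN` while `list_domains`, three methods later in the same hunk, switches to `assignment.DEFAULT_DOMAIN`; if the ldap module keeps its own `DEFAULT_DOMAIN` the two methods can hand out different dicts, and if that definition was dropped, `get_domain` raises NameError. Make both read the same object, `return assignment.DEFAULT_DOMAIN` in `get_domain`. Both also return the module-level dict itself rather than a copy, so a caller that mutates the result alters the shared constant; `assignment.DEFAULT_DOMAIN.copy()` and `[assignment.DEFAULT_DOMAIN.copy()]` avoid that. The Assignment class starts outside the hunk.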
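Review bot: In `create_grant` the new `self.identity_api.get_user(user_id)` and `self.identity_api.get_group(group_id)` calls discard their results, so a reader cannot tell they are existence checks deliberately moved out of the SQL session because identity may now live in a different backend; a comment above the `if user_id:` line, `# existence checks via the identity manager: users/groups may not be in this SQL store`, would make that explicit. The same pattern recurs in `list_grants`, `get_grant`, `delete_grant`, `get_projects_for_user` and `add_role_to_user_and_project` in the following hunks and needs the note only once per file. The reordering also means the user/group lookup now runs before the role lookup, so a request with both an unknown principal and an unknown role surfaces the identity lookup's exception where it previously surfaced the role lookup's — presumably intended, but tests pinned to the old exception would notice. The method's body continues past the hunk.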
@@ -127,11 +129,11 @@ class Assignment(sql.Base, assignment.Driver): def list_grants(self, user_id=None, group_id=None, domain_id=None, project_id=None): - session = self.get_session() if user_id: - self.identity_api._get_user(session, user_id) + self.identity_api.get_user(user_id) if group_id: - self.identity_api._get_group(session, group_id) + self.identity_api.get_group(group_id) + session = self.get_session() if domain_id: self._get_domain(session, domain_id) if project_id: @@ -146,12 +148,14 @@ class Assignment(sql.Base, assignment.Driver): def get_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None): - session = self.get_session() - role_ref = self._get_role(session, role_id) if user_id: - self.identity_api._get_user(session, user_id) + self.identity_api.get_user(user_id) if group_id: - self.identity_api._get_group(session, group_id) + self.identity_api.get_group(group_id) + + session = self.get_session() + role_ref = self._get_role(session, role_id) + if domain_id: self._get_domain(session, domain_id) if project_id: @@ -169,12 +173,14 @@ class Assignment(sql.Base, assignment.Driver): def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None): - session = self.get_session() - self._get_role(session, role_id) if user_id: - self.identity_api._get_user(session, user_id) + self.identity_api.get_user(user_id) if group_id: - self.identity_api._get_group(session, group_id) + self.identity_api.get_group(group_id) + + session = self.get_session() + self._get_role(session, role_id) + if domain_id: self._get_domain(session, domain_id) if project_id: 
@@ -206,16 +212,16 @@ class Assignment(sql.Base, assignment.Driver): return [tenant_ref.to_dict() for tenant_ref in tenant_refs] def get_projects_for_user(self, user_id): + self.identity_api.get_user(user_id) session = self.get_session() - self.identity_api._get_user(session, user_id) query = session.query(UserProjectGrant) query = query.filter_by(user_id=user_id) membership_refs = query.all() return [x.project_id for x in membership_refs] def add_role_to_user_and_project(self, user_id, tenant_id, role_id): + self.identity_api.get_user(user_id) session = self.get_session() - self.identity_api._get_user(session, user_id) self._get_project(session, tenant_id) self._get_role(session, role_id) try: diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 879fee0b..531da02e 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -26,6 +26,13 @@ from keystone import exception CONF = config.CONF LOG = logging.getLogger(__name__) +DEFAULT_DOMAIN = {'description': + (u'Owns users and tenants (i.e. projects)' + ' available on Identity API v2.'), + 'enabled': True, + 'id': CONF.identity.default_domain_id, + 'name': u'Default'} + @dependency.provider('assignment_api') class Manager(manager.Manager): 
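Review bot: `DEFAULT_DOMAIN` reads `CONF.identity.default_domain_id` when keystone.assignment.core is imported, so its `id` field freezes whatever CONF holds at that moment; if configuration is parsed after the module is first imported, the dict would carry the option's built-in default rather than the deployment's configured id. If that ordering cannot be guaranteed, build the dict lazily (a small function) instead of evaluating it at module load. It is also a plain mutable dict that backends return directly (the ldap `get_domain`/`list_domains` in the earlier hunks), so a caller mutating the result changes it for everyone. A comment at the definition, `# The single domain presented to v2 clients; shared module state, treat as read-only`, would record both constraints.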
@@ -424,3 +431,38 @@ class Driver(object): :raises: keystone.exception.RoleNotFound """ + raise exception.NotImplemented() + + #domain management functions for backends that only allow a single domain. + #currently, this is only LDAP, but might be used by PAM or other backends + #as well. This is used by both identity and assignment drivers. + def _set_default_domain(self, ref): + """If the domain ID has not been set, set it to the default.""" + if isinstance(ref, dict): + if 'domain_id' not in ref: + ref = ref.copy() + ref['domain_id'] = CONF.identity.default_domain_id + return ref + elif isinstance(ref, list): + return [self._set_default_domain(x) for x in ref] + else: + raise ValueError(_('Expected dict or list: %s') % type(ref)) + + def _validate_default_domain(self, ref): + """Validate that either the default domain or nothing is specified. + + Also removes the domain from the ref so that LDAP doesn't have to + persist the attribute. + + """ + ref = ref.copy() + domain_id = ref.pop('domain_id', CONF.identity.default_domain_id) + self._validate_default_domain_id(domain_id) + return ref + + def _validate_default_domain_id(self, domain_id): + """Validate that the domain ID specified belongs to the default domain. + + """ + if domain_id != CONF.identity.default_domain_id: + raise exception.DomainNotFound(domain_id=domain_id) |
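Review bot: The `_set_default_domain` docstring ("If the domain ID has not been set, set it to the default") should spell out that only a missing key triggers the fill — a dict whose `domain_id` is present, even as None or a non-default value, is returned unchanged — since the LDAP method this replaces overwrote the value unconditionally and backend authors may assume that normalising behaviour; e.g. `"""Fill in CONF.identity.default_domain_id when ref (or each dict in ref) lacks a 'domain_id' key; an existing value, even None, is kept."""`. The ValueError branch calls `_()`, and the only import visible in this file's earlier hunk is `from keystone import exception`; if `_` is not in scope in core.py (it was in the ldap module the code came from), that error path would raise NameError instead of the intended ValueError, which is worth confirming. The comment block above `_set_default_domain` says these helpers serve both identity and assignment drivers, so the `_validate_default_domain` docstring's "so that LDAP doesn't have to persist the attribute" could name that as the current single-domain case rather than the only one. The Driver class starts outside the hunk.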