authorAdam Young <ayoung@redhat.com>2013-06-28 18:34:25 -0400
committerAdam Young <ayoung@redhat.com>2013-07-12 15:16:47 -0400
commit4be48868ef9b34e90e8e6028201bc3b0ac569c3d (patch)
tree01203677ad0d44c6360bb0cf08e4ed10d8ce504a /keystone/assignment
parent661cef927e95cf87a96eea7f0f6d840f8bf4adcd (diff)
Mixed LDAP/SQL Backend.
Supports the configuration where LDAP is used for identity and SQL is used for assignment. blueprint split-identity Change-Id: Ib91b5d804282b7f78fc2458ff64653bbf2cf5d9e
Diffstat (limited to 'keystone/assignment')
-rw-r--r--keystone/assignment/backends/ldap.py44
-rw-r--r--keystone/assignment/backends/sql.py40
-rw-r--r--keystone/assignment/core.py42
3 files changed, 72 insertions, 54 deletions
diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py
index 44a479bf..09539c9f 100644
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@@ -76,41 +76,11 @@ class Assignment(assignment.Driver):
return self._set_default_domain(self.project.get_all())
def get_project_by_name(self, tenant_name, domain_id):
- self._validate_domain_id(domain_id)
+ self._validate_default_domain_id(domain_id)
return self._set_default_domain(self.project.get_by_name(tenant_name))
- def _validate_domain(self, ref):
- """Validate that either the default domain or nothing is specified.
-
- Also removes the domain from the ref so that LDAP doesn't have to
- persist the attribute.
-
- """
- ref = ref.copy()
- domain_id = ref.pop('domain_id', CONF.identity.default_domain_id)
- self._validate_domain_id(domain_id)
- return ref
-
- def _validate_domain_id(self, domain_id):
- """Validate that the domain ID specified belongs to the default domain.
-
- """
- if domain_id != CONF.identity.default_domain_id:
- raise exception.DomainNotFound(domain_id=domain_id)
-
- def _set_default_domain(self, ref):
- """Overrides any domain reference with the default domain."""
- if isinstance(ref, dict):
- ref = ref.copy()
- ref['domain_id'] = CONF.identity.default_domain_id
- return ref
- elif isinstance(ref, list):
- return [self._set_default_domain(x) for x in ref]
- else:
- raise ValueError(_('Expected dict or list: %s') % type(ref))
-
def create_project(self, tenant_id, tenant):
- tenant = self._validate_domain(tenant)
+ tenant = self._validate_default_domain(tenant)
tenant['name'] = clean.project_name(tenant['name'])
data = tenant.copy()
if 'id' not in data or data['id'] is None:
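Review bot: The `_set_default_domain` removed at L51-L60 replaced any `domain_id` in a returned ref with the default domain, whereas the `Driver._set_default_domain` that now serves `create_project` (return at L69 in the next hunk) and `update_project` (L75), added in the core.py hunk at L200-L237, only fills in a missing key and leaves an existing value untouched. For writes this is likely harmless because `_validate_default_domain` pops the key before the dict reaches LDAP, but a read path whose LDAP mapping yields a `domain_id` attribute would now report that value instead of the validated default. If relaxing the override is deliberate, say so in the base docstring (`"""Fill in the default domain ID where none is set; an existing value is kept."""`); otherwise keep an LDAP-specific override of the base method that still forces the default. `create_project`'s body continues past the end of this hunk.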
@@ -120,7 +90,7 @@ class Assignment(assignment.Driver):
return self._set_default_domain(self.project.create(data))
def update_project(self, tenant_id, tenant):
- tenant = self._validate_domain(tenant)
+ tenant = self._validate_default_domain(tenant)
if 'name' in tenant:
tenant['name'] = clean.project_name(tenant['name'])
return self._set_default_domain(self.project.update(tenant_id, tenant))
@@ -244,19 +214,19 @@ class Assignment(assignment.Driver):
raise exception.Forbidden('Domains are read-only against LDAP')
def get_domain(self, domain_id):
- self._validate_domain_id(domain_id)
+ self._validate_default_domain_id(domain_id)
return DEFAULT_DOMAIN
def update_domain(self, domain_id, domain):
- self._validate_domain_id(domain_id)
+ self._validate_default_domain_id(domain_id)
raise exception.Forbidden('Domains are read-only against LDAP')
def delete_domain(self, domain_id):
- self._validate_domain_id(domain_id)
+ self._validate_default_domain_id(domain_id)
raise exception.Forbidden('Domains are read-only against LDAP')
def list_domains(self):
- return [DEFAULT_DOMAIN]
+ return [assignment.DEFAULT_DOMAIN]
#Bulk actions on User From identity
def delete_user(self, user_id):
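Review bot: `list_domains` now returns `assignment.DEFAULT_DOMAIN` (L92) while `get_domain` two methods above still returns the driver's own `DEFAULT_DOMAIN` (L81), and since the diffstat's 44 changed lines for this file are fully accounted for by the hunks shown, that local constant is still defined, so the file carries two definitions of the default domain that `get_domain` and `list_domains` can disagree on. Both should read the same source, e.g. `return assignment.DEFAULT_DOMAIN` at L81 with the local constant dropped. Both methods also hand the module-level dict itself to callers, so a caller that mutates the result changes what every later call returns; returning `dict(assignment.DEFAULT_DOMAIN)` (and a list of such copies in `list_domains`) avoids that aliasing.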
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
index 57ca7834..237330ce 100644
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@@ -97,12 +97,14 @@ class Assignment(sql.Base, assignment.Driver):
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None):
- session = self.get_session()
- self._get_role(session, role_id)
if user_id:
- self.identity_api._get_user(session, user_id)
+ self.identity_api.get_user(user_id)
if group_id:
- self.identity_api._get_group(session, group_id)
+ self.identity_api.get_group(group_id)
+
+ session = self.get_session()
+ self._get_role(session, role_id)
+
if domain_id:
self._get_domain(session, domain_id)
if project_id:
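Review bot: `self.identity_api.get_user(user_id)` at L106 and `get_group` at L109 are called only for the exception they raise when the id is unknown, with the returned ref discarded, and nothing in the hunk says so; a one-line comment such as `# existence checks only: identity_api raises when the id is unknown` makes the intent clear (the exact exception types come from the public manager and are not shown here). The same pattern recurs in `list_grants` (L117-L130), `get_grant` (L131-L148), `delete_grant` (L149-L166) and the two methods in the hunk at L167-L183, so one comment at the first site with a pointer is enough. Because identity may now live in a separate store, the existence check and the grant write later in the method are no longer part of one unit of work, so a principal removed between the two is not caught; that is inherent to the split backend but worth stating at the call site. As a point of style, `list_grants` at L127 places `session = self.get_session()` without the blank lines the other three methods use. `create_grant`'s body continues past the end of this hunk.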
@@ -127,11 +129,11 @@ class Assignment(sql.Base, assignment.Driver):
def list_grants(self, user_id=None, group_id=None,
domain_id=None, project_id=None):
- session = self.get_session()
if user_id:
- self.identity_api._get_user(session, user_id)
+ self.identity_api.get_user(user_id)
if group_id:
- self.identity_api._get_group(session, group_id)
+ self.identity_api.get_group(group_id)
+ session = self.get_session()
if domain_id:
self._get_domain(session, domain_id)
if project_id:
@@ -146,12 +148,14 @@ class Assignment(sql.Base, assignment.Driver):
def get_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None):
- session = self.get_session()
- role_ref = self._get_role(session, role_id)
if user_id:
- self.identity_api._get_user(session, user_id)
+ self.identity_api.get_user(user_id)
if group_id:
- self.identity_api._get_group(session, group_id)
+ self.identity_api.get_group(group_id)
+
+ session = self.get_session()
+ role_ref = self._get_role(session, role_id)
+
if domain_id:
self._get_domain(session, domain_id)
if project_id:
@@ -169,12 +173,14 @@ class Assignment(sql.Base, assignment.Driver):
def delete_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None):
- session = self.get_session()
- self._get_role(session, role_id)
if user_id:
- self.identity_api._get_user(session, user_id)
+ self.identity_api.get_user(user_id)
if group_id:
- self.identity_api._get_group(session, group_id)
+ self.identity_api.get_group(group_id)
+
+ session = self.get_session()
+ self._get_role(session, role_id)
+
if domain_id:
self._get_domain(session, domain_id)
if project_id:
@@ -206,16 +212,16 @@ class Assignment(sql.Base, assignment.Driver):
return [tenant_ref.to_dict() for tenant_ref in tenant_refs]
def get_projects_for_user(self, user_id):
+ self.identity_api.get_user(user_id)
session = self.get_session()
- self.identity_api._get_user(session, user_id)
query = session.query(UserProjectGrant)
query = query.filter_by(user_id=user_id)
membership_refs = query.all()
return [x.project_id for x in membership_refs]
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
+ self.identity_api.get_user(user_id)
session = self.get_session()
- self.identity_api._get_user(session, user_id)
self._get_project(session, tenant_id)
self._get_role(session, role_id)
try:
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 879fee0b..531da02e 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -26,6 +26,13 @@ from keystone import exception
CONF = config.CONF
LOG = logging.getLogger(__name__)
+DEFAULT_DOMAIN = {'description':
+ (u'Owns users and tenants (i.e. projects)'
+ ' available on Identity API v2.'),
+ 'enabled': True,
+ 'id': CONF.identity.default_domain_id,
+ 'name': u'Default'}
+
@dependency.provider('assignment_api')
class Manager(manager.Manager):
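Review bot: `DEFAULT_DOMAIN['id']` at L195 captures `CONF.identity.default_domain_id` when keystone.assignment.core is imported, whereas `_validate_default_domain_id` (added later in this commit) reads the option on every call. If the module is imported before the configuration file is parsed — the startup order is not visible here — the dict would carry the option's default while validation accepts the configured value, and the LDAP driver's `get_domain`/`list_domains` would describe a domain whose id validation rejects. Either build the dict lazily once configuration is loaded, or record the assumption next to the constant: `# NOTE: 'id' is read at import time; this module must be imported after CONF is parsed`.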
@@ -424,3 +431,38 @@ class Driver(object):
:raises: keystone.exception.RoleNotFound
"""
+ raise exception.NotImplemented()
+
+ #domain management functions for backends that only allow a single domain.
+ #currently, this is only LDAP, but might be used by PAM or other backends
+ #as well. This is used by both identity and assignment drivers.
+ def _set_default_domain(self, ref):
+ """If the domain ID has not been set, set it to the default."""
+ if isinstance(ref, dict):
+ if 'domain_id' not in ref:
+ ref = ref.copy()
+ ref['domain_id'] = CONF.identity.default_domain_id
+ return ref
+ elif isinstance(ref, list):
+ return [self._set_default_domain(x) for x in ref]
+ else:
+ raise ValueError(_('Expected dict or list: %s') % type(ref))
+
+ def _validate_default_domain(self, ref):
+ """Validate that either the default domain or nothing is specified.
+
+ Also removes the domain from the ref so that LDAP doesn't have to
+ persist the attribute.
+
+ """
+ ref = ref.copy()
+ domain_id = ref.pop('domain_id', CONF.identity.default_domain_id)
+ self._validate_default_domain_id(domain_id)
+ return ref
+
+ def _validate_default_domain_id(self, domain_id):
+ """Validate that the domain ID specified belongs to the default domain.
+
+ """
+ if domain_id != CONF.identity.default_domain_id:
+ raise exception.DomainNotFound(domain_id=domain_id)
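Review bot: `_set_default_domain` at L210-L214 returns a copy when it adds `domain_id` but the caller's own dict when the key is already present, so whether the result aliases the input depends on the data; copying unconditionally removes the surprise: `ref = ref.copy()`, `ref.setdefault('domain_id', CONF.identity.default_domain_id)`, `return ref`. The comment block at L205-L207 and the `_validate_default_domain` docstring at L223-L224 describe LDAP specifically although the methods now live on the generic `Driver`; rewording them to "single-domain backends" and naming LDAP as the current example keeps them accurate as other drivers adopt them. `_()` at L218 is used without an import in the visible hunk; if the project installs it as a builtin that is fine, otherwise it must be brought into scope in core.py. The enclosing `Driver` class starts well before this hunk.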