Implement domain specific Identity backends

A common scenario in shared clouds will be that a cloud provider will
want to be able to offer larger customers the ability to interface to
their chosen identity provider. In the base case, this might well be
their own corporate LDAP/AD directory.  A cloud provider might also
want smaller customers to have their identity managed solely
within the OpenStack cloud, perhaps in a shared SQL database.

This patch allows domain specific backends for identity objects
(namely user and groups), which are specified by creation of a domain
configuration file for each domain that requires its own backend.

A side benefit of this change is that it clearly separates the
backends into those that are domain-aware and those that are not,
allowing, for example, the removal of domain validation from the
LDAP identity backend.

Implements bp multiple-ldap-servers

DocImpact

Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab

1 files changed, 3 insertions, 1 deletions

diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py
index 66c6d05b..b069f4d9 100644
--- a/keystone/auth/plugins/password.py
+++ b/keystone/auth/plugins/password.py
@@ -94,6 +94,7 @@ class UserAuthInfo(object):
         self._assert_user_is_enabled(user_ref)
         self.user_ref = user_ref
         self.user_id = user_ref['id']
+        self.domain_id = domain_ref['id']
 
 
 class Password(auth.AuthMethodHandler):
@@ -106,7 +107,8 @@ class Password(auth.AuthMethodHandler):
         try:
             self.identity_api.authenticate(
                 user_id=user_info.user_id,
-                password=user_info.password)
+                password=user_info.password,
+                domain_scope=user_info.domain_id)
         except AssertionError:
             # authentication failed because of invalid username or password
             msg = _('Invalid username or password')