diff options
author | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-07-25 20:09:45 +0100 |
---|---|---|
committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-08-15 23:41:15 +0100 |
commit | 1ed2046eaa91fa36926d66a5fe1e88ccd65373bb (patch) | |
tree | b370dde77bb78b2a5a217840a97bc25c3d37ef26 /keystone/common/controller.py | |
parent | 049c5c7159ba88f584c832e6b1a87d6bee9c31d7 (diff) | |
download | keystone-1ed2046eaa91fa36926d66a5fe1e88ccd65373bb.tar.gz keystone-1ed2046eaa91fa36926d66a5fe1e88ccd65373bb.tar.xz keystone-1ed2046eaa91fa36926d66a5fe1e88ccd65373bb.zip |
Implement domain specific Identity backends
A common scenario in shared clouds will be that a cloud provider will
want to be able to offer larger customers the ability to interface to
their chosen identity provider. In the base case, this might well be
their own corporate LDAP/AD directory. A cloud provider might also
want smaller customers to have their identity managed solely
within the OpenStack cloud, perhaps in a shared SQL database.
This patch allows domain specific backends for identity objects
(namely user and groups), which are specified by creation of a domain
configuration file for each domain that requires its own backend.
A side benefit of this change is that it clearly separates the
backends into those that are domain-aware and those that are not,
allowing, for example, the removal of domain validation from the
LDAP identity backend.
Implements bp multiple-ldap-servers
DocImpact
Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
Diffstat (limited to 'keystone/common/controller.py')
-rw-r--r-- | keystone/common/controller.py | 51 |
1 files changed, 26 insertions, 25 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py index 1bf65cda..90818fb4 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -303,34 +303,35 @@ class V3Controller(V2Controller): ref['id'] = uuid.uuid4().hex return ref + def _get_domain_id_for_request(self, context): + """Get the domain_id for a v3 call.""" + + if context['is_admin']: + return DEFAULT_DOMAIN_ID + + # Fish the domain_id out of the token + # + # We could make this more efficient by loading the domain_id + # into the context in the wrapper function above (since + # this version of normalize_domain will only be called inside + # a v3 protected call). However, this optimization is probably not + # worth the duplication of state + try: + token_ref = self.token_api.get_token( + token_id=context['token_id']) + except exception.TokenNotFound: + LOG.warning(_('Invalid token in _get_domain_id_for_request')) + raise exception.Unauthorized() + + if 'domain' in token_ref: + return token_ref['domain']['id'] + else: + return DEFAULT_DOMAIN_ID + def _normalize_domain_id(self, context, ref): """Fill in domain_id if not specified in a v3 call.""" - if 'domain_id' not in ref: - if context['is_admin']: - ref['domain_id'] = DEFAULT_DOMAIN_ID - else: - # Fish the domain_id out of the token - # - # We could make this more efficient by loading the domain_id - # into the context in the wrapper function above (since - # this version of normalize_domain will only be called inside - # a v3 protected call). However, given that we only use this - # for creating entities, this optimization is probably not - # worth the duplication of state - try: - token_ref = self.token_api.get_token( - token_id=context['token_id']) - except exception.TokenNotFound: - LOG.warning(_('Invalid token in normalize_domain_id')) - raise exception.Unauthorized() - - if 'domain' in token_ref: - ref['domain_id'] = token_ref['domain']['id'] - else: - # FIXME(henry-nash) Revisit this once v3 token scoping - # across domains has been hashed out - ref['domain_id'] = DEFAULT_DOMAIN_ID + ref['domain_id'] = self._get_domain_id_for_request(context) return ref def _filter_domain_id(self, ref): |