author Henry Nash <henryn@linux.vnet.ibm.com> 2012-12-13 16:48:13 +0000
committer Henry Nash <henryn@linux.vnet.ibm.com> 2013-01-08 01:32:46 +0000
commit 4fae928c59beaa558306a5aa3a3aa5c6f4945b70
tree 86fa2896027f9278ed022886806b93fc98a2bebb /keystone/config.py
parent 9460ff5c35809f4911cb5a1ee5f68d6351e797f4
Keystone server support for user groups
This implements the server side of groups of users. This set of code provides all the CRUD functionality for groups as well as the corresponding support for role assignments.

blueprint user-groups

The following deficiencies exist with the current version and will be corrected ahead of the final Grizzly release:

1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)

This update also fills in missing v3 grant unit testing and v3 grant support within the kvs backend. In addition, there is a fix for Bug #1092200 (uncaught exception when listing grants)

DocImpact

Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
Diffstat (limited to 'keystone/config.py')
-rw-r--r-- keystone/config.py 11
1 files changed, 11 insertions, 0 deletions
diff --git a/keystone/config.py b/keystone/config.py
index 9d4da38a..c26a518c 100644
--- a/keystone/config.py
+++ b/keystone/config.py
@@ -226,6 +226,17 @@ register_bool('role_allow_create', group='ldap', default=True)
register_bool('role_allow_update', group='ldap', default=True)
register_bool('role_allow_delete', group='ldap', default=True)
+register_str('group_tree_dn', group='ldap', default=None)
+register_str('group_filter', group='ldap', default=None)
+register_str('group_objectclass', group='ldap', default='groupOfNames')
+register_str('group_id_attribute', group='ldap', default='cn')
+register_str('group_name_attribute', group='ldap', default='ou')
+register_str('group_member_attribute', group='ldap', default='member')
+register_str('group_desc_attribute', group='ldap', default='desc')
+register_list('group_attribute_ignore', group='ldap', default='')
+register_bool('group_allow_create', group='ldap', default=True)
+register_bool('group_allow_update', group='ldap', default=True)
+register_bool('group_allow_delete', group='ldap', default=True)
#pam
register_str('url', group='pam', default=None)
register_str('userid', group='pam', default=None)
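Review bot: The `group_desc_attribute` default of 'desc' does not pair with the `group_objectclass` default of 'groupOfNames' registered earlier in the same block: the description attribute that object class permits is `description` (RFC 4519), so the default should probably be 'description'. In the same block, `register_list('group_attribute_ignore', group='ldap', default='')` passes a string as the default of a list option; `default=[]` states the intent more directly unless `register_list` is known to turn an empty string into an empty list. The three `group_allow_*` options default to True, matching the `role_allow_*` context lines above them, which leaves group writes to the directory enabled unless the operator turns them off. Since the commit message ties groups to role assignments and notes that LDAP support is placeholder-only for now, the new options should be documented (the message already flags DocImpact), including the settings a read-only LDAP deployment needs.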