author | Jenkins <jenkins@review.openstack.org> | 2013-06-05 00:13:54 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2013-06-05 00:13:54 +0000 |
commit | 99717a8fc8f5dc0f5cc310a8113ade5536657cfa (patch) | |
tree | b1c4a596fa74412a0fbedd807d1df8f1de35b0af /keystone/identity | |
parent | e183b93481de61d909abb9569841bd553e1ea489 (diff) | |
parent | db0370d2d30de086e5b973e14cd6a8790a555ee9 (diff) | |
Merge "split authenticate call"
Diffstat (limited to 'keystone/identity')
-rw-r--r-- | keystone/identity/backends/kvs.py | 19 | ||||
-rw-r--r-- | keystone/identity/backends/ldap/core.py | 16 | ||||
-rw-r--r-- | keystone/identity/backends/pam.py | 22 | ||||
-rw-r--r-- | keystone/identity/backends/sql.py | 18 | ||||
-rw-r--r-- | keystone/identity/core.py | 21 |
5 files changed, 49 insertions, 47 deletions
diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 101ceb9e..339d2e75 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -23,29 +23,23 @@ from keystone import identity class Identity(kvs.Base, identity.Driver): # Public interface - def authenticate(self, user_id=None, tenant_id=None, password=None): - """Authenticate based on a user, tenant and password. - - Expects the user object to have a password field and the tenant to be - in the list of tenants on the user. - - """ + def authenticate_user(self, user_id=None, password=None): user_ref = None - tenant_ref = None - metadata_ref = {} - try: user_ref = self._get_user(user_id) except exception.UserNotFound: raise AssertionError('Invalid user / password') - if not utils.check_password(password, user_ref.get('password')): raise AssertionError('Invalid user / password') + return user_ref + def authorize_for_project(self, user_ref, tenant_id=None): + user_id = user_ref['id'] + tenant_ref = None + metadata_ref = {} if tenant_id is not None: if tenant_id not in self.get_projects_for_user(user_id): raise AssertionError('Invalid tenant') - try: tenant_ref = self.get_project(tenant_id) metadata_ref = self.get_metadata(user_id, tenant_id)
@@ -54,7 +48,6 @@ class Identity(kvs.Base, identity.Driver): metadata_ref = {} except exception.MetadataNotFound: metadata_ref = {} - return (identity.filter_user(user_ref), tenant_ref, metadata_ref) def get_project(self, tenant_id):
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 65330149..4493e49c 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
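Review bot: `authenticate_user` in the first hunk returns the raw `user_ref` from `_get_user`, which carries the `password` field that `utils.check_password` reads on the line before, whereas the old `authenticate` only ever handed out `identity.filter_user(user_ref)` (still done at the end of `authorize_for_project`). The stored hash now leaves the backend through a public driver method and stays out of the response only because `Manager.authenticate` returns the filtered tuple from `authorize_for_project`; any other caller of `authenticate_user` receives it. Either filter before returning and let `authorize_for_project` look the user up again from `user_ref['id']`, or at least state the contract in a docstring such as `"""Verify *password* and return the stored user_ref unfiltered (includes the password hash); callers must pass it through identity.filter_user() before exposing it."""`. The same applies to `authenticate_user` in the ldap/core.py and sql.py hunks, which likewise return the ref whose password the check just consumed. `user_ref = None` before the `try` is now dead, since the `try` either binds it or raises.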
@@ -95,20 +95,12 @@ class Identity(identity.Driver): raise ValueError(_('Expected dict or list: %s') % type(ref)) # Identity interface - def authenticate(self, user_id=None, tenant_id=None, password=None): - """Authenticate based on a user, tenant and password. - - Expects the user object to have a password field and the tenant to be - in the list of tenants on the user. - """ - tenant_ref = None - metadata_ref = {} + def authenticate_user(self, user_id=None, password=None): try: user_ref = self._get_user(user_id) except exception.UserNotFound: raise AssertionError('Invalid user / password') - try: conn = self.user.get_connection(self.user._id_to_dn(user_id), password)
@@ -116,6 +108,12 @@ class Identity(identity.Driver): raise AssertionError('Invalid user / password') except Exception: raise AssertionError('Invalid user / password') + return user_ref + + def authorize_for_project(self, user_ref, tenant_id=None): + user_id = user_ref['id'] + tenant_ref = None + metadata_ref = {} if tenant_id is not None: if tenant_id not in self.get_projects_for_user(user_id):
diff --git a/keystone/identity/backends/pam.py b/keystone/identity/backends/pam.py
index 1a312a27..9c4bbf38 100644
--- a/keystone/identity/backends/pam.py
+++ b/keystone/identity/backends/pam.py
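Review bot: `authenticate_user` in the first ldap hunk now defaults `password` to `None` and passes it unchanged to `self.user.get_connection(self.user._id_to_dn(user_id), password)`; if that helper performs a simple bind, an empty or missing password is treated as an unauthenticated bind by many directory servers and yields a connection instead of an error, so the method would return `user_ref` for a caller who supplied no secret. Whether `get_connection` already rejects an empty password is not visible here (the function body continues between the two hunks), so this is worth confirming; a cheap guard before the bind is `if not password: raise AssertionError('Invalid user / password')`. The `conn` bound inside the `try` is not referenced in the visible lines, and whether it is unbound after a successful bind is also outside the hunk.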
@@ -58,18 +58,20 @@ class PamIdentity(identity.Driver): Tenant is always the same as User, root user has admin role. """ - def authenticate(self, user_id, tenant_id, password): + def authenticate_user(self, user_id=None, password=None): auth = pam.authenticate if pam else PAM_authenticate - if auth(user_id, password): - metadata = {} - if user_id == 'root': - metadata['is_admin'] = True + if not auth(user_id, password): + raise AssertionError('Invalid user / password') + user = {'id': user_id, 'name': user_id} + return user - tenant = {'id': user_id, 'name': user_id} - - user = {'id': user_id, 'name': user_id} - - return (user, tenant, metadata) + def authorize_for_project(self, user_ref, tenant_id=None): + user_id = user_ref['id'] + metadata = {} + if user_id == 'root': + metadata['is_admin'] = True + tenant = {'id': user_id, 'name': user_id} + return (user_ref, tenant, metadata) def get_project(self, tenant_id): return {'id': tenant_id, 'name': tenant_id}
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 71cab057..41285579 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
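Review bot: `authorize_for_project` ignores its `tenant_id` argument: it derives the tenant from `user_ref['id']` and returns successfully whatever tenant was requested, while the kvs, ldap and sql backends raise `AssertionError('Invalid tenant')` when `tenant_id` is not one of the user's projects. The class docstring says the tenant is always the same as the user, so if that is the intended model the check is `if tenant_id is not None and tenant_id != user_id: raise AssertionError('Invalid tenant')` before `tenant` is built; if any requested tenant is meant to be accepted, a docstring should say that `tenant_id` is disregarded. Separately, `authenticate_user` now defaults `user_id` to `None` and hands it to `auth(user_id, password)` unchanged, where the previous signature required it; whether `pam.authenticate` returns `False` or raises for a `None` user is not visible here.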
@@ -156,27 +156,21 @@ class Identity(sql.Base, identity.Driver): return utils.check_password(password, user_ref.password) # Identity interface - def authenticate(self, user_id=None, tenant_id=None, password=None): - """Authenticate based on a user, tenant and password. - - Expects the user object to have a password field and the tenant to be - in the list of tenants on the user. - - """ + def authenticate_user(self, user_id=None, password=None): session = self.get_session() - user_ref = None - tenant_ref = None - metadata_ref = {} - try: user_ref = self._get_user(session, user_id) except exception.UserNotFound: raise AssertionError('Invalid user / password') - if not self._check_password(password, user_ref): raise AssertionError('Invalid user / password') + return user_ref + def authorize_for_project(self, user_ref, tenant_id=None): + user_id = user_ref['id'] + tenant_ref = None + metadata_ref = {} if tenant_id is not None: # FIXME(gyee): this should really be # get_roles_for_user_and_project() after the dusts settle
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index fde7ac8d..6f30c744 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -62,6 +62,16 @@ class Manager(manager.Manager): def __init__(self): super(Manager, self).__init__(CONF.identity.driver) + def authenticate(self, context, user_id=None, + tenant_id=None, password=None): + """Authenticate a given user and password and + authorize them for a tenant. + :returns: (user_ref, tenant_ref, metadata_ref) + :raises: AssertionError + """ + user_ref = self.driver.authenticate_user(user_id, password) + return self.driver.authorize_for_project(user_ref, tenant_id) + def create_user(self, context, user_id, user_ref): user = user_ref.copy() if 'enabled' not in user:
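Review bot: The docstring of the new `Manager.authenticate` in the core.py hunk runs `:returns:` straight after the summary sentence without the blank line a reST field list needs, and it does not say what the tuple's `user_ref` is or which step raises. It should get that blank line, state that `user_ref` in the result is whatever the driver's `authorize_for_project` returns (the kvs backend filters it there) rather than the intermediate ref from `authenticate_user`, and note that `AssertionError` covers both a failed credential check and a tenant the user is not a member of. The method also passes both driver calls positionally, so it relies on every backend agreeing on the `(user_ref, tenant_id)` order; the `Driver` interface in the following hunk declares the opposite order.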
@@ -86,12 +96,17 @@ class Manager(manager.Manager): class Driver(object): """Interface description for an Identity driver.""" - def authenticate(self, user_id=None, tenant_id=None, password=None): - """Authenticate a given user, tenant and password. + def authenticate_user(self, user_id, password): + """Authenticate a given user and password. + :returns: user_ref + :raises: AssertionError + """ + raise exception.NotImplemented() + def authorize_for_project(self, tenant_id, user_ref): + """Authenticate a given user for a tenant. :returns: (user_ref, tenant_ref, metadata_ref) :raises: AssertionError - """ raise exception.NotImplemented() |
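Review bot: The interface declares `def authorize_for_project(self, tenant_id, user_ref)`, but every backend in this commit implements `authorize_for_project(self, user_ref, tenant_id=None)` and `Manager.authenticate` calls `self.driver.authorize_for_project(user_ref, tenant_id)` positionally, so the documented order is the reverse of the one actually used; it should read `def authorize_for_project(self, user_ref, tenant_id=None):`. Its docstring says "Authenticate a given user for a tenant" where the method authorizes an already-authenticated user; `"""Authorize an authenticated user_ref for tenant_id.` would match the name and the split the commit introduces. `authenticate_user(self, user_id, password)` also drops the `=None` defaults every backend keeps, which is harmless for positional callers but leaves the interface stricter than its implementations. The `Driver` class continues past the end of the hunk.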