Implement name space for domains

Creates a separate name space for each domain for the name attribute of
user, groups and projects - meaning that the names of these entities
only have to be unique within that domain.

Implementation of this within the SQL backends is handled by simply
changing the uniqueness constraints on the relevant attributes.  KVS
and LDAP backends do not yet support domain separation (blocked by
existing restrictions, already raised as bugs).

An issue exists for the downward migration with this change in that
if the database has been used and populated with the name space in place
then the downward migration may fail due to clashing names when you
try and revert to a global name space (raised as a separate bug)

This patch also improves the group support in the KVS backend and
cleans up string quoting in the 016 migration fucntions, and fixes an
issue where the SQL update_project was not updating a change in domain_id.

Change-Id: I8f0df0e1bf84bfd26b8ef5505fe5fafd930dc78b

1 files changed, 74 insertions, 0 deletions

diff --git a/tests/test_sql_upgrade.py b/tests/test_sql_upgrade.py
index 7dcce7fe..85ea7580 100644
--- a/tests/test_sql_upgrade.py
+++ b/tests/test_sql_upgrade.py
@@ -279,6 +279,7 @@ class SqlUpgradeTests(test.TestCase):
         self.populate_user_table(with_pass_enab=True)
         self.populate_tenant_table(with_desc_enab=True)
         self.upgrade(16)
+
         self.assertTableColumns("user",
                                 ["id", "name", "extra",
                                  "password", "enabled", "domain_id"])
@@ -299,9 +300,12 @@ class SqlUpgradeTests(test.TestCase):
         self.assertEqual(a_project.description,
                          default_fixtures.TENANTS[1]['description'])
         self.assertEqual(a_project.domain_id, DEFAULT_DOMAIN_ID)
+
         session.commit()
         session.close()
 
+        self.check_uniqueness_constraints()
+
     def test_downgrade_16_to_14(self):
         self.upgrade(16)
         self.populate_user_table(with_pass_enab_domain=True)
@@ -452,6 +456,76 @@ class SqlUpgradeTests(test.TestCase):
         self.downgrade(16)
         self.assertEquals(0, count_member_roles())
 
+    def check_uniqueness_constraints(self):
+        # Check uniqueness constraints for User & Project tables are
+        # correct following schema modification.  The Group table's
+        # schema is never modified, so we don't bother to check that.
+        domain_table = sqlalchemy.Table('domain',
+                                        self.metadata,
+                                        autoload=True)
+        domain1 = {'id': uuid.uuid4().hex,
+                   'name': uuid.uuid4().hex,
+                   'enabled': True}
+        domain2 = {'id': uuid.uuid4().hex,
+                   'name': uuid.uuid4().hex,
+                   'enabled': True}
+        cmd = domain_table.insert().values(domain1)
+        self.engine.execute(cmd)
+        cmd = domain_table.insert().values(domain2)
+        self.engine.execute(cmd)
+
+        # First, the User table.
+        this_table = sqlalchemy.Table('user',
+                                      self.metadata,
+                                      autoload=True)
+        user = {'id': uuid.uuid4().hex,
+                'name': uuid.uuid4().hex,
+                'domain_id': domain1['id'],
+                'password': uuid.uuid4().hex,
+                'enabled': True,
+                'extra': json.dumps({})}
+        cmd = this_table.insert().values(user)
+        self.engine.execute(cmd)
+        # now insert a user with the same name into a different
+        # domain - which should work.
+        user['id'] = uuid.uuid4().hex
+        user['domain_id'] = domain2['id']
+        cmd = this_table.insert().values(user)
+        self.engine.execute(cmd)
+        # TODO(henry-nash).  For now, as part of clean-up we
+        # delete one of these users.  Although not part of this test,
+        # unless we do so the downgrade(16->15) that is part of
+        # teardown with fail due to having two uses with clashing
+        # name as we try to revert to a single global name space.  This
+        # limitation is raised as Bug #1125046 and the delete
+        # could be removed depending on how that bug is resolved.
+        cmd = this_table.delete(id=user['id'])
+        self.engine.execute(cmd)
+
+        # Now, the Project table.
+        this_table = sqlalchemy.Table('project',
+                                      self.metadata,
+                                      autoload=True)
+        project = {'id': uuid.uuid4().hex,
+                   'name': uuid.uuid4().hex,
+                   'domain_id': domain1['id'],
+                   'description': uuid.uuid4().hex,
+                   'enabled': True,
+                   'extra': json.dumps({})}
+        cmd = this_table.insert().values(project)
+        self.engine.execute(cmd)
+        # now insert a project with the same name into a different
+        # domain - which should work.
+        project['id'] = uuid.uuid4().hex
+        project['domain_id'] = domain2['id']
+        cmd = this_table.insert().values(project)
+        self.engine.execute(cmd)
+        # TODO(henry-nash) For now, we delete one of the projects for
+        # the same reason as we delete one of the users (Bug #1125046).
+        # This delete could be removed depending on that bug resolution.
+        cmd = this_table.delete(id=project['id'])
+        self.engine.execute(cmd)
+
     def populate_user_table(self, with_pass_enab=False,
                             with_pass_enab_domain=False):
         # Populate the appropriate fields in the user