Diffstat (limited to 'keystone/common')
-rw-r--r-- | keystone/common/cms.py | 2 | ||||
-rw-r--r-- | keystone/common/config.py | 535 | ||||
-rw-r--r-- | keystone/common/controller.py | 58 | ||||
-rw-r--r-- | keystone/common/environment/__init__.py | 2 | ||||
-rw-r--r-- | keystone/common/environment/eventlet_server.py | 13 | ||||
-rw-r--r-- | keystone/common/ldap/core.py | 9 | ||||
-rw-r--r-- | keystone/common/ldap/fakeldap.py | 20 | ||||
-rw-r--r-- | keystone/common/openssl.py | 3 | ||||
-rw-r--r-- | keystone/common/sql/core.py | 2 | ||||
-rw-r--r-- | keystone/common/sql/legacy.py | 2 | ||||
-rw-r--r-- | keystone/common/sql/migrate_repo/versions/032_username_length.py | 31 | ||||
-rw-r--r-- | keystone/common/sql/nova.py | 2 | ||||
-rw-r--r-- | keystone/common/utils.py | 3 | ||||
-rw-r--r-- | keystone/common/wsgi.py | 19 |
14 files changed, 336 insertions, 365 deletions
diff --git a/keystone/common/cms.py b/keystone/common/cms.py index 6ec740f8..09a98cdc 100644 --- a/keystone/common/cms.py +++ b/keystone/common/cms.py @@ -1,7 +1,7 @@ import hashlib from keystone.common import environment -from keystone.common import logging +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) diff --git a/keystone/common/config.py b/keystone/common/config.py index 5a961d4a..34ab0988 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py 
@@ -24,6 +24,223 @@ _DEFAULT_LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S" _DEFAULT_AUTH_METHODS = ['external', 'password', 'token'] +FILE_OPTIONS = { + '': [ + cfg.StrOpt('admin_token', secret=True, default='ADMIN'), + cfg.StrOpt('bind_host', default='0.0.0.0'), + cfg.IntOpt('compute_port', default=8774), + cfg.IntOpt('admin_port', default=35357), + cfg.IntOpt('public_port', default=5000), + cfg.StrOpt('public_endpoint', + default='http://localhost:%(public_port)s/'), + cfg.StrOpt('admin_endpoint', + default='http://localhost:%(admin_port)s/'), + cfg.StrOpt('onready'), + cfg.StrOpt('auth_admin_prefix', default=''), + cfg.StrOpt('policy_file', default='policy.json'), + cfg.StrOpt('policy_default_rule', default=None), + # default max request size is 112k + cfg.IntOpt('max_request_body_size', default=114688), + cfg.IntOpt('max_param_size', default=64), + # we allow tokens to be a bit larger to accommodate PKI + cfg.IntOpt('max_token_size', default=8192), + cfg.StrOpt('member_role_id', + default='9fe2ff9ee4384b1894a90878d3e92bab'), + cfg.StrOpt('member_role_name', default='_member_'), + cfg.IntOpt('crypt_strength', default=40000)], + 'identity': [ + cfg.StrOpt('default_domain_id', default='default'), + cfg.BoolOpt('domain_specific_drivers_enabled', + default=False), + cfg.StrOpt('domain_config_dir', + default='/etc/keystone/domains'), + cfg.StrOpt('driver', + default=('keystone.identity.backends' + '.sql.Identity')), + cfg.IntOpt('max_password_length', default=4096)], + 'trust': [ + cfg.BoolOpt('enabled', default=True), + cfg.StrOpt('driver', + default='keystone.trust.backends.sql.Trust')], + 'os_inherit': [ + cfg.BoolOpt('enabled', default=False)], + 'token': [ + cfg.ListOpt('bind', default=[]), + cfg.StrOpt('enforce_token_bind', default='permissive'), + cfg.IntOpt('expiration', default=86400), + cfg.StrOpt('provider', default=None), + cfg.StrOpt('driver', + default='keystone.token.backends.sql.Token')], + 'ssl': [ + cfg.BoolOpt('enable', default=False), + 
cfg.StrOpt('certfile', + default="/etc/keystone/ssl/certs/keystone.pem"), + cfg.StrOpt('keyfile', + default="/etc/keystone/ssl/private/keystonekey.pem"), + cfg.StrOpt('ca_certs', + default="/etc/keystone/ssl/certs/ca.pem"), + cfg.StrOpt('ca_key', + default="/etc/keystone/ssl/certs/cakey.pem"), + cfg.BoolOpt('cert_required', default=False), + cfg.IntOpt('key_size', default=1024), + cfg.IntOpt('valid_days', default=3650), + cfg.StrOpt('ca_password', default=None), + cfg.StrOpt('cert_subject', + default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')], + 'signing': [ + cfg.StrOpt('token_format', default=None), + cfg.StrOpt('certfile', + default="/etc/keystone/ssl/certs/signing_cert.pem"), + cfg.StrOpt('keyfile', + default="/etc/keystone/ssl/private/signing_key.pem"), + cfg.StrOpt('ca_certs', + default="/etc/keystone/ssl/certs/ca.pem"), + cfg.StrOpt('ca_key', + default="/etc/keystone/ssl/certs/cakey.pem"), + cfg.IntOpt('key_size', default=2048), + cfg.IntOpt('valid_days', default=3650), + cfg.StrOpt('ca_password', default=None), + cfg.StrOpt('cert_subject', + default=('/C=US/ST=Unset/L=Unset/O=Unset/' + 'CN=www.example.com'))], + 'sql': [ + cfg.StrOpt('connection', secret=True, + default='sqlite:///keystone.db'), + cfg.IntOpt('idle_timeout', default=200)], + 'assignment': [ + # assignment has no default for backward compatibility reasons. 
+ # If assignment driver is not specified, the identity driver chooses + # the backend + cfg.StrOpt('driver', default=None)], + 'credential': [ + cfg.StrOpt('driver', + default=('keystone.credential.backends' + '.sql.Credential'))], + 'oauth1': [ + cfg.StrOpt('driver', + default='keystone.contrib.oauth1.backends.sql.OAuth1'), + cfg.IntOpt('request_token_duration', default=28800), + cfg.IntOpt('access_token_duration', default=86400)], + 'policy': [ + cfg.StrOpt('driver', + default='keystone.policy.backends.sql.Policy')], + 'ec2': [ + cfg.StrOpt('driver', + default='keystone.contrib.ec2.backends.kvs.Ec2')], + 'stats': [ + cfg.StrOpt('driver', + default=('keystone.contrib.stats.backends' + '.kvs.Stats'))], + 'ldap': [ + cfg.StrOpt('url', default='ldap://localhost'), + cfg.StrOpt('user', default=None), + cfg.StrOpt('password', secret=True, default=None), + cfg.StrOpt('suffix', default='cn=example,cn=com'), + cfg.BoolOpt('use_dumb_member', default=False), + cfg.StrOpt('dumb_member', default='cn=dumb,dc=nonexistent'), + cfg.BoolOpt('allow_subtree_delete', default=False), + cfg.StrOpt('query_scope', default='one'), + cfg.IntOpt('page_size', default=0), + cfg.StrOpt('alias_dereferencing', default='default'), + + cfg.StrOpt('user_tree_dn', default=None), + cfg.StrOpt('user_filter', default=None), + cfg.StrOpt('user_objectclass', default='inetOrgPerson'), + cfg.StrOpt('user_id_attribute', default='cn'), + cfg.StrOpt('user_name_attribute', default='sn'), + cfg.StrOpt('user_mail_attribute', default='email'), + cfg.StrOpt('user_pass_attribute', default='userPassword'), + cfg.StrOpt('user_enabled_attribute', default='enabled'), + cfg.StrOpt('user_domain_id_attribute', + default='businessCategory'), + cfg.IntOpt('user_enabled_mask', default=0), + cfg.StrOpt('user_enabled_default', default='True'), + cfg.ListOpt('user_attribute_ignore', + default='tenant_id,tenants'), + cfg.BoolOpt('user_allow_create', default=True), + cfg.BoolOpt('user_allow_update', default=True), + 
cfg.BoolOpt('user_allow_delete', default=True), + cfg.BoolOpt('user_enabled_emulation', default=False), + cfg.StrOpt('user_enabled_emulation_dn', default=None), + cfg.ListOpt('user_additional_attribute_mapping', + default=None), + + cfg.StrOpt('tenant_tree_dn', default=None), + cfg.StrOpt('tenant_filter', default=None), + cfg.StrOpt('tenant_objectclass', default='groupOfNames'), + cfg.StrOpt('tenant_id_attribute', default='cn'), + cfg.StrOpt('tenant_member_attribute', default='member'), + cfg.StrOpt('tenant_name_attribute', default='ou'), + cfg.StrOpt('tenant_desc_attribute', default='description'), + cfg.StrOpt('tenant_enabled_attribute', default='enabled'), + cfg.StrOpt('tenant_domain_id_attribute', + default='businessCategory'), + cfg.ListOpt('tenant_attribute_ignore', default=''), + cfg.BoolOpt('tenant_allow_create', default=True), + cfg.BoolOpt('tenant_allow_update', default=True), + cfg.BoolOpt('tenant_allow_delete', default=True), + cfg.BoolOpt('tenant_enabled_emulation', default=False), + cfg.StrOpt('tenant_enabled_emulation_dn', default=None), + cfg.ListOpt('tenant_additional_attribute_mapping', + default=None), + + cfg.StrOpt('role_tree_dn', default=None), + cfg.StrOpt('role_filter', default=None), + cfg.StrOpt('role_objectclass', default='organizationalRole'), + cfg.StrOpt('role_id_attribute', default='cn'), + cfg.StrOpt('role_name_attribute', default='ou'), + cfg.StrOpt('role_member_attribute', default='roleOccupant'), + cfg.ListOpt('role_attribute_ignore', default=''), + cfg.BoolOpt('role_allow_create', default=True), + cfg.BoolOpt('role_allow_update', default=True), + cfg.BoolOpt('role_allow_delete', default=True), + cfg.ListOpt('role_additional_attribute_mapping', + default=None), + + cfg.StrOpt('group_tree_dn', default=None), + cfg.StrOpt('group_filter', default=None), + cfg.StrOpt('group_objectclass', default='groupOfNames'), + cfg.StrOpt('group_id_attribute', default='cn'), + cfg.StrOpt('group_name_attribute', default='ou'), + 
cfg.StrOpt('group_member_attribute', default='member'), + cfg.StrOpt('group_desc_attribute', default='description'), + cfg.StrOpt('group_domain_id_attribute', + default='businessCategory'), + cfg.ListOpt('group_attribute_ignore', default=''), + cfg.BoolOpt('group_allow_create', default=True), + cfg.BoolOpt('group_allow_update', default=True), + cfg.BoolOpt('group_allow_delete', default=True), + cfg.ListOpt('group_additional_attribute_mapping', + default=None), + + cfg.StrOpt('tls_cacertfile', default=None), + cfg.StrOpt('tls_cacertdir', default=None), + cfg.BoolOpt('use_tls', default=False), + cfg.StrOpt('tls_req_cert', default='demand')], + 'pam': [ + cfg.StrOpt('userid', default=None), + cfg.StrOpt('password', default=None)], + 'auth': [ + cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS), + cfg.StrOpt('password', + default='keystone.auth.plugins.token.Token'), + cfg.StrOpt('token', + default='keystone.auth.plugins.password.Password'), + #deals with REMOTE_USER authentication + cfg.StrOpt('external', + default='keystone.auth.plugins.external.ExternalDefault')], + 'paste_deploy': [ + cfg.StrOpt('config_file', default=None)], + 'memcache': [ + cfg.StrOpt('servers', default='localhost:11211'), + cfg.IntOpt('max_compare_and_set_retry', default=16)], + 'catalog': [ + cfg.StrOpt('template_file', + default='default_catalog.templates'), + cfg.StrOpt('driver', + default='keystone.catalog.backends.sql.Catalog')]} + + CONF = cfg.CONF 
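Review bot: The two plugin defaults in the `auth` group are crossed: `cfg.StrOpt('password', default='keystone.auth.plugins.token.Token')` maps the password method to the Token plugin and `cfg.StrOpt('token', default='keystone.auth.plugins.password.Password')` does the reverse; the removed `register_str` calls carried the same swap, so the new table reproduces it rather than fixing it. Unless every deployment is expected to override both, they should read `cfg.StrOpt('password', default='keystone.auth.plugins.password.Password')` and `cfg.StrOpt('token', default='keystone.auth.plugins.token.Token')`. Separately, `cfg.StrOpt('password', default=None)` under `pam` and both `cfg.StrOpt('ca_password', default=None)` entries hold credentials but lack `secret=True`, unlike `ldap.password` and `sql.connection`, so anything that honours the secret flag when dumping configuration would print them in clear. `ssl.key_size` defaults to 1024 while `signing.key_size` is 2048; if the smaller value is deliberate it deserves a comment, otherwise it should match.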
@@ -40,297 +257,35 @@ def setup_logging(conf, product_name='keystone'): logging.setup(product_name) -def setup_authentication(): +def setup_authentication(conf=None): # register any non-default auth methods here (used by extensions, etc) - for method_name in CONF.auth.methods: + if conf is None: + conf = CONF + for method_name in conf.auth.methods: if method_name not in _DEFAULT_AUTH_METHODS: - register_str(method_name, group="auth") - - -def register_str(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_opt(cfg.StrOpt(*args, **kw), group=group) - - -def register_cli_str(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_cli_opt(cfg.StrOpt(*args, **kw), group=group) - - -def register_list(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_opt(cfg.ListOpt(*args, **kw), group=group) - - -def register_cli_list(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_cli_opt(cfg.ListOpt(*args, **kw), group=group) - - -def register_bool(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_opt(cfg.BoolOpt(*args, **kw), group=group) - - -def register_cli_bool(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_cli_opt(cfg.BoolOpt(*args, **kw), group=group) - - -def register_int(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_opt(cfg.IntOpt(*args, **kw), group=group) - - -def register_cli_int(*args, **kw): - conf = kw.pop('conf', CONF) - group = kw.pop('group', None) - return conf.register_cli_opt(cfg.IntOpt(*args, **kw), group=group) - - -def configure(): - register_cli_bool('standard-threads', default=False, - help='Do not monkey-patch threading system modules.') + conf.register_opt(cfg.StrOpt(method_name), group='auth') + + +def 
configure(conf=None): + if conf is None: + conf = CONF + + conf.register_cli_opt( + cfg.BoolOpt('standard-threads', default=False, + help='Do not monkey-patch threading system modules.')) + conf.register_cli_opt( + cfg.StrOpt('pydev-debug-host', default=None, + help='Host to connect to for remote debugger.')) + conf.register_cli_opt( + cfg.IntOpt('pydev-debug-port', default=None, + help='Port to connect to for remote debugger.')) + + for section in FILE_OPTIONS: + for option in FILE_OPTIONS[section]: + if section: + conf.register_opt(option, group=section) + else: + conf.register_opt(option) - register_cli_str('pydev-debug-host', default=None, - help='Host to connect to for remote debugger.') - register_cli_int('pydev-debug-port', default=None, - help='Port to connect to for remote debugger.') - - register_str('admin_token', secret=True, default='ADMIN') - register_str('bind_host', default='0.0.0.0') - register_int('compute_port', default=8774) - register_int('admin_port', default=35357) - register_int('public_port', default=5000) - register_str( - 'public_endpoint', default='http://localhost:%(public_port)s/') - register_str('admin_endpoint', default='http://localhost:%(admin_port)s/') - register_str('onready') - register_str('auth_admin_prefix', default='') - register_str('policy_file', default='policy.json') - register_str('policy_default_rule', default=None) - # default max request size is 112k - register_int('max_request_body_size', default=114688) - register_int('max_param_size', default=64) - # we allow tokens to be a bit larger to accommodate PKI - register_int('max_token_size', default=8192) - register_str( - 'member_role_id', default='9fe2ff9ee4384b1894a90878d3e92bab') - register_str('member_role_name', default='_member_') - - # identity - register_str('default_domain_id', group='identity', default='default') - register_int('max_password_length', group='identity', default=4096) - - # trust - register_bool('enabled', group='trust', default=True) - - # 
os_inherit - register_bool('enabled', group='os_inherit', default=False) - - # binding - register_list('bind', group='token', default=[]) - register_str('enforce_token_bind', group='token', default='permissive') - - # ssl - register_bool('enable', group='ssl', default=False) - register_str('certfile', group='ssl', - default="/etc/keystone/ssl/certs/keystone.pem") - register_str('keyfile', group='ssl', - default="/etc/keystone/ssl/private/keystonekey.pem") - register_str('ca_certs', group='ssl', - default="/etc/keystone/ssl/certs/ca.pem") - register_str('ca_key', group='ssl', - default="/etc/keystone/ssl/certs/cakey.pem") - register_bool('cert_required', group='ssl', default=False) - register_int('key_size', group='ssl', default=1024) - register_int('valid_days', group='ssl', default=3650) - register_str('ca_password', group='ssl', default=None) - register_str('cert_subject', group='ssl', - default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost') - - # signing - register_str( - 'token_format', group='signing', default=None) - register_str( - 'certfile', - group='signing', - default="/etc/keystone/ssl/certs/signing_cert.pem") - register_str( - 'keyfile', - group='signing', - default="/etc/keystone/ssl/private/signing_key.pem") - register_str( - 'ca_certs', - group='signing', - default="/etc/keystone/ssl/certs/ca.pem") - register_str('ca_key', group='signing', - default="/etc/keystone/ssl/certs/cakey.pem") - register_int('key_size', group='signing', default=2048) - register_int('valid_days', group='signing', default=3650) - register_str('ca_password', group='signing', default=None) - register_str('cert_subject', group='signing', - default='/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com') - - # sql - register_str('connection', group='sql', secret=True, - default='sqlite:///keystone.db') - register_int('idle_timeout', group='sql', default=200) - - #assignment has no default for backward compatibility reasons. 
- #If assignment is not specified, the identity driver chooses the backend - register_str( - 'driver', - group='assignment', - default=None) - register_str( - 'driver', - group='catalog', - default='keystone.catalog.backends.sql.Catalog') - register_str( - 'driver', - group='identity', - default='keystone.identity.backends.sql.Identity') - register_str( - 'driver', - group='credential', - default='keystone.credential.backends.sql.Credential') - register_str( - 'driver', - group='policy', - default='keystone.policy.backends.sql.Policy') - register_str( - 'driver', group='token', default='keystone.token.backends.sql.Token') - register_str( - 'driver', group='trust', default='keystone.trust.backends.sql.Trust') - register_str( - 'driver', group='ec2', default='keystone.contrib.ec2.backends.kvs.Ec2') - register_str( - 'driver', - group='stats', - default='keystone.contrib.stats.backends.kvs.Stats') - - # ldap - register_str('url', group='ldap', default='ldap://localhost') - register_str('user', group='ldap', default=None) - register_str('password', group='ldap', secret=True, default=None) - register_str('suffix', group='ldap', default='cn=example,cn=com') - register_bool('use_dumb_member', group='ldap', default=False) - register_str('dumb_member', group='ldap', default='cn=dumb,dc=nonexistent') - register_bool('allow_subtree_delete', group='ldap', default=False) - register_str('query_scope', group='ldap', default='one') - register_int('page_size', group='ldap', default=0) - register_str('alias_dereferencing', group='ldap', default='default') - - register_str('user_tree_dn', group='ldap', default=None) - register_str('user_filter', group='ldap', default=None) - register_str('user_objectclass', group='ldap', default='inetOrgPerson') - register_str('user_id_attribute', group='ldap', default='cn') - register_str('user_name_attribute', group='ldap', default='sn') - register_str('user_mail_attribute', group='ldap', default='email') - register_str('user_pass_attribute', 
group='ldap', default='userPassword') - register_str('user_enabled_attribute', group='ldap', default='enabled') - register_str( - 'user_domain_id_attribute', group='ldap', default='businessCategory') - register_int('user_enabled_mask', group='ldap', default=0) - register_str('user_enabled_default', group='ldap', default='True') - register_list( - 'user_attribute_ignore', group='ldap', default='tenant_id,tenants') - register_bool('user_allow_create', group='ldap', default=True) - register_bool('user_allow_update', group='ldap', default=True) - register_bool('user_allow_delete', group='ldap', default=True) - register_bool('user_enabled_emulation', group='ldap', default=False) - register_str('user_enabled_emulation_dn', group='ldap', default=None) - register_list( - 'user_additional_attribute_mapping', group='ldap', default=None) - - register_str('tenant_tree_dn', group='ldap', default=None) - register_str('tenant_filter', group='ldap', default=None) - register_str('tenant_objectclass', group='ldap', default='groupOfNames') - register_str('tenant_id_attribute', group='ldap', default='cn') - register_str('tenant_member_attribute', group='ldap', default='member') - register_str('tenant_name_attribute', group='ldap', default='ou') - register_str('tenant_desc_attribute', group='ldap', default='description') - register_str('tenant_enabled_attribute', group='ldap', default='enabled') - register_str( - 'tenant_domain_id_attribute', group='ldap', default='businessCategory') - register_list('tenant_attribute_ignore', group='ldap', default='') - register_bool('tenant_allow_create', group='ldap', default=True) - register_bool('tenant_allow_update', group='ldap', default=True) - register_bool('tenant_allow_delete', group='ldap', default=True) - register_bool('tenant_enabled_emulation', group='ldap', default=False) - register_str('tenant_enabled_emulation_dn', group='ldap', default=None) - register_list( - 'tenant_additional_attribute_mapping', group='ldap', default=None) - - 
register_str('role_tree_dn', group='ldap', default=None) - register_str('role_filter', group='ldap', default=None) - register_str( - 'role_objectclass', group='ldap', default='organizationalRole') - register_str('role_id_attribute', group='ldap', default='cn') - register_str('role_name_attribute', group='ldap', default='ou') - register_str('role_member_attribute', group='ldap', default='roleOccupant') - register_list('role_attribute_ignore', group='ldap', default='') - register_bool('role_allow_create', group='ldap', default=True) - register_bool('role_allow_update', group='ldap', default=True) - register_bool('role_allow_delete', group='ldap', default=True) - register_list( - 'role_additional_attribute_mapping', group='ldap', default=None) - - register_str('group_tree_dn', group='ldap', default=None) - register_str('group_filter', group='ldap', default=None) - register_str('group_objectclass', group='ldap', default='groupOfNames') - register_str('group_id_attribute', group='ldap', default='cn') - register_str('group_name_attribute', group='ldap', default='ou') - register_str('group_member_attribute', group='ldap', default='member') - register_str('group_desc_attribute', group='ldap', default='description') - register_str( - 'group_domain_id_attribute', group='ldap', default='businessCategory') - register_list('group_attribute_ignore', group='ldap', default='') - register_bool('group_allow_create', group='ldap', default=True) - register_bool('group_allow_update', group='ldap', default=True) - register_bool('group_allow_delete', group='ldap', default=True) - register_list( - 'group_additional_attribute_mapping', group='ldap', default=None) - - register_str('tls_cacertfile', group='ldap', default=None) - register_str('tls_cacertdir', group='ldap', default=None) - register_bool('use_tls', group='ldap', default=False) - register_str('tls_req_cert', group='ldap', default='demand') - - # pam - register_str('userid', group='pam', default=None) - register_str('password', 
group='pam', default=None) - - # default authentication methods - register_list('methods', group='auth', default=_DEFAULT_AUTH_METHODS) - register_str( - 'password', group='auth', default='keystone.auth.plugins.token.Token') - register_str( - 'token', group='auth', - default='keystone.auth.plugins.password.Password') - #deals with REMOTE_USER authentication - register_str( - 'external', - group='auth', - default='keystone.auth.plugins.external.ExternalDefault') # register any non-default auth methods here (used by extensions, etc) - for method_name in CONF.auth.methods: - if method_name not in _DEFAULT_AUTH_METHODS: - register_str(method_name, group='auth') - - # PasteDeploy config file - register_str('config_file', group='paste_deploy', default=None) - - # token provider - register_str( - 'provider', - group='token', - default=None) + setup_authentication(conf) diff --git a/keystone/common/controller.py b/keystone/common/controller.py index affc34de..90818fb4 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -3,11 +3,10 @@ import functools import uuid from keystone.common import dependency -from keystone.common import logging from keystone.common import wsgi from keystone import config from keystone import exception - +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) CONF = config.CONF @@ -169,6 +168,10 @@ class V2Controller(wsgi.Application): self._delete_tokens_for_trust(trust['trustee_user_id'], trust['id']) + def _delete_tokens_for_project(self, project_id): + for user_ref in self.identity_api.get_project_users(project_id): + self._delete_tokens_for_user(user_ref['id'], project_id=project_id) + def _require_attribute(self, ref, attr): """Ensures the reference contains the specified attribute.""" if ref.get(attr) is None or ref.get(attr) == '': 
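Review bot: `configure()` is now the only place the `FILE_OPTIONS` entries get registered, so any `CONF.<opt>` read before it runs raises oslo.config's NoSuchOptError; the utils.py hunk removes the import-time `config.register_int('crypt_strength', default=40000)` that previously made that option available unconditionally, so a caller that hashes a password before `configure()` would presumably now fail — worth confirming against the startup order. A docstring on `configure` should state that contract, e.g. `"""Register the CLI options and every FILE_OPTIONS entry on conf (CONF by default); must run before any option is read."""`. The nested loop reads better as `for section, options in FILE_OPTIONS.items():` over `for option in options:`. `setup_authentication` registers a bare `cfg.StrOpt(method_name)` for every non-default name in `[auth] methods` without `help`, so a typo in that list silently creates an unset option instead of an error; extending the existing comment to say so would save an operator some confusion.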
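Review bot: `_delete_tokens_for_project` has no docstring and its revocation scope depends entirely on what `self.identity_api.get_project_users(project_id)` returns; if that call does not include users who reach the project only through a group assignment, their project-scoped tokens stay valid after whatever triggers this helper, and incomplete revocation is a security defect — worth confirming. Suggested docstring: `"""Revoke the project-scoped tokens of every user get_project_users reports for project_id; users whose access is only group-derived are covered only if that call returns them."""`. The enclosing `V2Controller` class starts and ends outside the hunk.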
@@ -300,34 +303,35 @@ class V3Controller(V2Controller): ref['id'] = uuid.uuid4().hex return ref + def _get_domain_id_for_request(self, context): + """Get the domain_id for a v3 call.""" + + if context['is_admin']: + return DEFAULT_DOMAIN_ID + + # Fish the domain_id out of the token + # + # We could make this more efficient by loading the domain_id + # into the context in the wrapper function above (since + # this version of normalize_domain will only be called inside + # a v3 protected call). However, this optimization is probably not + # worth the duplication of state + try: + token_ref = self.token_api.get_token( + token_id=context['token_id']) + except exception.TokenNotFound: + LOG.warning(_('Invalid token in _get_domain_id_for_request')) + raise exception.Unauthorized() + + if 'domain' in token_ref: + return token_ref['domain']['id'] + else: + return DEFAULT_DOMAIN_ID + def _normalize_domain_id(self, context, ref): """Fill in domain_id if not specified in a v3 call.""" - if 'domain_id' not in ref: - if context['is_admin']: - ref['domain_id'] = DEFAULT_DOMAIN_ID - else: - # Fish the domain_id out of the token - # - # We could make this more efficient by loading the domain_id - # into the context in the wrapper function above (since - # this version of normalize_domain will only be called inside - # a v3 protected call). 
However, given that we only use this - # for creating entities, this optimization is probably not - # worth the duplication of state - try: - token_ref = self.token_api.get_token( - token_id=context['token_id']) - except exception.TokenNotFound: - LOG.warning(_('Invalid token in normalize_domain_id')) - raise exception.Unauthorized() - - if 'domain' in token_ref: - ref['domain_id'] = token_ref['domain']['id'] - else: - # FIXME(henry-nash) Revisit this once v3 token scoping - # across domains has been hashed out - ref['domain_id'] = DEFAULT_DOMAIN_ID + ref['domain_id'] = self._get_domain_id_for_request(context) return ref def _filter_domain_id(self, ref): diff --git a/keystone/common/environment/__init__.py b/keystone/common/environment/__init__.py index 2993536a..7ec82002 100644 --- a/keystone/common/environment/__init__.py +++ b/keystone/common/environment/__init__.py @@ -2,7 +2,7 @@ import functools import os from keystone.common import config -from keystone.common import logging +from keystone.openstack.common import log as logging CONF = config.CONF LOG = logging.getLogger(__name__) diff --git a/keystone/common/environment/eventlet_server.py b/keystone/common/environment/eventlet_server.py index 18987d26..874c4831 100644 --- a/keystone/common/environment/eventlet_server.py +++ b/keystone/common/environment/eventlet_server.py @@ -26,8 +26,7 @@ import eventlet import eventlet.wsgi import greenlet -from keystone.common import logging -from keystone.common import wsgi +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) 
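Review bot: The refactor into `_get_domain_id_for_request` drops the removed `# FIXME(henry-nash) Revisit this once v3 token scoping across domains has been hashed out` comment, so the fallback `return DEFAULT_DOMAIN_ID` for a token with no `'domain'` key now reads as intended behaviour rather than a known gap; the FIXME should move into the helper above that `else`. The same fallback is taken for every `context['is_admin']` request, and the one-line docstring should say so, e.g. `"""Return the domain_id for a v3 call: the default domain for admin-token requests and for tokens without a domain, otherwise the token's domain."""`. The enclosing `V3Controller` class starts and ends outside the hunk.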
@@ -48,10 +47,10 @@ class Server(object): def start(self, key=None, backlog=128): """Run a WSGI server with the given application.""" - LOG.debug(_('Starting %(arg0)s on %(host)s:%(port)s') % - {'arg0': sys.argv[0], - 'host': self.host, - 'port': self.port}) + LOG.info(_('Starting %(arg0)s on %(host)s:%(port)s') % + {'arg0': sys.argv[0], + 'host': self.host, + 'port': self.port}) # TODO(dims): eventlet's green dns/socket module does not actually # support IPv6 in getaddrinfo(). We need to get around this in the @@ -108,7 +107,7 @@ class Server(object): log = logging.getLogger('eventlet.wsgi.server') try: eventlet.wsgi.server(socket, application, custom_pool=self.pool, - log=wsgi.WritableLogger(log)) + log=logging.WritableLogger(log)) except Exception: LOG.exception(_('Server error')) raise diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py index 39ea78de..48e4121f 100644 --- a/keystone/common/ldap/core.py +++ b/keystone/common/ldap/core.py @@ -20,9 +20,8 @@ import ldap from ldap import filter as ldap_filter from keystone.common.ldap import fakeldap -from keystone.common import logging from keystone import exception - +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) @@ -509,7 +508,7 @@ class LdapWrapper(object): def add_s(self, dn, attrs): ldap_attrs = [(kind, [py2ldap(x) for x in safe_iter(values)]) for kind, values in attrs] - if LOG.isEnabledFor(logging.DEBUG): + if LOG.isEnabledFor(LOG.debug): sane_attrs = [(kind, values if kind != 'userPassword' else ['****']) @@ -519,7 +518,7 @@ class LdapWrapper(object): return self.conn.add_s(dn, ldap_attrs) def search_s(self, dn, scope, query, attrlist=None): - if LOG.isEnabledFor(logging.DEBUG): + if LOG.isEnabledFor(LOG.debug): LOG.debug(_( 'LDAP search: dn=%(dn)s, scope=%(scope)s, query=%(query)s, ' 'attrs=%(attrlist)s') % { 
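Review bot: The `@@ -108,7` hunk swaps the removed `wsgi.WritableLogger` (which, per the wsgi.py hunk, defaulted to `level=logging.DEBUG`) for `logging.WritableLogger` from `keystone.openstack.common.log`, whose default level is not visible here; if the oslo wrapper logs at a different level, the eventlet access lines on the `eventlet.wsgi.server` logger change verbosity or vanish from existing log configurations, which matters for anyone relying on them as an access log. Worth confirming and recording, e.g. `# eventlet access log; level comes from openstack.common.log.WritableLogger`. `Server.start` and the surrounding method in the `@@ -108,7` hunk both start and end outside the hunk.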
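Review bot: `if LOG.isEnabledFor(LOG.debug):` in the `@@ -509,7` hunk passes a bound method where `isEnabledFor` expects an integer level; the same change is made in the `@@ -519,7` and `@@ -586,7` hunks of this file and the `@@ -407,7` and `@@ -419,7` hunks of wsgi.py. On Python 2 the method-versus-int comparison inside `isEnabledFor` does not raise but is meaningless (it presumably evaluates true), so the guard meant to skip building `sane_attrs`/`sane_modlist` and the per-header request dump no longer gates anything, and on Python 3 it would raise TypeError. Each site should compare against a real level, e.g. `if LOG.isEnabledFor(logging.DEBUG):` if `keystone.openstack.common.log` re-exports `DEBUG`, otherwise `import logging as std_logging` at the top and `std_logging.DEBUG`. The `userPassword` masking still happens inside the guarded block, so nothing leaks from this change, but the check should be fixed before anything relies on it.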
@@ -586,7 +585,7 @@ class LdapWrapper(object): else [py2ldap(x) for x in safe_iter(values)])) for op, kind, values in modlist] - if LOG.isEnabledFor(logging.DEBUG): + if LOG.isEnabledFor(LOG.debug): sane_modlist = [(op, kind, (values if kind != 'userPassword' else ['****'])) for op, kind, values in ldap_modlist] diff --git a/keystone/common/ldap/fakeldap.py b/keystone/common/ldap/fakeldap.py index f6c95895..e4458874 100644 --- a/keystone/common/ldap/fakeldap.py +++ b/keystone/common/ldap/fakeldap.py @@ -29,8 +29,8 @@ import shelve import ldap -from keystone.common import logging from keystone.common import utils +from keystone.openstack.common import log as logging SCOPE_NAMES = { @@ -41,8 +41,6 @@ SCOPE_NAMES = { LOG = logging.getLogger(__name__) -#Only enable a lower level than WARN if you are actively debugging -LOG.level = logging.WARN def _match_query(query, attrs): @@ -125,18 +123,14 @@ server_fail = False class FakeShelve(dict): - @classmethod - def get_instance(cls): - try: - return cls.__instance - except AttributeError: - cls.__instance = cls() - return cls.__instance def sync(self): pass +FakeShelves = {} + + class FakeLdap(object): """Fake LDAP connection.""" @@ -144,8 +138,10 @@ class FakeLdap(object): def __init__(self, url): LOG.debug(_('FakeLdap initialize url=%s'), url) - if url == 'fake://memory': - self.db = FakeShelve.get_instance() + if url.startswith('fake://memory'): + if url not in FakeShelves: + FakeShelves[url] = FakeShelve() + self.db = FakeShelves[url] else: self.db = shelve.open(url[7:]) diff --git a/keystone/common/openssl.py b/keystone/common/openssl.py index 90484505..280815ae 100644 --- a/keystone/common/openssl.py +++ b/keystone/common/openssl.py @@ -19,9 +19,8 @@ import os import stat from keystone.common import environment -from keystone.common import logging from keystone import config - +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) CONF = config.CONF 
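Review bot: In the `@@ -144,8` hunk the lookup `if url not in FakeShelves: FakeShelves[url] = FakeShelve()` followed by `self.db = FakeShelves[url]` collapses to `self.db = FakeShelves.setdefault(url, FakeShelve())`, and the registry introduced in `@@ -125,18` is a mutable module-level dict, so a PEP 8 name such as `fake_shelves` would fit better than the class-like `FakeShelves` if nothing outside this module references it. The registry also needs a comment saying it deliberately persists across `FakeLdap` instances so tests sharing a `fake://memory...` URL see one store, since that is what replaced the removed `get_instance` singleton; a test expecting per-connection isolation would otherwise be surprised. Note that `url.startswith('fake://memory')` now matches any URL with that prefix, presumably the intent (one in-memory shelve per distinct URL).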
diff --git a/keystone/common/sql/core.py b/keystone/common/sql/core.py index 67863588..fdb45c74 100644 --- a/keystone/common/sql/core.py +++ b/keystone/common/sql/core.py @@ -26,10 +26,10 @@ from sqlalchemy.orm.attributes import InstrumentedAttribute import sqlalchemy.pool from sqlalchemy import types as sql_types -from keystone.common import logging from keystone import config from keystone import exception from keystone.openstack.common import jsonutils +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) diff --git a/keystone/common/sql/legacy.py b/keystone/common/sql/legacy.py index c8adc900..d88e5a46 100644 --- a/keystone/common/sql/legacy.py +++ b/keystone/common/sql/legacy.py @@ -21,10 +21,10 @@ from sqlalchemy import exc from keystone.assignment.backends import sql as assignment_sql -from keystone.common import logging from keystone import config from keystone.contrib.ec2.backends import sql as ec2_sql from keystone.identity.backends import sql as identity_sql +from keystone.openstack.common import log as logging LOG = logging.getLogger(__name__) diff --git a/keystone/common/sql/migrate_repo/versions/032_username_length.py b/keystone/common/sql/migrate_repo/versions/032_username_length.py new file mode 100644 index 00000000..636ebd75 --- /dev/null +++ b/keystone/common/sql/migrate_repo/versions/032_username_length.py 
@@ -0,0 +1,31 @@
+import sqlalchemy as sql
+from sqlalchemy.orm import sessionmaker
+
+
+def upgrade(migrate_engine):
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+ user_table = sql.Table('user', meta, autoload=True)
+ user_table.c.name.alter(type=sql.String(255))
+
+
+def downgrade(migrate_engine):
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+ user_table = sql.Table('user', meta, autoload=True)
+ if migrate_engine.name != 'mysql':
+ # NOTE(aloga): sqlite does not enforce length on the
+ # VARCHAR types: http://www.sqlite.org/faq.html#q9
+ # postgresql and DB2 do not truncate.
+ maker = sessionmaker(bind=migrate_engine)
+ session = maker()
+ for user in session.query(user_table).all():
+ values = {'name': user.name[:64]}
+ update = (user_table.update().
+ where(user_table.c.id == user.id).
+ values(values))
+ migrate_engine.execute(update)
+
+ session.commit()
+ session.close()
+ user_table.c.name.alter(type=sql.String(64))
diff --git a/keystone/common/sql/nova.py b/keystone/common/sql/nova.py
index fd8d2481..c7abfb81 100644
--- a/keystone/common/sql/nova.py
+++ b/keystone/common/sql/nova.py
@@ -19,10 +19,10 @@ import uuid
 from keystone import assignment
-from keystone.common import logging
 from keystone import config
 from keystone.contrib.ec2.backends import sql as ec2_sql
 from keystone import identity
+from keystone.openstack.common import log as logging
 LOG = logging.getLogger(__name__)
diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index 9966ee67..27968efc 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -27,12 +27,11 @@ import passlib.hash
 from keystone.common import config
 from keystone.common import environment
-from keystone.common import logging
 from keystone import exception
+from keystone.openstack.common import log as logging
 CONF = config.CONF
-config.register_int('crypt_strength', default=40000)
 LOG = logging.getLogger(__name__)
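Review bot: `downgrade()` truncates every `user.name` to 64 characters on non-MySQL engines without checking that the shortened names stay distinct, so two users whose names agree in the first 64 characters become duplicates; if the table carries a uniqueness constraint on the name (not visible here), the migration then fails half-applied. On MySQL the loop is skipped and `alter(type=sql.String(64))` is left to truncate implicitly, which raises under strict SQL mode, so the `!= 'mysql'` branch deserves a second look or at least a comment explaining the assumption. The session is also not closed if an `execute` raises; wrap the loop in `try:` / `finally: session.close()`. A docstring on `downgrade` stating that it is lossy for names longer than 64 characters would help an operator decide whether to run it.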
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index ae199d74..646bb4c4 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -27,12 +27,12 @@ import webob.dec
 import webob.exc
 from keystone.common import config
-from keystone.common import logging
 from keystone.common import utils
 from keystone import exception
 from keystone.openstack.common import gettextutils
 from keystone.openstack.common import importutils
 from keystone.openstack.common import jsonutils
+from keystone.openstack.common import log as logging
 CONF = config.CONF
@@ -123,17 +123,6 @@ def validate_token_bind(context, token_ref):
 raise exception.Unauthorized()
-class WritableLogger(object):
- """A thin wrapper that responds to `write` and logs."""
-
- def __init__(self, logger, level=logging.DEBUG):
- self.logger = logger
- self.level = level
-
- def write(self, msg):
- self.logger.log(self.level, msg)
-
-
 class Request(webob.Request):
 def best_match_language(self):
 """Determines the best available locale from the Accept-Language
@@ -407,7 +396,7 @@ class Debug(Middleware):
 @webob.dec.wsgify(RequestClass=Request)
 def __call__(self, req):
- if LOG.isEnabledFor(logging.DEBUG):
+ if LOG.isEnabledFor(LOG.debug):
 LOG.debug('%s %s %s', ('*' * 20), 'REQUEST ENVIRON', ('*' * 20))
 for key, value in req.environ.items():
 LOG.debug('%s = %s', key, mask_password(value,
@@ -419,7 +408,7 @@ class Debug(Middleware):
 LOG.debug('')
 resp = req.get_response(self.application)
- if LOG.isEnabledFor(logging.DEBUG):
+ if LOG.isEnabledFor(LOG.debug):
 LOG.debug('%s %s %s', ('*' * 20), 'RESPONSE HEADERS', ('*' * 20))
 for (key, value) in resp.headers.iteritems():
 LOG.debug('%s = %s', key, value)
@@ -468,7 +457,7 @@ class Router(object):
 # if we're only running in debug, bump routes' internal logging up a
 # notch, as it's very spammy
 if CONF.debug:
- logging.getLogger('routes.middleware').setLevel(logging.INFO)
+ logging.getLogger('routes.middleware')
 self.map = mapper
 self._router = routes.middleware.RoutesMiddleware(self._dispatch,
|
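Review bot: The added `logging.getLogger('routes.middleware')` is an expression statement whose result is discarded, so the `if CONF.debug:` block now does nothing and the comment above it ("bump routes' internal logging up a notch") no longer describes the code; routes' debug output is back on whenever debug is enabled. Either keep the intent with the stdlib constant, `logging.getLogger('routes.middleware').setLevel(std_logging.INFO)` after adding `import logging as std_logging` to the module imports, or delete the block together with its comment. The enclosing Router method begins outside the hunk.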