| Commit message | Author | Age | Files | Lines |

This is used to avoid code duplication in keystone/identity/
backends/ldap.py. All changes are fully covered by test_*option_
name*_attribute_ignore() in test_backend_ldap.py.
bp refactor-ldap-driver
Change-Id: Ia0fc0b3d4a92416dcd65ddb49b3b0bf9a0777363

When adding a user to a project, if the default role is missing, create it.
Bug 1176270
Change-Id: Id972ccf9c132c362a0b85049d248530dc2d56d54

bp refactor-ldap-driver
Change-Id: I4b3bb2900b54f046b05d68f15fb6e35b324ca9f7

This patch syncs models with migrations for:
- Domain
- GroupDomainGrant
- GroupProjectGrant
- Role
- UserDomainGrant
- UserProjectGrant
No actual schema change is taking place, this patch just corrects errors
in the model definitions.
partially implements bp db-sync-models-with-migrations
Change-Id: Ib3f22f56a9d00c725f21036ab4bfe4df5fad6876

The assignment and identity backends don't use normal
dependency injection because of a circular reference.
Support for circular references was added, so these
backends can now use normal dependency injection.
Fixes: bug 1200769
Fixes: bug 1204605
Change-Id: I8716a65b984c26fcaaf2595463db09e1f02cb475

Bug 1204995
Change-Id: Ife92041ffc386b8f9629096ebd65020f3cc7ae26

This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role.
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
  as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97

Supports the configuration where LDAP is used for identity and
SQL is used for assignment.
blueprint split-identity
Change-Id: Ib91b5d804282b7f78fc2458ff64653bbf2cf5d9e

Currently there is a mixture of strategies in the v2 and v3 controllers
for how to get the roles assigned for the scope of the requested
authentication. This duplicates code, is hard to maintain and in at
least one case (where your only roles on a project are due to a group
membership) is not actually correct (for v2 tokens).
This change does the following:
- Standardizes on using the 'get_roles_for_user_and_project()', and its
  domain equivalent, for how roles are obtained to build a token. This
  was already the case for v3 tokens. The controllers no longer need
  to get metadata and extract the roles.
- Removes the driver level function to 'authorize_for_project' - this is
  now handled within the controller. The driver simply supports the user
  authentication.
A nice (and planned for) side effect of the above is that we now hide
the schema of how we store roles within the driver layer - i.e.
nothing outside of the driver (other than any specific-to-implementation
tests) has to know about how roles are stored in the metadata. This paves
the way for a re-implementation of the grant tables in IceHouse.
This change also fills in missing function definitions in the assignment
driver.
Implements bp authenticate-role-rationalization
Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee

Splits the assignments functions off of the identity api
and manager, and moves them into their own backend.
To prevent breaking existing code, this adds assignment delegation
functions to Identity Manager.
There is a circular dependency between ID and assignments.
This code is mostly pure refactoring, with no changes to the
unit tests. Existing behavior is maintained.
In the future, we will add unit tests for mixing an LDAP
identity provider with a SQL assignment backend.
blueprint split-identity
Change-Id: I6c180aa1ae626ace5b91e0bf1931bdaf2aa031d5