From b048286e154b541312ea476d9758f680142ed205 Mon Sep 17 00:00:00 2001
From: Yuriy Taraday
Date: Fri, 12 Aug 2011 16:58:02 +0400
Subject: Fixed service-bound roles implementation in LDAP backend.

Change-Id: If3775bf32d610750ac3bddfa83de642765982106
---
 keystone/backends/ldap/api/role.py | 54 ++++++++++++++++++++++------------
 keystone/backends/ldap/api/user.py | 7 +++++
 keystone/backends/ldap/keystone.ldif | 10 ++++++-
 keystone/backends/ldap/keystone.schema | 11 ++++++-
 4 files changed, 61 insertions(+), 21 deletions(-)

diff --git a/keystone/backends/ldap/api/role.py b/keystone/backends/ldap/api/role.py
index d3129a3b..c9e880b1 100644
--- a/keystone/backends/ldap/api/role.py
+++ b/keystone/backends/ldap/api/role.py
@@ -12,7 +12,7 @@ class RoleAPI(BaseLdapAPI, BaseTenantAPI):
     options_name = 'role_tree_dn'
     object_class = 'keystoneRole'
     model = models.Role
-    attribute_mapping = {'desc': 'description'}
+    attribute_mapping = {'desc': 'description', 'service_id': 'serviceId'}
 
     @staticmethod
     def _create_ref(role_id, tenant_id, user_id):
@@ -66,7 +66,6 @@ class RoleAPI(BaseLdapAPI, BaseTenantAPI):
             ('objectClass', 'keystoneTenantRole'),
             ('member', user_dn),
             ('keystoneRole', self._id_to_dn(role_id)),
-            ('tenant', tenant_dn),
         ]
         conn.add_s(role_dn, attrs)
         return models.UserRoleAssociation(
@@ -74,7 +73,7 @@ class RoleAPI(BaseLdapAPI, BaseTenantAPI):
             role_id=role_id, user_id=user_id, tenant_id=tenant_id)
 
     def get_by_service(self, service_id):
-        roles = self.get_all('(service_id=%s)' % \
+        roles = self.get_all('(serviceId=%s)' % \
             (ldap.filter.escape_filter_chars(service_id),))
         try:
             return roles[0]
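Review bot: The keystoneTenantRole entry written in the `@@ -66` hunk no longer carries a `tenant` attribute, so the entry's position under its tenant is now the only record of which tenant a grant belongs to, and the rewritten lookup depends on that (`str2dn(role_dn)[1]`); if the `keystoneTenantRole` object class still lists `tenant` under MUST, `conn.add_s` will be rejected with an objectClassViolation, and that definition is not among the visible hunks, so confirm it was relaxed in the same commit. A comment next to the `attrs` list such as `# tenant is implied by the parent entry; see ref_get_all_tenant_roles` would make the coupling explicit, and `tenant_dn` may now be used only to build `role_dn`, which is outside the hunk. In the `@@ -74` hunk, `get_by_service` still returns `roles[0]` when several roles carry the same `serviceId`, and the new attribute definition does not make it unique, so document or check that one role per service is expected. The enclosing methods start and end outside these hunks.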
@@ -113,24 +112,41 @@ class RoleAPI(BaseLdapAPI, BaseTenantAPI):
                                            role_id=role.id, user_id=user_id)
                 for role in roles]
 
-    def ref_get_all_tenant_roles(self, user_id, tenant_id):
+    def ref_get_all_tenant_roles(self, user_id, tenant_id=None):
         conn = self.api.get_connection()
         user_dn = self.api.user._id_to_dn(user_id)
-        tenant_dn = self.api.tenant._id_to_dn(tenant_id)
         query = '(&(objectClass=keystoneTenantRole)(member=%s))' % (user_dn,)
-        try:
-            roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
-        except ldap.NO_SUCH_OBJECT:
-            return []
-        res = []
-        for role_dn, _ in roles:
-            role_id = ldap.dn.str2dn(role_dn)[0][0][1]
-            res.append(models.UserRoleAssociation(
-                id=self._create_ref(role_id, tenant_id, user_id),
-                user_id=user_id,
-                role_id=role_id,
-                tenant_id=tenant_id))
-        return res
+        if tenant_id is not None:
+            tenant_dn = self.api.tenant._id_to_dn(tenant_id)
+            try:
+                roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
+            except ldap.NO_SUCH_OBJECT:
+                return []
+            res = []
+            for role_dn, _ in roles:
+                role_id = ldap.dn.str2dn(role_dn)[0][0][1]
+                res.append(models.UserRoleAssociation(
+                    id=self._create_ref(role_id, tenant_id, user_id),
+                    user_id=user_id,
+                    role_id=role_id,
+                    tenant_id=tenant_id))
+            return res
+        else:
+            try:
+                roles = conn.search_s(self.api.tenant.tree_dn,
+                                      ldap.SCOPE_SUBTREE, query)
+            except ldap.NO_SUCH_OBJECT:
+                return []
+            res = []
+            for role_dn, _ in roles:
+                role_id = ldap.dn.str2dn(role_dn)[0][0][1]
+                tenant_id = ldap.dn.str2dn(role_dn)[1][0][1]
+                res.append(models.UserRoleAssociation(
+                    id=self._create_ref(role_id, tenant_id, user_id),
+                    user_id=user_id,
+                    role_id=role_id,
+                    tenant_id=tenant_id))
+            return res
 
     def ref_get(self, id):
         role_id, tenant_id, user_id = self._explode_ref(id)
@@ -168,7 +184,7 @@ class RoleAPI(BaseLdapAPI, BaseTenantAPI):
                 all_roles += self.ref_get_all_tenant_roles(user_id, tenant.id)
         return self._get_page_markers(marker, limit, all_roles)
 
-    def ref_get_by_role(self, id):
+    def ref_get_by_role(self, id):
         role_dn = self._id_to_dn(id)
         try:
             roles = self.get_all('(keystoneRole=%s)' % (role_dn,))
diff --git a/keystone/backends/ldap/api/user.py b/keystone/backends/ldap/api/user.py
index c26ce144..2eab1194 100644
--- a/keystone/backends/ldap/api/user.py
+++ b/keystone/backends/ldap/api/user.py
@@ -45,6 +45,13 @@ class UserAPI(BaseLdapAPI, BaseUserAPI):
             self.api.tenant.add_user(new_tenant, id)
         super(UserAPI, self).update(id, values, old_obj)
 
+    def delete(self, id):
+        super(UserAPI, self).delete(id)
+        for ref in self.api.role.ref_get_all_global_roles(id):
+            self.api.role.ref_delete(ref.id)
+        for ref in self.api.role.ref_get_all_tenant_roles(id):
+            self.api.role.ref_delete(ref.id)
+
     def get_by_email(self, email):
         users = self.get_all('(mail=%s)' % \
             (ldap.filter.escape_filter_chars(email),))
diff --git a/keystone/backends/ldap/keystone.ldif b/keystone/backends/ldap/keystone.ldif
index b011a219..cfa50625 100644
--- a/keystone/backends/ldap/keystone.ldif
+++ b/keystone/backends/ldap/keystone.ldif
@@ -20,6 +20,14 @@ olcAttributeTypes: (
   SUP distinguishedName
   SINGLE-VALUE
   )
+olcAttributeTypes: (
+  1.3.6.1.3.1.666.667.3.4
+  NAME 'serviceId'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE
+  )
 olcObjectClasses: (
   1.3.6.1.3.1.666.667.4.1
   NAME 'keystoneUser'
@@ -34,7 +42,7 @@ olcObjectClasses: (
   SUP top
   STRUCTURAL
   MUST ( cn )
-  MAY ( member $ description)
+  MAY ( member $ description $ serviceId )
   )
 olcObjectClasses: (
   1.3.6.1.3.1.666.667.4.3
diff --git a/keystone/backends/ldap/keystone.schema b/keystone/backends/ldap/keystone.schema
index a409a700..518e0bc0 100644
--- a/keystone/backends/ldap/keystone.schema
+++ b/keystone/backends/ldap/keystone.schema
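Review bot: The new `delete` in user.py removes the user entry with `super(UserAPI, self).delete(id)` before the role-reference cleanup, so if either `ref_get_all_*` call or a `ref_delete` raises, the user entry is gone but its global and keystoneTenantRole entries remain with a `member` value naming a DN that no longer exists, and the method cannot simply be retried because the parent `delete` will then fail on the missing entry. Deleting the references first and making `super(UserAPI, self).delete(id)` the last statement keeps a partial failure recoverable, and also avoids stale grants being picked up should an entry with the same DN ever be recreated (whether ids are reused is not visible here). This reordering assumes `ref_get_all_tenant_roles(id)` only derives the user DN from the id via `_id_to_dn` rather than reading the entry, which is what the role.py hunks suggest but should be confirmed. A docstring such as `"""Delete the user and every role grant that references it."""` would document the intent.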
@@ -24,6 +24,15 @@ attributetype (
   SINGLE-VALUE
   )
 
+attributetype (
+  keystoneAttrs:4
+  NAME 'serviceId'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE
+  )
+
 objectClass (
   keystoneOCs:1
   NAME 'keystoneUser'
@@ -39,7 +48,7 @@ objectClass (
   SUP top
   STRUCTURAL
   MUST ( cn )
-  MAY ( member $ description)
+  MAY ( member $ description $ serviceId )
   )
 
 objectClass (
-- cgit