From fb66ad89a547b9b5d9cd92cd42fb0531deb9887b Mon Sep 17 00:00:00 2001 From: Yuriy Taraday Date: Mon, 14 Jan 2013 21:34:38 +0400 Subject: Remove usage of UserRoleAssociation.id in LDAP Change-Id: I44c2912e1105598c3279b24da23f83d823ef0e84 --- keystone/identity/backends/ldap/core.py | 158 +------------------------------- 1 file changed, 3 insertions(+), 155 deletions(-) diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py index db95e246..5d82941c 100644 --- a/keystone/identity/backends/ldap/core.py +++ b/keystone/identity/backends/ldap/core.py @@ -442,10 +442,10 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin): super(UserApi, self).delete(id) for ref in self.role_api.list_global_roles_for_user(id): - self.role_api.rolegrant_delete(ref.id) + self.role_api.delete_user(ref.role_id, ref.user_id, ref.project_id) for ref in self.role_api.list_project_roles_for_user(id): - self.role_api.rolegrant_delete(ref.id) + self.role_api.delete_user(ref.role_id, ref.user_id, ref.project_id) def get_by_email(self, email): query = ('(%s=%s)' % (self.attribute_mapping['mail'], @@ -642,15 +642,11 @@ class ProjectApi(common_ldap.BaseLdap, ApiShimMixin): class UserRoleAssociation(object): """Role Grant model.""" - def __init__(self, user_id=None, role_id=None, tenant_id=None, id=None, + def __init__(self, user_id=None, role_id=None, tenant_id=None, *args, **kw): self.user_id = str(user_id) self.role_id = role_id self.project_id = str(tenant_id) - if id is None: - self.id = create_role_ref(role_id, tenant_id, user_id) - else: - self.id = id class GroupRoleAssociation(object): @@ -696,23 +692,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): self.attribute_ignore = (getattr(conf.ldap, 'role_attribute_ignore') or self.DEFAULT_ATTRIBUTE_IGNORE) - @staticmethod - def _create_ref(role_id, tenant_id, user_id): - return create_role_ref(role_id, tenant_id, user_id) - - @staticmethod - def _explode_ref(rolegrant): - a = rolegrant.split('-', 2) - len_role = int(a[0]) - len_project = int(a[1]) - role_id = a[2][:len_role] - role_id = None if len(role_id) == 0 else str(role_id) - tenant_id = a[2][len_role:len_project + len_role] - tenant_id = None if len(tenant_id) == 0 else str(tenant_id) - user_id = a[2][len_project + len_role:] - user_id = None if len(user_id) == 0 else str(user_id) - return role_id, tenant_id, user_id - def _subrole_id_to_dn(self, role_id, tenant_id): if tenant_id is None: return self._id_to_dn(role_id) @@ -767,7 +746,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): raise inst return UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), role_id=role_id, user_id=user_id, tenant_id=tenant_id) @@ -828,7 +806,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): user_id = self.user_api._dn_to_id(user_dn) role_id = self._dn_to_id(role_dn) res.append(UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), user_id=user_id, role_id=role_id, tenant_id=tenant_id)) @@ -839,7 +816,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): user_dn = self.user_api._id_to_dn(user_id) roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn)) return [UserRoleAssociation( - id=self._create_ref(role.id, None, user_id), role_id=role.id, user_id=user_id) for role in roles] @@ -860,7 +836,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): for role_dn, _ in roles: role_id = self._dn_to_id(role_dn) res.append(UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), user_id=user_id, role_id=role_id, tenant_id=tenant_id)) @@ -877,63 +852,11 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): role_id = self._dn_to_id(role_dn) tenant_id = ldap.dn.str2dn(role_dn)[1][0][1] res.append(UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), user_id=user_id, role_id=role_id, tenant_id=tenant_id)) return res - def rolegrant_get(self, id): - role_id, tenant_id, user_id = self._explode_ref(id) - user_dn = self.user_api._id_to_dn(user_id) - role_dn = self._subrole_id_to_dn(role_id, tenant_id) - query = '(&(objectClass=%s)(%s=%s))' % (self.object_class, - self.member_attribute, - user_dn) - conn = self.get_connection() - try: - res = conn.search_s(role_dn, ldap.SCOPE_BASE, query) - except ldap.NO_SUCH_OBJECT: - return None - if len(res) == 0: - return None - return UserRoleAssociation(id=id, - role_id=role_id, - tenant_id=tenant_id, - user_id=user_id) - - def rolegrant_delete(self, id): - role_id, tenant_id, user_id = self._explode_ref(id) - user_dn = self.user_api._id_to_dn(user_id) - role_dn = self._subrole_id_to_dn(role_id, tenant_id) - conn = self.get_connection() - try: - conn.modify_s(role_dn, [(ldap.MOD_DELETE, - self.member_attribute, - [user_dn])]) - except ldap.NO_SUCH_ATTRIBUTE: - raise exception.Error("No such user in role") - - def rolegrant_get_page(self, marker, limit, user_id, tenant_id): - all_roles = [] - if tenant_id is None: - all_roles += self.list_global_roles_for_user(user_id) - else: - for tenant in self.project_api.get_all(): - all_roles += self.list_project_roles_for_user(user_id, - tenant['id']) - return self._get_page(marker, limit, all_roles) - - def rolegrant_get_page_markers(self, user_id, tenant_id, marker, limit): - all_roles = [] - if tenant_id is None: - all_roles = self.list_global_roles_for_user(user_id) - else: - for tenant in self.project_api.get_all(): - all_roles += self.list_project_roles_for_user(user_id, - tenant['id']) - return self._get_page_markers(marker, limit, all_roles) - def get_by_service_get_page(self, service_id, marker, limit): all_roles = self.get_by_service(service_id) return self._get_page(marker, limit, all_roles) @@ -942,37 +865,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): all_roles = self.get_by_service(service_id) return self._get_page_markers(marker, limit, all_roles) - def rolegrant_list_by_role(self, id): - role_dn = self._id_to_dn(id) - try: - roles = self.get_all('(%s=%s)' % (self.member_attribute, role_dn)) - except ldap.NO_SUCH_OBJECT: - return [] - - res = [] - for role_dn, attrs in roles: - try: - user_dns = attrs[self.member_attribute] - tenant_dns = attrs['tenant'] - except KeyError: - continue - - for user_dn in user_dns: - if self.use_dumb_member and user_dn == self.dumb_member: - continue - user_id = self.user_api._dn_to_id(user_dn) - tenant_id = None - if tenant_dns is not None: - for tenant_dn in tenant_dns: - tenant_id = self.project_api._dn_to_id(tenant_dn) - role_id = self._dn_to_id(role_dn) - res.append(UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), - user_id=user_id, - role_id=role_id, - tenant_id=tenant_id)) - return res - def roles_delete_subtree_by_project(self, tenant_id): conn = self.get_connection() query = '(objectClass=%s)' % self.object_class @@ -987,50 +879,6 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin): except ldap.NO_SUCH_OBJECT: pass - def rolegrant_get_by_ids(self, user_id, role_id, tenant_id): - conn = self.get_connection() - user_dn = self.user_api._id_to_dn(user_id) - query = '(&(objectClass=%s)(%s=%s))' % (self.object_class, - self.member_attribute, - user_dn) - - if tenant_id is not None: - tenant_dn = self.project_api._id_to_dn(tenant_id) - try: - roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query) - except ldap.NO_SUCH_OBJECT: - return None - - if len(roles) == 0: - return None - - for role_dn, _ in roles: - ldap_role_id = self._dn_to_id(role_dn) - if role_id == ldap_role_id: - res = UserRoleAssociation( - id=self._create_ref(role_id, tenant_id, user_id), - user_id=user_id, - role_id=role_id, - tenant_id=tenant_id) - return res - else: - try: - roles = self.get_all('(%s=%s)' % (self.member_attribute, - user_dn)) - except ldap.NO_SUCH_OBJECT: - return None - - if len(roles) == 0: - return None - - for role in roles: - if role.id == role_id: - return UserRoleAssociation( - id=self._create_ref(role.id, None, user_id), - role_id=role.id, - user_id=user_id) - return None - def update(self, role_id, role): if role['id'] != role_id: raise exception.ValidationError('Cannot change role ID') -- cgit