summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRyan Lane <laner@controller>2010-12-23 17:46:59 +0000
committerTarmac <>2010-12-23 17:46:59 +0000
commita0ab2ffca9a4a578115f36319bbd8640b0521cb0 (patch)
treefb064cc40988cc457b29581a4931ba22f759a5a7
parentf0c4580aa66984bae61846ac110dd679813b933e (diff)
parent5012ccb22724c2f7fb0fcdcb7b146d5d5e61337d (diff)
downloadnova-a0ab2ffca9a4a578115f36319bbd8640b0521cb0.tar.gz
nova-a0ab2ffca9a4a578115f36319bbd8640b0521cb0.tar.xz
nova-a0ab2ffca9a4a578115f36319bbd8640b0521cb0.zip
Simplifies and improves ldap schema.
Diffstat
-rw-r--r--nova/auth/fakeldap.py3
-rw-r--r--nova/auth/ldapdriver.py161
-rw-r--r--nova/auth/nova_openldap.schema46
-rw-r--r--nova/auth/nova_sun.schema13
-rwxr-xr-xnova/auth/opendj.sh1
-rwxr-xr-xnova/auth/slap.sh3
6 files changed, 105 insertions, 122 deletions
diff --git a/nova/auth/fakeldap.py b/nova/auth/fakeldap.py
index 33cd03430..4466051f0 100644
--- a/nova/auth/fakeldap.py
+++ b/nova/auth/fakeldap.py
@@ -150,6 +150,9 @@ def _match(key, value, attrs):
"""Match a given key and value against an attribute list."""
if key not in attrs:
return False
+ # This is a wild card search. Implemented as all or nothing for now.
+ if value == "*":
+ return True
if key != "objectclass":
return value in attrs[key]
# it is an objectclass check, so check subclasses
diff --git a/nova/auth/ldapdriver.py b/nova/auth/ldapdriver.py
index e289ea5a2..7616ff112 100644
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -32,11 +32,16 @@ from nova import flags
FLAGS = flags.FLAGS
+flags.DEFINE_integer('ldap_schema_version', 2,
+ 'Current version of the LDAP schema')
flags.DEFINE_string('ldap_url', 'ldap://localhost',
'Point this at your ldap server')
flags.DEFINE_string('ldap_password', 'changeme', 'LDAP password')
flags.DEFINE_string('ldap_user_dn', 'cn=Manager,dc=example,dc=com',
'DN of admin user')
+flags.DEFINE_string('ldap_user_id_attribute', 'uid', 'Attribute to use as id')
+flags.DEFINE_string('ldap_user_name_attribute', 'cn',
+ 'Attribute to use as name')
flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users')
flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com',
'OU for Users')
@@ -73,10 +78,20 @@ class LdapDriver(object):
Defines enter and exit and therefore supports the with/as syntax.
"""
+ project_pattern = '(owner=*)'
+ isadmin_attribute = 'isNovaAdmin'
+ project_attribute = 'owner'
+ project_objectclass = 'groupOfNames'
+
def __init__(self):
"""Imports the LDAP module"""
self.ldap = __import__('ldap')
self.conn = None
+ if FLAGS.ldap_schema_version == 1:
+ LdapDriver.project_pattern = '(objectclass=novaProject)'
+ LdapDriver.isadmin_attribute = 'isAdmin'
+ LdapDriver.project_attribute = 'projectManager'
+ LdapDriver.project_objectclass = 'novaProject'
def __enter__(self):
"""Creates the connection to LDAP"""
@@ -104,13 +119,13 @@ class LdapDriver(object):
"""Retrieve project by id"""
dn = 'cn=%s,%s' % (pid,
FLAGS.ldap_project_subtree)
- attr = self.__find_object(dn, '(objectclass=novaProject)')
+ attr = self.__find_object(dn, LdapDriver.project_pattern)
return self.__to_project(attr)
def get_users(self):
"""Retrieve list of users"""
attrs = self.__find_objects(FLAGS.ldap_user_subtree,
- '(objectclass=novaUser)')
+ '(objectclass=novaUser)')
users = []
for attr in attrs:
user = self.__to_user(attr)
@@ -120,7 +135,7 @@ class LdapDriver(object):
def get_projects(self, uid=None):
"""Retrieve list of projects"""
- pattern = '(objectclass=novaProject)'
+ pattern = LdapDriver.project_pattern
if uid:
pattern = "(&%s(member=%s))" % (pattern, self.__uid_to_dn(uid))
attrs = self.__find_objects(FLAGS.ldap_project_subtree,
@@ -139,23 +154,25 @@ class LdapDriver(object):
# Malformed entries are useless, replace attributes found.
attr = []
if 'secretKey' in user.keys():
- attr.append((self.ldap.MOD_REPLACE, 'secretKey', \
- [secret_key]))
+ attr.append((self.ldap.MOD_REPLACE, 'secretKey',
+ [secret_key]))
else:
- attr.append((self.ldap.MOD_ADD, 'secretKey', \
- [secret_key]))
+ attr.append((self.ldap.MOD_ADD, 'secretKey',
+ [secret_key]))
if 'accessKey' in user.keys():
- attr.append((self.ldap.MOD_REPLACE, 'accessKey', \
- [access_key]))
+ attr.append((self.ldap.MOD_REPLACE, 'accessKey',
+ [access_key]))
else:
- attr.append((self.ldap.MOD_ADD, 'accessKey', \
- [access_key]))
- if 'isAdmin' in user.keys():
- attr.append((self.ldap.MOD_REPLACE, 'isAdmin', \
- [str(is_admin).upper()]))
+ attr.append((self.ldap.MOD_ADD, 'accessKey',
+ [access_key]))
+ if LdapDriver.isadmin_attribute in user.keys():
+ attr.append((self.ldap.MOD_REPLACE,
+ LdapDriver.isadmin_attribute,
+ [str(is_admin).upper()]))
else:
- attr.append((self.ldap.MOD_ADD, 'isAdmin', \
- [str(is_admin).upper()]))
+ attr.append((self.ldap.MOD_ADD,
+ LdapDriver.isadmin_attribute,
+ [str(is_admin).upper()]))
self.conn.modify_s(self.__uid_to_dn(name), attr)
return self.get_user(name)
else:
@@ -168,12 +185,12 @@ class LdapDriver(object):
'inetOrgPerson',
'novaUser']),
('ou', [FLAGS.ldap_user_unit]),
- ('uid', [name]),
+ (FLAGS.ldap_user_id_attribute, [name]),
('sn', [name]),
- ('cn', [name]),
+ (FLAGS.ldap_user_name_attribute, [name]),
('secretKey', [secret_key]),
('accessKey', [access_key]),
- ('isAdmin', [str(is_admin).upper()]),
+ (LdapDriver.isadmin_attribute, [str(is_admin).upper()]),
]
self.conn.add_s(self.__uid_to_dn(name), attr)
return self.__to_user(dict(attr))
@@ -204,10 +221,10 @@ class LdapDriver(object):
if not manager_dn in members:
members.append(manager_dn)
attr = [
- ('objectclass', ['novaProject']),
+ ('objectclass', [LdapDriver.project_objectclass]),
('cn', [name]),
('description', [description]),
- ('projectManager', [manager_dn]),
+ (LdapDriver.project_attribute, [manager_dn]),
('member', members)]
self.conn.add_s('cn=%s,%s' % (name, FLAGS.ldap_project_subtree), attr)
return self.__to_project(dict(attr))
@@ -223,7 +240,8 @@ class LdapDriver(object):
"manager %s doesn't exist")
% manager_uid)
manager_dn = self.__uid_to_dn(manager_uid)
- attr.append((self.ldap.MOD_REPLACE, 'projectManager', manager_dn))
+ attr.append((self.ldap.MOD_REPLACE, LdapDriver.project_attribute,
+ manager_dn))
if description:
attr.append((self.ldap.MOD_REPLACE, 'description', description))
self.conn.modify_s('cn=%s,%s' % (project_id,
@@ -283,10 +301,9 @@ class LdapDriver(object):
return roles
else:
project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
- roles = self.__find_objects(project_dn,
- '(&(&(objectclass=groupOfNames)'
- '(!(objectclass=novaProject)))'
- '(member=%s))' % self.__uid_to_dn(uid))
+ query = ('(&(&(objectclass=groupOfNames)(!%s))(member=%s))' %
+ (LdapDriver.project_pattern, self.__uid_to_dn(uid)))
+ roles = self.__find_objects(project_dn, query)
return [role['cn'][0] for role in roles]
def delete_user(self, uid):
@@ -300,14 +317,15 @@ class LdapDriver(object):
# Retrieve user by name
user = self.__get_ldap_user(uid)
if 'secretKey' in user.keys():
- attr.append((self.ldap.MOD_DELETE, 'secretKey', \
- user['secretKey']))
+ attr.append((self.ldap.MOD_DELETE, 'secretKey',
+ user['secretKey']))
if 'accessKey' in user.keys():
- attr.append((self.ldap.MOD_DELETE, 'accessKey', \
- user['accessKey']))
- if 'isAdmin' in user.keys():
- attr.append((self.ldap.MOD_DELETE, 'isAdmin', \
- user['isAdmin']))
+ attr.append((self.ldap.MOD_DELETE, 'accessKey',
+ user['accessKey']))
+ if LdapDriver.isadmin_attribute in user.keys():
+ attr.append((self.ldap.MOD_DELETE,
+ LdapDriver.isadmin_attribute,
+ user[LdapDriver.isadmin_attribute]))
self.conn.modify_s(self.__uid_to_dn(uid), attr)
else:
# Delete entry
@@ -329,7 +347,8 @@ class LdapDriver(object):
if secret_key:
attr.append((self.ldap.MOD_REPLACE, 'secretKey', secret_key))
if admin is not None:
- attr.append((self.ldap.MOD_REPLACE, 'isAdmin', str(admin).upper()))
+ attr.append((self.ldap.MOD_REPLACE, LdapDriver.isadmin_attribute,
+ str(admin).upper()))
self.conn.modify_s(self.__uid_to_dn(uid), attr)
def __user_exists(self, uid):
@@ -347,7 +366,7 @@ class LdapDriver(object):
def __get_ldap_user(self, uid):
"""Retrieve LDAP user entry by id"""
attr = self.__find_object(self.__uid_to_dn(uid),
- '(objectclass=novaUser)')
+ '(objectclass=novaUser)')
return attr
def __find_object(self, dn, query=None, scope=None):
@@ -383,19 +402,21 @@ class LdapDriver(object):
def __find_role_dns(self, tree):
"""Find dns of role objects in given tree"""
- return self.__find_dns(tree,
- '(&(objectclass=groupOfNames)(!(objectclass=novaProject)))')
+ query = ('(&(objectclass=groupOfNames)(!%s))' %
+ LdapDriver.project_pattern)
+ return self.__find_dns(tree, query)
def __find_group_dns_with_member(self, tree, uid):
"""Find dns of group objects in a given tree that contain member"""
- dns = self.__find_dns(tree,
- '(&(objectclass=groupOfNames)(member=%s))' %
- self.__uid_to_dn(uid))
+ query = ('(&(objectclass=groupOfNames)(member=%s))' %
+ self.__uid_to_dn(uid))
+ dns = self.__find_dns(tree, query)
return dns
def __group_exists(self, dn):
"""Check if group exists"""
- return self.__find_object(dn, '(objectclass=groupOfNames)') is not None
+ query = '(objectclass=groupOfNames)'
+ return self.__find_object(dn, query) is not None
@staticmethod
def __role_to_dn(role, project_id=None):
@@ -417,9 +438,9 @@ class LdapDriver(object):
if member_uids is not None:
for member_uid in member_uids:
if not self.__user_exists(member_uid):
- raise exception.NotFound(_("Group can't be created "
- "because user %s doesn't exist")
- % member_uid)
+ raise exception.NotFound("Group can't be created "
+ "because user %s doesn't exist" %
+ member_uid)
members.append(self.__uid_to_dn(member_uid))
dn = self.__uid_to_dn(uid)
if not dn in members:
@@ -434,9 +455,8 @@ class LdapDriver(object):
def __is_in_group(self, uid, group_dn):
"""Check if user is in group"""
if not self.__user_exists(uid):
- raise exception.NotFound(_("User %s can't be searched in group "
- "because the user doesn't exist")
- % uid)
+ raise exception.NotFound("User %s can't be searched in group "
+ "because the user doesn't exist" % uid)
if not self.__group_exists(group_dn):
return False
res = self.__find_object(group_dn,
@@ -447,12 +467,11 @@ class LdapDriver(object):
def __add_to_group(self, uid, group_dn):
"""Add user to group"""
if not self.__user_exists(uid):
- raise exception.NotFound(_("User %s can't be added to the group "
- "because the user doesn't exist")
- % uid)
+ raise exception.NotFound("User %s can't be added to the group "
+ "because the user doesn't exist" % uid)
if not self.__group_exists(group_dn):
- raise exception.NotFound(_("The group at dn %s doesn't exist")
- % group_dn)
+ raise exception.NotFound("The group at dn %s doesn't exist" %
+ group_dn)
if self.__is_in_group(uid, group_dn):
raise exception.Duplicate(_("User %s is already a member of "
"the group %s") % (uid, group_dn))
@@ -462,18 +481,17 @@ class LdapDriver(object):
def __remove_from_group(self, uid, group_dn):
"""Remove user from group"""
if not self.__group_exists(group_dn):
- raise exception.NotFound(_("The group at dn %s doesn't exist")
- % group_dn)
+ raise exception.NotFound("The group at dn %s doesn't exist" %
+ group_dn)
if not self.__user_exists(uid):
- raise exception.NotFound(_("User %s can't be removed from the "
- "group because the user doesn't exist")
- % uid)
+ raise exception.NotFound("User %s can't be removed from the "
+ "group because the user doesn't exist" %
+ uid)
if not self.__is_in_group(uid, group_dn):
- raise exception.NotFound(_("User %s is not a member of the group")
- % uid)
+ raise exception.NotFound("User %s is not a member of the group" %
+ uid)
# NOTE(vish): remove user from group and any sub_groups
- sub_dns = self.__find_group_dns_with_member(
- group_dn, uid)
+ sub_dns = self.__find_group_dns_with_member(group_dn, uid)
for sub_dn in sub_dns:
self.__safe_remove_from_group(uid, sub_dn)
@@ -491,9 +509,8 @@ class LdapDriver(object):
def __remove_from_all(self, uid):
"""Remove user from all roles and projects"""
if not self.__user_exists(uid):
- raise exception.NotFound(_("User %s can't be removed from all "
- "because the user doesn't exist")
- % uid)
+ raise exception.NotFound("User %s can't be removed from all "
+ "because the user doesn't exist" % uid)
role_dns = self.__find_group_dns_with_member(
FLAGS.role_project_subtree, uid)
for role_dn in role_dns:
@@ -521,13 +538,13 @@ class LdapDriver(object):
if attr is None:
return None
if ('accessKey' in attr.keys() and 'secretKey' in attr.keys() \
- and 'isAdmin' in attr.keys()):
+ and LdapDriver.isadmin_attribute in attr.keys()):
return {
- 'id': attr['uid'][0],
- 'name': attr['cn'][0],
+ 'id': attr[FLAGS.ldap_user_id_attribute][0],
+ 'name': attr[FLAGS.ldap_user_name_attribute][0],
'access': attr['accessKey'][0],
'secret': attr['secretKey'][0],
- 'admin': (attr['isAdmin'][0] == 'TRUE')}
+ 'admin': (attr[LdapDriver.isadmin_attribute][0] == 'TRUE')}
else:
return None
@@ -539,7 +556,8 @@ class LdapDriver(object):
return {
'id': attr['cn'][0],
'name': attr['cn'][0],
- 'project_manager_id': self.__dn_to_uid(attr['projectManager'][0]),
+ 'project_manager_id':
+ self.__dn_to_uid(attr[LdapDriver.project_attribute][0]),
'description': attr.get('description', [None])[0],
'member_ids': [self.__dn_to_uid(x) for x in member_dns]}
@@ -549,9 +567,10 @@ class LdapDriver(object):
return dn.split(',')[0].split('=')[1]
@staticmethod
- def __uid_to_dn(dn):
+ def __uid_to_dn(uid):
"""Convert uid to dn"""
- return 'uid=%s,%s' % (dn, FLAGS.ldap_user_subtree)
+ return (FLAGS.ldap_user_id_attribute + '=%s,%s'
+ % (uid, FLAGS.ldap_user_subtree))
class FakeLdapDriver(LdapDriver):
diff --git a/nova/auth/nova_openldap.schema b/nova/auth/nova_openldap.schema
index 4047361de..539a5c42d 100644
--- a/nova/auth/nova_openldap.schema
+++ b/nova/auth/nova_openldap.schema
@@ -1,7 +1,9 @@
#
# Person object for Nova
# inetorgperson with extra attributes
-# Author: Vishvananda Ishaya <vishvananda@yahoo.com>
+# Schema version: 2
+# Authors: Vishvananda Ishaya <vishvananda@gmail.com>
+# Ryan Lane <rlane@wikimedia.org>
#
#
@@ -31,54 +33,18 @@ attributetype (
)
attributetype (
- novaAttrs:3
- NAME 'keyFingerprint'
- DESC 'Fingerprint of private key'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- )
-
-attributetype (
novaAttrs:4
- NAME 'isAdmin'
- DESC 'Is user an administrator?'
+ NAME 'isNovaAdmin'
+ DESC 'Is user an nova administrator?'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)
-attributetype (
- novaAttrs:5
- NAME 'projectManager'
- DESC 'Project Managers of a project'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- )
-
objectClass (
novaOCs:1
NAME 'novaUser'
DESC 'access and secret keys'
AUXILIARY
- MUST ( uid )
- MAY ( accessKey $ secretKey $ isAdmin )
- )
-
-objectClass (
- novaOCs:2
- NAME 'novaKeyPair'
- DESC 'Key pair for User'
- SUP top
- STRUCTURAL
- MUST ( cn $ sshPublicKey $ keyFingerprint )
- )
-
-objectClass (
- novaOCs:3
- NAME 'novaProject'
- DESC 'Container for project'
- SUP groupOfNames
- STRUCTURAL
- MUST ( cn $ projectManager )
+ MAY ( accessKey $ secretKey $ isNovaAdmin )
)
diff --git a/nova/auth/nova_sun.schema b/nova/auth/nova_sun.schema
index e925e05e4..4a6a78839 100644
--- a/nova/auth/nova_sun.schema
+++ b/nova/auth/nova_sun.schema
@@ -1,16 +1,13 @@
#
# Person object for Nova
# inetorgperson with extra attributes
-# Author: Vishvananda Ishaya <vishvananda@yahoo.com>
-# Modified for strict RFC 4512 compatibility by: Ryan Lane <ryan@ryandlane.com>
+# Schema version: 2
+# Authors: Vishvananda Ishaya <vishvananda@gmail.com>
+# Ryan Lane <rlane@wikimedia.org>
#
# using internet experimental oid arc as per BP64 3.1
dn: cn=schema
attributeTypes: ( 1.3.6.1.3.1.666.666.3.1 NAME 'accessKey' DESC 'Key for accessing data' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.3.1.666.666.3.2 NAME 'secretKey' DESC 'Secret key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-attributeTypes: ( 1.3.6.1.3.1.666.666.3.3 NAME 'keyFingerprint' DESC 'Fingerprint of private key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-attributeTypes: ( 1.3.6.1.3.1.666.666.3.4 NAME 'isAdmin' DESC 'Is user an administrator?' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributeTypes: ( 1.3.6.1.3.1.666.666.3.5 NAME 'projectManager' DESC 'Project Managers of a project' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-objectClasses: ( 1.3.6.1.3.1.666.666.4.1 NAME 'novaUser' DESC 'access and secret keys' SUP top AUXILIARY MUST ( uid ) MAY ( accessKey $ secretKey $ isAdmin ) )
-objectClasses: ( 1.3.6.1.3.1.666.666.4.2 NAME 'novaKeyPair' DESC 'Key pair for User' SUP top STRUCTURAL MUST ( cn $ sshPublicKey $ keyFingerprint ) )
-objectClasses: ( 1.3.6.1.3.1.666.666.4.3 NAME 'novaProject' DESC 'Container for project' SUP groupOfNames STRUCTURAL MUST ( cn $ projectManager ) )
+attributeTypes: ( 1.3.6.1.3.1.666.666.3.4 NAME 'isNovaAdmin' DESC 'Is user a nova administrator?' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+objectClasses: ( 1.3.6.1.3.1.666.666.4.1 NAME 'novaUser' DESC 'access and secret keys' SUP top AUXILIARY MAY ( accessKey $ secretKey $ isNovaAdmin ) )
diff --git a/nova/auth/opendj.sh b/nova/auth/opendj.sh
index 8052c077d..1a280e5a8 100755
--- a/nova/auth/opendj.sh
+++ b/nova/auth/opendj.sh
@@ -32,7 +32,6 @@ abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
schemapath='/var/opendj/instance/config/schema'
cp $abspath/openssh-lpk_sun.schema $schemapath/97-openssh-lpk_sun.ldif
cp $abspath/nova_sun.schema $schemapath/98-nova_sun.ldif
-chown opendj:opendj $schemapath/97-openssh-lpk_sun.ldif
chown opendj:opendj $schemapath/98-nova_sun.ldif
cat >/etc/ldap/ldap.conf <<LDAP_CONF_EOF
diff --git a/nova/auth/slap.sh b/nova/auth/slap.sh
index 797675d2e..95c61dafd 100755
--- a/nova/auth/slap.sh
+++ b/nova/auth/slap.sh
@@ -22,7 +22,7 @@ apt-get install -y slapd ldap-utils python-ldap
abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
cp $abspath/openssh-lpk_openldap.schema /etc/ldap/schema/openssh-lpk_openldap.schema
-cp $abspath/nova_openldap.schema /etc/ldap/schema/nova_openldap.schema
+cp $abspath/nova_openldap.schema /etc/ldap/schema/nova.schema
mv /etc/ldap/slapd.conf /etc/ldap/slapd.conf.orig
cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
@@ -33,7 +33,6 @@ cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
-include /etc/ldap/schema/openssh-lpk_openldap.schema
include /etc/ldap/schema/nova.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
generated by cgit (git 2.34.1) at 2026-02-03 13:22:59 +0000