Merge from trunk

author: Ryan Lane <laner@controller> 2010-12-08 08:21:44 +0000
committer: Ryan Lane <laner@controller> 2010-12-08 08:21:44 +0000
commit: 8d2bb4659fc06c306afa02e57e138646a1fc0f47 (patch)
tree: ac71c9d20f3dc2c55dd45b8939d504fee9e92d18 /nova/auth
parent: da010f311c07ee31d7d00ceb48d0f8656f1825ca (diff)
parent: 332549add2c74c82c1f476642d56f7866dd0db9b (diff)
download: nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.tar.gz
nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.tar.xz
nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.zip
3 files changed, 226 insertions, 35 deletions
diff --git a/nova/auth/ldapdriver.py b/nova/auth/ldapdriver.py
index e4c36c28d..871515663 100644
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -42,6 +42,8 @@ flags.DEFINE_string('ldap_user_name_attribute', 'cn', 'Attribute to use as name'
 flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users')
 flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com',
                     'OU for Users')
+flags.DEFINE_boolean('ldap_user_modify_only', False,
+                    'Modify attributes for users instead of creating/deleting')
 flags.DEFINE_string('ldap_project_subtree', 'ou=Groups,dc=example,dc=com',
                     'OU for Projects')
 flags.DEFINE_string('role_project_subtree', 'ou=Groups,dc=example,dc=com',
@@ -91,8 +93,7 @@ class LdapDriver(object):
 
     def get_user(self, uid):
         """Retrieve user by id"""
-        attr = self.__find_object(self.__uid_to_dn(uid),
-                                '(objectclass=novaUser)')
+        attr = self.__get_ldap_user(uid)
         return self.__to_user(attr)
 
     def get_user_from_access_key(self, access):
@@ -112,7 +113,12 @@ class LdapDriver(object):
         """Retrieve list of users"""
         attrs = self.__find_objects(FLAGS.ldap_user_subtree,
                                   '(objectclass=novaUser)')
-        return [self.__to_user(attr) for attr in attrs]
+        users = []
+        for attr in attrs:
+            user = self.__to_user(attr)
+            if user is not None:
+                users.append(user)
+        return users
 
     def get_projects(self, uid=None):
         """Retrieve list of projects"""
@@ -127,21 +133,52 @@ class LdapDriver(object):
         """Create a user"""
         if self.__user_exists(name):
             raise exception.Duplicate("LDAP user %s already exists" % name)
-        attr = [
-            ('objectclass', ['person',
-                             'organizationalPerson',
-                             'inetOrgPerson',
-                             'novaUser']),
-            ('ou', [FLAGS.ldap_user_unit]),
-            (FLAGS.ldap_user_id_attribute, [name]),
-            ('sn', [name]),
-            (FLAGS.ldap_user_name_attribute, [name]),
-            ('secretKey', [secret_key]),
-            ('accessKey', [access_key]),
-            ('isNovaAdmin', [str(is_admin).upper()]),
-        ]
-        self.conn.add_s(self.__uid_to_dn(name), attr)
-        return self.__to_user(dict(attr))
+        if FLAGS.ldap_user_modify_only:
+            if self.__ldap_user_exists(name):
+                # Retrieve user by name
+                user = self.__get_ldap_user(name)
+                # Entry could be malformed, test for missing attrs.
+                # Malformed entries are useless, replace attributes found.
+                attr = []
+                if 'secretKey' in user.keys():
+                    attr.append((self.ldap.MOD_REPLACE, 'secretKey', \
+                    [secret_key]))
+                else:
+                    attr.append((self.ldap.MOD_ADD, 'secretKey', \
+                    [secret_key]))
+                if 'accessKey' in user.keys():
+                    attr.append((self.ldap.MOD_REPLACE, 'accessKey', \
+                    [access_key]))
+                else:
+                    attr.append((self.ldap.MOD_ADD, 'accessKey', \
+                    [access_key]))
+                if 'isNovaAdmin' in user.keys():
+                    attr.append((self.ldap.MOD_REPLACE, 'isNovaAdmin', \
+                    [str(is_admin).upper()]))
+                else:
+                    attr.append((self.ldap.MOD_ADD, 'isNovaAdmin', \
+                    [str(is_admin).upper()]))
+                self.conn.modify_s(self.__uid_to_dn(name), attr)
+                return self.get_user(name)
+            else:
+                raise exception.NotFound("LDAP object for %s doesn't exist"
+                                         % name)
+        else:
+            attr = [
+                ('objectclass', ['person',
+                                 'organizationalPerson',
+                                 'inetOrgPerson',
+                                 'novaUser']),
+                ('ou', [FLAGS.ldap_user_unit]),
+                (FLAGS.ldap_user_id_attribute, [name]),
+                ('sn', [name]),
+                (FLAGS.ldap_user_name_attribute, [name]),
+                ('secretKey', [secret_key]),
+                ('accessKey', [access_key]),
+                ('isNovaAdmin', [str(is_admin).upper()]),
+            ]
+            self.conn.add_s(self.__uid_to_dn(name), attr)
+            return self.__to_user(dict(attr))
 
     def create_project(self, name, manager_uid,
                        description=None, member_uids=None):
@@ -157,7 +194,7 @@ class LdapDriver(object):
         if description is None:
             description = name
         members = []
-        if member_uids != None:
+        if member_uids is not None:
             for member_uid in member_uids:
                 if not self.__user_exists(member_uid):
                     raise exception.NotFound("Project can't be created "
@@ -258,7 +295,24 @@ class LdapDriver(object):
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s doesn't exist" % uid)
         self.__remove_from_all(uid)
-        self.conn.delete_s(self.__uid_to_dn(uid))
+        if FLAGS.ldap_user_modify_only:
+            # Delete attributes
+            attr = []
+            # Retrieve user by name
+            user = self.__get_ldap_user(uid)
+            if 'secretKey' in user.keys():
+                attr.append((self.ldap.MOD_DELETE, 'secretKey', \
+                user['secretKey']))
+            if 'accessKey' in user.keys():
+                attr.append((self.ldap.MOD_DELETE, 'accessKey', \
+                user['accessKey']))
+            if 'isNovaAdmin' in user.keys():
+                attr.append((self.ldap.MOD_DELETE, 'isNovaAdmin', \
+                user['isNovaAdmin']))
+            self.conn.modify_s(self.__uid_to_dn(uid), attr)
+        else:
+            # Delete entry
+            self.conn.delete_s(self.__uid_to_dn(uid))
 
     def delete_project(self, project_id):
         """Delete a project"""
@@ -267,7 +321,7 @@ class LdapDriver(object):
         self.__delete_group(project_dn)
 
     def modify_user(self, uid, access_key=None, secret_key=None, admin=None):
-        """Modify an existing project"""
+        """Modify an existing user"""
         if not access_key and not secret_key and admin is None:
             return
         attr = []
@@ -281,11 +335,21 @@ class LdapDriver(object):
 
     def __user_exists(self, uid):
         """Check if user exists"""
-        return self.get_user(uid) != None
+        return self.get_user(uid) is not None
+
+    def __ldap_user_exists(self, uid):
+        """Check if the user exists in ldap"""
+        return self.__get_ldap_user(uid) is not None
 
     def __project_exists(self, project_id):
         """Check if project exists"""
-        return self.get_project(project_id) != None
+        return self.get_project(project_id) is not None
+
+    def __get_ldap_user(self, uid):
+        """Retrieve LDAP user entry by id"""
+        attr = self.__find_object(self.__uid_to_dn(uid),
+                                '(objectclass=novaUser)')
+        return attr
 
     def __find_object(self, dn, query=None, scope=None):
         """Find an object by dn and query"""
@@ -332,12 +396,12 @@ class LdapDriver(object):
 
     def __group_exists(self, dn):
         """Check if group exists"""
-        return self.__find_object(dn, '(objectclass=groupOfNames)') != None
+        return self.__find_object(dn, '(objectclass=groupOfNames)') is not None
 
     @staticmethod
     def __role_to_dn(role, project_id=None):
         """Convert role to corresponding dn"""
-        if project_id == None:
+        if project_id is None:
             return FLAGS.__getitem__("ldap_%s" % role).value
         else:
             return 'cn=%s,cn=%s,%s' % (role,
@@ -351,7 +415,7 @@ class LdapDriver(object):
             raise exception.Duplicate("Group can't be created because "
                                       "group %s already exists" % name)
         members = []
-        if member_uids != None:
+        if member_uids is not None:
             for member_uid in member_uids:
                 if not self.__user_exists(member_uid):
                     raise exception.NotFound("Group can't be created "
@@ -377,7 +441,7 @@ class LdapDriver(object):
         res = self.__find_object(group_dn,
                                  '(member=%s)' % self.__uid_to_dn(uid),
                                  self.ldap.SCOPE_BASE)
-        return res != None
+        return res is not None
 
     def __add_to_group(self, uid, group_dn):
         """Add user to group"""
@@ -449,18 +513,22 @@ class LdapDriver(object):
     @staticmethod
     def __to_user(attr):
         """Convert ldap attributes to User object"""
-        if attr == None:
+        if attr is None:
+            return None
+        if ('accessKey' in attr.keys() and 'secretKey' in attr.keys() \
+            and 'isNovaAdmin' in attr.keys()):
+            return {
+                'id': attr[FLAGS.ldap_user_id_attribute][0],
+                'name': attr[FLAGS.ldap_user_name_attribute][0],
+                'access': attr['accessKey'][0],
+                'secret': attr['secretKey'][0],
+                'admin': (attr['isNovaAdmin'][0] == 'TRUE')}
+        else:
             return None
-        return {
-            'id': attr[FLAGS.ldap_user_id_attribute][0],
-            'name': attr[FLAGS.ldap_user_name_attribute][0],
-            'access': attr['accessKey'][0],
-            'secret': attr['secretKey'][0],
-            'admin': (attr['isNovaAdmin'][0] == 'TRUE')}
 
     def __to_project(self, attr):
         """Convert ldap attributes to Project object"""
-        if attr == None:
+        if attr is None:
             return None
         member_dns = attr.get('member', [])
         return {
diff --git a/nova/auth/manager.py b/nova/auth/manager.py
index 7b2b68161..11c3bd6df 100644
--- a/nova/auth/manager.py
+++ b/nova/auth/manager.py
@@ -624,6 +624,10 @@ class AuthManager(object):
         with self.driver() as drv:
             drv.modify_user(uid, access_key, secret_key, admin)
 
+    @staticmethod
+    def get_key_pairs(context):
+        return db.key_pair_get_all_by_user(context.elevated(), context.user_id)
+
     def get_credentials(self, user, project=None):
         """Get credential zip for user in project"""
         if not isinstance(user, User):
diff --git a/nova/auth/opendj.sh b/nova/auth/opendj.sh
new file mode 100755
index 000000000..8052c077d
--- /dev/null
+++ b/nova/auth/opendj.sh
@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+# LDAP INSTALL SCRIPT -  IS IDEMPOTENT, does not scrub users
+
+apt-get install -y ldap-utils python-ldap openjdk-6-jre
+
+if [ ! -d "/usr/opendj" ]
+then
+    # TODO(rlane): Wikimedia Foundation is the current package maintainer.
+    # After the package is included in Ubuntu's channel, change this.
+    wget http://apt.wikimedia.org/wikimedia/pool/main/o/opendj/opendj_2.4.0-7_amd64.deb
+    dpkg -i opendj_2.4.0-7_amd64.deb
+fi
+
+abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
+schemapath='/var/opendj/instance/config/schema'
+cp $abspath/openssh-lpk_sun.schema $schemapath/97-openssh-lpk_sun.ldif
+cp $abspath/nova_sun.schema $schemapath/98-nova_sun.ldif
+chown opendj:opendj $schemapath/97-openssh-lpk_sun.ldif
+chown opendj:opendj $schemapath/98-nova_sun.ldif
+
+cat >/etc/ldap/ldap.conf <<LDAP_CONF_EOF
+# LDAP Client Settings
+URI ldap://localhost
+BASE dc=example,dc=com
+BINDDN cn=Directory Manager
+SIZELIMIT  0
+TIMELIMIT  0
+LDAP_CONF_EOF
+
+cat >/etc/ldap/base.ldif <<BASE_LDIF_EOF
+# This is the root of the directory tree
+dn: dc=example,dc=com
+description: Example.Com, your trusted non-existent corporation.
+dc: example
+o: Example.Com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+# Subtree for users
+dn: ou=Users,dc=example,dc=com
+ou: Users
+description: Users
+objectClass: organizationalUnit
+
+# Subtree for groups
+dn: ou=Groups,dc=example,dc=com
+ou: Groups
+description: Groups
+objectClass: organizationalUnit
+
+# Subtree for system accounts
+dn: ou=System,dc=example,dc=com
+ou: System
+description: Special accounts used by software applications.
+objectClass: organizationalUnit
+
+# Special Account for Authentication:
+dn: uid=authenticate,ou=System,dc=example,dc=com
+uid: authenticate
+ou: System
+description: Special account for authenticating users
+userPassword: {MD5}TLnIqASP0CKUR3/LGkEZGg==
+objectClass: account
+objectClass: simpleSecurityObject
+
+# create the sysadmin entry
+
+dn: cn=developers,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: developers
+description: IT admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=sysadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: sysadmins
+description: IT admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=netadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: netadmins
+description: Network admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=cloudadmins,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: cloudadmins
+description: Cloud admin group
+member: uid=admin,ou=Users,dc=example,dc=com
+
+dn: cn=itsec,ou=Groups,dc=example,dc=com
+objectclass: groupOfNames
+cn: itsec
+description: IT security users group
+member: uid=admin,ou=Users,dc=example,dc=com
+BASE_LDIF_EOF
+
+/etc/init.d/opendj stop
+su - opendj -c '/usr/opendj/setup -i -b "dc=example,dc=com" -l /etc/ldap/base.ldif -S -w changeme -O -n --noPropertiesFile'
+/etc/init.d/opendj start
author	Ryan Lane <laner@controller>	2010-12-08 08:21:44 +0000
committer	Ryan Lane <laner@controller>	2010-12-08 08:21:44 +0000
commit	8d2bb4659fc06c306afa02e57e138646a1fc0f47 (patch)
tree	ac71c9d20f3dc2c55dd45b8939d504fee9e92d18 /nova/auth
parent	da010f311c07ee31d7d00ceb48d0f8656f1825ca (diff)
parent	332549add2c74c82c1f476642d56f7866dd0db9b (diff)
download	nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.tar.gz nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.tar.xz nova-8d2bb4659fc06c306afa02e57e138646a1fc0f47.zip