Use tenant/user ids rather than names

* Add script that migrates image owners from user/tenant names to ids * Fixes bug 950364 Change-Id: I157cb010ed0f8997bd2e1794e9c3b66eba75e36b
2012-03-19 10:41:53 -07:00 · 2012-03-19 10:41:53 -07:00 · f5603c8728
parent 265df1ebe8
commit f5603c8728
3 changed files with 103 additions and 7 deletions
--- a/glance/common/context.py
+++ b/glance/common/context.py
@ -95,16 +95,13 @@ class ContextMiddleware(wsgi.Middleware):
           tokenauth middleware would have rejected the request, so we must be
           using NoAuth. In that case, assume that is_admin=True.
        """
-        # TODO(sirp): should we be using the glance_tokeauth shim from
-        # Keystone here? If we do, we need to make sure it handles the NoAuth
-        # case
        auth_tok = req.headers.get('X-Auth-Token',
                                   req.headers.get('X-Storage-Token'))
        if auth_tok:
            if req.headers.get('X-Identity-Status') == 'Confirmed':
                # 1. Auth-token is passed, check other headers
-                user = req.headers.get('X-User-Name')
-                tenant = req.headers.get('X-Tenant-Name')
+                user = req.headers.get('X-User-Id')
+                tenant = req.headers.get('X-Tenant-Id')
                roles = [r.strip()
                         for r in req.headers.get('X-Roles', '').split(',')]
                is_admin = self.conf.admin_role in roles
--- a/glance/tests/unit/test_api.py
+++ b/glance/tests/unit/test_api.py
@ -3062,8 +3062,8 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        req = webob.Request.blank('/')
        req.headers['x-auth-token'] = 'token1'
        req.headers['x-identity-status'] = 'Confirmed'
-        req.headers['x-user-name'] = 'user1'
-        req.headers['x-tenant-name'] = 'tenant1'
+        req.headers['x-user-id'] = 'user1'
+        req.headers['x-tenant-id'] = 'tenant1'
        _roles = roles or ['role1', 'role2']
        req.headers['x-roles'] = ','.join(_roles)
        return req
--- a/tools/migrate_image_owners.py
+++ b/tools/migrate_image_owners.py
@ -0,0 +1,99 @@
+#!/usr/bin/python
+
+import logging
+import sys
+
+import keystoneclient.v2_0.client
+
+import glance.common.context
+import glance.common.cfg
+import glance.registry.context
+import glance.registry.db.api as db_api
+
+
+logger = logging.getLogger(__name__)
+logger.addHandler(logging.StreamHandler())
+logger.setLevel(logging.DEBUG)
+
+
+def get_owner_map(ksclient, owner_is_tenant=True):
+    if owner_is_tenant:
+        entities = ksclient.tenants.list()
+    else:
+        entities = ksclient.users.list()
+    # build mapping of (user or tenant) name to id
+    return dict([(entity.name, entity.id) for entity in entities])
+
+
+def build_image_owner_map(owner_map, db, context):
+    image_owner_map = {}
+    for image in db.image_get_all(context):
+        image_id = image['id']
+        owner_name = image['owner']
+
+        if not owner_name:
+            logger.info('Image %s has no owner. Skipping.' % image_id)
+            continue
+
+        try:
+            owner_id = owner_map[owner_name]
+        except KeyError:
+            msg = 'Image %s owner %s was not found. Skipping.'
+            logger.error(msg % (image_id, owner_name))
+            continue
+
+        image_owner_map[image_id] = owner_id
+
+        msg = 'Image %s owner %s -> %s' % (image_id, owner_name, owner_id)
+        logger.info(msg)
+
+    return image_owner_map
+
+
+def update_image_owners(image_owner_map, db, context):
+    for (image_id, image_owner) in image_owner_map.items():
+        db.image_update(context, image_id, {'owner': image_owner})
+        logger.info('Image %s successfully updated.' % image_id)
+
+
+if __name__ == "__main__":
+    config = glance.common.cfg.CommonConfigOpts(project='glance',
+                                                prog='glance-registry')
+    extra_cli_opts = [
+        glance.common.cfg.BoolOpt('dry-run',
+                help='Print output but do not make db changes.'),
+        glance.common.cfg.StrOpt('keystone-auth-uri',
+                help='Authentication endpoint'),
+        glance.common.cfg.StrOpt('keystone-admin-tenant-name',
+                help='Administrative user\'s tenant name'),
+        glance.common.cfg.StrOpt('keystone-admin-user',
+                help='Administrative user\'s id'),
+        glance.common.cfg.StrOpt('keystone-admin-password',
+                help='Administrative user\'s password'),
+    ]
+    config.register_cli_opts(extra_cli_opts)
+    config()
+    config.register_opts(glance.common.context.ContextMiddleware.opts)
+
+    db_api.configure_db(config)
+
+    context = glance.registry.context.RequestContext(is_admin=True)
+
+    auth_uri = config.keystone_auth_uri
+    admin_tenant_name = config.keystone_admin_tenant_name
+    admin_user = config.keystone_admin_user
+    admin_password = config.keystone_admin_password
+
+    if not (auth_uri and admin_tenant_name and admin_user and admin_password):
+        logger.critical('Missing authentication arguments')
+        sys.exit(1)
+
+    ks = keystoneclient.v2_0.client.Client(username=admin_user,
+                                           password=admin_password,
+                                           tenant_name=admin_tenant_name,
+                                           auth_url=auth_uri)
+
+    owner_map = get_owner_map(ks, config.owner_is_tenant)
+    image_updates = build_image_owner_map(owner_map, db_api, context)
+    if not config.dry_run:
+        update_image_owners(image_updates, db_api, context)