From 58fb7978152002f713d2bfcdf27d7ee69b3f2823 Mon Sep 17 00:00:00 2001 From: Dolph Mathews Date: Tue, 24 Jun 2014 10:28:01 -0500 Subject: [PATCH] deprecate LDAP config options for 'tenants' This deprecates all config options using the term 'tenant' in favor of new options using the term 'project'. Change-Id: I7eb6819de33f4d94a8bae75286bb02436152c64b Closes-Bug: 1283841 --- doc/source/configuration.rst | 58 ++++++++-------- etc/keystone.conf.sample | 34 +++++----- keystone/assignment/backends/ldap.py | 4 +- keystone/common/config.py | 66 ++++++++++++++----- .../tests/config_files/backend_liveldap.conf | 4 +- .../config_files/backend_tls_liveldap.conf | 4 +- keystone/tests/test_backend_ldap.py | 36 +++++----- keystone/tests/test_ldap_livetest.py | 2 +- 8 files changed, 120 insertions(+), 88 deletions(-) diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 879a1a9f05..4be92392c6 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -1332,8 +1332,8 @@ The corresponding entries in the Keystone configuration file are:: user_tree_dn = ou=Users,dc=openstack,dc=org user_objectclass = inetOrgPerson - tenant_tree_dn = ou=Projects,dc=openstack,dc=org - tenant_objectclass = groupOfNames + project_tree_dn = ou=Projects,dc=openstack,dc=org + project_objectclass = groupOfNames role_tree_dn = ou=Roles,dc=openstack,dc=org role_objectclass = organizationalRole @@ -1362,9 +1362,9 @@ is:: user_allow_update = False user_allow_delete = False - tenant_allow_create = True - tenant_allow_update = True - tenant_allow_delete = True + project_allow_create = True + project_allow_update = True + project_allow_delete = True role_allow_create = True role_allow_update = True @@ -1376,7 +1376,7 @@ will look like:: [ldap] user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org) - tenant_filter = + project_filter = role_filter = In case that the directory server does not have an attribute enabled of type 
@@ -1404,36 +1404,36 @@ In case of Active Directory the classes and attributes could not match the specified classes in the LDAP module so you can configure them like:: [ldap] - user_objectclass = person - user_id_attribute = cn - user_name_attribute = cn - user_mail_attribute = mail - user_enabled_attribute = userAccountControl - user_enabled_mask = 2 - user_enabled_default = 512 - user_attribute_ignore = tenant_id,tenants - tenant_objectclass = groupOfNames - tenant_id_attribute = cn - tenant_member_attribute = member - tenant_name_attribute = ou - tenant_desc_attribute = description - tenant_enabled_attribute = extensionName - tenant_attribute_ignore = - role_objectclass = organizationalRole - role_id_attribute = cn - role_name_attribute = ou - role_member_attribute = roleOccupant - role_attribute_ignore = + user_objectclass = person + user_id_attribute = cn + user_name_attribute = cn + user_mail_attribute = mail + user_enabled_attribute = userAccountControl + user_enabled_mask = 2 + user_enabled_default = 512 + user_attribute_ignore = tenant_id,tenants + project_objectclass = groupOfNames + project_id_attribute = cn + project_member_attribute = member + project_name_attribute = ou + project_desc_attribute = description + project_enabled_attribute = extensionName + project_attribute_ignore = + role_objectclass = organizationalRole + role_id_attribute = cn + role_name_attribute = ou + role_member_attribute = roleOccupant + role_attribute_ignore = Enabled Emulation ----------------- Some directory servers do not provide any enabled attribute. For these -servers, the ``user_enabled_emulation`` and ``tenant_enabled_emulation`` +servers, the ``user_enabled_emulation`` and ``project_enabled_emulation`` attributes have been created. They are enabled by setting their respective flags to True. 
Then the attributes ``user_enabled_emulation_dn`` and -``tenant_enabled_emulation_dn`` may be set to specify how the enabled users +``project_enabled_emulation_dn`` may be set to specify how the enabled users and projects (tenants) are selected. These attributes work by using a ``groupOfNames`` and adding whichever users or projects (tenants) that you want enabled to the respective group. For example, this will @@ -1444,7 +1444,7 @@ mark any user who is a member of ``enabled_users`` as enabled:: user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org The default values for user and project (tenant) enabled emulation DN is -``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$tenant_tree_dn`` +``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn`` respectively. Secure Connection diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample index b7259c3596..fe968d00e7 100644 --- a/etc/keystone.conf.sample +++ b/etc/keystone.conf.sample 
@@ -948,60 +948,60 @@ #user_additional_attribute_mapping= # Search base for projects (string value) -#tenant_tree_dn= +#project_tree_dn= # LDAP search filter for projects. (string value) -#tenant_filter= +#project_filter= # LDAP objectclass for projects. (string value) -#tenant_objectclass=groupOfNames +#project_objectclass=groupOfNames # LDAP attribute mapped to project id. (string value) -#tenant_id_attribute=cn +#project_id_attribute=cn # LDAP attribute mapped to project membership for user. # (string value) -#tenant_member_attribute=member +#project_member_attribute=member # LDAP attribute mapped to project name. (string value) -#tenant_name_attribute=ou +#project_name_attribute=ou # LDAP attribute mapped to project description. (string value) -#tenant_desc_attribute=description +#project_desc_attribute=description # LDAP attribute mapped to project enabled. (string value) -#tenant_enabled_attribute=enabled +#project_enabled_attribute=enabled # LDAP attribute mapped to project domain_id. (string value) -#tenant_domain_id_attribute=businessCategory +#project_domain_id_attribute=businessCategory # List of attributes stripped off the project on update. (list # value) -#tenant_attribute_ignore= +#project_attribute_ignore= # Allow project creation in LDAP backend. (boolean value) -#tenant_allow_create=true +#project_allow_create=true # Allow project update in LDAP backend. (boolean value) -#tenant_allow_update=true +#project_allow_update=true # Allow project deletion in LDAP backend. (boolean value) -#tenant_allow_delete=true +#project_allow_delete=true # If true, Keystone uses an alternative method to determine if # a project is enabled or not by checking if they are a member -# of the "tenant_enabled_emulation_dn" group. (boolean value) -#tenant_enabled_emulation=false +# of the "project_enabled_emulation_dn" group. (boolean value) +#project_enabled_emulation=false # DN of the group entry to hold enabled projects when using # enabled emulation. 
(string value) -#tenant_enabled_emulation_dn= +#project_enabled_emulation_dn= # Additional attribute mappings for projects. Attribute # mapping format is :, where ldap_attr # is the attribute in the LDAP entry and user_attr is the # Identity API attribute. (list value) -#tenant_additional_attribute_mapping= +#project_additional_attribute_mapping= # Search base for roles. (string value) #role_tree_dn= diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py index 0ab9c29652..744441c72e 100644 --- a/keystone/assignment/backends/ldap.py +++ b/keystone/assignment/backends/ldap.py @@ -409,7 +409,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap): DEFAULT_MEMBER_ATTRIBUTE = 'member' NotFound = exception.ProjectNotFound notfound_arg = 'project_id' # NOTE(yorik-sar): while options_name = tenant - options_name = 'tenant' + options_name = 'project' attribute_options_names = {'name': 'name', 'description': 'desc', 'enabled': 'enabled', @@ -419,7 +419,7 @@ class ProjectApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap): def __init__(self, conf): super(ProjectApi, self).__init__(conf) - self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute') + self.member_attribute = (getattr(conf.ldap, 'project_member_attribute') or self.DEFAULT_MEMBER_ATTRIBUTE) def create(self, values): diff --git a/keystone/common/config.py b/keystone/common/config.py index f46a499409..822ac2d513 100644 --- a/keystone/common/config.py +++ b/keystone/common/config.py 
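Review bot: The trailing comment `# NOTE(yorik-sar): while options_name = tenant` on the context line `notfound_arg = 'project_id'` explained a mismatch that the changed line `options_name = 'project'` removes, so the note is now stale and points readers at an option prefix that no longer exists. It should be dropped, or replaced with a short note that the `tenant_*` spellings are still honored through the `deprecated_opts` aliases declared in keystone/common/config.py rather than through this prefix, e.g. `notfound_arg = 'project_id'  # legacy 'tenant_*' [ldap] option names resolve via deprecated_opts`. The rest of the ProjectApi class body lies outside this hunk.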
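Review bot: In `__init__`, `getattr(conf.ldap, 'project_member_attribute')` with a constant attribute name is just an indirect spelling of `conf.ldap.project_member_attribute`; the plain attribute access is clearer and lets a mistyped option name fail at lint time rather than at runtime. Given that config.py declares this option with `default='member'`, the `or self.DEFAULT_MEMBER_ATTRIBUTE` fallback appears reachable only when an operator explicitly sets the option to an empty value, which may be worth a one-line comment so the next reader does not assume the oslo default is missing. The remainder of `__init__` and the `create` method continue outside the hunk.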
@@ -527,44 +527,76 @@ FILE_OPTIONS = { 'ldap_attr is the attribute in the LDAP entry and ' 'user_attr is the Identity API attribute.'), - cfg.StrOpt('tenant_tree_dn', default=None, + cfg.StrOpt('project_tree_dn', default=None, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_tree_dn', group='ldap')], help='Search base for projects'), - cfg.StrOpt('tenant_filter', default=None, + cfg.StrOpt('project_filter', default=None, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_filter', group='ldap')], help='LDAP search filter for projects.'), - cfg.StrOpt('tenant_objectclass', default='groupOfNames', + cfg.StrOpt('project_objectclass', default='groupOfNames', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_objectclass', group='ldap')], help='LDAP objectclass for projects.'), - cfg.StrOpt('tenant_id_attribute', default='cn', + cfg.StrOpt('project_id_attribute', default='cn', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_id_attribute', group='ldap')], help='LDAP attribute mapped to project id.'), - cfg.StrOpt('tenant_member_attribute', default='member', + cfg.StrOpt('project_member_attribute', default='member', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_member_attribute', group='ldap')], help='LDAP attribute mapped to project membership for ' 'user.'), - cfg.StrOpt('tenant_name_attribute', default='ou', + cfg.StrOpt('project_name_attribute', default='ou', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_name_attribute', group='ldap')], help='LDAP attribute mapped to project name.'), - cfg.StrOpt('tenant_desc_attribute', default='description', + cfg.StrOpt('project_desc_attribute', default='description', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_desc_attribute', group='ldap')], help='LDAP attribute mapped to project description.'), - cfg.StrOpt('tenant_enabled_attribute', default='enabled', + cfg.StrOpt('project_enabled_attribute', default='enabled', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_enabled_attribute', group='ldap')], help='LDAP attribute mapped to 
project enabled.'), - cfg.StrOpt('tenant_domain_id_attribute', + cfg.StrOpt('project_domain_id_attribute', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_domain_id_attribute', group='ldap')], default='businessCategory', help='LDAP attribute mapped to project domain_id.'), - cfg.ListOpt('tenant_attribute_ignore', default=[], + cfg.ListOpt('project_attribute_ignore', default=[], + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_attribute_ignore', group='ldap')], help='List of attributes stripped off the project on ' 'update.'), - cfg.BoolOpt('tenant_allow_create', default=True, + cfg.BoolOpt('project_allow_create', default=True, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_allow_create', group='ldap')], help='Allow project creation in LDAP backend.'), - cfg.BoolOpt('tenant_allow_update', default=True, + cfg.BoolOpt('project_allow_update', default=True, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_allow_update', group='ldap')], help='Allow project update in LDAP backend.'), - cfg.BoolOpt('tenant_allow_delete', default=True, + cfg.BoolOpt('project_allow_delete', default=True, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_allow_delete', group='ldap')], help='Allow project deletion in LDAP backend.'), - cfg.BoolOpt('tenant_enabled_emulation', default=False, + cfg.BoolOpt('project_enabled_emulation', default=False, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_enabled_emulation', group='ldap')], help='If true, Keystone uses an alternative method to ' 'determine if a project is enabled or not by ' 'checking if they are a member of the ' - '"tenant_enabled_emulation_dn" group.'), - cfg.StrOpt('tenant_enabled_emulation_dn', default=None, + '"project_enabled_emulation_dn" group.'), + cfg.StrOpt('project_enabled_emulation_dn', default=None, + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_enabled_emulation_dn', group='ldap')], help='DN of the group entry to hold enabled projects when ' 'using enabled emulation.'), - cfg.ListOpt('tenant_additional_attribute_mapping', + 
cfg.ListOpt('project_additional_attribute_mapping', + deprecated_opts=[cfg.DeprecatedOpt( + 'tenant_additional_attribute_mapping', group='ldap')], default=[], help='Additional attribute mappings for projects. ' 'Attribute mapping format is ' diff --git a/keystone/tests/config_files/backend_liveldap.conf b/keystone/tests/config_files/backend_liveldap.conf index 51d948caa2..59cb8577d2 100644 --- a/keystone/tests/config_files/backend_liveldap.conf +++ b/keystone/tests/config_files/backend_liveldap.conf @@ -5,9 +5,9 @@ password = test suffix = dc=openstack,dc=org group_tree_dn = ou=UserGroups,dc=openstack,dc=org role_tree_dn = ou=Roles,dc=openstack,dc=org -tenant_tree_dn = ou=Projects,dc=openstack,dc=org +project_tree_dn = ou=Projects,dc=openstack,dc=org user_tree_dn = ou=Users,dc=openstack,dc=org -tenant_enabled_emulation = True +project_enabled_emulation = True user_enabled_emulation = True user_mail_attribute = mail use_dumb_member = True diff --git a/keystone/tests/config_files/backend_tls_liveldap.conf b/keystone/tests/config_files/backend_tls_liveldap.conf index eb41d5f35a..d35b9139f1 100644 --- a/keystone/tests/config_files/backend_tls_liveldap.conf +++ b/keystone/tests/config_files/backend_tls_liveldap.conf @@ -5,9 +5,9 @@ password = test suffix = dc=openstack,dc=org group_tree_dn = ou=UserGroups,dc=openstack,dc=org role_tree_dn = ou=Roles,dc=openstack,dc=org -tenant_tree_dn = ou=Projects,dc=openstack,dc=org +project_tree_dn = ou=Projects,dc=openstack,dc=org user_tree_dn = ou=Users,dc=openstack,dc=org -tenant_enabled_emulation = True +project_enabled_emulation = True user_enabled_emulation = True user_mail_attribute = mail use_dumb_member = True diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py index aa1c9b5223..3038ddee9b 100644 --- a/keystone/tests/test_backend_ldap.py +++ b/keystone/tests/test_backend_ldap.py 
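Review bot: `project_domain_id_attribute` and `project_additional_attribute_mapping` put `deprecated_opts=[...]` before `default=...`, while the other fourteen renamed options in this hunk place `default` first and `deprecated_opts` second; keeping one keyword order across the block makes the alias list easy to audit, e.g. `cfg.StrOpt('project_domain_id_attribute', default='businessCategory', deprecated_opts=[cfg.DeprecatedOpt('tenant_domain_id_attribute', group='ldap')], ...)`. No hunk in this patch sets a legacy `tenant_*` name and checks that the alias is honored; for the options that gate what the LDAP backend may do (`project_allow_create`, `project_allow_update`, `project_allow_delete`, `project_filter`) a silently ignored legacy setting would fall back to the permissive defaults, so a test in test_backend_ldap.py that loads `tenant_allow_delete = False` (via the config fixture if it accepts deprecated names, otherwise via a config file) and asserts deletion is still forbidden would pin the backward-compatibility this commit relies on. The enclosing `FILE_OPTIONS` dict starts and ends outside this hunk.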
@@ -800,8 +800,8 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase): def test_configurable_forbidden_project_actions(self): self.config_fixture.config( - group='ldap', tenant_allow_create=False, tenant_allow_update=False, - tenant_allow_delete=False) + group='ldap', project_allow_create=False, + project_allow_update=False, project_allow_delete=False) self.load_backends() tenant = {'id': u'fäké1', 'name': u'fäké1'} @@ -860,9 +860,9 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase): self.assertDictEqual(tenant_ref, self.tenant_bar) self.config_fixture.config(group='ldap', - tenant_filter='(CN=DOES_NOT_MATCH)') + project_filter='(CN=DOES_NOT_MATCH)') self.load_backends() - # NOTE(morganfainberg): CONF.ldap.tenant_filter will not be + # NOTE(morganfainberg): CONF.ldap.project_filter will not be # dynamically changed at runtime. This invalidate is a work-around for # the expectation that it is safe to change config values in tests that # could affect what the drivers would return up to the manager. This 
@@ -908,15 +908,15 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase): def test_project_attribute_mapping(self): self.config_fixture.config( - group='ldap', tenant_name_attribute='ou', - tenant_desc_attribute='description', - tenant_enabled_attribute='enabled') + group='ldap', project_name_attribute='ou', + project_desc_attribute='description', + project_enabled_attribute='enabled') self.clear_database() self.load_backends() self.load_fixtures(default_fixtures) - # NOTE(morganfainberg): CONF.ldap.tenant_name_attribute, - # CONF.ldap.tenant_desc_attribute, and - # CONF.ldap.tenant_enabled_attribute will not be + # NOTE(morganfainberg): CONF.ldap.project_name_attribute, + # CONF.ldap.project_desc_attribute, and + # CONF.ldap.project_enabled_attribute will not be # dynamically changed at runtime. This invalidate is a work-around for # the expectation that it is safe to change config values in tests that # could affect what the drivers would return up to the manager. This @@ -933,12 +933,12 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase): self.assertEqual(self.tenant_baz['enabled'], tenant_ref['enabled']) self.config_fixture.config(group='ldap', - tenant_name_attribute='description', - tenant_desc_attribute='ou') + project_name_attribute='description', + project_desc_attribute='ou') self.load_backends() - # NOTE(morganfainberg): CONF.ldap.tenant_name_attribute, - # CONF.ldap.tenant_desc_attribute, and - # CONF.ldap.tenant_enabled_attribute will not be + # NOTE(morganfainberg): CONF.ldap.project_name_attribute, + # CONF.ldap.project_desc_attribute, and + # CONF.ldap.project_enabled_attribute will not be # dynamically changed at runtime. This invalidate is a work-around for # the expectation that it is safe to change config values in tests that # could affect what the drivers would return up to the manager. This 
@@ -955,11 +955,11 @@ class LDAPIdentity(BaseLDAPIdentity, tests.TestCase): def test_project_attribute_ignore(self): self.config_fixture.config( group='ldap', - tenant_attribute_ignore=['name', 'description', 'enabled']) + project_attribute_ignore=['name', 'description', 'enabled']) self.clear_database() self.load_backends() self.load_fixtures(default_fixtures) - # NOTE(morganfainberg): CONF.ldap.tenant_attribute_ignore will not be + # NOTE(morganfainberg): CONF.ldap.project_attribute_ignore will not be # dynamically changed at runtime. This invalidate is a work-around for # the expectation that it is safe to change configs values in tests # that could affect what the drivers would return up to the manager. @@ -1551,7 +1551,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity): super(LDAPIdentityEnabledEmulation, self).config_overrides() self.config_fixture.config(group='ldap', user_enabled_emulation=True, - tenant_enabled_emulation=True) + project_enabled_emulation=True) def test_project_crud(self): # NOTE(topol): LDAPIdentityEnabledEmulation will create an diff --git a/keystone/tests/test_ldap_livetest.py b/keystone/tests/test_ldap_livetest.py index d3368386d7..1cb0e090aa 100644 --- a/keystone/tests/test_ldap_livetest.py +++ b/keystone/tests/test_ldap_livetest.py @@ -68,7 +68,7 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity): create_object(CONF.ldap.role_tree_dn, {'objectclass': 'organizationalUnit', 'ou': 'Roles'}) - create_object(CONF.ldap.tenant_tree_dn, + create_object(CONF.ldap.project_tree_dn, {'objectclass': 'organizationalUnit', 'ou': 'Projects'}) create_object(CONF.ldap.group_tree_dn,