Pass request to normalize_domain_id

The normalize_domain_id function is adding the appropriate domain_id to users and projects that are allowed to receive this information from a domain scoped token. Pass a request to this function and use the context to determine the current scope. Change-Id: Ia880c6164c63ff08900218ab5947d648638868fa
2016-07-14 16:47:25 +10:00 · 2016-07-14 16:47:25 +10:00 · b75562c86a
parent 7d96826021
commit b75562c86a
3 changed files with 37 additions and 40 deletions
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@ -240,7 +240,7 @@ def filterprotected(*filters, **callback):
 class V2Controller(wsgi.Application):
    """Base controller class for Identity API v2."""

-    def _normalize_domain_id(self, context, ref):
+    def _normalize_domain_id(self, request, ref):
        """Fill in domain_id since v2 calls are not domain-aware.

        This will overwrite any domain_id that was inadvertently
@ -716,7 +716,7 @@ class V3Controller(wsgi.Application):
                _LW('No domain information specified as part of list request'))
            raise exception.Unauthorized()

-    def _get_domain_id_from_token(self, context):
+    def _get_domain_id_from_token(self, request):
        """Get the domain_id for a v3 create call.

        In the case of a v3 create entity call that does not specify a domain
@ -724,43 +724,40 @@ class V3Controller(wsgi.Application):
        being used.

        """
-        try:
-            token_ref = utils.get_token_ref(context)
-        except exception.Unauthorized:
-            if context.get('is_admin'):
-                raise exception.ValidationError(
-                    _('You have tried to create a resource using the admin '
-                      'token. As this token is not within a domain you must '
-                      'explicitly include a domain for this resource to '
-                      'belong to.'))
-            raise
+        # return if domain scoped
+        if request.context.domain_id:
+            return request.context.domain_id

-        if token_ref.domain_scoped:
-            return token_ref.domain_id
-        else:
-            # TODO(henry-nash): We should issue an exception here since if
-            # a v3 call does not explicitly specify the domain_id in the
-            # entity, it should be using a domain scoped token.  However,
-            # the current tempest heat tests issue a v3 call without this.
-            # This is raised as bug #1283539.  Once this is fixed, we
-            # should remove the line below and replace it with an error.
-            #
-            # Ahead of actually changing the code to raise an exception, we
-            # issue a deprecation warning.
-            versionutils.report_deprecated_feature(
-                LOG,
-                _LW('Not specifying a domain during a create user, group or '
-                    'project call, and relying on falling back to the '
-                    'default domain, is deprecated as of Liberty. There is no '
-                    'plan to remove this compatibility, however, future API '
-                    'versions may remove this, so please specify the domain '
-                    'explicitly or use a domain-scoped token.'))
-            return CONF.identity.default_domain_id
+        if request.context.is_admin:
+            raise exception.ValidationError(
+                _('You have tried to create a resource using the admin '
+                  'token. As this token is not within a domain you must '
+                  'explicitly include a domain for this resource to '
+                  'belong to.'))

-    def _normalize_domain_id(self, context, ref):
+        # TODO(henry-nash): We should issue an exception here since if
+        # a v3 call does not explicitly specify the domain_id in the
+        # entity, it should be using a domain scoped token.  However,
+        # the current tempest heat tests issue a v3 call without this.
+        # This is raised as bug #1283539.  Once this is fixed, we
+        # should remove the line below and replace it with an error.
+        #
+        # Ahead of actually changing the code to raise an exception, we
+        # issue a deprecation warning.
+        versionutils.report_deprecated_feature(
+            LOG,
+            _LW('Not specifying a domain during a create user, group or '
+                'project call, and relying on falling back to the '
+                'default domain, is deprecated as of Liberty. There is no '
+                'plan to remove this compatibility, however, future API '
+                'versions may remove this, so please specify the domain '
+                'explicitly or use a domain-scoped token.'))
+        return CONF.identity.default_domain_id
+
+    def _normalize_domain_id(self, request, ref):
        """Fill in domain_id if not specified in a v3 call."""
        if not ref.get('domain_id'):
-            ref['domain_id'] = self._get_domain_id_from_token(context)
+            ref['domain_id'] = self._get_domain_id_from_token(request)
        return ref

    @staticmethod
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@ -82,7 +82,7 @@ class User(controller.V2Controller):
        self.resource_api.ensure_default_domain_exists()

        # The manager layer will generate the unique ID for users
-        user_ref = self._normalize_domain_id(request.context_dict, user.copy())
+        user_ref = self._normalize_domain_id(request, user.copy())
        initiator = notifications._get_request_audit_info(request.context_dict)
        new_user_ref = self.v3_to_v2_user(
            self.identity_api.create_user(user_ref, initiator))
@ -220,7 +220,7 @@ class UserV3(controller.V3Controller):
        validation.lazy_validate(schema.user_create, user)
        # The manager layer will generate the unique ID for users
        ref = self._normalize_dict(user)
-        ref = self._normalize_domain_id(request.context_dict, ref)
+        ref = self._normalize_domain_id(request, ref)
        initiator = notifications._get_request_audit_info(request.context_dict)
        ref = self.identity_api.create_user(ref, initiator)
        return UserV3.wrap_member(request.context_dict, ref)
@ -313,7 +313,7 @@ class GroupV3(controller.V3Controller):
        validation.lazy_validate(schema.group_create, group)
        # The manager layer will generate the unique ID for groups
        ref = self._normalize_dict(group)
-        ref = self._normalize_domain_id(request.context_dict, ref)
+        ref = self._normalize_domain_id(request, ref)
        initiator = notifications._get_request_audit_info(request.context_dict)
        ref = self.identity_api.create_group(ref, initiator)
        return GroupV3.wrap_member(request.context_dict, ref)
--- a/keystone/resource/controllers.py
+++ b/keystone/resource/controllers.py
@ -105,7 +105,7 @@ class Tenant(controller.V2Controller):
        initiator = notifications._get_request_audit_info(request.context_dict)
        tenant = self.resource_api.create_project(
            tenant_ref['id'],
-            self._normalize_domain_id(request.context_dict, tenant_ref),
+            self._normalize_domain_id(request, tenant_ref),
            initiator)
        return {'tenant': self.v3_to_v2_project(tenant)}

@ -245,7 +245,7 @@ class ProjectV3(controller.V3Controller):
        ref = self._assign_unique_id(self._normalize_dict(project))

        if not ref.get('is_domain'):
-            ref = self._normalize_domain_id(request.context_dict, ref)
+            ref = self._normalize_domain_id(request, ref)
        # Our API requires that you specify the location in the hierarchy
        # unambiguously. This could be by parent_id or, if it is a top level
        # project, just by providing a domain_id.