File hybrid_assignment.py of Package openstack-keystone
# Copyright 2014 Hewlett-Packard Development Company, L.P.
# Copyright 2014 SUSE Linux Products GmbH
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo.config import cfg
from keystone import config
from keystone.assignment.backends import sql as sql_assign
from keystone.common import sql
from keystone import exception
from keystone.openstack.common.gettextutils import _
from keystone.identity.backends import ldap as ldap_backend
hybrid_opts = [
cfg.ListOpt('default_roles',
default=['_member_', ],
help='List of roles assigned by default to an LDAP user'),
cfg.StrOpt('default_project',
default='demo',
help='Default project'),
cfg.StrOpt('default_domain',
default='default',
help='Default domain'),
]
CONF = config.CONF
CONF.register_opts(hybrid_opts, 'ldap_hybrid')
class Assignment(sql_assign.Assignment):
_default_roles = list()
_default_project = None
def __init__(self, *args, **kwargs):
super(Assignment, self).__init__(*args, **kwargs)
self.ldap_user = ldap_backend.UserApi(CONF)
def _get_metadata(self, user_id=None, tenant_id=None,
domain_id=None, group_id=None, session=None):
# We only want to apply 'default_roles' to users from LDAP, so
# check if this is an LDAP User first
is_ldap = False
try:
self.ldap_user.get(user_id)
except exception.UserNotFound:
# Not an LDAP User
pass
else:
is_ldap = True
try:
res = super(Assignment, self)._get_metadata(
user_id, tenant_id, domain_id, group_id, session)
except exception.MetadataNotFound:
if self.default_project_id == tenant_id and is_ldap:
return {
'roles': [
{'id': role_id} for role_id in self.default_roles
]
}
else:
raise
else:
if is_ldap:
roles = res.get('roles', [])
res['roles'] = roles + [
{'id': role_id} for role_id in self.default_roles
]
return res
@property
def default_project(self):
if self._default_project is None:
self._default_project = self.get_project_by_name(
CONF.ldap_hybrid.default_project,
CONF.ldap_hybrid.default_domain)
return dict(self._default_project)
@property
def default_project_id(self):
return self.default_project['id']
@property
def default_roles(self):
if not self._default_roles:
with sql.transaction() as session:
query = session.query(sql_assign.Role)
query = query.filter(sql_assign.Role.name.in_(
CONF.ldap_hybrid.default_roles))
role_refs = query.all()
if len(role_refs) != len(CONF.ldap_hybrid.default_roles):
raise exception.RoleNotFound(
message=_('Could not find one or more roles: %s') %
', '.join(CONF.ldap_hybrid.default_roles))
self._default_roles = [role_ref.id for role_ref in role_refs]
return self._default_roles
def list_projects_for_user(self, user_id, group_ids, hints):
projects = super(Assignment, self).list_projects_for_user(
user_id, group_ids, hints)
# Make sure the default project is in the project list for the user
# user_id
for project in projects:
if project['id'] == self.default_project_id:
return projects
# We only want to apply 'default_project' to users from LDAP, so
# check if this is an LDAP User first
try:
self.ldap_user.get(user_id)
except exception.UserNotFound:
# Not an LDAP User
pass
else:
projects.append(self.default_project)
return projects