Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/268834

Change subject: Modify projects and roles using keystone calls.
......................................................................

Modify projects and roles using keystone calls.

Bug: T115029
Change-Id: I93f73c7171377ef5126ee7b716d79c905a55c2ed
---
M nova/OpenStackNovaController.php
M nova/OpenStackNovaProject.php
M nova/OpenStackNovaRole.php
3 files changed, 184 insertions(+), 234 deletions(-)


  git pull 
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OpenStackManager 
refs/changes/34/268834/1

diff --git a/nova/OpenStackNovaController.php b/nova/OpenStackNovaController.php
index dd9af57..e5820b3 100644
--- a/nova/OpenStackNovaController.php
+++ b/nova/OpenStackNovaController.php
@@ -244,7 +244,7 @@
         */
        function _getAdminToken() {
                global $wgOpenStackManagerLDAPUsername, 
$wgOpenStackManagerLDAPUserPassword;
-               global $wgOpenStackManagerProject, $wgAuth;
+               global $wgOpenStackManagerProjectId, $wgAuth;
                global $wgMemc;
 
                if ( $this->admintoken ) {
@@ -262,8 +262,8 @@
                        'auth' => array(
                                'passwordCredentials' => array(
                                        'username' => 
$wgOpenStackManagerLDAPUsername,
-                                       'password' => 
$wgOpenStackManagerLDAPUserPassword ),
-                               'tenantId' => $wgOpenStackManagerProject ) );
+                                       'password' => 
$wgOpenStackManagerLDAPUserPassword),
+                               'tenantId' => $wgOpenStackManagerProjectId ) );
                $headers = array(
                        'Accept: application/json',
                        'Content-Type: application/json',
@@ -317,6 +317,38 @@
        }
 
        /**
+        * @return id of new project or "" on failure
+        */
+       function createProject( $projectname ) {
+               $admintoken = $this->_getAdminToken();
+               $headers = array(
+                       'Accept: application/json',
+                       'Content-Type: application/json',
+                       "X-Auth-Token: $admintoken"
+               );
+               $projname = urlencode( $projectname );
+               $data = array( 'tenant' => array( 'name' => $projname, 'id' => 
$projname ) );
+               $ret = $this->restCall( 'identity', '/tenants', 'POST', $data, 
$headers );
+               if ( $ret['code'] == 200 ) {
+                       $tenant = self::_get_property( $ret['body'], 'tenant' );
+                       return self::_get_property( $tenant, 'id' );
+               }
+               return "";
+       }
+
+       function deleteProject( $projectid ) {
+               $admintoken = $this->_getAdminToken();
+               $headers = array( "X-Auth-Token: $admintoken" );
+
+               $ret = $this->restCall( 'identity', '/tenants/$projectid', 
'DELETE', array(), $headers );
+               if ( $ret['code'] !== 204 ) {
+                       return false;
+               }
+               return true;
+       }
+
+
+       /**
         * @return array of user ids
         */
        function getUsersInProject( $projectid ) {
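Review bot: `deleteProject` builds its path with single quotes, `'/tenants/$projectid'`, so PHP never interpolates the variable and every call issues a DELETE against the literal string `$projectid`; it should read `"/tenants/" . rawurlencode( $projectid )` so the id is both substituted and safe as a path segment. In `createProject`, `urlencode( $projectname )` is applied to a value that goes into a JSON body, not a URL, so a name containing a space or non-ASCII character is stored in keystone as its `+`/`%xx` form and will no longer match the LDAP `cn` that `loadProjectName` derives from it; pass the name through unencoded (the JSON encoder handles escaping). Also, `deleteProject` has no docblock while its sibling does; a one-liner such as `@return bool true when keystone answered 204` would keep the two consistent.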
@@ -360,7 +392,8 @@
                }
                foreach ( $roles as $role ) {
                        $name = self::_get_property( $role, 'name' );
-                       $rolearr[] = $name;
+                       $id = self::_get_property( $role, 'id' );
+                       $rolearr[$id] = $name;
                }
 
                $wgMemc->set( $key, $rolearr, 3600 );
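Review bot: The value stored under `$key` changes shape here, from a plain list of names to an id-keyed map, but the key itself is unchanged, so entries written by the previous version stay readable for the full 3600 s TTL and callers that now iterate `$id => $name` will see integer indices where they expect role ids. Bumping the key (for example appending a version suffix where `$key` is built, which is above this hunk) or deleting it as part of the deploy avoids an hour of misattributed roles. The function's start and `$key` construction are outside the hunk, so this is inferred from the write on the last line.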
@@ -368,12 +401,44 @@
                return $rolearr;
        }
 
-       function getRolesForProjectAndUser( $projectid, $userid ) {
+       function grantRoleForProjectAndUser( $roleid, $projectid, $username ) {
+               $admintoken = $this->_getAdminToken();
+               $headers = array(
+                       'Accept: application/json',
+                       'Content-Type: application/json',
+                       "X-Auth-Token: $admintoken"
+               );
+
+               $rolearr = array();
+               $ret = $this->restCall( 'identity', 
"/tenants/$projectid/users/$username/roles/OS-KSADM/$roleid", 'PUT', array(), 
$headers );
+               if ( $ret['code'] !== 200 && $ret['code'] !== 201 ) {
+                       return false;
+               }
+               return true;
+       }
+
+       function revokeRoleForProjectAndUser( $roleid, $projectid, $username ) {
+               $admintoken = $this->_getAdminToken();
+               $headers = array(
+                       'Accept: application/json',
+                       'Content-Type: application/json',
+                       "X-Auth-Token: $admintoken"
+               );
+
+               $rolearr = array();
+               $ret = $this->restCall( 'identity', 
"/tenants/$projectid/users/$username/roles/OS-KSADM/$roleid", 'DELETE', 
array(), $headers );
+               if ( $ret['code'] !== 204 && $ret['code'] !== 200 ) {
+                       return false;
+               }
+               return true;
+       }
+
+       function getRolesForProjectAndUser( $projectid, $username ) {
                $admintoken = $this->_getAdminToken();
                $headers = array( "X-Auth-Token: $admintoken" );
 
                $rolearr = array();
-               $ret = $this->restCall( 'identity', 
"/tenants/$projectid/users/$userid/roles", 'GET', array(), $headers );
+               $ret = $this->restCall( 'identity', 
"/tenants/$projectid/users/$username/roles", 'GET', array(), $headers );
                $roles = self::_get_property( $ret['body'], 'roles' );
                if ( !$roles ) {
                        return $rolearr;
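Review bot: `grantRoleForProjectAndUser` and `revokeRoleForProjectAndUser` interpolate `$roleid`, `$projectid` and `$username` straight into the request path, so a value containing `/`, `?` or `#` changes which resource the PUT or DELETE targets; each segment should be wrapped in `rawurlencode()` before being joined into the URL, e.g. `"/tenants/" . rawurlencode( $projectid ) . "/users/" . rawurlencode( $username ) . "/roles/OS-KSADM/" . rawurlencode( $roleid )`. Both functions also declare `$rolearr = array();` and never use it. The keystone v2 path expects a user id in that position, so passing `$username` presumably relies on keystone's user ids being the LDAP usernames in this deployment; a comment recording that assumption would help the next reader.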
diff --git a/nova/OpenStackNovaProject.php b/nova/OpenStackNovaProject.php
index 9d74723..f48675b 100644
--- a/nova/OpenStackNovaProject.php
+++ b/nova/OpenStackNovaProject.php
@@ -3,6 +3,19 @@
 /**
  * Class to manage Projects, project roles, service groups.
  *
+ *  For historical reasons this class is kind of a mess, mixing
+ *   ldap with keystone-managed resources.
+ *
+ *  Projects:  Live in keystone, have ids and names
+ *  Users: Stored in ldap, managed elsewhere
+ *  Project members:  Stored via keystone roles that manage user/project/role 
records.
+ *                    We have a role called 'user' that grants no OpenStack 
rights but is
+ *                    used to keep track of which users should have login 
access to project
+ *                    instances.
+ *  Sudoers:   Live in ldap, in a domain named after the project name (not the 
id)
+ *  Service groups:  Live entirely in ldap in domains named with the project 
name
+ *
+ *
  * @file
  * @ingroup Extensions
  */
@@ -10,13 +23,17 @@
 class OpenStackNovaProject {
        public $projectname;
        public $projectDN;
-       public $projectInfo;
        public $roles;
+       public $userrole;
        public $loaded;
        public $projectGroup;
 
-       // list of roles
-       static $roleids = array( 'projectadmin' );
+       // list of roles that are visible in the web UI
+       static $visiblerolenames = array( 'projectadmin' );
+
+       // this is a stealth role that implies project membership
+       //  but no ability to manipulate the project or instances
+       static $userrolename = 'user';
 
        // short-lived cache of project objects
        static $projectCache = array();
@@ -53,8 +70,14 @@
        }
 
        function loadProjectName() {
+               global $wgOpenStackManagerLDAPProjectBaseDN;
+
                $controller = OpenstackNovaProject::getController();
                $this->projectname = $controller->getProjectName( 
$this->projectid );
+
+               # We still keep things like sudoers in ldap, so we need a 
unique dn for this
+               #  project to keep things under.
+               $this->projectDN = 'cn=' . $this->projectname . ',' . 
$wgOpenStackManagerLDAPProjectBaseDN;
        }
 
        /**
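Review bot: `loadProjectName` builds the LDAP DN by string concatenation, `'cn=' . $this->projectname . ',' . $wgOpenStackManagerLDAPProjectBaseDN`, without escaping, so a project name containing `,`, `+`, `"` or `\` produces a malformed or misdirected DN under which sudoers and service groups would then be read and written. Escaping the RDN value, `'cn=' . ldap_escape( $this->projectname, '', LDAP_ESCAPE_DN ) . ',' . $wgOpenStackManagerLDAPProjectBaseDN`, closes that gap (ldap_escape needs PHP 5.6+; confirm the deployment baseline). If `getProjectName` returns an empty string the DN becomes `cn=,<base>`, which is still truthy, so `getProjectDN`'s lazy guard will never retry; treating an empty name as a failure here would be safer.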
@@ -74,24 +97,15 @@
                }
 
                $this->roles = array();
-               foreach ( self::$roleids as $roleid ) {
-                       $this->roles[] = OpenStackNovaRole::getProjectRoleById( 
$roleid, $this );
+               foreach ( self::$visiblerolenames as $rolename ) {
+                       $this->roles[] = 
OpenStackNovaRole::getProjectRoleByName( $rolename, $this );
                }
+               $this->userrole = OpenStackNovaRole::getProjectRoleByName( 
self::$userrolename, $this );
 
                // fetch the associated posix project group 
(project-$projectname)
                $this->fetchProjectGroup();
 
                $this->fetchServiceGroups();
-
-                // For legacy purposes, still read in the ldap data.  This can 
be removed once we
-               //  are writing via keystone as well:
-               $result = LdapAuthenticationPlugin::ldap_search( 
$wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN,
-                                                               '(&(cn=' . 
$this->projectname . ')(objectclass=groupofnames))' );
-               $this->projectInfo = 
LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result );
-               if ( $this->projectInfo['count'] === 0 ) {
-                       return;
-               }
-               $this->projectDN = $this->projectInfo[0]['dn'];
 
                $this->loaded = true;
        }
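Review bot: `$this->userrole` is assigned from `getProjectRoleByName`, which returns null when keystone has no role named `user`, yet `$this->loaded` is set to true regardless and later code dereferences `$this->userrole->deleteMember(...)` without a check. A guard after the assignment, `if ( !$this->userrole ) { return; }` (with a `printDebug` explaining that the stealth role is missing), keeps the object in the unloaded state instead of failing later with a fatal error. The function's opening lines are outside this hunk, so whether `$wgAuth` is still declared there after the LDAP search was removed should be confirmed.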
@@ -278,35 +292,6 @@
        }
 
        /**
-        * Get service user homedir setting for project.
-        *
-        * This is stored as an 'info' setting in ldap:
-        *
-        * info: homedirpattern=<pattern>
-        *
-        * @return string
-        */
-       function getServiceGroupHomedirPattern() {
-               global $wgOpenStackManagerServiceGroupHomedirPattern;
-               $pattern = $wgOpenStackManagerServiceGroupHomedirPattern;
-
-               if ( isset( $this->projectInfo[0]['info'] ) ) {
-                       $infos = $this->projectInfo[0]['info'];
-
-                       // first member is a count.
-                       array_shift( $infos );
-                       foreach ( $infos as $info ) {
-                               $substrings=explode( '=', $info );
-                               if ( ( count( $substrings ) == 2 ) and ( 
$substrings[0] == 'servicegrouphomedirpattern' ) ) {
-                                       $pattern = $substrings[1];
-                                       break;
-                               }
-                       }
-               }
-               return $pattern;
-       }
-
-       /**
         * Returns an array of all member DNs that belong to this project.
         *
         * @return array
@@ -323,11 +308,14 @@
        }
 
        function getProjectDN() {
+                if ( !$this->projectDN ) {
+                        $this->loadProjectName();
+                }
                return $this->projectDN;
        }
 
        function getSudoersDN() {
-               return 'ou=sudoers,' . $this->projectDN;
+               return 'ou=sudoers,' . $this->getProjectDN();
        }
 
        /**
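Review bot: The three new guard lines in `getProjectDN` are indented with spaces while the rest of the file uses tabs, which shows up as a mixed-indent block in any diff viewer; they should be re-indented to match `return $this->projectDN;` below them. Note that the guard also turns `getProjectDN()` into a possible keystone round-trip on first use, so callers that previously treated it as a cheap accessor now pay that cost once per unloaded object, which is fine but worth a one-line comment such as `// lazily resolves the name from keystone on first use`.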
@@ -343,55 +331,28 @@
                $key = wfMemcKey( 'openstackmanager', 'projectuidsandmembers', 
$this->projectname );
                $wgMemc->delete( $key );
 
-               if ( isset( $this->projectInfo[0]['member'] ) ) {
-                       $members = $this->projectInfo[0]['member'];
-                       array_shift( $members );
-                       $user = new OpenStackNovaUser( $username );
-                       if ( ! $user->userDN ) {
-                               $wgAuth->printDebug( "Failed to find userDN for 
username $username in OpenStackNovaProject deleteMember", NONSENSITIVE );
-                               return false;
-                       }
-                       $index = array_search( $user->userDN, $members );
-                       if ( $index === false ) {
-                               $wgAuth->printDebug( "Failed to find userDN " . 
$user->userDN . " in Project " . $this->projectname . " member list", 
NONSENSITIVE );
-                               return false;
-                       }
-                       unset( $members[$index] );
-                       $values = array();
-                       $values['member'] = array();
-                       foreach ( $members as $member ) {
-                               $values['member'][] = $member;
-                       }
+               if ( $this->userrole->deleteMember( $username ) ) {
+                       $this->projectGroup->deleteMember( $username );
 
-                       $success = LdapAuthenticationPlugin::ldap_modify( 
$wgAuth->ldapconn, $this->projectDN, $values );
-                       if ( $success ) {
-                               // If we successfully deleted the Project 
Member, then also
-                               // delete the member from the corresponding 
ProjectGroup.
-                               $this->projectGroup->deleteMember( $username );
-
-                               foreach ( $this->roles as $role ) {
-                                       $role->deleteMember( $username );
-                                       # @todo Find a way to fail gracefully 
if role member
-                                       # deletion fails
-                               }
-                               $sudoers = 
OpenStackNovaSudoer::getAllSudoersByProject( $this->getProjectName() );
-                               foreach ( $sudoers as $sudoer ) {
-                                       $success = $sudoer->deleteUser( 
$username );
-                                       if ( $success ) {
-                                               $wgAuth->printDebug( 
"Successfully removed $username from " . $sudoer->getSudoerName(), NONSENSITIVE 
);
-                                       } else {
-                                               $wgAuth->printDebug( "Failed to 
remove $username from " . $sudoer->getSudoerName(), NONSENSITIVE );
-                                       }
-                               }
-                               $this->fetchProjectInfo(true);
-                               $wgAuth->printDebug( "Successfully removed 
$user->userDN from $this->projectDN", NONSENSITIVE );
-                               $this->editArticle();
-                               return true;
-                       } else {
-                               $wgAuth->printDebug( "Failed to remove 
$user->userDN from $this->projectDN: " . ldap_error($wgAuth->ldapconn), 
NONSENSITIVE );
-                               return false;
+                       foreach ( $this->roles as $role ) {
+                               $role->deleteMember( $username );
+                               # @todo Find a way to fail gracefully if role 
member
+                               # deletion fails
                        }
+                       $sudoers = OpenStackNovaSudoer::getAllSudoersByProject( 
$this->getProjectName() );
+                       foreach ( $sudoers as $sudoer ) {
+                               $success = $sudoer->deleteUser( $username );
+                               if ( $success ) {
+                                       $wgAuth->printDebug( "Successfully 
removed $username from " . $sudoer->getSudoerName(), NONSENSITIVE );
+                               } else {
+                                       $wgAuth->printDebug( "Failed to remove 
$username from " . $sudoer->getSudoerName(), NONSENSITIVE );
+                               }
+                       }
+                       $wgAuth->printDebug( "Successfully removed 
$user->userDN from $this->projectname", NONSENSITIVE );
+                       $this->editArticle();
+                       return true;
                } else {
+                       $wgAuth->printDebug( "Failed to remove $user->userDN 
from $this->projectname: " . ldap_error($wgAuth->ldapconn), NONSENSITIVE );
                        return false;
                }
        }
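Review bot: Both debug messages at the end of `deleteMember` still interpolate `$user->userDN`, but the new body never assigns `$user` (the old `new OpenStackNovaUser( $username )` was removed), so they raise an undefined-variable notice and print an empty name; use `$username` instead, e.g. `$wgAuth->printDebug( "Successfully removed $username from $this->projectname", NONSENSITIVE );`. The failure branch also appends `ldap_error( $wgAuth->ldapconn )`, which is unrelated now that the failing call is a keystone REST request. Unlike `addMember`, this path does not lazily initialise `$this->userrole`, so it fatals on a null role if the object was not fully loaded; the function starts above this hunk.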
@@ -443,34 +404,20 @@
                $key = wfMemcKey( 'openstackmanager', 'projectuidsandmembers', 
$this->projectname );
                $wgMemc->delete( $key );
 
-               $members = array();
-               if ( isset( $this->projectInfo[0]['member'] ) ) {
-                       $members = $this->projectInfo[0]['member'];
-                       array_shift( $members );
+               if ( !$this->userrole ) {
+                       $this->userrole = 
OpenStackNovaRole::getProjectRoleByName( self::$userrolename, $this );
                }
-               $user = new OpenStackNovaUser( $username );
-               if ( ! $user->userDN ) {
-                       $wgAuth->printDebug( "Failed to find userDN in 
addMember", NONSENSITIVE );
-                       return false;
-               }
-               $members[] = $user->userDN;
-               $values = array();
-               $values['member'] = $members;
 
-               $success = LdapAuthenticationPlugin::ldap_modify( 
$wgAuth->ldapconn, $this->projectDN, $values );
-
-
-               if ( $success ) {
+               if ( $this->userrole->addMember( $username ) ) {
                        // If we successfully added the member to this Project, 
then
                        // also add the member to the corresponding 
ProjectGroup.
                        $this->projectGroup->addMember( $username );
 
-                       $this->fetchProjectInfo( true );
-                       $wgAuth->printDebug( "Successfully added $user->userDN 
to $this->projectDN", NONSENSITIVE );
+                       $wgAuth->printDebug( "Successfully added $username to 
$this->projectname", NONSENSITIVE );
                        $this->editArticle();
                        return true;
                } else {
-                       $wgAuth->printDebug( "Failed to add $user->userDN to 
$this->projectDN: " . ldap_error($wgAuth->ldapconn), NONSENSITIVE );
+                       $wgAuth->printDebug( "Failed to add $username to 
$this->projectname", NONSENSITIVE );
                        return false;
                }
        }
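Review bot: After the lazy initialisation, `$this->userrole` can still be null because `getProjectRoleByName` returns null when no `user` role exists in keystone, and the very next line calls a method on it; add `if ( !$this->userrole ) { $wgAuth->printDebug( "Failed to find role '" . self::$userrolename . "'", NONSENSITIVE ); return false; }` before the `addMember` call. The commit also drops the previous check that `$username` resolves to an LDAP DN, so membership is now granted to whatever keystone accepts; that is presumably fine if keystone's user backend is the same LDAP directory, but the assumption is worth stating in a comment.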
@@ -538,7 +485,7 @@
                        return self::$projectCache[ $projectid ];
                }
                $project = new OpenStackNovaProject( $projectid );
-               if ( $project->projectInfo ) {
+               if ( $project ) {
                        if ( count( self::$projectCache ) >= 
self::$projectCacheMaxSize ) {
                                array_shift( self::$projectCache );
                        }
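Review bot: `if ( $project )` is always true immediately after `new OpenStackNovaProject( $projectid )`, so the cache now retains an object for every id requested, including ones keystone does not know; the old `projectInfo` test was what excluded them. The condition should test something that only a successful keystone lookup sets, for instance `if ( $project->getProjectName() )` if that is populated by the constructor, or `$project->loaded` after a fetch; the constructor is not in this diff, so which field is reliable needs confirming.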
@@ -637,24 +584,14 @@
                global $wgOpenStackManagerLDAPUser;
                global $wgOpenStackManagerLDAPProjectBaseDN;
 
-               OpenStackNovaLdapConnection::connect();
+               $controller = OpenstackNovaProject::getController();
+               $newProjectId = $controller->createProject( $projectname );
 
-               $project = array();
-               $project['objectclass'][] = 'extensibleobject';
-               $project['objectclass'][] = 'groupofnames';
-               $project['cn'] = $projectname;
-               $project['member'] = $wgOpenStackManagerLDAPUser;
-               $projectdn = 'cn=' . $projectname . ',' . 
$wgOpenStackManagerLDAPProjectBaseDN;
+               if ( $newProjectId ) {
+                       OpenStackNovaLdapConnection::connect();
+                       $project = self::getProjectById( $newProjectId );
+                       $projectdn = $project->getProjectDN();
 
-               $success = LdapAuthenticationPlugin::ldap_add( 
$wgAuth->ldapconn, $projectdn, $project );
-               $project = new OpenStackNovaProject( $projectname );
-               if ( $success ) {
-                       foreach ( self::$roleids as $roleid ) {
-                               OpenStackNovaRole::createRole( $roleid, 
$project );
-                               # TODO: If role addition fails, find a way to 
fail gracefully
-                               # Though, if the project was added 
successfully, it is unlikely
-                               # that role addition will fail.
-                       }
                        $sudoerOU = array();
                        $sudoerOU['objectclass'][] = 'organizationalunit';
                        $sudoerOU['ou'] = 'sudooers';
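Review bot: `$wgOpenStackManagerLDAPUser` and `$wgOpenStackManagerLDAPProjectBaseDN` are still declared as globals at the top of this hunk but neither is used by the new code, since the DN now comes from `$project->getProjectDN()`; the two `global` lines can go. When `createProject` returns an empty id the new branch silently does nothing, so a `printDebug( "Failed to create project $projectname in keystone", NONSENSITIVE )` on the else path would make failures diagnosable. The function continues past the end of this hunk, so the eventual return value on that path is not visible here.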
@@ -750,20 +687,6 @@
                if ( ! $project ) {
                        return false;
                }
-               $dn = $project->projectDN;
-               # Projects can have roles as sub-entries, we need to delete 
them first
-               $result = LdapAuthenticationPlugin::ldap_list( 
$wgAuth->ldapconn, $dn, 'objectclass=*' );
-               $roles = LdapAuthenticationPlugin::ldap_get_entries( 
$wgAuth->ldapconn, $result );
-               array_shift( $roles );
-               foreach ( $roles as $role ) {
-                       $roledn = $role['dn'];
-                       $success = LdapAuthenticationPlugin::ldap_delete( 
$wgAuth->ldapconn, $roledn );
-                       if ( $success ){
-                               $wgAuth->printDebug( "Successfully deleted role 
$roledn", NONSENSITIVE );
-                       } else {
-                               $wgAuth->printDebug( "Failed to delete role 
$roledn", NONSENSITIVE );
-                       }
-               }
 
                OpenStackNovaProjectGroup::deleteProjectGroup( $projectname );
 
@@ -794,12 +717,15 @@
                                $wgAuth->printDebug( "Failed to delete servie 
group " . $groupName, NONSENSITIVE );
                        }
                }
-               $success = LdapAuthenticationPlugin::ldap_delete( 
$wgAuth->ldapconn, $dn );
+
+               $controller = OpenstackNovaProject::getController();
+               $succes = $controller->deleteProject( $projectid );
+
                if ( $success ) {
-                       $wgAuth->printDebug( "Successfully deleted project 
$projectname", NONSENSITIVE );
+                       $wgAuth->printDebug( "Successfully deleted project", 
NONSENSITIVE );
                        return true;
                } else {
-                       $wgAuth->printDebug( "Failed to delete project 
$projectname", NONSENSITIVE );
+                       $wgAuth->printDebug( "Failed to delete project", 
NONSENSITIVE );
                        return false;
                }
        }
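Review bot: The keystone result is assigned to `$succes` (one `s`) but the following `if ( $success )` tests a different variable, which at that point holds whatever the service-group deletion loop just above left in it, so the outcome of `deleteProject` is never actually checked; the line should be `$success = $controller->deleteProject( $projectid );`. Whether `$projectid` is defined in this function also needs confirming, as the code visible earlier in it works with `$projectname` (e.g. `deleteProjectGroup( $projectname )`) and the function's start is outside the hunk. Dropping the project name from both log messages also makes them less useful; keeping `$projectname` in them costs nothing.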
diff --git a/nova/OpenStackNovaRole.php b/nova/OpenStackNovaRole.php
index 0438cbc..6a8b036 100644
--- a/nova/OpenStackNovaRole.php
+++ b/nova/OpenStackNovaRole.php
@@ -22,13 +22,22 @@
                $this->roleid = $roleid;
                $this->project = $project;
                OpenStackNovaLdapConnection::connect();
-               $this->fetchRoleInfo();
+
+               # Get the name by searching the global role list
+               $controller = OpenstackNovaProject::getController();
+               $globalrolelist = $controller->getKeystoneRoles();
+               $this->rolename = 'unknown role';
+               foreach ( $globalrolelist as $id => $name ) {
+                       if ( $id == $this->roleid ) {
+                               $this->rolename = $name;
+                       }
+               }
        }
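Review bot: `$id == $this->roleid` is a loose comparison, and because `getKeystoneRoles` is served from memcache, lists written by the previous version of the code (integer-indexed) remain for up to an hour; on PHP 5 and 7 `0 == 'some-uuid'` is true, so every role would briefly be named after the first cached entry. Comparing as strings, `if ( (string)$id === (string)$this->roleid )`, avoids that, and a `break` after the match saves the rest of the loop. The constructor still calls `OpenStackNovaLdapConnection::connect()` even though nothing remaining in it touches LDAP; if `loadMembers` or other methods need the connection that is fine, otherwise it is a leftover.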
 
        /**
         * @return void
         */
-       function fetchRoleInfo() {
+       function loadMembers() {
                global $wgMemc;
                $controller = OpenstackNovaProject::getController();
 
@@ -48,15 +57,6 @@
                                }
                        }
                        $wgMemc->set( $key, $this->members, '3600' );
-               }
-
-               # And, get the name by searching the global role list
-               $globalrolelist = $controller->getKeystoneRoles();
-               $this->rolename = 'unknown role';
-               foreach ( $globalrolelist as $id => $name ) {
-                       if ( $id == $this->roleid ) {
-                               $this->rolename = $name;
-                       }
                }
        }
 
@@ -78,6 +78,7 @@
         * @return array
         */
        function getMembers() {
+               $this->loadMembers();
                return $this->members;
        }
 
@@ -88,36 +89,16 @@
        function deleteMember( $username ) {
                global $wgAuth;
 
-               if ( isset( $this->roleInfo[0]['roleoccupant'] ) ) {
-                       $members = $this->roleInfo[0]['roleoccupant'];
-                       array_shift( $members );
+                $controller = OpenstackNovaProject::getController();
+               if ( $controller->revokeRoleForProjectAndUser( $this->roleid,
+                                                               
$this->project->getId(),
+                                                               $username ) ) {
                        $user = new OpenStackNovaUser( $username );
-                       if ( ! $user->userDN ) {
-                               $wgAuth->printDebug( "Failed to find userDN in 
deleteMember", NONSENSITIVE );
-                               return false;
-                       }
-                       $index = array_search( $user->userDN, $members );
-                       if ( $index === false ) {
-                               $wgAuth->printDebug( "Failed to find userDN in 
member list", NONSENSITIVE );
-                               return false;
-                       }
-                       unset( $members[$index] );
-                       $values = array();
-                       $values['roleoccupant'] = array();
-                       foreach ( $members as $member ) {
-                               $values['roleoccupant'][] = $member;
-                       }
-                       $success = LdapAuthenticationPlugin::ldap_modify( 
$wgAuth->ldapconn, $this->roleDN, $values );
-                       if ( $success ) {
-                               $this->deleteMemcKeys( $user );
-                               $this->fetchRoleInfo();
-                               $wgAuth->printDebug( "Successfully removed 
$user->userDN from $this->roleDN", NONSENSITIVE );
-                               return true;
-                       } else {
-                               $wgAuth->printDebug( "Failed to remove 
$user->userDN from $this->roleDN", NONSENSITIVE );
-                               return false;
-                       }
+                       $this->deleteMemcKeys( $user );
+                       $wgAuth->printDebug( "Successfully removed $username 
from role $this->rolename", NONSENSITIVE );
+                       return true;
                } else {
+                       $wgAuth->printDebug( "Failed to remove $username from 
role $this->rolename", NONSENSITIVE );
                        return false;
                }
        }
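Review bot: The `$controller = ...` line that opens the new body is indented with spaces while the surrounding lines use tabs, and the `revokeRoleForProjectAndUser` call is wrapped with an empty continuation line between `$this->roleid,` and `$this->project->getId(),`, which reads as a stray blank in the middle of an argument list; re-indenting and putting the three arguments on one or two lines would match the rest of the file. A one-line docblock stating that a keystone failure (including the user not holding the role) returns false would also help callers, since `OpenStackNovaProject::deleteMember` skips all of its LDAP cleanup when this returns false.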
@@ -129,27 +110,16 @@
        function addMember( $username ) {
                global $wgAuth;
 
-               $members = array();
-               if ( isset( $this->roleInfo[0]['roleoccupant'] ) ) {
-                       $members = $this->roleInfo[0]['roleoccupant'];
-                       array_shift( $members );
-               }
-               $user = new OpenStackNovaUser( $username );
-               if ( ! $user->userDN ) {
-                       $wgAuth->printDebug( "Failed to find userDN in 
addMember", NONSENSITIVE );
-                       return false;
-               }
-               $members[] = $user->userDN;
-               $values = array();
-               $values['roleoccupant'] = $members;
-               $success = LdapAuthenticationPlugin::ldap_modify( 
$wgAuth->ldapconn, $this->roleDN, $values );
-               if ( $success ) {
-                       $this->fetchRoleInfo();
-                       $wgAuth->printDebug( "Successfully added $user->userDN 
to $this->roleDN", NONSENSITIVE );
+                $controller = OpenstackNovaProject::getController();
+               if ( $controller->grantRoleForProjectAndUser( $this->roleid,
+                                                               
$this->project->getId(),
+                                                               $username ) ) {
+                       $wgAuth->printDebug( "Successfully added $username to 
$this->rolename", NONSENSITIVE );
+                       $user = new OpenStackNovaUser( $username );
                        $this->deleteMemcKeys( $user );
                        return true;
                } else {
-                       $wgAuth->printDebug( "Failed to add $user->userDN to 
$this->roleDN", NONSENSITIVE );
+                       $wgAuth->printDebug( "Failed to add $username to role 
$this->rolename", NONSENSITIVE );
                        return false;
                }
        }
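Review bot: `addMember` invalidates only the per-user keys via `deleteMemcKeys`, but `loadMembers` caches the role's member list under its own key with a 3600 s TTL, so `getMembers()` presumably keeps returning the stale list for up to an hour after a grant; the same applies to `deleteMember` above. If `loadMembers` has a deterministic key, deleting it here (or adding a small `invalidateMembers()` helper called from both paths) would keep the UI consistent with keystone. The `$controller = ...` line also carries space indentation where the file uses tabs.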
@@ -162,16 +132,16 @@
                global $wgMemc;
                global $wgOpenStackManagerLDAPUseUidAsNamingAttribute;
 
-               $projectname = $this->project->getProjectName();
-               $role = $this->getRoleName();
-               $key = wfMemcKey( 'openstackmanager', 
"projectrole-$projectname-$role", $user->userDN );
+               $projectid = $this->project->getId();
+               $role = $this->getRoleId();
+               $key = wfMemcKey( 'openstackmanager', 
"projectrole-$projectid-$role", $user->userDN );
                $wgMemc->delete( $key );
                if ( $wgOpenStackManagerLDAPUseUidAsNamingAttribute ) {
                        $username = $user->getUid();
                } else {
                        $username = $user->getUsername();
                }
-               $key = wfMemcKey( 'openstackmanager', "fulltoken-$projectname", 
$username );
+               $key = wfMemcKey( 'openstackmanager', "fulltoken-$projectid", 
$username );
                $wgMemc->delete( $key );
                $key = wfMemcKey( 'openstackmanager', 'roles', 
$user->getUsername() );
                $wgMemc->delete( $key );
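Review bot: The `projectrole-…` and `fulltoken-…` keys are now built from the project id instead of the name, but the code that writes and reads those keys is not part of this diff, so unless it is updated in the same change the deletions here will silently miss and stale role/token entries survive their TTL. It would be worth adding a short comment above the first key, e.g. `// must match the key layout used where projectrole-/fulltoken- entries are written`, and verifying the writers in the same patch set. The `roles` key on the last line is still keyed by username only, which looks intentional.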
@@ -185,6 +155,8 @@
         * @return bool
         */
        function userInRole( $userLDAP ) {
+               $this->loadMembers();
+
                if ( !$userLDAP ) {
                        return false;
                }
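Review bot: `$this->loadMembers()` now runs before the `if ( !$userLDAP ) return false;` guard, so a call with a null user still pays for a memcache or keystone fetch whose result is discarded; moving the `loadMembers()` call below the guard keeps the early return cheap. The remainder of `userInRole` is outside the hunk.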
@@ -208,30 +180,17 @@
        /**
         * @static
         * @param  $rolename
-        * @param  $project OpenStackNovaProject
-        * @return bool
+        * @param  $project
+        * @return null|OpenStackNovaRole
         */
-       static function createRole( $rolename, $project ) {
-               global $wgAuth;
-               global $wgOpenStackManagerLDAPUser;
-
-               OpenStackNovaLdapConnection::connect();
-
-               $role = array();
-               $role['objectclass'][] = 'organizationalrole';
-               $role['cn'] = $rolename;
-               $role['roleoccupant'] = $wgOpenStackManagerLDAPUser;
-               $roledn = 'cn=' . $rolename . ',' . $project->projectDN;
-               $success = LdapAuthenticationPlugin::ldap_add( 
$wgAuth->ldapconn, $roledn, $role );
-               # TODO: If role addition fails, find a way to fail gracefully
-               # Though, if the project was added successfully, it is unlikely
-               # that role addition will fail.
-               if ( $success ) {
-                       $wgAuth->printDebug( "Successfully added role 
$rolename", NONSENSITIVE );
-                       return true;
-               } else {
-                       $wgAuth->printDebug( "Failed to add role $rolename", 
NONSENSITIVE );
-                       return false;
+       static function getProjectRoleByName( $rolename, $project ) {
+                $controller = OpenstackNovaProject::getController();
+               $globalrolelist = $controller->getKeystoneRoles();
+               foreach ( $globalrolelist as $id => $name ) {
+                       if ( $name == $rolename ) {
+                               return OpenStackNovaRole::getProjectRoleById( 
$id, $project );
+                       }
                }
+               return null;
        }
 }
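Review bot: The rewritten docblock drops the type from `@param $project`, which the old one had; it should read `@param OpenStackNovaProject $project` so the return type line is not the only typed entry. `$name == $rolename` is a loose comparison on two strings from different sources and should be `===`, and the `$controller = ...` line is space-indented in a tab-indented file. Since the method can return null, callers such as `fetchProjectInfo` need to handle that, which is worth a sentence in the docblock, e.g. `Returns null when keystone has no role of that name.`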


Gerrit-MessageType: newchange
Gerrit-Change-Id: I93f73c7171377ef5126ee7b716d79c905a55c2ed
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OpenStackManager
Gerrit-Branch: master
Gerrit-Owner: Andrew Bogott <[email protected]>
