Add 'default_ad_site' field to security service object

Allows to configure optional field 'default_ad_site' from version 2.76. Restrict to make sure either server or 'default_at_site' provided, but not both. APIImpact Relates-bug: #1988146 Change-Id: I8e21e9170eace134a51efed84de1ccc58eb7eaaa
2023-02-16 09:23:07 +00:00 · 2023-02-16 09:23:07 +00:00 · 858939c190
commit 858939c190
parent d94d1ae7bd
18 changed files with 156 additions and 5 deletions
--- a/api-ref/source/parameters.yaml
+++ b/api-ref/source/parameters.yaml
@ -2418,6 +2418,20 @@ scheduler_hints:
  required: false
  type: object
  min_version: 2.65
 security_service_default_ad_site:
  description: |
    The security service default AD site.
  in: body
  required: true
  type: string
  min_version: 2.76
 security_service_default_ad_site_request:
  description: |
    The security service default AD site.
  in: body
  required: false
  type: string
  min_version: 2.76
 security_service_dns_ip:
  description: |
    The DNS IP address that is used inside the project network.
--- a/api-ref/source/samples/security-service-create-response.json
+++ b/api-ref/source/samples/security-service-create-response.json
@ -8,6 +8,7 @@
        "created_at": "2015-09-07T12:19:10.695211",
        "updated_at": null,
        "server": null,
        "default_ad_site": null,
        "dns_ip": "10.0.0.0/24",
        "user": "demo",
        "password": "supersecret",
--- a/api-ref/source/samples/security-service-show-response.json
+++ b/api-ref/source/samples/security-service-show-response.json
@ -8,6 +8,7 @@
        "created_at": "2015-09-07T12:19:10.000000",
        "updated_at": null,
        "server": null,
        "default_ad_site": null,
        "dns_ip": "10.0.0.0/24",
        "user": "demo",
        "password": "supersecret",
--- a/api-ref/source/samples/security-services-list-detailed-response.json
+++ b/api-ref/source/samples/security-services-list-detailed-response.json
@ -10,6 +10,7 @@
            "description": "Creating my first Security Service",
            "updated_at": null,
            "server": null,
            "default_ad_site": null,
            "dns_ip": "10.0.0.0/24",
            "user": "demo",
            "password": "supersecret",
@ -27,6 +28,7 @@
            "description": "Creating my second Security Service",
            "updated_at": null,
            "server": null,
            "default_ad_site": null,
            "dns_ip": "10.0.0.0/24",
            "user": null,
            "password": null,
--- a/api-ref/source/samples/security-services-list-for-share-network-response.json
+++ b/api-ref/source/samples/security-services-list-for-share-network-response.json
@ -10,6 +10,7 @@
            "description": "Creating my first Security Service",
            "updated_at": null,
            "server": null,
            "default_ad_site": null,
            "dns_ip": "10.0.0.0/24",
            "user": "demo",
            "password": "supersecret",
@ -29,6 +30,7 @@
            "description": "Creating my second Security Service",
            "updated_at": null,
            "server": null,
            "default_ad_site": null,
            "dns_ip": "10.0.0.0/24",
            "user": null,
            "password": null,
--- a/api-ref/source/security-services.inc
+++ b/api-ref/source/security-services.inc
@ -32,6 +32,8 @@ You can configure a security service with these options:
 - The password for the user, if you specify a user name.
 - A default AD site, optional (available starting with API version 2.76)
 A security service resource can also be given a user defined name and
 description.
@ -125,6 +127,7 @@ Response parameters
   - domain: security_service_domain
   - ou: security_service_ou
   - server: security_service_server
   - default_ad_site: security_service_default_ad_site
   - updated_at: updated_at
   - created_at: created_at
@ -181,6 +184,7 @@ Response parameters
   - domain: security_service_domain
   - ou: security_service_ou
   - server: security_service_server
   - default_ad_site: security_service_default_ad_site
   - updated_at: updated_at
   - created_at: created_at
@ -227,6 +231,7 @@ Request
   - domain: security_service_domain_request
   - ou: security_service_ou_request
   - server: security_service_server_request
   - default_ad_site: security_service_default_ad_site_request
 Request example
 ---------------
@ -251,6 +256,7 @@ Response parameters
   - domain: security_service_domain
   - ou: security_service_ou
   - server: security_service_server
   - default_ad_site: security_service_default_ad_site
   - updated_at: updated_at
   - created_at: created_at
@ -304,6 +310,7 @@ Request
   - domain: security_service_domain_request
   - ou: security_service_ou_request
   - server: security_service_server_request
   - default_ad_site: security_service_default_ad_site_request
 Request example
 ---------------
@ -328,6 +335,7 @@ Response parameters
   - domain: security_service_domain
   - ou: security_service_ou
   - server: security_service_server
   - default_ad_site: security_service_default_ad_site
   - updated_at: updated_at
   - created_at: created_at
--- a/manila/api/openstack/api_version_request.py
+++ b/manila/api/openstack/api_version_request.py
@ -192,6 +192,7 @@ REST_API_VERSION_HISTORY = """
             'error' state.
    * 2.75 - Added option to specify quiesce wait time in share replica
             promote API.
    * 2.76 - Added 'default_ad_site' field in security service object.
 """
@ -199,7 +200,7 @@ REST_API_VERSION_HISTORY = """
 # The default api version request is defined to be the
 # minimum version of the API supported.
 _MIN_API_VERSION = "2.0"
-_MAX_API_VERSION = "2.75"
+_MAX_API_VERSION = "2.76"
 DEFAULT_API_VERSION = _MIN_API_VERSION
--- a/manila/api/openstack/rest_api_version_history.rst
+++ b/manila/api/openstack/rest_api_version_history.rst
@ -410,3 +410,11 @@ ____
 2.74
 ----
  Allow/deny share access rule even if share replicas are in 'error' state.
 2.75
 ----
  Added option to specify quiesce wait time in share replica promote API.
 2.76
 ----
  Added 'default_ad_site' field in security service object.
--- a/manila/api/v1/security_service.py
+++ b/manila/api/v1/security_service.py
@ -22,6 +22,7 @@ import webob
 from webob import exc
 from manila.api import common
 from manila.api.openstack import api_version_request as api_version
 from manila.api.openstack import wsgi
 from manila.api.views import security_service as security_service_views
 from manila.common import constants
@ -192,6 +193,21 @@ class SecurityServiceController(wsgi.Controller):
                            "fields are available for update.") % id
                    raise exc.HTTPForbidden(explanation=msg)
        server = security_service_data.get('server')
        default_ad_site = security_service_data.get('default_ad_site')
        if default_ad_site:
            if req.api_version_request < api_version.APIVersionRequest("2.76"):
                msg = _('"default_ad_site" is only supported from API '
                        'version 2.76.')
                raise webob.exc.HTTPBadRequest(explanation=msg)
            if (security_service['type'] == 'active_directory' and server and
                    default_ad_site):
                raise exception.InvalidInput(
                    reason=(_("Cannot create security service because both "
                              "server and 'default_ad_site' were provided. "
                              "Specify either server or 'default_ad_site'.")))
        policy.check_policy(context, RESOURCE_NAME, 'update', security_service)
        security_service = db.security_service_update(
            context, id, security_service_data)
@ -214,6 +230,20 @@ class SecurityServiceController(wsgi.Controller):
                          "service. Valid types are %(types)s") %
                        {'type': security_srv_type,
                         'types': ','.join(allowed_types)}))
        server = security_service_args.get('server')
        default_ad_site = security_service_args.get('default_ad_site')
        if default_ad_site:
            if req.api_version_request < api_version.APIVersionRequest("2.76"):
                msg = _('"default_ad_site" is only supported from API '
                        'version 2.76.')
                raise webob.exc.HTTPBadRequest(explanation=msg)
            if (security_srv_type == 'active_directory' and server and
                    default_ad_site):
                raise exception.InvalidInput(
                    reason=(_("Cannot create security service because both "
                              "server and 'default_ad_site' were provided, "
                              "Specify either server or 'default_ad_site'.")))
        security_service_args['project_id'] = context.project_id
        security_service = db.security_service_create(
            context, security_service_args)
--- a/manila/api/views/security_service.py
+++ b/manila/api/views/security_service.py
@ -23,6 +23,7 @@ class ViewBuilder(common.ViewBuilder):
    _collection_name = 'security_services'
    _detail_version_modifiers = [
        'add_ou_to_security_service',
        'add_default_ad_site_to_security_service',
    ]
    def summary_list(self, request, security_services):
@ -64,6 +65,10 @@ class ViewBuilder(common.ViewBuilder):
    def add_ou_to_security_service(self, context, ss_dict, ss):
        ss_dict['ou'] = ss.get('ou')
    @common.ViewBuilder.versioned_method("2.76")
    def add_default_ad_site_to_security_service(self, context, ss_dict, ss):
        ss_dict['default_ad_site'] = ss.get('default_ad_site')
    def _list_view(self, func, request, security_services):
        """Provide a view for a list of security services."""
        security_services_list = [func(request, service)['security_service']
--- a/manila/db/migrations/alembic/versions/c476aeb186ec_add_default_ad_site_to_security_service.py
+++ b/manila/db/migrations/alembic/versions/c476aeb186ec_add_default_ad_site_to_security_service.py
@ -0,0 +1,49 @@
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 """add default_ad_site to security service
 Revision ID: c476aeb186ec
 Revises: bb5938d74b73
 Create Date: 2022-11-30 10:59:34.866946
 """
 # revision identifiers, used by Alembic.
 revision = 'c476aeb186ec'
 down_revision = 'bb5938d74b73'
 from alembic import op
 from oslo_log import log
 import sqlalchemy as sa
 LOG = log.getLogger(__name__)
 ss_table_name = 'security_services'
 def upgrade():
    try:
        op.add_column(
            ss_table_name,
            sa.Column('default_ad_site', sa.String(255), nullable=True))
    except Exception:
        LOG.error("%s table column default_ad_site not added", ss_table_name)
        raise
 def downgrade():
    try:
        op.drop_column(ss_table_name, 'default_ad_site')
    except Exception:
        LOG.error("%s table column default_ad_site not dropped", ss_table_name)
        raise
--- a/manila/db/sqlalchemy/models.py
+++ b/manila/db/sqlalchemy/models.py
@ -931,6 +931,7 @@ class SecurityService(BASE, ManilaBase):
    name = Column(String(255), nullable=True)
    description = Column(String(255), nullable=True)
    ou = Column(String(255), nullable=True)
    default_ad_site = Column(String(255), nullable=True)
 class ShareNetwork(BASE, ManilaBase):
--- a/manila/share/manager.py
+++ b/manila/share/manager.py
@ -3246,6 +3246,7 @@ class ShareManager(manager.SchedulerDependentManager):
                data = {
                    'name': security_service['name'],
                    'ou': security_service['ou'],
                    'default_ad_site': security_service['default_ad_site'],
                    'domain': security_service['domain'],
                    'server': security_service['server'],
                    'dns_ip': security_service['dns_ip'],
@ -4205,6 +4206,7 @@ class ShareManager(manager.SchedulerDependentManager):
                    'user': security_service['user'],
                    'type': ss_type,
                    'password': security_service['password'],
                    'default_ad_site': security_service['default_ad_site'],
                }
                self.db.share_server_backend_details_set(
                    context, share_server['id'],
@ -5843,6 +5845,7 @@ class ShareManager(manager.SchedulerDependentManager):
        backend_details_data = {
            'name': new_security_service['name'],
            'ou': new_security_service['ou'],
            'default_ad_site': new_security_service['default_ad_site'],
            'domain': new_security_service['domain'],
            'server': new_security_service['server'],
            'dns_ip': new_security_service['dns_ip'],
--- a/manila/tests/api/v1/test_security_service.py
+++ b/manila/tests/api/v1/test_security_service.py
@ -140,6 +140,14 @@ class ShareApiTest(test.TestCase):
        self.assertRaises(exception.InvalidInput, self.controller.create, req,
                          {"security_service": sec_service})
    @ddt.data('2.76')
    def test_security_service_create_invalid_active_directory(self, version):
        sec_service = self.ss_active_directory.copy()
        sec_service['default_ad_site'] = 'fake_default_ad_site'
        req = fakes.HTTPRequest.blank('/security-services', version=version)
        self.assertRaises(exception.InvalidInput, self.controller.create, req,
                          {"security_service": sec_service})
    def test_create_security_service_no_body(self):
        body = {}
        req = fakes.HTTPRequest.blank('/security-services')
--- a/manila/tests/api/v2/test_security_services.py
+++ b/manila/tests/api/v2/test_security_services.py
@ -43,6 +43,8 @@ def stub_security_service(self, version, id):
    )
    if self.is_microversion_ge(version, '2.44'):
        ss_dict['ou'] = 'fake-ou'
    if self.is_microversion_ge(version, '2.76'):
        ss_dict['default_ad_site'] = 'fake-default_ad_site'
    return ss_dict
@ -53,6 +55,7 @@ class SecurityServicesAPITest(test.TestCase):
        ('2.0'),
        ('2.43'),
        ('2.44'),
        ('2.76'),
    )
    def test_index(self, version):
        ss = [
@ -85,3 +88,8 @@ class SecurityServicesAPITest(test.TestCase):
            self.assertIn('ou', ss_keys)
        else:
            self.assertNotIn('ou', ss_keys)
        if self.is_microversion_ge(version, '2.76'):
            self.assertIn('default_ad_site', ss_keys)
        else:
            self.assertNotIn('default_ad_site', ss_keys)
--- a/manila/tests/db/sqlalchemy/test_api.py
+++ b/manila/tests/db/sqlalchemy/test_api.py
@ -45,6 +45,7 @@ security_service_dict = {
    'dns_ip': 'fake dns',
    'server': 'fake ldap server',
    'domain': 'fake ldap domain',
    'default_ad_site': 'fake ldap default_ad_site',
    'ou': 'fake ldap ou',
    'user': 'fake user',
    'password': 'fake password',
@ -3232,6 +3233,7 @@ class SecurityServiceDatabaseAPITestCase(BaseDatabaseAPITestCase):
            'dns_ip': 'new dns',
            'server': 'new ldap server',
            'domain': 'new ldap domain',
            'default_ad_site': 'new ldap default_ad_site',
            'ou': 'new ldap ou',
            'user': 'new user',
            'password': 'new password',
--- a/manila/tests/share/test_manager.py
+++ b/manila/tests/share/test_manager.py
@ -3539,6 +3539,7 @@ class ShareManagerTestCase(test.TestCase):
                'user': 'fake_user' + ss_type,
                'type': ss_type,
                'password': 'fake_password' + ss_type,
                'default_ad_site': 'fake_default_ad_site' + ss_type,
            })
        sec_services = network_info['security_services']
        server_info = {'fake_server_info_key': 'fake_server_info_value'}
@ -6491,6 +6492,7 @@ class ShareManagerTestCase(test.TestCase):
        ss_data_from_db = {
            'name': ss_from_db['name'],
            'ou': ss_from_db['ou'],
            'default_ad_site': ss_from_db['default_ad_site'],
            'domain': ss_from_db['domain'],
            'server': ss_from_db['server'],
            'dns_ip': ss_from_db['dns_ip'],
@ -9515,8 +9517,8 @@ class ShareManagerTestCase(test.TestCase):
        fake_rules = ['fake_rules']
        network_info = {'fake': 'fake'}
        backend_details_keys = [
-            'name', 'ou', 'domain', 'server', 'dns_ip', 'user', 'type',
+            'name', 'ou', 'default_ad_site', 'domain', 'server', 'dns_ip',
-            'password']
+            'user', 'type', 'password']
        backend_details_data = {}
        [backend_details_data.update(
            {key: security_services[0][key]}) for key in backend_details_keys]
@ -9673,8 +9675,8 @@ class ShareManagerTestCase(test.TestCase):
        new_security_service_id = security_services[1]['id']
        network_info = [{'fake': 'fake'}]
        backend_details_keys = [
-            'name', 'ou', 'domain', 'server', 'dns_ip', 'user', 'type',
+            'name', 'ou', 'default_ad_site', 'domain', 'server', 'dns_ip',
-            'password']
+            'user', 'type', 'password']
        backend_details_data = {}
        [backend_details_data.update(
            {key: security_services[0][key]}) for key in backend_details_keys]
--- a/releasenotes/notes/add-defaultadsite-to-security-service-e90854c1a69be581.yaml
+++ b/releasenotes/notes/add-defaultadsite-to-security-service-e90854c1a69be581.yaml
@ -0,0 +1,6 @@
 ---
 features:
  - |
    From API version 2.76, added 'default_ad_site' field to 'security_service'
    object. This field can not be used along-with 'server' field of the
    'security_service'.