+ try:
+ #self.manager.driver.delete_user(user.id)
+ logger.info("deleted user: %s" % user)
+ except:
+ logger.log_exc("delete user failed: %s" % user)
+
+
+ def sync_user_tenant_roles(self):
+ """
+ Save all site privileges and slice memberships wheree enacted < updated or
+ enacted == None. Remove ones that don't exist in openstack db if they have
+ an enacted time (enacted != None).
+ """
+ # sync site privileges
+ pending_site_privileges = SitePrivilege.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
+ for site_priv in pending_site_privileges:
+ try:
+ self.manager.save_site_privilege(site_priv)
+ logger.info("saved site privilege: %s" % (site_priv))
+ except: logger.log_exc("save site privilege failed: %s " % site_priv)
+
+ # sync slice memberships
+ pending_slice_memberships = SliceMembership.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
+ for slice_memb in pending_slice_memberships:
+ try:
+ self.manager.save_slice_membership(slice_memb)
+ logger.info("saved slice membership: %s" % (slice_memb))
+ except: logger.log_exc("save slice membership failed: %s" % slice_memb)
+
+ # get all site privileges and slice memberships that have been enacted
+ user_tenant_roles = defaultdict(list)
+ for site_priv in SitePrivilege.objects.filter(enacted__isnull=False):
+ user_tenant_roles[(site_priv.user.kuser_id, site_priv.site.tenant_id)].append(site_priv.role.role)
+ for slice_memb in SliceMembership.objects.filter(enacted__isnull=False):
+ user_tenant_roles[(slice_memb.user.kuser_id, slice_memb.slice.tenant_id)].append(slice_memb.role.role)
+
+ # Some user tenant role aren't stored in planetstack but they must be preserved.
+ # Role that fall in this category are
+ # 1. Never remove a user's role that their home site
+ # 2. Never remove a user's role at a slice they've created.
+ # Keep track of all roles that must be preserved.
+ users = User.objects.all()
+ preserved_roles = {}
+ for user in users:
+ tenant_ids = [s['tenant_id'] for s in user.slices.values()]
+ tenant_ids.append(user.site.tenant_id)
+ preserved_roles[user.kuser_id] = tenant_ids
+
+
+ # begin removing user tenant roles from keystone. This is stored in the
+ # Metadata table.
+ for metadata in self.manager.driver.shell.keystone_db.get_metadata():
+ # skip admin roles
+ if metadata.user_id == self.manager.driver.admin_user.id:
+ continue
+ # skip preserved tenant ids
+ if metadata.user_id in preserved_roles and \
+ metadata.tenant_id in preserved_roles[metadata.user_id]:
+ continue
+ # get roles for user at this tenant
+ user_tenant_role_ids = user_tenant_roles.get((metadata.user_id, metadata.tenant_id), [])
+
+ if user_tenant_role_ids:
+ # The user has roles at the tenant. Check if roles need to
+ # be updated.
+ user_keystone_role_ids = metadata.data.get('roles', [])
+ for role_id in user_keystone_role_ids:
+ if role_id not in user_tenant_role_ids:
+ user_keystone_role_ids.pop(user_keystone_role_ids.index(role_id))
+ else:
+ # The user has no roles at this tenant.
+ metadata.data['roles'] = []
+ #session.add(metadata)
+ logger.info("pruning metadata for %s at %s" % (metadata.user_id, metadata.tenant_id))
+