Merge lp:~gundlach/nova/controllers-in-api into lp:~hudson-openstack/nova/trunk

Some style nits and questions:

1. Please kill extra newlines at:

nova/api/ec2/__init__.py lines:

95, 102, 144

nova/api/ec2/apirequest.py

493, 525

nova/api/tests/api_unittest.py

1773

nova/api/ec2/cloud.py

948, 989

2. Line up the arguments inside the parens in all the added methods in nova/image/service.py. Additionally it doesn't look like the "qs" function exists that file in the branch I am looking at, are there tests written for these methods?.

e.g.

query_args = qs({'image_id': image_id})
response = self._conn().make_request(method='GET',
                                     bucket='_images',
                                     query_args=query_args)

3. Same as #2 but for nova/api/ec2/images.py, however it _does_ have a qs function defined, which seems like it should be replaced by urllib.urlencode anyway.

4. Extra newline at nova/api/ec2/context.py line 1020

Crap, the lines mentioned next to this have nothing to do with the files, please refer to them as per the diff displayed by launchpad and hope it doesn't change, I suppose. -sigh-

5. In nova/api/ec2/cloud.py please make the formatting in create_volume match that of the other calls in that file, namely moving the {"method"... section to the next line and double indenting it.

6. Also in nova/api/ec2/cloud.py please line up the indentation in create_key_pair's return statement.

7. Please include your name in the TODO added in APIRequest's send method.

e.g. TODO(gundlach): foo

Unless this is just a renamed file being treated as added, in which case I guess
we leave it as an unclaimed TODO.

8. Please format your docstring for the Router, Authorizer, Executor class with the format

"""Single line summary of this class.

Additional details about this class.
"""

or just

"""Single line summary of this class."""

9. If the args in Authenticate's __call__ method could all fit indented to the end of manager.AuthManager().authenticate( that would be grand, but if they can't could you double indent them and make the last parens either be on the last line or lined up with rest of the words (as it stands it looks like the end of the "(user" parens.

Aaaaanyway, besides all that minor stuff it looks pretty stellar, please take the time to make sure that the stuff in #2 is being covered by tests, because it seems like any test using it would be failing since qs is not defined.

Also consider replacing qs with urllib.urlencode.

Really happy to be getting rid of Tornado and having better names for our stuff :)

Agreed with all of termie's points, with one note. :)

For point 8:

8. Please format your docstring for the Router, Authorizer, Executor class with the format

"""Single line summary of this class.

Additional details about this class.
"""

or just

"""Single line summary of this class."""

PEP257 recommends an additional newline before the end, so it should be:

"""Single line summary of this class.

Additional details about this class.

"""

Thanks so much for the review! Comments inline. A major theme is that some
things look weird because I intentionally did the minimal amount of touching
the old code while moving it into the new framework. I'd like to leave them
untouched for this merge, as the purpose is to move code off of Tornado onto
Eventlet, not to clean up all the style issues in the old code. Please push
back if you think this is inappropriate.

On Wed, Sep 8, 2010 at 9:37 AM, termie <email address hidden> wrote:

> 1. Please kill extra newlines at:
>

Done. Many of these are just newlines in the old code that I moved around
and purposefully didn't touch (to minimize the changes I was making), but I
took care of them anyway.

> 2. Line up the arguments inside the parens in all the added methods in
> nova/image/service.py.

I didn't modify the spacing of arguments in the old code.

> Additionally it doesn't look like the "qs" function exists that file in the
> branch I am looking at, are there tests written for these methods?.
>

Good catch! There are *no* tests written covering this part of the EC2
Images-related API, apparently, since the unit tests passed with this broken
code.

This change actually snuck in to my branch accidentally, and I left it in
because I thought it was harmless. As I'm not in the business of cleaning
up (or particularly understanding!) the EC2 API right now, but rather moving
it to Eventlet, I have simply fixed the qs() reference. If you disagree
with this I will just excise the S3ImageService from this mergeprop and
leave it for a separate branch. Let me know.

> 3. Same as #2 but for nova/api/ec2/images.py, however it _does_ have a qs
> function defined, which seems like it should be replaced by urllib.urlencode
> anyway.
>

Probably -- again, I'm not in the business of improving the old code, but
just moving it.

> 4. Extra newline at nova/api/ec2/context.py line 1020
>

Done

> 5. In nova/api/ec2/cloud.py please make the formatting in create_volume
> match that of the other calls in that file, namely moving the {"method"...
> section to the next line and double indenting it.
>

This is old code, and I don't actually see any pattern in the layout of the
many rpc.call()s in that file (there are several layouts). I lined it up to
look less egregious.

> 6. Also in nova/api/ec2/cloud.py please line up the indentation in
> create_key_pair's return statement.
>

Done

> 7. Please include your name in the TODO added in APIRequest's send method.
>
> e.g. TODO(gundlach): foo
>
> Unless this is just a renamed file being treated as added, in which case I
> guess
> we leave it as an unclaimed TODO.
>

It is a renamed file being treated as added. AKA, I didn't write that TODO.

> 8. Please format your docstring for the Router, Authorizer, Executor class
> with the format
>
> """Single line summary of this class.
>
> Additional details about this class.
> """
>

Oops, duh, thanks. Done. Also,
http://www.python.org/dev/peps/pep-0257/ claims
that you can put a \n before the word "Single" in your example above... is
that not kosher? For expediency I've changed the file to put the summary on
the same line as the triple-quote.

> 9...

On Wed, Sep 8, 2010 at 10:44 AM, Jay Pipes <email address hidden> wrote:

> Agreed with all of termie's points, with one note. :)
>
> For point 8:
>
> PEP257 recommends an additional newline before the end, so it should be:
>
> """Single line summary of this class.
>
> Additional details about this class.
>
> """
>

No thanks! That's a recommendation from the BDFL, not a requirement, and
I've never seen code that actually uses it, and I think it looks uglier that
way (and who uses the fill-paragraph feature in emacs anyway? ;)

I appreciate you putting another pair of eyes on the review,
Michael

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at <email address hidden>, and delete the original message.
Your cooperation is appreciated.

If there are no tests for the code, some need to be written, I would propose
that you write the tests since you are now familiar with the code.

I also don't think there is harm in fixing the formatting, you are much more
unlikely to do it later. I usually start by fixing the formatting in the old
code before I start my code to keep the changes different, but nobody ever
fixes the formatting afterwards.

On Fri, Sep 10, 2010 at 1:27 AM, Michael Gundlach <
<email address hidden>> wrote:

> On Wed, Sep 8, 2010 at 10:44 AM, Jay Pipes <email address hidden> wrote:
>
> > Agreed with all of termie's points, with one note. :)
> >
> > For point 8:
> >
> > PEP257 recommends an additional newline before the end, so it should be:
> >
> > """Single line summary of this class.
> >
> > Additional details about this class.
> >
> > """
> >
>
> No thanks! That's a recommendation from the BDFL, not a requirement, and
> I've never seen code that actually uses it, and I think it looks uglier
> that
> way (and who uses the fill-paragraph feature in emacs anyway? ;)
>
> I appreciate you putting another pair of eyes on the review,
> Michael
>
>
> Confidentiality Notice: This e-mail message (including any attached or
> embedded documents) is intended for the exclusive and confidential use of
> the
> individual or entity to which this message is addressed, and unless
> otherwise
> expressly indicated, is confidential and privileged information of
> Rackspace.
> Any dissemination, distribution or copying of the enclosed material is
> prohibited.
> If you receive this transmission in error, please notify us immediately by
> e-mail
> at <email address hidden>, and delete the original message.
> Your cooperation is appreciated.
>
>
> --
> https://code.launchpad.net/~gundlach/nova/controllers-in-api/+merge/34795
> You are reviewing the proposed merge of
> lp:~gundlach/nova/controllers-in-api into lp:nova.
>

On Sat, Sep 11, 2010 at 7:58 AM, termie <email address hidden> wrote:

> If there are no tests for the code, some need to be written, I would
> propose
> that you write the tests since you are now familiar with the code.
>

I actually *don't* understand that code -- I just extracted some methods.

I just read my diff again from top to bottom, and S3ImageService is the only
thing I did that wasn't purely "move plumbing code from Twisted to
Eventlet." So I'm pulling it out of this mergeprop -- it shouldn't have
been included in the first place.

> I also don't think there is harm in fixing the formatting, you are much
> more
> unlikely to do it later. I usually start by fixing the formatting in the
> old
> code before I start my code to keep the changes different, but nobody ever
> fixes the formatting afterwards.
>

Fair enough -- I'll address the formatting comments you made above.

Thanks!
Michael

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at <email address hidden>, and delete the original message.
Your cooperation is appreciated.

OK, the only code now touched in this mergeprop has to do with Tornado/Twisted plumbing being converted to Eventlet plumbing. images.py is no longer touched.

Seems to be a decent amount of effort going in to avoidance of writing tests.

Regardless, the basics of this code are minimally tested as is and I see no reason to prevent this merge any further.

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

nova.tests.access_unittest
  AccessTestCase
    test_001_allow_all ... [OK]
    test_002_allow_none ... [OK]
    test_003_allow_project_manager ... [OK]
    test_004_allow_sys_and_net ... [OK]
    test_005_allow_sys_no_pm ... [OK]
nova.tests.api_unittest
  ApiEc2TestCase
    test_describe_instances ... [OK]
    test_get_all_key_pairs ... [OK]
nova.tests.auth_unittest
  AuthTestCase
    test_001_can_create_users ... [OK]
    test_002_can_get_user ... [OK]
    test_003_can_retreive_properties ... [OK]
    test_004_signature_is_valid ... [OK]
    test_005_can_get_credentials ... [OK]
    test_006_test_key_storage ... [OK]
    test_007_test_key_generation ... [OK]
    test_008_can_list_key_pairs ... [OK]
    test_009_can_delete_key_pair ... [OK]
    test_010_can_list_users ... [OK]
    test_101_can_add_user_role ... [OK]
    test_199_can_remove_user_role ... [OK]
    test_201_can_create_project ... [OK]
    test_202_user1_is_project_member ... [OK]
    test_203_user2_is_not_project_member ... [OK]
    test_204_user1_is_project_manager ... [OK]
    test_205_user2_is_not_project_manager ... [OK]
    test_206_can_add_user_to_project ... [OK]
    test_207_can_remove_user_from_project ... [OK]
    test_208_can_remove_add_user_with_role ... [OK]
    test_209_can_generate_x509 ... [OK]
    test_210_can_add_project_role ... [OK]
    test_211_can_list_project_roles ... [OK]
    test_212_can_remove_project_role ... [OK]
    test_214_can_retrieve_project_by_user ... [OK]
    test_299_can_delete_project ... [OK]
    test_999_can_delete_users ... [OK]
nova.tests.cloud_unittest
  CloudTestCase
    test_console_output ... [OK]
    test_instance_update_state ... [OK]
    test_run_instances ... ...

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

text conflict in nova/api/ec2/admin.py
text conflict in nova/api/ec2/cloud.py
deleting parent in nova/endpoint
text conflict in nova/tests/cloud_unittest.py

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

nova.tests.access_unittest
  AccessTestCase
    test_001_allow_all ... [OK]
    test_002_allow_none ... [OK]
    test_003_allow_project_manager ... [OK]
    test_004_allow_sys_and_net ... [OK]
    test_005_allow_sys_no_pm ... [OK]
nova.tests.api_unittest
  ApiEc2TestCase
    test_describe_instances ... [OK]
    test_get_all_key_pairs ... [OK]
nova.tests.auth_unittest
  AuthTestCase
    test_001_can_create_users ... [OK]
    test_002_can_get_user ... [OK]
    test_003_can_retreive_properties ... [OK]
    test_004_signature_is_valid ... [OK]
    test_005_can_get_credentials ... [OK]
    test_006_test_key_storage ... [OK]
    test_007_test_key_generation ... [OK]
    test_008_can_list_key_pairs ... [OK]
    test_009_can_delete_key_pair ... [OK]
    test_010_can_list_users ... [OK]
    test_101_can_add_user_role ... [OK]
    test_199_can_remove_user_role ... [OK]
    test_201_can_create_project ... [OK]
    test_202_user1_is_project_member ... [OK]
    test_203_user2_is_not_project_member ... [OK]
    test_204_user1_is_project_manager ... [OK]
    test_205_user2_is_not_project_manager ... [OK]
    test_206_can_add_user_to_project ... [OK]
    test_207_can_remove_user_from_project ... [OK]
    test_208_can_remove_add_user_with_role ... [OK]
    test_209_can_generate_x509 ... [OK]
    test_210_can_add_project_role ... [OK]
    test_211_can_list_project_roles ... [OK]
    test_212_can_remove_project_role ... [OK]
    test_214_can_retrieve_project_by_user ... [OK]
    test_299_can_delete_project ... [OK]
    test_999_can_delete_users ... [OK]
nova.tests.cloud_unittest
  CloudTestCase
    test_console_output ... [OK]
    test_instance_update_state ... [OK]
    test_run_instances ... ...

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

nova.tests.access_unittest
  AccessTestCase
    test_001_allow_all ... [OK]
    test_002_allow_none ... [OK]
    test_003_allow_project_manager ... [OK]
    test_004_allow_sys_and_net ... [OK]
    test_005_allow_sys_no_pm ... [OK]
nova.tests.api_unittest
  ApiEc2TestCase
    test_describe_instances ... [OK]
    test_get_all_key_pairs ... [OK]
nova.tests.auth_unittest
  AuthTestCase
    test_001_can_create_users ... [OK]
    test_002_can_get_user ... [OK]
    test_003_can_retreive_properties ... [OK]
    test_004_signature_is_valid ... [OK]
    test_005_can_get_credentials ... [OK]
    test_006_test_key_storage ... [OK]
    test_007_test_key_generation ... [OK]
    test_008_can_list_key_pairs ... [OK]
    test_009_can_delete_key_pair ... [OK]
    test_010_can_list_users ... [OK]
    test_101_can_add_user_role ... [OK]
    test_199_can_remove_user_role ... [OK]
    test_201_can_create_project ... [OK]
    test_202_user1_is_project_member ... [OK]
    test_203_user2_is_not_project_member ... [OK]
    test_204_user1_is_project_manager ... [OK]
    test_205_user2_is_not_project_manager ... [OK]
    test_206_can_add_user_to_project ... [OK]
    test_207_can_remove_user_from_project ... [OK]
    test_208_can_remove_add_user_with_role ... [OK]
    test_209_can_generate_x509 ... [OK]
    test_210_can_add_project_role ... [OK]
    test_211_can_list_project_roles ... [OK]
    test_212_can_remove_project_role ... [OK]
    test_214_can_retrieve_project_by_user ... [OK]
    test_299_can_delete_project ... [OK]
    test_999_can_delete_users ... [OK]
nova.tests.cloud_unittest
  CloudTestCase
    test_console_output ... [OK]
    test_instance_update_state ... [OK]
    test_run_instances ... ...

Crossing my fingers...

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

text conflict in nova/api/ec2/cloud.py
deleting parent in nova/endpoint
unversioned parent in nova/endpoint
contents conflict in nova/endpoint/api.py

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

text conflict in nova/api/__init__.py
deleting parent in nova/endpoint

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

text conflict in nova/api/ec2/cloud.py
deleting parent in nova/endpoint
text conflict in nova/tests/api_unittest.py
text conflict in nova/tests/cloud_unittest.py

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

Traceback (most recent call last):
  File "run_tests.py", line 61, in <module>
    from nova.tests.quota_unittest import *
  File "/var/lib/hudson/src/nova/hudson/nova/tests/quota_unittest.py", line 28, in <module>
    from nova.endpoint import cloud
ImportError: No module named endpoint

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

nova.tests.api_unittest
  ApiEc2TestCase
    test_describe_instances ... [OK]
    test_get_all_key_pairs ... [OK]
nova.tests.auth_unittest
  AuthTestCase
    test_001_can_create_users ... [OK]
    test_002_can_get_user ... [OK]
    test_003_can_retreive_properties ... [OK]
    test_004_signature_is_valid ... [OK]
    test_005_can_get_credentials ... [OK]
    test_010_can_list_users ... [OK]
    test_101_can_add_user_role ... [OK]
    test_199_can_remove_user_role ... [OK]
    test_201_can_create_project ... [OK]
    test_202_user1_is_project_member ... [OK]
    test_203_user2_is_not_project_member ... [OK]
    test_204_user1_is_project_manager ... [OK]
    test_205_user2_is_not_project_manager ... [OK]
    test_206_can_add_user_to_project ... [OK]
    test_207_can_remove_user_from_project ... [OK]
    test_208_can_remove_add_user_with_role ... [OK]
    test_209_can_generate_x509 ... [OK]
    test_210_can_add_project_role ... [OK]
    test_211_can_list_project_roles ... [OK]
    test_212_can_remove_project_role ... [OK]
    test_214_can_retrieve_project_by_user ... [OK]
    test_220_can_modify_project ... [OK]
    test_299_can_delete_project ... [OK]
    test_999_can_delete_users ... [OK]
nova.tests.cloud_unittest
  CloudTestCase
    test_console_output ... [OK]
    test_delete_key_pair ... [OK]
    test_describe_key_pairs ... [OK]
    test_instance_update_state ... [OK]
    test_key_generation ... [OK]
    test_run_instances ... [OK]
nova.tests.compute_unittest
  ComputeTestCase
    test_console_output ... [OK]
    test_reboot ... [OK]
    test_run_instance_existing ... [OK]
    test_run_terminate ... [OK]
    test_run_terminate_timest...

Attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed due to merge conflicts:

deleting parent in nova/endpoint

The attempt to merge lp:~gundlach/nova/controllers-in-api into lp:nova failed.Below is the output from the failed tests.

nova.tests.api_unittest
  ApiEc2TestCase
    test_describe_instances ... [ERROR]
    test_get_all_key_pairs ... [OK]
nova.tests.auth_unittest
  AuthTestCase
    test_001_can_create_users ... [OK]
    test_002_can_get_user ... [OK]
    test_003_can_retreive_properties ... [OK]
    test_004_signature_is_valid ... [OK]
    test_005_can_get_credentials ... [OK]
    test_010_can_list_users ... [OK]
    test_101_can_add_user_role ... [OK]
    test_199_can_remove_user_role ... [OK]
    test_201_can_create_project ... [OK]
    test_202_user1_is_project_member ... [OK]
    test_203_user2_is_not_project_member ... [OK]
    test_204_user1_is_project_manager ... [OK]
    test_205_user2_is_not_project_manager ... [OK]
    test_206_can_add_user_to_project ... [OK]
    test_207_can_remove_user_from_project ... [OK]
    test_208_can_remove_add_user_with_role ... [OK]
    test_209_can_generate_x509 ... [OK]
    test_210_can_add_project_role ... [OK]
    test_211_can_list_project_roles ... [OK]
    test_212_can_remove_project_role ... [OK]
    test_214_can_retrieve_project_by_user ... [OK]
    test_220_can_modify_project ... [OK]
    test_299_can_delete_project ... [OK]
    test_999_can_delete_users ... [OK]
nova.tests.cloud_unittest
  CloudTestCase
    test_console_output ... [OK]
    test_delete_key_pair ... [OK]
    test_describe_key_pairs ... [OK]
    test_instance_update_state ... [OK]
    test_key_generation ... [OK]
    test_run_instances ... [OK]
nova.tests.compute_unittest
  ComputeTestCase
    test_console_output ... [OK]
    test_reboot ... [OK]
    test_run_instance_existing ... [OK]
    test_run_terminate ... [OK]
    test_run_terminate_timest...

=== modified file 'bin/nova-manage'
--- bin/nova-manage 2010-09-21 22:00:22 +0000
+++ bin/nova-manage 2010-09-23 00:17:01 +0000
@@ -73,7 +73,7 @@
 from nova import utils
 from nova.auth import manager
 from nova.cloudpipe import pipelib
-from nova.endpoint import cloud
+from nova.api.ec2 import cloud

to fix nova-manage

another important one:

=== modified file 'bin/nova-api'
--- bin/nova-api-new 2010-09-23 00:54:57 +0000
+++ bin/nova-api-new 2010-09-23 01:34:51 +0000
@@ -34,12 +34,11 @@

 from nova import api
 from nova import flags
-from nova import utils
 from nova import wsgi

 FLAGS = flags.FLAGS
 flags.DEFINE_integer('api_port', 8773, 'API port')

 if __name__ == '__main__':
- utils.default_flagfile()
+ FLAGS(sys.argv)
     wsgi.run_server(api.API(), FLAGS.api_port)

make sure to replace nova-api-new with nova-api if applying after merging edays patch

(default_flagfile doesn't load flags, it just makes it look for a default file, which isn't what you want to do here)

Why remove default_flagfile? You definitely need the FLAGS(sys.argv), but wouldn't we want to still consume the nova.conf in the local directory (if another --flagfile isn't set)?

Let me know what the final state of flags is so I can manage: https://code.launchpad.net/~anso/nova/apiflags

Todd: none of the other workers are using it any more. Some people frowned upon magically loading a flagfile. The only one still using it is nova-manage and it looks for /etc/nova/nova-manage.conf

Commands to the admin api universally fail, because there is no shortcut for superusers to bypass role checking. This patch adds the shortcut, updates the documentation and make the default 'none' instead of []:

=== modified file 'nova/api/ec2/__init__.py'
--- nova/api/ec2/__init__.py 2010-09-23 00:35:10 +0000
+++ nova/api/ec2/__init__.py 2010-09-23 07:54:59 +0000
@@ -164,8 +164,8 @@
                 'ModifyImageAttribute': ['projectmanager', 'sysadmin', 'developer', 'itsec'],
             },
             'AdminController': {
- # All actions have the same permission: [] (the default)
- # admins will be allowed to run them
+ # All actions have the same permission: ['none'] (the default)
+ # superusers will be allowed to run them
                 # all others will get HTTPUnauthorized.
             },
         }
@@ -175,7 +175,7 @@
         context = req.environ['ec2.context']
         controller_name = req.environ['ec2.controller'].__class__.__name__
         action = req.environ['ec2.action']
- allowed_roles = self.action_roles[controller_name].get(action, [])
+ allowed_roles = self.action_roles[controller_name].get(action, ['none'])
         if self._matches_any_role(context, allowed_roles):
             return self.application
         else:
@@ -183,6 +183,8 @@

     def _matches_any_role(self, context, roles):
         """Return True if any role in roles is allowed in context."""
+ if context.user.is_superuser():
+ return True
         if 'all' in roles:
             return True
         if 'none' in roles:

I see that you already added some code for this, using extend by superuser roles. The one issue with this is that it ignores the flag in ldap for admin, which is also picked up by is_superuser(). If we want to stop using that flag, we need to at the very least change the auth/manager.py.create_user() to automatically create a role if admin=True instead of just setting the flag in ldap.