author | Guang Yee <guang.yee@hp.com> | 2013-02-20 20:28:38 -0800 |
committer | Guang Yee <guang.yee@hp.com> | 2013-02-20 20:28:38 -0800 |
commit | 43adc12790c2ca0fee170c51c79ce5f5721f5e5d (patch) | |
tree | 5ab7399c18e361369a0f06cd845574d5fb88e768 /keystone/auth | |
parent | 27429e39440738a5cb40a126dbf129cdc43f674d (diff) | |
domain-scoping
Implement domain-scoping functionality for v3 auth API
Change-Id: Id5e935735a43fefee10a36d9d691578871ba7fcb
Diffstat (limited to 'keystone/auth')
-rw-r--r-- | keystone/auth/token_factory.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/keystone/auth/token_factory.py b/keystone/auth/token_factory.py
index e803ae79..fdd33d12 100644
--- a/keystone/auth/token_factory.py
+++ b/keystone/auth/token_factory.py
@@ -77,11 +77,25 @@ class TokenDataHelper(object):
             raise exception.Unauthorized(msg)
         return roles_ref
 
+    def _get_domain_roles_for_user(self, user_id, domain_id):
+        roles = self.identity_api.get_roles_for_user_and_domain(
+            self.context, user_id, domain_id)
+        roles_ref = []
+        for role_id in roles:
+            role_ref = self.identity_api.get_role(self.context, role_id)
+            role_ref.setdefault('domain_id', domain_id)
+            roles_ref.append(role_ref)
+        # user have no domain roles, therefore access denied
+        if len(roles_ref) == 0:
+            msg = _('User have no access to domain')
+            LOG.debug(msg)
+            raise exception.Unauthorized(msg)
+        return roles_ref
+
     def _get_roles_for_user(self, user_id, domain_id, project_id):
         roles = []
         if domain_id:
-            # TODO(gyee): get domain roles
-            pass
+            roles = self._get_domain_roles_for_user(user_id, domain_id)
         if project_id:
             roles = self._get_project_roles_for_user(user_id, project_id)
         return roles
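Review bot: In `_get_roles_for_user`, a request that carries both `domain_id` and `project_id` now performs the domain lookup (and can be refused with Unauthorized for the domain) only to have the result discarded, because the following `roles = self._get_project_roles_for_user(user_id, project_id)` assigns rather than extends; either reject a request naming both scopes before either lookup, or add a comment stating that project scope wins so the precedence is deliberate. In `_get_domain_roles_for_user`, `role_ref.setdefault('domain_id', domain_id)` keeps any `domain_id` the backend already returned on the role, so a role stored under a different domain would be reported in the token under the requested scope; if roles carry no domain at this point a comment saying so would make that safe by construction, otherwise the mismatch should be skipped rather than relabelled. The denial is recorded only with `LOG.debug(msg)` and the message names neither user nor domain, so a failed scope request leaves no trace at default log levels; logging `user_id` and `domain_id` at warning level while keeping the user-facing message generic would give operators an audit trail without widening what the client learns. The string `'User have no access to domain'` should read `'User has no access to domain'`, and `if len(roles_ref) == 0:` is more idiomatically `if not roles_ref:`.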