authorJenkins <jenkins@review.openstack.org>2013-08-15 20:45:50 +0000
committerGerrit Code Review <review@openstack.org>2013-08-15 20:45:50 +0000
commit1b4f0a5ec848af94e322a8f55deb52223c94b62a (patch)
treeb7ba6edd958027060980f3c05a79eda01bc43bdd /keystone/identity/controllers.py
parent116897786dbb8473154ec85a01b019af8106a1f4 (diff)
parent74f788aa9da0dabf54bd1f4718f9c0e0b9726757 (diff)
Merge "Revoke user tokens when disabling/delete a project"
Diffstat (limited to 'keystone/identity/controllers.py')
-rw-r--r--keystone/identity/controllers.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 7ca1f8bf..8777b1f9 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -109,12 +109,20 @@ class Tenant(controller.V2Controller):
# be specifying that
clean_tenant = tenant.copy()
clean_tenant.pop('domain_id', None)
+
+ # If the project has been disabled (or enabled=False) we are
+ # deleting the tokens for that project.
+ if not tenant.get('enabled', True):
+ self._delete_tokens_for_project(tenant_id)
+
tenant_ref = self.identity_api.update_project(
tenant_id, clean_tenant)
return {'tenant': tenant_ref}
def delete_project(self, context, tenant_id):
self.assert_admin(context)
+ # Delete all tokens belonging to the users for that project
+ self._delete_tokens_for_project(tenant_id)
self.identity_api.delete_project(tenant_id)
def get_project_users(self, context, tenant_id, **kw):
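Review bot: In `Tenant.update_project` the tokens are revoked before `self.identity_api.update_project(...)` has committed the disable, so a token issued between the two calls is not covered by the revocation, and an update that fails still revokes every token for the project. Calling `self._delete_tokens_for_project(tenant_id)` after the update returns would close that window, assuming token issuance refuses a disabled project; neither the helper nor the issuance path is visible here. `delete_project` and both `ProjectV3` hunks below use the same revoke-then-change order, but on the delete paths the helper may need the project's membership to still exist, so those would have to collect the affected users first and revoke after the delete. `update_project` starts above this hunk and `get_project_users` continues past it.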
@@ -572,6 +580,10 @@ class ProjectV3(controller.V3Controller):
def update_project(self, context, project_id, project):
self._require_matching_id(project_id, project)
+ # The project was disabled so we delete the tokens
+ if not project.get('enabled', True):
+ self._delete_tokens_for_project(project_id)
+
ref = self.identity_api.update_project(project_id, project)
return ProjectV3.wrap_member(context, ref)
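Review bot: `if not project.get('enabled', True):` decides revocation on Python truthiness, so a non-boolean value in the request body can make the revocation decision disagree with what the backend stores. As a constructed example, `"enabled": "false"` is a non-empty string and skips revocation, while `None` or `0` trigger it. If `enabled` is not already validated as a boolean before this point (not visible in this hunk), rejecting non-boolean values ahead of the test would keep the two in step, for instance `if not isinstance(project.get('enabled', True), bool): raise exception.ValidationError(...)` with whatever error type the controller already uses. The same test appears in `Tenant.update_project` in the first hunk.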
@@ -580,6 +592,10 @@ class ProjectV3(controller.V3Controller):
for cred in self.credential_api.list_credentials():
if cred['project_id'] == project_id:
self.credential_api.delete_credential(cred['id'])
+
+ # Delete all tokens belonging to the users for that project
+ self._delete_tokens_for_project(project_id)
+
# Finally delete the project itself - the backend is
# responsible for deleting any role assignments related
# to this project