Implement GET /role_assignment API call

Add support for the GET /role_assignment call as a first step to making role_assignment a first class entity. This patch also enables v3 collection filtering to match against attributes of entities being returned in the list, using the same dot notation (e.g. user.id) that we already support for policy file checking against filters. Limitations: - The current implementation uses the standard v3 collections wrapper mechanism for filtering. Given the potential numbers of role assignments in a large system, this may have performance and resource impacts. A future improvement would pass the filters into the driver layer to keep the internal assignment processing to a minimum. - The LDAP backend is not currently supported Implements bp get-role-assignments Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
author: Henry Nash <henryn@linux.vnet.ibm.com> 2013-06-21 22:50:40 +0100
committer: Henry Nash <henryn@linux.vnet.ibm.com> 2013-07-03 21:30:09 +0100
commit: fa10d4945ca9658eff02b1d8e917fde50d6576ce (patch)
tree: b5c50890695d8a503dc130a5c219cf543051cc2c /tests/test_backend.py
parent: 62d948a66b27ad2622a324bd9a070346f7b607d2 (diff)
download: keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.tar.gz
keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.tar.xz
keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.zip
1 files changed, 66 insertions, 0 deletions
diff --git a/tests/test_backend.py b/tests/test_backend.py
index ea40cd8b..f8d04b6e 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -482,6 +482,72 @@ class IdentityTests(object):
                           self.identity_api.get_project,
                           'fake2')
 
+    def test_list_role_assignments_unfiltered(self):
+        """Test for unfiltered listing role assignments.
+
+        Test Plan:
+        - Create a domain, with a user, group & project
+        - Find how many role assignments already exist (from default
+          fixtures)
+        - Create a grant of each type (user/group on project/domain)
+        - Check the number of assignments has gone up by 4 and that
+          the entries we added are in the list returned
+
+        """
+        new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+        self.identity_api.create_domain(new_domain['id'], new_domain)
+        new_user = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+                    'password': uuid.uuid4().hex, 'enabled': True,
+                    'domain_id': new_domain['id']}
+        self.identity_api.create_user(new_user['id'],
+                                      new_user)
+        new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
+                     'name': uuid.uuid4().hex}
+        self.identity_api.create_group(new_group['id'], new_group)
+        new_project = {'id': uuid.uuid4().hex,
+                       'name': uuid.uuid4().hex,
+                       'domain_id': new_domain['id']}
+        self.identity_api.create_project(new_project['id'], new_project)
+
+        # First check how many role grant already exist
+        existing_assignments = len(self.identity_api.list_role_assignments())
+
+        # Now create the grants (roles are defined in default_fixtures)
+        self.identity_api.create_grant(user_id=new_user['id'],
+                                       domain_id=new_domain['id'],
+                                       role_id='member')
+        self.identity_api.create_grant(user_id=new_user['id'],
+                                       project_id=new_project['id'],
+                                       role_id='other')
+        self.identity_api.create_grant(group_id=new_group['id'],
+                                       domain_id=new_domain['id'],
+                                       role_id='admin')
+        self.identity_api.create_grant(group_id=new_group['id'],
+                                       project_id=new_project['id'],
+                                       role_id='admin')
+
+        # Read back the list of assignments - check it is gone up by 4
+        assignment_list = self.identity_api.list_role_assignments()
+        self.assertEquals(len(assignment_list), existing_assignments + 4)
+
+        # Now check that each of our four new entries are in the list
+        self.assertIn(
+            {'user_id': new_user['id'], 'domain_id': new_domain['id'],
+             'role_id': 'member'},
+            assignment_list)
+        self.assertIn(
+            {'user_id': new_user['id'], 'project_id': new_project['id'],
+             'role_id': 'other'},
+            assignment_list)
+        self.assertIn(
+            {'group_id': new_group['id'], 'domain_id': new_domain['id'],
+             'role_id': 'admin'},
+            assignment_list)
+        self.assertIn(
+            {'group_id': new_group['id'], 'project_id': new_project['id'],
+             'role_id': 'admin'},
+            assignment_list)
+
     def test_add_duplicate_role_grant(self):
         roles_ref = self.identity_api.get_roles_for_user_and_project(
             self.user_foo['id'], self.tenant_bar['id'])
author	Henry Nash <henryn@linux.vnet.ibm.com>	2013-06-21 22:50:40 +0100
committer	Henry Nash <henryn@linux.vnet.ibm.com>	2013-07-03 21:30:09 +0100
commit	fa10d4945ca9658eff02b1d8e917fde50d6576ce (patch)
tree	b5c50890695d8a503dc130a5c219cf543051cc2c /tests/test_backend.py
parent	62d948a66b27ad2622a324bd9a070346f7b607d2 (diff)
download	keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.tar.gz keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.tar.xz keystone-fa10d4945ca9658eff02b1d8e917fde50d6576ce.zip