diff options
Diffstat (limited to 'keystone/assignment')
-rw-r--r-- | keystone/assignment/backends/kvs.py | 73 | ||||
-rw-r--r-- | keystone/assignment/backends/ldap.py | 31 | ||||
-rw-r--r-- | keystone/assignment/backends/sql.py | 101 | ||||
-rw-r--r-- | keystone/assignment/core.py | 81 |
4 files changed, 107 insertions, 179 deletions
diff --git a/keystone/assignment/backends/kvs.py b/keystone/assignment/backends/kvs.py index 9a09598f..4ed3937b 100644 --- a/keystone/assignment/backends/kvs.py +++ b/keystone/assignment/backends/kvs.py @@ -26,22 +26,6 @@ class Assignment(kvs.Base, assignment.Driver): super(Assignment, self).__init__() # Public interface - def authorize_for_project(self, user_ref, tenant_id=None): - user_id = user_ref['id'] - tenant_ref = None - metadata_ref = {} - if tenant_id is not None: - if tenant_id not in self.get_projects_for_user(user_id): - raise AssertionError('Invalid tenant') - try: - tenant_ref = self.get_project(tenant_id) - metadata_ref = self.get_metadata(user_id, tenant_id) - except exception.ProjectNotFound: - tenant_ref = None - metadata_ref = {} - except exception.MetadataNotFound: - metadata_ref = {} - return (identity.filter_user(user_ref), tenant_ref, metadata_ref) def get_project(self, tenant_id): try: @@ -79,8 +63,8 @@ class Assignment(kvs.Base, assignment.Driver): except exception.NotFound: raise exception.UserNotFound(user_id=user_name) - def get_metadata(self, user_id=None, tenant_id=None, - domain_id=None, group_id=None): + def _get_metadata(self, user_id=None, tenant_id=None, + domain_id=None, group_id=None): try: if user_id: if tenant_id: @@ -113,21 +97,12 @@ class Assignment(kvs.Base, assignment.Driver): user_ref = self._get_user(user_id) return user_ref.get('tenants', []) - def get_roles_for_user_and_project(self, user_id, tenant_id): - self.identity_api.get_user(user_id) - self.get_project(tenant_id) - try: - metadata_ref = self.get_metadata(user_id, tenant_id) - except exception.MetadataNotFound: - metadata_ref = {} - return metadata_ref.get('roles', []) - def add_role_to_user_and_project(self, user_id, tenant_id, role_id): self.identity_api.get_user(user_id) self.get_project(tenant_id) self.get_role(role_id) try: - metadata_ref = self.get_metadata(user_id, tenant_id) + metadata_ref = self._get_metadata(user_id, tenant_id) except exception.MetadataNotFound: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) @@ -137,11 +112,11 @@ class Assignment(kvs.Base, assignment.Driver): raise exception.Conflict(type='role grant', details=msg) roles.add(role_id) metadata_ref['roles'] = list(roles) - self.update_metadata(user_id, tenant_id, metadata_ref) + self._update_metadata(user_id, tenant_id, metadata_ref) def remove_role_from_user_and_project(self, user_id, tenant_id, role_id): try: - metadata_ref = self.get_metadata(user_id, tenant_id) + metadata_ref = self._get_metadata(user_id, tenant_id) except exception.MetadataNotFound: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) @@ -160,7 +135,7 @@ class Assignment(kvs.Base, assignment.Driver): user_ref['tenants'] = list(tenants) self.identity_api.update_user(user_id, user_ref) else: - self.update_metadata(user_id, tenant_id, metadata_ref) + self._update_metadata(user_id, tenant_id, metadata_ref) def list_role_assignments(self): """List the role assignments. @@ -255,14 +230,14 @@ class Assignment(kvs.Base, assignment.Driver): self.db.delete('tenant_name-%s' % old_project['name']) self.db.delete('tenant-%s' % tenant_id) - def create_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): + def _create_metadata(self, user_id, tenant_id, metadata, + domain_id=None, group_id=None): - return self.update_metadata(user_id, tenant_id, metadata, - domain_id, group_id) + return self._update_metadata(user_id, tenant_id, metadata, + domain_id, group_id) - def update_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): + def _update_metadata(self, user_id, tenant_id, metadata, + domain_id=None, group_id=None): if user_id: if tenant_id: self.db.set('metadata-%s-%s' % (tenant_id, user_id), metadata) @@ -362,15 +337,15 @@ class Assignment(kvs.Base, assignment.Driver): self.get_project(project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) roles.add(role_id) metadata_ref['roles'] = list(roles) - self.update_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._update_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) def list_grants(self, user_id=None, group_id=None, domain_id=None, project_id=None): @@ -384,8 +359,8 @@ class Assignment(kvs.Base, assignment.Driver): self.get_project(project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} return [self.get_role(x) for x in metadata_ref.get('roles', [])] @@ -403,8 +378,8 @@ class Assignment(kvs.Base, assignment.Driver): self.get_project(project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} role_ids = set(metadata_ref.get('roles', [])) @@ -425,8 +400,8 @@ class Assignment(kvs.Base, assignment.Driver): self.get_project(project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} roles = set(metadata_ref.get('roles', [])) @@ -435,8 +410,8 @@ class Assignment(kvs.Base, assignment.Driver): except KeyError: raise exception.RoleNotFound(role_id=role_id) metadata_ref['roles'] = list(roles) - self.update_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._update_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) # domain crud diff --git a/keystone/assignment/backends/ldap.py b/keystone/assignment/backends/ldap.py index 500f304a..44a479bf 100644 --- a/keystone/assignment/backends/ldap.py +++ b/keystone/assignment/backends/ldap.py @@ -26,7 +26,6 @@ from keystone.common import logging from keystone.common import models from keystone import config from keystone import exception -from keystone import identity from keystone.identity.backends import ldap as ldap_identity @@ -70,29 +69,6 @@ class Assignment(assignment.Driver): #once we remove here. the getter and setter can be removed as well. self._identity_api.driver.project = self.project - def authorize_for_project(self, user_ref, tenant_id=None): - user_id = user_ref['id'] - tenant_ref = None - metadata_ref = {} - - if tenant_id is not None: - if tenant_id not in self.get_projects_for_user(user_id): - raise AssertionError('Invalid tenant') - - try: - tenant_ref = self.get_project(tenant_id) - # TODO(termie): this should probably be made into a - # get roles call - metadata_ref = self.get_metadata(user_id, tenant_id) - except exception.ProjectNotFound: - tenant_ref = None - metadata_ref = {} - except exception.MetadataNotFound: - metadata_ref = {} - - user_ref = self._set_default_domain(identity.filter_user(user_ref)) - return (user_ref, tenant_ref, metadata_ref) - def get_project(self, tenant_id): return self._set_default_domain(self.project.get(tenant_id)) @@ -149,8 +125,9 @@ class Assignment(assignment.Driver): tenant['name'] = clean.project_name(tenant['name']) return self._set_default_domain(self.project.update(tenant_id, tenant)) - def get_metadata(self, user_id=None, tenant_id=None, - domain_id=None, group_id=None): + def _get_metadata(self, user_id=None, tenant_id=None, + domain_id=None, group_id=None): + def _get_roles_for_just_user_and_project(user_id, tenant_id): self.identity_api.get_user(user_id) self.get_project(tenant_id) @@ -216,7 +193,7 @@ class Assignment(assignment.Driver): user_dn=user_dn, tenant_dn=tenant_dn) - def create_metadata(self, user_id, tenant_id, metadata): + def _create_metadata(self, user_id, tenant_id, metadata): return {} def create_role(self, role_id, role): diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py index 65d1bbc7..57ca7834 100644 --- a/keystone/assignment/backends/sql.py +++ b/keystone/assignment/backends/sql.py @@ -19,7 +19,6 @@ from keystone import clean from keystone.common import sql from keystone.common.sql import migration from keystone import exception -from keystone import identity class Assignment(sql.Base, assignment.Driver): @@ -31,26 +30,6 @@ class Assignment(sql.Base, assignment.Driver): def db_sync(self, version=None): migration.db_sync(version=version) - def authorize_for_project(self, user_ref, tenant_id=None): - user_id = user_ref['id'] - tenant_ref = None - metadata_ref = {} - if tenant_id is not None: - # FIXME(gyee): this should really be - # get_roles_for_user_and_project() after the dusts settle - if tenant_id not in self.get_projects_for_user(user_id): - raise AssertionError('Invalid project') - try: - tenant_ref = self.get_project(tenant_id) - metadata_ref = self.get_metadata(user_id, tenant_id) - except exception.ProjectNotFound: - tenant_ref = None - metadata_ref = {} - except exception.MetadataNotFound: - metadata_ref = {} - user_ref = identity.filter_user(user_ref.to_dict()) - return (user_ref, tenant_ref, metadata_ref) - def _get_project(self, session, project_id): project_ref = session.query(Project).get(project_id) if project_ref is None: @@ -91,8 +70,8 @@ class Assignment(sql.Base, assignment.Driver): user_refs.append(user_ref) return user_refs - def get_metadata(self, user_id=None, tenant_id=None, - domain_id=None, group_id=None): + def _get_metadata(self, user_id=None, tenant_id=None, + domain_id=None, group_id=None): session = self.get_session() if user_id: @@ -130,8 +109,8 @@ class Assignment(sql.Base, assignment.Driver): self._get_project(session, project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) is_new = False except exception.MetadataNotFound: metadata_ref = {} @@ -140,11 +119,11 @@ class Assignment(sql.Base, assignment.Driver): roles.add(role_id) metadata_ref['roles'] = list(roles) if is_new: - self.create_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._create_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) else: - self.update_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._update_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) def list_grants(self, user_id=None, group_id=None, domain_id=None, project_id=None): @@ -159,8 +138,8 @@ class Assignment(sql.Base, assignment.Driver): self._get_project(session, project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} return [self.get_role(x) for x in metadata_ref.get('roles', [])] @@ -179,8 +158,8 @@ class Assignment(sql.Base, assignment.Driver): self._get_project(session, project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) except exception.MetadataNotFound: metadata_ref = {} role_ids = set(metadata_ref.get('roles', [])) @@ -202,8 +181,8 @@ class Assignment(sql.Base, assignment.Driver): self._get_project(session, project_id) try: - metadata_ref = self.get_metadata(user_id, project_id, - domain_id, group_id) + metadata_ref = self._get_metadata(user_id, project_id, + domain_id, group_id) is_new = False except exception.MetadataNotFound: metadata_ref = {} @@ -215,11 +194,11 @@ class Assignment(sql.Base, assignment.Driver): raise exception.RoleNotFound(role_id=role_id) metadata_ref['roles'] = list(roles) if is_new: - self.create_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._create_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) else: - self.update_metadata(user_id, project_id, metadata_ref, - domain_id, group_id) + self._update_metadata(user_id, project_id, metadata_ref, + domain_id, group_id) def list_projects(self): session = self.get_session() @@ -234,39 +213,13 @@ class Assignment(sql.Base, assignment.Driver): membership_refs = query.all() return [x.project_id for x in membership_refs] - def _get_user_group_project_roles(self, metadata_ref, user_id, project_id): - group_refs = self.identity_api.list_groups_for_user(user_id=user_id) - for x in group_refs: - try: - metadata_ref.update( - self.get_metadata(group_id=x['id'], - tenant_id=project_id)) - except exception.MetadataNotFound: - # no group grant, skip - pass - - def _get_user_project_roles(self, metadata_ref, user_id, project_id): - try: - metadata_ref.update(self.get_metadata(user_id, project_id)) - except exception.MetadataNotFound: - pass - - def get_roles_for_user_and_project(self, user_id, tenant_id): - session = self.get_session() - self.identity_api._get_user(session, user_id) - self._get_project(session, tenant_id) - metadata_ref = {} - self._get_user_project_roles(metadata_ref, user_id, tenant_id) - self._get_user_group_project_roles(metadata_ref, user_id, tenant_id) - return list(set(metadata_ref.get('roles', []))) - def add_role_to_user_and_project(self, user_id, tenant_id, role_id): session = self.get_session() self.identity_api._get_user(session, user_id) self._get_project(session, tenant_id) self._get_role(session, role_id) try: - metadata_ref = self.get_metadata(user_id, tenant_id) + metadata_ref = self._get_metadata(user_id, tenant_id) is_new = False except exception.MetadataNotFound: metadata_ref = {} @@ -279,13 +232,13 @@ class Assignment(sql.Base, assignment.Driver): roles.add(role_id) metadata_ref['roles'] = list(roles) if is_new: - self.create_metadata(user_id, tenant_id, metadata_ref) + self._create_metadata(user_id, tenant_id, metadata_ref) else: - self.update_metadata(user_id, tenant_id, metadata_ref) + self._update_metadata(user_id, tenant_id, metadata_ref) def remove_role_from_user_and_project(self, user_id, tenant_id, role_id): try: - metadata_ref = self.get_metadata(user_id, tenant_id) + metadata_ref = self._get_metadata(user_id, tenant_id) roles = set(metadata_ref.get('roles', [])) if role_id not in roles: raise exception.RoleNotFound(message=_( @@ -294,7 +247,7 @@ class Assignment(sql.Base, assignment.Driver): roles.remove(role_id) metadata_ref['roles'] = list(roles) if len(roles): - self.update_metadata(user_id, tenant_id, metadata_ref) + self._update_metadata(user_id, tenant_id, metadata_ref) else: session = self.get_session() q = session.query(UserProjectGrant) @@ -396,8 +349,8 @@ class Assignment(sql.Base, assignment.Driver): session.flush() @sql.handle_conflicts(type='metadata') - def create_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): + def _create_metadata(self, user_id, tenant_id, metadata, + domain_id=None, group_id=None): session = self.get_session() with session.begin(): if user_id: @@ -426,8 +379,8 @@ class Assignment(sql.Base, assignment.Driver): return metadata @sql.handle_conflicts(type='metadata') - def update_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): + def _update_metadata(self, user_id, tenant_id, metadata, + domain_id=None, group_id=None): session = self.get_session() with session.begin(): if user_id: diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 251a3bc6..879fee0b 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -58,8 +58,8 @@ class Manager(manager.Manager): (user_id=user_id)) for x in group_refs: try: - metadata_ref = self.get_metadata(group_id=x['id'], - tenant_id=tenant_id) + metadata_ref = self._get_metadata(group_id=x['id'], + tenant_id=tenant_id) role_list += metadata_ref.get('roles', []) except exception.MetadataNotFound: # no group grant, skip @@ -69,8 +69,8 @@ class Manager(manager.Manager): def _get_user_project_roles(user_id, tenant_id): metadata_ref = {} try: - metadata_ref = self.get_metadata(user_id=user_id, - tenant_id=tenant_id) + metadata_ref = self._get_metadata(user_id=user_id, + tenant_id=tenant_id) except exception.MetadataNotFound: pass return metadata_ref.get('roles', []) @@ -97,8 +97,8 @@ class Manager(manager.Manager): list_groups_for_user(user_id=user_id)) for x in group_refs: try: - metadata_ref = self.get_metadata(group_id=x['id'], - domain_id=domain_id) + metadata_ref = self._get_metadata(group_id=x['id'], + domain_id=domain_id) role_list += metadata_ref.get('roles', []) except (exception.MetadataNotFound, exception.NotImplemented): # MetadataNotFound implies no group grant, so skip. @@ -110,8 +110,8 @@ class Manager(manager.Manager): def _get_user_domain_roles(user_id, domain_id): metadata_ref = {} try: - metadata_ref = self.get_metadata(user_id=user_id, - domain_id=domain_id) + metadata_ref = self._get_metadata(user_id=user_id, + domain_id=domain_id) except (exception.MetadataNotFound, exception.NotImplemented): # MetadataNotFound implies no user grants. # Ignore NotImplemented since not all backends support @@ -152,12 +152,6 @@ class Manager(manager.Manager): class Driver(object): - def authorize_for_project(self, tenant_id, user_ref): - """Authenticate a given user for a tenant. - :returns: (user_ref, tenant_ref, metadata_ref) - :raises: AssertionError - """ - raise exception.NotImplemented() def get_project_by_name(self, tenant_name, domain_id): """Get a tenant by name. @@ -205,39 +199,68 @@ class Driver(object): """ raise exception.NotImplemented() - def list_role_assignments(self): + # assignment/grant crud + + def create_grant(self, role_id, user_id=None, group_id=None, + domain_id=None, project_id=None): + """Creates a new assignment/grant. + :raises: keystone.exception.UserNotFound, + keystone.exception.GroupNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.DomainNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.RoleNotFound + + """ raise exception.NotImplemented() - # metadata crud - def get_metadata(self, user_id=None, tenant_id=None, - domain_id=None, group_id=None): - """Gets the metadata for the specified user/group on project/domain. + def list_grants(self, user_id=None, group_id=None, + domain_id=None, project_id=None): + """Lists assignments/grants. - :raises: keystone.exception.MetadataNotFound - :returns: metadata + :raises: keystone.exception.UserNotFound, + keystone.exception.GroupNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.DomainNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.RoleNotFound """ raise exception.NotImplemented() - def create_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): - """Creates the metadata for the specified user/group on project/domain. + def get_grant(self, role_id, user_id=None, group_id=None, + domain_id=None, project_id=None): + """Lists assignments/grants. - :returns: metadata created + :raises: keystone.exception.UserNotFound, + keystone.exception.GroupNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.DomainNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.RoleNotFound """ raise exception.NotImplemented() - def update_metadata(self, user_id, tenant_id, metadata, - domain_id=None, group_id=None): - """Updates the metadata for the specified user/group on project/domain. + def delete_grant(self, role_id, user_id=None, group_id=None, + domain_id=None, project_id=None): + """Lists assignments/grants. - :returns: metadata updated + :raises: keystone.exception.UserNotFound, + keystone.exception.GroupNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.DomainNotFound, + keystone.exception.ProjectNotFound, + keystone.exception.RoleNotFound """ raise exception.NotImplemented() + def list_role_assignments(self): + + raise exception.NotImplemented() + # domain crud def create_domain(self, domain_id, domain): """Creates a new domain. |