Workflow Logic the Assignment service.
Bases: keystone.common.controller.V3Controller
The V3 Grant Assignment APIs.
Checks if a role has been granted on either a domain or project.
Grants a role to a user or group on either a domain or project.
Lists roles granted to user/group on either a domain or project.
Bases: keystone.common.controller.V3Controller
The V3 ImpliedRoles CRD APIs. There is no Update.
Bases: keystone.common.controller.V3Controller
The V3 Project APIs that are processing assignments.
Bases: keystone.common.controller.V2Controller
The Role management APIs.
Bases: keystone.common.controller.V2Controller
The V2 Role APIs that are processing assignments.
Add a role to a user and tenant pair.
Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.
This is actually used for adding a user to a tenant.
In the legacy data model adding a user to a tenant required setting a role.
This is actually used for deleting a user from a tenant.
In the legacy data model removing a user from a tenant required deleting a role.
To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.
Ultimate hack to get around having to make role_refs first-class.
This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.
Bases: keystone.common.controller.V3Controller
The V3 Role Assignment APIs, really just list_role_assignment().
Main entry point from router for list role assignments.
Since we want different policy file rules to be applicable based on whether there the include_subtree query parameter is part of the API call, this method checks for this and then calls the appropriate protected entry point.
Bases: keystone.common.controller.V3Controller
The V3 Role CRUD APIs.
To ease complexity (and hence risk) in writing the policy rules for the role APIs, we create separate policy actions for roles that are domain specific, as opposed to those that are global. In order to achieve this each of the role API methods has a wrapper method that checks to see if the role is global or domain specific.
NOTE (henry-nash): If this separate global vs scoped policy action pattern becomes repeated for other entities, we should consider encapsulating this into a specialized router class.
Bases: keystone.common.controller.V2Controller
The V2 Project APIs that are processing assignments.
Main entry point into the Assignment service.
Bases: object
Add a role to a user within given tenant.
Raises keystone.exception.Conflict: | |
---|---|
If a duplicate role assignment exists. |
Checks an assignment/grant role id.
Raises keystone.exception.RoleAssignmentNotFound: | |
---|---|
If the role assignment doesn’t exist. | |
Returns: | None or raises an exception if grant not found |
Creates a new assignment/grant.
If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).
Deletes assignments/grants.
Raises keystone.exception.RoleAssignmentNotFound: | |
---|---|
If the role assignment doesn’t exist. |
Deletes all assignments for a group.
Raises keystone.exception.RoleNotFound: | |
---|---|
If the role doesn’t exist. |
Deletes all assignments for a project.
Raises keystone.exception.ProjectNotFound: | |
---|---|
If the project doesn’t exist. |
Deletes all assignments for a user.
Raises keystone.exception.RoleNotFound: | |
---|---|
If the role doesn’t exist. |
Lists role ids for assignments/grants.
Returns a list of role assignments for actors on targets.
Available parameters represent values in which the returned role assignments attributes need to be filtered on.
Remove a role from a user within given tenant.
Raises keystone.exception.RoleNotFound: | |
---|---|
If the role doesn’t exist. |
Bases: keystone.assignment.core.AssignmentDriverBase
Removed or redefined methods from V8.
Move the abstract methods of any methods removed or modified in later versions of the driver from AssignmentDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of AssignmentDriverV8, can still reference them.
List domain ids accessible to specified groups.
Parameters: |
|
---|---|
Returns: | List of domain ids accessible to specified groups. |
List all domain ids associated with a given user.
Parameters: |
|
---|---|
Returns: | a list of domain ids or an empty list. |
List project ids accessible to specified groups.
Parameters: |
|
---|---|
Returns: | List of project ids accessible to specified groups. |
This method should not try and expand any inherited assignments, just report the projects that have the role for this group. The manager method is responsible for expanding out inherited assignments.
List all project ids associated with a given user.
Parameters: |
|
---|---|
Returns: | a list of project ids or an empty list. |
This method should not try and expand any inherited assignments, just report the projects that have the role for this user. The manager method is responsible for expanding out inherited assignments.
List the group role ids for a specific domain.
Parameters: |
|
---|---|
Returns: | list of role ids for the project |
Return type: | list |
List the group role ids for a specific project.
Supports the OS-INHERIT role inheritance from the project’s domain if supported by the assignment driver.
Parameters: |
|
---|---|
Returns: | list of role ids for the project |
Return type: | list |
Bases: keystone.assignment.core.AssignmentDriverBase
New or redefined methods from V8.
Add any new V9 abstract methods (or those with modified signatures) to this class.
Bases: keystone.common.manager.Manager
Default pivot point for the Assignment backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend.
Expand out implied roles.
The role_refs passed in have had all inheritance and group assignments expanded out. We now need to look at the role_id in each ref and see if it is a prior role for some implied roles. If it is, then we need to duplicate that ref, one for each implied role. We store the prior role in the indirect dict that is part of such a duplicated ref, so that a caller can determine where the assignment came from.
Add user to a tenant by creating a default role relationship.
Raises: |
|
---|
Get a list of roles for this group on domain and/or project.
Get the roles associated with a user within given domain.
Returns: | a list of role ids. |
---|---|
Raises keystone.exception.DomainNotFound: | |
If the domain doesn’t exist. |
Get the roles associated with a user within given project.
This includes roles directly assigned to the user on the project, as well as those by virtue of group membership or inheritance.
Returns: | a list of role ids. |
---|---|
Raises keystone.exception.ProjectNotFound: | |
If the project doesn’t exist. |
List role assignments, honoring effective mode and provided filters.
Returns a list of role assignments, where their attributes match the provided filters (role_id, user_id, group_id, domain_id, project_id and inherited). If include_subtree is True, then assignments on all descendants of the project specified by project_id are also included. The inherited filter defaults to None, meaning to get both non-inherited and inherited role assignments.
If effective mode is specified, this means that rather than simply return the assignments that match the filters, any group or inheritance assignments will be expanded. Group assignments will become assignments for all the users in that group, and inherited assignments will be shown on the projects below the assignment point. Think of effective mode as being the list of assignments that actually affect a user, for example the roles that would be placed in a token.
If include_names is set to true the entities’ names are returned in addition to their id’s.
source_from_group_ids is a list of group IDs and, if specified, then only those assignments that are derived from membership of these groups are considered, and any such assignments will not be expanded into their user membership assignments. This is different to a group filter of the resulting list, instead being a restriction on which assignments should be considered before expansion of inheritance. This option is only used internally (i.e. it is not exposed at the API level) and is only supported in effective mode (since in regular mode there is no difference between this and a group filter, other than it is a list of groups).
In effective mode, any domain specific roles are usually stripped from the returned assignments (since such roles are not placed in tokens). This stripping can be disabled by specifying strip_domain_roles=False, which is useful for internal calls like trusts which need to examine the full set of roles.
If OS-INHERIT extension is disabled or the used driver does not support inherited roles retrieval, inherited role assignments will be ignored.
Remove user from a tenant
Raises: |
|
---|
Bases: object
Creates a new role.
Raises keystone.exception.Conflict: | |
---|---|
If a duplicate role exists. |
Deletes an existing role.
Raises keystone.exception.RoleNotFound: | |
---|---|
If the role doesn’t exist. |
Get a role by ID.
Returns: | role_ref |
---|---|
Raises keystone.exception.RoleNotFound: | |
If the role doesn’t exist. |
List roles in the system.
Parameters: | hints – filter hints which the driver should implement if at all possible. |
---|---|
Returns: | a list of role_refs or an empty list. |
List roles for the provided list of ids.
Parameters: | role_ids – list of ids |
---|---|
Returns: | a list of role_refs. |
This method is used internally by the assignment manager to bulk read a set of roles given their ids.
Updates an existing role.
Raises: |
|
---|
Bases: keystone.assignment.core.RoleDriverBase
Removed or redefined methods from V8.
Move the abstract methods of any methods removed or modified in later versions of the driver from RoleDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of RoleDriverV8, can still reference them.
Bases: keystone.assignment.core.RoleDriverBase
New or redefined methods from V8.
Add any new V9 abstract methods (or those with modified signatures) to this class.
Creates a role inference rule
Raises: | keystone.exception.RoleNotFound: If the role doesn’t exist. |
---|
Deletes a role inference rule
Raises keystone.exception.ImpliedRoleNotFound: | |
---|---|
If the implied role doesn’t exist. |
Fetches a role inference rule
Raises keystone.exception.ImpliedRoleNotFound: | |
---|---|
If the implied role doesn’t exist. |
Bases: keystone.common.manager.Manager
Default pivot point for the Role backend.
Bases: keystone.assignment.core.AssignmentDriverV9
Wrapper class to supported a V8 legacy driver.
In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:
Bases: keystone.assignment.core.RoleDriverV9
Wrapper class to supported a V8 legacy driver.
In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:
This V8 wrapper contains the following support for newer manager code:
WSGI Routers for the Assignment service.