keystone.assignment.backends package

Submodules

keystone.assignment.backends.base module

class keystone.assignment.backends.base.AssignmentDriverBase

Bases: object

add_role_to_user_and_project(user_id, tenant_id, role_id)

Add a role to a user within given tenant.

Raises keystone.exception.Conflict:
 If a duplicate role assignment exists.

check_grant_role_id(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Check an assignment/grant role id.

Raises keystone.exception.RoleAssignmentNotFound:
 If the role assignment doesn’t exist.
Returns: None or raises an exception if grant not found

create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Create a new assignment/grant.

If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Delete assignments/grants.

Raises keystone.exception.RoleAssignmentNotFound:
 If the role assignment doesn’t exist.

delete_group_assignments(group_id)

Delete all assignments for a group.

Raises keystone.exception.RoleNotFound:
 If the role doesn’t exist.

delete_project_assignments(project_id)

Delete all assignments for a project.

Raises keystone.exception.ProjectNotFound:
 If the project doesn’t exist.

delete_role_assignments(role_id)

Delete all assignments for a role.

delete_user_assignments(user_id)

Delete all assignments for a user.

Raises keystone.exception.RoleNotFound:
 If the role doesn’t exist.

list_grant_role_ids(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

List role ids for assignments/grants.

list_role_assignments(role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None)

Return a list of role assignments for actors on targets.

The available parameters are the values on which the attributes of the returned role assignments are filtered.

remove_role_from_user_and_project(user_id, tenant_id, role_id)

Remove a role from a user within given tenant.

Raises keystone.exception.RoleNotFound:
 If the role doesn’t exist.

class keystone.assignment.backends.base.AssignmentDriverV8

Bases: keystone.assignment.backends.base.AssignmentDriverBase

Removed or redefined methods from V8.

Move the abstract methods of any methods removed or modified in later versions of the driver from AssignmentDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of AssignmentDriverV8, can still reference them.

list_domain_ids_for_groups(group_ids, inherited=False)

List domain ids accessible to specified groups.

Parameters:
  • group_ids – List of group ids.
  • inherited – whether to return domain_ids that have inherited assignments or not.
Returns:

List of domain ids accessible to specified groups.

list_domain_ids_for_user(user_id, group_ids, hints, inherited=False)

List all domain ids associated with a given user.

Parameters:
  • user_id – the user in question
  • group_ids – the groups this user is a member of. This list is built in the Manager, so that the driver itself does not have to call across to identity.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether to return domain_ids that have inherited assignments or not.
Returns:

a list of domain ids or an empty list.

list_project_ids_for_groups(group_ids, hints, inherited=False)

List project ids accessible to specified groups.

Parameters:
  • group_ids – List of group ids.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether assignments marked as inherited should be included.
Returns:

List of project ids accessible to specified groups.

This method should not try and expand any inherited assignments, just report the projects that have the role for this group. The manager method is responsible for expanding out inherited assignments.

list_project_ids_for_user(user_id, group_ids, hints, inherited=False)

List all project ids associated with a given user.

Parameters:
  • user_id – the user in question
  • group_ids – the groups this user is a member of. This list is built in the Manager, so that the driver itself does not have to call across to identity.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether assignments marked as inherited should be included.
Returns:

a list of project ids or an empty list.

This method should not try and expand any inherited assignments, just report the projects that have the role for this user. The manager method is responsible for expanding out inherited assignments.
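The driver/manager split described above, as an added toy model (not Keystone code): ToyAssignmentDriver, effective_project_ids and the sample ids are hypothetical, and the signatures are simplified (no group_ids or hints). It shows why rows reported by a driver understate a user's reach until inherited domain assignments are expanded.

```python
class RoleAssignmentNotFound(Exception):
    """Stand-in for keystone.exception.RoleAssignmentNotFound."""

class ToyAssignmentDriver:
    """Hypothetical in-memory driver: stores raw grant rows, expands nothing."""

    def __init__(self):
        self._rows = set()  # (role, user, target_type, target_id, inherited)

    @staticmethod
    def _row(role_id, user_id, domain_id, project_id, inherited):
        target = ("domain", domain_id) if domain_id else ("project", project_id)
        return (role_id, user_id) + target + (inherited,)

    def create_grant(self, role_id, user_id=None, domain_id=None,
                     project_id=None, inherited_to_projects=False):
        self._rows.add(self._row(role_id, user_id, domain_id, project_id,
                                 inherited_to_projects))

    def check_grant_role_id(self, role_id, user_id=None, domain_id=None,
                            project_id=None, inherited_to_projects=False):
        # In this model a direct and an inherited grant are different rows.
        if self._row(role_id, user_id, domain_id, project_id,
                     inherited_to_projects) not in self._rows:
            raise RoleAssignmentNotFound(role_id)

    def list_project_ids_for_user(self, user_id):
        # Reports project rows only; inherited domain rows are not expanded.
        return sorted({t for (_, u, kind, t, _inh) in self._rows
                       if u == user_id and kind == "project"})

    def inherited_domain_ids_for_user(self, user_id):
        return {t for (_, u, kind, t, inh) in self._rows
                if u == user_id and kind == "domain" and inh}

def effective_project_ids(driver, user_id, projects_by_domain):
    """Manager-style step: expand inherited domain grants to owned projects."""
    effective = set(driver.list_project_ids_for_user(user_id))
    for domain_id in driver.inherited_domain_ids_for_user(user_id):
        effective.update(projects_by_domain.get(domain_id, ()))
    return sorted(effective)

def demo():
    driver = ToyAssignmentDriver()  # constructed sample data below
    driver.create_grant("member", user_id="alice", project_id="p1")
    driver.create_grant("admin", user_id="alice", domain_id="d1",
                        inherited_to_projects=True)
    raw = driver.list_project_ids_for_user("alice")
    return raw, effective_project_ids(driver, "alice", {"d1": ["p2", "p3"]})
```

An access review that reads only the driver-level rows in this model would miss p2 and p3.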

list_role_ids_for_groups_on_domain(group_ids, domain_id)

List the group role ids for a specific domain.

Parameters:
  • group_ids (list) – list of group ids
  • domain_id (str) – domain identifier
Returns:

list of role ids for the domain

Return type:

list

list_role_ids_for_groups_on_project(group_ids, project_id, project_domain_id, project_parents)

List the group role ids for a specific project.

Supports the OS-INHERIT role inheritance from the project’s domain if supported by the assignment driver.

Parameters:
  • group_ids (list) – list of group ids
  • project_id (str) – project identifier
  • project_domain_id (str) – project’s domain identifier
  • project_parents (list) – list of parent ids of this project
Returns:

list of role ids for the project

Return type:

list

list_user_ids_for_project(tenant_id)

List all user IDs with a role assignment in the specified project.

Returns: a list of user_ids or an empty set.

class keystone.assignment.backends.base.AssignmentDriverV9

Bases: keystone.assignment.backends.base.AssignmentDriverBase

New or redefined methods from V8.

Add any new V9 abstract methods (or those with modified signatures) to this class.

delete_domain_assignments(domain_id)

Delete all assignments for a domain.

class keystone.assignment.backends.base.V9AssignmentWrapperForV8Driver(*args, **kwargs)

Bases: keystone.assignment.backends.base.AssignmentDriverV9

Wrapper class to support a V8 legacy driver.

In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:

  • Method removed from new driver - remove the call-through method from this class, since the manager will no longer be calling it.
  • Method signature (or meaning) changed - wrap the old method in a new signature here, and munge the input and output parameters accordingly.
  • New method added to new driver - add a method to implement the new functionality here if possible. If that is not possible, then return NotImplemented, since we do not guarantee to support new functionality with legacy drivers.

add_role_to_user_and_project(user_id, tenant_id, role_id)
check_grant_role_id(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)
create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)
default_resource_driver()
default_role_driver()
delete_domain_assignments(domain_id)

Delete all assignments for a domain.

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)
delete_group_assignments(group_id)
delete_project_assignments(project_id)
delete_role_assignments(role_id)
delete_user_assignments(user_id)
list_grant_role_ids(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)
list_role_assignments(role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None)
remove_role_from_user_and_project(user_id, tenant_id, role_id)

keystone.assignment.backends.sql module

Module contents