keystone.resource package

Submodules

keystone.resource.controllers module

Workflow Logic the Resource service.

class keystone.resource.controllers.DomainConfigV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

create_domain_config(context, *args, **kwargs)[source]
delete_domain_config(context, *args, **kwargs)[source]
get_domain_config(context, *args, **kwargs)[source]
get_domain_config_default(context, *args, **kwargs)[source]
member_name = 'config'
update_domain_config(context, *args, **kwargs)[source]
update_domain_config_group(context, domain_id, group, config)[source]
update_domain_config_only(context, domain_id, config)[source]
class keystone.resource.controllers.DomainV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'
create_domain(context, *args, **kwargs)[source]
delete_domain(context, *args, **kwargs)[source]
get_domain(context, *args, **kwargs)[source]
list_domains(context, **kwargs)[source]
member_name = 'domain'
update_domain(context, *args, **kwargs)[source]
class keystone.resource.controllers.ProjectV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'
create_project(context, *args, **kwargs)[source]
delete_project(context, *args, **kwargs)[source]
get_project(context, *args, **kwargs)[source]
list_projects(context, **kwargs)[source]
member_name = 'project'
update_project(context, *args, **kwargs)[source]
class keystone.resource.controllers.Tenant(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

create_project(*args, **kwargs)[source]
delete_project(*args, **kwargs)[source]
get_all_projects(*args, **kwargs)[source]

Gets a list of all tenants for an admin user.

get_project(*args, **kwargs)[source]
update_project(*args, **kwargs)[source]

keystone.resource.core module

Main entry point into the Resource service.

class keystone.resource.core.DomainConfigDriverV8[source]

Bases: object

Interface description for a Domain Config driver.

create_config_option(domain_id, group, option, value, sensitive=False)[source]

Creates a config option for a domain.

Parameters:
  • domain_id – the domain for this option
  • group – the group name
  • option – the option name
  • value – the value to assign to this option
  • sensitive – whether the option is sensitive
Returns:

dict containing group, option and value
Raises keystone.exception.Conflict:
 

when the option already exists
delete_config_options(domain_id, group=None, option=None, sensitive=False)[source]

Deletes config options for a domain.

Allows deletion of all options for a domain, all options in a group or a specific option. The driver is silent if there are no options to delete.

Parameters:
  • domain_id – the domain for this option
  • group – optional group option name
  • option – optional option name. If group is None, then this parameter is ignored
  • sensitive – whether the option is sensitive
get_config_option(domain_id, group, option, sensitive=False)[source]

Gets the config option for a domain.

Parameters:
  • domain_id – the domain for this option
  • group – the group name
  • option – the option name
  • sensitive – whether the option is sensitive
Returns:

dict containing group, option and value
Raises keystone.exception.DomainConfigNotFound:
 

the option doesn’t exist.
list_config_options(domain_id, group=None, option=False, sensitive=False)[source]

Gets a config options for a domain.

Parameters:
  • domain_id – the domain for this option
  • group – optional group option name
  • option – optional option name. If group is None, then this parameter is ignored
  • sensitive – whether the option is sensitive
Returns:

list of dicts containing group, option and value
obtain_registration(domain_id, type)[source]

Try and register this domain to use the type specified.

Parameters:
  • domain_id – the domain required
  • type – type of registration
Returns:

True if the domain was registered, False otherwise. Failing to register means that someone already has it (which could even be the domain being requested).
read_registration(type)[source]

Get the domain ID of who is registered to use this type.

Parameters:type – type of registration
Returns:domain_id of who is registered.
Raises keystone.exception.ConfigRegistrationNotFound:
 If nobody is registered.
release_registration(domain_id, type=None)[source]

Release registration if it is held by the domain specified.

If the specified domain is registered for this domain then free it, if it is not then do nothing - no exception is raised.

Parameters:
  • domain_id – the domain in question
  • type – type of registration, if None then all registrations for this domain will be freed
update_config_option(domain_id, group, option, value, sensitive=False)[source]

Updates a config option for a domain.

Parameters:
  • domain_id – the domain for this option
  • group – the group option name
  • option – the option name
  • value – the value to assign to this option
  • sensitive – whether the option is sensitive
Returns:

dict containing updated group, option and value
Raises keystone.exception.DomainConfigNotFound:
 

the option doesn’t exist.
class keystone.resource.core.DomainConfigManager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Domain Config backend.

create_config(*args, **kwargs)[source]

Create config for a domain

Parameters:
  • domain_id – the domain in question
  • config – the dict of config groups/options to assign to the domain

Creates a new config, overwriting any previous config (no Conflict error will be generated).

Returns:a dict of group dicts containing the options, with any that are sensitive removed
Raises keystone.exception.InvalidDomainConfig:
 when the config contains options we do not support
delete_config(*args, **kwargs)[source]

Delete config, or partial config, for the domain.

Parameters:
  • domain_id – the domain in question
  • group – an optional specific group of options
  • option – an optional specific option within the group

If group and option are None, then the entire config for the domain is deleted. If group is not None, then just that group of options will be deleted. If group and option are both specified, then just that option is deleted.

Raises keystone.exception.InvalidDomainConfig:
 when group/option parameters specify an option we do not support or one that does not exist in the original config.
driver_namespace = 'keystone.resource.domain_config'
get_config(*args, **kwargs)[source]

Get config, or partial config, for a domain

Parameters:
  • domain_id – the domain in question
  • group – an optional specific group of options
  • option – an optional specific option within the group
Returns:

a dict of group dicts containing the whitelisted options, filtered by group and option specified
Raises:

An example response:

{
    'ldap': {
        'url': 'myurl'
        'user_tree_dn': 'OU=myou'},
    'identity': {
        'driver': 'ldap'}

}
get_config_default(*args, **kwargs)[source]

Get default config, or partial default config

Parameters:
  • group – an optional specific group of options
  • option – an optional specific option within the group
Returns:

a dict of group dicts containing the default options, filtered by group and option if specified
Raises keystone.exception.InvalidDomainConfig:
 

when the config and group/option parameters specify an option we do not support (or one that is not whitelisted).

An example response:

{
    'ldap': {
        'url': 'myurl',
        'user_tree_dn': 'OU=myou',
        ....},
    'identity': {
        'driver': 'ldap'}

}
get_config_with_sensitive_info(*args, **kwargs)[source]

Get config for a domain with sensitive info included.

This method is not exposed via the public API, but is used by the identity manager to initialize a domain with the fully formed config options.

sensitive_options = {'identity': [], 'ldap': ['password']}
update_config(*args, **kwargs)[source]

Update config, or partial config, for a domain

Parameters:
  • domain_id – the domain in question
  • config – the config dict containing and groups/options being updated
  • group – an optional specific group of options, which if specified must appear in config, with no other groups
  • option – an optional specific option within the group, which if specified must appear in config, with no other options

The contents of the supplied config will be merged with the existing config for this domain, updating or creating new options if these did not previously exist. If group or option is specified, then the update will be limited to those specified items and the inclusion of other options in the supplied config will raise an exception, as will the situation when those options do not already exist in the current config.

Returns:a dict of groups containing all whitelisted options
Raises keystone.exception.InvalidDomainConfig:
 when the config and group/option parameters specify an option we do not support or one that does not exist in the original config
whitelisted_options = {'identity': ['driver', 'list_limit'], 'ldap': ['url', 'user', 'suffix', 'use_dumb_member', 'dumb_member', 'allow_subtree_delete', 'query_scope', 'page_size', 'alias_dereferencing', 'debug_level', 'chase_referrals', 'user_tree_dn', 'user_filter', 'user_objectclass', 'user_id_attribute', 'user_name_attribute', 'user_mail_attribute', 'user_description_attribute', 'user_pass_attribute', 'user_enabled_attribute', 'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default', 'user_attribute_ignore', 'user_default_project_id_attribute', 'user_allow_create', 'user_allow_update', 'user_allow_delete', 'user_enabled_emulation', 'user_enabled_emulation_dn', 'user_enabled_emulation_use_group_config', 'user_additional_attribute_mapping', 'group_tree_dn', 'group_filter', 'group_objectclass', 'group_id_attribute', 'group_name_attribute', 'group_member_attribute', 'group_desc_attribute', 'group_attribute_ignore', 'group_allow_create', 'group_allow_update', 'group_allow_delete', 'group_additional_attribute_mapping', 'tls_cacertfile', 'tls_cacertdir', 'use_tls', 'tls_req_cert', 'use_pool', 'pool_size', 'pool_retry_max', 'pool_retry_delay', 'pool_connection_timeout', 'pool_connection_lifetime', 'use_auth_pool', 'auth_pool_size', 'auth_pool_connection_lifetime']}
class keystone.resource.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Resource backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

assert_domain_enabled(*args, **kwargs)[source]

Assert the Domain is enabled.

Raises AssertionError:
 if domain is disabled.
assert_domain_not_federated(*args, **kwargs)[source]

Assert the Domain’s name and id do not match the reserved keyword.

Note that the reserved keyword is defined in the configuration file, by default, it is ‘Federated’, it is also case insensitive. If config’s option is empty the default hardcoded value ‘Federated’ will be used.

Raises AssertionError:
 if domain named match the value in the config.
assert_project_enabled(*args, **kwargs)[source]

Assert the project is enabled and its associated domain is enabled.

Raises AssertionError:
 if the project or domain is disabled.
create_domain(*args, **kwargs)[source]
create_project(*args, **kwargs)[source]
delete_domain(*args, **kwargs)[source]
delete_project(*args, **kwargs)[source]
driver_namespace = 'keystone.resource'
ensure_default_domain_exists(*args, **kwargs)[source]

Creates the default domain if it doesn’t exist.

This is only used for the v2 API and can go away when V2 does.

get_domain(*args, **kwargs)[source]
get_domain_by_name(*args, **kwargs)[source]
get_project(*args, **kwargs)[source]
get_project_by_name(*args, **kwargs)[source]
get_project_parents_as_ids(*args, **kwargs)[source]

Gets the IDs from the parents from a given project.

The project IDs are returned as a structured dictionary traversing up the hierarchy to the top level project. For example, considering the following project hierarchy:

  A
  |
+-B-+
|   |
C   D

If we query for project C parents, the expected return is the following dictionary:

'parents': {
    B['id']: {
        A['id']: None
    }
}
get_projects_in_subtree_as_ids(*args, **kwargs)[source]

Gets the IDs from the projects in the subtree from a given project.

The project IDs are returned as a structured dictionary representing their hierarchy. For example, considering the following project hierarchy:

  A
  |
+-B-+
|   |
C   D

If we query for project A subtree, the expected return is the following dictionary:

'subtree': {
    B['id']: {
        C['id']: None,
        D['id']: None
    }
}
list_domains(*args, **kwargs)[source]
list_domains_from_ids(*args, **kwargs)[source]

List domains for the provided list of ids.

Parameters:domain_ids – list of ids
Returns:a list of domain_refs.

This method is used internally by the assignment manager to bulk read a set of domains given their ids.

list_project_parents(*args, **kwargs)[source]
list_projects(*args, **kwargs)[source]
list_projects_acting_as_domain(*args, **kwargs)[source]
list_projects_in_domain(*args, **kwargs)[source]
list_projects_in_subtree(*args, **kwargs)[source]
update_domain(*args, **kwargs)[source]
update_project(*args, **kwargs)[source]
class keystone.resource.core.ResourceDriverBase[source]

Bases: object

delete_project(project_id)[source]

Deletes an existing project.

Raises keystone.exception.ProjectNotFound:
 if project_id does not exist
get_project(project_id)[source]

Get a project by ID.

Returns:project_ref
Raises keystone.exception.ProjectNotFound:
 if project_id does not exist
is_leaf_project(project_id)[source]

Checks if a project is a leaf in the hierarchy.

Parameters:project_id – the driver will check if this project is a leaf in the hierarchy.
Raises keystone.exception.ProjectNotFound:
 if project_id does not exist
list_project_ids_from_domain_ids(domain_ids)[source]

List project ids for the provided list of domain ids.

Parameters:domain_ids – list of domain ids
Returns:a list of project ids owned by the specified domain ids.

This method is used internally by the assignment manager to bulk read a set of project ids given a list of domain ids.

list_project_parents(project_id)[source]

List all parents from a project by its ID.

Parameters:project_id – the driver will list the parents of this project.
Returns:a list of project_refs or an empty list.
Raises keystone.exception.ProjectNotFound:
 if project_id does not exist
list_projects(hints)[source]

List projects in the system.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of project_refs or an empty list.
list_projects_from_ids(project_ids)[source]

List projects for the provided list of ids.

Parameters:project_ids – list of ids
Returns:a list of project_refs.

This method is used internally by the assignment manager to bulk read a set of projects given their ids.

list_projects_in_domain(domain_id)[source]

List projects in the domain.

Parameters:domain_id – the driver MUST only return projects within this domain.
Returns:a list of project_refs or an empty list.
list_projects_in_subtree(project_id)[source]

List all projects in the subtree of a given project.

Parameters:project_id – the driver will get the subtree under this project.
Returns:a list of project_refs or an empty list
Raises keystone.exception.ProjectNotFound:
 if project_id does not exist
update_project(project_id, project)[source]

Updates an existing project.

Raises:
class keystone.resource.core.ResourceDriverV8[source]

Bases: keystone.resource.core.ResourceDriverBase

Removed or redefined methods from V8.

Move the abstract methods of any methods removed or modified in later versions of the driver from ResourceDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of ResourceDriverV8, can still reference them.

create_domain(domain_id, domain)[source]

Creates a new domain.

Raises keystone.exception.Conflict:
 if the domain_id or domain name already exists
create_project(tenant_id, tenant)[source]

Creates a new project.

Parameters:
  • tenant_id – This parameter can be ignored.
  • tenant (dict) – The new project

Project schema:

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: string
    description:
        type: string
    enabled:
        type: boolean
    parent_id:
        type: string
    is_domain:
        type: boolean
required: [id, name, domain_id]
additionalProperties: true

If project doesn’t match the schema the behavior is undefined.

The driver can impose requirements such as the maximum length of a field. If these requirements are not met the behavior is undefined.

Raises keystone.exception.Conflict:
 if the project id already exists or the name already exists for the domain_id.
delete_domain(domain_id)[source]

Deletes an existing domain.

Raises keystone.exception.DomainNotFound:
 if domain_id does not exist
get_domain(domain_id)[source]

Get a domain by ID.

Returns:domain_ref
Raises keystone.exception.DomainNotFound:
 if domain_id does not exist
get_domain_by_name(domain_name)[source]

Get a domain by name.

Returns:domain_ref
Raises keystone.exception.DomainNotFound:
 if domain_name does not exist
get_project_by_name(tenant_name, domain_id)[source]

Get a tenant by name.

Returns:tenant_ref
Raises keystone.exception.ProjectNotFound:
 if a project with the tenant_name does not exist within the domain
list_domains(hints)[source]

List domains in the system.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of domain_refs or an empty list.
list_domains_from_ids(domain_ids)[source]

List domains for the provided list of ids.

Parameters:domain_ids – list of ids
Returns:a list of domain_refs.

This method is used internally by the assignment manager to bulk read a set of domains given their ids.

update_domain(domain_id, domain)[source]

Updates an existing domain.

Raises:
class keystone.resource.core.ResourceDriverV9[source]

Bases: keystone.resource.core.ResourceDriverBase

New or redefined methods from V8.

Add any new V9 abstract methods (or those with modified signatures) to this class.

create_project(project_id, project)[source]

Creates a new project.

Parameters:
  • project_id – This parameter can be ignored.
  • project (dict) – The new project

Project schema:

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: [string, null]
    description:
        type: string
    enabled:
        type: boolean
    parent_id:
        type: string
    is_domain:
        type: boolean
required: [id, name, domain_id]
additionalProperties: true

If the project doesn’t match the schema the behavior is undefined.

The driver can impose requirements such as the maximum length of a field. If these requirements are not met the behavior is undefined.

Raises keystone.exception.Conflict:
 if the project id already exists or the name already exists for the domain_id.
delete_projects_from_ids(project_ids)[source]

Deletes a given list of projects.

Deletes a list of projects. Ensures no project on the list exists after it is successfully called. If an empty list is provided, the it is silently ignored. In addition, if a project ID in the list of project_ids is not found in the backend, no exception is raised, but a message is logged.

get_project_by_name(project_name, domain_id)[source]

Get a project by name.

Returns:project_ref
Raises keystone.exception.ProjectNotFound:
 if a project with the project_name does not exist within the domain
list_projects_acting_as_domain(hints)[source]

List all projects acting as domains.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of project_refs or an empty list.
class keystone.resource.core.V9ResourceWrapperForV8Driver(*args, **kwargs)[source]

Bases: keystone.resource.core.ResourceDriverV9

Wrapper class to supported a V8 legacy driver.

In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:

Method removed from new driver - remove the call-through method from this
class, since the manager will no longer be calling it.
Method signature (or meaning) changed - wrap the old method in a new
signature here, and munge the input and output parameters accordingly.
New method added to new driver - add a method to implement the new
functionality here if possible. If that is not possible, then return NotImplemented, since we do not guarantee to support new functionality with legacy drivers.

This wrapper contains the following support for newer manager code:

  • The current manager code expects domains to be represented as projects acting as domains, something that may not be possible in a legacy driver. Hence the wrapper will map any calls for projects acting as a domain back onto the driver domain methods. The caveat for this, is that this assumes that there can not be a clash between a project_id and a domain_id, in which case it may not be able to locate the correct entry.
create_project(project_id, project)[source]
delete_project(project_id)[source]
delete_projects_from_ids(project_ids)[source]
get_project(project_id)[source]
get_project_by_name(project_name, domain_id)[source]
is_leaf_project(project_id)[source]
list_project_ids_from_domain_ids(domain_ids)[source]
list_project_parents(project_id)[source]

List a project’s ancestors.

The current manager expects the ancestor tree to end with the project acting as the domain (since that’s now the top of the tree), but a legacy driver will not have that top project in their projects table, since it’s still in the domain table. Hence we lift the algorithm for traversing up the tree from the driver to here, so that our version of get_project() is called, which will fetch the “project” from the right table.

list_projects(hints)[source]

List projects and/or domains.

We use the hints filter to determine whether we are listing projects, domains or both.

If the filter includes domain_id==None, then we should only list domains (convert to a project acting as a domain) since regular projcets always have a non-None value for domain_id.

Likewise, if the filter includes domain_id==<non-None value>, then we should only list projects.

If there is no domain_id filter, then we need to do a combained listing of domains and projects, converting domains to projects acting as a domain.

list_projects_acting_as_domain(hints)[source]
list_projects_from_ids(project_ids)[source]
list_projects_in_domain(domain_id)[source]
list_projects_in_subtree(project_id)[source]
update_project(project_id, project)[source]
keystone.resource.core.calc_default_domain()[source]

keystone.resource.routers module

WSGI Routers for the Resource service.

class keystone.resource.routers.Admin(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]
class keystone.resource.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

append_v3_routers(mapper, routers)[source]

keystone.resource.schema module

Module contents

Table Of Contents

Previous topic

keystone.policy.backends package

Next topic

keystone.resource.V8_backends package

Project Source

This Page

Navigation

© Copyright 2012, OpenStack, LLC. Last updated on 'Wed Feb 1 18:44:36 2017, commit 27793e6'. Created using Sphinx 1.2.3.