keystone.assignment package

Submodules

keystone.assignment.controllers module

Workflow logic for the Assignment service.

class keystone.assignment.controllers.GrantAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Grant Assignment APIs.

check_grant(request, *args, **kwargs)[source]

Check if a role has been granted on either a domain or project.

check_system_grant_for_group(request, *args, **kwargs)[source]

Check if a group has a specific role on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to check
  • group_id – the ID of the group to check
check_system_grant_for_user(request, *args, **kwargs)[source]

Check if a user has a specific role on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to check
  • user_id – the ID of the user to check
collection_name = 'roles'
create_grant(request, *args, **kwargs)[source]

Grant a role to a user or group on either a domain or project.

create_system_grant_for_group(request, *args, **kwargs)[source]

Grant a role to a group on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to grant to the group
  • group_id – the ID of the group
create_system_grant_for_user(request, *args, **kwargs)[source]

Grant a role to a user on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to grant to the user
  • user_id – the ID of the user
list_grants(request, *args, **kwargs)[source]

List roles granted to user/group on either a domain or project.

list_system_grants_for_group(request, *args, **kwargs)[source]

List all system grants for a specific group.

Parameters:
  • request – the request object
  • group_id – ID of the group
Returns:

a list of grants the group has on the system

list_system_grants_for_user(request, *args, **kwargs)[source]

List all system grants for a specific user.

Parameters:
  • request – the request object
  • user_id – ID of the user
Returns:

a list of grants the user has on the system

member_name = 'role'
revoke_grant(request, *args, **kwargs)[source]

Revoke a role from user/group on either a domain or project.

revoke_system_grant_for_group(request, *args, **kwargs)[source]

Revoke a role from the group on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to remove
  • group_id – the ID of the group
revoke_system_grant_for_user(request, *args, **kwargs)[source]

Revoke a role from a user on the system.

Parameters:
  • request – the request object
  • role_id – the ID of the role to remove
  • user_id – the ID of the user
class keystone.assignment.controllers.ImpliedRolesV3[source]

Bases: keystone.common.controller.V3Controller

The V3 ImpliedRoles CRD APIs. There is no Update.

check_implied_role(request, *args, **kwargs)[source]
create_implied_role(request, *args, **kwargs)[source]
delete_implied_role(request, *args, **kwargs)[source]
get_implied_role(request, *args, **kwargs)[source]
list_implied_roles(request, *args, **kwargs)[source]
list_role_inference_rules(request, *args, **kwargs)[source]
class keystone.assignment.controllers.ProjectAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Project APIs that are processing assignments.

collection_name = 'projects'
list_user_projects(request, **kwargs)[source]
member_name = 'project'
class keystone.assignment.controllers.RoleAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Role Assignment APIs, really just list_role_assignment().

collection_name = 'role_assignments'
list_role_assignments(request, **kwargs)[source]
list_role_assignments_for_tree(request, **kwargs)[source]
list_role_assignments_wrapper(request)[source]

Main entry point from router for list role assignments.

Since we want different policy file rules to be applicable based on whether the include_subtree query parameter is part of the API call, this method checks for this and then calls the appropriate protected entry point.

member_name = 'role_assignment'
classmethod wrap_member(context, ref)[source]
class keystone.assignment.controllers.RoleV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Role CRUD APIs.

To ease complexity (and hence risk) in writing the policy rules for the role APIs, we create separate policy actions for roles that are domain specific, as opposed to those that are global. In order to achieve this each of the role API methods has a wrapper method that checks to see if the role is global or domain specific.

NOTE (henry-nash): If this separate global vs scoped policy action pattern becomes repeated for other entities, we should consider encapsulating this into a specialized router class.

classmethod build_driver_hints(request, supported_filters)[source]
collection_name = 'roles'
create_domain_role(request, *args, **kwargs)[source]
create_role(request, *args, **kwargs)[source]
create_role_wrapper(request, role)[source]
delete_domain_role(request, *args, **kwargs)[source]
delete_role(request, *args, **kwargs)[source]
delete_role_wrapper(request, role_id)[source]
get_domain_role(request, *args, **kwargs)[source]
get_role(request, *args, **kwargs)[source]
get_role_wrapper(request, role_id)[source]
list_domain_roles(request, **kwargs)[source]
list_roles(request, **kwargs)[source]
list_roles_wrapper(request)[source]
member_name = 'role'
update_domain_role(request, *args, **kwargs)[source]
update_role(request, *args, **kwargs)[source]
update_role_wrapper(request, role_id, role)[source]

keystone.assignment.core module

Main entry point into the Assignment service.

class keystone.assignment.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Assignment backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

add_implied_roles(*args, **kwargs)[source]

Expand out implied roles.

The role_refs passed in have had all inheritance and group assignments expanded out. We now need to look at the role_id in each ref and see if it is a prior role for some implied roles. If it is, then we need to duplicate that ref, one for each implied role. We store the prior role in the indirect dict that is part of such a duplicated ref, so that a caller can determine where the assignment came from.

add_role_to_user_and_project(*args, **kwargs)[source]
check_system_grant_for_group(*args, **kwargs)[source]

Check if a group has a specific role on the system.

Parameters:
  • group_id – the ID of the group in the assignment
  • role_id – the ID of the system role in the assignment
Raises:

keystone.exception.RoleAssignmentNotFound – if the group doesn’t have a role assignment matching the role_id on the system

check_system_grant_for_user(*args, **kwargs)[source]

Check if a user has a specific role on the system.

Parameters:
  • user_id – the ID of the user in the assignment
  • role_id – the ID of the system role in the assignment
Raises:

keystone.exception.RoleAssignmentNotFound – if the user doesn’t have a role assignment matching the role_id on the system

create_grant(*args, **kwargs)[source]
create_system_grant_for_group(*args, **kwargs)[source]

Grant a group a role on the system.

Parameters:
  • group_id – the ID of the group
  • role_id – the ID of the role to grant on the system
create_system_grant_for_user(*args, **kwargs)[source]

Grant a user a role on the system.

Parameters:
  • user_id – the ID of the user
  • role_id – the ID of the role to grant on the system
delete_grant(*args, **kwargs)[source]
delete_group_assignments(*args, **kwargs)[source]
delete_system_grant_for_group(*args, **kwargs)[source]

Remove a system grant from a group.

Parameters:
  • group_id – the ID of the group
  • role_id – the ID of the role to remove from the group on the system
Raises:

keystone.exception.RoleAssignmentNotFound – if the group doesn’t have a role assignment with role_id on the system

delete_system_grant_for_user(*args, **kwargs)[source]

Remove a system grant from a user.

Parameters:
  • user_id – the ID of the user
  • role_id – the ID of the role to remove from the user on the system
Raises:

keystone.exception.RoleAssignmentNotFound – if the user doesn’t have a role assignment with role_id on the system

delete_tokens_for_role_assignments(*args, **kwargs)[source]
delete_user_assignments(*args, **kwargs)[source]
driver_namespace = 'keystone.assignment'
ensure_default_role(*args, **kwargs)[source]
get_grant(*args, **kwargs)[source]
get_roles_for_groups(*args, **kwargs)[source]

Get a list of roles for this group on domain and/or project.

get_roles_for_user_and_domain(*args, **kwargs)[source]

Get the roles associated with a user within a given domain.

Returns: a list of role ids.
Raises: keystone.exception.DomainNotFound – If the domain doesn’t exist.
get_roles_for_user_and_project(*args, **kwargs)[source]

Get the roles associated with a user within a given project.

This includes roles directly assigned to the user on the project, as well as those by virtue of group membership or inheritance.

Returns: a list of role ids.
Raises: keystone.exception.ProjectNotFound – If the project doesn’t exist.
list_all_system_grants(*args, **kwargs)[source]

Return a list of all system grants.

list_domains_for_groups(*args, **kwargs)[source]
list_domains_for_user(*args, **kwargs)[source]
list_grants(*args, **kwargs)[source]
list_projects_for_groups(*args, **kwargs)[source]
list_projects_for_user(*args, **kwargs)[source]
list_role_assignments(*args, **kwargs)[source]

List role assignments, honoring effective mode and provided filters.

Returns a list of role assignments, where their attributes match the provided filters (role_id, user_id, group_id, domain_id, project_id and inherited). If include_subtree is True, then assignments on all descendants of the project specified by project_id are also included. The inherited filter defaults to None, meaning to get both non-inherited and inherited role assignments.

If effective mode is specified, this means that rather than simply return the assignments that match the filters, any group or inheritance assignments will be expanded. Group assignments will become assignments for all the users in that group, and inherited assignments will be shown on the projects below the assignment point. Think of effective mode as being the list of assignments that actually affect a user, for example the roles that would be placed in a token.

If include_names is set to true, the entities’ names are returned in addition to their ids.

source_from_group_ids is a list of group IDs and, if specified, only those assignments that are derived from membership of these groups are considered, and any such assignments will not be expanded into their user membership assignments. This is different from a group filter on the resulting list: it is a restriction on which assignments should be considered before expansion of inheritance. This option is only used internally (i.e. it is not exposed at the API level) and is only supported in effective mode (since in regular mode there is no difference between this and a group filter, other than it being a list of groups).

In effective mode, any domain specific roles are usually stripped from the returned assignments (since such roles are not placed in tokens). This stripping can be disabled by specifying strip_domain_roles=False, which is useful for internal calls like trusts which need to examine the full set of roles.
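The expansion described for add_implied_roles and for list_role_assignments in effective mode, as an added illustration that is not Keystone's own code: group assignments become per-user assignments, inherited assignments move onto the projects below the assignment point, each ref is duplicated per implied role with the prior role kept in its indirect dict, and domain-specific roles are stripped unless strip_domain_roles=False. The data (PARENT, GROUPS, IMPLIES, DOMAIN_ROLES, ASSIGNMENTS), the helpers (descendants, implied_roles, effective_assignments) and the "inherited_from" key are constructed assumptions, not Keystone identifiers.

```python
# Added illustration, not Keystone's code: a minimal model of effective-mode expansion (group ->
# member users, inherited -> sub-projects, prior -> implied roles) with "indirect" provenance.
PARENT = {"proj-a": "dom-x", "proj-b": "proj-a"}       # constructed: child -> parent
GROUPS = {"grp-dev": ["user-1", "user-2"]}             # constructed: group -> member users
IMPLIES = {"admin": ["member"], "member": ["reader"]}  # constructed: prior -> implied roles
DOMAIN_ROLES = {"dom-x-auditor"}                       # constructed: domain-specific roles
ASSIGNMENTS = [                                        # constructed: direct (non-effective) grants
    {"group_id": "grp-dev", "project_id": "proj-a", "role_id": "admin", "inherited": True},
    {"user_id": "user-3", "project_id": "proj-b", "role_id": "reader", "inherited": False},
    {"user_id": "user-3", "project_id": "proj-b", "role_id": "dom-x-auditor", "inherited": False},
]
drop = lambda d, *keys: {k: v for k, v in d.items() if k not in keys}

def descendants(node):
    """Every project below `node` (a domain or project) in the hierarchy."""
    children = [c for c, parent in PARENT.items() if parent == node]
    return children + [d for c in children for d in descendants(c)]

def implied_roles(role_id, seen=None):
    """Roles implied by role_id, followed transitively, with a guard against rule cycles."""
    seen = seen if seen is not None else {role_id}
    for implied in IMPLIES.get(role_id, []):
        if implied not in seen:
            seen.add(implied)
            implied_roles(implied, seen)
    return seen - {role_id}

def effective_assignments(assignments, strip_domain_roles=True):
    # 1. A group assignment becomes one assignment per member user; "indirect" records the group.
    refs = [{**drop(a, "group_id"), "user_id": u, "indirect": {"group_id": a["group_id"]}}
            for a in assignments for u in GROUPS.get(a.get("group_id"), [])]
    refs += [{**a, "indirect": {}} for a in assignments if "group_id" not in a]
    # 2. An inherited assignment is shown on every project below its assignment point, not on it.
    expanded = []
    for r in refs:
        point = r.get("project_id") or r.get("domain_id")
        for proj in (descendants(point) if r.get("inherited") else []):
            expanded.append({**drop(r, "domain_id"), "project_id": proj, "inherited": False,
                             "indirect": {**r["indirect"], "inherited_from": point}})
        if not r.get("inherited"):
            expanded.append(r)
    # 3. Each ref is duplicated once per implied role; "indirect" keeps the prior role.
    final = []
    for r in expanded:
        final += [r] + [{**r, "role_id": i, "indirect": {**r["indirect"], "role_id": r["role_id"]}}
                        for i in implied_roles(r["role_id"])]
    # 4. Effective mode normally strips domain-specific roles, which never reach a token.
    if strip_domain_roles:
        final = [r for r in final if r["role_id"] not in DOMAIN_ROLES]
    return final
```

With the constructed data, the single inherited group grant of admin on proj-a expands to six effective assignments on proj-b (two users times admin, member, reader), and the domain-specific role on user-3 only appears when strip_domain_roles=False.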

list_system_grants_for_group(*args, **kwargs)[source]

Return a list of roles the group has on the system.

Parameters: group_id – the ID of the group
Returns: a list of role assignments the group has system-wide
list_system_grants_for_user(*args, **kwargs)[source]

Return a list of roles the user has on the system.

Parameters: user_id – the ID of the user
Returns: a list of role assignments the user has system-wide
list_user_ids_for_project(*args, **kwargs)[source]
remove_role_from_user_and_project(*args, **kwargs)[source]
class keystone.assignment.core.RoleManager[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Role backend.

create_implied_role(*args, **kwargs)[source]
create_role(*args, **kwargs)[source]
delete_implied_role(*args, **kwargs)[source]
delete_role(*args, **kwargs)[source]
driver_namespace = 'keystone.role'
get_role(*args, **kwargs)[source]
get_unique_role_by_name(*args, **kwargs)[source]
list_roles(*args, **kwargs)[source]
update_role(*args, **kwargs)[source]

keystone.assignment.routers module

WSGI Routers for the Assignment service.

class keystone.assignment.routers.Public(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]
class keystone.assignment.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

append_v3_routers(mapper, routers)[source]

keystone.assignment.schema module

Module contents

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.