keystone.assignment.backends.sql module

class keystone.assignment.backends.sql.Assignment

Bases: keystone.assignment.backends.base.AssignmentDriverBase

add_role_to_user_and_project(user_id, project_id, role_id)

Add a role to a user within given project.

Raises: keystone.exception.Conflict – If a duplicate role assignment exists.

check_grant_role_id(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Check an assignment/grant role id.

Raises: keystone.exception.RoleAssignmentNotFound – If the role assignment doesn’t exist.
Returns: None or raises an exception if grant not found

check_system_grant(role_id, actor_id, target_id, inherited)

Check if a user or group has a specific role on the system.

Parameters:
  • role_id – the unique ID of the role to grant to the user
  • actor_id – the unique ID of the user or group
  • target_id – the unique ID or string representing the target
  • inherited – a boolean denoting if the assignment is inherited or not

create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Create a new assignment/grant.

If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).

create_system_grant(role_id, actor_id, target_id, assignment_type, inherited)

Grant a user or group a role on the system.

Parameters:
  • role_id – the unique ID of the role to grant to the user
  • actor_id – the unique ID of the user or group
  • target_id – the unique ID or string representing the target
  • assignment_type – a string describing the relationship of the assignment
  • inherited – a boolean denoting if the assignment is inherited or not

classmethod default_role_driver()

delete_domain_assignments(domain_id)

Delete all assignments for a domain.

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Delete assignments/grants.

Raises: keystone.exception.RoleAssignmentNotFound – If the role assignment doesn’t exist.

delete_group_assignments(group_id)

Delete all assignments for a group.

Raises: keystone.exception.RoleNotFound – If the role doesn’t exist.

delete_project_assignments(project_id)

Delete all assignments for a project.

Raises: keystone.exception.ProjectNotFound – If the project doesn’t exist.

delete_role_assignments(role_id)

Delete all assignments for a role.

delete_system_grant(role_id, actor_id, target_id, inherited)

Remove a system assignment from a user or group.

Parameters:
  • role_id – the unique ID of the role to grant to the user
  • actor_id – the unique ID of the user or group
  • target_id – the unique ID or string representing the target
  • inherited – a boolean denoting if the assignment is inherited or not

delete_user_assignments(user_id)

Delete all assignments for a user.

Raises: keystone.exception.RoleNotFound – If the role doesn’t exist.

list_grant_role_ids(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

List role ids for assignments/grants.

list_role_assignments(role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None)

Return a list of role assignments for actors on targets.

The available parameters are the values on which the attributes of the returned role assignments are filtered.

list_system_grants(actor_id, target_id, assignment_type)

Return a list of all system assignments for a specific entity.

Parameters:
  • actor_id – the unique ID of the actor
  • target_id – the unique ID of the target
  • assignment_type – the type of assignment to return

list_system_grants_by_role(role_id)

Return a list of system assignments associated to a role.

Parameters: role_id – the unique ID of the role to grant to the user

remove_role_from_user_and_project(user_id, project_id, role_id)

Remove a role from a user within given project.

Raises: keystone.exception.RoleNotFound – If the role doesn’t exist.

class keystone.assignment.backends.sql.AssignmentType

Bases: object

GROUP_DOMAIN = 'GroupDomain'
GROUP_PROJECT = 'GroupProject'
USER_DOMAIN = 'UserDomain'
USER_PROJECT = 'UserProject'

classmethod calculate_type(user_id, group_id, project_id, domain_id)

class keystone.assignment.backends.sql.RoleAssignment(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

actor_id
attributes = ['type', 'actor_id', 'target_id', 'role_id', 'inherited']
inherited
role_id
target_id
to_dict()

Override parent method with a simpler implementation.

RoleAssignment doesn’t have non-indexed ‘extra’ attributes, so the parent implementation is not applicable.

type

class keystone.assignment.backends.sql.SystemRoleAssignment(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

actor_id
attributes = ['type', 'actor_id', 'target_id', 'role_id', 'inherited']
inherited
role_id
target_id
to_dict()

Override parent method with a simpler implementation.

RoleAssignment doesn’t have non-indexed ‘extra’ attributes, so the parent implementation is not applicable.

type
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.