assignment Package

assignment Package

controllers Module

Workflow Logic the Assignment service.

class keystone.assignment.controllers.GrantAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Grant Assignment APIs.

check_grant(context, *args, **kwargs)[source]

Checks if a role has been granted on either a domain or project.

collection_name = 'roles'
create_grant(context, *args, **kwargs)[source]

Grants a role to a user or group on either a domain or project.

list_grants(context, *args, **kwargs)[source]

Lists roles granted to user/group on either a domain or project.

member_name = 'role'
revoke_grant(context, *args, **kwargs)[source]

Revokes a role from user/group on either a domain or project.

class keystone.assignment.controllers.ProjectAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Project APIs that are processing assignments.

collection_name = 'projects'
list_user_projects(context, **kwargs)[source]
member_name = 'project'
class keystone.assignment.controllers.Role(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

The Role management APIs.

create_role(context, role)[source]
delete_role(context, role_id)[source]
get_role(context, role_id)[source]
get_roles(context)[source]
class keystone.assignment.controllers.RoleAssignmentV2(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

The V2 Role APIs that are processing assignments.

add_role_to_user(context, user_id, role_id, tenant_id=None)[source]

Add a role to a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

create_role_ref(context, user_id, role)[source]

This is actually used for adding a user to a tenant.

In the legacy data model adding a user to a tenant required setting a role.

delete_role_ref(context, user_id, role_ref_id)[source]

This is actually used for deleting a user from a tenant.

In the legacy data model removing a user from a tenant required deleting a role.

To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.

get_role_refs(context, user_id)[source]

Ultimate hack to get around having to make role_refs first-class.

This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.

get_user_roles(context, user_id, tenant_id=None)[source]

Get the roles for a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

remove_role_from_user(context, user_id, role_id, tenant_id=None)[source]

Remove a role from a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

class keystone.assignment.controllers.RoleAssignmentV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

The V3 Role Assignment APIs, really just list_role_assignment().

collection_name = 'role_assignments'
delete_role_assignment(context, *args, **kwargs)[source]
get_role_assignment(context, *args, **kwargs)[source]
list_role_assignments(context, **kwargs)[source]

List role assignments to user and groups on domains and projects.

Return a list of all existing role assignments in the system, filtered by assignments attributes, if provided.

If effective option is used and OS-INHERIT extension is enabled, the following functions will be applied: 1) For any group role assignment on a target, replace it by a set of role assignments containing one for each user of that group on that target; 2) For any inherited role assignment for an actor on a target, replace it by a set of role assignments for that actor on every project under that target.

It means that, if effective mode is used, no group or domain inherited assignments will be present in the resultant list. Thus, combining effective with them is invalid.

As a role assignment contains only one actor and one target, providing both user and group ids or domain and project ids is invalid as well.

member_name = 'role_assignment'
update_role_assignment(context, *args, **kwargs)[source]
classmethod wrap_member(context, ref)[source]
class keystone.assignment.controllers.RoleV3[source]

Bases: keystone.common.controller.V3Controller

The V3 Role CRUD APIs.

collection_name = 'roles'
create_role(context, *args, **kwargs)[source]
delete_role(context, *args, **kwargs)[source]
get_role(context, *args, **kwargs)[source]
list_roles(context, **kwargs)[source]
member_name = 'role'
update_role(context, *args, **kwargs)[source]
class keystone.assignment.controllers.TenantAssignment(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

The V2 Project APIs that are processing assignments.

get_project_users(context, tenant_id, **kw)[source]
get_projects_for_token(context, **kw)[source]

Get valid tenants for token based on token used to authenticate.

Pulls the token from the context, validates it and gets the valid tenants for the user in the token.

Doesn’t care about token scopedness.

core Module

Main entry point into the Assignment service.

class keystone.assignment.core.AssignmentDriverV8[source]

Bases: object

add_role_to_user_and_project(user_id, tenant_id, role_id)[source]

Add a role to a user within given tenant.

Raises :keystone.exception.Conflict
check_grant_role_id(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]

Checks an assignment/grant role id.

Raises :keystone.exception.RoleAssignmentNotFound
Returns:None or raises an exception if grant not found
create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]

Creates a new assignment/grant.

If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]

Deletes assignments/grants.

Raises :keystone.exception.RoleAssignmentNotFound
delete_group_assignments(group_id)[source]

Deletes all assignments for a group.

Raises :keystone.exception.RoleNotFound
delete_project_assignments(project_id)[source]

Deletes all assignments for a project.

Raises :keystone.exception.ProjectNotFound
delete_role_assignments(role_id)[source]

Deletes all assignments for a role.

delete_user_assignments(user_id)[source]

Deletes all assignments for a user.

Raises :keystone.exception.RoleNotFound
list_domain_ids_for_groups(group_ids, inherited=False)[source]

List domain ids accessible to specified groups.

Parameters:
  • group_ids – List of group ids.
  • inherited – whether to return domain_ids that have inherited assignments or not.
Returns:

List of domain ids accessible to specified groups.

list_domain_ids_for_user(user_id, group_ids, hints, inherited=False)[source]

List all domain ids associated with a given user.

Parameters:
  • user_id – the user in question
  • group_ids – the groups this user is a member of. This list is built in the Manager, so that the driver itself does not have to call across to identity.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether to return domain_ids that have inherited assignments or not.
Returns:

a list of domain ids or an empty list.

list_grant_role_ids(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]

Lists role ids for assignments/grants.

list_project_ids_for_groups(group_ids, hints, inherited=False)[source]

List project ids accessible to specified groups.

Parameters:
  • group_ids – List of group ids.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether assignments marked as inherited should be included.
Returns:

List of project ids accessible to specified groups.

This method should not try and expand any inherited assignments, just report the projects that have the role for this group. The manager method is responsible for expanding out inherited assignments.

list_project_ids_for_user(user_id, group_ids, hints, inherited=False)[source]

List all project ids associated with a given user.

Parameters:
  • user_id – the user in question
  • group_ids – the groups this user is a member of. This list is built in the Manager, so that the driver itself does not have to call across to identity.
  • hints – filter hints which the driver should implement if at all possible.
  • inherited – whether assignments marked as inherited should be included.
Returns:

a list of project ids or an empty list.

This method should not try and expand any inherited assignments, just report the projects that have the role for this user. The manager method is responsible for expanding out inherited assignments.

list_role_assignments(role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None)[source]

Returns a list of role assignments for actors on targets.

Available parameters represent values in which the returned role assignments attributes need to be filtered on.

list_role_ids_for_groups_on_domain(group_ids, domain_id)[source]

List the group role ids for a specific domain.

Parameters:
  • group_ids (list) – list of group ids
  • domain_id (str) – domain identifier
Returns:

list of role ids for the project

Return type:

list

list_role_ids_for_groups_on_project(group_ids, project_id, project_domain_id, project_parents)[source]

List the group role ids for a specific project.

Supports the OS-INHERIT role inheritance from the project’s domain if supported by the assignment driver.

Parameters:
  • group_ids (list) – list of group ids
  • project_id (str) – project identifier
  • project_domain_id (str) – project’s domain identifier
  • project_parents (list) – list of parent ids of this project
Returns:

list of role ids for the project

Return type:

list

list_user_ids_for_project(tenant_id)[source]

Lists all user IDs with a role assignment in the specified project.

Returns:a list of user_ids or an empty set.
remove_role_from_user_and_project(user_id, tenant_id, role_id)[source]

Remove a role from a user within given tenant.

Raises :keystone.exception.RoleNotFound
class keystone.assignment.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Assignment backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

add_role_to_user_and_project(user_id, tenant_id, role_id)[source]
add_user_to_project(tenant_id, user_id)[source]

Add user to a tenant by creating a default role relationship.

Raises :keystone.exception.ProjectNotFound, keystone.exception.UserNotFound
create_grant(wrapped_self, role_id, *args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False, context=None)[source]
delete_tokens_for_role_assignments(role_id)[source]
driver_namespace = 'keystone.assignment'
get_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
get_roles_for_groups(group_ids, project_id=None, domain_id=None)[source]

Get a list of roles for this group on domain and/or project.

get_roles_for_user_and_domain(user_id, domain_id)[source]

Get the roles associated with a user within given domain.

Returns:a list of role ids.
Raises :keystone.exception.UserNotFound, keystone.exception.DomainNotFound
get_roles_for_user_and_project(user_id, tenant_id)[source]

Get the roles associated with a user within given project.

This includes roles directly assigned to the user on the project, as well as those by virtue of group membership. If the OS-INHERIT extension is enabled, then this will also include roles inherited from the domain.

Returns:a list of role ids.
Raises :keystone.exception.UserNotFound, keystone.exception.ProjectNotFound
list_domains_for_groups(group_ids)[source]
list_domains_for_user(user_id, hints=None)[source]
list_grants(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
list_projects_for_groups(group_ids)[source]
list_projects_for_user(user_id, hints=None)[source]
list_role_assignments(role_id=None, user_id=None, group_id=None, domain_id=None, project_id=None, inherited=None, effective=None)[source]

List role assignments, honoring effective mode and provided filters.

Returns a list of role assignments, where their attributes match the provided filters (role_id, user_id, group_id, domain_id, project_id and inherited). The inherited filter defaults to None, meaning to get both non-inherited and inherited role assignments.

If effective mode is specified, this means that rather than simply return the assignments that match the filters, any group or inheritance assignments will be expanded. Group assignments will become assignments for all the users in that group, and inherited assignments will be shown on the projects below the assignment point. Think of effective mode as being the list of assignments that actually affect a user, for example the roles that would be placed in a token.

If OS-INHERIT extension is disabled or the used driver does not support inherited roles retrieval, inherited role assignments will be ignored.

list_role_assignments_for_role(role_id=None)[source]
list_user_ids_for_project(tenant_id)[source]
remove_role_from_user_and_project(user_id, tenant_id, role_id)[source]
remove_user_from_project(tenant_id, user_id)[source]

Remove user from a tenant

Raises :keystone.exception.ProjectNotFound, keystone.exception.UserNotFound
class keystone.assignment.core.RoleDriverV8[source]

Bases: object

create_role(role_id, role)[source]

Creates a new role.

Raises :keystone.exception.Conflict
delete_role(role_id)[source]

Deletes an existing role.

Raises :keystone.exception.RoleNotFound
get_role(role_id)[source]

Get a role by ID.

Returns:role_ref
Raises :keystone.exception.RoleNotFound
list_roles(hints)[source]

List roles in the system.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of role_refs or an empty list.
list_roles_from_ids(role_ids)[source]

List roles for the provided list of ids.

Parameters:role_ids – list of ids
Returns:a list of role_refs.

This method is used internally by the assignment manager to bulk read a set of roles given their ids.

update_role(role_id, role)[source]

Updates an existing role.

Raises :keystone.exception.RoleNotFound, keystone.exception.Conflict
class keystone.assignment.core.RoleManager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Role backend.

create_role(role_id, role, initiator=None)[source]
delete_role(role_id, initiator=None)[source]
driver_namespace = 'keystone.role'
get_role(*arg, **kw)[source]
list_roles(*args, **kwargs)[source]
update_role(role_id, role, initiator=None)[source]

routers Module

WSGI Routers for the Assignment service.

class keystone.assignment.routers.Admin(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]
class keystone.assignment.routers.Public(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]
class keystone.assignment.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

append_v3_routers(mapper, routers)[source]

schema Module

Table Of Contents

This Page