Workflow logic for the Assignment service.
Bases: keystone.common.controller.V3Controller
Bases: keystone.common.controller.V3Controller
Bases: keystone.common.controller.V2Controller
Add a role to a user and tenant pair.
Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.
This is actually used for adding a user to a tenant.
In the legacy data model adding a user to a tenant required setting a role.
This is actually used for deleting a user from a tenant.
In the legacy data model removing a user from a tenant required deleting a role.
To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.
Ultimate hack to get around having to make role_refs first-class.
This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.
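
The emulation described above, sketched as an added example (not Keystone's own code). The query-string id format is an assumption, and `grants`, `encode_role_ref_id`, `decode_role_ref_id`, `list_role_refs` and `delete_role_ref` are hypothetical names. Because the id comes back from the client, the delete path checks it against the user in the request before acting on it.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample data: (user_id, tenant_id) -> set of role ids.
grants = {
    ("u1", "t1"): {"member", "admin"},
    ("u1", "t2"): {"member"},
}


def encode_role_ref_id(user_id, tenant_id, role_id):
    """Pack the user-tenant-role triple into one opaque id (assumed format)."""
    return urlencode({"userId": user_id, "tenantId": tenant_id, "roleId": role_id})


def decode_role_ref_id(role_ref_id):
    """Unpack an id, rejecting anything that is not exactly one triple."""
    fields = parse_qs(role_ref_id, strict_parsing=True)
    if set(fields) != {"userId", "tenantId", "roleId"} or any(len(v) != 1 for v in fields.values()):
        raise ValueError("malformed role_ref id")
    return fields["userId"][0], fields["tenantId"][0], fields["roleId"][0]


def list_role_refs(user_id):
    """Build fake role_refs for every role the user holds in every tenant."""
    return [
        {"id": encode_role_ref_id(u, t, r), "tenantId": t, "roleId": r}
        for (u, t), roles in sorted(grants.items()) if u == user_id
        for r in sorted(roles)
    ]


def delete_role_ref(user_id, role_ref_id):
    """Delete one role; return True if the user is still a tenant member."""
    ref_user, tenant_id, role_id = decode_role_ref_id(role_ref_id)
    # The id is client-supplied, so it must agree with the user in the request.
    if ref_user != user_id:
        raise PermissionError("role_ref id does not belong to this user")
    roles = grants.get((user_id, tenant_id), set())
    if role_id not in roles:
        raise KeyError("role not granted")
    roles.discard(role_id)
    if not roles:
        del grants[(user_id, tenant_id)]  # last role gone: user leaves the tenant
    return (user_id, tenant_id) in grants
```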
Bases: keystone.common.controller.V3Controller
Bases: keystone.common.controller.V3Controller
Checks if a role has been granted on either a domain or project.
Grants a role to a user or group on either a domain or project.
Lists roles granted to user/group on either a domain or project.
Main entry point into the assignment service.
Bases: object
Add a role to a user within given tenant.
Raises: | keystone.exception.UserNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound |
---|---|
Creates a new assignment/grant.
If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).
Raises: | keystone.exception.DomainNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound |
---|---|
Creates a new project.
Raises: | keystone.exception.Conflict |
---|---|
Deletes an existing domain.
Raises: | keystone.exception.DomainNotFound |
---|---|
Deletes assignments/grants.
Raises: | keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound |
---|---|
Deletes all assignments for a group.
Raises: | keystone.exception.RoleNotFound |
---|---|
Deletes an existing project.
Raises: | keystone.exception.ProjectNotFound |
---|---|
Deletes all assignments for a user.
Raises: | keystone.exception.RoleNotFound |
---|---|
Get a domain by ID.
Returns: | domain_ref |
---|---|
Raises: | keystone.exception.DomainNotFound |
Get a domain by name.
Returns: | domain_ref |
---|---|
Raises: | keystone.exception.DomainNotFound |
Lists assignments/grants.
Raises: | keystone.exception.UserNotFound, keystone.exception.GroupNotFound, keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound |
---|---|
Get a project by ID.
Returns: | project_ref |
---|---|
Raises: | keystone.exception.ProjectNotFound |
Get a tenant by name.
Returns: | tenant_ref |
---|---|
Raises: | keystone.exception.ProjectNotFound |
Get a role by ID.
Returns: | role_ref |
---|---|
Raises: | keystone.exception.RoleNotFound |
List all the roles assigned to groups on either domain or project.
If the project_id is not None, this value will be used, no matter what was specified in the domain_id.
Parameters: |
|
---|---|
Raises: | AttributeError: In case both project_id and domain_id are set to None |
Returns: | a list of Role entities matching groups and project_id or domain_id |
List domains in the system.
Parameters: | hints – filter hints which the driver should implement if at all possible. |
---|---|
Returns: | a list of domain_refs or an empty list. |
List domains accessible to specified groups.
Parameters: | group_ids – List of group ids. |
---|---|
Returns: | List of domains accessible to specified groups. |
Lists assignments/grants.
Raises: | keystone.exception.UserNotFound, keystone.exception.GroupNotFound, keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound |
---|---|
List projects in the system.
Parameters: | hints – filter hints which the driver should implement if at all possible. |
---|---|
Returns: | a list of project_refs or an empty list. |
List projects accessible to specified groups.
Parameters: | group_ids – List of group ids. |
---|---|
Returns: | List of projects accessible to specified groups. |
List all projects associated with a given user.
Parameters: |
|
---|---|
Returns: | a list of project_refs or an empty list. |
List projects in the domain.
Parameters: | domain_id – the driver MUST only return projects within this domain. |
---|---|
Returns: | a list of project_refs or an empty list. |
List roles in the system.
Parameters: | hints – filter hints which the driver should implement if at all possible. |
---|---|
Returns: | a list of role_refs or an empty list. |
Lists all user IDs with a role assignment in the specified project.
Returns: | a list of user_ids or an empty set. |
---|---|
Raises: | keystone.exception.ProjectNotFound |
Remove a role from a user within given tenant.
Raises: | keystone.exception.UserNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound |
---|---|
Updates an existing domain.
Raises: | keystone.exception.DomainNotFound, keystone.exception.Conflict |
---|---|
Bases: keystone.common.manager.Manager
Default pivot point for the Assignment backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend. assignment.Manager() and identity.Manager() have a circular dependency. The late import works around this. The if block prevents creation of the api object by both managers.
Add user to a tenant by creating a default role relationship.
Raises: | keystone.exception.ProjectNotFound, keystone.exception.UserNotFound |
---|---|
Get the roles associated with a user within given domain.
Returns: | a list of role ids. |
---|---|
Raises: | keystone.exception.UserNotFound, keystone.exception.DomainNotFound |
Get the roles associated with a user within given project.
This includes roles directly assigned to the user on the project, as well as those by virtue of group membership. If the OS-INHERIT extension is enabled, then this will also include roles inherited from the domain.
Returns: | a list of role ids. |
---|---|
Raises: | keystone.exception.UserNotFound, keystone.exception.ProjectNotFound |
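
How the effective role set described above composes, as an added example that is not Keystone's implementation: the record layout, `effective_project_roles` and every id below are constructed for illustration. It records why each role applies, which is what an access review needs, since listing only direct assignments misses roles gained through groups or domain inheritance.

```python
# Constructed assignment records; the field names are illustrative only.
ASSIGNMENTS = [
    {"actor": ("user", "alice"), "target": ("project", "p1"), "role": "member", "inherited": False},
    {"actor": ("group", "ops"), "target": ("project", "p1"), "role": "operator", "inherited": False},
    {"actor": ("group", "ops"), "target": ("domain", "d1"), "role": "admin", "inherited": True},
    {"actor": ("user", "alice"), "target": ("domain", "d1"), "role": "auditor", "inherited": False},
    {"actor": ("user", "bob"), "target": ("project", "p1"), "role": "member", "inherited": False},
]
GROUPS = {"ops": {"alice"}}      # group id -> member user ids
PROJECT_DOMAIN = {"p1": "d1"}    # project id -> owning domain id


def effective_project_roles(user_id, project_id, inherit_enabled):
    """Return {role_id: [sources]} for a user on a project."""
    actors = {("user", user_id)}
    actors |= {("group", g) for g, members in GROUPS.items() if user_id in members}
    domain_id = PROJECT_DOMAIN[project_id]
    roles = {}
    for a in ASSIGNMENTS:
        if a["actor"] not in actors:
            continue
        kind, target_id = a["target"]
        if kind == "project" and target_id == project_id and not a["inherited"]:
            # Granted on the project itself, to the user or to one of their groups.
            source = "direct" if a["actor"][0] == "user" else "group:" + a["actor"][1]
        elif (kind == "domain" and target_id == domain_id
              and a["inherited"] and inherit_enabled):
            # Domain grant flagged as inherited to owned projects (OS-INHERIT on).
            source = "inherited:" + a["actor"][0] + ":" + a["actor"][1]
        else:
            continue  # non-inherited domain grants never apply to the project
        roles.setdefault(a["role"], []).append(source)
    return roles
```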
WSGI Routers for the Assignment service.