Workflow Logic for the Assignment service.
Bases: keystone.common.controller.V3Controller
The V3 Grant Assignment APIs.
Checks if a role has been granted on either a domain or project.
Grants a role to a user or group on either a domain or project.
Lists roles granted to user/group on either a domain or project.
Bases: keystone.common.controller.V3Controller
The V3 Project APIs that are processing assignments.
Bases: keystone.common.controller.V2Controller
The Role management APIs.
Bases: keystone.common.controller.V2Controller
The V2 Role APIs that are processing assignments.
Add a role to a user and tenant pair.
Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.
This is actually used for adding a user to a tenant.
In the legacy data model adding a user to a tenant required setting a role.
This is actually used for deleting a user from a tenant.
In the legacy data model removing a user from a tenant required deleting a role.
To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.
Ultimate hack to get around having to make role_refs first-class.
This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.
Bases: keystone.common.controller.V3Controller
The V3 Role Assignment APIs, really just list_role_assignment().
Bases: keystone.common.controller.V3Controller
The V3 Role CRUD APIs.
Bases: keystone.common.controller.V2Controller
The V2 Project APIs that are processing assignments.
Main entry point into the assignment service.
Bases: object
Add a role to a user within given tenant.
Raises: keystone.exception.Conflict
Checks an assignment/grant role id.
Raises: keystone.exception.RoleAssignmentNotFound
Returns: None or raises an exception if grant not found
Creates a new assignment/grant.
If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).
Deletes assignments/grants.
Raises: keystone.exception.RoleAssignmentNotFound
Deletes all assignments for a group.
Raises: keystone.exception.RoleNotFound
Deletes all assignments for a project.
Raises: keystone.exception.ProjectNotFound
Deletes all assignments for a user.
Raises: keystone.exception.RoleNotFound
List domain ids accessible to specified groups.
Parameters:
Returns: List of domain ids accessible to specified groups.
List all domain ids associated with a given user.
Parameters:
Returns: a list of domain ids or an empty list.
Lists role ids for assignments/grants.
List project ids accessible to specified groups.
Parameters:
Returns: List of project ids accessible to specified groups.
This method should not try to expand any inherited assignments, just report the projects that have the role for this group. The manager method is responsible for expanding out inherited assignments.
List all project ids associated with a given user.
Parameters:
Returns: a list of project ids or an empty list.
This method should not try to expand any inherited assignments, just report the projects that have the role for this user. The manager method is responsible for expanding out inherited assignments.
List the group role ids for a specific domain.
Parameters:
Returns: list of role ids for the project
Return type: list
List the group role ids for a specific project.
Supports the OS-INHERIT role inheritance from the project’s domain if supported by the assignment driver.
Parameters:
Returns: list of role ids for the project
Return type: list
Bases: keystone.common.manager.Manager
Default pivot point for the Assignment backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend.
Add user to a tenant by creating a default role relationship.
Raises: keystone.exception.ProjectNotFound, keystone.exception.UserNotFound
Send a notification if the wrapped callable is successful.
Send a notification if the wrapped callable is successful.
Get a list of roles for this group on domain and/or project.
Get the roles associated with a user within given domain.
Returns: a list of role ids.
Raises: keystone.exception.UserNotFound, keystone.exception.DomainNotFound
Get the roles associated with a user within given project.
This includes roles directly assigned to the user on the project, as well as those by virtue of group membership. If the OS-INHERIT extension is enabled, then this will also include roles inherited from the domain.
Returns: a list of role ids.
Raises: keystone.exception.UserNotFound, keystone.exception.ProjectNotFound
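The expansion described above, as an added example that is not Keystone's own code: the driver-level helpers report only stored grants, and the manager-level function combines direct, group-derived and, when inheritance is enabled, domain-inherited roles. All function names and the sample data are hypothetical, and `LookupError` stands in for the not-found exceptions listed on this page.

```python
# Added illustration; every name below is hypothetical, not Keystone's API.
from collections import namedtuple

# One stored grant: actor is a user or group, target is a domain or project.
Grant = namedtuple("Grant", "actor_type actor_id target_type target_id role_id inherited")

# Constructed sample data.
PROJECT_DOMAIN = {"proj-a": "dom-1", "proj-b": "dom-2"}
USER_GROUPS = {"alice": ["ops"], "bob": []}
GRANTS = [
    Grant("user", "alice", "project", "proj-a", "member", False),
    Grant("group", "ops", "project", "proj-a", "auditor", False),
    Grant("user", "alice", "domain", "dom-1", "admin", True),   # inherited to owned projects
    Grant("user", "bob", "domain", "dom-1", "reader", False),   # domain-only, not inherited
    Grant("group", "ops", "domain", "dom-2", "operator", True),
]


def driver_project_roles(actor_type, actor_id, project_id):
    """Driver-level view: direct project grants only, nothing expanded."""
    return {g.role_id for g in GRANTS
            if (g.actor_type, g.actor_id) == (actor_type, actor_id)
            and (g.target_type, g.target_id) == ("project", project_id)}


def driver_inherited_domain_roles(actor_type, actor_id, domain_id):
    """Driver-level view: domain grants flagged as inherited to owned projects."""
    return {g.role_id for g in GRANTS
            if (g.actor_type, g.actor_id) == (actor_type, actor_id)
            and (g.target_type, g.target_id) == ("domain", domain_id)
            and g.inherited}


def effective_project_roles(user_id, project_id, os_inherit_enabled=True):
    """Manager-level view: direct + group-derived (+ inherited) role ids."""
    if project_id not in PROJECT_DOMAIN:
        raise LookupError("project not found: %s" % project_id)
    if user_id not in USER_GROUPS:
        raise LookupError("user not found: %s" % user_id)
    actors = [("user", user_id)] + [("group", g) for g in USER_GROUPS[user_id]]
    roles = set()
    for actor_type, actor_id in actors:
        roles |= driver_project_roles(actor_type, actor_id, project_id)
        if os_inherit_enabled:
            roles |= driver_inherited_domain_roles(
                actor_type, actor_id, PROJECT_DOMAIN[project_id])
    return sorted(roles)
```

When auditing access, compare the driver-level and manager-level results: in the sample data `alice` holds `admin` on `proj-a` only through the inherited domain grant, which a listing of direct project grants would not show.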
Bases: object
Get a role by ID.
Returns: role_ref
Raises: keystone.exception.RoleNotFound
List roles in the system.
Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of role_refs or an empty list.
Bases: keystone.common.manager.Manager
Default pivot point for the Role backend.
WSGI Routers for the Assignment service.