8aa322236a
This fix implements the hints mechanism, considering filters as hints, so the particular backend implementation has an option to process or ignore it. Since the EC2 credentials code calls list_credentials() with user_id as a param, a separate method list_credentials_for_user has been introduced to provide the compatibility while support the standard hints mechanism in list_credentials(). This fix doesn't plug hints into the controller, it prepares the way for implementation of the bp filter-credentials-by-user to support filtering credentials by user in a follow on patch. Closes-Bug: #1353511 Change-Id: Ibcf59aa45a8fc7e5cc66fd4edb91ae8fdc641d93
141 lines
4.3 KiB
Python
141 lines
4.3 KiB
Python
# Copyright 2013 OpenStack Foundation
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Main entry point into the Credentials service."""
|
|
|
|
import abc
|
|
|
|
import six
|
|
|
|
from keystone.common import dependency
|
|
from keystone.common import driver_hints
|
|
from keystone.common import manager
|
|
from keystone import config
|
|
from keystone import exception
|
|
from keystone.openstack.common import log
|
|
|
|
|
|
CONF = config.CONF
|
|
|
|
LOG = log.getLogger(__name__)
|
|
|
|
|
|
@dependency.provider('credential_api')
|
|
class Manager(manager.Manager):
|
|
"""Default pivot point for the Credential backend.
|
|
|
|
See :mod:`keystone.common.manager.Manager` for more details on how this
|
|
dynamically calls the backend.
|
|
|
|
"""
|
|
|
|
def __init__(self):
|
|
super(Manager, self).__init__(CONF.credential.driver)
|
|
|
|
@manager.response_truncated
|
|
def list_credentials(self, hints=None):
|
|
return self.driver.list_credentials(hints or driver_hints.Hints())
|
|
|
|
|
|
@six.add_metaclass(abc.ABCMeta)
|
|
class Driver(object):
|
|
# credential crud
|
|
|
|
@abc.abstractmethod
|
|
def create_credential(self, credential_id, credential):
|
|
"""Creates a new credential.
|
|
|
|
:raises: keystone.exception.Conflict
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def list_credentials(self, hints):
|
|
"""List all credentials.
|
|
|
|
:param hints: contains the list of filters yet to be satisfied.
|
|
Any filters satisfied here will be removed so that
|
|
the caller will know if any filters remain.
|
|
|
|
:returns: a list of credential_refs or an empty list.
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def list_credentials_for_user(self, user_id):
|
|
"""List credentials for a user.
|
|
|
|
:param user_id: ID of a user to filter credentials by.
|
|
|
|
:returns: a list of credential_refs or an empty list.
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def get_credential(self, credential_id):
|
|
"""Get a credential by ID.
|
|
|
|
:returns: credential_ref
|
|
:raises: keystone.exception.CredentialNotFound
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def update_credential(self, credential_id, credential):
|
|
"""Updates an existing credential.
|
|
|
|
:raises: keystone.exception.CredentialNotFound,
|
|
keystone.exception.Conflict
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def delete_credential(self, credential_id):
|
|
"""Deletes an existing credential.
|
|
|
|
:raises: keystone.exception.CredentialNotFound
|
|
|
|
"""
|
|
raise exception.NotImplemented() # pragma: no cover
|
|
|
|
@abc.abstractmethod
|
|
def delete_credentials_for_project(self, project_id):
|
|
"""Deletes all credentials for a project."""
|
|
self._delete_credentials(lambda cr: cr['project_id'] == project_id)
|
|
|
|
@abc.abstractmethod
|
|
def delete_credentials_for_user(self, user_id):
|
|
"""Deletes all credentials for a user."""
|
|
self._delete_credentials(lambda cr: cr['user_id'] == user_id)
|
|
|
|
def _delete_credentials(self, match_fn):
|
|
"""Do the actual credential deletion work (default implementation).
|
|
|
|
:param match_fn: function that takes a credential dict as the
|
|
parameter and returns true or false if the
|
|
identifier matches the credential dict.
|
|
"""
|
|
for cr in self.list_credentials():
|
|
if match_fn(cr):
|
|
try:
|
|
self.credential_api.delete_credential(cr['id'])
|
|
except exception.CredentialNotFound:
|
|
LOG.debug('Deletion of credential is not required: %s',
|
|
cr['id'])
|