7f4891ddc3
This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
222 lines
10 KiB
Python
222 lines
10 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright 2012 OpenStack LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
"""WSGI Routers for the Identity service."""
|
|
from keystone.common import router
|
|
from keystone.common import wsgi
|
|
from keystone import config
|
|
from keystone.identity import controllers
|
|
|
|
|
|
class Public(wsgi.ComposableRouter):
|
|
def add_routes(self, mapper):
|
|
tenant_controller = controllers.Tenant()
|
|
mapper.connect('/tenants',
|
|
controller=tenant_controller,
|
|
action='get_projects_for_token',
|
|
conditions=dict(method=['GET']))
|
|
|
|
|
|
class Admin(wsgi.ComposableRouter):
|
|
def add_routes(self, mapper):
|
|
# Tenant Operations
|
|
tenant_controller = controllers.Tenant()
|
|
mapper.connect('/tenants',
|
|
controller=tenant_controller,
|
|
action='get_all_projects',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/tenants/{tenant_id}',
|
|
controller=tenant_controller,
|
|
action='get_project',
|
|
conditions=dict(method=['GET']))
|
|
|
|
# User Operations
|
|
user_controller = controllers.User()
|
|
mapper.connect('/users/{user_id}',
|
|
controller=user_controller,
|
|
action='get_user',
|
|
conditions=dict(method=['GET']))
|
|
|
|
# Role Operations
|
|
roles_controller = controllers.Role()
|
|
mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles',
|
|
controller=roles_controller,
|
|
action='get_user_roles',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/users/{user_id}/roles',
|
|
controller=roles_controller,
|
|
action='get_user_roles',
|
|
conditions=dict(method=['GET']))
|
|
|
|
|
|
def append_v3_routers(mapper, routers):
|
|
routers.append(
|
|
router.Router(controllers.DomainV3(),
|
|
'domains', 'domain'))
|
|
|
|
project_controller = controllers.ProjectV3()
|
|
routers.append(
|
|
router.Router(project_controller,
|
|
'projects', 'project'))
|
|
mapper.connect('/users/{user_id}/projects',
|
|
controller=project_controller,
|
|
action='list_user_projects',
|
|
conditions=dict(method=['GET']))
|
|
|
|
user_controller = controllers.UserV3()
|
|
routers.append(
|
|
router.Router(user_controller,
|
|
'users', 'user'))
|
|
mapper.connect('/groups/{group_id}/users',
|
|
controller=user_controller,
|
|
action='list_users_in_group',
|
|
conditions=dict(method=['GET']))
|
|
|
|
mapper.connect('/groups/{group_id}/users/{user_id}',
|
|
controller=user_controller,
|
|
action='add_user_to_group',
|
|
conditions=dict(method=['PUT']))
|
|
|
|
mapper.connect('/groups/{group_id}/users/{user_id}',
|
|
controller=user_controller,
|
|
action='check_user_in_group',
|
|
conditions=dict(method=['HEAD']))
|
|
|
|
mapper.connect('/groups/{group_id}/users/{user_id}',
|
|
controller=user_controller,
|
|
action='remove_user_from_group',
|
|
conditions=dict(method=['DELETE']))
|
|
|
|
group_controller = controllers.GroupV3()
|
|
routers.append(
|
|
router.Router(group_controller,
|
|
'groups', 'group'))
|
|
mapper.connect('/users/{user_id}/groups',
|
|
controller=group_controller,
|
|
action='list_groups_for_user',
|
|
conditions=dict(method=['GET']))
|
|
|
|
role_controller = controllers.RoleV3()
|
|
routers.append(router.Router(role_controller, 'roles', 'role'))
|
|
mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect('/projects/{project_id}/users/{user_id}/roles',
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/projects/{project_id}/groups/{group_id}/roles',
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect('/domains/{domain_id}/users/{user_id}/roles',
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/domains/{domain_id}/groups/{group_id}/roles',
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
|
|
if config.CONF.os_inherit.enabled:
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='create_grant',
|
|
conditions=dict(method=['PUT']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='check_grant',
|
|
conditions=dict(method=['HEAD']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
|
|
'/roles/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
|
|
'/roles/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='list_grants',
|
|
conditions=dict(method=['GET']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
|
|
'/roles/{role_id}/inherited_to_projects'),
|
|
controller=role_controller,
|
|
action='revoke_grant',
|
|
conditions=dict(method=['DELETE']))
|
|
routers.append(
|
|
router.Router(controllers.RoleAssignmentV3(),
|
|
'role_assignments', 'role_assignment'))
|