Added project role assignment

Change-Id: I4eb3d430365f3b22c1a77faea71f710fb565082f
This commit is contained in:
Yuval Shalev 2017-01-04 17:54:43 +02:00
parent ed5d3570f7
commit d8f62dc0e9
16 changed files with 621 additions and 7 deletions

View File

@ -78,3 +78,31 @@ def list_roles(conn):
for role in conn.identity.roles():
print(role)
def list_role_domain_group_assignments(conn):
print("List Roles assignments for a group on domain:")
for role in conn.identity.role_domain_group_assignments():
print(role)
def list_role_domain_user_assignments(conn):
print("List Roles assignments for a user on domain:")
for role in conn.identity.role_project_user_assignments():
print(role)
def list_role_project_group_assignments(conn):
print("List Roles assignments for a group on project:")
for role in conn.identity.role_project_group_assignments():
print(role)
def list_role_project_user_assignments(conn):
print("List Roles assignments for a user on project:")
for role in conn.identity.role_project_user_assignments():
print(role)

View File

@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
import openstack.exceptions as exception
from openstack.identity.v3 import credential as _credential
from openstack.identity.v3 import domain as _domain
from openstack.identity.v3 import endpoint as _endpoint
@ -18,6 +19,15 @@ from openstack.identity.v3 import policy as _policy
from openstack.identity.v3 import project as _project
from openstack.identity.v3 import region as _region
from openstack.identity.v3 import role as _role
from openstack.identity.v3 import role_assignment as _role_assignment
from openstack.identity.v3 import role_domain_group_assignment \
as _role_domain_group_assignment
from openstack.identity.v3 import role_domain_user_assignment \
as _role_domain_user_assignment
from openstack.identity.v3 import role_project_group_assignment \
as _role_project_group_assignment
from openstack.identity.v3 import role_project_user_assignment \
as _role_project_user_assignment
from openstack.identity.v3 import service as _service
from openstack.identity.v3 import trust as _trust
from openstack.identity.v3 import user as _user
@ -875,3 +885,75 @@ class Proxy(proxy.BaseProxy):
:rtype: :class:`~openstack.identity.v3.role.Role`
"""
return self._update(_role.Role, role, **attrs)
def role_assignments_filter(self, domain=None, project=None, group=None,
user=None):
"""Retrieve a generator of roles assigned to user/group
:param domain: Either the ID of a domain or a
:class:`~openstack.identity.v3.domain.Domain` instance.
:param project: Either the ID of a project or a
:class:`~openstack.identity.v3.project.Project`
instance.
:param group: Either the ID of a group or a
:class:`~openstack.identity.v3.group.Group` instance.
:param user: Either the ID of a user or a
:class:`~openstack.identity.v3.user.User` instance.
:return: A generator of role instances.
:rtype: :class:`~openstack.identity.v3.role.Role`
"""
if domain and project:
raise exception.InvalidRequest(
'Only one of domain or project can be specified')
if domain is None and project is None:
raise exception.InvalidRequest(
'Either domain or project should be specified')
if group and user:
raise exception.InvalidRequest(
'Only one of group or user can be specified')
if group is None and user is None:
raise exception.InvalidRequest(
'Either group or user should be specified')
if domain:
domain = self._get_resource(_domain.Domain, domain)
if group:
group = self._get_resource(_group.Group, group)
return self._list(
_role_domain_group_assignment.RoleDomainGroupAssignment,
paginated=False, domain_id=domain.id, group_id=group.id)
else:
user = self._get_resource(_user.User, user)
return self._list(
_role_domain_user_assignment.RoleDomainUserAssignment,
paginated=False, domain_id=domain.id, user_id=user.id)
else:
project = self._get_resource(_project.Project, project)
if group:
group = self._get_resource(_group.Group, group)
return self._list(
_role_project_group_assignment.RoleProjectGroupAssignment,
paginated=False, project_id=project.id, group_id=group.id)
else:
user = self._get_resource(_user.User, user)
return self._list(
_role_project_user_assignment.RoleProjectUserAssignment,
paginated=False, project_id=project.id, user_id=user.id)
def role_assignments(self, **query):
"""Retrieve a generator of role_assignment
:class:`~openstack.identity.v3.user.User` instance.
:param kwargs \*\*query: Optional query parameters to be sent to limit
the resources being returned. The options
are: group_id, role_id, scope_domain_id,
scope_project_id, user_id, include_names,
include_subtree.
:return:
:class:`~openstack.identity.v3.role_assignment.RoleAssignment`
"""
return self._list(_role_assignment.RoleAssignment,
paginated=False, **query)

View File

@ -12,6 +12,7 @@
from openstack.identity import identity_service
from openstack import resource2 as resource
from openstack import utils
class Domain(resource.Resource):
@ -43,3 +44,57 @@ class Domain(resource.Resource):
name = resource.Body('name')
#: The links related to the domain resource.
links = resource.Body('links')
def assign_role_to_user(self, session, user, role):
"""Assign role to user on domain"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.put(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def validate_user_has_role(self, session, user, role):
"""Validates that a user has a role on a domain"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.head(url, endpoint_filter=self.service)
if resp.status_code == 201:
return True
return False
def unassign_role_from_user(self, session, user, role):
"""Unassigns a role from a user on a domain"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.delete(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def assign_role_to_group(self, session, group, role):
"""Assign role to group on domain"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.put(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def validate_group_has_role(self, session, group, role):
"""Validates that a group has a role on a domain"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.head(url, endpoint_filter=self.service)
if resp.status_code == 201:
return True
return False
def unassign_role_from_group(self, session, group, role):
"""Unassigns a role from a group on a domain"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.delete(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False

View File

@ -12,6 +12,7 @@
from openstack.identity import identity_service
from openstack import resource2 as resource
from openstack import utils
class Project(resource.Resource):
@ -50,3 +51,57 @@ class Project(resource.Resource):
#: The ID of the parent of the project.
#: New in version 3.4
parent_id = resource.Body('parent_id')
def assign_role_to_user(self, session, user, role):
"""Assign role to user on project"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.put(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def validate_user_has_role(self, session, user, role):
"""Validates that a user has a role on a project"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.head(url, endpoint_filter=self.service)
if resp.status_code == 201:
return True
return False
def unassign_role_from_user(self, session, user, role):
"""Unassigns a role from a user on a project"""
url = utils.urljoin(self.base_path, self.id, 'users',
user.id, 'roles', role.id)
resp = session.delete(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def assign_role_to_group(self, session, group, role):
"""Assign role to group on project"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.put(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False
def validate_group_has_role(self, session, group, role):
"""Validates that a group has a role on a project"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.head(url, endpoint_filter=self.service)
if resp.status_code == 201:
return True
return False
def unassign_role_from_group(self, session, group, role):
"""Unassigns a role from a group on a project"""
url = utils.urljoin(self.base_path, self.id, 'groups',
group.id, 'roles', role.id)
resp = session.delete(url, endpoint_filter=self.service)
if resp.status_code == 204:
return True
return False

View File

@ -32,11 +32,6 @@ class Role(resource.Resource):
'name', 'domain_id')
# Properties
#: References the domain ID which owns the role; if a domain ID is not
#: specified by the client, the Identity service implementation will
#: default it to the domain ID to which the client's token is scoped.
#: *Type: string*
domain_id = resource.Body('domain_id')
#: Unique role name, within the owning domain. *Type: string*
name = resource.Body('name')
#: The links for the service resource.

View File

@ -0,0 +1,41 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from openstack.identity import identity_service
from openstack import resource2 as resource
class RoleAssignment(resource.Resource):
resource_key = 'role_assignment'
resources_key = 'role_assignments'
base_path = '/role_assignments'
service = identity_service.IdentityService()
# capabilities
allow_list = True
_query_mapping = resource.QueryParameters(
'group_id', 'role_id', 'scope_domain_id', 'scope_project_id',
'user_id', 'effective', 'include_names', 'include_subtree'
)
# Properties
#: The links for the service resource.
links = resource.Body('links')
#: The role (dictionary contains only id) *Type: dict*
role = resource.Body('role', type=dict)
#: The scope (either domain or group dictionary contains id) *Type: dict*
scope = resource.Body('scope', type=dict)
#: The user (dictionary contains only id) *Type: dict*
user = resource.Body('user', type=dict)
#: The group (dictionary contains only id) *Type: dict*
group = resource.Body('group', type=dict)

View File

@ -0,0 +1,34 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from openstack.identity import identity_service
from openstack import resource2 as resource
class RoleDomainGroupAssignment(resource.Resource):
resource_key = 'role'
resources_key = 'roles'
base_path = '/domains/%(domain_id)s/groups/%(group_id)s/roles'
service = identity_service.IdentityService()
# capabilities
allow_list = True
# Properties
#: name of the role *Type: string*
name = resource.Body('name')
#: The links for the service resource.
links = resource.Body('links')
#: The ID of the domain to list assignment from. *Type: string*
domain_id = resource.URI('domain_id')
#: The ID of the group to list assignment from. *Type: string*
group_id = resource.URI('group_id')

View File

@ -0,0 +1,34 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from openstack.identity import identity_service
from openstack import resource2 as resource
class RoleDomainUserAssignment(resource.Resource):
resource_key = 'role'
resources_key = 'roles'
base_path = '/domains/%(domain_id)s/users/%(user_id)s/roles'
service = identity_service.IdentityService()
# capabilities
allow_list = True
# Properties
#: name of the role *Type: string*
name = resource.Body('name')
#: The links for the service resource.
links = resource.Body('links')
#: The ID of the domain to list assignment from. *Type: string*
domain_id = resource.URI('domain_id')
#: The ID of the user to list assignment from. *Type: string*
user_id = resource.URI('user_id')

View File

@ -0,0 +1,34 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from openstack.identity import identity_service
from openstack import resource2 as resource
class RoleProjectGroupAssignment(resource.Resource):
resource_key = 'role'
resources_key = 'roles'
base_path = '/projects/%(project_id)s/groups/%(group_id)s/roles'
service = identity_service.IdentityService()
# capabilities
allow_list = True
# Properties
#: name of the role *Type: string*
name = resource.Body('name')
#: The links for the service resource.
links = resource.Body('links')
#: The ID of the project to list assignment from. *Type: string*
project_id = resource.URI('project_id')
#: The ID of the group to list assignment from. *Type: string*
group_id = resource.URI('group_id')

View File

@ -0,0 +1,34 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from openstack.identity import identity_service
from openstack import resource2 as resource
class RoleProjectUserAssignment(resource.Resource):
resource_key = 'role'
resources_key = 'roles'
base_path = '/projects/%(project_id)s/users/%(user_id)s/roles'
service = identity_service.IdentityService()
# capabilities
allow_list = True
# Properties
#: name of the role *Type: string*
name = resource.Body('name')
#: The links for the service resource.
links = resource.Body('links')
#: The ID of the project to list assignment from. *Type: string*
project_id = resource.URI('project_id')
#: The ID of the user to list assignment from. *Type: string*
user_id = resource.URI('user_id')

View File

@ -16,7 +16,6 @@ from openstack.identity.v3 import role
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'domain_id': '1',
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'name': '2',
@ -40,7 +39,6 @@ class TestRole(testtools.TestCase):
def test_make_it(self):
sot = role.Role(**EXAMPLE)
self.assertEqual(EXAMPLE['domain_id'], sot.domain_id)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['name'], sot.name)

View File

@ -0,0 +1,44 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from openstack.identity.v3 import role_assignment
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'scope': {'domain': {'id': '2'}},
'user': {'id': '3'},
'group': {'id': '4'}
}
class TestRoleAssignment(testtools.TestCase):
def test_basic(self):
sot = role_assignment.RoleAssignment()
self.assertEqual('role_assignment', sot.resource_key)
self.assertEqual('role_assignments', sot.resources_key)
self.assertEqual('/role_assignments',
sot.base_path)
self.assertEqual('identity', sot.service.service_type)
self.assertTrue(sot.allow_list)
def test_make_it(self):
sot = role_assignment.RoleAssignment(**EXAMPLE)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['scope'], sot.scope)
self.assertEqual(EXAMPLE['user'], sot.user)
self.assertEqual(EXAMPLE['group'], sot.group)

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from openstack.identity.v3 import role_domain_group_assignment
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'name': '2',
'domain_id': '3',
'group_id': '4'
}
class TestRoleDomainGroupAssignment(testtools.TestCase):
def test_basic(self):
sot = role_domain_group_assignment.RoleDomainGroupAssignment()
self.assertEqual('role', sot.resource_key)
self.assertEqual('roles', sot.resources_key)
self.assertEqual('/domains/%(domain_id)s/groups/%(group_id)s/roles',
sot.base_path)
self.assertEqual('identity', sot.service.service_type)
self.assertTrue(sot.allow_list)
def test_make_it(self):
sot = \
role_domain_group_assignment.RoleDomainGroupAssignment(**EXAMPLE)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['name'], sot.name)
self.assertEqual(EXAMPLE['domain_id'], sot.domain_id)
self.assertEqual(EXAMPLE['group_id'], sot.group_id)

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from openstack.identity.v3 import role_domain_user_assignment
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'name': '2',
'domain_id': '3',
'user_id': '4'
}
class TestRoleDomainUserAssignment(testtools.TestCase):
def test_basic(self):
sot = role_domain_user_assignment.RoleDomainUserAssignment()
self.assertEqual('role', sot.resource_key)
self.assertEqual('roles', sot.resources_key)
self.assertEqual('/domains/%(domain_id)s/users/%(user_id)s/roles',
sot.base_path)
self.assertEqual('identity', sot.service.service_type)
self.assertTrue(sot.allow_list)
def test_make_it(self):
sot = \
role_domain_user_assignment.RoleDomainUserAssignment(**EXAMPLE)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['name'], sot.name)
self.assertEqual(EXAMPLE['domain_id'], sot.domain_id)
self.assertEqual(EXAMPLE['user_id'], sot.user_id)

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from openstack.identity.v3 import role_project_group_assignment
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'name': '2',
'project_id': '3',
'group_id': '4'
}
class TestRoleProjectGroupAssignment(testtools.TestCase):
def test_basic(self):
sot = role_project_group_assignment.RoleProjectGroupAssignment()
self.assertEqual('role', sot.resource_key)
self.assertEqual('roles', sot.resources_key)
self.assertEqual('/projects/%(project_id)s/groups/%(group_id)s/roles',
sot.base_path)
self.assertEqual('identity', sot.service.service_type)
self.assertTrue(sot.allow_list)
def test_make_it(self):
sot = \
role_project_group_assignment.RoleProjectGroupAssignment(**EXAMPLE)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['name'], sot.name)
self.assertEqual(EXAMPLE['project_id'], sot.project_id)
self.assertEqual(EXAMPLE['group_id'], sot.group_id)

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from openstack.identity.v3 import role_project_user_assignment
IDENTIFIER = 'IDENTIFIER'
EXAMPLE = {
'id': IDENTIFIER,
'links': {'self': 'http://example.com/user1'},
'name': '2',
'project_id': '3',
'user_id': '4'
}
class TestRoleProjectUserAssignment(testtools.TestCase):
def test_basic(self):
sot = role_project_user_assignment.RoleProjectUserAssignment()
self.assertEqual('role', sot.resource_key)
self.assertEqual('roles', sot.resources_key)
self.assertEqual('/projects/%(project_id)s/users/%(user_id)s/roles',
sot.base_path)
self.assertEqual('identity', sot.service.service_type)
self.assertTrue(sot.allow_list)
def test_make_it(self):
sot = \
role_project_user_assignment.RoleProjectUserAssignment(**EXAMPLE)
self.assertEqual(EXAMPLE['id'], sot.id)
self.assertEqual(EXAMPLE['links'], sot.links)
self.assertEqual(EXAMPLE['name'], sot.name)
self.assertEqual(EXAMPLE['project_id'], sot.project_id)
self.assertEqual(EXAMPLE['user_id'], sot.user_id)