Move Assignment Controllers and Routers to be First Class

The assignment and identity controllers and routers have been intermixed since they were the same subsystem. The split of Identity and Assignment at the manager level has completed. This change continues the process and makes the Assignment controllers and router definitions part of the assignment subsystem instead of part of Identity. In part, this is also a continuation of clarifying where domain lookups (for per-domain-identity backend logic) occurs. Identity maintains a simple subclass-proxy of each Controller that was moved to maintain compatibility for clean deprecation until Icehouse has been released and development opens up for J. bp: assignment-controller-first-class bp: deprecated-as-of-icehouse related-bug: #1218094 Change-Id: If9a206692704005284e619679e1b6fe8b08bf8c9
2013-12-13 23:04:06 -08:00 · 2013-12-13 23:04:06 -08:00 · 3e2a26281c
parent dcefec5e0f
commit 3e2a26281c
10 changed files with 1314 additions and 1155 deletions
--- a/keystone/assignment/init.py
+++ b/keystone/assignment/init.py
@ -15,4 +15,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+from keystone.assignment import controllers
 from keystone.assignment.core import *
+from keystone.assignment import routers
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
--- a/keystone/assignment/routers.py
+++ b/keystone/assignment/routers.py
@ -0,0 +1,184 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2013 Metacloud, Inc.
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""WSGI Routers for the Assignment service."""
+
+from keystone.assignment import controllers
+from keystone.common import router
+from keystone.common import wsgi
+from keystone import config
+
+
+class Public(wsgi.ComposableRouter):
+    def add_routes(self, mapper):
+        tenant_controller = controllers.Tenant()
+        mapper.connect('/tenants',
+                       controller=tenant_controller,
+                       action='get_projects_for_token',
+                       conditions=dict(method=['GET']))
+
+
+class Admin(wsgi.ComposableRouter):
+    def add_routes(self, mapper):
+        # Tenant Operations
+        tenant_controller = controllers.Tenant()
+        mapper.connect('/tenants',
+                       controller=tenant_controller,
+                       action='get_all_projects',
+                       conditions=dict(method=['GET']))
+        mapper.connect('/tenants/{tenant_id}',
+                       controller=tenant_controller,
+                       action='get_project',
+                       conditions=dict(method=['GET']))
+
+        # Role Operations
+        roles_controller = controllers.Role()
+        mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles',
+                       controller=roles_controller,
+                       action='get_user_roles',
+                       conditions=dict(method=['GET']))
+        mapper.connect('/users/{user_id}/roles',
+                       controller=roles_controller,
+                       action='get_user_roles',
+                       conditions=dict(method=['GET']))
+
+
+def append_v3_routers(mapper, routers):
+    routers.append(
+        router.Router(controllers.DomainV3(),
+                      'domains', 'domain'))
+
+    project_controller = controllers.ProjectV3()
+    routers.append(
+        router.Router(project_controller,
+                      'projects', 'project'))
+    mapper.connect('/users/{user_id}/projects',
+                   controller=project_controller,
+                   action='list_user_projects',
+                   conditions=dict(method=['GET']))
+
+    role_controller = controllers.RoleV3()
+    routers.append(router.Router(role_controller, 'roles', 'role'))
+    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='create_grant',
+                   conditions=dict(method=['PUT']))
+    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='create_grant',
+                   conditions=dict(method=['PUT']))
+    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='check_grant',
+                   conditions=dict(method=['HEAD']))
+    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='check_grant',
+                   conditions=dict(method=['HEAD']))
+    mapper.connect('/projects/{project_id}/users/{user_id}/roles',
+                   controller=role_controller,
+                   action='list_grants',
+                   conditions=dict(method=['GET']))
+    mapper.connect('/projects/{project_id}/groups/{group_id}/roles',
+                   controller=role_controller,
+                   action='list_grants',
+                   conditions=dict(method=['GET']))
+    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='revoke_grant',
+                   conditions=dict(method=['DELETE']))
+    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='revoke_grant',
+                   conditions=dict(method=['DELETE']))
+    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='create_grant',
+                   conditions=dict(method=['PUT']))
+    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='create_grant',
+                   conditions=dict(method=['PUT']))
+    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='check_grant',
+                   conditions=dict(method=['HEAD']))
+    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='check_grant',
+                   conditions=dict(method=['HEAD']))
+    mapper.connect('/domains/{domain_id}/users/{user_id}/roles',
+                   controller=role_controller,
+                   action='list_grants',
+                   conditions=dict(method=['GET']))
+    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles',
+                   controller=role_controller,
+                   action='list_grants',
+                   conditions=dict(method=['GET']))
+    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='revoke_grant',
+                   conditions=dict(method=['DELETE']))
+    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
+                   controller=role_controller,
+                   action='revoke_grant',
+                   conditions=dict(method=['DELETE']))
+
+    if config.CONF.os_inherit.enabled:
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='create_grant',
+                       conditions=dict(method=['PUT']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='create_grant',
+                       conditions=dict(method=['PUT']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='check_grant',
+                       conditions=dict(method=['HEAD']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='check_grant',
+                       conditions=dict(method=['HEAD']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
+                        '/roles/inherited_to_projects'),
+                       controller=role_controller,
+                       action='list_grants',
+                       conditions=dict(method=['GET']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
+                        '/roles/inherited_to_projects'),
+                       controller=role_controller,
+                       action='list_grants',
+                       conditions=dict(method=['GET']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='revoke_grant',
+                       conditions=dict(method=['DELETE']))
+        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
+                        '/roles/{role_id}/inherited_to_projects'),
+                       controller=role_controller,
+                       action='revoke_grant',
+                       conditions=dict(method=['DELETE']))
+    routers.append(
+        router.Router(controllers.RoleAssignmentV3(),
+                      'role_assignments', 'role_assignment'))
--- a/keystone/contrib/admin_crud/core.py
+++ b/keystone/contrib/admin_crud/core.py
@ -13,6 +13,8 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+
+from keystone import assignment
 from keystone import catalog
 from keystone.common import extension
 from keystone.common import wsgi
@ -47,9 +49,9 @@ class CrudExtension(wsgi.ExtensionRouter):
    """

    def add_routes(self, mapper):
-        tenant_controller = identity.controllers.Tenant()
+        tenant_controller = assignment.controllers.Tenant()
        user_controller = identity.controllers.User()
-        role_controller = identity.controllers.Role()
+        role_controller = assignment.controllers.Role()
        service_controller = catalog.controllers.Service()
        endpoint_controller = catalog.controllers.Endpoint()

--- a/keystone/contrib/endpoint_filter/controllers.py
+++ b/keystone/contrib/endpoint_filter/controllers.py
@ -15,10 +15,10 @@
 # under the License.


+from keystone import assignment
 from keystone.catalog import controllers as catalog_controllers
 from keystone.common import controller
 from keystone.common import dependency
-from keystone.identity import controllers as identity_controllers


@dependency.requires('assignment_api', 'catalog_api', 'endpoint_filter_api')
@ -72,5 +72,5 @@ class EndpointFilterV3Controller(controller.V3Controller):

        projects = [self.assignment_api.get_project(
            ref.project_id) for ref in refs]
-        return identity_controllers.ProjectV3.wrap_collection(context,
-                                                              projects)
+        return assignment.controllers.ProjectV3.wrap_collection(context,
+                                                                projects)
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
--- a/keystone/identity/routers.py
+++ b/keystone/identity/routers.py
@ -16,32 +16,11 @@
 """WSGI Routers for the Identity service."""
 from keystone.common import router
 from keystone.common import wsgi
-from keystone import config
 from keystone.identity import controllers


-class Public(wsgi.ComposableRouter):
-    def add_routes(self, mapper):
-        tenant_controller = controllers.Tenant()
-        mapper.connect('/tenants',
-                       controller=tenant_controller,
-                       action='get_projects_for_token',
-                       conditions=dict(method=['GET']))
-
-
 class Admin(wsgi.ComposableRouter):
    def add_routes(self, mapper):
-        # Tenant Operations
-        tenant_controller = controllers.Tenant()
-        mapper.connect('/tenants',
-                       controller=tenant_controller,
-                       action='get_all_projects',
-                       conditions=dict(method=['GET']))
-        mapper.connect('/tenants/{tenant_id}',
-                       controller=tenant_controller,
-                       action='get_project',
-                       conditions=dict(method=['GET']))
-
        # User Operations
        user_controller = controllers.User()
        mapper.connect('/users/{user_id}',
@ -49,32 +28,8 @@ class Admin(wsgi.ComposableRouter):
                       action='get_user',
                       conditions=dict(method=['GET']))

-        # Role Operations
-        roles_controller = controllers.Role()
-        mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles',
-                       controller=roles_controller,
-                       action='get_user_roles',
-                       conditions=dict(method=['GET']))
-        mapper.connect('/users/{user_id}/roles',
-                       controller=roles_controller,
-                       action='get_user_roles',
-                       conditions=dict(method=['GET']))
-

 def append_v3_routers(mapper, routers):
-    routers.append(
-        router.Router(controllers.DomainV3(),
-                      'domains', 'domain'))
-
-    project_controller = controllers.ProjectV3()
-    routers.append(
-        router.Router(project_controller,
-                      'projects', 'project'))
-    mapper.connect('/users/{user_id}/projects',
-                   controller=project_controller,
-                   action='list_user_projects',
-                   conditions=dict(method=['GET']))
-
    user_controller = controllers.UserV3()
    routers.append(
        router.Router(user_controller,
@ -112,115 +67,3 @@ def append_v3_routers(mapper, routers):
                   controller=group_controller,
                   action='list_groups_for_user',
                   conditions=dict(method=['GET']))
-
-    role_controller = controllers.RoleV3()
-    routers.append(router.Router(role_controller, 'roles', 'role'))
-    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='create_grant',
-                   conditions=dict(method=['PUT']))
-    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='create_grant',
-                   conditions=dict(method=['PUT']))
-    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='check_grant',
-                   conditions=dict(method=['HEAD']))
-    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='check_grant',
-                   conditions=dict(method=['HEAD']))
-    mapper.connect('/projects/{project_id}/users/{user_id}/roles',
-                   controller=role_controller,
-                   action='list_grants',
-                   conditions=dict(method=['GET']))
-    mapper.connect('/projects/{project_id}/groups/{group_id}/roles',
-                   controller=role_controller,
-                   action='list_grants',
-                   conditions=dict(method=['GET']))
-    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='revoke_grant',
-                   conditions=dict(method=['DELETE']))
-    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='revoke_grant',
-                   conditions=dict(method=['DELETE']))
-    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='create_grant',
-                   conditions=dict(method=['PUT']))
-    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='create_grant',
-                   conditions=dict(method=['PUT']))
-    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='check_grant',
-                   conditions=dict(method=['HEAD']))
-    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='check_grant',
-                   conditions=dict(method=['HEAD']))
-    mapper.connect('/domains/{domain_id}/users/{user_id}/roles',
-                   controller=role_controller,
-                   action='list_grants',
-                   conditions=dict(method=['GET']))
-    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles',
-                   controller=role_controller,
-                   action='list_grants',
-                   conditions=dict(method=['GET']))
-    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='revoke_grant',
-                   conditions=dict(method=['DELETE']))
-    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
-                   controller=role_controller,
-                   action='revoke_grant',
-                   conditions=dict(method=['DELETE']))
-
-    if config.CONF.os_inherit.enabled:
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='create_grant',
-                       conditions=dict(method=['PUT']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='create_grant',
-                       conditions=dict(method=['PUT']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='check_grant',
-                       conditions=dict(method=['HEAD']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='check_grant',
-                       conditions=dict(method=['HEAD']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
-                        '/roles/inherited_to_projects'),
-                       controller=role_controller,
-                       action='list_grants',
-                       conditions=dict(method=['GET']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
-                        '/roles/inherited_to_projects'),
-                       controller=role_controller,
-                       action='list_grants',
-                       conditions=dict(method=['GET']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='revoke_grant',
-                       conditions=dict(method=['DELETE']))
-        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
-                        '/roles/{role_id}/inherited_to_projects'),
-                       controller=role_controller,
-                       action='revoke_grant',
-                       conditions=dict(method=['DELETE']))
-    routers.append(
-        router.Router(controllers.RoleAssignmentV3(),
-                      'role_assignments', 'role_assignment'))
--- a/keystone/service.py
+++ b/keystone/service.py
@ -83,7 +83,7 @@ def public_app_factory(global_conf, **local_conf):
    conf = global_conf.copy()
    conf.update(local_conf)
    return wsgi.ComposingRouter(routes.Mapper(),
-                                [identity.routers.Public(),
+                                [assignment.routers.Public(),
                                 token.routers.Router(),
                                 routers.VersionV2('public'),
                                 routers.Extension(False)])
@ -95,6 +95,7 @@ def admin_app_factory(global_conf, **local_conf):
    conf.update(local_conf)
    return wsgi.ComposingRouter(routes.Mapper(),
                                [identity.routers.Admin(),
+                                 assignment.routers.Admin(),
                                    token.routers.Router(),
                                    routers.VersionV2('admin'),
                                    routers.Extension()])
@ -123,7 +124,7 @@ def v3_app_factory(global_conf, **local_conf):
    conf.update(local_conf)
    mapper = routes.Mapper()
    v3routers = []
-    for module in [auth, catalog, credential, identity, policy]:
+    for module in [assignment, auth, catalog, credential, identity, policy]:
        module.routers.append_v3_routers(mapper, v3routers)

    if CONF.trust.enabled:
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@ -16,10 +16,10 @@ import copy
 import datetime
 import uuid

+from keystone import assignment
 from keystone import auth
 from keystone import config
 from keystone import exception
-from keystone import identity
 from keystone.openstack.common import timeutils
 from keystone import tests
 from keystone.tests import default_fixtures
@ -409,7 +409,7 @@ class AuthWithToken(AuthTest):
        self.assertEqual(bind['kerberos'], 'FOO')

    def test_deleting_role_revokes_token(self):
-        role_controller = identity.controllers.Role()
+        role_controller = assignment.controllers.Role()
        project1 = {'id': 'Project1', 'name': uuid.uuid4().hex,
                    'domain_id': DEFAULT_DOMAIN_ID}
        self.assignment_api.create_project(project1['id'], project1)
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@ -16,11 +16,11 @@

 import uuid

+from keystone import assignment
 from keystone.common import controller
 from keystone.common import dependency
 from keystone import config
 from keystone import exception
-from keystone import identity
 from keystone.openstack.common import log as logging
 from keystone.openstack.common import timeutils

@ -105,7 +105,7 @@ class TrustV3(controller.V3Controller):
            matching_roles = [x for x in global_roles
                              if x['id'] == trust_role['id']]
            if matching_roles:
-                full_role = identity.controllers.RoleV3.wrap_member(
+                full_role = assignment.controllers.RoleV3.wrap_member(
                    context, matching_roles[0])['role']
                trust_full_roles.append(full_role)
        trust['roles'] = trust_full_roles
@ -265,7 +265,7 @@ class TrustV3(controller.V3Controller):
        matching_roles = [x for x in global_roles
                          if x['id'] == role_id]
        if matching_roles:
-            full_role = (identity.controllers.
+            full_role = (assignment.controllers.
                         RoleV3.wrap_member(context, matching_roles[0]))
            return full_role
        else: