diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py index 245def5c56..5be6ab6400 100644 --- a/keystone/assignment/controllers.py +++ b/keystone/assignment/controllers.py @@ -36,7 +36,8 @@ CONF = config.CONF LOG = log.getLogger(__name__) -@dependency.requires('assignment_api', 'identity_api', 'token_provider_api') +@dependency.requires('assignment_api', 'identity_api', 'resource_api', + 'token_provider_api') class Tenant(controller.V2Controller): @controller.v2_deprecated @@ -47,7 +48,7 @@ class Tenant(controller.V2Controller): context, context['query_string'].get('name')) self.assert_admin(context) - tenant_refs = self.assignment_api.list_projects_in_domain( + tenant_refs = self.resource_api.list_projects_in_domain( CONF.identity.default_domain_id) for tenant_ref in tenant_refs: tenant_ref = self.filter_domain_id(tenant_ref) @@ -90,13 +91,13 @@ class Tenant(controller.V2Controller): def get_project(self, context, tenant_id): # TODO(termie): this stuff should probably be moved to middleware self.assert_admin(context) - ref = self.assignment_api.get_project(tenant_id) + ref = self.resource_api.get_project(tenant_id) return {'tenant': self.filter_domain_id(ref)} @controller.v2_deprecated def get_project_by_name(self, context, tenant_name): self.assert_admin(context) - ref = self.assignment_api.get_project_by_name( + ref = self.resource_api.get_project_by_name( tenant_name, CONF.identity.default_domain_id) return {'tenant': self.filter_domain_id(ref)} @@ -111,7 +112,7 @@ class Tenant(controller.V2Controller): self.assert_admin(context) tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) - tenant = self.assignment_api.create_project( + tenant = self.resource_api.create_project( tenant_ref['id'], self._normalize_domain_id(context, tenant_ref)) return {'tenant': self.filter_domain_id(tenant)} 
@@ -124,14 +125,14 @@ class Tenant(controller.V2Controller): clean_tenant = tenant.copy() clean_tenant.pop('domain_id', None) - tenant_ref = self.assignment_api.update_project( + tenant_ref = self.resource_api.update_project( tenant_id, clean_tenant) return {'tenant': tenant_ref} @controller.v2_deprecated def delete_project(self, context, tenant_id): self.assert_admin(context) - self.assignment_api.delete_project(tenant_id) + self.resource_api.delete_project(tenant_id) @controller.v2_deprecated def get_project_users(self, context, tenant_id, **kw): 
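Review bot: In `Tenant.update_project` (keystone/assignment/controllers.py, hunk at -124) the result of `self.resource_api.update_project(...)` is returned as `{'tenant': tenant_ref}` without going through `self.filter_domain_id`, while `get_project`, `get_project_by_name` and `create_project` in the earlier hunks of the same class all filter the ref before returning it. The request body has `domain_id` popped, but the ref that comes back from the manager may still carry it, so this V2 response can differ from the others. If that is unintended, return `{'tenant': self.filter_domain_id(tenant_ref)}`. The start of `update_project` lies outside the hunk.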
@@ -345,74 +346,73 @@ class Role(controller.V2Controller): user_id, tenant_id, role_id) -@dependency.requires('assignment_api') +@dependency.requires('resource_api') class DomainV3(controller.V3Controller): collection_name = 'domains' member_name = 'domain' def __init__(self): super(DomainV3, self).__init__() - self.get_member_from_driver = self.assignment_api.get_domain + self.get_member_from_driver = self.resource_api.get_domain @controller.protected() @validation.validated(schema.domain_create, 'domain') def create_domain(self, context, domain): ref = self._assign_unique_id(self._normalize_dict(domain)) - ref = self.assignment_api.create_domain(ref['id'], ref) + ref = self.resource_api.create_domain(ref['id'], ref) return DomainV3.wrap_member(context, ref) @controller.filterprotected('enabled', 'name') def list_domains(self, context, filters): hints = DomainV3.build_driver_hints(context, filters) - refs = self.assignment_api.list_domains(hints=hints) + refs = self.resource_api.list_domains(hints=hints) return DomainV3.wrap_collection(context, refs, hints=hints) @controller.protected() def get_domain(self, context, domain_id): - ref = self.assignment_api.get_domain(domain_id) + ref = self.resource_api.get_domain(domain_id) return DomainV3.wrap_member(context, ref) @controller.protected() @validation.validated(schema.domain_update, 'domain') def update_domain(self, context, domain_id, domain): self._require_matching_id(domain_id, domain) - ref = self.assignment_api.update_domain(domain_id, domain) + ref = self.resource_api.update_domain(domain_id, domain) return DomainV3.wrap_member(context, ref) @controller.protected() def delete_domain(self, context, domain_id): - return self.assignment_api.delete_domain(domain_id) + return self.resource_api.delete_domain(domain_id) -@dependency.requires('assignment_api') +@dependency.requires('assignment_api', 'resource_api') class ProjectV3(controller.V3Controller): collection_name = 'projects' member_name = 'project' def 
__init__(self): super(ProjectV3, self).__init__() - self.get_member_from_driver = self.assignment_api.get_project + self.get_member_from_driver = self.resource_api.get_project @controller.protected() @validation.validated(schema.project_create, 'project') def create_project(self, context, project): ref = self._assign_unique_id(self._normalize_dict(project)) ref = self._normalize_domain_id(context, ref) - ref = self.assignment_api.create_project(ref['id'], ref) + ref = self.resource_api.create_project(ref['id'], ref) return ProjectV3.wrap_member(context, ref) @controller.filterprotected('domain_id', 'enabled', 'name', 'parent_id') def list_projects(self, context, filters): hints = ProjectV3.build_driver_hints(context, filters) - refs = self.assignment_api.list_projects(hints=hints) + refs = self.resource_api.list_projects(hints=hints) return ProjectV3.wrap_collection(context, refs, hints=hints) @controller.filterprotected('enabled', 'name') def list_user_projects(self, context, filters, user_id): hints = ProjectV3.build_driver_hints(context, filters) - refs = self.assignment_api.list_projects_for_user(user_id, - hints=hints) + refs = self.assignment_api.list_projects_for_user(user_id, hints=hints) return ProjectV3.wrap_collection(context, refs, hints=hints) def _expand_project_ref(self, context, ref): @@ -420,7 +420,7 @@ class ProjectV3(controller.V3Controller): if ('parents_as_list' in context['query_string'] and self.query_filter_is_true( context['query_string']['parents_as_list'])): - parents = self.assignment_api.list_project_parents( + parents = self.resource_api.list_project_parents( ref['id'], user_id) ref['parents'] = [ProjectV3.wrap_member(context, p) for p in parents] 
@@ -428,14 +428,14 @@ class ProjectV3(controller.V3Controller): if ('subtree_as_list' in context['query_string'] and self.query_filter_is_true( context['query_string']['subtree_as_list'])): - subtree = self.assignment_api.list_projects_in_subtree( + subtree = self.resource_api.list_projects_in_subtree( ref['id'], user_id) ref['subtree'] = [ProjectV3.wrap_member(context, p) for p in subtree] @controller.protected() def get_project(self, context, project_id): - ref = self.assignment_api.get_project(project_id) + ref = self.resource_api.get_project(project_id) self._expand_project_ref(context, ref) return ProjectV3.wrap_member(context, ref) @@ -444,16 +444,17 @@ class ProjectV3(controller.V3Controller): def update_project(self, context, project_id, project): self._require_matching_id(project_id, project) self._require_matching_domain_id( - project_id, project, self.assignment_api.get_project) - ref = self.assignment_api.update_project(project_id, project) + project_id, project, self.resource_api.get_project) + ref = self.resource_api.update_project(project_id, project) return ProjectV3.wrap_member(context, ref) @controller.protected() def delete_project(self, context, project_id): - return self.assignment_api.delete_project(project_id) + return self.resource_api.delete_project(project_id) -@dependency.requires('assignment_api', 'identity_api', 'role_api') +@dependency.requires('assignment_api', 'identity_api', 'resource_api', + 'role_api') class RoleV3(controller.V3Controller): collection_name = 'roles' member_name = 'role' @@ -532,9 +533,9 @@ class RoleV3(controller.V3Controller): ref['group'] = self.identity_api.get_group(group_id) if domain_id: - ref['domain'] = self.assignment_api.get_domain(domain_id) + ref['domain'] = self.resource_api.get_domain(domain_id) else: - ref['project'] = self.assignment_api.get_project(project_id) + ref['project'] = self.resource_api.get_project(project_id) self.check_protection(context, protection, ref) 
@@ -588,7 +589,7 @@ class RoleV3(controller.V3Controller): self._check_if_inherited(context), context) -@dependency.requires('assignment_api', 'identity_api') +@dependency.requires('assignment_api', 'identity_api', 'resource_api') class RoleAssignmentV3(controller.V3Controller): # TODO(henry-nash): The current implementation does not provide a full @@ -824,7 +825,7 @@ class RoleAssignmentV3(controller.V3Controller): # projects owned by this domain. project_ids = ( [x['id'] for x in - self.assignment_api.list_projects_in_domain( + self.resource_api.list_projects_in_domain( r['scope']['domain']['id'])]) base_entry = copy.deepcopy(r) target_type = 'domains' @@ -836,7 +837,7 @@ class RoleAssignmentV3(controller.V3Controller): project_id = r['scope']['project']['id'] project_ids = ( [x['id'] for x in - self.assignment_api.list_projects_in_subtree( + self.resource_api.list_projects_in_subtree( project_id)]) base_entry = copy.deepcopy(r) target_type = 'projects' diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py index 60fdae04f0..b86eadf940 100644 --- a/keystone/auth/controllers.py +++ b/keystone/auth/controllers.py @@ -124,7 +124,7 @@ class AuthContext(dict): # available for consumers. Consumers should probably not be getting # identity_api from this since it's available in global registry, then # identity_api should be removed from this list. -@dependency.requires('assignment_api', 'identity_api', 'trust_api') +@dependency.requires('identity_api', 'resource_api', 'trust_api') class AuthInfo(object): """Encapsulation of "auth" request.""" @@ -147,7 +147,7 @@ class AuthInfo(object): def _assert_project_is_enabled(self, project_ref): # ensure the project is enabled try: - self.assignment_api.assert_project_enabled( + self.resource_api.assert_project_enabled( project_id=project_ref['id'], project=project_ref) except AssertionError as e: 
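Review bot: `AuthInfo` in keystone/auth/controllers.py (hunk at -124) no longer lists `'assignment_api'` in `@dependency.requires`, and only part of the class body is visible in this diff, so any `self.assignment_api` reference left outside the shown hunks would presumably fail with an AttributeError while an authentication request is being handled. The same removal is made for `Domain` and `LegacyDomain` in auth/plugins/external.py, `UserAuthInfo` in auth/plugins/password.py, `_ControllerBase` in contrib/endpoint_filter, `AccessTokenRolesV3` in contrib/oauth1, `UserController` in contrib/user_crud and `BaseProvider` in token/providers/common.py. A search for `self.assignment_api` in each of those classes and their subclasses, plus a test that exercises every authentication path, would confirm nothing was missed.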
@@ -157,7 +157,7 @@ class AuthInfo(object): def _assert_domain_is_enabled(self, domain_ref): try: - self.assignment_api.assert_domain_enabled( + self.resource_api.assert_domain_enabled( domain_id=domain_ref['id'], domain=domain_ref) except AssertionError as e: @@ -174,10 +174,10 @@ class AuthInfo(object): target='domain') try: if domain_name: - domain_ref = self.assignment_api.get_domain_by_name( + domain_ref = self.resource_api.get_domain_by_name( domain_name) else: - domain_ref = self.assignment_api.get_domain(domain_id) + domain_ref = self.resource_api.get_domain(domain_id) except exception.DomainNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) @@ -197,10 +197,10 @@ class AuthInfo(object): raise exception.ValidationError(attribute='domain', target='project') domain_ref = self._lookup_domain(project_info['domain']) - project_ref = self.assignment_api.get_project_by_name( + project_ref = self.resource_api.get_project_by_name( project_name, domain_ref['id']) else: - project_ref = self.assignment_api.get_project(project_id) + project_ref = self.resource_api.get_project(project_id) # NOTE(morganfainberg): The _lookup_domain method will raise # exception.Unauthorized if the domain isn't found or is # disabled. @@ -340,7 +340,7 @@ class AuthInfo(object): @dependency.requires('assignment_api', 'catalog_api', 'identity_api', - 'token_provider_api', 'trust_api') + 'resource_api', 'token_provider_api', 'trust_api') class Auth(controller.V3Controller): # Note(atiwari): From V3 auth controller code we are 
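Review bot: The `except exception.DomainNotFound` branch of `_lookup_domain` (keystone/auth/controllers.py, hunk at -174) calls `LOG.exception(e)`, which records a full traceback for a condition that a caller can produce, presumably before being authenticated, simply by naming a domain that does not exist. That makes failed logins noisy and lets a client inflate the log; a single line such as `LOG.warning('Domain lookup failed during authentication: %s', e)` keeps the audit trail without the traceback. The exception is also passed into `exception.Unauthorized(e)`; whether its text reaches the client is decided outside this diff, but the response for an unknown domain should not be distinguishable from the one for a wrong password. The matching branch in keystone/auth/plugins/password.py (hunk at -69) has the same pattern. Both functions start outside their hunks.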
@@ -427,9 +427,9 @@ class Auth(controller.V3Controller): # make sure user's default project is legit before scoping to it try: - default_project_ref = self.assignment_api.get_project( + default_project_ref = self.resource_api.get_project( default_project_id) - default_project_domain_ref = self.assignment_api.get_domain( + default_project_domain_ref = self.resource_api.get_domain( default_project_ref['domain_id']) if (default_project_ref.get('enabled', True) and default_project_domain_ref.get('enabled', True)): diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py index 3cf51ebc88..4cd37b5776 100644 --- a/keystone/auth/plugins/external.py +++ b/keystone/auth/plugins/external.py @@ -74,7 +74,7 @@ class DefaultDomain(Base): return user_ref -@dependency.requires('assignment_api', 'identity_api') +@dependency.requires('identity_api', 'resource_api') class Domain(Base): def _authenticate(self, remote_user, context): """Use remote_user to look up the user in the identity backend. @@ -89,7 +89,7 @@ class Domain(Base): except KeyError: domain_id = CONF.identity.default_domain_id else: - domain_ref = self.assignment_api.get_domain_by_name(domain_name) + domain_ref = self.resource_api.get_domain_by_name(domain_name) domain_id = domain_ref['id'] user_ref = self.identity_api.get_user_by_name(username, domain_id) @@ -156,7 +156,7 @@ class LegacyDefaultDomain(Base): return user_ref -@dependency.requires('assignment_api', 'identity_api') +@dependency.requires('identity_api', 'resource_api') class LegacyDomain(Base): """Deprecated. Please use keystone.auth.external.Domain instead.""" @@ -178,7 +178,7 @@ class LegacyDomain(Base): username = names.pop(0) if names: domain_name = names[0] - domain_ref = self.assignment_api.get_domain_by_name(domain_name) + domain_ref = self.resource_api.get_domain_by_name(domain_name) domain_id = domain_ref['id'] else: domain_id = CONF.identity.default_domain_id 
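Review bot: The default-project check in `Auth` (keystone/auth/controllers.py, hunk at -427) tests `default_project_ref.get('enabled', True)` and `default_project_domain_ref.get('enabled', True)`, so a ref that lacks the `enabled` key is treated as enabled. `validate_auth_info` in keystone/token/core.py (hunks at -60 and -75) does the same and additionally guards with `if user_domain_ref and ...`, which skips the disabled check when the lookup returns a falsy value. Unless the manager guarantees the key, the safer reading for an authentication decision is `ref.get('enabled', False)`, or a call to the `assert_project_enabled` / `assert_domain_enabled` helpers that `AuthInfo` already uses in this file. The enclosing method continues past the end of the hunk.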
diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py index 632e9ca736..c34489a821 100644 --- a/keystone/auth/plugins/password.py +++ b/keystone/auth/plugins/password.py @@ -27,7 +27,7 @@ METHOD_NAME = 'password' LOG = log.getLogger(__name__) -@dependency.requires('assignment_api', 'identity_api') +@dependency.requires('identity_api', 'resource_api') class UserAuthInfo(object): @staticmethod def create(auth_payload): @@ -42,7 +42,7 @@ class UserAuthInfo(object): def _assert_domain_is_enabled(self, domain_ref): try: - self.assignment_api.assert_domain_enabled( + self.resource_api.assert_domain_enabled( domain_id=domain_ref['id'], domain=domain_ref) except AssertionError as e: @@ -69,10 +69,10 @@ class UserAuthInfo(object): target='domain') try: if domain_name: - domain_ref = self.assignment_api.get_domain_by_name( + domain_ref = self.resource_api.get_domain_by_name( domain_name) else: - domain_ref = self.assignment_api.get_domain(domain_id) + domain_ref = self.resource_api.get_domain(domain_id) except exception.DomainNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) @@ -101,7 +101,7 @@ class UserAuthInfo(object): user_name, domain_ref['id']) else: user_ref = self.identity_api.get_user(user_id) - domain_ref = self.assignment_api.get_domain( + domain_ref = self.resource_api.get_domain( user_ref['domain_id']) self._assert_domain_is_enabled(domain_ref) except exception.UserNotFound as e: diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py index 0e9f381617..08f4e85735 100644 --- a/keystone/contrib/ec2/controllers.py +++ b/keystone/contrib/ec2/controllers.py 
@@ -50,7 +50,8 @@ from keystone.models import token_model @dependency.requires('assignment_api', 'catalog_api', 'credential_api', - 'identity_api', 'role_api', 'token_provider_api') + 'identity_api', 'resource_api', 'role_api', + 'token_provider_api') @six.add_metaclass(abc.ABCMeta) class Ec2ControllerCommon(object): def check_signature(self, creds_ref, credentials): @@ -112,7 +113,7 @@ class Ec2ControllerCommon(object): # TODO(termie): don't create new tokens every time # TODO(termie): this is copied from TokenController.authenticate - tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id']) + tenant_ref = self.resource_api.get_project(creds_ref['tenant_id']) user_ref = self.identity_api.get_user(creds_ref['user_id']) metadata_ref = {} metadata_ref['roles'] = ( @@ -128,9 +129,9 @@ class Ec2ControllerCommon(object): try: self.identity_api.assert_user_enabled( user_id=user_ref['id'], user=user_ref) - self.assignment_api.assert_domain_enabled( + self.resource_api.assert_domain_enabled( domain_id=user_ref['domain_id']) - self.assignment_api.assert_project_enabled( + self.resource_api.assert_project_enabled( project_id=tenant_ref['id'], project=tenant_ref) except AssertionError as e: six.reraise(exception.Unauthorized, exception.Unauthorized(e), @@ -159,7 +160,7 @@ class Ec2ControllerCommon(object): """ self.identity_api.get_user(user_id) - self.assignment_api.get_project(tenant_id) + self.resource_api.get_project(tenant_id) trust_id = self._get_trust_id_for_request(context) blob = {'access': uuid.uuid4().hex, 'secret': uuid.uuid4().hex, diff --git a/keystone/contrib/endpoint_filter/controllers.py b/keystone/contrib/endpoint_filter/controllers.py index d4ffeeace8..87b5c3e65f 100644 --- a/keystone/contrib/endpoint_filter/controllers.py +++ b/keystone/contrib/endpoint_filter/controllers.py 
@@ -22,14 +22,14 @@ from keystone import exception from keystone import notifications -@dependency.requires('assignment_api', 'catalog_api', 'endpoint_filter_api') +@dependency.requires('catalog_api', 'endpoint_filter_api', 'resource_api') class _ControllerBase(controller.V3Controller): """Base behaviors for endpoint filter controllers.""" def _get_endpoint_groups_for_project(self, project_id): # recover the project endpoint group memberships and for each # membership recover the endpoint group - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) try: refs = self.endpoint_filter_api.list_endpoint_groups_for_project( project_id) @@ -85,7 +85,7 @@ class EndpointFilterV3Controller(_ControllerBase): # The relationship can still be established even with a disabled # project as there are no security implications. self.catalog_api.get_endpoint(endpoint_id) - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) self.endpoint_filter_api.add_endpoint_to_project(endpoint_id, project_id) @@ -93,14 +93,14 @@ class EndpointFilterV3Controller(_ControllerBase): def check_endpoint_in_project(self, context, project_id, endpoint_id): """Verifies endpoint is currently associated with given project.""" self.catalog_api.get_endpoint(endpoint_id) - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) self.endpoint_filter_api.check_endpoint_in_project(endpoint_id, project_id) @controller.protected() def list_endpoints_for_project(self, context, project_id): """List all endpoints currently associated with a given project.""" - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) refs = self.endpoint_filter_api.list_endpoints_for_project(project_id) filtered_endpoints = dict( (ref['endpoint_id'], self.catalog_api.get_endpoint( 
@@ -133,7 +133,7 @@ class EndpointFilterV3Controller(_ControllerBase): self.catalog_api.get_endpoint(endpoint_id) refs = self.endpoint_filter_api.list_projects_for_endpoint(endpoint_id) - projects = [self.assignment_api.get_project( + projects = [self.resource_api.get_project( ref['project_id']) for ref in refs] return assignment.controllers.ProjectV3.wrap_collection(context, projects) @@ -221,7 +221,7 @@ class EndpointGroupV3Controller(_ControllerBase): endpoint_group_id)) projects = [] for endpoint_group_ref in endpoint_group_refs: - project = self.assignment_api.get_project( + project = self.resource_api.get_project( endpoint_group_ref['project_id']) if project: projects.append(project) @@ -260,7 +260,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase): def get_endpoint_group_in_project(self, context, endpoint_group_id, project_id): """Retrieve the endpoint group associated with the id if exists.""" - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) self.endpoint_filter_api.get_endpoint_group(endpoint_group_id) ref = self.endpoint_filter_api.get_endpoint_group_in_project( endpoint_group_id, project_id) @@ -271,7 +271,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase): def add_endpoint_group_to_project(self, context, endpoint_group_id, project_id): """Creates an association between an endpoint group and project.""" - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) self.endpoint_filter_api.get_endpoint_group(endpoint_group_id) self.endpoint_filter_api.add_endpoint_group_to_project( endpoint_group_id, project_id) 
@@ -280,7 +280,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase): def remove_endpoint_group_from_project(self, context, endpoint_group_id, project_id): """Remove the endpoint group from associated project.""" - self.assignment_api.get_project(project_id) + self.resource_api.get_project(project_id) self.endpoint_filter_api.get_endpoint_group(endpoint_group_id) self.endpoint_filter_api.remove_endpoint_group_from_project( endpoint_group_id, project_id) diff --git a/keystone/contrib/federation/controllers.py b/keystone/contrib/federation/controllers.py index 159118c1e5..81d57a80f7 100644 --- a/keystone/contrib/federation/controllers.py +++ b/keystone/contrib/federation/controllers.py @@ -289,14 +289,14 @@ class Auth(auth_controllers.Auth): headers=[('Content-Type', 'text/xml')]) -@dependency.requires('assignment_api') +@dependency.requires('assignment_api', 'resource_api') class DomainV3(controller.V3Controller): collection_name = 'domains' member_name = 'domain' def __init__(self): super(DomainV3, self).__init__() - self.get_member_from_driver = self.assignment_api.get_domain + self.get_member_from_driver = self.resource_api.get_domain @controller.protected() def list_domains_for_groups(self, context): @@ -312,14 +312,14 @@ class DomainV3(controller.V3Controller): return DomainV3.wrap_collection(context, domains) -@dependency.requires('assignment_api') +@dependency.requires('assignment_api', 'resource_api') class ProjectV3(controller.V3Controller): collection_name = 'projects' member_name = 'project' def __init__(self): super(ProjectV3, self).__init__() - self.get_member_from_driver = self.assignment_api.get_project + self.get_member_from_driver = self.resource_api.get_project @controller.protected() def list_projects_for_groups(self, context): diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py index e77f3412be..ba5cce49aa 100644 --- a/keystone/contrib/oauth1/controllers.py 
+++ b/keystone/contrib/oauth1/controllers.py @@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller): return formatted_entity -@dependency.requires('assignment_api', 'oauth_api', 'role_api') +@dependency.requires('oauth_api', 'role_api') class AccessTokenRolesV3(controller.V3Controller): collection_name = 'roles' member_name = 'role' diff --git a/keystone/contrib/user_crud/core.py b/keystone/contrib/user_crud/core.py index b0be434d81..48563aaa8a 100644 --- a/keystone/contrib/user_crud/core.py +++ b/keystone/contrib/user_crud/core.py @@ -46,7 +46,7 @@ extension.register_public_extension( ]}) -@dependency.requires('assignment_api', 'catalog_api', 'identity_api', +@dependency.requires('catalog_api', 'identity_api', 'resource_api', 'token_provider_api') class UserController(identity.controllers.User): def set_user_password(self, context, user_id, user): @@ -97,7 +97,7 @@ class UserController(identity.controllers.User): if token_ref.bind: new_token_ref['bind'] = token_ref.bind if token_ref.project_id: - new_token_ref['tenant'] = self.assignment_api.get_project( + new_token_ref['tenant'] = self.resource_api.get_project( token_ref.project_id) if token_ref.role_names: roles_ref = [dict(name=value) diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 326b20be66..0752c8c310 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -26,7 +26,7 @@ CONF = config.CONF LOG = log.getLogger(__name__) -@dependency.requires('assignment_api', 'identity_api') +@dependency.requires('assignment_api', 'identity_api', 'resource_api') class User(controller.V2Controller): @controller.v2_deprecated 
@@ -73,7 +73,7 @@ class User(controller.V2Controller): default_project_id = user.pop('tenantId', None) if default_project_id is not None: # Check to see if the project is valid before moving on. - self.assignment_api.get_project(default_project_id) + self.resource_api.get_project(default_project_id) user['default_project_id'] = default_project_id # The manager layer will generate the unique ID for users @@ -114,7 +114,7 @@ class User(controller.V2Controller): default_project_id is not None)): # Make sure the new project actually exists before we perform the # user update. - self.assignment_api.get_project(default_project_id) + self.resource_api.get_project(default_project_id) user_ref = self.v3_to_v2_user( self.identity_api.update_user(user_id, user)) diff --git a/keystone/identity/core.py b/keystone/identity/core.py index 8236d837df..3ff2690809 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -91,7 +91,7 @@ class DomainConfigs(dict): return importutils.import_object( domain_config['cfg'].identity.driver, domain_config['cfg']) - def _load_config(self, assignment_api, file_list, domain_name): + def _load_config(self, resource_api, file_list, domain_name): def assert_no_more_than_one_sql_driver(new_config, config_file): """Ensure there is more than one sql driver. @@ -109,7 +109,7 @@ class DomainConfigs(dict): self._any_sql = new_config['driver'].is_sql try: - domain_ref = assignment_api.get_domain_by_name(domain_name) + domain_ref = resource_api.get_domain_by_name(domain_name) except exception.DomainNotFound: LOG.warning( _LW('Invalid domain name (%s) found in config file name'), 
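Review bot: The docstring of the nested `assert_no_more_than_one_sql_driver` in `DomainConfigs._load_config` (keystone/identity/core.py, hunk at -91) opens with `Ensure there is more than one sql driver.`, which says the opposite of what the function name says. Since the surrounding lines are already being edited, the summary line should read `Ensure there is no more than one sql driver.`. The rest of the docstring and the function body are outside the hunk.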
@@ -130,7 +130,7 @@ class DomainConfigs(dict): assert_no_more_than_one_sql_driver(domain_config, file_list) self[domain_ref['id']] = domain_config - def setup_domain_drivers(self, standard_driver, assignment_api): + def setup_domain_drivers(self, standard_driver, resource_api): # This is called by the api call wrapper self.configured = True self.driver = standard_driver @@ -146,7 +146,7 @@ class DomainConfigs(dict): if (fname.startswith(DOMAIN_CONF_FHEAD) and fname.endswith(DOMAIN_CONF_FTAIL)): if fname.count('.') >= 2: - self._load_config(assignment_api, + self._load_config(resource_api, [os.path.join(r, fname)], fname[len(DOMAIN_CONF_FHEAD): -len(DOMAIN_CONF_FTAIL)]) @@ -193,7 +193,7 @@ def domains_configured(f): if (not self.domain_configs.configured and CONF.identity.domain_specific_drivers_enabled): self.domain_configs.setup_domain_drivers( - self.driver, self.assignment_api) + self.driver, self.resource_api) return f(self, *args, **kwargs) return wrapper @@ -221,7 +221,8 @@ def exception_translated(exception_type): @dependency.provider('identity_api') @dependency.optional('revoke_api') -@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api') +@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api', + 'resource_api') class Manager(manager.Manager): """Default pivot point for the Identity backend. @@ -554,7 +555,7 @@ class Manager(manager.Manager): user.setdefault('enabled', True) user['enabled'] = clean.user_enabled(user['enabled']) domain_id = user['domain_id'] - self.assignment_api.get_domain(domain_id) + self.resource_api.get_domain(domain_id) # For creating a user, the domain is in the object itself domain_id = user_ref['domain_id'] 
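Review bot: `setup_domain_drivers` in keystone/identity/core.py (hunk at -130) renames its second parameter from `assignment_api` to `resource_api`, which breaks any caller that passes it by keyword; the only caller visible in this diff, `domains_configured`, passes it positionally. If out-of-tree code may call this method, keep the old name as a deprecated alias or record the rename in the release notes. Neither `setup_domain_drivers` nor `_load_config` documents what the argument must provide; a one-line comment such as `# resource_api: manager used to resolve the domain name taken from the config file name` would help. The method body continues outside the hunk.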
@@ -584,7 +585,7 @@ class Manager(manager.Manager): """ if user is None: user = self.get_user(user_id) - self.assignment_api.assert_domain_enabled(user['domain_id']) + self.resource_api.assert_domain_enabled(user['domain_id']) if not user.get('enabled', True): raise AssertionError(_('User is disabled: %s') % user_id) @@ -625,7 +626,7 @@ class Manager(manager.Manager): if 'enabled' in user: user['enabled'] = clean.user_enabled(user['enabled']) if 'domain_id' in user: - self.assignment_api.get_domain(user['domain_id']) + self.resource_api.get_domain(user['domain_id']) if 'id' in user: if user_id != user['id']: raise exception.ValidationError(_('Cannot change user ID')) @@ -665,7 +666,7 @@ class Manager(manager.Manager): group = group_ref.copy() group.setdefault('description', '') domain_id = group['domain_id'] - self.assignment_api.get_domain(domain_id) + self.resource_api.get_domain(domain_id) # For creating a group, the domain is in the object itself domain_id = group_ref['domain_id'] @@ -701,7 +702,7 @@ class Manager(manager.Manager): @exception_translated('group') def update_group(self, group_id, group): if 'domain_id' in group: - self.assignment_api.get_domain(group['domain_id']) + self.resource_api.get_domain(group['domain_id']) domain_id, driver, entity_id = ( self._get_domain_driver_and_entity_id(group_id)) group = self._clear_domain_id_if_domain_unaware(driver, group) diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 3fabd0be13..61cb762eae 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -41,7 +41,8 @@ class ExternalAuthNotApplicable(Exception): @dependency.requires('assignment_api', 'catalog_api', 'identity_api', - 'role_api', 'token_provider_api', 'trust_api') + 'resource_api', 'role_api', 'token_provider_api', + 'trust_api') class Auth(controller.V2Controller): @controller.v2_deprecated 
@@ -105,7 +106,7 @@ class Auth(controller.V2Controller): self.identity_api.assert_user_enabled( user_id=user_ref['id'], user=user_ref) if tenant_ref: - self.assignment_api.assert_project_enabled( + self.resource_api.assert_project_enabled( project_id=tenant_ref['id'], project=tenant_ref) except AssertionError as e: six.reraise(exception.Unauthorized, exception.Unauthorized(e), @@ -360,7 +361,7 @@ class Auth(controller.V2Controller): if tenant_name: try: - tenant_ref = self.assignment_api.get_project_by_name( + tenant_ref = self.resource_api.get_project_by_name( tenant_name, CONF.identity.default_domain_id) tenant_id = tenant_ref['id'] except exception.ProjectNotFound as e: @@ -374,7 +375,7 @@ class Auth(controller.V2Controller): role_list = [] if tenant_id: try: - tenant_ref = self.assignment_api.get_project(tenant_id) + tenant_ref = self.resource_api.get_project(tenant_id) role_list = self.assignment_api.get_roles_for_user_and_project( user_id, tenant_id) except exception.ProjectNotFound: diff --git a/keystone/token/core.py b/keystone/token/core.py index ca2e7a6a85..52ee4a2a39 100644 --- a/keystone/token/core.py +++ b/keystone/token/core.py @@ -60,7 +60,7 @@ def validate_auth_info(self, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the user's domain is disabled don't allow them to authenticate - user_domain_ref = self.assignment_api.get_domain( + user_domain_ref = self.resource_api.get_domain( user_ref['domain_id']) if user_domain_ref and not user_domain_ref.get('enabled', True): msg = _('Domain is disabled: %s') % user_domain_ref['id'] @@ -75,7 +75,7 @@ def validate_auth_info(self, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the project's domain is disabled don't allow them to authenticate - project_domain_ref = self.assignment_api.get_domain( + project_domain_ref = self.resource_api.get_domain( tenant_ref['domain_id']) if (project_domain_ref and not project_domain_ref.get('enabled', True)): 
diff --git a/keystone/token/persistence/core.py b/keystone/token/persistence/core.py index 84d430357f..014aab0b41 100644 --- a/keystone/token/persistence/core.py +++ b/keystone/token/persistence/core.py @@ -39,8 +39,8 @@ EXPIRATION_TIME = lambda: CONF.token.cache_time REVOCATION_CACHE_EXPIRATION_TIME = lambda: CONF.token.revocation_cache_time -@dependency.requires('assignment_api', 'identity_api', 'token_provider_api', - 'trust_api') +@dependency.requires('assignment_api', 'identity_api', 'resource_api', + 'token_provider_api', 'trust_api') class PersistenceManager(manager.Manager): """Default pivot point for the Token backend. @@ -142,7 +142,7 @@ class PersistenceManager(manager.Manager): """ if not CONF.token.revoke_by_id: return - projects = self.assignment_api.list_projects() + projects = self.resource_api.list_projects() for project in projects: if project['domain_id'] == domain_id: for user_id in self.assignment_api.list_user_ids_for_project( diff --git a/keystone/token/provider.py b/keystone/token/provider.py index c7186d9b7b..8ddbd1dc7a 100644 --- a/keystone/token/provider.py +++ b/keystone/token/provider.py @@ -101,6 +101,7 @@ def audit_info(parent_audit_id): @dependency.optional('revoke_api') @dependency.provider('token_provider_api') +@dependency.requires('assignment_api') class Manager(manager.Manager): """Default pivot point for the token provider backend. diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py index 6883ecbba9..cd93a880f8 100644 --- a/keystone/token/providers/common.py +++ b/keystone/token/providers/common.py @@ -144,7 +144,7 @@ class V2TokenDataHelper(object): @dependency.requires('assignment_api', 'catalog_api', 'identity_api', - 'role_api', 'trust_api') + 'resource_api', 'role_api', 'trust_api') class V3TokenDataHelper(object): """Token data helper.""" def __init__(self): 
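Review bot: In `PersistenceManager` (keystone/token/persistence/core.py, hunk at -142), what looks like the per-domain token revocation loop fetches every project with `self.resource_api.list_projects()` and then filters on `project['domain_id'] == domain_id` in Python. `resource_api.list_projects_in_domain` is already called elsewhere in this commit, by `Tenant` and `RoleAssignmentV3` in keystone/assignment/controllers.py, so `projects = self.resource_api.list_projects_in_domain(domain_id)` would avoid loading unrelated projects while tokens are being revoked. The enclosing method starts and ends outside the hunk.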
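Review bot: The `Manager` in keystone/token/provider.py (hunk at -101) gains `@dependency.requires('assignment_api')`, but no line in this diff shows the token provider manager using `self.assignment_api`. If a method outside the hunk relies on it, a short comment naming that method would explain why the token provider depends on the assignment manager; if nothing does, the decorator line can be dropped to keep the dependency graph minimal.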
@@ -152,11 +152,11 @@ class V3TokenDataHelper(object): super(V3TokenDataHelper, self).__init__() def _get_filtered_domain(self, domain_id): - domain_ref = self.assignment_api.get_domain(domain_id) + domain_ref = self.resource_api.get_domain(domain_id) return {'id': domain_ref['id'], 'name': domain_ref['name']} def _get_filtered_project(self, project_id): - project_ref = self.assignment_api.get_project(project_id) + project_ref = self.resource_api.get_project(project_id) filtered_project = { 'id': project_ref['id'], 'name': project_ref['name']} @@ -383,7 +383,7 @@ class V3TokenDataHelper(object): @dependency.optional('oauth_api') -@dependency.requires('assignment_api', 'catalog_api', 'identity_api', +@dependency.requires('catalog_api', 'identity_api', 'resource_api', 'role_api', 'trust_api') class BaseProvider(provider.Provider): def __init__(self, *args, **kwargs): @@ -532,7 +532,7 @@ class BaseProvider(provider.Provider): if (trustor_user_ref['domain_id'] != CONF.identity.default_domain_id): raise exception.Unauthorized(msg) - project_ref = self.assignment_api.get_project( + project_ref = self.resource_api.get_project( trust_ref['project_id']) if (project_ref['domain_id'] != CONF.identity.default_domain_id):