Make controllers and managers reference new resource manager
This is part of the more comprehensive split of assignments, which rationalizes both the backend and controllers. In order to make this change easier for reviewers, it is divided into a number of smaller patches. Previous patches have: - Moved role management into its own manager and drivers - Fixed incorrect doc strings for grant driver methods - Updated controllers to call the new role manager - Updated unit tests to call the new role manager - Refactored the assignment manager and drivers enabling projects/domains to be split out - Fixed incorrect comment about circular dependency between assignment and identity - Moved the logically separated project and domain functionality into their own manager/backend (called resource). - Removed the unused pointer to assignment from identity driver This patch updates all the controllers and managers to call the new resource manager to access projects and domains. Future patches will: - Update the tests to call the new resource manager - Split the assignment controller, giving projects/domains their own controller Partially implements: bp pluggable-assignments Change-Id: I7180c5a324c44a22e40a367797d9bcd1d2ae79f2
parent
cbcece0fc8
commit
63c1a98a1a
|
@ -36,7 +36,8 @@ CONF = config.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api')
|
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||||
|
'token_provider_api')
|
||||||
class Tenant(controller.V2Controller):
|
class Tenant(controller.V2Controller):
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
|
@ -47,7 +48,7 @@ class Tenant(controller.V2Controller):
|
||||||
context, context['query_string'].get('name'))
|
context, context['query_string'].get('name'))
|
||||||
|
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
tenant_refs = self.assignment_api.list_projects_in_domain(
|
tenant_refs = self.resource_api.list_projects_in_domain(
|
||||||
CONF.identity.default_domain_id)
|
CONF.identity.default_domain_id)
|
||||||
for tenant_ref in tenant_refs:
|
for tenant_ref in tenant_refs:
|
||||||
tenant_ref = self.filter_domain_id(tenant_ref)
|
tenant_ref = self.filter_domain_id(tenant_ref)
|
||||||
|
@ -90,13 +91,13 @@ class Tenant(controller.V2Controller):
|
||||||
def get_project(self, context, tenant_id):
|
def get_project(self, context, tenant_id):
|
||||||
# TODO(termie): this stuff should probably be moved to middleware
|
# TODO(termie): this stuff should probably be moved to middleware
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
ref = self.assignment_api.get_project(tenant_id)
|
ref = self.resource_api.get_project(tenant_id)
|
||||||
return {'tenant': self.filter_domain_id(ref)}
|
return {'tenant': self.filter_domain_id(ref)}
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
def get_project_by_name(self, context, tenant_name):
|
def get_project_by_name(self, context, tenant_name):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
ref = self.assignment_api.get_project_by_name(
|
ref = self.resource_api.get_project_by_name(
|
||||||
tenant_name, CONF.identity.default_domain_id)
|
tenant_name, CONF.identity.default_domain_id)
|
||||||
return {'tenant': self.filter_domain_id(ref)}
|
return {'tenant': self.filter_domain_id(ref)}
|
||||||
|
|
||||||
|
@ -111,7 +112,7 @@ class Tenant(controller.V2Controller):
|
||||||
|
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||||
tenant = self.assignment_api.create_project(
|
tenant = self.resource_api.create_project(
|
||||||
tenant_ref['id'],
|
tenant_ref['id'],
|
||||||
self._normalize_domain_id(context, tenant_ref))
|
self._normalize_domain_id(context, tenant_ref))
|
||||||
return {'tenant': self.filter_domain_id(tenant)}
|
return {'tenant': self.filter_domain_id(tenant)}
|
||||||
|
@ -124,14 +125,14 @@ class Tenant(controller.V2Controller):
|
||||||
clean_tenant = tenant.copy()
|
clean_tenant = tenant.copy()
|
||||||
clean_tenant.pop('domain_id', None)
|
clean_tenant.pop('domain_id', None)
|
||||||
|
|
||||||
tenant_ref = self.assignment_api.update_project(
|
tenant_ref = self.resource_api.update_project(
|
||||||
tenant_id, clean_tenant)
|
tenant_id, clean_tenant)
|
||||||
return {'tenant': tenant_ref}
|
return {'tenant': tenant_ref}
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
def delete_project(self, context, tenant_id):
|
def delete_project(self, context, tenant_id):
|
||||||
self.assert_admin(context)
|
self.assert_admin(context)
|
||||||
self.assignment_api.delete_project(tenant_id)
|
self.resource_api.delete_project(tenant_id)
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
def get_project_users(self, context, tenant_id, **kw):
|
def get_project_users(self, context, tenant_id, **kw):
|
||||||
|
@ -345,74 +346,73 @@ class Role(controller.V2Controller):
|
||||||
user_id, tenant_id, role_id)
|
user_id, tenant_id, role_id)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api')
|
@dependency.requires('resource_api')
|
||||||
class DomainV3(controller.V3Controller):
|
class DomainV3(controller.V3Controller):
|
||||||
collection_name = 'domains'
|
collection_name = 'domains'
|
||||||
member_name = 'domain'
|
member_name = 'domain'
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(DomainV3, self).__init__()
|
super(DomainV3, self).__init__()
|
||||||
self.get_member_from_driver = self.assignment_api.get_domain
|
self.get_member_from_driver = self.resource_api.get_domain
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
@validation.validated(schema.domain_create, 'domain')
|
@validation.validated(schema.domain_create, 'domain')
|
||||||
def create_domain(self, context, domain):
|
def create_domain(self, context, domain):
|
||||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||||
ref = self.assignment_api.create_domain(ref['id'], ref)
|
ref = self.resource_api.create_domain(ref['id'], ref)
|
||||||
return DomainV3.wrap_member(context, ref)
|
return DomainV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.filterprotected('enabled', 'name')
|
@controller.filterprotected('enabled', 'name')
|
||||||
def list_domains(self, context, filters):
|
def list_domains(self, context, filters):
|
||||||
hints = DomainV3.build_driver_hints(context, filters)
|
hints = DomainV3.build_driver_hints(context, filters)
|
||||||
refs = self.assignment_api.list_domains(hints=hints)
|
refs = self.resource_api.list_domains(hints=hints)
|
||||||
return DomainV3.wrap_collection(context, refs, hints=hints)
|
return DomainV3.wrap_collection(context, refs, hints=hints)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_domain(self, context, domain_id):
|
def get_domain(self, context, domain_id):
|
||||||
ref = self.assignment_api.get_domain(domain_id)
|
ref = self.resource_api.get_domain(domain_id)
|
||||||
return DomainV3.wrap_member(context, ref)
|
return DomainV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
@validation.validated(schema.domain_update, 'domain')
|
@validation.validated(schema.domain_update, 'domain')
|
||||||
def update_domain(self, context, domain_id, domain):
|
def update_domain(self, context, domain_id, domain):
|
||||||
self._require_matching_id(domain_id, domain)
|
self._require_matching_id(domain_id, domain)
|
||||||
ref = self.assignment_api.update_domain(domain_id, domain)
|
ref = self.resource_api.update_domain(domain_id, domain)
|
||||||
return DomainV3.wrap_member(context, ref)
|
return DomainV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def delete_domain(self, context, domain_id):
|
def delete_domain(self, context, domain_id):
|
||||||
return self.assignment_api.delete_domain(domain_id)
|
return self.resource_api.delete_domain(domain_id)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api')
|
@dependency.requires('assignment_api', 'resource_api')
|
||||||
class ProjectV3(controller.V3Controller):
|
class ProjectV3(controller.V3Controller):
|
||||||
collection_name = 'projects'
|
collection_name = 'projects'
|
||||||
member_name = 'project'
|
member_name = 'project'
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(ProjectV3, self).__init__()
|
super(ProjectV3, self).__init__()
|
||||||
self.get_member_from_driver = self.assignment_api.get_project
|
self.get_member_from_driver = self.resource_api.get_project
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
@validation.validated(schema.project_create, 'project')
|
@validation.validated(schema.project_create, 'project')
|
||||||
def create_project(self, context, project):
|
def create_project(self, context, project):
|
||||||
ref = self._assign_unique_id(self._normalize_dict(project))
|
ref = self._assign_unique_id(self._normalize_dict(project))
|
||||||
ref = self._normalize_domain_id(context, ref)
|
ref = self._normalize_domain_id(context, ref)
|
||||||
ref = self.assignment_api.create_project(ref['id'], ref)
|
ref = self.resource_api.create_project(ref['id'], ref)
|
||||||
return ProjectV3.wrap_member(context, ref)
|
return ProjectV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.filterprotected('domain_id', 'enabled', 'name',
|
@controller.filterprotected('domain_id', 'enabled', 'name',
|
||||||
'parent_id')
|
'parent_id')
|
||||||
def list_projects(self, context, filters):
|
def list_projects(self, context, filters):
|
||||||
hints = ProjectV3.build_driver_hints(context, filters)
|
hints = ProjectV3.build_driver_hints(context, filters)
|
||||||
refs = self.assignment_api.list_projects(hints=hints)
|
refs = self.resource_api.list_projects(hints=hints)
|
||||||
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
||||||
|
|
||||||
@controller.filterprotected('enabled', 'name')
|
@controller.filterprotected('enabled', 'name')
|
||||||
def list_user_projects(self, context, filters, user_id):
|
def list_user_projects(self, context, filters, user_id):
|
||||||
hints = ProjectV3.build_driver_hints(context, filters)
|
hints = ProjectV3.build_driver_hints(context, filters)
|
||||||
refs = self.assignment_api.list_projects_for_user(user_id,
|
refs = self.assignment_api.list_projects_for_user(user_id, hints=hints)
|
||||||
hints=hints)
|
|
||||||
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
||||||
|
|
||||||
def _expand_project_ref(self, context, ref):
|
def _expand_project_ref(self, context, ref):
|
||||||
|
@ -420,7 +420,7 @@ class ProjectV3(controller.V3Controller):
|
||||||
if ('parents_as_list' in context['query_string'] and
|
if ('parents_as_list' in context['query_string'] and
|
||||||
self.query_filter_is_true(
|
self.query_filter_is_true(
|
||||||
context['query_string']['parents_as_list'])):
|
context['query_string']['parents_as_list'])):
|
||||||
parents = self.assignment_api.list_project_parents(
|
parents = self.resource_api.list_project_parents(
|
||||||
ref['id'], user_id)
|
ref['id'], user_id)
|
||||||
ref['parents'] = [ProjectV3.wrap_member(context, p)
|
ref['parents'] = [ProjectV3.wrap_member(context, p)
|
||||||
for p in parents]
|
for p in parents]
|
||||||
|
@ -428,14 +428,14 @@ class ProjectV3(controller.V3Controller):
|
||||||
if ('subtree_as_list' in context['query_string'] and
|
if ('subtree_as_list' in context['query_string'] and
|
||||||
self.query_filter_is_true(
|
self.query_filter_is_true(
|
||||||
context['query_string']['subtree_as_list'])):
|
context['query_string']['subtree_as_list'])):
|
||||||
subtree = self.assignment_api.list_projects_in_subtree(
|
subtree = self.resource_api.list_projects_in_subtree(
|
||||||
ref['id'], user_id)
|
ref['id'], user_id)
|
||||||
ref['subtree'] = [ProjectV3.wrap_member(context, p)
|
ref['subtree'] = [ProjectV3.wrap_member(context, p)
|
||||||
for p in subtree]
|
for p in subtree]
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_project(self, context, project_id):
|
def get_project(self, context, project_id):
|
||||||
ref = self.assignment_api.get_project(project_id)
|
ref = self.resource_api.get_project(project_id)
|
||||||
self._expand_project_ref(context, ref)
|
self._expand_project_ref(context, ref)
|
||||||
return ProjectV3.wrap_member(context, ref)
|
return ProjectV3.wrap_member(context, ref)
|
||||||
|
|
||||||
|
@ -444,16 +444,17 @@ class ProjectV3(controller.V3Controller):
|
||||||
def update_project(self, context, project_id, project):
|
def update_project(self, context, project_id, project):
|
||||||
self._require_matching_id(project_id, project)
|
self._require_matching_id(project_id, project)
|
||||||
self._require_matching_domain_id(
|
self._require_matching_domain_id(
|
||||||
project_id, project, self.assignment_api.get_project)
|
project_id, project, self.resource_api.get_project)
|
||||||
ref = self.assignment_api.update_project(project_id, project)
|
ref = self.resource_api.update_project(project_id, project)
|
||||||
return ProjectV3.wrap_member(context, ref)
|
return ProjectV3.wrap_member(context, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def delete_project(self, context, project_id):
|
def delete_project(self, context, project_id):
|
||||||
return self.assignment_api.delete_project(project_id)
|
return self.resource_api.delete_project(project_id)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api', 'role_api')
|
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||||
|
'role_api')
|
||||||
class RoleV3(controller.V3Controller):
|
class RoleV3(controller.V3Controller):
|
||||||
collection_name = 'roles'
|
collection_name = 'roles'
|
||||||
member_name = 'role'
|
member_name = 'role'
|
||||||
|
@ -532,9 +533,9 @@ class RoleV3(controller.V3Controller):
|
||||||
ref['group'] = self.identity_api.get_group(group_id)
|
ref['group'] = self.identity_api.get_group(group_id)
|
||||||
|
|
||||||
if domain_id:
|
if domain_id:
|
||||||
ref['domain'] = self.assignment_api.get_domain(domain_id)
|
ref['domain'] = self.resource_api.get_domain(domain_id)
|
||||||
else:
|
else:
|
||||||
ref['project'] = self.assignment_api.get_project(project_id)
|
ref['project'] = self.resource_api.get_project(project_id)
|
||||||
|
|
||||||
self.check_protection(context, protection, ref)
|
self.check_protection(context, protection, ref)
|
||||||
|
|
||||||
|
@ -588,7 +589,7 @@ class RoleV3(controller.V3Controller):
|
||||||
self._check_if_inherited(context), context)
|
self._check_if_inherited(context), context)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api')
|
@dependency.requires('assignment_api', 'identity_api', 'resource_api')
|
||||||
class RoleAssignmentV3(controller.V3Controller):
|
class RoleAssignmentV3(controller.V3Controller):
|
||||||
|
|
||||||
# TODO(henry-nash): The current implementation does not provide a full
|
# TODO(henry-nash): The current implementation does not provide a full
|
||||||
|
@ -824,7 +825,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
||||||
# projects owned by this domain.
|
# projects owned by this domain.
|
||||||
project_ids = (
|
project_ids = (
|
||||||
[x['id'] for x in
|
[x['id'] for x in
|
||||||
self.assignment_api.list_projects_in_domain(
|
self.resource_api.list_projects_in_domain(
|
||||||
r['scope']['domain']['id'])])
|
r['scope']['domain']['id'])])
|
||||||
base_entry = copy.deepcopy(r)
|
base_entry = copy.deepcopy(r)
|
||||||
target_type = 'domains'
|
target_type = 'domains'
|
||||||
|
@ -836,7 +837,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
||||||
project_id = r['scope']['project']['id']
|
project_id = r['scope']['project']['id']
|
||||||
project_ids = (
|
project_ids = (
|
||||||
[x['id'] for x in
|
[x['id'] for x in
|
||||||
self.assignment_api.list_projects_in_subtree(
|
self.resource_api.list_projects_in_subtree(
|
||||||
project_id)])
|
project_id)])
|
||||||
base_entry = copy.deepcopy(r)
|
base_entry = copy.deepcopy(r)
|
||||||
target_type = 'projects'
|
target_type = 'projects'
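Review bot: In the RoleV3 hunk at -532, the grant target is loaded with `self.resource_api.get_domain(domain_id)` or `self.resource_api.get_project(project_id)` before `self.check_protection(context, protection, ref)` runs, so a lookup failure is reported ahead of the policy decision. If those lookups raise a not-found error for unknown ids (the `except exception.DomainNotFound` handling elsewhere on this page suggests they do), a caller the policy would reject can still tell existing domain and project ids from missing ones. The ordering is needed to build the policy target, so I would at least record it above the lookups: `# NOTE: target refs are fetched before check_protection(); a missing domain/project is reported as not found even to callers the policy would reject.` The enclosing method starts and ends outside the hunk, so any handling further down is not visible here.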
|
||||||
|
|
|
@ -124,7 +124,7 @@ class AuthContext(dict):
|
||||||
# available for consumers. Consumers should probably not be getting
|
# available for consumers. Consumers should probably not be getting
|
||||||
# identity_api from this since it's available in global registry, then
|
# identity_api from this since it's available in global registry, then
|
||||||
# identity_api should be removed from this list.
|
# identity_api should be removed from this list.
|
||||||
@dependency.requires('assignment_api', 'identity_api', 'trust_api')
|
@dependency.requires('identity_api', 'resource_api', 'trust_api')
|
||||||
class AuthInfo(object):
|
class AuthInfo(object):
|
||||||
"""Encapsulation of "auth" request."""
|
"""Encapsulation of "auth" request."""
|
||||||
|
|
||||||
|
@ -147,7 +147,7 @@ class AuthInfo(object):
|
||||||
def _assert_project_is_enabled(self, project_ref):
|
def _assert_project_is_enabled(self, project_ref):
|
||||||
# ensure the project is enabled
|
# ensure the project is enabled
|
||||||
try:
|
try:
|
||||||
self.assignment_api.assert_project_enabled(
|
self.resource_api.assert_project_enabled(
|
||||||
project_id=project_ref['id'],
|
project_id=project_ref['id'],
|
||||||
project=project_ref)
|
project=project_ref)
|
||||||
except AssertionError as e:
|
except AssertionError as e:
|
||||||
|
@ -157,7 +157,7 @@ class AuthInfo(object):
|
||||||
|
|
||||||
def _assert_domain_is_enabled(self, domain_ref):
|
def _assert_domain_is_enabled(self, domain_ref):
|
||||||
try:
|
try:
|
||||||
self.assignment_api.assert_domain_enabled(
|
self.resource_api.assert_domain_enabled(
|
||||||
domain_id=domain_ref['id'],
|
domain_id=domain_ref['id'],
|
||||||
domain=domain_ref)
|
domain=domain_ref)
|
||||||
except AssertionError as e:
|
except AssertionError as e:
|
||||||
|
@ -174,10 +174,10 @@ class AuthInfo(object):
|
||||||
target='domain')
|
target='domain')
|
||||||
try:
|
try:
|
||||||
if domain_name:
|
if domain_name:
|
||||||
domain_ref = self.assignment_api.get_domain_by_name(
|
domain_ref = self.resource_api.get_domain_by_name(
|
||||||
domain_name)
|
domain_name)
|
||||||
else:
|
else:
|
||||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
domain_ref = self.resource_api.get_domain(domain_id)
|
||||||
except exception.DomainNotFound as e:
|
except exception.DomainNotFound as e:
|
||||||
LOG.exception(e)
|
LOG.exception(e)
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
|
@ -197,10 +197,10 @@ class AuthInfo(object):
|
||||||
raise exception.ValidationError(attribute='domain',
|
raise exception.ValidationError(attribute='domain',
|
||||||
target='project')
|
target='project')
|
||||||
domain_ref = self._lookup_domain(project_info['domain'])
|
domain_ref = self._lookup_domain(project_info['domain'])
|
||||||
project_ref = self.assignment_api.get_project_by_name(
|
project_ref = self.resource_api.get_project_by_name(
|
||||||
project_name, domain_ref['id'])
|
project_name, domain_ref['id'])
|
||||||
else:
|
else:
|
||||||
project_ref = self.assignment_api.get_project(project_id)
|
project_ref = self.resource_api.get_project(project_id)
|
||||||
# NOTE(morganfainberg): The _lookup_domain method will raise
|
# NOTE(morganfainberg): The _lookup_domain method will raise
|
||||||
# exception.Unauthorized if the domain isn't found or is
|
# exception.Unauthorized if the domain isn't found or is
|
||||||
# disabled.
|
# disabled.
|
||||||
|
@ -340,7 +340,7 @@ class AuthInfo(object):
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||||
'token_provider_api', 'trust_api')
|
'resource_api', 'token_provider_api', 'trust_api')
|
||||||
class Auth(controller.V3Controller):
|
class Auth(controller.V3Controller):
|
||||||
|
|
||||||
# Note(atiwari): From V3 auth controller code we are
|
# Note(atiwari): From V3 auth controller code we are
|
||||||
|
@ -427,9 +427,9 @@ class Auth(controller.V3Controller):
|
||||||
|
|
||||||
# make sure user's default project is legit before scoping to it
|
# make sure user's default project is legit before scoping to it
|
||||||
try:
|
try:
|
||||||
default_project_ref = self.assignment_api.get_project(
|
default_project_ref = self.resource_api.get_project(
|
||||||
default_project_id)
|
default_project_id)
|
||||||
default_project_domain_ref = self.assignment_api.get_domain(
|
default_project_domain_ref = self.resource_api.get_domain(
|
||||||
default_project_ref['domain_id'])
|
default_project_ref['domain_id'])
|
||||||
if (default_project_ref.get('enabled', True) and
|
if (default_project_ref.get('enabled', True) and
|
||||||
default_project_domain_ref.get('enabled', True)):
|
default_project_domain_ref.get('enabled', True)):
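Review bot: `AuthInfo` no longer requires `'assignment_api'` (`@dependency.requires('identity_api', 'resource_api', 'trust_api')`), but only the lines inside these hunks are visible and the rest of the class is outside them. A leftover `self.assignment_api` reference would presumably fail only when that code path runs, which here is the token authentication path, and the commit message says the tests are updated in a later patch. The same removal is made for `Domain`, `LegacyDomain`, `UserAuthInfo` and `_ControllerBase` later on this page. Please confirm no references remain in each class, or keep the old name until the test patch lands, e.g. `@dependency.requires('assignment_api', 'identity_api', 'resource_api', 'trust_api')`.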
|
||||||
|
|
|
@ -74,7 +74,7 @@ class DefaultDomain(Base):
|
||||||
return user_ref
|
return user_ref
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api')
|
@dependency.requires('identity_api', 'resource_api')
|
||||||
class Domain(Base):
|
class Domain(Base):
|
||||||
def _authenticate(self, remote_user, context):
|
def _authenticate(self, remote_user, context):
|
||||||
"""Use remote_user to look up the user in the identity backend.
|
"""Use remote_user to look up the user in the identity backend.
|
||||||
|
@ -89,7 +89,7 @@ class Domain(Base):
|
||||||
except KeyError:
|
except KeyError:
|
||||||
domain_id = CONF.identity.default_domain_id
|
domain_id = CONF.identity.default_domain_id
|
||||||
else:
|
else:
|
||||||
domain_ref = self.assignment_api.get_domain_by_name(domain_name)
|
domain_ref = self.resource_api.get_domain_by_name(domain_name)
|
||||||
domain_id = domain_ref['id']
|
domain_id = domain_ref['id']
|
||||||
|
|
||||||
user_ref = self.identity_api.get_user_by_name(username, domain_id)
|
user_ref = self.identity_api.get_user_by_name(username, domain_id)
|
||||||
|
@ -156,7 +156,7 @@ class LegacyDefaultDomain(Base):
|
||||||
return user_ref
|
return user_ref
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api')
|
@dependency.requires('identity_api', 'resource_api')
|
||||||
class LegacyDomain(Base):
|
class LegacyDomain(Base):
|
||||||
"""Deprecated. Please use keystone.auth.external.Domain instead."""
|
"""Deprecated. Please use keystone.auth.external.Domain instead."""
|
||||||
|
|
||||||
|
@ -178,7 +178,7 @@ class LegacyDomain(Base):
|
||||||
username = names.pop(0)
|
username = names.pop(0)
|
||||||
if names:
|
if names:
|
||||||
domain_name = names[0]
|
domain_name = names[0]
|
||||||
domain_ref = self.assignment_api.get_domain_by_name(domain_name)
|
domain_ref = self.resource_api.get_domain_by_name(domain_name)
|
||||||
domain_id = domain_ref['id']
|
domain_id = domain_ref['id']
|
||||||
else:
|
else:
|
||||||
domain_id = CONF.identity.default_domain_id
|
domain_id = CONF.identity.default_domain_id
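Review bot: `Domain._authenticate` (hunk at -89) and `LegacyDomain` (hunk at -178) resolve the domain with `self.resource_api.get_domain_by_name(domain_name)` and then use `domain_ref['id']` directly; no enabled check on `domain_ref` is visible in either hunk, whereas the password plugin on this page calls `self._assert_domain_is_enabled(domain_ref)` after its lookup. Unless a later stage rejects disabled domains for externally authenticated users, I would assert the domain is enabled right after the lookup in both methods and convert the failure to `exception.Unauthorized`, as sketched below (this assumes `exception` is imported in this module, which the page does not show). Both method bodies continue outside the hunks, so the check may already exist further down.

```python
domain_ref = self.resource_api.get_domain_by_name(domain_name)
try:
    self.resource_api.assert_domain_enabled(
        domain_id=domain_ref['id'], domain=domain_ref)
except AssertionError as e:
    raise exception.Unauthorized(e)
domain_id = domain_ref['id']
# … unchanged: user lookup by name in domain_id …
```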
|
||||||
|
|
|
@ -27,7 +27,7 @@ METHOD_NAME = 'password'
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api')
|
@dependency.requires('identity_api', 'resource_api')
|
||||||
class UserAuthInfo(object):
|
class UserAuthInfo(object):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def create(auth_payload):
|
def create(auth_payload):
|
||||||
|
@ -42,7 +42,7 @@ class UserAuthInfo(object):
|
||||||
|
|
||||||
def _assert_domain_is_enabled(self, domain_ref):
|
def _assert_domain_is_enabled(self, domain_ref):
|
||||||
try:
|
try:
|
||||||
self.assignment_api.assert_domain_enabled(
|
self.resource_api.assert_domain_enabled(
|
||||||
domain_id=domain_ref['id'],
|
domain_id=domain_ref['id'],
|
||||||
domain=domain_ref)
|
domain=domain_ref)
|
||||||
except AssertionError as e:
|
except AssertionError as e:
|
||||||
|
@ -69,10 +69,10 @@ class UserAuthInfo(object):
|
||||||
target='domain')
|
target='domain')
|
||||||
try:
|
try:
|
||||||
if domain_name:
|
if domain_name:
|
||||||
domain_ref = self.assignment_api.get_domain_by_name(
|
domain_ref = self.resource_api.get_domain_by_name(
|
||||||
domain_name)
|
domain_name)
|
||||||
else:
|
else:
|
||||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
domain_ref = self.resource_api.get_domain(domain_id)
|
||||||
except exception.DomainNotFound as e:
|
except exception.DomainNotFound as e:
|
||||||
LOG.exception(e)
|
LOG.exception(e)
|
||||||
raise exception.Unauthorized(e)
|
raise exception.Unauthorized(e)
|
||||||
|
@ -101,7 +101,7 @@ class UserAuthInfo(object):
|
||||||
user_name, domain_ref['id'])
|
user_name, domain_ref['id'])
|
||||||
else:
|
else:
|
||||||
user_ref = self.identity_api.get_user(user_id)
|
user_ref = self.identity_api.get_user(user_id)
|
||||||
domain_ref = self.assignment_api.get_domain(
|
domain_ref = self.resource_api.get_domain(
|
||||||
user_ref['domain_id'])
|
user_ref['domain_id'])
|
||||||
self._assert_domain_is_enabled(domain_ref)
|
self._assert_domain_is_enabled(domain_ref)
|
||||||
except exception.UserNotFound as e:
|
except exception.UserNotFound as e:
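Review bot: `LOG.exception(e)` in the `DomainNotFound` handler of the hunk at -69 writes a full traceback at error level for a condition any unauthenticated client can cause by sending an unknown domain name or id. That makes failed-login noise hard to tell apart from real server faults and ties log volume to request volume. A warning-level line without the traceback would be enough, e.g. `LOG.warning(e)` before `raise exception.Unauthorized(e)`; the same handler appears in the `AuthInfo` hunk at -174 in the auth controllers. The enclosing method starts above the hunk.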
|
||||||
|
|
|
@ -50,7 +50,8 @@ from keystone.models import token_model
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
|
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
|
||||||
'identity_api', 'role_api', 'token_provider_api')
|
'identity_api', 'resource_api', 'role_api',
|
||||||
|
'token_provider_api')
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
@six.add_metaclass(abc.ABCMeta)
|
||||||
class Ec2ControllerCommon(object):
|
class Ec2ControllerCommon(object):
|
||||||
def check_signature(self, creds_ref, credentials):
|
def check_signature(self, creds_ref, credentials):
|
||||||
|
@ -112,7 +113,7 @@ class Ec2ControllerCommon(object):
|
||||||
|
|
||||||
# TODO(termie): don't create new tokens every time
|
# TODO(termie): don't create new tokens every time
|
||||||
# TODO(termie): this is copied from TokenController.authenticate
|
# TODO(termie): this is copied from TokenController.authenticate
|
||||||
tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
|
tenant_ref = self.resource_api.get_project(creds_ref['tenant_id'])
|
||||||
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
||||||
metadata_ref = {}
|
metadata_ref = {}
|
||||||
metadata_ref['roles'] = (
|
metadata_ref['roles'] = (
|
||||||
|
@ -128,9 +129,9 @@ class Ec2ControllerCommon(object):
|
||||||
try:
|
try:
|
||||||
self.identity_api.assert_user_enabled(
|
self.identity_api.assert_user_enabled(
|
||||||
user_id=user_ref['id'], user=user_ref)
|
user_id=user_ref['id'], user=user_ref)
|
||||||
self.assignment_api.assert_domain_enabled(
|
self.resource_api.assert_domain_enabled(
|
||||||
domain_id=user_ref['domain_id'])
|
domain_id=user_ref['domain_id'])
|
||||||
self.assignment_api.assert_project_enabled(
|
self.resource_api.assert_project_enabled(
|
||||||
project_id=tenant_ref['id'], project=tenant_ref)
|
project_id=tenant_ref['id'], project=tenant_ref)
|
||||||
except AssertionError as e:
|
except AssertionError as e:
|
||||||
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
||||||
|
@ -159,7 +160,7 @@ class Ec2ControllerCommon(object):
|
||||||
"""
|
"""
|
||||||
|
|
||||||
self.identity_api.get_user(user_id)
|
self.identity_api.get_user(user_id)
|
||||||
self.assignment_api.get_project(tenant_id)
|
self.resource_api.get_project(tenant_id)
|
||||||
trust_id = self._get_trust_id_for_request(context)
|
trust_id = self._get_trust_id_for_request(context)
|
||||||
blob = {'access': uuid.uuid4().hex,
|
blob = {'access': uuid.uuid4().hex,
|
||||||
'secret': uuid.uuid4().hex,
|
'secret': uuid.uuid4().hex,
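Review bot: The enabled checks in the hunk at -128 cover the user, the user's domain (`domain_id=user_ref['domain_id']`) and the project, but not the domain that owns `tenant_ref`. If `assert_project_enabled` does not itself consider the owning domain (its body is not on this page), a project in a disabled domain would still pass when the user belongs to a different, enabled domain. I would add `self.resource_api.assert_domain_enabled(domain_id=tenant_ref['domain_id'])` inside the same `try`, so a failure is converted to `exception.Unauthorized` with the others. The method starts and ends outside the hunk.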
|
||||||
|
|
|
@ -22,14 +22,14 @@ from keystone import exception
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'endpoint_filter_api')
|
@dependency.requires('catalog_api', 'endpoint_filter_api', 'resource_api')
|
||||||
class _ControllerBase(controller.V3Controller):
|
class _ControllerBase(controller.V3Controller):
|
||||||
"""Base behaviors for endpoint filter controllers."""
|
"""Base behaviors for endpoint filter controllers."""
|
||||||
|
|
||||||
def _get_endpoint_groups_for_project(self, project_id):
|
def _get_endpoint_groups_for_project(self, project_id):
|
||||||
# recover the project endpoint group memberships and for each
|
# recover the project endpoint group memberships and for each
|
||||||
# membership recover the endpoint group
|
# membership recover the endpoint group
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
try:
|
try:
|
||||||
refs = self.endpoint_filter_api.list_endpoint_groups_for_project(
|
refs = self.endpoint_filter_api.list_endpoint_groups_for_project(
|
||||||
project_id)
|
project_id)
|
||||||
|
@ -85,7 +85,7 @@ class EndpointFilterV3Controller(_ControllerBase):
|
||||||
# The relationship can still be established even with a disabled
|
# The relationship can still be established even with a disabled
|
||||||
# project as there are no security implications.
|
# project as there are no security implications.
|
||||||
self.catalog_api.get_endpoint(endpoint_id)
|
self.catalog_api.get_endpoint(endpoint_id)
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
|
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
|
||||||
project_id)
|
project_id)
|
||||||
|
|
||||||
|
@ -93,14 +93,14 @@ class EndpointFilterV3Controller(_ControllerBase):
|
||||||
def check_endpoint_in_project(self, context, project_id, endpoint_id):
|
def check_endpoint_in_project(self, context, project_id, endpoint_id):
|
||||||
"""Verifies endpoint is currently associated with given project."""
|
"""Verifies endpoint is currently associated with given project."""
|
||||||
self.catalog_api.get_endpoint(endpoint_id)
|
self.catalog_api.get_endpoint(endpoint_id)
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
|
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
|
||||||
project_id)
|
project_id)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_endpoints_for_project(self, context, project_id):
|
def list_endpoints_for_project(self, context, project_id):
|
||||||
"""List all endpoints currently associated with a given project."""
|
"""List all endpoints currently associated with a given project."""
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
|
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
|
||||||
filtered_endpoints = dict(
|
filtered_endpoints = dict(
|
||||||
(ref['endpoint_id'], self.catalog_api.get_endpoint(
|
(ref['endpoint_id'], self.catalog_api.get_endpoint(
|
||||||
|
@ -133,7 +133,7 @@ class EndpointFilterV3Controller(_ControllerBase):
|
||||||
self.catalog_api.get_endpoint(endpoint_id)
|
self.catalog_api.get_endpoint(endpoint_id)
|
||||||
refs = self.endpoint_filter_api.list_projects_for_endpoint(endpoint_id)
|
refs = self.endpoint_filter_api.list_projects_for_endpoint(endpoint_id)
|
||||||
|
|
||||||
projects = [self.assignment_api.get_project(
|
projects = [self.resource_api.get_project(
|
||||||
ref['project_id']) for ref in refs]
|
ref['project_id']) for ref in refs]
|
||||||
return assignment.controllers.ProjectV3.wrap_collection(context,
|
return assignment.controllers.ProjectV3.wrap_collection(context,
|
||||||
projects)
|
projects)
|
||||||
|
@ -221,7 +221,7 @@ class EndpointGroupV3Controller(_ControllerBase):
|
||||||
endpoint_group_id))
|
endpoint_group_id))
|
||||||
projects = []
|
projects = []
|
||||||
for endpoint_group_ref in endpoint_group_refs:
|
for endpoint_group_ref in endpoint_group_refs:
|
||||||
project = self.assignment_api.get_project(
|
project = self.resource_api.get_project(
|
||||||
endpoint_group_ref['project_id'])
|
endpoint_group_ref['project_id'])
|
||||||
if project:
|
if project:
|
||||||
projects.append(project)
|
projects.append(project)
|
||||||
|
@ -260,7 +260,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
||||||
def get_endpoint_group_in_project(self, context, endpoint_group_id,
|
def get_endpoint_group_in_project(self, context, endpoint_group_id,
|
||||||
project_id):
|
project_id):
|
||||||
"""Retrieve the endpoint group associated with the id if exists."""
|
"""Retrieve the endpoint group associated with the id if exists."""
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||||
ref = self.endpoint_filter_api.get_endpoint_group_in_project(
|
ref = self.endpoint_filter_api.get_endpoint_group_in_project(
|
||||||
endpoint_group_id, project_id)
|
endpoint_group_id, project_id)
|
||||||
|
@ -271,7 +271,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
||||||
def add_endpoint_group_to_project(self, context, endpoint_group_id,
|
def add_endpoint_group_to_project(self, context, endpoint_group_id,
|
||||||
project_id):
|
project_id):
|
||||||
"""Creates an association between an endpoint group and project."""
|
"""Creates an association between an endpoint group and project."""
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||||
self.endpoint_filter_api.add_endpoint_group_to_project(
|
self.endpoint_filter_api.add_endpoint_group_to_project(
|
||||||
endpoint_group_id, project_id)
|
endpoint_group_id, project_id)
|
||||||
|
@ -280,7 +280,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
||||||
def remove_endpoint_group_from_project(self, context, endpoint_group_id,
|
def remove_endpoint_group_from_project(self, context, endpoint_group_id,
|
||||||
project_id):
|
project_id):
|
||||||
"""Remove the endpoint group from associated project."""
|
"""Remove the endpoint group from associated project."""
|
||||||
self.assignment_api.get_project(project_id)
|
self.resource_api.get_project(project_id)
|
||||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||||
self.endpoint_filter_api.remove_endpoint_group_from_project(
|
self.endpoint_filter_api.remove_endpoint_group_from_project(
|
||||||
endpoint_group_id, project_id)
|
endpoint_group_id, project_id)
|
||||||
|
|
|
@ -289,14 +289,14 @@ class Auth(auth_controllers.Auth):
|
||||||
headers=[('Content-Type', 'text/xml')])
|
headers=[('Content-Type', 'text/xml')])
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api')
|
@dependency.requires('assignment_api', 'resource_api')
|
||||||
class DomainV3(controller.V3Controller):
|
class DomainV3(controller.V3Controller):
|
||||||
collection_name = 'domains'
|
collection_name = 'domains'
|
||||||
member_name = 'domain'
|
member_name = 'domain'
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(DomainV3, self).__init__()
|
super(DomainV3, self).__init__()
|
||||||
self.get_member_from_driver = self.assignment_api.get_domain
|
self.get_member_from_driver = self.resource_api.get_domain
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_domains_for_groups(self, context):
|
def list_domains_for_groups(self, context):
|
||||||
|
@ -312,14 +312,14 @@ class DomainV3(controller.V3Controller):
|
||||||
return DomainV3.wrap_collection(context, domains)
|
return DomainV3.wrap_collection(context, domains)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api')
|
@dependency.requires('assignment_api', 'resource_api')
|
||||||
class ProjectV3(controller.V3Controller):
|
class ProjectV3(controller.V3Controller):
|
||||||
collection_name = 'projects'
|
collection_name = 'projects'
|
||||||
member_name = 'project'
|
member_name = 'project'
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(ProjectV3, self).__init__()
|
super(ProjectV3, self).__init__()
|
||||||
self.get_member_from_driver = self.assignment_api.get_project
|
self.get_member_from_driver = self.resource_api.get_project
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_projects_for_groups(self, context):
|
def list_projects_for_groups(self, context):
|
||||||
|
|
|
@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller):
|
||||||
return formatted_entity
|
return formatted_entity
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'oauth_api', 'role_api')
|
@dependency.requires('oauth_api', 'role_api')
|
||||||
class AccessTokenRolesV3(controller.V3Controller):
|
class AccessTokenRolesV3(controller.V3Controller):
|
||||||
collection_name = 'roles'
|
collection_name = 'roles'
|
||||||
member_name = 'role'
|
member_name = 'role'
|
||||||
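Review bot: Dropping `'assignment_api'` from `@dependency.requires` on `AccessTokenRolesV3` is only safe if nothing in the class still reads `self.assignment_api`, and the class body lies outside this hunk, so that cannot be confirmed here. The same removal is made on `UserController` and on `BaseProvider` further down, where the bodies are also only partly shown. Unless a base class still declares the dependency, a leftover reference would presumably surface as an attribute error at request time on a token or password path rather than at import. Searching each of the three classes and their subclasses for `assignment_api` before merge would settle it. As the description defers the test updates to a later patch, a test that instantiates each class and makes one call through it would pin this.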
|
|
|
@ -46,7 +46,7 @@ extension.register_public_extension(
|
||||||
]})
|
]})
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
@dependency.requires('catalog_api', 'identity_api', 'resource_api',
|
||||||
'token_provider_api')
|
'token_provider_api')
|
||||||
class UserController(identity.controllers.User):
|
class UserController(identity.controllers.User):
|
||||||
def set_user_password(self, context, user_id, user):
|
def set_user_password(self, context, user_id, user):
|
||||||
|
@ -97,7 +97,7 @@ class UserController(identity.controllers.User):
|
||||||
if token_ref.bind:
|
if token_ref.bind:
|
||||||
new_token_ref['bind'] = token_ref.bind
|
new_token_ref['bind'] = token_ref.bind
|
||||||
if token_ref.project_id:
|
if token_ref.project_id:
|
||||||
new_token_ref['tenant'] = self.assignment_api.get_project(
|
new_token_ref['tenant'] = self.resource_api.get_project(
|
||||||
token_ref.project_id)
|
token_ref.project_id)
|
||||||
if token_ref.role_names:
|
if token_ref.role_names:
|
||||||
roles_ref = [dict(name=value)
|
roles_ref = [dict(name=value)
|
||||||
|
|
|
@ -26,7 +26,7 @@ CONF = config.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api')
|
@dependency.requires('assignment_api', 'identity_api', 'resource_api')
|
||||||
class User(controller.V2Controller):
|
class User(controller.V2Controller):
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
|
@ -73,7 +73,7 @@ class User(controller.V2Controller):
|
||||||
default_project_id = user.pop('tenantId', None)
|
default_project_id = user.pop('tenantId', None)
|
||||||
if default_project_id is not None:
|
if default_project_id is not None:
|
||||||
# Check to see if the project is valid before moving on.
|
# Check to see if the project is valid before moving on.
|
||||||
self.assignment_api.get_project(default_project_id)
|
self.resource_api.get_project(default_project_id)
|
||||||
user['default_project_id'] = default_project_id
|
user['default_project_id'] = default_project_id
|
||||||
|
|
||||||
# The manager layer will generate the unique ID for users
|
# The manager layer will generate the unique ID for users
|
||||||
|
@ -114,7 +114,7 @@ class User(controller.V2Controller):
|
||||||
default_project_id is not None)):
|
default_project_id is not None)):
|
||||||
# Make sure the new project actually exists before we perform the
|
# Make sure the new project actually exists before we perform the
|
||||||
# user update.
|
# user update.
|
||||||
self.assignment_api.get_project(default_project_id)
|
self.resource_api.get_project(default_project_id)
|
||||||
|
|
||||||
user_ref = self.v3_to_v2_user(
|
user_ref = self.v3_to_v2_user(
|
||||||
self.identity_api.update_user(user_id, user))
|
self.identity_api.update_user(user_id, user))
|
||||||
|
|
|
@ -91,7 +91,7 @@ class DomainConfigs(dict):
|
||||||
return importutils.import_object(
|
return importutils.import_object(
|
||||||
domain_config['cfg'].identity.driver, domain_config['cfg'])
|
domain_config['cfg'].identity.driver, domain_config['cfg'])
|
||||||
|
|
||||||
def _load_config(self, assignment_api, file_list, domain_name):
|
def _load_config(self, resource_api, file_list, domain_name):
|
||||||
|
|
||||||
def assert_no_more_than_one_sql_driver(new_config, config_file):
|
def assert_no_more_than_one_sql_driver(new_config, config_file):
|
||||||
"""Ensure there is more than one sql driver.
|
"""Ensure there is more than one sql driver.
|
||||||
|
@ -109,7 +109,7 @@ class DomainConfigs(dict):
|
||||||
self._any_sql = new_config['driver'].is_sql
|
self._any_sql = new_config['driver'].is_sql
|
||||||
|
|
||||||
try:
|
try:
|
||||||
domain_ref = assignment_api.get_domain_by_name(domain_name)
|
domain_ref = resource_api.get_domain_by_name(domain_name)
|
||||||
except exception.DomainNotFound:
|
except exception.DomainNotFound:
|
||||||
LOG.warning(
|
LOG.warning(
|
||||||
_LW('Invalid domain name (%s) found in config file name'),
|
_LW('Invalid domain name (%s) found in config file name'),
|
||||||
|
@ -130,7 +130,7 @@ class DomainConfigs(dict):
|
||||||
assert_no_more_than_one_sql_driver(domain_config, file_list)
|
assert_no_more_than_one_sql_driver(domain_config, file_list)
|
||||||
self[domain_ref['id']] = domain_config
|
self[domain_ref['id']] = domain_config
|
||||||
|
|
||||||
def setup_domain_drivers(self, standard_driver, assignment_api):
|
def setup_domain_drivers(self, standard_driver, resource_api):
|
||||||
# This is called by the api call wrapper
|
# This is called by the api call wrapper
|
||||||
self.configured = True
|
self.configured = True
|
||||||
self.driver = standard_driver
|
self.driver = standard_driver
|
||||||
|
@ -146,7 +146,7 @@ class DomainConfigs(dict):
|
||||||
if (fname.startswith(DOMAIN_CONF_FHEAD) and
|
if (fname.startswith(DOMAIN_CONF_FHEAD) and
|
||||||
fname.endswith(DOMAIN_CONF_FTAIL)):
|
fname.endswith(DOMAIN_CONF_FTAIL)):
|
||||||
if fname.count('.') >= 2:
|
if fname.count('.') >= 2:
|
||||||
self._load_config(assignment_api,
|
self._load_config(resource_api,
|
||||||
[os.path.join(r, fname)],
|
[os.path.join(r, fname)],
|
||||||
fname[len(DOMAIN_CONF_FHEAD):
|
fname[len(DOMAIN_CONF_FHEAD):
|
||||||
-len(DOMAIN_CONF_FTAIL)])
|
-len(DOMAIN_CONF_FTAIL)])
|
||||||
|
@ -193,7 +193,7 @@ def domains_configured(f):
|
||||||
if (not self.domain_configs.configured and
|
if (not self.domain_configs.configured and
|
||||||
CONF.identity.domain_specific_drivers_enabled):
|
CONF.identity.domain_specific_drivers_enabled):
|
||||||
self.domain_configs.setup_domain_drivers(
|
self.domain_configs.setup_domain_drivers(
|
||||||
self.driver, self.assignment_api)
|
self.driver, self.resource_api)
|
||||||
return f(self, *args, **kwargs)
|
return f(self, *args, **kwargs)
|
||||||
return wrapper
|
return wrapper
|
||||||
|
|
||||||
|
@ -221,7 +221,8 @@ def exception_translated(exception_type):
|
||||||
|
|
||||||
@dependency.provider('identity_api')
|
@dependency.provider('identity_api')
|
||||||
@dependency.optional('revoke_api')
|
@dependency.optional('revoke_api')
|
||||||
@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api')
|
@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api',
|
||||||
|
'resource_api')
|
||||||
class Manager(manager.Manager):
|
class Manager(manager.Manager):
|
||||||
"""Default pivot point for the Identity backend.
|
"""Default pivot point for the Identity backend.
|
||||||
|
|
||||||
|
@ -554,7 +555,7 @@ class Manager(manager.Manager):
|
||||||
user.setdefault('enabled', True)
|
user.setdefault('enabled', True)
|
||||||
user['enabled'] = clean.user_enabled(user['enabled'])
|
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||||
domain_id = user['domain_id']
|
domain_id = user['domain_id']
|
||||||
self.assignment_api.get_domain(domain_id)
|
self.resource_api.get_domain(domain_id)
|
||||||
|
|
||||||
# For creating a user, the domain is in the object itself
|
# For creating a user, the domain is in the object itself
|
||||||
domain_id = user_ref['domain_id']
|
domain_id = user_ref['domain_id']
|
||||||
|
@ -584,7 +585,7 @@ class Manager(manager.Manager):
|
||||||
"""
|
"""
|
||||||
if user is None:
|
if user is None:
|
||||||
user = self.get_user(user_id)
|
user = self.get_user(user_id)
|
||||||
self.assignment_api.assert_domain_enabled(user['domain_id'])
|
self.resource_api.assert_domain_enabled(user['domain_id'])
|
||||||
if not user.get('enabled', True):
|
if not user.get('enabled', True):
|
||||||
raise AssertionError(_('User is disabled: %s') % user_id)
|
raise AssertionError(_('User is disabled: %s') % user_id)
|
||||||
|
|
||||||
|
@ -625,7 +626,7 @@ class Manager(manager.Manager):
|
||||||
if 'enabled' in user:
|
if 'enabled' in user:
|
||||||
user['enabled'] = clean.user_enabled(user['enabled'])
|
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||||
if 'domain_id' in user:
|
if 'domain_id' in user:
|
||||||
self.assignment_api.get_domain(user['domain_id'])
|
self.resource_api.get_domain(user['domain_id'])
|
||||||
if 'id' in user:
|
if 'id' in user:
|
||||||
if user_id != user['id']:
|
if user_id != user['id']:
|
||||||
raise exception.ValidationError(_('Cannot change user ID'))
|
raise exception.ValidationError(_('Cannot change user ID'))
|
||||||
|
@ -665,7 +666,7 @@ class Manager(manager.Manager):
|
||||||
group = group_ref.copy()
|
group = group_ref.copy()
|
||||||
group.setdefault('description', '')
|
group.setdefault('description', '')
|
||||||
domain_id = group['domain_id']
|
domain_id = group['domain_id']
|
||||||
self.assignment_api.get_domain(domain_id)
|
self.resource_api.get_domain(domain_id)
|
||||||
|
|
||||||
# For creating a group, the domain is in the object itself
|
# For creating a group, the domain is in the object itself
|
||||||
domain_id = group_ref['domain_id']
|
domain_id = group_ref['domain_id']
|
||||||
|
@ -701,7 +702,7 @@ class Manager(manager.Manager):
|
||||||
@exception_translated('group')
|
@exception_translated('group')
|
||||||
def update_group(self, group_id, group):
|
def update_group(self, group_id, group):
|
||||||
if 'domain_id' in group:
|
if 'domain_id' in group:
|
||||||
self.assignment_api.get_domain(group['domain_id'])
|
self.resource_api.get_domain(group['domain_id'])
|
||||||
domain_id, driver, entity_id = (
|
domain_id, driver, entity_id = (
|
||||||
self._get_domain_driver_and_entity_id(group_id))
|
self._get_domain_driver_and_entity_id(group_id))
|
||||||
group = self._clear_domain_id_if_domain_unaware(driver, group)
|
group = self._clear_domain_id_if_domain_unaware(driver, group)
|
||||||
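Review bot: The docstring of `assert_no_more_than_one_sql_driver` inside `_load_config` reads "Ensure there is more than one sql driver", which states the opposite of what the function name says it enforces. Since this commit already edits the `_load_config` signature, I would correct it to `"""Ensure there is no more than one sql driver.` while here. The helper's body is outside the hunk, so this goes by the name alone. Separately, `_load_config` and `setup_domain_drivers` rename their parameter to `resource_api`; the one caller visible here (`domains_configured`) passes it positionally, but a caller using the `assignment_api=` keyword would break.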
|
|
|
@ -41,7 +41,8 @@ class ExternalAuthNotApplicable(Exception):
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||||
'role_api', 'token_provider_api', 'trust_api')
|
'resource_api', 'role_api', 'token_provider_api',
|
||||||
|
'trust_api')
|
||||||
class Auth(controller.V2Controller):
|
class Auth(controller.V2Controller):
|
||||||
|
|
||||||
@controller.v2_deprecated
|
@controller.v2_deprecated
|
||||||
|
@ -105,7 +106,7 @@ class Auth(controller.V2Controller):
|
||||||
self.identity_api.assert_user_enabled(
|
self.identity_api.assert_user_enabled(
|
||||||
user_id=user_ref['id'], user=user_ref)
|
user_id=user_ref['id'], user=user_ref)
|
||||||
if tenant_ref:
|
if tenant_ref:
|
||||||
self.assignment_api.assert_project_enabled(
|
self.resource_api.assert_project_enabled(
|
||||||
project_id=tenant_ref['id'], project=tenant_ref)
|
project_id=tenant_ref['id'], project=tenant_ref)
|
||||||
except AssertionError as e:
|
except AssertionError as e:
|
||||||
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
||||||
|
@ -360,7 +361,7 @@ class Auth(controller.V2Controller):
|
||||||
|
|
||||||
if tenant_name:
|
if tenant_name:
|
||||||
try:
|
try:
|
||||||
tenant_ref = self.assignment_api.get_project_by_name(
|
tenant_ref = self.resource_api.get_project_by_name(
|
||||||
tenant_name, CONF.identity.default_domain_id)
|
tenant_name, CONF.identity.default_domain_id)
|
||||||
tenant_id = tenant_ref['id']
|
tenant_id = tenant_ref['id']
|
||||||
except exception.ProjectNotFound as e:
|
except exception.ProjectNotFound as e:
|
||||||
|
@ -374,7 +375,7 @@ class Auth(controller.V2Controller):
|
||||||
role_list = []
|
role_list = []
|
||||||
if tenant_id:
|
if tenant_id:
|
||||||
try:
|
try:
|
||||||
tenant_ref = self.assignment_api.get_project(tenant_id)
|
tenant_ref = self.resource_api.get_project(tenant_id)
|
||||||
role_list = self.assignment_api.get_roles_for_user_and_project(
|
role_list = self.assignment_api.get_roles_for_user_and_project(
|
||||||
user_id, tenant_id)
|
user_id, tenant_id)
|
||||||
except exception.ProjectNotFound:
|
except exception.ProjectNotFound:
|
||||||
|
|
|
@ -60,7 +60,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
||||||
raise exception.Unauthorized(msg)
|
raise exception.Unauthorized(msg)
|
||||||
|
|
||||||
# If the user's domain is disabled don't allow them to authenticate
|
# If the user's domain is disabled don't allow them to authenticate
|
||||||
user_domain_ref = self.assignment_api.get_domain(
|
user_domain_ref = self.resource_api.get_domain(
|
||||||
user_ref['domain_id'])
|
user_ref['domain_id'])
|
||||||
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
||||||
msg = _('Domain is disabled: %s') % user_domain_ref['id']
|
msg = _('Domain is disabled: %s') % user_domain_ref['id']
|
||||||
|
@ -75,7 +75,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
||||||
raise exception.Unauthorized(msg)
|
raise exception.Unauthorized(msg)
|
||||||
|
|
||||||
# If the project's domain is disabled don't allow them to authenticate
|
# If the project's domain is disabled don't allow them to authenticate
|
||||||
project_domain_ref = self.assignment_api.get_domain(
|
project_domain_ref = self.resource_api.get_domain(
|
||||||
tenant_ref['domain_id'])
|
tenant_ref['domain_id'])
|
||||||
if (project_domain_ref and
|
if (project_domain_ref and
|
||||||
not project_domain_ref.get('enabled', True)):
|
not project_domain_ref.get('enabled', True)):
|
||||||
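Review bot: `validate_auth_info` takes `self` as an ordinary parameter and now reads `self.resource_api`, so every object passed in must have that dependency injected, and its callers are not shown in these hunks. The V2 `Auth` controller section adds `'resource_api'` to its `requires`. Any other caller needs the same, otherwise the disabled-domain checks would presumably fail with an attribute error instead of `Unauthorized`. The two `.get('enabled', True)` tests treat a domain ref with no `enabled` key as enabled, which deserves a comment such as `# a ref without 'enabled' counts as enabled; confirm the resource backend always sets it`. The function starts and ends outside both hunks.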
|
|
|
@ -39,8 +39,8 @@ EXPIRATION_TIME = lambda: CONF.token.cache_time
|
||||||
REVOCATION_CACHE_EXPIRATION_TIME = lambda: CONF.token.revocation_cache_time
|
REVOCATION_CACHE_EXPIRATION_TIME = lambda: CONF.token.revocation_cache_time
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
|
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||||
'trust_api')
|
'token_provider_api', 'trust_api')
|
||||||
class PersistenceManager(manager.Manager):
|
class PersistenceManager(manager.Manager):
|
||||||
"""Default pivot point for the Token backend.
|
"""Default pivot point for the Token backend.
|
||||||
|
|
||||||
|
@ -142,7 +142,7 @@ class PersistenceManager(manager.Manager):
|
||||||
"""
|
"""
|
||||||
if not CONF.token.revoke_by_id:
|
if not CONF.token.revoke_by_id:
|
||||||
return
|
return
|
||||||
projects = self.assignment_api.list_projects()
|
projects = self.resource_api.list_projects()
|
||||||
for project in projects:
|
for project in projects:
|
||||||
if project['domain_id'] == domain_id:
|
if project['domain_id'] == domain_id:
|
||||||
for user_id in self.assignment_api.list_user_ids_for_project(
|
for user_id in self.assignment_api.list_user_ids_for_project(
|
||||||
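Review bot: `self.resource_api.list_projects()` followed by the `project['domain_id'] == domain_id` test loads every project in the deployment in order to revoke tokens for a single domain. If the resource manager offers a per-domain project listing, calling it here would avoid the full scan and keep the domain filter in one place. Otherwise a short comment saying why the full list is needed would help. The loop now spans two managers (`resource_api` for the projects, `assignment_api` for `list_user_ids_for_project`), which is worth stating in the method docstring. The method begins and ends outside the hunk.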
|
|
|
@ -101,6 +101,7 @@ def audit_info(parent_audit_id):
|
||||||
|
|
||||||
@dependency.optional('revoke_api')
|
@dependency.optional('revoke_api')
|
||||||
@dependency.provider('token_provider_api')
|
@dependency.provider('token_provider_api')
|
||||||
|
@dependency.requires('assignment_api')
|
||||||
class Manager(manager.Manager):
|
class Manager(manager.Manager):
|
||||||
"""Default pivot point for the token provider backend.
|
"""Default pivot point for the token provider backend.
|
||||||
|
|
||||||
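Review bot: The added `@dependency.requires('assignment_api')` on the token provider `Manager` has no visible use in this hunk, and the rest of the commit moves project and domain lookups to `resource_api`, so it is not clear from here which call needs it. A one-line comment above the decorator naming the consumer would help, for example `# assignment_api is used by <method name> (placeholder; fill in the real caller)`. If the only need turns out to be project or domain lookup, `'resource_api'` would be the dependency to declare instead. The class body is outside the hunk.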
|
|
|
@ -144,7 +144,7 @@ class V2TokenDataHelper(object):
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||||
'role_api', 'trust_api')
|
'resource_api', 'role_api', 'trust_api')
|
||||||
class V3TokenDataHelper(object):
|
class V3TokenDataHelper(object):
|
||||||
"""Token data helper."""
|
"""Token data helper."""
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
|
@ -152,11 +152,11 @@ class V3TokenDataHelper(object):
|
||||||
super(V3TokenDataHelper, self).__init__()
|
super(V3TokenDataHelper, self).__init__()
|
||||||
|
|
||||||
def _get_filtered_domain(self, domain_id):
|
def _get_filtered_domain(self, domain_id):
|
||||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
domain_ref = self.resource_api.get_domain(domain_id)
|
||||||
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
||||||
|
|
||||||
def _get_filtered_project(self, project_id):
|
def _get_filtered_project(self, project_id):
|
||||||
project_ref = self.assignment_api.get_project(project_id)
|
project_ref = self.resource_api.get_project(project_id)
|
||||||
filtered_project = {
|
filtered_project = {
|
||||||
'id': project_ref['id'],
|
'id': project_ref['id'],
|
||||||
'name': project_ref['name']}
|
'name': project_ref['name']}
|
||||||
|
@ -383,7 +383,7 @@ class V3TokenDataHelper(object):
|
||||||
|
|
||||||
|
|
||||||
@dependency.optional('oauth_api')
|
@dependency.optional('oauth_api')
|
||||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
@dependency.requires('catalog_api', 'identity_api', 'resource_api',
|
||||||
'role_api', 'trust_api')
|
'role_api', 'trust_api')
|
||||||
class BaseProvider(provider.Provider):
|
class BaseProvider(provider.Provider):
|
||||||
def __init__(self, *args, **kwargs):
|
def __init__(self, *args, **kwargs):
|
||||||
|
@ -532,7 +532,7 @@ class BaseProvider(provider.Provider):
|
||||||
if (trustor_user_ref['domain_id'] !=
|
if (trustor_user_ref['domain_id'] !=
|
||||||
CONF.identity.default_domain_id):
|
CONF.identity.default_domain_id):
|
||||||
raise exception.Unauthorized(msg)
|
raise exception.Unauthorized(msg)
|
||||||
project_ref = self.assignment_api.get_project(
|
project_ref = self.resource_api.get_project(
|
||||||
trust_ref['project_id'])
|
trust_ref['project_id'])
|
||||||
if (project_ref['domain_id'] !=
|
if (project_ref['domain_id'] !=
|
||||||
CONF.identity.default_domain_id):
|
CONF.identity.default_domain_id):
|
||||||
|
|