Make controllers and managers reference new resource manager
This is part of the more comprehensive split of assignments, which rationalizes both the backend and controllers. In order to make this change easier for reviewers, it is divided into a number of smaller patches. Previous patches have: - Moved role management into its own manager and drivers - Fixed incorrect doc strings for grant driver methods - Updated controllers to call the new role manager - Updated unit tests to call the new role manager - Refactored the assignment manager and drivers enabling projects/domains to be split out - Fixed incorrect comment about circular dependency between assignment and identity - Moved the logically separated project and domain functionality into their own manager/backend (called resource). - Removed the unused pointer to assignment from identity driver This patch updates all the controllers and managers to call the new resource manager to access projects and domains. Future patches will: - Update the tests to call the new resource manager - Split the assignment controller, giving projects/domains their own controller Partially implements: bp pluggable-assignments Change-Id: I7180c5a324c44a22e40a367797d9bcd1d2ae79f2
parent
cbcece0fc8
commit
63c1a98a1a
|
@ -36,7 +36,8 @@ CONF = config.CONF
|
|||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||
'token_provider_api')
|
||||
class Tenant(controller.V2Controller):
|
||||
|
||||
@controller.v2_deprecated
|
||||
|
@ -47,7 +48,7 @@ class Tenant(controller.V2Controller):
|
|||
context, context['query_string'].get('name'))
|
||||
|
||||
self.assert_admin(context)
|
||||
tenant_refs = self.assignment_api.list_projects_in_domain(
|
||||
tenant_refs = self.resource_api.list_projects_in_domain(
|
||||
CONF.identity.default_domain_id)
|
||||
for tenant_ref in tenant_refs:
|
||||
tenant_ref = self.filter_domain_id(tenant_ref)
|
||||
|
@ -90,13 +91,13 @@ class Tenant(controller.V2Controller):
|
|||
def get_project(self, context, tenant_id):
|
||||
# TODO(termie): this stuff should probably be moved to middleware
|
||||
self.assert_admin(context)
|
||||
ref = self.assignment_api.get_project(tenant_id)
|
||||
ref = self.resource_api.get_project(tenant_id)
|
||||
return {'tenant': self.filter_domain_id(ref)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def get_project_by_name(self, context, tenant_name):
|
||||
self.assert_admin(context)
|
||||
ref = self.assignment_api.get_project_by_name(
|
||||
ref = self.resource_api.get_project_by_name(
|
||||
tenant_name, CONF.identity.default_domain_id)
|
||||
return {'tenant': self.filter_domain_id(ref)}
|
||||
|
||||
|
@ -111,7 +112,7 @@ class Tenant(controller.V2Controller):
|
|||
|
||||
self.assert_admin(context)
|
||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||
tenant = self.assignment_api.create_project(
|
||||
tenant = self.resource_api.create_project(
|
||||
tenant_ref['id'],
|
||||
self._normalize_domain_id(context, tenant_ref))
|
||||
return {'tenant': self.filter_domain_id(tenant)}
|
||||
|
@ -124,14 +125,14 @@ class Tenant(controller.V2Controller):
|
|||
clean_tenant = tenant.copy()
|
||||
clean_tenant.pop('domain_id', None)
|
||||
|
||||
tenant_ref = self.assignment_api.update_project(
|
||||
tenant_ref = self.resource_api.update_project(
|
||||
tenant_id, clean_tenant)
|
||||
return {'tenant': tenant_ref}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_project(self, context, tenant_id):
|
||||
self.assert_admin(context)
|
||||
self.assignment_api.delete_project(tenant_id)
|
||||
self.resource_api.delete_project(tenant_id)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def get_project_users(self, context, tenant_id, **kw):
|
||||
|
@ -345,74 +346,73 @@ class Role(controller.V2Controller):
|
|||
user_id, tenant_id, role_id)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api')
|
||||
@dependency.requires('resource_api')
|
||||
class DomainV3(controller.V3Controller):
|
||||
collection_name = 'domains'
|
||||
member_name = 'domain'
|
||||
|
||||
def __init__(self):
|
||||
super(DomainV3, self).__init__()
|
||||
self.get_member_from_driver = self.assignment_api.get_domain
|
||||
self.get_member_from_driver = self.resource_api.get_domain
|
||||
|
||||
@controller.protected()
|
||||
@validation.validated(schema.domain_create, 'domain')
|
||||
def create_domain(self, context, domain):
|
||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||
ref = self.assignment_api.create_domain(ref['id'], ref)
|
||||
ref = self.resource_api.create_domain(ref['id'], ref)
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
def list_domains(self, context, filters):
|
||||
hints = DomainV3.build_driver_hints(context, filters)
|
||||
refs = self.assignment_api.list_domains(hints=hints)
|
||||
refs = self.resource_api.list_domains(hints=hints)
|
||||
return DomainV3.wrap_collection(context, refs, hints=hints)
|
||||
|
||||
@controller.protected()
|
||||
def get_domain(self, context, domain_id):
|
||||
ref = self.assignment_api.get_domain(domain_id)
|
||||
ref = self.resource_api.get_domain(domain_id)
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected()
|
||||
@validation.validated(schema.domain_update, 'domain')
|
||||
def update_domain(self, context, domain_id, domain):
|
||||
self._require_matching_id(domain_id, domain)
|
||||
ref = self.assignment_api.update_domain(domain_id, domain)
|
||||
ref = self.resource_api.update_domain(domain_id, domain)
|
||||
return DomainV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_domain(self, context, domain_id):
|
||||
return self.assignment_api.delete_domain(domain_id)
|
||||
return self.resource_api.delete_domain(domain_id)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api')
|
||||
@dependency.requires('assignment_api', 'resource_api')
|
||||
class ProjectV3(controller.V3Controller):
|
||||
collection_name = 'projects'
|
||||
member_name = 'project'
|
||||
|
||||
def __init__(self):
|
||||
super(ProjectV3, self).__init__()
|
||||
self.get_member_from_driver = self.assignment_api.get_project
|
||||
self.get_member_from_driver = self.resource_api.get_project
|
||||
|
||||
@controller.protected()
|
||||
@validation.validated(schema.project_create, 'project')
|
||||
def create_project(self, context, project):
|
||||
ref = self._assign_unique_id(self._normalize_dict(project))
|
||||
ref = self._normalize_domain_id(context, ref)
|
||||
ref = self.assignment_api.create_project(ref['id'], ref)
|
||||
ref = self.resource_api.create_project(ref['id'], ref)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'enabled', 'name',
|
||||
'parent_id')
|
||||
def list_projects(self, context, filters):
|
||||
hints = ProjectV3.build_driver_hints(context, filters)
|
||||
refs = self.assignment_api.list_projects(hints=hints)
|
||||
refs = self.resource_api.list_projects(hints=hints)
|
||||
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
def list_user_projects(self, context, filters, user_id):
|
||||
hints = ProjectV3.build_driver_hints(context, filters)
|
||||
refs = self.assignment_api.list_projects_for_user(user_id,
|
||||
hints=hints)
|
||||
refs = self.assignment_api.list_projects_for_user(user_id, hints=hints)
|
||||
return ProjectV3.wrap_collection(context, refs, hints=hints)
|
||||
|
||||
def _expand_project_ref(self, context, ref):
|
||||
|
@ -420,7 +420,7 @@ class ProjectV3(controller.V3Controller):
|
|||
if ('parents_as_list' in context['query_string'] and
|
||||
self.query_filter_is_true(
|
||||
context['query_string']['parents_as_list'])):
|
||||
parents = self.assignment_api.list_project_parents(
|
||||
parents = self.resource_api.list_project_parents(
|
||||
ref['id'], user_id)
|
||||
ref['parents'] = [ProjectV3.wrap_member(context, p)
|
||||
for p in parents]
|
||||
|
@ -428,14 +428,14 @@ class ProjectV3(controller.V3Controller):
|
|||
if ('subtree_as_list' in context['query_string'] and
|
||||
self.query_filter_is_true(
|
||||
context['query_string']['subtree_as_list'])):
|
||||
subtree = self.assignment_api.list_projects_in_subtree(
|
||||
subtree = self.resource_api.list_projects_in_subtree(
|
||||
ref['id'], user_id)
|
||||
ref['subtree'] = [ProjectV3.wrap_member(context, p)
|
||||
for p in subtree]
|
||||
|
||||
@controller.protected()
|
||||
def get_project(self, context, project_id):
|
||||
ref = self.assignment_api.get_project(project_id)
|
||||
ref = self.resource_api.get_project(project_id)
|
||||
self._expand_project_ref(context, ref)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
|
@ -444,16 +444,17 @@ class ProjectV3(controller.V3Controller):
|
|||
def update_project(self, context, project_id, project):
|
||||
self._require_matching_id(project_id, project)
|
||||
self._require_matching_domain_id(
|
||||
project_id, project, self.assignment_api.get_project)
|
||||
ref = self.assignment_api.update_project(project_id, project)
|
||||
project_id, project, self.resource_api.get_project)
|
||||
ref = self.resource_api.update_project(project_id, project)
|
||||
return ProjectV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_project(self, context, project_id):
|
||||
return self.assignment_api.delete_project(project_id)
|
||||
return self.resource_api.delete_project(project_id)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api', 'role_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||
'role_api')
|
||||
class RoleV3(controller.V3Controller):
|
||||
collection_name = 'roles'
|
||||
member_name = 'role'
|
||||
|
@ -532,9 +533,9 @@ class RoleV3(controller.V3Controller):
|
|||
ref['group'] = self.identity_api.get_group(group_id)
|
||||
|
||||
if domain_id:
|
||||
ref['domain'] = self.assignment_api.get_domain(domain_id)
|
||||
ref['domain'] = self.resource_api.get_domain(domain_id)
|
||||
else:
|
||||
ref['project'] = self.assignment_api.get_project(project_id)
|
||||
ref['project'] = self.resource_api.get_project(project_id)
|
||||
|
||||
self.check_protection(context, protection, ref)
|
||||
|
||||
|
@ -588,7 +589,7 @@ class RoleV3(controller.V3Controller):
|
|||
self._check_if_inherited(context), context)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'resource_api')
|
||||
class RoleAssignmentV3(controller.V3Controller):
|
||||
|
||||
# TODO(henry-nash): The current implementation does not provide a full
|
||||
|
@ -824,7 +825,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
# projects owned by this domain.
|
||||
project_ids = (
|
||||
[x['id'] for x in
|
||||
self.assignment_api.list_projects_in_domain(
|
||||
self.resource_api.list_projects_in_domain(
|
||||
r['scope']['domain']['id'])])
|
||||
base_entry = copy.deepcopy(r)
|
||||
target_type = 'domains'
|
||||
|
@ -836,7 +837,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
project_id = r['scope']['project']['id']
|
||||
project_ids = (
|
||||
[x['id'] for x in
|
||||
self.assignment_api.list_projects_in_subtree(
|
||||
self.resource_api.list_projects_in_subtree(
|
||||
project_id)])
|
||||
base_entry = copy.deepcopy(r)
|
||||
target_type = 'projects'
|
||||
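Review bot: The v2 `Tenant` update path (hunk at -124,14) returns `{'tenant': tenant_ref}` unfiltered, while the other v2 handlers visible in this section (`get_project`, `get_project_by_name`, `create_project`) all pass the ref through `self.filter_domain_id(...)`. That makes the update response the one place here where a `domain_id` coming back from the resource manager could reach a v2 client, even though the request side strips it with `clean_tenant.pop('domain_id', None)`. Consider `return {'tenant': self.filter_domain_id(tenant_ref)}` for consistency with the siblings. The method's signature and any admin check are outside the hunk.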
|
|
|
@ -124,7 +124,7 @@ class AuthContext(dict):
|
|||
# available for consumers. Consumers should probably not be getting
|
||||
# identity_api from this since it's available in global registry, then
|
||||
# identity_api should be removed from this list.
|
||||
@dependency.requires('assignment_api', 'identity_api', 'trust_api')
|
||||
@dependency.requires('identity_api', 'resource_api', 'trust_api')
|
||||
class AuthInfo(object):
|
||||
"""Encapsulation of "auth" request."""
|
||||
|
||||
|
@ -147,7 +147,7 @@ class AuthInfo(object):
|
|||
def _assert_project_is_enabled(self, project_ref):
|
||||
# ensure the project is enabled
|
||||
try:
|
||||
self.assignment_api.assert_project_enabled(
|
||||
self.resource_api.assert_project_enabled(
|
||||
project_id=project_ref['id'],
|
||||
project=project_ref)
|
||||
except AssertionError as e:
|
||||
|
@ -157,7 +157,7 @@ class AuthInfo(object):
|
|||
|
||||
def _assert_domain_is_enabled(self, domain_ref):
|
||||
try:
|
||||
self.assignment_api.assert_domain_enabled(
|
||||
self.resource_api.assert_domain_enabled(
|
||||
domain_id=domain_ref['id'],
|
||||
domain=domain_ref)
|
||||
except AssertionError as e:
|
||||
|
@ -174,10 +174,10 @@ class AuthInfo(object):
|
|||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.assignment_api.get_domain_by_name(
|
||||
domain_ref = self.resource_api.get_domain_by_name(
|
||||
domain_name)
|
||||
else:
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
domain_ref = self.resource_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -197,10 +197,10 @@ class AuthInfo(object):
|
|||
raise exception.ValidationError(attribute='domain',
|
||||
target='project')
|
||||
domain_ref = self._lookup_domain(project_info['domain'])
|
||||
project_ref = self.assignment_api.get_project_by_name(
|
||||
project_ref = self.resource_api.get_project_by_name(
|
||||
project_name, domain_ref['id'])
|
||||
else:
|
||||
project_ref = self.assignment_api.get_project(project_id)
|
||||
project_ref = self.resource_api.get_project(project_id)
|
||||
# NOTE(morganfainberg): The _lookup_domain method will raise
|
||||
# exception.Unauthorized if the domain isn't found or is
|
||||
# disabled.
|
||||
|
@ -340,7 +340,7 @@ class AuthInfo(object):
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'token_provider_api', 'trust_api')
|
||||
'resource_api', 'token_provider_api', 'trust_api')
|
||||
class Auth(controller.V3Controller):
|
||||
|
||||
# Note(atiwari): From V3 auth controller code we are
|
||||
|
@ -427,9 +427,9 @@ class Auth(controller.V3Controller):
|
|||
|
||||
# make sure user's default project is legit before scoping to it
|
||||
try:
|
||||
default_project_ref = self.assignment_api.get_project(
|
||||
default_project_ref = self.resource_api.get_project(
|
||||
default_project_id)
|
||||
default_project_domain_ref = self.assignment_api.get_domain(
|
||||
default_project_domain_ref = self.resource_api.get_domain(
|
||||
default_project_ref['domain_id'])
|
||||
if (default_project_ref.get('enabled', True) and
|
||||
default_project_domain_ref.get('enabled', True)):
|
||||
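Review bot: `AuthInfo` no longer lists `'assignment_api'` in `@dependency.requires`, yet only a few lines of the class are visible here, so any `self.assignment_api` reference left in the unshown methods would only surface as an `AttributeError` when that path runs, i.e. in the middle of an authentication request. The same removal is made on `Domain`, `LegacyDomain`, `UserAuthInfo`, `_ControllerBase`, `AccessTokenRolesV3` and `UserController` further down the page, and the subclasses of `_ControllerBase` presumably depend on the narrowed list as well. A search for `assignment_api` in each of those modules before merging would settle it.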
|
|
|
@ -74,7 +74,7 @@ class DefaultDomain(Base):
|
|||
return user_ref
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('identity_api', 'resource_api')
|
||||
class Domain(Base):
|
||||
def _authenticate(self, remote_user, context):
|
||||
"""Use remote_user to look up the user in the identity backend.
|
||||
|
@ -89,7 +89,7 @@ class Domain(Base):
|
|||
except KeyError:
|
||||
domain_id = CONF.identity.default_domain_id
|
||||
else:
|
||||
domain_ref = self.assignment_api.get_domain_by_name(domain_name)
|
||||
domain_ref = self.resource_api.get_domain_by_name(domain_name)
|
||||
domain_id = domain_ref['id']
|
||||
|
||||
user_ref = self.identity_api.get_user_by_name(username, domain_id)
|
||||
|
@ -156,7 +156,7 @@ class LegacyDefaultDomain(Base):
|
|||
return user_ref
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('identity_api', 'resource_api')
|
||||
class LegacyDomain(Base):
|
||||
"""Deprecated. Please use keystone.auth.external.Domain instead."""
|
||||
|
||||
|
@ -178,7 +178,7 @@ class LegacyDomain(Base):
|
|||
username = names.pop(0)
|
||||
if names:
|
||||
domain_name = names[0]
|
||||
domain_ref = self.assignment_api.get_domain_by_name(domain_name)
|
||||
domain_ref = self.resource_api.get_domain_by_name(domain_name)
|
||||
domain_id = domain_ref['id']
|
||||
else:
|
||||
domain_id = CONF.identity.default_domain_id
|
||||
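Review bot: The domain returned by `self.resource_api.get_domain_by_name(domain_name)` is used only for its `id` in both `Domain._authenticate` and `LegacyDomain`, and neither hunk shows a check that the domain is enabled, unlike the password plugin on this page, which calls `_assert_domain_is_enabled(domain_ref)` after its lookup. If the external plugins rely on a later check (the identity manager's `assert_user_enabled` does assert the user's domain), a short comment at the lookup such as `# domain enabled state is enforced when the user is asserted enabled` would record that. Otherwise the check is missing here. Both method bodies continue outside the hunks.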
|
|
|
@ -27,7 +27,7 @@ METHOD_NAME = 'password'
|
|||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('identity_api', 'resource_api')
|
||||
class UserAuthInfo(object):
|
||||
@staticmethod
|
||||
def create(auth_payload):
|
||||
|
@ -42,7 +42,7 @@ class UserAuthInfo(object):
|
|||
|
||||
def _assert_domain_is_enabled(self, domain_ref):
|
||||
try:
|
||||
self.assignment_api.assert_domain_enabled(
|
||||
self.resource_api.assert_domain_enabled(
|
||||
domain_id=domain_ref['id'],
|
||||
domain=domain_ref)
|
||||
except AssertionError as e:
|
||||
|
@ -69,10 +69,10 @@ class UserAuthInfo(object):
|
|||
target='domain')
|
||||
try:
|
||||
if domain_name:
|
||||
domain_ref = self.assignment_api.get_domain_by_name(
|
||||
domain_ref = self.resource_api.get_domain_by_name(
|
||||
domain_name)
|
||||
else:
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
domain_ref = self.resource_api.get_domain(domain_id)
|
||||
except exception.DomainNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
|
||||
|
@ -101,7 +101,7 @@ class UserAuthInfo(object):
|
|||
user_name, domain_ref['id'])
|
||||
else:
|
||||
user_ref = self.identity_api.get_user(user_id)
|
||||
domain_ref = self.assignment_api.get_domain(
|
||||
domain_ref = self.resource_api.get_domain(
|
||||
user_ref['domain_id'])
|
||||
self._assert_domain_is_enabled(domain_ref)
|
||||
except exception.UserNotFound as e:
|
||||
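Review bot: The domain lookup in `UserAuthInfo` (hunk at -69,10) handles `exception.DomainNotFound` with `LOG.exception(e)` followed by `raise exception.Unauthorized(e)`, so a request carrying an unknown domain name writes a full traceback at error level and hands the not-found text to the 401. This path is reachable before authentication. `LOG.warning(e)` and a bare `raise exception.Unauthorized()` would keep log volume bounded and avoid telling the caller which domains exist, should the exception message ever be rendered in the response. The domain lookup in `AuthInfo` (hunk at -174,10 of the auth controllers section) has the identical pattern, and both methods start outside their hunks.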
|
|
|
@ -50,7 +50,8 @@ from keystone.models import token_model
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
|
||||
'identity_api', 'role_api', 'token_provider_api')
|
||||
'identity_api', 'resource_api', 'role_api',
|
||||
'token_provider_api')
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class Ec2ControllerCommon(object):
|
||||
def check_signature(self, creds_ref, credentials):
|
||||
|
@ -112,7 +113,7 @@ class Ec2ControllerCommon(object):
|
|||
|
||||
# TODO(termie): don't create new tokens every time
|
||||
# TODO(termie): this is copied from TokenController.authenticate
|
||||
tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
|
||||
tenant_ref = self.resource_api.get_project(creds_ref['tenant_id'])
|
||||
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
||||
metadata_ref = {}
|
||||
metadata_ref['roles'] = (
|
||||
|
@ -128,9 +129,9 @@ class Ec2ControllerCommon(object):
|
|||
try:
|
||||
self.identity_api.assert_user_enabled(
|
||||
user_id=user_ref['id'], user=user_ref)
|
||||
self.assignment_api.assert_domain_enabled(
|
||||
self.resource_api.assert_domain_enabled(
|
||||
domain_id=user_ref['domain_id'])
|
||||
self.assignment_api.assert_project_enabled(
|
||||
self.resource_api.assert_project_enabled(
|
||||
project_id=tenant_ref['id'], project=tenant_ref)
|
||||
except AssertionError as e:
|
||||
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
||||
|
@ -159,7 +160,7 @@ class Ec2ControllerCommon(object):
|
|||
"""
|
||||
|
||||
self.identity_api.get_user(user_id)
|
||||
self.assignment_api.get_project(tenant_id)
|
||||
self.resource_api.get_project(tenant_id)
|
||||
trust_id = self._get_trust_id_for_request(context)
|
||||
blob = {'access': uuid.uuid4().hex,
|
||||
'secret': uuid.uuid4().hex,
|
||||
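Review bot: The enabled checks in the hunk at -128,9 cover the user, the user's domain (`domain_id=user_ref['domain_id']`) and the project, but not the project's own domain. When the project lives in a different domain from the user, a disabled project domain would not be caught by the lines shown. Unless `resource_api.assert_project_enabled` also verifies the owning domain (not visible on this page), add `self.resource_api.assert_domain_enabled(domain_id=tenant_ref['domain_id'])` inside the same `try`. The enclosing method begins and ends outside the hunk.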
|
|
|
@ -22,14 +22,14 @@ from keystone import exception
|
|||
from keystone import notifications
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'endpoint_filter_api')
|
||||
@dependency.requires('catalog_api', 'endpoint_filter_api', 'resource_api')
|
||||
class _ControllerBase(controller.V3Controller):
|
||||
"""Base behaviors for endpoint filter controllers."""
|
||||
|
||||
def _get_endpoint_groups_for_project(self, project_id):
|
||||
# recover the project endpoint group memberships and for each
|
||||
# membership recover the endpoint group
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
try:
|
||||
refs = self.endpoint_filter_api.list_endpoint_groups_for_project(
|
||||
project_id)
|
||||
|
@ -85,7 +85,7 @@ class EndpointFilterV3Controller(_ControllerBase):
|
|||
# The relationship can still be established even with a disabled
|
||||
# project as there are no security implications.
|
||||
self.catalog_api.get_endpoint(endpoint_id)
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
|
||||
project_id)
|
||||
|
||||
|
@ -93,14 +93,14 @@ class EndpointFilterV3Controller(_ControllerBase):
|
|||
def check_endpoint_in_project(self, context, project_id, endpoint_id):
|
||||
"""Verifies endpoint is currently associated with given project."""
|
||||
self.catalog_api.get_endpoint(endpoint_id)
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
|
||||
project_id)
|
||||
|
||||
@controller.protected()
|
||||
def list_endpoints_for_project(self, context, project_id):
|
||||
"""List all endpoints currently associated with a given project."""
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
|
||||
filtered_endpoints = dict(
|
||||
(ref['endpoint_id'], self.catalog_api.get_endpoint(
|
||||
|
@ -133,7 +133,7 @@ class EndpointFilterV3Controller(_ControllerBase):
|
|||
self.catalog_api.get_endpoint(endpoint_id)
|
||||
refs = self.endpoint_filter_api.list_projects_for_endpoint(endpoint_id)
|
||||
|
||||
projects = [self.assignment_api.get_project(
|
||||
projects = [self.resource_api.get_project(
|
||||
ref['project_id']) for ref in refs]
|
||||
return assignment.controllers.ProjectV3.wrap_collection(context,
|
||||
projects)
|
||||
|
@ -221,7 +221,7 @@ class EndpointGroupV3Controller(_ControllerBase):
|
|||
endpoint_group_id))
|
||||
projects = []
|
||||
for endpoint_group_ref in endpoint_group_refs:
|
||||
project = self.assignment_api.get_project(
|
||||
project = self.resource_api.get_project(
|
||||
endpoint_group_ref['project_id'])
|
||||
if project:
|
||||
projects.append(project)
|
||||
|
@ -260,7 +260,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
|||
def get_endpoint_group_in_project(self, context, endpoint_group_id,
|
||||
project_id):
|
||||
"""Retrieve the endpoint group associated with the id if exists."""
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||
ref = self.endpoint_filter_api.get_endpoint_group_in_project(
|
||||
endpoint_group_id, project_id)
|
||||
|
@ -271,7 +271,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
|||
def add_endpoint_group_to_project(self, context, endpoint_group_id,
|
||||
project_id):
|
||||
"""Creates an association between an endpoint group and project."""
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||
self.endpoint_filter_api.add_endpoint_group_to_project(
|
||||
endpoint_group_id, project_id)
|
||||
|
@ -280,7 +280,7 @@ class ProjectEndpointGroupV3Controller(_ControllerBase):
|
|||
def remove_endpoint_group_from_project(self, context, endpoint_group_id,
|
||||
project_id):
|
||||
"""Remove the endpoint group from associated project."""
|
||||
self.assignment_api.get_project(project_id)
|
||||
self.resource_api.get_project(project_id)
|
||||
self.endpoint_filter_api.get_endpoint_group(endpoint_group_id)
|
||||
self.endpoint_filter_api.remove_endpoint_group_from_project(
|
||||
endpoint_group_id, project_id)
|
||||
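Review bot: In the `EndpointGroupV3Controller` hunk the `if project:` guard after `self.resource_api.get_project(...)` looks dead. Elsewhere on this page `get_project` is called with its result discarded, purely as an existence check, and the token controller wraps it in `except exception.ProjectNotFound`. If it raises here too, one stale `project_id` in an endpoint-group association makes the whole listing fail instead of being skipped, which the guard suggests was the intent. Catching the exception explicitly, as below, matches that intent; the method containing the loop is outside the hunk.

```python
for endpoint_group_ref in endpoint_group_refs:
    try:
        project = self.resource_api.get_project(
            endpoint_group_ref['project_id'])
    except exception.ProjectNotFound:
        # association outlived its project; skip it
        continue
    projects.append(project)
```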
|
|
|
@ -289,14 +289,14 @@ class Auth(auth_controllers.Auth):
|
|||
headers=[('Content-Type', 'text/xml')])
|
||||
|
||||
|
||||
@dependency.requires('assignment_api')
|
||||
@dependency.requires('assignment_api', 'resource_api')
|
||||
class DomainV3(controller.V3Controller):
|
||||
collection_name = 'domains'
|
||||
member_name = 'domain'
|
||||
|
||||
def __init__(self):
|
||||
super(DomainV3, self).__init__()
|
||||
self.get_member_from_driver = self.assignment_api.get_domain
|
||||
self.get_member_from_driver = self.resource_api.get_domain
|
||||
|
||||
@controller.protected()
|
||||
def list_domains_for_groups(self, context):
|
||||
|
@ -312,14 +312,14 @@ class DomainV3(controller.V3Controller):
|
|||
return DomainV3.wrap_collection(context, domains)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api')
|
||||
@dependency.requires('assignment_api', 'resource_api')
|
||||
class ProjectV3(controller.V3Controller):
|
||||
collection_name = 'projects'
|
||||
member_name = 'project'
|
||||
|
||||
def __init__(self):
|
||||
super(ProjectV3, self).__init__()
|
||||
self.get_member_from_driver = self.assignment_api.get_project
|
||||
self.get_member_from_driver = self.resource_api.get_project
|
||||
|
||||
@controller.protected()
|
||||
def list_projects_for_groups(self, context):
|
||||
|
|
|
@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller):
|
|||
return formatted_entity
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'oauth_api', 'role_api')
|
||||
@dependency.requires('oauth_api', 'role_api')
|
||||
class AccessTokenRolesV3(controller.V3Controller):
|
||||
collection_name = 'roles'
|
||||
member_name = 'role'
|
||||
|
|
|
@ -46,7 +46,7 @@ extension.register_public_extension(
|
|||
]})
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
@dependency.requires('catalog_api', 'identity_api', 'resource_api',
|
||||
'token_provider_api')
|
||||
class UserController(identity.controllers.User):
|
||||
def set_user_password(self, context, user_id, user):
|
||||
|
@ -97,7 +97,7 @@ class UserController(identity.controllers.User):
|
|||
if token_ref.bind:
|
||||
new_token_ref['bind'] = token_ref.bind
|
||||
if token_ref.project_id:
|
||||
new_token_ref['tenant'] = self.assignment_api.get_project(
|
||||
new_token_ref['tenant'] = self.resource_api.get_project(
|
||||
token_ref.project_id)
|
||||
if token_ref.role_names:
|
||||
roles_ref = [dict(name=value)
|
||||
|
|
|
@ -26,7 +26,7 @@ CONF = config.CONF
|
|||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'resource_api')
|
||||
class User(controller.V2Controller):
|
||||
|
||||
@controller.v2_deprecated
|
||||
|
@ -73,7 +73,7 @@ class User(controller.V2Controller):
|
|||
default_project_id = user.pop('tenantId', None)
|
||||
if default_project_id is not None:
|
||||
# Check to see if the project is valid before moving on.
|
||||
self.assignment_api.get_project(default_project_id)
|
||||
self.resource_api.get_project(default_project_id)
|
||||
user['default_project_id'] = default_project_id
|
||||
|
||||
# The manager layer will generate the unique ID for users
|
||||
|
@ -114,7 +114,7 @@ class User(controller.V2Controller):
|
|||
default_project_id is not None)):
|
||||
# Make sure the new project actually exists before we perform the
|
||||
# user update.
|
||||
self.assignment_api.get_project(default_project_id)
|
||||
self.resource_api.get_project(default_project_id)
|
||||
|
||||
user_ref = self.v3_to_v2_user(
|
||||
self.identity_api.update_user(user_id, user))
|
||||
|
|
|
@ -91,7 +91,7 @@ class DomainConfigs(dict):
|
|||
return importutils.import_object(
|
||||
domain_config['cfg'].identity.driver, domain_config['cfg'])
|
||||
|
||||
def _load_config(self, assignment_api, file_list, domain_name):
|
||||
def _load_config(self, resource_api, file_list, domain_name):
|
||||
|
||||
def assert_no_more_than_one_sql_driver(new_config, config_file):
|
||||
"""Ensure there is more than one sql driver.
|
||||
|
@ -109,7 +109,7 @@ class DomainConfigs(dict):
|
|||
self._any_sql = new_config['driver'].is_sql
|
||||
|
||||
try:
|
||||
domain_ref = assignment_api.get_domain_by_name(domain_name)
|
||||
domain_ref = resource_api.get_domain_by_name(domain_name)
|
||||
except exception.DomainNotFound:
|
||||
LOG.warning(
|
||||
_LW('Invalid domain name (%s) found in config file name'),
|
||||
|
@ -130,7 +130,7 @@ class DomainConfigs(dict):
|
|||
assert_no_more_than_one_sql_driver(domain_config, file_list)
|
||||
self[domain_ref['id']] = domain_config
|
||||
|
||||
def setup_domain_drivers(self, standard_driver, assignment_api):
|
||||
def setup_domain_drivers(self, standard_driver, resource_api):
|
||||
# This is called by the api call wrapper
|
||||
self.configured = True
|
||||
self.driver = standard_driver
|
||||
|
@ -146,7 +146,7 @@ class DomainConfigs(dict):
|
|||
if (fname.startswith(DOMAIN_CONF_FHEAD) and
|
||||
fname.endswith(DOMAIN_CONF_FTAIL)):
|
||||
if fname.count('.') >= 2:
|
||||
self._load_config(assignment_api,
|
||||
self._load_config(resource_api,
|
||||
[os.path.join(r, fname)],
|
||||
fname[len(DOMAIN_CONF_FHEAD):
|
||||
-len(DOMAIN_CONF_FTAIL)])
|
||||
|
@ -193,7 +193,7 @@ def domains_configured(f):
|
|||
if (not self.domain_configs.configured and
|
||||
CONF.identity.domain_specific_drivers_enabled):
|
||||
self.domain_configs.setup_domain_drivers(
|
||||
self.driver, self.assignment_api)
|
||||
self.driver, self.resource_api)
|
||||
return f(self, *args, **kwargs)
|
||||
return wrapper
|
||||
|
||||
|
@ -221,7 +221,8 @@ def exception_translated(exception_type):
|
|||
|
||||
@dependency.provider('identity_api')
|
||||
@dependency.optional('revoke_api')
|
||||
@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api')
|
||||
@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api',
|
||||
'resource_api')
|
||||
class Manager(manager.Manager):
|
||||
"""Default pivot point for the Identity backend.
|
||||
|
||||
|
@ -554,7 +555,7 @@ class Manager(manager.Manager):
|
|||
user.setdefault('enabled', True)
|
||||
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||
domain_id = user['domain_id']
|
||||
self.assignment_api.get_domain(domain_id)
|
||||
self.resource_api.get_domain(domain_id)
|
||||
|
||||
# For creating a user, the domain is in the object itself
|
||||
domain_id = user_ref['domain_id']
|
||||
|
@ -584,7 +585,7 @@ class Manager(manager.Manager):
|
|||
"""
|
||||
if user is None:
|
||||
user = self.get_user(user_id)
|
||||
self.assignment_api.assert_domain_enabled(user['domain_id'])
|
||||
self.resource_api.assert_domain_enabled(user['domain_id'])
|
||||
if not user.get('enabled', True):
|
||||
raise AssertionError(_('User is disabled: %s') % user_id)
|
||||
|
||||
|
@ -625,7 +626,7 @@ class Manager(manager.Manager):
|
|||
if 'enabled' in user:
|
||||
user['enabled'] = clean.user_enabled(user['enabled'])
|
||||
if 'domain_id' in user:
|
||||
self.assignment_api.get_domain(user['domain_id'])
|
||||
self.resource_api.get_domain(user['domain_id'])
|
||||
if 'id' in user:
|
||||
if user_id != user['id']:
|
||||
raise exception.ValidationError(_('Cannot change user ID'))
|
||||
|
@ -665,7 +666,7 @@ class Manager(manager.Manager):
|
|||
group = group_ref.copy()
|
||||
group.setdefault('description', '')
|
||||
domain_id = group['domain_id']
|
||||
self.assignment_api.get_domain(domain_id)
|
||||
self.resource_api.get_domain(domain_id)
|
||||
|
||||
# For creating a group, the domain is in the object itself
|
||||
domain_id = group_ref['domain_id']
|
||||
|
@ -701,7 +702,7 @@ class Manager(manager.Manager):
|
|||
@exception_translated('group')
|
||||
def update_group(self, group_id, group):
|
||||
if 'domain_id' in group:
|
||||
self.assignment_api.get_domain(group['domain_id'])
|
||||
self.resource_api.get_domain(group['domain_id'])
|
||||
domain_id, driver, entity_id = (
|
||||
self._get_domain_driver_and_entity_id(group_id))
|
||||
group = self._clear_domain_id_if_domain_unaware(driver, group)
|
||||
|
|
|
@ -41,7 +41,8 @@ class ExternalAuthNotApplicable(Exception):
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'role_api', 'token_provider_api', 'trust_api')
|
||||
'resource_api', 'role_api', 'token_provider_api',
|
||||
'trust_api')
|
||||
class Auth(controller.V2Controller):
|
||||
|
||||
@controller.v2_deprecated
|
||||
|
@ -105,7 +106,7 @@ class Auth(controller.V2Controller):
|
|||
self.identity_api.assert_user_enabled(
|
||||
user_id=user_ref['id'], user=user_ref)
|
||||
if tenant_ref:
|
||||
self.assignment_api.assert_project_enabled(
|
||||
self.resource_api.assert_project_enabled(
|
||||
project_id=tenant_ref['id'], project=tenant_ref)
|
||||
except AssertionError as e:
|
||||
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
||||
|
@ -360,7 +361,7 @@ class Auth(controller.V2Controller):
|
|||
|
||||
if tenant_name:
|
||||
try:
|
||||
tenant_ref = self.assignment_api.get_project_by_name(
|
||||
tenant_ref = self.resource_api.get_project_by_name(
|
||||
tenant_name, CONF.identity.default_domain_id)
|
||||
tenant_id = tenant_ref['id']
|
||||
except exception.ProjectNotFound as e:
|
||||
|
@ -374,7 +375,7 @@ class Auth(controller.V2Controller):
|
|||
role_list = []
|
||||
if tenant_id:
|
||||
try:
|
||||
tenant_ref = self.assignment_api.get_project(tenant_id)
|
||||
tenant_ref = self.resource_api.get_project(tenant_id)
|
||||
role_list = self.assignment_api.get_roles_for_user_and_project(
|
||||
user_id, tenant_id)
|
||||
except exception.ProjectNotFound:
|
||||
|
|
|
@ -60,7 +60,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
|||
raise exception.Unauthorized(msg)
|
||||
|
||||
# If the user's domain is disabled don't allow them to authenticate
|
||||
user_domain_ref = self.assignment_api.get_domain(
|
||||
user_domain_ref = self.resource_api.get_domain(
|
||||
user_ref['domain_id'])
|
||||
if user_domain_ref and not user_domain_ref.get('enabled', True):
|
||||
msg = _('Domain is disabled: %s') % user_domain_ref['id']
|
||||
|
@ -75,7 +75,7 @@ def validate_auth_info(self, user_ref, tenant_ref):
|
|||
raise exception.Unauthorized(msg)
|
||||
|
||||
# If the project's domain is disabled don't allow them to authenticate
|
||||
project_domain_ref = self.assignment_api.get_domain(
|
||||
project_domain_ref = self.resource_api.get_domain(
|
||||
tenant_ref['domain_id'])
|
||||
if (project_domain_ref and
|
||||
not project_domain_ref.get('enabled', True)):
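Review bot: The domain checks in validate_auth_info fail open: `if user_domain_ref and not user_domain_ref.get('enabled', True):` and the matching `project_domain_ref` test both treat a missing `enabled` key, or a falsy reference, as an enabled domain. Now that the reference comes from `self.resource_api.get_domain(...)`, that default is only safe if every resource driver always returns `enabled`, which these hunks do not show. For an authentication gate I would default to disabled, `if user_domain_ref and not user_domain_ref.get('enabled', False):`, and the same for the project domain. The falsy-reference case needs its own handling, because the message line reads `user_domain_ref['id']`. The function starts and ends outside both hunks, so its remaining checks could not be reviewed.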
|
||||
|
|
|
@ -39,8 +39,8 @@ EXPIRATION_TIME = lambda: CONF.token.cache_time
|
|||
REVOCATION_CACHE_EXPIRATION_TIME = lambda: CONF.token.revocation_cache_time
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
|
||||
'trust_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'resource_api',
|
||||
'token_provider_api', 'trust_api')
|
||||
class PersistenceManager(manager.Manager):
|
||||
"""Default pivot point for the Token backend.
|
||||
|
||||
|
@ -142,7 +142,7 @@ class PersistenceManager(manager.Manager):
|
|||
"""
|
||||
if not CONF.token.revoke_by_id:
|
||||
return
|
||||
projects = self.assignment_api.list_projects()
|
||||
projects = self.resource_api.list_projects()
|
||||
for project in projects:
|
||||
if project['domain_id'] == domain_id:
|
||||
for user_id in self.assignment_api.list_user_ids_for_project(
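Review bot: The domain revocation loop loads every project with `self.resource_api.list_projects()` and then filters on `project['domain_id'] == domain_id` in Python. The resource manager already has a domain-scoped call, used by the Tenant controller in this same commit, so `projects = self.resource_api.list_projects_in_domain(domain_id)` would remove the filter and avoid reading unrelated projects. This also affects how complete the revocation is: if the unfiltered listing is ever capped or truncated by a driver (not visible here), projects of the domain could be skipped and their tokens left valid. The method begins before this hunk and continues past it.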
|
||||
|
|
|
@ -101,6 +101,7 @@ def audit_info(parent_audit_id):
|
|||
|
||||
@dependency.optional('revoke_api')
|
||||
@dependency.provider('token_provider_api')
|
||||
@dependency.requires('assignment_api')
|
||||
class Manager(manager.Manager):
|
||||
"""Default pivot point for the token provider backend.
|
||||
|
||||
|
|
|
@ -144,7 +144,7 @@ class V2TokenDataHelper(object):
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'role_api', 'trust_api')
|
||||
'resource_api', 'role_api', 'trust_api')
|
||||
class V3TokenDataHelper(object):
|
||||
"""Token data helper."""
|
||||
def __init__(self):
|
||||
|
@ -152,11 +152,11 @@ class V3TokenDataHelper(object):
|
|||
super(V3TokenDataHelper, self).__init__()
|
||||
|
||||
def _get_filtered_domain(self, domain_id):
|
||||
domain_ref = self.assignment_api.get_domain(domain_id)
|
||||
domain_ref = self.resource_api.get_domain(domain_id)
|
||||
return {'id': domain_ref['id'], 'name': domain_ref['name']}
|
||||
|
||||
def _get_filtered_project(self, project_id):
|
||||
project_ref = self.assignment_api.get_project(project_id)
|
||||
project_ref = self.resource_api.get_project(project_id)
|
||||
filtered_project = {
|
||||
'id': project_ref['id'],
|
||||
'name': project_ref['name']}
|
||||
|
@ -383,7 +383,7 @@ class V3TokenDataHelper(object):
|
|||
|
||||
|
||||
@dependency.optional('oauth_api')
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
@dependency.requires('catalog_api', 'identity_api', 'resource_api',
|
||||
'role_api', 'trust_api')
|
||||
class BaseProvider(provider.Provider):
|
||||
def __init__(self, *args, **kwargs):
|
||||
|
@ -532,7 +532,7 @@ class BaseProvider(provider.Provider):
|
|||
if (trustor_user_ref['domain_id'] !=
|
||||
CONF.identity.default_domain_id):
|
||||
raise exception.Unauthorized(msg)
|
||||
project_ref = self.assignment_api.get_project(
|
||||
project_ref = self.resource_api.get_project(
|
||||
trust_ref['project_id'])
|
||||
if (project_ref['domain_id'] !=
|
||||
CONF.identity.default_domain_id):
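Review bot: The `BaseProvider` decorator appears to drop `'assignment_api'` (the new line reads `@dependency.requires('catalog_api', 'identity_api', 'resource_api',`), yet the visible hunks convert only one call in that class, the `get_project` lookup in the trust check. If any other `BaseProvider` method outside these hunks still uses `self.assignment_api`, it would presumably raise an AttributeError when that token path runs; this cannot be confirmed from here. Until the class is known to be clean, keep the dependency in the same form as `V3TokenDataHelper` above: `@dependency.requires('assignment_api', 'catalog_api', 'identity_api',` followed by `'resource_api', 'role_api', 'trust_api')`. If the removal is deliberate, a one-line comment above the decorator saying so would help the next reviewer.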
|
||||
|
|