Make controllers call the new, split out, role manager

This is part of the more comprehensive split of
assignments, which rationalizes both the backend and controllers.
In order to make this change easier for reviewers, it is divided
into a number of smaller patches. Previous patches:

- Moved role management into its own manager and drivers
- Fixed incorrect doc strings for grant driver methods

This patch updates any controllers that make calls to manage
roles to use the new role manager.

Future patches will:

- Update the tests to call the new role manager
- Refactor assignment manager and driver methods to logically
  separate project/domains from the actual assignments
- Split projects and domains into their own backend
- Split the controllers so they call the correct manager
- Update the tests to call the new correct manager

Partially implements: bp pluggable-assignments

Change-Id: Ia8777cd44921372afc8e918e2ae58d760f0c96fa
Henry Nash 2014-12-30 18:17:35 +00:00
parent 27b90d8ca9
commit 6d4a0a3fa6
6 changed files with 32 additions and 33 deletions


@ -186,7 +186,7 @@ class Tenant(controller.V2Controller):
return o
@dependency.requires('assignment_api')
@dependency.requires('assignment_api', 'role_api')
class Role(controller.V2Controller):
# COMPAT(essex-3)
@ -205,14 +205,14 @@ class Role(controller.V2Controller):
roles = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
return {'roles': [self.assignment_api.get_role(x)
return {'roles': [self.role_api.get_role(x)
for x in roles]}
# CRUD extension
@controller.v2_deprecated
def get_role(self, context, role_id):
self.assert_admin(context)
return {'role': self.assignment_api.get_role(role_id)}
return {'role': self.role_api.get_role(role_id)}
@controller.v2_deprecated
def create_role(self, context, role):
@ -225,18 +225,18 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
role_ref = self.assignment_api.create_role(role_id, role)
role_ref = self.role_api.create_role(role_id, role)
return {'role': role_ref}
@controller.v2_deprecated
def delete_role(self, context, role_id):
self.assert_admin(context)
self.assignment_api.delete_role(role_id)
self.role_api.delete_role(role_id)
@controller.v2_deprecated
def get_roles(self, context):
self.assert_admin(context)
return {'roles': self.assignment_api.list_roles()}
return {'roles': self.role_api.list_roles()}
@controller.v2_deprecated
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
@ -254,7 +254,7 @@ class Role(controller.V2Controller):
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
role_ref = self.assignment_api.get_role(role_id)
role_ref = self.role_api.get_role(role_id)
return {'role': role_ref}
@controller.v2_deprecated
@ -320,7 +320,7 @@ class Role(controller.V2Controller):
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
role_ref = self.assignment_api.get_role(role_id)
role_ref = self.role_api.get_role(role_id)
return {'role': role_ref}
# COMPAT(diablo): CRUD extension
@ -453,32 +453,32 @@ class ProjectV3(controller.V3Controller):
return self.assignment_api.delete_project(project_id)
@dependency.requires('assignment_api', 'identity_api')
@dependency.requires('assignment_api', 'identity_api', 'role_api')
class RoleV3(controller.V3Controller):
collection_name = 'roles'
member_name = 'role'
def __init__(self):
super(RoleV3, self).__init__()
self.get_member_from_driver = self.assignment_api.get_role
self.get_member_from_driver = self.role_api.get_role
@controller.protected()
@validation.validated(schema.role_create, 'role')
def create_role(self, context, role):
ref = self._assign_unique_id(self._normalize_dict(role))
ref = self.assignment_api.create_role(ref['id'], ref)
ref = self.role_api.create_role(ref['id'], ref)
return RoleV3.wrap_member(context, ref)
@controller.filterprotected('name')
def list_roles(self, context, filters):
hints = RoleV3.build_driver_hints(context, filters)
refs = self.assignment_api.list_roles(
refs = self.role_api.list_roles(
hints=hints)
return RoleV3.wrap_collection(context, refs, hints=hints)
@controller.protected()
def get_role(self, context, role_id):
ref = self.assignment_api.get_role(role_id)
ref = self.role_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
@controller.protected()
@ -486,12 +486,12 @@ class RoleV3(controller.V3Controller):
def update_role(self, context, role_id, role):
self._require_matching_id(role_id, role)
ref = self.assignment_api.update_role(role_id, role)
ref = self.role_api.update_role(role_id, role)
return RoleV3.wrap_member(context, ref)
@controller.protected()
def delete_role(self, context, role_id):
self.assignment_api.delete_role(role_id)
self.role_api.delete_role(role_id)
def _require_domain_xor_project(self, domain_id, project_id):
if (domain_id and project_id) or (not domain_id and not project_id):
@ -521,7 +521,7 @@ class RoleV3(controller.V3Controller):
"""
ref = {}
if role_id:
ref['role'] = self.assignment_api.get_role(role_id)
ref['role'] = self.role_api.get_role(role_id)
if user_id:
try:
ref['user'] = self.identity_api.get_user(user_id)
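Review bot: Both `delete_role` methods (V2 `Role.delete_role` and `RoleV3.delete_role`) now hand the deletion to `self.role_api.delete_role(role_id)`, and nothing visible here shows that the role manager still removes the grants that reference the role or revokes tokens issued with it. If that cleanup lived in the assignment manager's `delete_role`, a deleted role could remain effective in existing assignments and tokens until they expire; the role manager is not part of this page, so this needs confirming against the earlier patch in the series. I would add a comment above each call such as `# role_api.delete_role is expected to drop the role's assignments and revoke affected tokens`, and a test that asserts it.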


@ -50,7 +50,7 @@ from keystone.models import token_model
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
'identity_api', 'token_provider_api')
'identity_api', 'role_api', 'token_provider_api')
@six.add_metaclass(abc.ABCMeta)
class Ec2ControllerCommon(object):
def check_signature(self, creds_ref, credentials):
@ -139,8 +139,7 @@ class Ec2ControllerCommon(object):
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.assignment_api.get_role(role_id)
for role_id in roles]
roles_ref = [self.role_api.get_role(role_id) for role_id in roles]
catalog_ref = self.catalog_api.get_catalog(
user_ref['id'], tenant_ref['id'], metadata_ref)
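Review bot: The comprehension `roles_ref = [self.role_api.get_role(role_id) for role_id in roles]` resolves ids taken from `metadata_ref` through a manager that may now sit on a different driver than the assignments, and the hunk shows no handling for an id the role backend does not know. If `get_role` raises in that case (presumably a not-found error), it would leave this authentication path as that error rather than the `exception.Unauthorized` raised two lines above. The same lookup pattern appears in the `Auth` controller loop and in `V3TokenDataHelper` and `BaseProvider` in the token provider file. A short comment stating the intended behaviour, e.g. `# a role id missing from role_api fails the request; assignments must not outlive roles`, would make the contract explicit. The enclosing method starts and ends outside the hunk.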


@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller):
return formatted_entity
@dependency.requires('assignment_api', 'oauth_api')
@dependency.requires('assignment_api', 'oauth_api', 'role_api')
class AccessTokenRolesV3(controller.V3Controller):
collection_name = 'roles'
member_name = 'role'
@ -195,7 +195,7 @@ class AccessTokenRolesV3(controller.V3Controller):
raise exception.RoleNotFound(_('Could not find role'))
def _format_role_entity(self, role_id):
role = self.assignment_api.get_role(role_id)
role = self.role_api.get_role(role_id)
formatted_entity = role.copy()
if 'description' in role:
formatted_entity.pop('description')
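Review bot: `AccessTokenRolesV3` still declares `'assignment_api'` in `@dependency.requires`, yet the only use of it visible in these hunks was the `get_role` call that `_format_role_entity` now makes through `role_api`. If the rest of the class, which lies outside the hunks, does not touch `assignment_api`, the decorator should shrink to `@dependency.requires('oauth_api', 'role_api')` so the controller holds only the managers it needs.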


@ -41,7 +41,7 @@ class ExternalAuthNotApplicable(Exception):
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
'token_provider_api', 'trust_api')
'role_api', 'token_provider_api', 'trust_api')
class Auth(controller.V2Controller):
@controller.v2_deprecated
@ -136,7 +136,7 @@ class Auth(controller.V2Controller):
roles_ref = []
for role_id in metadata_ref.get('roles', []):
role_ref = self.assignment_api.get_role(role_id)
role_ref = self.role_api.get_role(role_id)
roles_ref.append(dict(name=role_ref['name']))
(token_id, token_data) = self.token_provider_api.issue_v2_token(


@ -144,7 +144,7 @@ class V2TokenDataHelper(object):
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
'trust_api')
'role_api', 'trust_api')
class V3TokenDataHelper(object):
"""Token data helper."""
def __init__(self):
@ -182,7 +182,7 @@ class V3TokenDataHelper(object):
if project_id:
roles = self.assignment_api.get_roles_for_user_and_project(
user_id, project_id)
return [self.assignment_api.get_role(role_id) for role_id in roles]
return [self.role_api.get_role(role_id) for role_id in roles]
def _populate_roles_for_groups(self, group_ids,
project_id=None, domain_id=None,
@ -256,7 +256,7 @@ class V3TokenDataHelper(object):
if access_token:
filtered_roles = []
authed_role_ids = jsonutils.loads(access_token['role_ids'])
all_roles = self.assignment_api.list_roles()
all_roles = self.role_api.list_roles()
for role in all_roles:
for authed_role in authed_role_ids:
if authed_role == role['id']:
@ -384,7 +384,7 @@ class V3TokenDataHelper(object):
@dependency.optional('oauth_api')
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
'trust_api')
'role_api', 'trust_api')
class BaseProvider(provider.Provider):
def __init__(self, *args, **kwargs):
super(BaseProvider, self).__init__(*args, **kwargs)
@ -557,7 +557,7 @@ class BaseProvider(provider.Provider):
metadata_ref = token_ref['metadata']
roles_ref = []
for role_id in metadata_ref.get('roles', []):
roles_ref.append(self.assignment_api.get_role(role_id))
roles_ref.append(self.role_api.get_role(role_id))
# Get a service catalog if possible
# This is needed for on-behalf-of requests


@ -42,8 +42,8 @@ def _admin_trustor_only(context, trust, user_id):
raise exception.Forbidden()
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
'trust_api')
@dependency.requires('assignment_api', 'identity_api', 'role_api',
'token_provider_api', 'trust_api')
class TrustV3(controller.V3Controller):
collection_name = "trusts"
member_name = "trust"
@ -73,7 +73,7 @@ class TrustV3(controller.V3Controller):
raise exception.TrustNotFound(trust_id=trust_id)
_trustor_trustee_only(trust, user_id)
self._fill_in_roles(context, trust,
self.assignment_api.list_roles())
self.role_api.list_roles())
return TrustV3.wrap_member(context, trust)
def _fill_in_roles(self, context, trust, all_roles):
@ -142,7 +142,7 @@ class TrustV3(controller.V3Controller):
self._require_role(trust)
self._require_user_is_trustor(context, trust)
self._require_trustee_exists(trust['trustee_user_id'])
all_roles = self.assignment_api.list_roles()
all_roles = self.role_api.list_roles()
clean_roles = self._clean_role_list(context, trust, all_roles)
self._require_trustor_has_role_in_project(trust, clean_roles)
trust['expires_at'] = self._parse_expiration_date(
@ -258,5 +258,5 @@ class TrustV3(controller.V3Controller):
def get_role_for_trust(self, context, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
self.check_role_for_trust(context, trust_id, role_id)
role = self.assignment_api.get_role(role_id)
role = self.role_api.get_role(role_id)
return assignment.controllers.RoleV3.wrap_member(context, role)