Make controllers call the new, split out, role manager
This is part of the more comprehensive split of assignments, which rationalizes both the backend and controllers. In order to make this change easier for reviewers, it is divided into a number of smaller patches. Previous patches: - Moved role management into its own manager and drivers - Fixed incorrect doc strings for grant driver methods This patch updates any controllers that make calls to manage roles to use the new role manager. Future patches will: - Update the tests to call the new role manager - Refactor assignment manager and driver methods to logically separate project/domains from the actual assignments - Split projects and domains into their own backend - Split the controllers so they call the correct manager - Update the tests to call the new correct manager Partially implements: bp pluggable-assignments Change-Id: Ia8777cd44921372afc8e918e2ae58d760f0c96fa
This commit is contained in:
parent
27b90d8ca9
commit
6d4a0a3fa6
|
@ -186,7 +186,7 @@ class Tenant(controller.V2Controller):
|
|||
return o
|
||||
|
||||
|
||||
@dependency.requires('assignment_api')
|
||||
@dependency.requires('assignment_api', 'role_api')
|
||||
class Role(controller.V2Controller):
|
||||
|
||||
# COMPAT(essex-3)
|
||||
|
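Review bot: The new `@dependency.requires('assignment_api', 'role_api')` declares both managers without saying why the old one is still needed, so a reader may take `assignment_api` for a leftover of the split. A short comment on that line would settle it, e.g. `# role_api owns the role records; assignment_api is still used for the role-assignment calls (get_roles_for_user_and_project, add_role_to_user_and_project)`, both of which are visible in the hunks that follow. The same applies to the other `@dependency.requires` updates in this commit (RoleV3, Ec2ControllerCommon, AccessTokenRolesV3, Auth, V3TokenDataHelper, BaseProvider, TrustV3). The class body continues outside the hunk.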
@ -205,14 +205,14 @@ class Role(controller.V2Controller):
|
|||
|
||||
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||
user_id, tenant_id)
|
||||
return {'roles': [self.assignment_api.get_role(x)
|
||||
return {'roles': [self.role_api.get_role(x)
|
||||
for x in roles]}
|
||||
|
||||
# CRUD extension
|
||||
@controller.v2_deprecated
|
||||
def get_role(self, context, role_id):
|
||||
self.assert_admin(context)
|
||||
return {'role': self.assignment_api.get_role(role_id)}
|
||||
return {'role': self.role_api.get_role(role_id)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def create_role(self, context, role):
|
||||
|
@ -225,18 +225,18 @@ class Role(controller.V2Controller):
|
|||
|
||||
role_id = uuid.uuid4().hex
|
||||
role['id'] = role_id
|
||||
role_ref = self.assignment_api.create_role(role_id, role)
|
||||
role_ref = self.role_api.create_role(role_id, role)
|
||||
return {'role': role_ref}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_role(self, context, role_id):
|
||||
self.assert_admin(context)
|
||||
self.assignment_api.delete_role(role_id)
|
||||
self.role_api.delete_role(role_id)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def get_roles(self, context):
|
||||
self.assert_admin(context)
|
||||
return {'roles': self.assignment_api.list_roles()}
|
||||
return {'roles': self.role_api.list_roles()}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
|
||||
|
@ -254,7 +254,7 @@ class Role(controller.V2Controller):
|
|||
self.assignment_api.add_role_to_user_and_project(
|
||||
user_id, tenant_id, role_id)
|
||||
|
||||
role_ref = self.assignment_api.get_role(role_id)
|
||||
role_ref = self.role_api.get_role(role_id)
|
||||
return {'role': role_ref}
|
||||
|
||||
@controller.v2_deprecated
|
||||
|
@ -320,7 +320,7 @@ class Role(controller.V2Controller):
|
|||
self.assignment_api.add_role_to_user_and_project(
|
||||
user_id, tenant_id, role_id)
|
||||
|
||||
role_ref = self.assignment_api.get_role(role_id)
|
||||
role_ref = self.role_api.get_role(role_id)
|
||||
return {'role': role_ref}
|
||||
|
||||
# COMPAT(diablo): CRUD extension
|
||||
|
@ -453,32 +453,32 @@ class ProjectV3(controller.V3Controller):
|
|||
return self.assignment_api.delete_project(project_id)
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'role_api')
|
||||
class RoleV3(controller.V3Controller):
|
||||
collection_name = 'roles'
|
||||
member_name = 'role'
|
||||
|
||||
def __init__(self):
|
||||
super(RoleV3, self).__init__()
|
||||
self.get_member_from_driver = self.assignment_api.get_role
|
||||
self.get_member_from_driver = self.role_api.get_role
|
||||
|
||||
@controller.protected()
|
||||
@validation.validated(schema.role_create, 'role')
|
||||
def create_role(self, context, role):
|
||||
ref = self._assign_unique_id(self._normalize_dict(role))
|
||||
ref = self.assignment_api.create_role(ref['id'], ref)
|
||||
ref = self.role_api.create_role(ref['id'], ref)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.filterprotected('name')
|
||||
def list_roles(self, context, filters):
|
||||
hints = RoleV3.build_driver_hints(context, filters)
|
||||
refs = self.assignment_api.list_roles(
|
||||
refs = self.role_api.list_roles(
|
||||
hints=hints)
|
||||
return RoleV3.wrap_collection(context, refs, hints=hints)
|
||||
|
||||
@controller.protected()
|
||||
def get_role(self, context, role_id):
|
||||
ref = self.assignment_api.get_role(role_id)
|
||||
ref = self.role_api.get_role(role_id)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected()
|
||||
|
@ -486,12 +486,12 @@ class RoleV3(controller.V3Controller):
|
|||
def update_role(self, context, role_id, role):
|
||||
self._require_matching_id(role_id, role)
|
||||
|
||||
ref = self.assignment_api.update_role(role_id, role)
|
||||
ref = self.role_api.update_role(role_id, role)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_role(self, context, role_id):
|
||||
self.assignment_api.delete_role(role_id)
|
||||
self.role_api.delete_role(role_id)
|
||||
|
||||
def _require_domain_xor_project(self, domain_id, project_id):
|
||||
if (domain_id and project_id) or (not domain_id and not project_id):
|
||||
|
@ -521,7 +521,7 @@ class RoleV3(controller.V3Controller):
|
|||
"""
|
||||
ref = {}
|
||||
if role_id:
|
||||
ref['role'] = self.assignment_api.get_role(role_id)
|
||||
ref['role'] = self.role_api.get_role(role_id)
|
||||
if user_id:
|
||||
try:
|
||||
ref['user'] = self.identity_api.get_user(user_id)
|
||||
|
|
|
@ -50,7 +50,7 @@ from keystone.models import token_model
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
|
||||
'identity_api', 'token_provider_api')
|
||||
'identity_api', 'role_api', 'token_provider_api')
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class Ec2ControllerCommon(object):
|
||||
def check_signature(self, creds_ref, credentials):
|
||||
|
@ -139,8 +139,7 @@ class Ec2ControllerCommon(object):
|
|||
roles = metadata_ref.get('roles', [])
|
||||
if not roles:
|
||||
raise exception.Unauthorized(message='User not valid for tenant.')
|
||||
roles_ref = [self.assignment_api.get_role(role_id)
|
||||
for role_id in roles]
|
||||
roles_ref = [self.role_api.get_role(role_id) for role_id in roles]
|
||||
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
user_ref['id'], tenant_ref['id'], metadata_ref)
|
||||
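Review bot: `roles_ref = [self.role_api.get_role(role_id) for role_id in roles]` still assumes every role id stored in `metadata_ref['roles']` resolves; now that role records live behind a different manager than the assignments that reference them, a role deleted after the assignment was written presumably makes `get_role` raise `RoleNotFound` out of an authentication request, a different failure mode from the `Unauthorized` raised two lines above for the empty case. Worth confirming how that exception surfaces to the caller and whether a stale id should be skipped or reported as an authentication failure rather than a lookup error. The same lookup-by-stored-id pattern appears in `Auth` (hunk `@ -136`), `V3TokenDataHelper` (hunk `@ -182`) and `BaseProvider` (hunk `@ -557`). The enclosing method starts and ends outside the hunk.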
|
|
|
@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller):
|
|||
return formatted_entity
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'oauth_api')
|
||||
@dependency.requires('assignment_api', 'oauth_api', 'role_api')
|
||||
class AccessTokenRolesV3(controller.V3Controller):
|
||||
collection_name = 'roles'
|
||||
member_name = 'role'
|
||||
|
@ -195,7 +195,7 @@ class AccessTokenRolesV3(controller.V3Controller):
|
|||
raise exception.RoleNotFound(_('Could not find role'))
|
||||
|
||||
def _format_role_entity(self, role_id):
|
||||
role = self.assignment_api.get_role(role_id)
|
||||
role = self.role_api.get_role(role_id)
|
||||
formatted_entity = role.copy()
|
||||
if 'description' in role:
|
||||
formatted_entity.pop('description')
|
||||
|
|
|
@ -41,7 +41,7 @@ class ExternalAuthNotApplicable(Exception):
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'token_provider_api', 'trust_api')
|
||||
'role_api', 'token_provider_api', 'trust_api')
|
||||
class Auth(controller.V2Controller):
|
||||
|
||||
@controller.v2_deprecated
|
||||
|
@ -136,7 +136,7 @@ class Auth(controller.V2Controller):
|
|||
|
||||
roles_ref = []
|
||||
for role_id in metadata_ref.get('roles', []):
|
||||
role_ref = self.assignment_api.get_role(role_id)
|
||||
role_ref = self.role_api.get_role(role_id)
|
||||
roles_ref.append(dict(name=role_ref['name']))
|
||||
|
||||
(token_id, token_data) = self.token_provider_api.issue_v2_token(
|
||||
|
|
|
@ -144,7 +144,7 @@ class V2TokenDataHelper(object):
|
|||
|
||||
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'trust_api')
|
||||
'role_api', 'trust_api')
|
||||
class V3TokenDataHelper(object):
|
||||
"""Token data helper."""
|
||||
def __init__(self):
|
||||
|
@ -182,7 +182,7 @@ class V3TokenDataHelper(object):
|
|||
if project_id:
|
||||
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||
user_id, project_id)
|
||||
return [self.assignment_api.get_role(role_id) for role_id in roles]
|
||||
return [self.role_api.get_role(role_id) for role_id in roles]
|
||||
|
||||
def _populate_roles_for_groups(self, group_ids,
|
||||
project_id=None, domain_id=None,
|
||||
|
@ -256,7 +256,7 @@ class V3TokenDataHelper(object):
|
|||
if access_token:
|
||||
filtered_roles = []
|
||||
authed_role_ids = jsonutils.loads(access_token['role_ids'])
|
||||
all_roles = self.assignment_api.list_roles()
|
||||
all_roles = self.role_api.list_roles()
|
||||
for role in all_roles:
|
||||
for authed_role in authed_role_ids:
|
||||
if authed_role == role['id']:
|
||||
|
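Review bot: The membership test following the new `all_roles = self.role_api.list_roles()` line is a nested loop over every role times every authorised role id; if the inner body only collects the matching role, a set states the intent more directly and drops the quadratic pass: `authed_role_ids = set(jsonutils.loads(access_token['role_ids']))` followed by `filtered_roles = [role for role in all_roles if role['id'] in authed_role_ids]`. The loop body continues outside the hunk, so check that nothing there depends on iterating `authed_role_ids` in order before making that change.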
@ -384,7 +384,7 @@ class V3TokenDataHelper(object):
|
|||
|
||||
@dependency.optional('oauth_api')
|
||||
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
|
||||
'trust_api')
|
||||
'role_api', 'trust_api')
|
||||
class BaseProvider(provider.Provider):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(BaseProvider, self).__init__(*args, **kwargs)
|
||||
|
@ -557,7 +557,7 @@ class BaseProvider(provider.Provider):
|
|||
metadata_ref = token_ref['metadata']
|
||||
roles_ref = []
|
||||
for role_id in metadata_ref.get('roles', []):
|
||||
roles_ref.append(self.assignment_api.get_role(role_id))
|
||||
roles_ref.append(self.role_api.get_role(role_id))
|
||||
|
||||
# Get a service catalog if possible
|
||||
# This is needed for on-behalf-of requests
|
||||
|
|
|
@ -42,8 +42,8 @@ def _admin_trustor_only(context, trust, user_id):
|
|||
raise exception.Forbidden()
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
|
||||
'trust_api')
|
||||
@dependency.requires('assignment_api', 'identity_api', 'role_api',
|
||||
'token_provider_api', 'trust_api')
|
||||
class TrustV3(controller.V3Controller):
|
||||
collection_name = "trusts"
|
||||
member_name = "trust"
|
||||
|
@ -73,7 +73,7 @@ class TrustV3(controller.V3Controller):
|
|||
raise exception.TrustNotFound(trust_id=trust_id)
|
||||
_trustor_trustee_only(trust, user_id)
|
||||
self._fill_in_roles(context, trust,
|
||||
self.assignment_api.list_roles())
|
||||
self.role_api.list_roles())
|
||||
return TrustV3.wrap_member(context, trust)
|
||||
|
||||
def _fill_in_roles(self, context, trust, all_roles):
|
||||
|
@ -142,7 +142,7 @@ class TrustV3(controller.V3Controller):
|
|||
self._require_role(trust)
|
||||
self._require_user_is_trustor(context, trust)
|
||||
self._require_trustee_exists(trust['trustee_user_id'])
|
||||
all_roles = self.assignment_api.list_roles()
|
||||
all_roles = self.role_api.list_roles()
|
||||
clean_roles = self._clean_role_list(context, trust, all_roles)
|
||||
self._require_trustor_has_role_in_project(trust, clean_roles)
|
||||
trust['expires_at'] = self._parse_expiration_date(
|
||||
|
@ -258,5 +258,5 @@ class TrustV3(controller.V3Controller):
|
|||
def get_role_for_trust(self, context, trust_id, role_id):
|
||||
"""Get a role that has been assigned to a trust."""
|
||||
self.check_role_for_trust(context, trust_id, role_id)
|
||||
role = self.assignment_api.get_role(role_id)
|
||||
role = self.role_api.get_role(role_id)
|
||||
return assignment.controllers.RoleV3.wrap_member(context, role)
|
||||
|
|