diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py
index 0a0be87471..245def5c56 100644
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@@ -186,7 +186,7 @@ class Tenant(controller.V2Controller):
 return o
-@dependency.requires('assignment_api')
+@dependency.requires('assignment_api', 'role_api')
 class Role(controller.V2Controller):
 # COMPAT(essex-3)
@@ -205,14 +205,14 @@ class Role(controller.V2Controller):
 roles = self.assignment_api.get_roles_for_user_and_project(
 user_id, tenant_id)
- return {'roles': [self.assignment_api.get_role(x)
+ return {'roles': [self.role_api.get_role(x)
 for x in roles]}
 # CRUD extension
 @controller.v2_deprecated
 def get_role(self, context, role_id):
 self.assert_admin(context)
- return {'role': self.assignment_api.get_role(role_id)}
+ return {'role': self.role_api.get_role(role_id)}
 @controller.v2_deprecated
 def create_role(self, context, role):
@@ -225,18 +225,18 @@ class Role(controller.V2Controller):
 role_id = uuid.uuid4().hex
 role['id'] = role_id
- role_ref = self.assignment_api.create_role(role_id, role)
+ role_ref = self.role_api.create_role(role_id, role)
 return {'role': role_ref}
 @controller.v2_deprecated
 def delete_role(self, context, role_id):
 self.assert_admin(context)
- self.assignment_api.delete_role(role_id)
+ self.role_api.delete_role(role_id)
 @controller.v2_deprecated
 def get_roles(self, context):
 self.assert_admin(context)
- return {'roles': self.assignment_api.list_roles()}
+ return {'roles': self.role_api.list_roles()}
 @controller.v2_deprecated
 def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
@@ -254,7 +254,7 @@ class Role(controller.V2Controller):
 self.assignment_api.add_role_to_user_and_project(
 user_id, tenant_id, role_id)
- role_ref = self.assignment_api.get_role(role_id)
+ role_ref = self.role_api.get_role(role_id)
 return {'role': role_ref}
 @controller.v2_deprecated
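Review bot: `Role.delete_role` in the `@@ -225,18` hunk (and `RoleV3.delete_role` in the `@@ -486,12` hunk) now hands deletion to `self.role_api.delete_role(role_id)`, and nothing visible in this diff shows that the role manager still removes the grants that reference the role or revokes the tokens that carry it. If that cleanup stayed behind in the assignment manager, deleted role ids could linger in assignment data, and the token paths changed elsewhere in this commit (`Auth`, `BaseProvider`, `V3TokenDataHelper`) call `self.role_api.get_role(role_id)` on ids read from that data. I would add a test that creates a grant, deletes the role through each controller, and asserts that the grant is gone and that a token issued beforehand no longer validates. A comment above the call, such as `# role_api.delete_role must also purge grants and revoke tokens for role_id`, would record the expectation at the call site.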
@@ -320,7 +320,7 @@ class Role(controller.V2Controller):
 self.assignment_api.add_role_to_user_and_project(
 user_id, tenant_id, role_id)
- role_ref = self.assignment_api.get_role(role_id)
+ role_ref = self.role_api.get_role(role_id)
 return {'role': role_ref}
 # COMPAT(diablo): CRUD extension
@@ -453,32 +453,32 @@ class ProjectV3(controller.V3Controller):
 return self.assignment_api.delete_project(project_id)
-@dependency.requires('assignment_api', 'identity_api')
+@dependency.requires('assignment_api', 'identity_api', 'role_api')
 class RoleV3(controller.V3Controller):
 collection_name = 'roles'
 member_name = 'role'
 def __init__(self):
 super(RoleV3, self).__init__()
- self.get_member_from_driver = self.assignment_api.get_role
+ self.get_member_from_driver = self.role_api.get_role
 @controller.protected()
 @validation.validated(schema.role_create, 'role')
 def create_role(self, context, role):
 ref = self._assign_unique_id(self._normalize_dict(role))
- ref = self.assignment_api.create_role(ref['id'], ref)
+ ref = self.role_api.create_role(ref['id'], ref)
 return RoleV3.wrap_member(context, ref)
 @controller.filterprotected('name')
 def list_roles(self, context, filters):
 hints = RoleV3.build_driver_hints(context, filters)
- refs = self.assignment_api.list_roles(
+ refs = self.role_api.list_roles(
 hints=hints)
 return RoleV3.wrap_collection(context, refs, hints=hints)
 @controller.protected()
 def get_role(self, context, role_id):
- ref = self.assignment_api.get_role(role_id)
+ ref = self.role_api.get_role(role_id)
 return RoleV3.wrap_member(context, ref)
 @controller.protected()
@@ -486,12 +486,12 @@ class RoleV3(controller.V3Controller):
 def update_role(self, context, role_id, role):
 self._require_matching_id(role_id, role)
- ref = self.assignment_api.update_role(role_id, role)
+ ref = self.role_api.update_role(role_id, role)
 return RoleV3.wrap_member(context, ref)
 @controller.protected()
 def delete_role(self, context, role_id):
- self.assignment_api.delete_role(role_id)
+ self.role_api.delete_role(role_id)
 def _require_domain_xor_project(self, domain_id, project_id):
 if (domain_id and project_id) or (not domain_id and not project_id):
@@ -521,7 +521,7 @@ class RoleV3(controller.V3Controller):
 """
 ref = {}
 if role_id:
- ref['role'] = self.assignment_api.get_role(role_id)
+ ref['role'] = self.role_api.get_role(role_id)
 if user_id:
 try:
 ref['user'] = self.identity_api.get_user(user_id)
diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
index c8625a863f..0e9f381617 100644
--- a/keystone/contrib/ec2/controllers.py
+++ b/keystone/contrib/ec2/controllers.py
@@ -50,7 +50,7 @@ from keystone.models import token_model
 @dependency.requires('assignment_api', 'catalog_api', 'credential_api',
- 'identity_api', 'token_provider_api')
+ 'identity_api', 'role_api', 'token_provider_api')
 @six.add_metaclass(abc.ABCMeta)
 class Ec2ControllerCommon(object):
 def check_signature(self, creds_ref, credentials):
@@ -139,8 +139,7 @@ class Ec2ControllerCommon(object):
 roles = metadata_ref.get('roles', [])
 if not roles:
 raise exception.Unauthorized(message='User not valid for tenant.')
- roles_ref = [self.assignment_api.get_role(role_id)
- for role_id in roles]
+ roles_ref = [self.role_api.get_role(role_id) for role_id in roles]
 catalog_ref = self.catalog_api.get_catalog(
 user_ref['id'], tenant_ref['id'], metadata_ref)
diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py
index 9316466f1a..e77f3412be 100644
--- a/keystone/contrib/oauth1/controllers.py
+++ b/keystone/contrib/oauth1/controllers.py
@@ -165,7 +165,7 @@ class AccessTokenCrudV3(controller.V3Controller):
 return formatted_entity
-@dependency.requires('assignment_api', 'oauth_api')
+@dependency.requires('assignment_api', 'oauth_api', 'role_api')
 class AccessTokenRolesV3(controller.V3Controller):
 collection_name = 'roles'
 member_name = 'role'
@@ -195,7 +195,7 @@ class AccessTokenRolesV3(controller.V3Controller):
 raise exception.RoleNotFound(_('Could not find role'))
 def _format_role_entity(self, role_id):
- role = self.assignment_api.get_role(role_id)
+ role = self.role_api.get_role(role_id)
 formatted_entity = role.copy()
 if 'description' in role:
 formatted_entity.pop('description')
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 7690444825..3fabd0be13 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -41,7 +41,7 @@ class ExternalAuthNotApplicable(Exception):
 @dependency.requires('assignment_api', 'catalog_api', 'identity_api',
- 'token_provider_api', 'trust_api')
+ 'role_api', 'token_provider_api', 'trust_api')
 class Auth(controller.V2Controller):
 @controller.v2_deprecated
@@ -136,7 +136,7 @@ class Auth(controller.V2Controller):
 roles_ref = []
 for role_id in metadata_ref.get('roles', []):
- role_ref = self.assignment_api.get_role(role_id)
+ role_ref = self.role_api.get_role(role_id)
 roles_ref.append(dict(name=role_ref['name']))
 (token_id, token_data) = self.token_provider_api.issue_v2_token(
diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index 1a8d4a9fc8..6936e97c94 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -144,7 +144,7 @@ class V2TokenDataHelper(object):
 @dependency.requires('assignment_api', 'catalog_api', 'identity_api',
- 'trust_api')
+ 'role_api', 'trust_api')
 class V3TokenDataHelper(object):
 """Token data helper."""
 def __init__(self):
@@ -182,7 +182,7 @@ class V3TokenDataHelper(object):
 if project_id:
 roles = self.assignment_api.get_roles_for_user_and_project(
 user_id, project_id)
- return [self.assignment_api.get_role(role_id) for role_id in roles]
+ return [self.role_api.get_role(role_id) for role_id in roles]
 def _populate_roles_for_groups(self, group_ids, project_id=None, domain_id=None,
@@ -256,7 +256,7 @@ class V3TokenDataHelper(object):
 if access_token:
 filtered_roles = []
 authed_role_ids = jsonutils.loads(access_token['role_ids'])
- all_roles = self.assignment_api.list_roles()
+ all_roles = self.role_api.list_roles()
 for role in all_roles:
 for authed_role in authed_role_ids:
 if authed_role == role['id']:
@@ -384,7 +384,7 @@ class V3TokenDataHelper(object):
 @dependency.optional('oauth_api')
 @dependency.requires('assignment_api', 'catalog_api', 'identity_api',
- 'trust_api')
+ 'role_api', 'trust_api')
 class BaseProvider(provider.Provider):
 def __init__(self, *args, **kwargs):
 super(BaseProvider, self).__init__(*args, **kwargs)
@@ -557,7 +557,7 @@ class BaseProvider(provider.Provider):
 metadata_ref = token_ref['metadata']
 roles_ref = []
 for role_id in metadata_ref.get('roles', []):
- roles_ref.append(self.assignment_api.get_role(role_id))
+ roles_ref.append(self.role_api.get_role(role_id))
 # Get a service catalog if possible
 # This is needed for on-behalf-of requests
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index ae72add4ac..5bf191fcef 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -42,8 +42,8 @@ def _admin_trustor_only(context, trust, user_id):
 raise exception.Forbidden()
-@dependency.requires('assignment_api', 'identity_api', 'token_provider_api',
- 'trust_api')
+@dependency.requires('assignment_api', 'identity_api', 'role_api',
+ 'token_provider_api', 'trust_api')
 class TrustV3(controller.V3Controller):
 collection_name = "trusts"
 member_name = "trust"
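Review bot: In the `@@ -256,7` hunk the roles for an OAuth access token are selected by matching `authed_role_ids` against `self.role_api.list_roles()`, that is against every role that exists, and the visible lines do not check that the authorizing user still holds those roles on the project. The rest of the branch lies outside the hunk, so this may be enforced further down. If it is not, a role removed from the user after the access token was authorized would still appear in tokens issued from it. Intersecting with the ids returned by `self.assignment_api.get_roles_for_user_and_project(user_id, project_id)`, the call visible in the `@@ -182,7` hunk of this class, would close that gap. A set lookup such as `authed = set(authed_role_ids)` would also replace the nested loop.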
@@ -73,7 +73,7 @@ class TrustV3(controller.V3Controller):
 raise exception.TrustNotFound(trust_id=trust_id)
 _trustor_trustee_only(trust, user_id)
 self._fill_in_roles(context, trust,
- self.assignment_api.list_roles())
+ self.role_api.list_roles())
 return TrustV3.wrap_member(context, trust)
 def _fill_in_roles(self, context, trust, all_roles):
@@ -142,7 +142,7 @@ class TrustV3(controller.V3Controller):
 self._require_role(trust)
 self._require_user_is_trustor(context, trust)
 self._require_trustee_exists(trust['trustee_user_id'])
- all_roles = self.assignment_api.list_roles()
+ all_roles = self.role_api.list_roles()
 clean_roles = self._clean_role_list(context, trust, all_roles)
 self._require_trustor_has_role_in_project(trust, clean_roles)
 trust['expires_at'] = self._parse_expiration_date(
@@ -258,5 +258,5 @@ class TrustV3(controller.V3Controller):
 def get_role_for_trust(self, context, trust_id, role_id):
 """Get a role that has been assigned to a trust."""
 self.check_role_for_trust(context, trust_id, role_id)
- role = self.assignment_api.get_role(role_id)
+ role = self.role_api.get_role(role_id)
 return assignment.controllers.RoleV3.wrap_member(context, role)