Remove check_role_for_trust from sample policies

The "identity:check_role_for_trust" was defined in the sample policy files but there is no actual mapping for it, so setting a value for this target has no effect. If or when the mapping gets added then this target must be added back in. Fixed the double protected call in "get_role_for_trust" by changing its call to a private unprotected version of "check_role_for_trust". Also, marking the public version of "check_role_for_trust" as deprecated for future cleanup. Change-Id: I1c2b1186e37e31eaf556f81db686cc362768a5ae Closes-Bug: #1421966
2015-02-17 12:46:38 -08:00 · 2015-02-17 12:46:38 -08:00 · 6ecf99c779
parent 19e3a7eb18
commit 6ecf99c779
3 changed files with 16 additions and 12 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -96,7 +96,6 @@
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
-    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -109,7 +109,6 @@
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
-    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",

--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@ -26,6 +26,7 @@ from keystone import config
 from keystone import exception
 from keystone.i18n import _
 from keystone.models import token_model
+from keystone.openstack.common import versionutils
 from keystone.trust import schema


@ -203,6 +204,16 @@ class TrustV3(controller.V3Controller):
        except ValueError:
            raise exception.ValidationTimeStampError()

+    def _check_role_for_trust(self, context, trust_id, role_id):
+        """Checks if a role has been assigned to a trust."""
+        trust = self.trust_api.get_trust(trust_id)
+        if not trust:
+            raise exception.TrustNotFound(trust_id=trust_id)
+        user_id = self._get_user_id(context)
+        _trustor_trustee_only(trust, user_id)
+        if not any(role['id'] == role_id for role in trust['roles']):
+            raise exception.RoleNotFound(role_id=role_id)
+
    @controller.protected()
    def list_trusts(self, context):
        query = context['query_string']
@ -255,20 +266,15 @@ class TrustV3(controller.V3Controller):
        return {'roles': trust['roles'],
                'links': trust['roles_links']}

-    @controller.protected()
+    @versionutils.deprecated(
+        versionutils.deprecated.KILO,
+        remove_in=+2)
    def check_role_for_trust(self, context, trust_id, role_id):
-        """Checks if a role has been assigned to a trust."""
-        trust = self.trust_api.get_trust(trust_id)
-        if not trust:
-            raise exception.TrustNotFound(trust_id=trust_id)
-        user_id = self._get_user_id(context)
-        _trustor_trustee_only(trust, user_id)
-        if not any(role['id'] == role_id for role in trust['roles']):
-            raise exception.RoleNotFound(role_id=role_id)
+        return self._check_role_for_trust(self, context, trust_id, role_id)

    @controller.protected()
    def get_role_for_trust(self, context, trust_id, role_id):
        """Get a role that has been assigned to a trust."""
-        self.check_role_for_trust(context, trust_id, role_id)
+        self._check_role_for_trust(context, trust_id, role_id)
        role = self.role_api.get_role(role_id)
        return assignment.controllers.RoleV3.wrap_member(context, role)