From 6ecf99c779c3373acaa6650f15116abade1207f1 Mon Sep 17 00:00:00 2001
From: lin-hua-cheng
Date: Tue, 17 Feb 2015 12:46:38 -0800
Subject: [PATCH] Remove check_role_for_trust from sample policies
The "identity:check_role_for_trust" was defined in the sample policy files but there is no actual mapping for it, so setting a value for this target has no effect. If or when the mapping gets added then this target must be added back in. Fixed the double protected call in "get_role_for_trust" by changing its call to a private unprotected version of "check_role_for_trust". Also, marking the public version of "check_role_for_trust" as deprecated for future cleanup.
Change-Id: I1c2b1186e37e31eaf556f81db686cc362768a5ae
Closes-Bug: #1421966
---
 etc/policy.json | 1 -
 etc/policy.v3cloudsample.json | 1 -
 keystone/trust/controllers.py | 26 ++++++++++++++++----------
 3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/etc/policy.json b/etc/policy.json
index 2cb82a2943..688a4fd621 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -96,7 +96,6 @@
 "identity:get_trust": "rule:admin_or_owner",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
- "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
 "identity:delete_trust": "",
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index dde36be125..ff0d3378a1 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -109,7 +109,6 @@
 "identity:get_trust": "rule:admin_or_owner",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
- "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
 "identity:delete_trust": "",
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index 86fdf9d0fe..75b6abf48f 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -26,6 +26,7 @@ from keystone import config
 from keystone import exception
 from keystone.i18n import _
 from keystone.models import token_model
+from keystone.openstack.common import versionutils
 from keystone.trust import schema
@@ -203,6 +204,16 @@ class TrustV3(controller.V3Controller):
 except ValueError:
 raise exception.ValidationTimeStampError()
+ def _check_role_for_trust(self, context, trust_id, role_id):
+ """Checks if a role has been assigned to a trust."""
+ trust = self.trust_api.get_trust(trust_id)
+ if not trust:
+ raise exception.TrustNotFound(trust_id=trust_id)
+ user_id = self._get_user_id(context)
+ _trustor_trustee_only(trust, user_id)
+ if not any(role['id'] == role_id for role in trust['roles']):
+ raise exception.RoleNotFound(role_id=role_id)
+
 @controller.protected()
 def list_trusts(self, context):
 query = context['query_string']
@@ -255,20 +266,15 @@ class TrustV3(controller.V3Controller):
 return {'roles': trust['roles'], 'links': trust['roles_links']}
- @controller.protected()
+ @versionutils.deprecated(
+ versionutils.deprecated.KILO,
+ remove_in=+2)
 def check_role_for_trust(self, context, trust_id, role_id):
- """Checks if a role has been assigned to a trust."""
- trust = self.trust_api.get_trust(trust_id)
- if not trust:
- raise exception.TrustNotFound(trust_id=trust_id)
- user_id = self._get_user_id(context)
- _trustor_trustee_only(trust, user_id)
- if not any(role['id'] == role_id for role in trust['roles']):
- raise exception.RoleNotFound(role_id=role_id)
+ return self._check_role_for_trust(self, context, trust_id, role_id)
 @controller.protected()
 def get_role_for_trust(self, context, trust_id, role_id):
 """Get a role that has been assigned to a trust."""
- self.check_role_for_trust(context, trust_id, role_id)
+ self._check_role_for_trust(context, trust_id, role_id)
 role = self.role_api.get_role(role_id)
 return assignment.controllers.RoleV3.wrap_member(context, role)
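Review bot: `return self._check_role_for_trust(self, context, trust_id, role_id)` in the deprecated `check_role_for_trust` passes `self` twice, so any caller of the public method gets a TypeError (five positional arguments to a four-parameter method) instead of the role check; it should read `return self._check_role_for_trust(context, trust_id, role_id)`, matching the call the same hunk adds to `get_role_for_trust`. The hunk also removes `@controller.protected()` from the public method while leaving it callable; the commit message says nothing maps `identity:check_role_for_trust`, but if a router still dispatches to this method, policy enforcement on it is now gone and only the trustor/trustee ownership check inside the helper remains, so either keep the decorator on the deprecated wrapper or confirm no route reaches it. A one-line docstring on the wrapper, e.g. `"""Deprecated: kept until removal; use _check_role_for_trust."""`, would make the intent explicit. The enclosing class TrustV3 begins before this hunk.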