Remove check_role_for_trust from sample policies
The "identity:check_role_for_trust" was defined in the sample policy files but there is no actual mapping for it, so setting a value for this target has no effect. If or when the mapping gets added then this target must be added back in. Fixed the double protected call in "get_role_for_trust" by changing its call to a private unprotected version of "check_role_for_trust". Also, marking the public version of "check_role_for_trust" as deprecated for future cleanup. Change-Id: I1c2b1186e37e31eaf556f81db686cc362768a5ae Closes-Bug: #1421966
parent
19e3a7eb18
commit
6ecf99c779
|
@ -96,7 +96,6 @@
|
||||||
"identity:get_trust": "rule:admin_or_owner",
|
"identity:get_trust": "rule:admin_or_owner",
|
||||||
"identity:list_trusts": "",
|
"identity:list_trusts": "",
|
||||||
"identity:list_roles_for_trust": "",
|
"identity:list_roles_for_trust": "",
|
||||||
"identity:check_role_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
"identity:get_role_for_trust": "",
|
||||||
"identity:delete_trust": "",
|
"identity:delete_trust": "",
|
||||||
|
|
||||||
|
|
|
@ -109,7 +109,6 @@
|
||||||
"identity:get_trust": "rule:admin_or_owner",
|
"identity:get_trust": "rule:admin_or_owner",
|
||||||
"identity:list_trusts": "",
|
"identity:list_trusts": "",
|
||||||
"identity:list_roles_for_trust": "",
|
"identity:list_roles_for_trust": "",
|
||||||
"identity:check_role_for_trust": "",
|
|
||||||
"identity:get_role_for_trust": "",
|
"identity:get_role_for_trust": "",
|
||||||
"identity:delete_trust": "",
|
"identity:delete_trust": "",
|
||||||
|
|
||||||
|
|
|
@ -26,6 +26,7 @@ from keystone import config
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
|
from keystone.openstack.common import versionutils
|
||||||
from keystone.trust import schema
|
from keystone.trust import schema
|
||||||
|
|
||||||
|
|
||||||
|
@ -203,6 +204,16 @@ class TrustV3(controller.V3Controller):
|
||||||
except ValueError:
|
except ValueError:
|
||||||
raise exception.ValidationTimeStampError()
|
raise exception.ValidationTimeStampError()
|
||||||
|
|
||||||
|
def _check_role_for_trust(self, context, trust_id, role_id):
|
||||||
|
"""Checks if a role has been assigned to a trust."""
|
||||||
|
trust = self.trust_api.get_trust(trust_id)
|
||||||
|
if not trust:
|
||||||
|
raise exception.TrustNotFound(trust_id=trust_id)
|
||||||
|
user_id = self._get_user_id(context)
|
||||||
|
_trustor_trustee_only(trust, user_id)
|
||||||
|
if not any(role['id'] == role_id for role in trust['roles']):
|
||||||
|
raise exception.RoleNotFound(role_id=role_id)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_trusts(self, context):
|
def list_trusts(self, context):
|
||||||
query = context['query_string']
|
query = context['query_string']
|
||||||
|
@ -255,20 +266,15 @@ class TrustV3(controller.V3Controller):
|
||||||
return {'roles': trust['roles'],
|
return {'roles': trust['roles'],
|
||||||
'links': trust['roles_links']}
|
'links': trust['roles_links']}
|
||||||
|
|
||||||
@controller.protected()
|
@versionutils.deprecated(
|
||||||
|
versionutils.deprecated.KILO,
|
||||||
|
remove_in=+2)
|
||||||
def check_role_for_trust(self, context, trust_id, role_id):
|
def check_role_for_trust(self, context, trust_id, role_id):
|
||||||
"""Checks if a role has been assigned to a trust."""
|
return self._check_role_for_trust(self, context, trust_id, role_id)
|
||||||
trust = self.trust_api.get_trust(trust_id)
|
|
||||||
if not trust:
|
|
||||||
raise exception.TrustNotFound(trust_id=trust_id)
|
|
||||||
user_id = self._get_user_id(context)
|
|
||||||
_trustor_trustee_only(trust, user_id)
|
|
||||||
if not any(role['id'] == role_id for role in trust['roles']):
|
|
||||||
raise exception.RoleNotFound(role_id=role_id)
|
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_role_for_trust(self, context, trust_id, role_id):
|
def get_role_for_trust(self, context, trust_id, role_id):
|
||||||
"""Get a role that has been assigned to a trust."""
|
"""Get a role that has been assigned to a trust."""
|
||||||
self.check_role_for_trust(context, trust_id, role_id)
|
self._check_role_for_trust(context, trust_id, role_id)
|
||||||
role = self.role_api.get_role(role_id)
|
role = self.role_api.get_role(role_id)
|
||||||
return assignment.controllers.RoleV3.wrap_member(context, role)
|
return assignment.controllers.RoleV3.wrap_member(context, role)
|
||||||
|
|
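Review bot: The deprecated public `check_role_for_trust` passes `self` twice: `return self._check_role_for_trust(self, context, trust_id, role_id)` is already a bound call, so the helper receives one positional argument too many and any caller gets a `TypeError` instead of the trust/role check. The line should read `return self._check_role_for_trust(context, trust_id, role_id)`. In the same hunk the wrapper's `@controller.protected()` appears to be replaced by `@versionutils.deprecated(...)`, so the only authorization left on that entry point is the `_trustor_trustee_only` call inside the helper. Since the commit message expects the policy target to return if a route is mapped, a comment on the wrapper such as `# NOTE: not policy-protected; restore @controller.protected() and the identity:check_role_for_trust target before routing to this method` would keep that requirement visible. The wrapper's docstring is also dropped on the new side and is worth keeping while the method still exists.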