Add notifications to user/group membership

When a user is added or removed from a group we should emit a notification. The notification has group as the resource type and the group ID as the resource ID. The notification also includes the user, user ID, and the operation that was done ('removed' or 'added'). This way consumers are notified of user and group memberships. Change-Id: I93ca3a0cb2fe9b93f5370e5871be1f1b30d87f72 Closes-Bug: 1552639
2016-03-03 14:51:16 +00:00 · 2016-03-03 14:51:16 +00:00 · 90c15100c4
parent 06e4bb776c
commit 90c15100c4
4 changed files with 38 additions and 4 deletions
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@ -255,7 +255,8 @@ class UserV3(controller.V3Controller):

    @controller.protected(callback=_check_user_and_group_protection)
    def add_user_to_group(self, context, user_id, group_id):
-        self.identity_api.add_user_to_group(user_id, group_id)
+        initiator = notifications._get_request_audit_info(context)
+        self.identity_api.add_user_to_group(user_id, group_id, initiator)

    @controller.protected(callback=_check_user_and_group_protection)
    def check_user_in_group(self, context, user_id, group_id):
@ -263,7 +264,8 @@ class UserV3(controller.V3Controller):

    @controller.protected(callback=_check_user_and_group_protection)
    def remove_user_from_group(self, context, user_id, group_id):
-        self.identity_api.remove_user_from_group(user_id, group_id)
+        initiator = notifications._get_request_audit_info(context)
+        self.identity_api.remove_user_from_group(user_id, group_id, initiator)

    @controller.protected()
    def delete_user(self, context, user_id):
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@ -1061,7 +1061,7 @@ class Manager(manager.Manager):

    @domains_configured
    @exception_translated('group')
-    def add_user_to_group(self, user_id, group_id):
+    def add_user_to_group(self, user_id, group_id, initiator=None):
        @exception_translated('user')
        def get_entity_info_for_user(public_id):
            return self._get_domain_driver_and_entity_id(public_id)
@ -1081,10 +1081,12 @@ class Manager(manager.Manager):
        # Invalidate user role assignments cache region, as it may now need to
        # include role assignments from the specified group to its users
        assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+        notifications.Audit.added_to(self._GROUP, group_id, self._USER,
+                                     user_id, initiator)

    @domains_configured
    @exception_translated('group')
-    def remove_user_from_group(self, user_id, group_id):
+    def remove_user_from_group(self, user_id, group_id, initiator=None):
        @exception_translated('user')
        def get_entity_info_for_user(public_id):
            return self._get_domain_driver_and_entity_id(public_id)
@ -1105,6 +1107,8 @@ class Manager(manager.Manager):
        # Invalidate user role assignments cache region, as it may be caching
        # role assignments expanded from this group to this user
        assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+        notifications.Audit.removed_from(self._GROUP, group_id, self._USER,
+                                         user_id, initiator)

    @notifications.internal(notifications.INVALIDATE_USER_TOKEN_PERSISTENCE)
    def emit_invalidate_user_token_persistence(self, user_id):
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@ -722,6 +722,28 @@ class NotificationsForEntities(BaseNotificationTest):
        # No audit event should have occurred
        self.assertEqual(0, len(self._audits))

+    def test_add_user_to_group(self):
+        user_ref = unit.new_user_ref(domain_id=self.domain_id)
+        user_ref = self.identity_api.create_user(user_ref)
+        group_ref = unit.new_group_ref(domain_id=self.domain_id)
+        group_ref = self.identity_api.create_group(group_ref)
+        self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
+        self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
+                               actor_id=user_ref['id'], actor_type='user',
+                               actor_operation='added')
+
+    def test_remove_user_from_group(self):
+        user_ref = unit.new_user_ref(domain_id=self.domain_id)
+        user_ref = self.identity_api.create_user(user_ref)
+        group_ref = unit.new_group_ref(domain_id=self.domain_id)
+        group_ref = self.identity_api.create_group(group_ref)
+        self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
+        self.identity_api.remove_user_from_group(user_ref['id'],
+                                                 group_ref['id'])
+        self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
+                               actor_id=user_ref['id'], actor_type='user',
+                               actor_operation='removed')
+

 class CADFNotificationsForEntities(NotificationsForEntities):

--- a/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml
+++ b/releasenotes/notes/notify-on-user-group-membership-8c0136ee0484e255.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - Support has now been added to send notification events
+    on user/group membership. When a user is added or removed
+    from a group a notification will be sent including the
+    identifiers of both the user and the group.