openstack
/
keystone
Code Issues Proposed changes

Move audit initiator creation to request 

The audit initiator is basically a context with all the information
about the current operation available. This information is all gathered
from the request and context so we can simplify its generation by moving
it onto the request object.

Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
This commit is contained in:
Jamie Lennox 2016-07-15 17:53:12 +10:00
parent 5046ba01d8
commit 9117e45d6e
11 changed files with 165 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
keystone/assignment/controllers.py
View File

@ -30,7 +30,6 @@ from keystone.common import wsgi
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone import notifications
CONF = keystone.conf.CONF
@ -106,15 +105,15 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
initiator = notifications._get_request_audit_info(request.context_dict)
role_ref = self.role_api.create_role(role_id, role, initiator)
role_ref = self.role_api.create_role(role_id,
role,
request.audit_initiator)
return {'role': role_ref}
@controller.v2_deprecated
def delete_role(self, request, role_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.role_api.delete_role(role_id, initiator)
self.role_api.delete_role(role_id, request.audit_initiator)
@controller.v2_deprecated
def get_roles(self, request):
@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def create_role(self, request, role):
validation.lazy_validate(schema.role_create, role)
return self._create_role(request.context_dict, role)
return self._create_role(request, role)
@controller.protected()
def create_domain_role(self, request, role):
validation.lazy_validate(schema.role_create, role)
return self._create_role(request.context_dict, role)
return self._create_role(request, role)
def list_roles_wrapper(self, request):
if request.params.get('domain_id'):
@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def get_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
return self._get_role(request, role_id)
@controller.protected()
def get_domain_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
return self._get_role(request, role_id)
def update_role_wrapper(self, context, role_id, role):
# Since we don't allow you change whether a role is global or domain
@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def update_role(self, request, role_id, role):
validation.lazy_validate(schema.role_update, role)
return self._update_role(request.context_dict, role_id, role)
return self._update_role(request, role_id, role)
@controller.protected()
def update_domain_role(self, request, role_id, role):
validation.lazy_validate(schema.role_update, role)
return self._update_role(request.context_dict, role_id, role)
return self._update_role(request, role_id, role)
def delete_role_wrapper(self, context, role_id):
if self._is_domain_role_target(role_id):
@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def delete_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
return self._delete_role(request, role_id)
@controller.protected()
def delete_domain_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
return self._delete_role(request, role_id)
def _create_role(self, context, role):
def _create_role(self, request, role):
if role['name'] == CONF.member_role_name:
# Use the configured member role ID when creating the configured
# member role name. This avoids the potential of creating a
@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller):
role = self._assign_unique_id(role)
ref = self._normalize_dict(role)
initiator = notifications._get_request_audit_info(context)
ref = self.role_api.create_role(ref['id'], ref, initiator)
return RoleV3.wrap_member(context, ref)
ref = self.role_api.create_role(ref['id'],
ref,
request.audit_initiator)
return RoleV3.wrap_member(request.context_dict, ref)
def _list_roles(self, request, filters):
hints = RoleV3.build_driver_hints(request, filters)
refs = self.role_api.list_roles(hints=hints)
return RoleV3.wrap_collection(request.context_dict, refs, hints=hints)
def _get_role(self, context, role_id):
def _get_role(self, request, role_id):
ref = self.role_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
return RoleV3.wrap_member(request.context_dict, ref)
def _update_role(self, context, role_id, role):
def _update_role(self, request, role_id, role):
self._require_matching_id(role_id, role)
initiator = notifications._get_request_audit_info(context)
ref = self.role_api.update_role(role_id, role, initiator)
return RoleV3.wrap_member(context, ref)
ref = self.role_api.update_role(role_id, role, request.audit_initiator)
return RoleV3.wrap_member(request.context_dict, ref)
def _delete_role(self, context, role_id):
initiator = notifications._get_request_audit_info(context)
self.role_api.delete_role(role_id, initiator)
def _delete_role(self, request, role_id):
self.role_api.delete_role(role_id, request.audit_initiator)
@classmethod
def build_driver_hints(cls, request, supported_filters):

6
keystone/auth/plugins/mapped.py
View File

@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref,
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
request.context_dict, user_id, group_ids, identity_provider, protocol,
request, user_id, group_ids, identity_provider, protocol,
token_audit_id)
utils.assert_enabled_identity_provider(federation_api, identity_provider)
@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
request,
user_id, group_ids,
identity_provider,
protocol, token_id,
@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
request,
user_id, group_ids,
identity_provider,
protocol, token_id,

69
keystone/catalog/controllers.py
View File

@ -50,8 +50,7 @@ class Service(controller.V2Controller):
@controller.v2_deprecated
def delete_service(self, request, service_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.catalog_api.delete_service(service_id, initiator)
self.catalog_api.delete_service(service_id, request.audit_initiator)
@controller.v2_deprecated
def create_service(self, request, OS_KSADM_service):
@ -60,9 +59,8 @@ class Service(controller.V2Controller):
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(request.context_dict)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
service_id, service_ref, request.audit_initiator)
return {'OS-KSADM:service': new_service_ref}
@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller):
if interface_url:
utils.check_endpoint_url(interface_url)
initiator = notifications._get_request_audit_info(request.context_dict)
if endpoint.get('region') is not None:
try:
self.catalog_api.get_region(endpoint['region'])
except exception.RegionNotFound:
region = dict(id=endpoint['region'])
self.catalog_api.create_region(region, initiator)
self.catalog_api.create_region(region, request.audit_initiator)
legacy_endpoint_ref = endpoint.copy()
@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller):
endpoint_ref['interface'] = interface
endpoint_ref['url'] = url
endpoint_ref['region_id'] = endpoint_ref.pop('region')
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref,
initiator)
self.catalog_api.create_endpoint(endpoint_ref['id'],
endpoint_ref,
request.audit_initiator)
legacy_endpoint_ref['id'] = legacy_endpoint_id
return {'endpoint': legacy_endpoint_ref}
@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller):
def delete_endpoint(self, request, endpoint_id):
"""Delete up to three v3 endpoint refs based on a legacy ref ID."""
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
deleted_at_least_one = False
for endpoint in self.catalog_api.list_endpoints():
if endpoint['legacy_endpoint_id'] == endpoint_id:
self.catalog_api.delete_endpoint(endpoint['id'], initiator)
self.catalog_api.delete_endpoint(endpoint['id'],
request.audit_initiator)
deleted_at_least_one = True
if not deleted_at_least_one:
@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller):
if not ref.get('id'):
ref = self._assign_unique_id(ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_region(ref, initiator)
ref = self.catalog_api.create_region(ref, request.audit_initiator)
return wsgi.render_response(
RegionV3.wrap_member(request.context_dict, ref),
status=(http_client.CREATED,
@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller):
def update_region(self, request, region_id, region):
validation.lazy_validate(schema.region_update, region)
self._require_matching_id(region_id, region)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_region(region_id, region, initiator)
ref = self.catalog_api.update_region(region_id,
region,
request.audit_initiator)
return RegionV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_region(self, request, region_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_region(region_id, initiator)
return self.catalog_api.delete_region(region_id,
request.audit_initiator)
@dependency.requires('catalog_api')
@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller):
def create_service(self, request, service):
validation.lazy_validate(schema.service_create, service)
ref = self._assign_unique_id(self._normalize_dict(service))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_service(ref['id'], ref, initiator)
ref = self.catalog_api.create_service(ref['id'],
ref,
request.audit_initiator)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type', 'name')
@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller):
def update_service(self, request, service_id, service):
validation.lazy_validate(schema.service_update, service)
self._require_matching_id(service_id, service)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_service(service_id, service, initiator)
ref = self.catalog_api.update_service(service_id,
service,
request.audit_initiator)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_service(self, request, service_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_service(service_id, initiator)
return self.catalog_api.delete_service(service_id,
request.audit_initiator)
@dependency.requires('catalog_api')
@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller):
ref = cls.filter_endpoint(ref)
return super(EndpointV3, cls).wrap_member(context, ref)
def _validate_endpoint_region(self, endpoint, context=None):
def _validate_endpoint_region(self, endpoint, request):
"""Ensure the region for the endpoint exists.
If 'region_id' is used to specify the region, then we will let the
@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller):
self.catalog_api.get_region(endpoint['region_id'])
except exception.RegionNotFound:
region = dict(id=endpoint['region_id'])
initiator = notifications._get_request_audit_info(context)
self.catalog_api.create_region(region, initiator)
self.catalog_api.create_region(region, request.audit_initiator)
return endpoint
@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller):
validation.lazy_validate(schema.endpoint_create, endpoint)
utils.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
ref = self._validate_endpoint_region(ref, request)
ref = self.catalog_api.create_endpoint(ref['id'],
ref,
request.audit_initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('interface', 'service_id', 'region_id')
@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller):
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(),
request.context_dict)
request)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
ref = self.catalog_api.update_endpoint(endpoint_id,
endpoint,
request.audit_initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_endpoint(self, request, endpoint_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_endpoint(endpoint_id, initiator)
return self.catalog_api.delete_endpoint(endpoint_id,
request.audit_initiator)
@dependency.requires('catalog_api', 'resource_api')

24
keystone/common/request.py
View File

@ -12,11 +12,15 @@
import logging
from pycadf import cadftaxonomy as taxonomy
from pycadf import host
from pycadf import resource
import webob
from webob.descriptors import environ_getter
from keystone.common import authorization
from keystone.common import context
from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.i18n import _, _LW
@ -90,6 +94,26 @@ class Request(webob.Request):
# auth_context didn't decode anything we can use
raise exception.Unauthorized()
@property
def audit_initiator(self):
"""A pyCADF initiator describing the current authenticated context."""
pycadf_host = host.Host(address=self.remote_addr,
agent=self.user_agent)
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
host=pycadf_host)
if self.context.user_id:
initiator.id = utils.resource_uuid(self.context.user_id)
initiator.user_id = self.context.user_id
if self.context.project_id:
initiator.project_id = self.context.project_id
if self.context.domain_id:
initiator.domain_id = self.context.domain_id
return initiator
auth_type = environ_getter('AUTH_TYPE', None)
remote_domain = environ_getter('REMOTE_DOMAIN', None)
context = environ_getter(context.REQUEST_CONTEXT_ENV, None)

52
keystone/identity/controllers.py
View File

@ -23,7 +23,6 @@ import keystone.conf
from keystone import exception
from keystone.i18n import _LW
from keystone.identity import schema
from keystone import notifications
CONF = keystone.conf.CONF
@ -77,9 +76,8 @@ class User(controller.V2Controller):
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(request, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
self.identity_api.create_user(user_ref, request.audit_initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
@ -113,9 +111,10 @@ class User(controller.V2Controller):
# user update.
self.resource_api.get_project(default_project_id)
initiator = notifications._get_request_audit_info(request.context_dict)
user_ref = self.v3_to_v2_user(
self.identity_api.update_user(user_id, user, initiator))
user_ref = self.identity_api.update_user(user_id,
user,
request.audit_initiator)
user_ref = self.v3_to_v2_user(user_ref)
# If 'tenantId' is in either ref, we might need to add or remove the
# user from a project.
@ -160,8 +159,7 @@ class User(controller.V2Controller):
@controller.v2_deprecated
def delete_user(self, request, user_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_user(user_id, initiator)
self.identity_api.delete_user(user_id, request.audit_initiator)
@controller.v2_deprecated
def set_user_enabled(self, request, user_id, user):
@ -213,8 +211,7 @@ class UserV3(controller.V3Controller):
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_user(ref, initiator)
ref = self.identity_api.create_user(ref, request.audit_initiator)
return UserV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'enabled', 'name')
@ -236,23 +233,25 @@ class UserV3(controller.V3Controller):
ref = self.identity_api.get_user(user_id)
return UserV3.wrap_member(request.context_dict, ref)
def _update_user(self, context, user_id, user):
def _update_user(self, request, user_id, user):
self._require_matching_id(user_id, user)
self._require_matching_domain_id(
user_id, user, self.identity_api.get_user)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_user(user_id, user, initiator)
return UserV3.wrap_member(context, ref)
ref = self.identity_api.update_user(user_id,
user,
request.audit_initiator)
return UserV3.wrap_member(request.context_dict, ref)
@controller.protected()
def update_user(self, request, user_id, user):
validation.lazy_validate(schema.user_update, user)
return self._update_user(request.context_dict, user_id, user)
return self._update_user(request, user_id, user)
@controller.protected(callback=_check_user_and_group_protection)
def add_user_to_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.add_user_to_group(user_id, group_id, initiator)
self.identity_api.add_user_to_group(user_id,
group_id,
request.audit_initiator)
@controller.protected(callback=_check_user_and_group_protection)
def check_user_in_group(self, request, user_id, group_id):
@ -260,13 +259,13 @@ class UserV3(controller.V3Controller):
@controller.protected(callback=_check_user_and_group_protection)
def remove_user_from_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.remove_user_from_group(user_id, group_id, initiator)
self.identity_api.remove_user_from_group(user_id,
group_id,
request.audit_initiator)
@controller.protected()
def delete_user(self, request, user_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.identity_api.delete_user(user_id, initiator)
return self.identity_api.delete_user(user_id, request.audit_initiator)
@controller.protected()
def change_password(self, request, user_id, user):
@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller):
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_group(ref, initiator)
ref = self.identity_api.create_group(ref, request.audit_initiator)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'name')
@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller):
self._require_matching_id(group_id, group)
self._require_matching_domain_id(
group_id, group, self.identity_api.get_group)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.update_group(group_id, group, initiator)
ref = self.identity_api.update_group(group_id,
group,
request.audit_initiator)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_group(self, request, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_group(group_id, initiator)
self.identity_api.delete_group(group_id, request.audit_initiator)

15
keystone/notifications.py
View File

@ -481,19 +481,18 @@ class CadfNotificationWrapper(object):
def __call__(self, f):
@functools.wraps(f)
def wrapper(wrapped_self, request, user_id, *args, **kwargs):
# Always send a notification.
initiator = _get_request_audit_info(request.context_dict, user_id)
"""Alway send a notification."""
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
try:
result = f(wrapped_self, request, user_id, *args, **kwargs)
except Exception:
# For authentication failure send a cadf event as well
_send_audit_notification(self.action, initiator,
_send_audit_notification(self.action, request.audit_initiator,
taxonomy.OUTCOME_FAILURE,
target, self.event_type)
raise
else:
_send_audit_notification(self.action, initiator,
_send_audit_notification(self.action, request.audit_initiator,
taxonomy.OUTCOME_SUCCESS,
target, self.event_type)
return result
@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object):
return wrapper
def send_saml_audit_notification(action, context, user_id, group_ids,
def send_saml_audit_notification(action, request, user_id, group_ids,
identity_provider, protocol, token_id,
outcome):
"""Send notification to inform observers about SAML events.
:param action: Action being audited
:type action: str
:param context: Current request context to collect request info from
:type context: dict
:param request: Current request to collect request info from
:type request: keystone.common.request.Request
:param user_id: User ID from Keystone token
:type user_id: str
:param group_ids: List of Group IDs from Keystone token
@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids,
:param outcome: One of :class:`pycadf.cadftaxonomy`
:type outcome: str
"""
initiator = _get_request_audit_info(context)
initiator = request.audit_initiator
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
audit_type = SAML_AUDIT_TYPE
user_id = user_id or taxonomy.UNKNOWN

31
keystone/oauth1/controllers.py
View File

@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller):
def create_consumer(self, request, consumer):
validation.lazy_validate(schema.consumer_create, consumer)
ref = self._assign_unique_id(self._normalize_dict(consumer))
initiator = notifications._get_request_audit_info(request.context_dict)
consumer_ref = self.oauth_api.create_consumer(ref, initiator)
consumer_ref = self.oauth_api.create_consumer(ref,
request.audit_initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref)
@controller.protected()
@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller):
validation.lazy_validate(schema.consumer_update, consumer)
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
ref = self.oauth_api.update_consumer(consumer_id,
ref,
request.audit_initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
@controller.protected()
@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller):
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(request.context_dict)
self.oauth_api.delete_consumer(consumer_id, initiator)
self.oauth_api.delete_consumer(consumer_id, request.audit_initiator)
@dependency.requires('oauth_api')
@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller):
consumer_id = access_token['consumer_id']
payload = {'user_id': user_id, 'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(request.context_dict)
return self.oauth_api.delete_access_token(
user_id, access_token_id, initiator)
return self.oauth_api.delete_access_token(user_id,
access_token_id,
request.audit_initiator)
@staticmethod
def _get_user_id(entity):
@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller):
# show the details of the failure.
oauth1.validate_oauth_params(b)
request_token_duration = CONF.oauth1.request_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_request_token(consumer_id,
requested_project_id,
request_token_duration,
initiator)
token_ref = self.oauth_api.create_request_token(
consumer_id,
requested_project_id,
request_token_duration,
request.audit_initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],
@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller):
raise exception.Unauthorized(message=msg)
access_token_duration = CONF.oauth1.access_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_access_token(request_token_id,
access_token_duration,
initiator)
request.audit_initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],

15
keystone/policy/controllers.py
View File

@ -15,7 +15,6 @@
from keystone.common import controller
from keystone.common import dependency
from keystone.common import validation
from keystone import notifications
from keystone.policy import schema
@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller):
def create_policy(self, request, policy):
validation.lazy_validate(schema.policy_create, policy)
ref = self._assign_unique_id(self._normalize_dict(policy))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
ref = self.policy_api.create_policy(ref['id'],
ref,
request.audit_initiator)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type')
@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller):
@controller.protected()
def update_policy(self, request, policy_id, policy):
validation.lazy_validate(schema.policy_update, policy)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.update_policy(policy_id, policy, initiator)
ref = self.policy_api.update_policy(policy_id,
policy,
request.audit_initiator)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_policy(self, request, policy_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.policy_api.delete_policy(policy_id, initiator)
return self.policy_api.delete_policy(policy_id,
request.audit_initiator)

44
keystone/resource/controllers.py
View File

@ -26,7 +26,6 @@ from keystone.common import wsgi
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.resource import schema
@ -94,11 +93,10 @@ class Tenant(controller.V2Controller):
self.resource_api.ensure_default_domain_exists()
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant = self.resource_api.create_project(
tenant_ref['id'],
self._normalize_domain_id(request, tenant_ref),
initiator)
request.audit_initiator)
return {'tenant': self.v3_to_v2_project(tenant)}
@controller.v2_deprecated
@ -107,17 +105,15 @@ class Tenant(controller.V2Controller):
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant_ref = self.resource_api.update_project(
tenant_id, tenant, initiator)
tenant_id, tenant, request.audit_initiator)
return {'tenant': self.v3_to_v2_project(tenant_ref)}
@controller.v2_deprecated
def delete_project(self, request, tenant_id):
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
self.resource_api.delete_project(tenant_id, initiator)
self.resource_api.delete_project(tenant_id, request.audit_initiator)
@dependency.requires('resource_api')
@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller):
def create_domain(self, request, domain):
validation.lazy_validate(schema.domain_create, domain)
ref = self._assign_unique_id(self._normalize_dict(domain))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.create_domain(ref['id'], ref, initiator)
ref = self.resource_api.create_domain(ref['id'],
ref,
request.audit_initiator)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('enabled', 'name')
@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller):
def update_domain(self, request, domain_id, domain):
validation.lazy_validate(schema.domain_update, domain)
self._require_matching_id(domain_id, domain)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_domain(domain_id, domain, initiator)
ref = self.resource_api.update_domain(domain_id,
domain,
request.audit_initiator)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_domain(self, request, domain_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_domain(domain_id, initiator)
return self.resource_api.delete_domain(domain_id,
request.audit_initiator)
@dependency.requires('domain_config_api')
@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller):
if not ref.get('parent_id'):
ref['parent_id'] = ref.get('domain_id')
initiator = notifications._get_request_audit_info(request.context_dict)
try:
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
ref = self.resource_api.create_project(
ref['id'],
ref,
initiator=request.audit_initiator)
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
raise exception.ValidationError(e)
return ProjectV3.wrap_member(request.context_dict, ref)
@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller):
self._require_matching_id(project_id, project)
self._require_matching_domain_id(
project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_project(project_id, project,
initiator=initiator)
ref = self.resource_api.update_project(
project_id,
project,
initiator=request.audit_initiator)
return ProjectV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_project(self, request, project_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_project(project_id,
initiator=initiator)
return self.resource_api.delete_project(
project_id,
initiator=request.audit_initiator)

2
keystone/tests/unit/test_v3_federation.py
View File

@ -1631,7 +1631,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
super(FederatedTokenTests, self).setUp()
self._notifications = []
def fake_saml_notify(action, context, user_id, group_ids,
def fake_saml_notify(action, request, user_id, group_ids,
identity_provider, protocol, token_id, outcome):
note = {
'action': action,

8
keystone/trust/controllers.py
View File

@ -24,7 +24,6 @@ from keystone.common import utils
from keystone.common import validation
from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.trust import schema
@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller):
trust['expires_at'] = self._parse_expiration_date(
trust.get('expires_at'))
trust_id = uuid.uuid4().hex
initiator = notifications._get_request_audit_info(request.context_dict)
new_trust = self.trust_api.create_trust(trust_id, trust,
normalized_roles,
redelegated_trust,
initiator)
request.audit_initiator)
self._fill_in_roles(request.context_dict, new_trust)
return TrustV3.wrap_member(request.context_dict, new_trust)
@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller):
not request.context.is_admin):
raise exception.Forbidden()
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
self.trust_api.delete_trust(trust_id, request.audit_initiator)
@controller.protected()
def list_roles_for_trust(self, request, trust_id):