From 9ffdedb7581aacc279a3c16400895fceecfee045 Mon Sep 17 00:00:00 2001
From: Steve Martinelli
Date: Sun, 17 Aug 2014 02:07:08 -0400
Subject: [PATCH] Expose context to create grant and delete grant
To correctly issue a CADF audit event for a change in role assignments, we need to expose the context at the manager level. Note that the driver signatures are *not* changing, just the manager needs to know the context.
implements bp role-assignment-notifications
Change-Id: I116b185f5d1fc3f9cbb03ffcf3ce64c56a73d969
---
 keystone/assignment/controllers.py | 4 ++--
 keystone/assignment/core.py | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py
index 0ee88bf1ea..6b54ad3279 100644
--- keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@@ -520,7 +520,7 @@ class RoleV3(controller.V3Controller):
 self.assignment_api.create_grant(
 role_id, user_id, group_id, domain_id, project_id,
- self._check_if_inherited(context))
+ self._check_if_inherited(context), context)
 @controller.protected(callback=_check_grant_protection)
 def list_grants(self, context, user_id=None,
@@ -554,7 +554,7 @@ class RoleV3(controller.V3Controller):
 self.assignment_api.delete_grant(
 role_id, user_id, group_id, domain_id, project_id,
- self._check_if_inherited(context))
+ self._check_if_inherited(context), context)
 @dependency.requires('assignment_api', 'identity_api')
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 379b44d5e3..4106070e42 100644
--- keystone/assignment/core.py
+++ b/keystone/assignment/core.py
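Review bot: `context` should be passed by keyword rather than as a seventh positional argument in both RoleV3 hunks of keystone/assignment/controllers.py (the `create_grant` call at -520 and the `delete_grant` call at -554). It currently follows the boolean `inherited_to_projects` positionally, so if either manager signature later gains a parameter, the request context could land in the wrong slot, and a non-empty context is truthy. Writing the changed line as `self._check_if_inherited(context), context=context)` in both places removes that risk. Both calls sit inside methods whose bodies start outside these hunks.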
@@ -504,9 +504,15 @@ class Manager(manager.Manager):
 self.revoke_api.revoke_by_grant(role_id, user_id=user_id, project_id=tenant_id)
+ def create_grant(self, role_id, user_id=None, group_id=None,
+ domain_id=None, project_id=None,
+ inherited_to_projects=False, context=None):
+ self.driver.create_grant(role_id, user_id, group_id, domain_id,
+ project_id, inherited_to_projects)
+
 def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None, project_id=None,
- inherited_to_projects=False):
+ inherited_to_projects=False, context=None):
 user_ids = []
 if group_id is None:
 if self.revoke_api:
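Review bot: The `context=None` default on the manager's `create_grant` and `delete_grant` lets any caller that omits the argument keep working silently. Once the CADF event described in the commit message is emitted from these methods, role-assignment changes made through such callers would presumably be recorded without an initiator, or not at all. When the notification is wired in, handle a missing context explicitly (emit the event with an unknown initiator and log it) rather than skipping it, and check the other callers of these two methods, which this diff does not show. The new `create_grant` also leaves `context` unused without explanation; a comment such as `# context is for audit notifications only; it is deliberately not forwarded to the driver` would document that. The body of `delete_grant` continues past the end of the hunk.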