openstack
/
keystone
Code Issues Proposed changes

proxy removed from identity and changed to assignment 

The identity_api served as a proxy for calling the assignment_api
but it was suggested that this proxy should be removed and the calls
should be made directly to the assignment_api.

bug: #1220913

Change-Id: I20c461c06db22c03eb6d16399d1ca50999d053d5
This commit is contained in:
Telles Nobrega 2013-10-14 15:48:31 -03:00
parent 4a100d4d10
commit bb1ac459a4
22 changed files with 768 additions and 845 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
keystone/auth/controllers.py
View File

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from keystone import assignment
from keystone.common import controller
from keystone.common import dependency
from keystone.common import wsgi
@ -49,10 +49,12 @@ def get_auth_method(method_name):
return AUTH_METHODS[method_name]
@dependency.requires('assignment_api')
class AuthInfo(object):
"""Encapsulation of "auth" request."""
def __init__(self, context, auth=None):
self.assignment_api = assignment.Manager()
self.identity_api = identity.Manager()
self.trust_api = trust.Manager()
self.context = context
@ -115,10 +117,10 @@ class AuthInfo(object):
raise exception.ValidationError(attribute='domain',
target='project')
domain_ref = self._lookup_domain(project_info['domain'])
project_ref = self.identity_api.get_project_by_name(
project_ref = self.assignment_api.get_project_by_name(
project_name, domain_ref['id'])
else:
project_ref = self.identity_api.get_project(project_id)
project_ref = self.assignment_api.get_project(project_id)
except exception.ProjectNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)

2
keystone/common/controller.py
View File

@ -79,7 +79,7 @@ def _build_policy_check_credentials(self, action, context, kwargs):
except AttributeError:
LOG.debug(_('RBAC: Proceeding without tenant'))
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(role)['name']
creds['roles'] = [self.assignment_api.get_role(role)['name']
for role in creds.get('roles', [])]
return creds

2
keystone/common/wsgi.py
View File

@ -303,7 +303,7 @@ class Application(BaseApplication):
raise exception.Unauthorized()
# NOTE(vish): this is pretty inefficient
creds['roles'] = [self.identity_api.get_role(role)['name']
creds['roles'] = [self.assignment_api.get_role(role)['name']
for role in creds.get('roles', [])]
# Accept either is_admin or the admin role
self.policy_api.enforce(creds, 'admin_required', {})

11
keystone/contrib/ec2/controllers.py
View File

@ -45,7 +45,8 @@ from keystone import exception
from keystone import token
@dependency.requires('catalog_api', 'credential_api', 'token_provider_api')
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
'token_provider_api')
class Ec2Controller(controller.V2Controller):
def check_signature(self, creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
@ -99,11 +100,11 @@ class Ec2Controller(controller.V2Controller):
# TODO(termie): don't create new tokens every time
# TODO(termie): this is copied from TokenController.authenticate
token_id = uuid.uuid4().hex
tenant_ref = self.identity_api.get_project(creds_ref['tenant_id'])
tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(creds_ref['user_id'])
metadata_ref = {}
metadata_ref['roles'] = (
self.identity_api.get_roles_for_user_and_project(
self.assignment_api.get_roles_for_user_and_project(
user_ref['id'], tenant_ref['id']))
# Validate that the auth info is valid and nothing is disabled
@ -112,7 +113,7 @@ class Ec2Controller(controller.V2Controller):
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.identity_api.get_role(role_id)
roles_ref = [self.assignment_api.get_role(role_id)
for role_id in roles]
catalog_ref = self.catalog_api.get_catalog(
@ -289,6 +290,6 @@ class Ec2Controller(controller.V2Controller):
:raises exception.ProjectNotFound: on failure
"""
project_ref = self.identity_api.get_project(project_id)
project_ref = self.assignment_api.get_project(project_id)
if not project_ref:
raise exception.ProjectNotFound(project_id=project_id)

10
keystone/contrib/endpoint_filter/controllers.py
View File

@ -21,7 +21,7 @@ from keystone.common import dependency
from keystone.identity import controllers as identity_controllers
@dependency.requires('catalog_api', 'identity_api', 'endpoint_filter_api')
@dependency.requires('assignment_api', 'endpoint_filter_api')
class EndpointFilterV3Controller(controller.V3Controller):
@controller.protected()
@ -32,7 +32,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
# The relationship can still be establed even with a disabled project
# as there are no security implications.
self.catalog_api.get_endpoint(endpoint_id)
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
# NOTE(gyee): we may need to cleanup any existing project-endpoint
# associations here if either project or endpoint is not found.
self.endpoint_filter_api.add_endpoint_to_project(endpoint_id,
@ -42,7 +42,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
def check_endpoint_in_project(self, context, project_id, endpoint_id):
"""Verifies endpoint is currently associated with given project."""
self.catalog_api.get_endpoint(endpoint_id)
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
# TODO(gyee): we may need to cleanup any existing project-endpoint
# associations here if either project or endpoint is not found.
self.endpoint_filter_api.check_endpoint_in_project(endpoint_id,
@ -51,7 +51,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
@controller.protected()
def list_endpoints_for_project(self, context, project_id):
"""Lists all endpoints currently associated with a given project."""
self.identity_api.get_project(project_id)
self.assignment_api.get_project(project_id)
refs = self.endpoint_filter_api.list_endpoints_for_project(project_id)
endpoints = [self.catalog_api.get_endpoint(
@ -70,7 +70,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
"""Return a list of projects associated with the endpoint."""
refs = self.endpoint_filter_api.list_project_endpoints(endpoint_id)
projects = [self.identity_api.get_project(
projects = [self.assignment_api.get_project(
ref.project_id) for ref in refs]
return identity_controllers.ProjectV3.wrap_collection(context,
projects)

79
keystone/identity/controllers.py
View File

@ -39,7 +39,7 @@ class Tenant(controller.V2Controller):
context, context['query_string'].get('name'))
self.assert_admin(context)
tenant_refs = self.identity_api.list_projects()
tenant_refs = self.assignment_api.list_projects()
for tenant_ref in tenant_refs:
tenant_ref = self.filter_domain_id(tenant_ref)
params = {
@ -77,12 +77,12 @@ class Tenant(controller.V2Controller):
def get_project(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
ref = self.identity_api.get_project(tenant_id)
ref = self.assignment_api.get_project(tenant_id)
return {'tenant': self.filter_domain_id(ref)}
def get_project_by_name(self, context, tenant_name):
self.assert_admin(context)
ref = self.identity_api.get_project_by_name(
ref = self.assignment_api.get_project_by_name(
tenant_name, DEFAULT_DOMAIN_ID)
return {'tenant': self.filter_domain_id(ref)}
@ -214,7 +214,8 @@ class User(controller.V2Controller):
self.identity_api.create_user(user_id, user_ref))
if default_project_id is not None:
self.identity_api.add_user_to_project(default_project_id, user_id)
self.assignment_api.add_user_to_project(default_project_id,
user_id)
return {'user': new_user_ref}
def update_user(self, context, user_id, user):
@ -312,15 +313,15 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: '
'tenant ID required')
roles = self.identity_api.get_roles_for_user_and_project(
roles = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
return {'roles': [self.identity_api.get_role(x)
return {'roles': [self.assignment_api.get_role(x)
for x in roles]}
# CRUD extension
def get_role(self, context, role_id):
self.assert_admin(context)
return {'role': self.identity_api.get_role(role_id)}
return {'role': self.assignment_api.get_role(role_id)}
def create_role(self, context, role):
role = self._normalize_dict(role)
@ -332,7 +333,7 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
role_ref = self.identity_api.create_role(role_id, role)
role_ref = self.assignment_api.create_role(role_id, role)
return {'role': role_ref}
def delete_role(self, context, role_id):
@ -341,11 +342,11 @@ class Role(controller.V2Controller):
# We must first, however, revoke any tokens for users that have an
# assignment with this role.
self._delete_tokens_for_role(role_id)
self.identity_api.delete_role(role_id)
self.assignment_api.delete_role(role_id)
def get_roles(self, context):
self.assert_admin(context)
return {'roles': self.identity_api.list_roles()}
return {'roles': self.assignment_api.list_roles()}
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
"""Add a role to a user and tenant pair.
@ -359,10 +360,10 @@ class Role(controller.V2Controller):
raise exception.NotImplemented(message='User roles not supported: '
'tenant_id required')
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
role_ref = self.identity_api.get_role(role_id)
role_ref = self.assignment_api.get_role(role_id)
return {'role': role_ref}
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
@ -379,7 +380,7 @@ class Role(controller.V2Controller):
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
@ -403,7 +404,7 @@ class Role(controller.V2Controller):
# the default domain.
if tenant['domain_id'] != DEFAULT_DOMAIN_ID:
continue
role_ids = self.identity_api.get_roles_for_user_and_project(
role_ids = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant['id'])
for role_id in role_ids:
ref = {'roleId': role_id,
@ -425,11 +426,11 @@ class Role(controller.V2Controller):
# TODO(termie): for now we're ignoring the actual role
tenant_id = role.get('tenantId')
role_id = role.get('roleId')
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
role_ref = self.identity_api.get_role(role_id)
role_ref = self.assignment_api.get_role(role_id)
return {'role': role_ref}
# COMPAT(diablo): CRUD extension
@ -449,7 +450,7 @@ class Role(controller.V2Controller):
role_ref_ref = urlparse.parse_qs(role_ref_id)
tenant_id = role_ref_ref.get('tenantId')[0]
role_id = role_ref_ref.get('roleId')[0]
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
user_id, tenant_id, role_id)
self._delete_tokens_for_user(user_id)
@ -467,31 +468,31 @@ class DomainV3(controller.V3Controller):
self._require_attribute(domain, 'name')
ref = self._assign_unique_id(self._normalize_dict(domain))
ref = self.identity_api.create_domain(ref['id'], ref)
ref = self.assignment_api.create_domain(ref['id'], ref)
return DomainV3.wrap_member(context, ref)
@controller.filterprotected('enabled', 'name')
def list_domains(self, context, filters):
refs = self.identity_api.list_domains()
refs = self.assignment_api.list_domains()
return DomainV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_domain(self, context, domain_id):
ref = self.identity_api.get_domain(domain_id)
ref = self.assignment_api.get_domain(domain_id)
return DomainV3.wrap_member(context, ref)
@controller.protected()
def update_domain(self, context, domain_id, domain):
self._require_matching_id(domain_id, domain)
ref = self.identity_api.update_domain(domain_id, domain)
ref = self.assignment_api.update_domain(domain_id, domain)
# disable owned users & projects when the API user specifically set
# enabled=False
# FIXME(dolph): need a driver call to directly revoke all tokens by
# project or domain, regardless of user
if not domain.get('enabled', True):
projects = [x for x in self.identity_api.list_projects()
projects = [x for x in self.assignment_api.list_projects()
if x.get('domain_id') == domain_id]
for user in self.identity_api.list_users():
# TODO(dolph): disable domain-scoped tokens
@ -548,7 +549,7 @@ class DomainV3(controller.V3Controller):
user_refs = self.identity_api.list_users()
user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id]
proj_refs = self.identity_api.list_projects()
proj_refs = self.assignment_api.list_projects()
proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id]
# First delete the projects themselves
@ -581,14 +582,14 @@ class DomainV3(controller.V3Controller):
# has been previously disabled. This also prevents a user deleting
# their own domain since, once it is disabled, they won't be able
# to get a valid token to issue this delete.
ref = self.identity_api.get_domain(domain_id)
ref = self.assignment_api.get_domain(domain_id)
if ref['enabled']:
raise exception.ForbiddenAction(
action='delete a domain that is not disabled')
# OK, we are go for delete!
self._delete_domain_contents(context, domain_id)
return self.identity_api.delete_domain(domain_id)
return self.assignment_api.delete_domain(domain_id)
def _get_domain_by_name(self, context, domain_name):
"""Get the domain via its unique name.
@ -597,7 +598,7 @@ class DomainV3(controller.V3Controller):
router as a public api.
"""
ref = self.identity_api.get_domain_by_name(domain_name)
ref = self.assignment_api.get_domain_by_name(domain_name)
return {'domain': ref}
@ -620,17 +621,17 @@ class ProjectV3(controller.V3Controller):
@controller.filterprotected('domain_id', 'enabled', 'name')
def list_projects(self, context, filters):
refs = self.identity_api.list_projects()
refs = self.assignment_api.list_projects()
return ProjectV3.wrap_collection(context, refs, filters)
@controller.filterprotected('enabled', 'name')
def list_user_projects(self, context, filters, user_id):
refs = self.identity_api.list_projects_for_user(user_id)
refs = self.assignment_api.list_projects_for_user(user_id)
return ProjectV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_project(self, context, project_id):
ref = self.identity_api.get_project(project_id)
ref = self.assignment_api.get_project(project_id)
return ProjectV3.wrap_member(context, ref)
@controller.protected()
@ -840,24 +841,24 @@ class RoleV3(controller.V3Controller):
self._require_attribute(role, 'name')
ref = self._assign_unique_id(self._normalize_dict(role))
ref = self.identity_api.create_role(ref['id'], ref)
ref = self.assignment_api.create_role(ref['id'], ref)
return RoleV3.wrap_member(context, ref)
@controller.filterprotected('name')
def list_roles(self, context, filters):
refs = self.identity_api.list_roles()
refs = self.assignment_api.list_roles()
return RoleV3.wrap_collection(context, refs, filters)
@controller.protected()
def get_role(self, context, role_id):
ref = self.identity_api.get_role(role_id)
ref = self.assignment_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
@controller.protected()
def update_role(self, context, role_id, role):
self._require_matching_id(role_id, role)
ref = self.identity_api.update_role(role_id, role)
ref = self.assignment_api.update_role(role_id, role)
return RoleV3.wrap_member(context, ref)
@controller.protected()
@ -866,7 +867,7 @@ class RoleV3(controller.V3Controller):
# We must first, however, revoke any tokens for users that have an
# assignment with this role.
self._delete_tokens_for_role(role_id)
self.identity_api.delete_role(role_id)
self.assignment_api.delete_role(role_id)
def _require_domain_xor_project(self, domain_id, project_id):
if (domain_id and project_id) or (not domain_id and not project_id):
@ -895,7 +896,7 @@ class RoleV3(controller.V3Controller):
"""
ref = {}
if role_id:
ref['role'] = self.identity_api.get_role(role_id)
ref['role'] = self.assignment_api.get_role(role_id)
if user_id:
ref['user'] = self.identity_api.get_user(user_id)
else:
@ -920,7 +921,7 @@ class RoleV3(controller.V3Controller):
if group_id:
self.identity_api.get_group(group_id)
self.identity_api.create_grant(
self.assignment_api.create_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
@ -931,7 +932,7 @@ class RoleV3(controller.V3Controller):
self._require_domain_xor_project(domain_id, project_id)
self._require_user_xor_group(user_id, group_id)
refs = self.identity_api.list_grants(
refs = self.assignment_api.list_grants(
user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
return RoleV3.wrap_collection(context, refs)
@ -948,7 +949,7 @@ class RoleV3(controller.V3Controller):
if group_id:
self.identity_api.get_group(group_id)
self.identity_api.get_grant(
self.assignment_api.get_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
@ -959,7 +960,7 @@ class RoleV3(controller.V3Controller):
self._require_domain_xor_project(domain_id, project_id)
self._require_user_xor_group(user_id, group_id)
self.identity_api.delete_grant(
self.assignment_api.delete_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))

94
keystone/identity/core.py
View File

@ -457,85 +457,9 @@ class Manager(manager.Manager):
# API should be removed, with the controller and tests making the correct
# calls direct to assignment.
def get_project_by_name(self, tenant_name, domain_id):
return self.assignment_api.get_project_by_name(tenant_name, domain_id)
def get_project(self, tenant_id):
return self.assignment_api.get_project(tenant_id)
def list_projects(self, domain_id=None):
return self.assignment_api.list_projects(domain_id)
def get_role(self, role_id):
return self.assignment_api.get_role(role_id)
def list_roles(self):
return self.assignment_api.list_roles()
def get_project_users(self, tenant_id):
return self.assignment_api.get_project_users(tenant_id)
def get_roles_for_user_and_project(self, user_id, tenant_id):
return self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
def get_roles_for_user_and_domain(self, user_id, domain_id):
return (self.assignment_api.get_roles_for_user_and_domain
(user_id, domain_id))
def _subrole_id_to_dn(self, role_id, tenant_id):
return self.assignment_api._subrole_id_to_dn(role_id, tenant_id)
def add_role_to_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.add_role_to_user_and_project
(user_id, tenant_id, role_id))
def create_role(self, role_id, role):
return self.assignment_api.create_role(role_id, role)
def delete_role(self, role_id):
return self.assignment_api.delete_role(role_id)
def remove_role_from_user_and_project(self, user_id,
tenant_id, role_id):
return (self.assignment_api.remove_role_from_user_and_project
(user_id, tenant_id, role_id))
def update_role(self, role_id, role):
return self.assignment_api.update_role(role_id, role)
def create_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.create_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def list_grants(self, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.list_grants
(user_id, group_id, domain_id, project_id,
inherited_to_projects))
def get_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.get_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def delete_grant(self, role_id, user_id=None, group_id=None,
domain_id=None, project_id=None,
inherited_to_projects=False):
return (self.assignment_api.delete_grant
(role_id, user_id, group_id, domain_id, project_id,
inherited_to_projects))
def create_domain(self, domain_id, domain):
return self.assignment_api.create_domain(domain_id, domain)
# NOTE(tellesmvn):The following 4 methods where not removed since ayoung
# told me not to because someone else is working on a new feature involving
# these methods where the idea is to identify in which domain the user is
def get_domain_by_name(self, domain_name):
return self.assignment_api.get_domain_by_name(domain_name)
@ -545,21 +469,9 @@ class Manager(manager.Manager):
def update_domain(self, domain_id, domain):
return self.assignment_api.update_domain(domain_id, domain)
def delete_domain(self, domain_id):
return self.assignment_api.delete_domain(domain_id)
def list_domains(self):
return self.assignment_api.list_domains()
def list_projects_for_user(self, user_id):
return self.assignment_api.list_projects_for_user(user_id)
def add_user_to_project(self, tenant_id, user_id):
return self.assignment_api.add_user_to_project(tenant_id, user_id)
def remove_user_from_project(self, tenant_id, user_id):
return self.assignment_api.remove_user_from_project(tenant_id, user_id)
@six.add_metaclass(abc.ABCMeta)
class Driver(object):

17
keystone/tests/core.py
View File

@ -333,12 +333,13 @@ class TestCase(NoModule, testtools.TestCase):
"""
# TODO(termie): doing something from json, probably based on Django's
# loaddata will be much preferred.
if hasattr(self, 'identity_api'):
if hasattr(self, 'identity_api') and hasattr(self, 'assignment_api'):
for domain in fixtures.DOMAINS:
try:
rv = self.identity_api.create_domain(domain['id'], domain)
rv = self.assignment_api.create_domain(domain['id'],
domain)
except exception.Conflict:
rv = self.identity_api.get_domain(domain['id'])
rv = self.assignment_api.get_domain(domain['id'])
except exception.NotImplemented:
rv = domain
setattr(self, 'domain_%s' % domain['id'], rv)
@ -348,15 +349,15 @@ class TestCase(NoModule, testtools.TestCase):
rv = self.assignment_api.create_project(
tenant['id'], tenant)
except exception.Conflict:
rv = self.identity_api.get_project(tenant['id'])
rv = self.assignment_api.get_project(tenant['id'])
pass
setattr(self, 'tenant_%s' % tenant['id'], rv)
for role in fixtures.ROLES:
try:
rv = self.identity_api.create_role(role['id'], role)
rv = self.assignment_api.create_role(role['id'], role)
except exception.Conflict:
rv = self.identity_api.get_role(role['id'])
rv = self.assignment_api.get_role(role['id'])
pass
setattr(self, 'role_%s' % role['id'], rv)
@ -370,8 +371,8 @@ class TestCase(NoModule, testtools.TestCase):
pass
for tenant_id in tenants:
try:
self.identity_api.add_user_to_project(tenant_id,
user['id'])
self.assignment_api.add_user_to_project(tenant_id,
user['id'])
except exception.Conflict:
pass
setattr(self, 'user_%s' % user['id'], user_copy)

40
keystone/tests/test_auth.py
View File

@ -230,7 +230,7 @@ class AuthWithToken(AuthTest):
def test_auth_unscoped_token_project(self):
"""Verify getting a token in a tenant with an unscoped token."""
# Add a role in so we can check we get this back
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
@ -253,19 +253,19 @@ class AuthWithToken(AuthTest):
def test_auth_token_project_group_role(self):
"""Verify getting a token in a tenant with group roles."""
# Add a v2 style role in so we can check we get this back
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
# Now create a group role for this user as well
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_domain(domain1['id'], domain1)
self.assignment_api.create_domain(domain1['id'], domain1)
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
self.identity_api.create_group(new_group['id'], new_group)
self.identity_api.add_user_to_group(self.user_foo['id'],
new_group['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
project_id=self.tenant_bar['id'],
role_id=self.role_admin['id'])
@ -288,38 +288,38 @@ class AuthWithToken(AuthTest):
"""Verify getting a token in cross domain group/project roles."""
# create domain, project and group and grant roles to user
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_domain(domain1['id'], domain1)
self.assignment_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
self.assignment_api.create_project(project1['id'], project1)
role_foo_domain1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role_foo_domain1['id'],
role_foo_domain1)
self.assignment_api.create_role(role_foo_domain1['id'],
role_foo_domain1)
role_group_domain1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role_group_domain1['id'],
role_group_domain1)
self.identity_api.add_user_to_project(project1['id'],
self.user_foo['id'])
self.assignment_api.create_role(role_group_domain1['id'],
role_group_domain1)
self.assignment_api.add_user_to_project(project1['id'],
self.user_foo['id'])
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
self.identity_api.create_group(new_group['id'], new_group)
self.identity_api.add_user_to_group(self.user_foo['id'],
new_group['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
user_id=self.user_foo['id'],
project_id=project1['id'],
role_id=self.role_member['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
project_id=project1['id'],
role_id=self.role_admin['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
user_id=self.user_foo['id'],
domain_id=domain1['id'],
role_id=role_foo_domain1['id'])
self.identity_api.create_grant(
self.assignment_api.create_grant(
group_id=new_group['id'],
domain_id=domain1['id'],
role_id=role_group_domain1['id'])
@ -410,7 +410,7 @@ class AuthWithToken(AuthTest):
self.assignment_api.create_project(project1['id'], project1)
role_one = {'id': 'role_one', 'name': uuid.uuid4().hex}
self.assignment_api.create_role(role_one['id'], role_one)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'], project1['id'], role_one['id'])
no_context = {}
@ -597,7 +597,7 @@ class AuthWithTrust(AuthTest):
self.assigned_roles = [self.role_member['id'],
self.role_browser['id']]
for assigned_role in self.assigned_roles:
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
self.sample_data = {'trustor_user_id': self.trustor['id'],
@ -801,7 +801,7 @@ class AuthWithTrust(AuthTest):
def test_token_from_trust_with_no_role_fails(self):
for assigned_role in self.assigned_roles:
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2')
self.assertRaises(
@ -817,12 +817,12 @@ class AuthWithTrust(AuthTest):
self.controller.authenticate, {}, request_body)
def test_token_from_trust_with_wrong_role_fails(self):
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.trustor['id'],
self.tenant_bar['id'],
self.role_other['id'])
for assigned_role in self.assigned_roles:
self.identity_api.remove_role_from_user_and_project(
self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2')

976
keystone/tests/test_backend.py
View File

File diff suppressed because it is too large Load Diff

87
keystone/tests/test_backend_ldap.py
View File

@ -273,8 +273,8 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
'enabled': True,
}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
driver = self.identity_api._select_identity_driver(
user['domain_id'])
driver.user.LDAP_USER = None
@ -345,7 +345,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
def test_configurable_allowed_project_actions(self):
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.assignment_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
tenant_ref = self.assignment_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
tenant['enabled'] = False
@ -353,7 +353,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
self.assignment_api.delete_project('fake1')
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
'fake1')
def test_configurable_forbidden_project_actions(self):
@ -379,16 +379,16 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
def test_configurable_allowed_role_actions(self):
role = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_role('fake1', role)
role_ref = self.identity_api.get_role('fake1')
self.assignment_api.create_role('fake1', role)
role_ref = self.assignment_api.get_role('fake1')
self.assertEqual(role_ref['id'], 'fake1')
role['name'] = 'fake2'
self.identity_api.update_role('fake1', role)
self.assignment_api.update_role('fake1', role)
self.identity_api.delete_role('fake1')
self.assignment_api.delete_role('fake1')
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
'fake1')
def test_configurable_forbidden_role_actions(self):
@ -399,22 +399,22 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_role,
self.assignment_api.create_role,
role['id'],
role)
self.role_member['name'] = uuid.uuid4().hex
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_role,
self.assignment_api.update_role,
self.role_member['id'],
self.role_member)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_role,
self.assignment_api.delete_role,
self.role_member['id'])
def test_project_filter(self):
tenant_ref = self.identity_api.get_project(self.tenant_bar['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
@ -427,15 +427,15 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
self.identity_api.get_role(self.role_member['id'])
self.assignment_api.get_role(self.role_member['id'])
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_bar['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
self.tenant_bar['id'])
def test_role_filter(self):
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertDictEqual(role_ref, self.role_member)
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
@ -449,7 +449,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
self.role_member['id'])
def test_dumb_member(self):
@ -479,7 +479,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
self.assertEqual(
@ -500,7 +500,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
@ -521,7 +521,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_project.invalidate(self.assignment_api,
self.tenant_baz['id'])
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
tenant_ref = self.assignment_api.get_project(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertNotIn('name', tenant_ref)
self.assertNotIn('description', tenant_ref)
@ -540,7 +540,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertEqual(role_ref['name'], self.role_member['name'])
@ -554,7 +554,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
@ -571,7 +571,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# cache population.
self.assignment_api.get_role.invalidate(self.assignment_api,
self.role_member['id'])
role_ref = self.identity_api.get_role(self.role_member['id'])
role_ref = self.assignment_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
@ -692,11 +692,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'enabled': True, 'description': uuid.uuid4().hex}
self.assertRaises(exception.Forbidden,
self.identity_api.create_domain,
self.assignment_api.create_domain,
domain['id'],
domain)
self.assertRaises(exception.Conflict,
self.identity_api.create_domain,
self.assignment_api.create_domain,
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
@ -705,21 +705,21 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
domain['description'] = uuid.uuid4().hex
self.assertRaises(exception.DomainNotFound,
self.identity_api.update_domain,
self.assignment_api.update_domain,
domain['id'],
domain)
self.assertRaises(exception.Forbidden,
self.identity_api.update_domain,
self.assignment_api.update_domain,
CONF.identity.default_domain_id,
domain)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
domain['id'])
self.assertRaises(exception.DomainNotFound,
self.identity_api.delete_domain,
self.assignment_api.delete_domain,
domain['id'])
self.assertRaises(exception.Forbidden,
self.identity_api.delete_domain,
self.assignment_api.delete_domain,
CONF.identity.default_domain_id)
self.assertRaises(exception.DomainNotFound,
self.identity_api.get_domain,
@ -756,12 +756,12 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
project['description'] = uuid.uuid4().hex
self.assignment_api.update_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
self.assertDictEqual(project_ref, project)
self.assignment_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
project['id'])
def test_cache_layer_project_crud(self):
@ -826,7 +826,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
role_list = []
for _ in range(2):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.assignment_api.create_role(role['id'], role)
role_list.append(role)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
@ -838,11 +838,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
'domain_id': CONF.identity.default_domain_id}
self.assignment_api.create_project(project1['id'], project1)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id=user1['id'],
tenant_id=project1['id'],
role_id=role_list[0]['id'])
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
user_id=user1['id'],
tenant_id=project1['id'],
role_id=role_list[1]['id'])
@ -852,17 +852,18 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity):
# and group roles are combined. Only directly assigned user
# roles are available, since group grants are not yet supported
combined_role_list = self.identity_api.get_roles_for_user_and_project(
user1['id'], project1['id'])
self.assertEqual(len(combined_role_list), 2)
self.assertIn(role_list[0]['id'], combined_role_list)
self.assertIn(role_list[1]['id'], combined_role_list)
combined_list = self.assignment_api.get_roles_for_user_and_project(
user1['id'],
project1['id'])
self.assertEqual(len(combined_list), 2)
self.assertIn(role_list[0]['id'], combined_list)
self.assertIn(role_list[1]['id'], combined_list)
# Finally, although domain roles are not implemented, check we can
# issue the combined get roles call with benign results, since thus is
# used in token generation
combined_role_list = self.identity_api.get_roles_for_user_and_domain(
combined_role_list = self.assignment_api.get_roles_for_user_and_domain(
user1['id'], CONF.identity.default_domain_id)
self.assertEqual(len(combined_role_list), 0)
@ -897,7 +898,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
'description': uuid.uuid4().hex}
self.assignment_api.create_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
# self.assignment_api.create_project adds an enabled
# key with a value of True when LDAPIdentityEnabledEmulation
@ -907,12 +908,12 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
project['description'] = uuid.uuid4().hex
self.assignment_api.update_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
project_ref = self.assignment_api.get_project(project['id'])
self.assertDictEqual(project_ref, project)
self.assignment_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
project['id'])
def test_user_crud(self):

24
keystone/tests/test_backend_sql.py
View File

@ -158,8 +158,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user,
@ -191,10 +191,10 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
tenant['id'],
tenant)
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
tenant['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project_by_name,
self.assignment_api.get_project_by_name,
tenant['name'],
DEFAULT_DOMAIN_ID)
@ -202,11 +202,11 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
role = {'id': uuid.uuid4().hex,
'name': None}
self.assertRaises(exception.Conflict,
self.identity_api.create_role,
self.assignment_api.create_role,
role['id'],
role)
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.assignment_api.get_role,
role['id'])
def test_delete_project_with_user_association(self):
@ -215,8 +215,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'passwd'}
self.identity_api.create_user('fake', user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.assignment_api.delete_project(self.tenant_bar['id'])
tenants = self.assignment_api.list_projects_for_user(user['id'])
self.assertEqual(tenants, [])
@ -231,8 +231,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_user(user['id'], user)
role = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.create_role(role['id'], role)
self.assignment_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
role['id'])
@ -255,8 +255,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests):
self.identity_api.create_user(user['id'], user)
role = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.create_role(role['id'], role)
self.assignment_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
role['id'])

4
keystone/tests/test_content_types.py
View File

@ -73,7 +73,7 @@ class RestfulTestCase(tests.TestCase):
# TODO(termie): add an admin user to the fixtures and use that user
# override the fixtures, for now
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_admin['id'])
@ -412,7 +412,7 @@ class CoreApiTests(object):
expected_status=404)
def test_validate_token_service_role(self):
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_service['id'],
self.role_service['id'])

10
keystone/tests/test_keystoneclient.py
View File

@ -42,7 +42,7 @@ class CompatTestCase(tests.TestCase):
# TODO(termie): add an admin user to the fixtures and use that user
# override the fixtures, for now
self.metadata_foobar = self.identity_api.add_role_to_user_and_project(
self.md_foobar = self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'],
self.tenant_bar['id'],
self.role_admin['id'])
@ -927,8 +927,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
'domain_id': DEFAULT_DOMAIN_ID}
self.assignment_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id'])
self.assignment_api.add_user_to_project(tenant_id,
self.user_foo['id'])
tenants = client.tenants.list()
self.assertEqual(len(tenants), 3)
@ -954,8 +954,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests):
tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id,
'domain_id': DEFAULT_DOMAIN_ID}
self.assignment_api.create_project(tenant_id, tenant)
self.identity_api.add_user_to_project(tenant_id,
self.user_foo['id'])
self.assignment_api.add_user_to_project(tenant_id,
self.user_foo['id'])
tenants = client.tenants.list()
self.assertEqual(len(tenants), 3)

10
keystone/tests/test_v3.py
View File

@ -100,7 +100,7 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
self.domain_id = uuid.uuid4().hex
self.domain = self.new_domain_ref()
self.domain['id'] = self.domain_id
self.identity_api.create_domain(self.domain_id, self.domain)
self.assignment_api.create_domain(self.domain_id, self.domain)
self.project_id = uuid.uuid4().hex
self.project = self.new_project_ref(
@ -132,13 +132,13 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
self.role = self.new_role_ref()
self.role['id'] = self.role_id
self.role['name'] = 'admin'
self.identity_api.create_role(self.role_id, self.role)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.create_role(self.role_id, self.role)
self.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, self.role_id)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.default_domain_project_id,
self.role_id)
self.identity_api.add_role_to_user_and_project(
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.project_id,
self.role_id)

126
keystone/tests/test_v3_auth.py
View File

@ -372,7 +372,7 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
super(TestTokenRevokeSelfAndAdmin, self).setUp()
self.domainA = self.new_domain_ref()
self.identity_api.create_domain(self.domainA['id'], self.domainA)
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
self.userAdminA = self.new_user_ref(domain_id=self.domainA['id'])
self.userAdminA['password'] = uuid.uuid4().hex
@ -385,11 +385,11 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
self.role1 = self.new_role_ref()
self.role1['name'] = 'admin'
self.identity_api.create_role(self.role1['id'], self.role1)
self.assignment_api.create_role(self.role1['id'], self.role1)
self.identity_api.create_grant(self.role1['id'],
user_id=self.userAdminA['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.userAdminA['id'],
domain_id=self.domainA['id'])
# Finally, switch to the v3 sample policy file
self.orig_policy_file = CONF.policy_file
@ -503,9 +503,9 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
# Start by creating a couple of domains and projects
self.domainA = self.new_domain_ref()
self.identity_api.create_domain(self.domainA['id'], self.domainA)
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = self.new_domain_ref()
self.identity_api.create_domain(self.domainB['id'], self.domainB)
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
self.projectA = self.new_project_ref(domain_id=self.domainA['id'])
self.assignment_api.create_project(self.projectA['id'], self.projectA)
self.projectB = self.new_project_ref(domain_id=self.domainA['id'])
@ -547,25 +547,25 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
self.group2['id'])
self.role1 = self.new_role_ref()
self.identity_api.create_role(self.role1['id'], self.role1)
self.assignment_api.create_role(self.role1['id'], self.role1)
self.role2 = self.new_role_ref()
self.identity_api.create_role(self.role2['id'], self.role2)
self.assignment_api.create_role(self.role2['id'], self.role2)
self.identity_api.create_grant(self.role2['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user1['id'],
project_id=self.projectA['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user2['id'],
project_id=self.projectA['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user3['id'],
project_id=self.projectA['id'])
self.identity_api.create_grant(self.role1['id'],
group_id=self.group1['id'],
project_id=self.projectA['id'])
self.assignment_api.create_grant(self.role2['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user1['id'],
project_id=self.projectA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user2['id'],
project_id=self.projectA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user3['id'],
project_id=self.projectA['id'])
self.assignment_api.create_grant(self.role1['id'],
group_id=self.group1['id'],
project_id=self.projectA['id'])
def test_unscoped_token_remains_valid_after_role_assignment(self):
r = self.post(
@ -592,7 +592,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
# create a new role
role = self.new_role_ref()
self.identity_api.create_role(role['id'], role)
self.assignment_api.create_role(role['id'], role)
# assign a new role
self.put(
@ -685,18 +685,18 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
self.identity_api.create_user(self.user6['id'], self.user6)
self.identity_api.add_user_to_group(self.user5['id'],
self.group1['id'])
self.identity_api.create_grant(self.role1['id'],
group_id=self.group1['id'],
project_id=self.projectB['id'])
self.identity_api.create_grant(self.role2['id'],
user_id=self.user4['id'],
project_id=self.projectC['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user6['id'],
project_id=self.projectA['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user6['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role1['id'],
group_id=self.group1['id'],
project_id=self.projectB['id'])
self.assignment_api.create_grant(self.role2['id'],
user_id=self.user4['id'],
project_id=self.projectC['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user6['id'],
project_id=self.projectA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user6['id'],
domain_id=self.domainA['id'])
# Now we are ready to start issuing requests
auth_data = self.build_authentication_request(
@ -1306,7 +1306,7 @@ class TestAuthJSON(test_v3.RestfulTestCase):
"""
domainA = self.new_domain_ref()
self.identity_api.create_domain(domainA['id'], domainA)
self.assignment_api.create_domain(domainA['id'], domainA)
projectA = self.new_project_ref(domain_id=domainA['id'])
self.assignment_api.create_project(projectA['id'], projectA)
@ -1337,33 +1337,33 @@ class TestAuthJSON(test_v3.RestfulTestCase):
role_list = []
for _ in range(8):
role = self.new_role_ref()
self.identity_api.create_role(role['id'], role)
self.assignment_api.create_role(role['id'], role)
role_list.append(role)
self.identity_api.create_grant(role_list[0]['id'],
user_id=user1['id'],
domain_id=domainA['id'])
self.identity_api.create_grant(role_list[1]['id'],
user_id=user1['id'],
project_id=projectA['id'])
self.identity_api.create_grant(role_list[2]['id'],
user_id=user2['id'],
domain_id=domainA['id'])
self.identity_api.create_grant(role_list[3]['id'],
user_id=user2['id'],
project_id=projectA['id'])
self.identity_api.create_grant(role_list[4]['id'],
group_id=group1['id'],
domain_id=domainA['id'])
self.identity_api.create_grant(role_list[5]['id'],
group_id=group1['id'],
project_id=projectA['id'])
self.identity_api.create_grant(role_list[6]['id'],
group_id=group2['id'],
domain_id=domainA['id'])
self.identity_api.create_grant(role_list[7]['id'],
group_id=group2['id'],
project_id=projectA['id'])
self.assignment_api.create_grant(role_list[0]['id'],
user_id=user1['id'],
domain_id=domainA['id'])
self.assignment_api.create_grant(role_list[1]['id'],
user_id=user1['id'],
project_id=projectA['id'])
self.assignment_api.create_grant(role_list[2]['id'],
user_id=user2['id'],
domain_id=domainA['id'])
self.assignment_api.create_grant(role_list[3]['id'],
user_id=user2['id'],
project_id=projectA['id'])
self.assignment_api.create_grant(role_list[4]['id'],
group_id=group1['id'],
domain_id=domainA['id'])
self.assignment_api.create_grant(role_list[5]['id'],
group_id=group1['id'],
project_id=projectA['id'])
self.assignment_api.create_grant(role_list[6]['id'],
group_id=group2['id'],
domain_id=domainA['id'])
self.assignment_api.create_grant(role_list[7]['id'],
group_id=group2['id'],
project_id=projectA['id'])
# First, get a project scoped token - which should
# contain the direct user role and the one by virtue

24
keystone/tests/test_v3_identity.py
View File

@ -156,7 +156,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
# Create a 2nd set of entities in a 2nd domain
self.domain2 = self.new_domain_ref()
self.identity_api.create_domain(self.domain2['id'], self.domain2)
self.assignment_api.create_domain(self.domain2['id'], self.domain2)
self.project2 = self.new_project_ref(
domain_id=self.domain2['id'])
@ -167,8 +167,8 @@ class IdentityTestCase(test_v3.RestfulTestCase):
project_id=self.project2['id'])
self.identity_api.create_user(self.user2['id'], self.user2)
self.identity_api.add_user_to_project(self.project2['id'],
self.user2['id'])
self.assignment_api.add_user_to_project(self.project2['id'],
self.user2['id'])
# First check a user in that domain can authenticate, via
# Both v2 and v3
@ -254,7 +254,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# Create a 2nd set of entities in a 2nd domain
self.domain2 = self.new_domain_ref()
self.identity_api.create_domain(self.domain2['id'], self.domain2)
self.assignment_api.create_domain(self.domain2['id'], self.domain2)
self.project2 = self.new_project_ref(
domain_id=self.domain2['id'])
@ -290,7 +290,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.identity_api.get_domain,
self.domain2['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.get_project,
self.assignment_api.get_project,
self.project2['id'])
self.assertRaises(exception.GroupNotFound,
self.identity_api.get_group,
@ -305,7 +305,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# ...and that all self.domain entities are still here
r = self.identity_api.get_domain(self.domain['id'])
self.assertDictEqual(r, self.domain)
r = self.identity_api.get_project(self.project['id'])
r = self.assignment_api.get_project(self.project['id'])
self.assertDictEqual(r, self.project)
r = self.identity_api.get_group(self.group['id'])
self.assertDictEqual(r, self.group)
@ -1015,9 +1015,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
domain_id=self.domain['id'])
self.assignment_api.create_project(self.project1['id'], self.project1)
self.role1 = self.new_role_ref()
self.identity_api.create_role(self.role1['id'], self.role1)
self.assignment_api.create_role(self.role1['id'], self.role1)
self.role2 = self.new_role_ref()
self.identity_api.create_role(self.role2['id'], self.role2)
self.assignment_api.create_role(self.role2['id'], self.role2)
# Now add one of each of the four types of assignment
@ -1203,7 +1203,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
role_list.append(role)
domain = self.new_domain_ref()
self.identity_api.create_domain(domain['id'], domain)
self.assignment_api.create_domain(domain['id'], domain)
user1 = self.new_user_ref(
domain_id=domain['id'])
user1['password'] = uuid.uuid4().hex
@ -1295,7 +1295,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
role_list.append(role)
domain = self.new_domain_ref()
self.identity_api.create_domain(domain['id'], domain)
self.assignment_api.create_domain(domain['id'], domain)
user1 = self.new_user_ref(
domain_id=domain['id'])
user1['password'] = uuid.uuid4().hex
@ -1388,7 +1388,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
role_list.append(role)
domain = self.new_domain_ref()
self.identity_api.create_domain(domain['id'], domain)
self.assignment_api.create_domain(domain['id'], domain)
user1 = self.new_user_ref(
domain_id=domain['id'])
user1['password'] = uuid.uuid4().hex
@ -1491,7 +1491,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
role_list.append(role)
domain = self.new_domain_ref()
self.identity_api.create_domain(domain['id'], domain)
self.assignment_api.create_domain(domain['id'], domain)
user1 = self.new_user_ref(
domain_id=domain['id'])
user1['password'] = uuid.uuid4().hex

6
keystone/tests/test_v3_oauth1.py
View File

@ -507,9 +507,9 @@ class MaliciousOAuth1Tests(OAuth1Tests):
credentials = urlparse.parse_qs(content.result)
request_key = credentials.get('oauth_token')[0]
self.identity_api.remove_role_from_user_and_project(self.user_id,
self.project_id,
self.role_id)
self.assignment_api.remove_role_from_user_and_project(self.user_id,
self.project_id,
self.role_id)
url = self._authorize_request_token(request_key)
body = {'roles': [{'id': self.role_id}]}
self.admin_request(path=url, method='PUT',

34
keystone/tests/test_v3_protection.py
View File

@ -55,12 +55,12 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
super(IdentityTestProtectedCase, self).setUp(load_sample_data=False)
# Start by creating a couple of domains
self.domainA = self.new_domain_ref()
self.identity_api.create_domain(self.domainA['id'], self.domainA)
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = self.new_domain_ref()
self.identity_api.create_domain(self.domainB['id'], self.domainB)
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
self.domainC = self.new_domain_ref()
self.domainC['enabled'] = False
self.identity_api.create_domain(self.domainC['id'], self.domainC)
self.assignment_api.create_domain(self.domainC['id'], self.domainC)
# Now create some users, one in domainA and two of them in domainB
self.user1 = self.new_user_ref(domain_id=self.domainA['id'])
@ -85,18 +85,18 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
self.identity_api.create_group(self.group3['id'], self.group3)
self.role = self.new_role_ref()
self.identity_api.create_role(self.role['id'], self.role)
self.assignment_api.create_role(self.role['id'], self.role)
self.role1 = self.new_role_ref()
self.identity_api.create_role(self.role1['id'], self.role1)
self.identity_api.create_grant(self.role['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
self.identity_api.create_grant(self.role['id'],
user_id=self.user2['id'],
domain_id=self.domainA['id'])
self.identity_api.create_grant(self.role1['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_role(self.role1['id'], self.role1)
self.assignment_api.create_grant(self.role['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role['id'],
user_id=self.user2['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role1['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
# Initialize the policy engine and allow us to write to a temp
# file in each test to create the policies
@ -411,9 +411,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
load_sample_data=False)
# Start by creating a couple of domains
self.domainA = self.new_domain_ref()
self.identity_api.create_domain(self.domainA['id'], self.domainA)
self.assignment_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = self.new_domain_ref()
self.identity_api.create_domain(self.domainB['id'], self.domainB)
self.assignment_api.create_domain(self.domainB['id'], self.domainB)
self.admin_domain = {'id': 'admin_domain_id', 'name': 'Admin_domain'}
self.assignment_api.create_domain(self.admin_domain['id'],
self.admin_domain)
@ -442,7 +442,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self.admin_role = {'id': uuid.uuid4().hex, 'name': 'admin'}
self.assignment_api.create_role(self.admin_role['id'], self.admin_role)
self.role = self.new_role_ref()
self.identity_api.create_role(self.role['id'], self.role)
self.assignment_api.create_role(self.role['id'], self.role)
# The cloud admin just gets the admin role
self.assignment_api.create_grant(self.admin_role['id'],

8
keystone/token/controllers.py
View File

@ -120,7 +120,7 @@ class Auth(controller.V2Controller):
roles_ref = []
for role_id in metadata_ref.get('roles', []):
role_ref = self.identity_api.get_role(role_id)
role_ref = self.assignment_api.get_role(role_id)
roles_ref.append(dict(name=role_ref['name']))
(token_id, token_data) = self.token_provider_api.issue_v2_token(
@ -331,7 +331,7 @@ class Auth(controller.V2Controller):
if tenant_name:
try:
tenant_ref = self.identity_api.get_project_by_name(
tenant_ref = self.assignment_api.get_project_by_name(
tenant_name, DEFAULT_DOMAIN_ID)
tenant_id = tenant_ref['id']
except exception.ProjectNotFound as e:
@ -364,8 +364,8 @@ class Auth(controller.V2Controller):
role_list = []
if tenant_id:
try:
tenant_ref = self.identity_api.get_project(tenant_id)
role_list = self.identity_api.get_roles_for_user_and_project(
tenant_ref = self.assignment_api.get_project(tenant_id)
role_list = self.assignment_api.get_roles_for_user_and_project(
user_id, tenant_id)
except exception.ProjectNotFound:
pass

21
keystone/token/providers/uuid.py
View File

@ -36,7 +36,7 @@ CONF = config.CONF
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
@dependency.requires('catalog_api', 'identity_api')
@dependency.requires('assignment_api', 'catalog_api', 'identity_api')
class V2TokenDataHelper(object):
"""Creates V2 token data."""
@classmethod
@ -132,7 +132,7 @@ class V2TokenDataHelper(object):
return services.values()
@dependency.requires('catalog_api', 'identity_api')
@dependency.requires('assignment_api', 'catalog_api', 'identity_api')
class V3TokenDataHelper(object):
"""Token data helper."""
def __init__(self):
@ -144,7 +144,7 @@ class V3TokenDataHelper(object):
return {'id': domain_ref['id'], 'name': domain_ref['name']}
def _get_filtered_project(self, project_id):
project_ref = self.identity_api.get_project(project_id)
project_ref = self.assignment_api.get_project(project_id)
filtered_project = {
'id': project_ref['id'],
'name': project_ref['name']}
@ -165,12 +165,12 @@ class V3TokenDataHelper(object):
def _get_roles_for_user(self, user_id, domain_id, project_id):
roles = []
if domain_id:
roles = self.identity_api.get_roles_for_user_and_domain(
roles = self.assignment_api.get_roles_for_user_and_domain(
user_id, domain_id)
if project_id:
roles = self.identity_api.get_roles_for_user_and_project(
roles = self.assignment_api.get_roles_for_user_and_project(
user_id, project_id)
return [self.identity_api.get_role(role_id) for role_id in roles]
return [self.assignment_api.get_role(role_id) for role_id in roles]
def _populate_user(self, token_data, user_id, domain_id, project_id,
trust):
@ -215,7 +215,7 @@ class V3TokenDataHelper(object):
if access_token:
filtered_roles = []
authed_role_ids = json.loads(access_token['role_ids'])
all_roles = self.identity_api.list_roles()
all_roles = self.assignment_api.list_roles()
for role in all_roles:
for authed_role in authed_role_ids:
if authed_role == role['id']:
@ -329,7 +329,8 @@ class V3TokenDataHelper(object):
@dependency.optional('oauth_api')
@dependency.requires('token_api', 'identity_api', 'catalog_api')
@dependency.requires('assignment_api', 'catalog_api', 'identity_api',
'token_api')
class Provider(token.provider.Provider):
def __init__(self, *args, **kwargs):
super(Provider, self).__init__(*args, **kwargs)
@ -507,7 +508,7 @@ class Provider(token.provider.Provider):
trust_ref['trustor_user_id'])
if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
project_ref = self.identity_api.get_project(
project_ref = self.assignment_api.get_project(
trust_ref['project_id'])
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
@ -535,7 +536,7 @@ class Provider(token.provider.Provider):
metadata_ref = token_ref['metadata']
roles_ref = []
for role_id in metadata_ref.get('roles', []):
roles_ref.append(self.identity_api.get_role(role_id))
roles_ref.append(self.assignment_api.get_role(role_id))
# Get a service catalog if possible
# This is needed for on-behalf-of requests

20
keystone/trust/controllers.py
View File

@ -46,7 +46,8 @@ def _admin_trustor_only(context, trust, user_id):
raise exception.Forbidden()
@dependency.requires('identity_api', 'trust_api', 'token_api')
@dependency.requires('assignment_api', 'identity_api', 'trust_api',
'token_api')
class TrustV3(controller.V3Controller):
collection_name = "trusts"
member_name = "trust"
@ -86,7 +87,7 @@ class TrustV3(controller.V3Controller):
user_id != trust['trustee_user_id']):
raise exception.Forbidden()
self._fill_in_roles(context, trust,
self.identity_api.list_roles())
self.assignment_api.list_roles())
return TrustV3.wrap_member(context, trust)
def _fill_in_roles(self, context, trust, global_roles):
@ -154,15 +155,16 @@ class TrustV3(controller.V3Controller):
trustee_ref = self.identity_api.get_user(trust['trustee_user_id'])
if not trustee_ref:
raise exception.UserNotFound(user_id=trust['trustee_user_id'])
global_roles = self.identity_api.list_roles()
global_roles = self.assignment_api.list_roles()
clean_roles = self._clean_role_list(context, trust, global_roles)
if trust.get('project_id'):
user_roles = self.identity_api.get_roles_for_user_and_project(
user_id, trust['project_id'])
user_role = self.assignment_api.get_roles_for_user_and_project(
user_id,
trust['project_id'])
else:
user_roles = []
user_role = []
for trust_role in clean_roles:
matching_roles = [x for x in user_roles
matching_roles = [x for x in user_role
if x == trust_role['id']]
if not matching_roles:
raise exception.RoleNotFound(role_id=trust_role['id'])
@ -203,7 +205,7 @@ class TrustV3(controller.V3Controller):
if user_id != calling_user_id:
raise exception.Forbidden()
trusts += self.trust_api.list_trusts_for_trustee(user_id)
global_roles = self.identity_api.list_roles()
global_roles = self.assignment_api.list_roles()
for trust in trusts:
self._fill_in_roles(context, trust, global_roles)
return TrustV3.wrap_collection(context, trusts)
@ -256,7 +258,7 @@ class TrustV3(controller.V3Controller):
if x['id'] == role_id]
if not matching_roles:
raise exception.RoleNotFound(role_id=role_id)
global_roles = self.identity_api.list_roles()
global_roles = self.assignment_api.list_roles()
matching_roles = [x for x in global_roles
if x['id'] == role_id]
if matching_roles: