Merge "Move audit initiator creation to request"

This commit is contained in:
Jenkins 2016-10-08 00:58:51 +00:00 committed by Gerrit Code Review
commit eb55c2c9f1
11 changed files with 165 additions and 152 deletions


@ -30,7 +30,6 @@ from keystone.common import wsgi
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone import notifications
CONF = keystone.conf.CONF
@ -106,15 +105,15 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
initiator = notifications._get_request_audit_info(request.context_dict)
role_ref = self.role_api.create_role(role_id, role, initiator)
role_ref = self.role_api.create_role(role_id,
role,
request.audit_initiator)
return {'role': role_ref}
@controller.v2_deprecated
def delete_role(self, request, role_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.role_api.delete_role(role_id, initiator)
self.role_api.delete_role(role_id, request.audit_initiator)
@controller.v2_deprecated
def get_roles(self, request):
@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def create_role(self, request, role):
validation.lazy_validate(schema.role_create, role)
return self._create_role(request.context_dict, role)
return self._create_role(request, role)
@controller.protected()
def create_domain_role(self, request, role):
validation.lazy_validate(schema.role_create, role)
return self._create_role(request.context_dict, role)
return self._create_role(request, role)
def list_roles_wrapper(self, request):
if request.params.get('domain_id'):
@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def get_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
return self._get_role(request, role_id)
@controller.protected()
def get_domain_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
return self._get_role(request, role_id)
def update_role_wrapper(self, context, role_id, role):
# Since we don't allow you change whether a role is global or domain
@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def update_role(self, request, role_id, role):
validation.lazy_validate(schema.role_update, role)
return self._update_role(request.context_dict, role_id, role)
return self._update_role(request, role_id, role)
@controller.protected()
def update_domain_role(self, request, role_id, role):
validation.lazy_validate(schema.role_update, role)
return self._update_role(request.context_dict, role_id, role)
return self._update_role(request, role_id, role)
def delete_role_wrapper(self, context, role_id):
if self._is_domain_role_target(role_id):
@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller):
@controller.protected()
def delete_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
return self._delete_role(request, role_id)
@controller.protected()
def delete_domain_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
return self._delete_role(request, role_id)
def _create_role(self, context, role):
def _create_role(self, request, role):
if role['name'] == CONF.member_role_name:
# Use the configured member role ID when creating the configured
# member role name. This avoids the potential of creating a
@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller):
role = self._assign_unique_id(role)
ref = self._normalize_dict(role)
initiator = notifications._get_request_audit_info(context)
ref = self.role_api.create_role(ref['id'], ref, initiator)
return RoleV3.wrap_member(context, ref)
ref = self.role_api.create_role(ref['id'],
ref,
request.audit_initiator)
return RoleV3.wrap_member(request.context_dict, ref)
def _list_roles(self, request, filters):
hints = RoleV3.build_driver_hints(request, filters)
refs = self.role_api.list_roles(hints=hints)
return RoleV3.wrap_collection(request.context_dict, refs, hints=hints)
def _get_role(self, context, role_id):
def _get_role(self, request, role_id):
ref = self.role_api.get_role(role_id)
return RoleV3.wrap_member(context, ref)
return RoleV3.wrap_member(request.context_dict, ref)
def _update_role(self, context, role_id, role):
def _update_role(self, request, role_id, role):
self._require_matching_id(role_id, role)
initiator = notifications._get_request_audit_info(context)
ref = self.role_api.update_role(role_id, role, initiator)
return RoleV3.wrap_member(context, ref)
ref = self.role_api.update_role(role_id, role, request.audit_initiator)
return RoleV3.wrap_member(request.context_dict, ref)
def _delete_role(self, context, role_id):
initiator = notifications._get_request_audit_info(context)
self.role_api.delete_role(role_id, initiator)
def _delete_role(self, request, role_id):
self.role_api.delete_role(role_id, request.audit_initiator)
@classmethod
def build_driver_hints(cls, request, supported_filters):


@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref,
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
request.context_dict, user_id, group_ids, identity_provider, protocol,
request, user_id, group_ids, identity_provider, protocol,
token_audit_id)
utils.assert_enabled_identity_provider(federation_api, identity_provider)
@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
request,
user_id, group_ids,
identity_provider,
protocol, token_id,
@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
request,
user_id, group_ids,
identity_provider,
protocol, token_id,


@ -50,8 +50,7 @@ class Service(controller.V2Controller):
@controller.v2_deprecated
def delete_service(self, request, service_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.catalog_api.delete_service(service_id, initiator)
self.catalog_api.delete_service(service_id, request.audit_initiator)
@controller.v2_deprecated
def create_service(self, request, OS_KSADM_service):
@ -60,9 +59,8 @@ class Service(controller.V2Controller):
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(request.context_dict)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
service_id, service_ref, request.audit_initiator)
return {'OS-KSADM:service': new_service_ref}
@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller):
if interface_url:
utils.check_endpoint_url(interface_url)
initiator = notifications._get_request_audit_info(request.context_dict)
if endpoint.get('region') is not None:
try:
self.catalog_api.get_region(endpoint['region'])
except exception.RegionNotFound:
region = dict(id=endpoint['region'])
self.catalog_api.create_region(region, initiator)
self.catalog_api.create_region(region, request.audit_initiator)
legacy_endpoint_ref = endpoint.copy()
@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller):
endpoint_ref['interface'] = interface
endpoint_ref['url'] = url
endpoint_ref['region_id'] = endpoint_ref.pop('region')
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref,
initiator)
self.catalog_api.create_endpoint(endpoint_ref['id'],
endpoint_ref,
request.audit_initiator)
legacy_endpoint_ref['id'] = legacy_endpoint_id
return {'endpoint': legacy_endpoint_ref}
@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller):
def delete_endpoint(self, request, endpoint_id):
"""Delete up to three v3 endpoint refs based on a legacy ref ID."""
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
deleted_at_least_one = False
for endpoint in self.catalog_api.list_endpoints():
if endpoint['legacy_endpoint_id'] == endpoint_id:
self.catalog_api.delete_endpoint(endpoint['id'], initiator)
self.catalog_api.delete_endpoint(endpoint['id'],
request.audit_initiator)
deleted_at_least_one = True
if not deleted_at_least_one:
@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller):
if not ref.get('id'):
ref = self._assign_unique_id(ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_region(ref, initiator)
ref = self.catalog_api.create_region(ref, request.audit_initiator)
return wsgi.render_response(
RegionV3.wrap_member(request.context_dict, ref),
status=(http_client.CREATED,
@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller):
def update_region(self, request, region_id, region):
validation.lazy_validate(schema.region_update, region)
self._require_matching_id(region_id, region)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_region(region_id, region, initiator)
ref = self.catalog_api.update_region(region_id,
region,
request.audit_initiator)
return RegionV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_region(self, request, region_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_region(region_id, initiator)
return self.catalog_api.delete_region(region_id,
request.audit_initiator)
@dependency.requires('catalog_api')
@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller):
def create_service(self, request, service):
validation.lazy_validate(schema.service_create, service)
ref = self._assign_unique_id(self._normalize_dict(service))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_service(ref['id'], ref, initiator)
ref = self.catalog_api.create_service(ref['id'],
ref,
request.audit_initiator)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type', 'name')
@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller):
def update_service(self, request, service_id, service):
validation.lazy_validate(schema.service_update, service)
self._require_matching_id(service_id, service)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_service(service_id, service, initiator)
ref = self.catalog_api.update_service(service_id,
service,
request.audit_initiator)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_service(self, request, service_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_service(service_id, initiator)
return self.catalog_api.delete_service(service_id,
request.audit_initiator)
@dependency.requires('catalog_api')
@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller):
ref = cls.filter_endpoint(ref)
return super(EndpointV3, cls).wrap_member(context, ref)
def _validate_endpoint_region(self, endpoint, context=None):
def _validate_endpoint_region(self, endpoint, request):
"""Ensure the region for the endpoint exists.
If 'region_id' is used to specify the region, then we will let the
@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller):
self.catalog_api.get_region(endpoint['region_id'])
except exception.RegionNotFound:
region = dict(id=endpoint['region_id'])
initiator = notifications._get_request_audit_info(context)
self.catalog_api.create_region(region, initiator)
self.catalog_api.create_region(region, request.audit_initiator)
return endpoint
@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller):
validation.lazy_validate(schema.endpoint_create, endpoint)
utils.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
ref = self._validate_endpoint_region(ref, request)
ref = self.catalog_api.create_endpoint(ref['id'],
ref,
request.audit_initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('interface', 'service_id', 'region_id')
@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller):
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(),
request.context_dict)
request)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
ref = self.catalog_api.update_endpoint(endpoint_id,
endpoint,
request.audit_initiator)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_endpoint(self, request, endpoint_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_endpoint(endpoint_id, initiator)
return self.catalog_api.delete_endpoint(endpoint_id,
request.audit_initiator)
@dependency.requires('catalog_api', 'resource_api')


@ -12,11 +12,15 @@
import logging
from pycadf import cadftaxonomy as taxonomy
from pycadf import host
from pycadf import resource
import webob
from webob.descriptors import environ_getter
from keystone.common import authorization
from keystone.common import context
from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.i18n import _, _LW
@ -90,6 +94,26 @@ class Request(webob.Request):
# auth_context didn't decode anything we can use
raise exception.Unauthorized()
@property
def audit_initiator(self):
"""A pyCADF initiator describing the current authenticated context."""
pycadf_host = host.Host(address=self.remote_addr,
agent=self.user_agent)
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
host=pycadf_host)
if self.context.user_id:
initiator.id = utils.resource_uuid(self.context.user_id)
initiator.user_id = self.context.user_id
if self.context.project_id:
initiator.project_id = self.context.project_id
if self.context.domain_id:
initiator.domain_id = self.context.domain_id
return initiator
auth_type = environ_getter('AUTH_TYPE', None)
remote_domain = environ_getter('REMOTE_DOMAIN', None)
context = environ_getter(context.REQUEST_CONTEXT_ENV, None)
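Review bot: `audit_initiator` dereferences `self.context.user_id` without checking that a context is present, yet `context` is declared just below as `environ_getter(context.REQUEST_CONTEXT_ENV, None)`, so a request that never passed through the middleware that sets that environ key would turn an audit call into an AttributeError on the first `if self.context.user_id:` line. Wrapping the three `self.context` checks in a single `if self.context is not None:` block keeps the initiator usable with only host information in that case. Note also that `address=self.remote_addr` records the direct TCP peer; if keystone is deployed behind a proxy or load balancer this is presumably the proxy's address rather than the client's, which is worth a comment such as `# remote_addr is the immediate peer; behind a proxy this is the proxy` so audit consumers know what the field means. The property also builds a fresh Resource on every access, so callers reading it twice (as the notification wrapper does) get two distinct objects; harmless, but a per-request cache would avoid it.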


@ -23,7 +23,6 @@ import keystone.conf
from keystone import exception
from keystone.i18n import _LW
from keystone.identity import schema
from keystone import notifications
CONF = keystone.conf.CONF
@ -77,9 +76,8 @@ class User(controller.V2Controller):
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(request, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
self.identity_api.create_user(user_ref, request.audit_initiator))
if default_project_id is not None:
self.assignment_api.add_user_to_project(default_project_id,
@ -113,9 +111,10 @@ class User(controller.V2Controller):
# user update.
self.resource_api.get_project(default_project_id)
initiator = notifications._get_request_audit_info(request.context_dict)
user_ref = self.v3_to_v2_user(
self.identity_api.update_user(user_id, user, initiator))
user_ref = self.identity_api.update_user(user_id,
user,
request.audit_initiator)
user_ref = self.v3_to_v2_user(user_ref)
# If 'tenantId' is in either ref, we might need to add or remove the
# user from a project.
@ -160,8 +159,7 @@ class User(controller.V2Controller):
@controller.v2_deprecated
def delete_user(self, request, user_id):
self.assert_admin(request)
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_user(user_id, initiator)
self.identity_api.delete_user(user_id, request.audit_initiator)
@controller.v2_deprecated
def set_user_enabled(self, request, user_id, user):
@ -213,8 +211,7 @@ class UserV3(controller.V3Controller):
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_user(ref, initiator)
ref = self.identity_api.create_user(ref, request.audit_initiator)
return UserV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'enabled', 'name')
@ -236,23 +233,25 @@ class UserV3(controller.V3Controller):
ref = self.identity_api.get_user(user_id)
return UserV3.wrap_member(request.context_dict, ref)
def _update_user(self, context, user_id, user):
def _update_user(self, request, user_id, user):
self._require_matching_id(user_id, user)
self._require_matching_domain_id(
user_id, user, self.identity_api.get_user)
initiator = notifications._get_request_audit_info(context)
ref = self.identity_api.update_user(user_id, user, initiator)
return UserV3.wrap_member(context, ref)
ref = self.identity_api.update_user(user_id,
user,
request.audit_initiator)
return UserV3.wrap_member(request.context_dict, ref)
@controller.protected()
def update_user(self, request, user_id, user):
validation.lazy_validate(schema.user_update, user)
return self._update_user(request.context_dict, user_id, user)
return self._update_user(request, user_id, user)
@controller.protected(callback=_check_user_and_group_protection)
def add_user_to_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.add_user_to_group(user_id, group_id, initiator)
self.identity_api.add_user_to_group(user_id,
group_id,
request.audit_initiator)
@controller.protected(callback=_check_user_and_group_protection)
def check_user_in_group(self, request, user_id, group_id):
@ -260,13 +259,13 @@ class UserV3(controller.V3Controller):
@controller.protected(callback=_check_user_and_group_protection)
def remove_user_from_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.remove_user_from_group(user_id, group_id, initiator)
self.identity_api.remove_user_from_group(user_id,
group_id,
request.audit_initiator)
@controller.protected()
def delete_user(self, request, user_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.identity_api.delete_user(user_id, initiator)
return self.identity_api.delete_user(user_id, request.audit_initiator)
@controller.protected()
def change_password(self, request, user_id, user):
@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller):
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(request, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_group(ref, initiator)
ref = self.identity_api.create_group(ref, request.audit_initiator)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'name')
@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller):
self._require_matching_id(group_id, group)
self._require_matching_domain_id(
group_id, group, self.identity_api.get_group)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.update_group(group_id, group, initiator)
ref = self.identity_api.update_group(group_id,
group,
request.audit_initiator)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_group(self, request, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_group(group_id, initiator)
self.identity_api.delete_group(group_id, request.audit_initiator)


@ -481,19 +481,18 @@ class CadfNotificationWrapper(object):
def __call__(self, f):
@functools.wraps(f)
def wrapper(wrapped_self, request, user_id, *args, **kwargs):
# Always send a notification.
initiator = _get_request_audit_info(request.context_dict, user_id)
"""Alway send a notification."""
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
try:
result = f(wrapped_self, request, user_id, *args, **kwargs)
except Exception:
# For authentication failure send a cadf event as well
_send_audit_notification(self.action, initiator,
_send_audit_notification(self.action, request.audit_initiator,
taxonomy.OUTCOME_FAILURE,
target, self.event_type)
raise
else:
_send_audit_notification(self.action, initiator,
_send_audit_notification(self.action, request.audit_initiator,
taxonomy.OUTCOME_SUCCESS,
target, self.event_type)
return result
@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object):
return wrapper
def send_saml_audit_notification(action, context, user_id, group_ids,
def send_saml_audit_notification(action, request, user_id, group_ids,
identity_provider, protocol, token_id,
outcome):
"""Send notification to inform observers about SAML events.
:param action: Action being audited
:type action: str
:param context: Current request context to collect request info from
:type context: dict
:param request: Current request to collect request info from
:type request: keystone.common.request.Request
:param user_id: User ID from Keystone token
:type user_id: str
:param group_ids: List of Group IDs from Keystone token
@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids,
:param outcome: One of :class:`pycadf.cadftaxonomy`
:type outcome: str
"""
initiator = _get_request_audit_info(context)
initiator = request.audit_initiator
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
audit_type = SAML_AUDIT_TYPE
user_id = user_id or taxonomy.UNKNOWN
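Review bot: In the first hunk, `wrapper` inside `CadfNotificationWrapper.__call__` now takes the initiator from `request.audit_initiator`, which is built from `request.context.user_id`, whereas the removed line passed the wrapper's own `user_id` argument to `_get_request_audit_info`; on the authenticate path this wrapper decorates, the request context may not yet carry the user being authenticated, so the failure and success events could lose the initiator's user_id that was previously recorded. Please confirm `_get_request_audit_info` did not use that argument, or pass `user_id` through explicitly. Separately, the comment `# Always send a notification.` became the docstring `"""Alway send a notification."""`, which `@functools.wraps(f)` overwrites with f's docstring, so it is both misspelled and invisible at runtime; keep it as the comment `# Always send a notification.`. The body of `__call__` continues past the end of this hunk.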


@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller):
def create_consumer(self, request, consumer):
validation.lazy_validate(schema.consumer_create, consumer)
ref = self._assign_unique_id(self._normalize_dict(consumer))
initiator = notifications._get_request_audit_info(request.context_dict)
consumer_ref = self.oauth_api.create_consumer(ref, initiator)
consumer_ref = self.oauth_api.create_consumer(ref,
request.audit_initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref)
@controller.protected()
@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller):
validation.lazy_validate(schema.consumer_update, consumer)
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
ref = self.oauth_api.update_consumer(consumer_id,
ref,
request.audit_initiator)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
@controller.protected()
@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller):
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(request.context_dict)
self.oauth_api.delete_consumer(consumer_id, initiator)
self.oauth_api.delete_consumer(consumer_id, request.audit_initiator)
@dependency.requires('oauth_api')
@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller):
consumer_id = access_token['consumer_id']
payload = {'user_id': user_id, 'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(request.context_dict)
return self.oauth_api.delete_access_token(
user_id, access_token_id, initiator)
return self.oauth_api.delete_access_token(user_id,
access_token_id,
request.audit_initiator)
@staticmethod
def _get_user_id(entity):
@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller):
# show the details of the failure.
oauth1.validate_oauth_params(b)
request_token_duration = CONF.oauth1.request_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_request_token(consumer_id,
requested_project_id,
request_token_duration,
initiator)
token_ref = self.oauth_api.create_request_token(
consumer_id,
requested_project_id,
request_token_duration,
request.audit_initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],
@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller):
raise exception.Unauthorized(message=msg)
access_token_duration = CONF.oauth1.access_token_duration
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_access_token(request_token_id,
access_token_duration,
initiator)
request.audit_initiator)
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
% {'key': token_ref['id'],


@ -15,7 +15,6 @@
from keystone.common import controller
from keystone.common import dependency
from keystone.common import validation
from keystone import notifications
from keystone.policy import schema
@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller):
def create_policy(self, request, policy):
validation.lazy_validate(schema.policy_create, policy)
ref = self._assign_unique_id(self._normalize_dict(policy))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
ref = self.policy_api.create_policy(ref['id'],
ref,
request.audit_initiator)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type')
@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller):
@controller.protected()
def update_policy(self, request, policy_id, policy):
validation.lazy_validate(schema.policy_update, policy)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.update_policy(policy_id, policy, initiator)
ref = self.policy_api.update_policy(policy_id,
policy,
request.audit_initiator)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_policy(self, request, policy_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.policy_api.delete_policy(policy_id, initiator)
return self.policy_api.delete_policy(policy_id,
request.audit_initiator)


@ -26,7 +26,6 @@ from keystone.common import wsgi
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.resource import schema
@ -94,11 +93,10 @@ class Tenant(controller.V2Controller):
self.resource_api.ensure_default_domain_exists()
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant = self.resource_api.create_project(
tenant_ref['id'],
self._normalize_domain_id(request, tenant_ref),
initiator)
request.audit_initiator)
return {'tenant': self.v3_to_v2_project(tenant)}
@controller.v2_deprecated
@ -107,17 +105,15 @@ class Tenant(controller.V2Controller):
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant_ref = self.resource_api.update_project(
tenant_id, tenant, initiator)
tenant_id, tenant, request.audit_initiator)
return {'tenant': self.v3_to_v2_project(tenant_ref)}
@controller.v2_deprecated
def delete_project(self, request, tenant_id):
self.assert_admin(request)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(request.context_dict)
self.resource_api.delete_project(tenant_id, initiator)
self.resource_api.delete_project(tenant_id, request.audit_initiator)
@dependency.requires('resource_api')
@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller):
def create_domain(self, request, domain):
validation.lazy_validate(schema.domain_create, domain)
ref = self._assign_unique_id(self._normalize_dict(domain))
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.create_domain(ref['id'], ref, initiator)
ref = self.resource_api.create_domain(ref['id'],
ref,
request.audit_initiator)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('enabled', 'name')
@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller):
def update_domain(self, request, domain_id, domain):
validation.lazy_validate(schema.domain_update, domain)
self._require_matching_id(domain_id, domain)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_domain(domain_id, domain, initiator)
ref = self.resource_api.update_domain(domain_id,
domain,
request.audit_initiator)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_domain(self, request, domain_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_domain(domain_id, initiator)
return self.resource_api.delete_domain(domain_id,
request.audit_initiator)
@dependency.requires('domain_config_api')
@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller):
if not ref.get('parent_id'):
ref['parent_id'] = ref.get('domain_id')
initiator = notifications._get_request_audit_info(request.context_dict)
try:
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
ref = self.resource_api.create_project(
ref['id'],
ref,
initiator=request.audit_initiator)
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
raise exception.ValidationError(e)
return ProjectV3.wrap_member(request.context_dict, ref)
@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller):
self._require_matching_id(project_id, project)
self._require_matching_domain_id(
project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_project(project_id, project,
initiator=initiator)
ref = self.resource_api.update_project(
project_id,
project,
initiator=request.audit_initiator)
return ProjectV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_project(self, request, project_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_project(project_id,
initiator=initiator)
return self.resource_api.delete_project(
project_id,
initiator=request.audit_initiator)


@ -1619,7 +1619,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
super(FederatedTokenTests, self).setUp()
self._notifications = []
def fake_saml_notify(action, context, user_id, group_ids,
def fake_saml_notify(action, request, user_id, group_ids,
identity_provider, protocol, token_id, outcome):
note = {
'action': action,


@ -24,7 +24,6 @@ from keystone.common import utils
from keystone.common import validation
from keystone import exception
from keystone.i18n import _
from keystone import notifications
from keystone.trust import schema
@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller):
trust['expires_at'] = self._parse_expiration_date(
trust.get('expires_at'))
trust_id = uuid.uuid4().hex
initiator = notifications._get_request_audit_info(request.context_dict)
new_trust = self.trust_api.create_trust(trust_id, trust,
normalized_roles,
redelegated_trust,
initiator)
request.audit_initiator)
self._fill_in_roles(request.context_dict, new_trust)
return TrustV3.wrap_member(request.context_dict, new_trust)
@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller):
not request.context.is_admin):
raise exception.Forbidden()
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
self.trust_api.delete_trust(trust_id, request.audit_initiator)
@controller.protected()
def list_roles_for_trust(self, request, trust_id):