Identity: Add support for inherited_to for role_assignments

Change-Id: I977fba4a49d8bd779fc14851ab4145cebb66d46c

openstack/cloud/_identity.py

@@ -10,10 +10,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import warnings
+
 from openstack.cloud import _utils
 from openstack import exceptions
 from openstack.identity.v3._proxy import Proxy
 from openstack import utils
+from openstack import warnings as os_warnings
 
 
 class IdentityCloudMixin:
@@ -1119,7 +1122,15 @@ class IdentityCloudMixin:
                     # proxy
                     filters['scope.' + k + '.id'] = filters[k]
                 del filters[k]
-        if 'os_inherit_extension_inherited_to' in filters:
+        if 'inherited_to' in filters:
+            filters['scope.OS-INHERIT:inherited_to'] = filters['inherited_to']
+            del filters['inherited_to']
+        elif 'os_inherit_extension_inherited_to' in filters:
+            warnings.warn(
+                "os_inherit_extension_inherited_to is deprecated. Use "
+                "inherited_to instead.",
+                os_warnings.OpenStackDeprecationWarning,
+            )
             filters['scope.OS-INHERIT:inherited_to'] = filters[
                 'os_inherit_extension_inherited_to'
             ]
@@ -1138,15 +1149,17 @@ class IdentityCloudMixin:
             * 'domain' (string) - Domain ID to be used as query filter.
             * 'system' (string) - System name to be used as query filter.
             * 'role' (string) - Role ID to be used as query filter.
-            * 'os_inherit_extension_inherited_to' (string) - Return inherited
-              role assignments for either 'projects' or 'domains'
+            * 'inherited_to' (string) - Return inherited
+              role assignments for either 'projects' or 'domains'.
+            * 'os_inherit_extension_inherited_to' (string) - Deprecated; use
+              'inherited_to' instead.
             * 'effective' (boolean) - Return effective role assignments.
             * 'include_subtree' (boolean) - Include subtree
 
               'user' and 'group' are mutually exclusive, as are 'domain' and
               'project'.
 
-        :returns: A list of indentity
+        :returns: A list of identity
             :class:`openstack.identity.v3.role_assignment.RoleAssignment`
             objects
         :raises: :class:`~openstack.exceptions.SDKException` if something goes
@@ -1182,6 +1195,16 @@ class IdentityCloudMixin:
             system_scope = filters.pop('system')
             filters['scope.system'] = system_scope
 
+        if 'os_inherit_extension_inherited_to' in filters:
+            warnings.warn(
+                "os_inherit_extension_inherited_to is deprecated. Use "
+                "inherited_to instead.",
+                os_warnings.OpenStackDeprecationWarning,
+            )
+            filters['inherited_to'] = filters.pop(
+                'os_inherit_extension_inherited_to'
+            )
+
         return list(self.identity.role_assignments(**filters))
 
     @_utils.valid_kwargs('domain_id')

openstack/identity/v3/_proxy.py

@@ -1225,7 +1225,7 @@ class Proxy(proxy.Proxy):
         :param kwargs query: Optional query parameters to be sent to limit
             the resources being returned. The options
             are: group_id, role_id, scope_domain_id,
-            scope_project_id, user_id, include_names,
+            scope_project_id, inherited_to, user_id, include_names,
             include_subtree.
         :return:
             :class:`~openstack.identity.v3.role_assignment.RoleAssignment`

openstack/identity/v3/role_assignment.py

@@ -36,6 +36,7 @@ class RoleAssignment(resource.Resource):
         scope_project_id='scope.project.id',
         scope_domain_id='scope.domain.id',
         scope_system='scope.system',
+        inherited_to='scope.OS-INHERIT:inherited_to',
     )
 
     # Properties
@@ -43,7 +44,7 @@ class RoleAssignment(resource.Resource):
     links = resource.Body('links')
     #: The role (dictionary contains only id) *Type: dict*
     role = resource.Body('role', type=dict)
-    #: The scope (either domain or group dictionary contains id) *Type: dict*
+    #: The scope (either domain or project; dictionary contains only id) *Type: dict*
     scope = resource.Body('scope', type=dict)
     #: The user (dictionary contains only id) *Type: dict*
     user = resource.Body('user', type=dict)

openstack/tests/unit/identity/v3/test_role_assignment.py

@@ -32,6 +32,24 @@ class TestRoleAssignment(base.TestCase):
         self.assertEqual('/role_assignments', sot.base_path)
         self.assertTrue(sot.allow_list)
 
+        self.assertDictEqual(
+            {
+                'group_id': 'group.id',
+                'role_id': 'role.id',
+                'scope_domain_id': 'scope.domain.id',
+                'scope_project_id': 'scope.project.id',
+                'scope_system': 'scope.system',
+                'user_id': 'user.id',
+                'effective': 'effective',
+                'inherited_to': 'scope.OS-INHERIT:inherited_to',
+                'include_names': 'include_names',
+                'include_subtree': 'include_subtree',
+                'limit': 'limit',
+                'marker': 'marker',
+            },
+            sot._query_mapping._mapping,
+        )
+
     def test_make_it(self):
         sot = role_assignment.RoleAssignment(**EXAMPLE)
         self.assertEqual(EXAMPLE['id'], sot.id)

releasenotes/notes/identity-cloud-mixin-inherited-role-assignments-8fe9ac9509d99f4d.yaml

@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Add support for ``inherited_to`` filter for listing identity role
+    assignments in the cloud layer. This allows filtering by whether role
+    grants are inheritable to sub-projects.
+deprecations:
+  - |
+    Deprecate ``os-inherit-extension-inherited-to`` in favor of
+    ``inherited_to`` filter for listing identity role_assignments in the cloud
+    layer.