Merge "Inherited role domain calls on keystoneclient v3"

Jenkins
2015-04-18 18:37:40 +00:00
committed by Gerrit Code Review
3 changed files with 194 additions and 19 deletions


@@ -305,6 +305,8 @@ class CrudManager(Manager):
If a `base_url` is provided, the generated URL will be appended to it. If a `base_url` is provided, the generated URL will be appended to it.
If a 'tail' is provided, it will be appended to the end of the URL.
""" """
if dict_args_in_out is None: if dict_args_in_out is None:
dict_args_in_out = {} dict_args_in_out = {}
@@ -317,6 +319,9 @@ class CrudManager(Manager):
if entity_id is not None: if entity_id is not None:
url += '/%s' % entity_id url += '/%s' % entity_id
if dict_args_in_out.get('tail'):
url += dict_args_in_out['tail']
return url return url
@filter_kwargs @filter_kwargs
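Review bot: The new `tail` handling in `build_url` reads the key with `.get()` and leaves it in `dict_args_in_out`, and it appends the value to the URL unchanged. If the callers go on to build a query string or request body from what remains in that dict (they are outside this hunk, so this is inferred from the in/out naming), `tail` will travel with the request a second time; consuming it avoids that: `tail = dict_args_in_out.pop('tail', None)` followed by `if tail: url += tail`. Because the value becomes part of the request path, the docstring should also say that `tail` is a fixed suffix supplied by the manager, not caller input. The body of `build_url` starts and continues outside the hunk.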


@@ -17,6 +17,7 @@ import uuid
from keystoneclient import exceptions from keystoneclient import exceptions
from keystoneclient.tests.unit.v3 import utils from keystoneclient.tests.unit.v3 import utils
from keystoneclient.v3 import roles from keystoneclient.v3 import roles
from testtools import matchers
class RoleTests(utils.TestCase, utils.CrudTests): class RoleTests(utils.TestCase, utils.CrudTests):
@@ -44,6 +45,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, user=user_id) self.manager.grant(role=ref['id'], domain=domain_id, user=user_id)
def test_domain_role_grant_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('PUT',
['OS-INHERIT', 'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=201)
self.manager.grant(role=ref['id'], domain=domain_id, user=user_id,
os_inherit_extension_inherited=True)
def test_domain_group_role_grant(self): def test_domain_group_role_grant(self):
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex
@@ -56,6 +71,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, group=group_id) self.manager.grant(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_group_role_grant_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('PUT',
['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=201)
self.manager.grant(role=ref['id'], domain=domain_id, group=group_id,
os_inherit_extension_inherited=True)
def test_domain_role_list(self): def test_domain_role_list(self):
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex
@@ -67,6 +96,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, user=user_id) self.manager.list(domain=domain_id, user=user_id)
def test_domain_role_list_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref_list = [self.new_ref(), self.new_ref()]
self.stub_entity('GET',
['OS-INHERIT',
'domains', domain_id, 'users', user_id,
self.collection_key, 'inherited_to_projects'],
entity=ref_list)
returned_list = self.manager.list(domain=domain_id, user=user_id,
os_inherit_extension_inherited=True)
self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
[self.assertIsInstance(r, self.model) for r in returned_list]
def test_domain_group_role_list(self): def test_domain_group_role_list(self):
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex
@@ -78,6 +124,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, group=group_id) self.manager.list(domain=domain_id, group=group_id)
def test_domain_group_role_list_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref_list = [self.new_ref(), self.new_ref()]
self.stub_entity('GET',
['OS-INHERIT',
'domains', domain_id, 'groups', group_id,
self.collection_key, 'inherited_to_projects'],
entity=ref_list)
returned_list = self.manager.list(domain=domain_id, group=group_id,
os_inherit_extension_inherited=True)
self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
[self.assertIsInstance(r, self.model) for r in returned_list]
def test_domain_role_check(self): def test_domain_role_check(self):
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex
@@ -91,6 +154,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id, self.manager.check(role=ref['id'], domain=domain_id,
user=user_id) user=user_id)
def test_domain_role_check_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('HEAD',
['OS-INHERIT',
'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.check(role=ref['id'], domain=domain_id,
user=user_id, os_inherit_extension_inherited=True)
def test_domain_group_role_check(self): def test_domain_group_role_check(self):
return return
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
@@ -104,6 +182,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id, group=group_id) self.manager.check(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_group_role_check_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('HEAD',
['OS-INHERIT',
'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.check(role=ref['id'], domain=domain_id,
group=group_id, os_inherit_extension_inherited=True)
def test_domain_role_revoke(self): def test_domain_role_revoke(self):
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex
@@ -128,6 +221,35 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id) self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_role_revoke_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('DELETE',
['OS-INHERIT', 'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.revoke(role=ref['id'], domain=domain_id,
user=user_id, os_inherit_extension_inherited=True)
def test_domain_group_role_revoke_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('DELETE',
['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=200)
self.manager.revoke(role=ref['id'], domain=domain_id,
group=group_id,
os_inherit_extension_inherited=True)
def test_project_role_grant(self): def test_project_role_grant(self):
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
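Review bot: The two inherited list tests (`test_domain_role_list_inherited` and `test_domain_group_role_list_inherited`) check only that the returned list has the same length as `ref_list` and that each item is a model instance, so they would still pass if the wrong roles came back. Comparing ids would pin the result, with something like `self.assertEqual([r['id'] for r in ref_list], [r.id for r in returned_list])`, and the `[self.assertIsInstance(...) for r in returned_list]` comprehension reads better as a plain `for` loop. `test_domain_group_role_revoke_inherited` stubs DELETE with `status_code=200` while the user variant uses 204; if that is not deliberate, use 204 in both. All of the new tests are domain-scoped, so the flag combined with `project=` stays untested.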


@@ -37,7 +37,8 @@ class RoleManager(base.CrudManager):
collection_key = 'roles' collection_key = 'roles'
key = 'role' key = 'role'
def _role_grants_base_url(self, user, group, domain, project): def _role_grants_base_url(self, user, group, domain, project,
use_inherit_extension):
# When called, we have already checked that only one of user & group # When called, we have already checked that only one of user & group
# and one of domain & project have been specified # and one of domain & project have been specified
params = {} params = {}
@@ -49,6 +50,9 @@ class RoleManager(base.CrudManager):
params['domain_id'] = base.getid(domain) params['domain_id'] = base.getid(domain)
base_url = '/domains/%(domain_id)s' base_url = '/domains/%(domain_id)s'
if use_inherit_extension:
base_url = '/OS-INHERIT' + base_url
if user: if user:
params['user_id'] = base.getid(user) params['user_id'] = base.getid(user)
base_url += '/users/%(user_id)s' base_url += '/users/%(user_id)s'
@@ -85,7 +89,8 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role)) role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN) @utils.positional(enforcement=utils.positional.WARN)
def list(self, user=None, group=None, domain=None, project=None, **kwargs): def list(self, user=None, group=None, domain=None,
project=None, os_inherit_extension_inherited=False, **kwargs):
"""Lists roles and role grants. """Lists roles and role grants.
If no arguments are provided, all roles in the system will be If no arguments are provided, all roles in the system will be
@@ -95,15 +100,21 @@ class RoleManager(base.CrudManager):
domain or project to list role grants on that pair. And if domain or project to list role grants on that pair. And if
``**kwargs`` are provided, then also filter roles with ``**kwargs`` are provided, then also filter roles with
attributes matching ``**kwargs``. attributes matching ``**kwargs``.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
""" """
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
if user or group: if user or group:
self._require_user_xor_group(user, group) self._require_user_xor_group(user, group)
self._require_domain_xor_project(domain, project) self._require_domain_xor_project(domain, project)
return super(RoleManager, self).list( base_url = self._role_grants_base_url(
base_url=self._role_grants_base_url(user, group, user, group, domain, project, os_inherit_extension_inherited)
domain, project), return super(RoleManager, self).list(base_url=base_url,
**kwargs) **kwargs)
return super(RoleManager, self).list(**kwargs) return super(RoleManager, self).list(**kwargs)
@@ -120,31 +131,68 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role)) role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN) @utils.positional(enforcement=utils.positional.WARN)
def grant(self, role, user=None, group=None, domain=None, project=None): def grant(self, role, user=None, group=None, domain=None, project=None,
"""Grants a role to a user or group on a domain or project.""" os_inherit_extension_inherited=False, **kwargs):
"""Grants a role to a user or group on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project) self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group) self._require_user_xor_group(user, group)
return super(RoleManager, self).put( if os_inherit_extension_inherited:
base_url=self._role_grants_base_url(user, group, domain, project), kwargs['tail'] = '/inherited_to_projects'
role_id=base.getid(role))
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).put(base_url=base_url,
role_id=base.getid(role),
**kwargs)
@utils.positional(enforcement=utils.positional.WARN) @utils.positional(enforcement=utils.positional.WARN)
def check(self, role, user=None, group=None, domain=None, project=None): def check(self, role, user=None, group=None, domain=None, project=None,
"""Checks if a user or group has a role on a domain or project.""" os_inherit_extension_inherited=False, **kwargs):
"""Checks if a user or group has a role on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project) self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group) self._require_user_xor_group(user, group)
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).head( return super(RoleManager, self).head(
base_url=self._role_grants_base_url(user, group, domain, project), base_url=base_url,
role_id=base.getid(role)) role_id=base.getid(role),
os_inherit_extension_inherited=os_inherit_extension_inherited,
**kwargs)
@utils.positional(enforcement=utils.positional.WARN) @utils.positional(enforcement=utils.positional.WARN)
def revoke(self, role, user=None, group=None, domain=None, project=None): def revoke(self, role, user=None, group=None, domain=None, project=None,
"""Revokes a role from a user or group on a domain or project.""" os_inherit_extension_inherited=False, **kwargs):
"""Revokes a role from a user or group on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project) self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group) self._require_user_xor_group(user, group)
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).delete( return super(RoleManager, self).delete(
base_url=self._role_grants_base_url(user, group, domain, project), base_url=base_url,
role_id=base.getid(role)) role_id=base.getid(role),
os_inherit_extension_inherited=os_inherit_extension_inherited,
**kwargs)
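Review bot: `grant`, `check` and `revoke` now accept `**kwargs` and forward them to `put`/`head`/`delete`, so a caller can pass its own `tail=` and have it appended to the path of a role-assignment request even when `os_inherit_extension_inherited` is false. Since these calls change or test authorization state, I would keep the suffix under the manager's control: drop `**kwargs` from the three signatures and pass `tail='/inherited_to_projects' if os_inherit_extension_inherited else None` explicitly. `check` and `revoke` also forward `os_inherit_extension_inherited=...` to the parent call while `grant` and `list` do not; one form should be used throughout. In `list`, `kwargs['tail']` is set before the `if user or group:` test, so the flag without a user or group appears to reach the plain `super(RoleManager, self).list(**kwargs)` call with the suffix but without the `/OS-INHERIT` prefix (indentation is lost on this page, so confirm against the file).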