openstack/python-keystoneclient
Code Issues Proposed changes

Merge "Inherited role domain calls on keystoneclient v3"

Browse Source
This commit is contained in:
Jenkins
2015-04-18 18:37:40 +00:00
committed by Gerrit Code Review
parent 81ff5a277a 57b0fe2c8f
commit 08fd4b1cd7
3 changed files with 194 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
keystoneclient/base.py
View File

@@ -305,6 +305,8 @@ class CrudManager(Manager):
If a `base_url` is provided, the generated URL will be appended to it.
If a 'tail' is provided, it will be appended to the end of the URL.
"""
if dict_args_in_out is None:
dict_args_in_out = {}
@@ -317,6 +319,9 @@ class CrudManager(Manager):
if entity_id is not None:
url += '/%s' % entity_id
if dict_args_in_out.get('tail'):
url += dict_args_in_out['tail']
return url
@filter_kwargs

122
keystoneclient/tests/unit/v3/test_roles.py
View File

@@ -17,6 +17,7 @@ import uuid
from keystoneclient import exceptions
from keystoneclient.tests.unit.v3 import utils
from keystoneclient.v3 import roles
from testtools import matchers
class RoleTests(utils.TestCase, utils.CrudTests):
@@ -44,6 +45,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, user=user_id)
def test_domain_role_grant_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('PUT',
['OS-INHERIT', 'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=201)
self.manager.grant(role=ref['id'], domain=domain_id, user=user_id,
os_inherit_extension_inherited=True)
def test_domain_group_role_grant(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -56,6 +71,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_group_role_grant_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('PUT',
['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=201)
self.manager.grant(role=ref['id'], domain=domain_id, group=group_id,
os_inherit_extension_inherited=True)
def test_domain_role_list(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -67,6 +96,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, user=user_id)
def test_domain_role_list_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref_list = [self.new_ref(), self.new_ref()]
self.stub_entity('GET',
['OS-INHERIT',
'domains', domain_id, 'users', user_id,
self.collection_key, 'inherited_to_projects'],
entity=ref_list)
returned_list = self.manager.list(domain=domain_id, user=user_id,
os_inherit_extension_inherited=True)
self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
[self.assertIsInstance(r, self.model) for r in returned_list]
def test_domain_group_role_list(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -78,6 +124,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, group=group_id)
def test_domain_group_role_list_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref_list = [self.new_ref(), self.new_ref()]
self.stub_entity('GET',
['OS-INHERIT',
'domains', domain_id, 'groups', group_id,
self.collection_key, 'inherited_to_projects'],
entity=ref_list)
returned_list = self.manager.list(domain=domain_id, group=group_id,
os_inherit_extension_inherited=True)
self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
[self.assertIsInstance(r, self.model) for r in returned_list]
def test_domain_role_check(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -91,6 +154,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id,
user=user_id)
def test_domain_role_check_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('HEAD',
['OS-INHERIT',
'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.check(role=ref['id'], domain=domain_id,
user=user_id, os_inherit_extension_inherited=True)
def test_domain_group_role_check(self):
return
group_id = uuid.uuid4().hex
@@ -104,6 +182,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_group_role_check_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('HEAD',
['OS-INHERIT',
'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.check(role=ref['id'], domain=domain_id,
group=group_id, os_inherit_extension_inherited=True)
def test_domain_role_revoke(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -128,6 +221,35 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id)
def test_domain_role_revoke_inherited(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('DELETE',
['OS-INHERIT', 'domains', domain_id, 'users', user_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=204)
self.manager.revoke(role=ref['id'], domain=domain_id,
user=user_id, os_inherit_extension_inherited=True)
def test_domain_group_role_revoke_inherited(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
ref = self.new_ref()
self.stub_url('DELETE',
['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
self.collection_key, ref['id'],
'inherited_to_projects'],
status_code=200)
self.manager.revoke(role=ref['id'], domain=domain_id,
group=group_id,
os_inherit_extension_inherited=True)
def test_project_role_grant(self):
user_id = uuid.uuid4().hex
project_id = uuid.uuid4().hex

86
keystoneclient/v3/roles.py
View File

@@ -37,7 +37,8 @@ class RoleManager(base.CrudManager):
collection_key = 'roles'
key = 'role'
def _role_grants_base_url(self, user, group, domain, project):
def _role_grants_base_url(self, user, group, domain, project,
use_inherit_extension):
# When called, we have already checked that only one of user & group
# and one of domain & project have been specified
params = {}
@@ -49,6 +50,9 @@ class RoleManager(base.CrudManager):
params['domain_id'] = base.getid(domain)
base_url = '/domains/%(domain_id)s'
if use_inherit_extension:
base_url = '/OS-INHERIT' + base_url
if user:
params['user_id'] = base.getid(user)
base_url += '/users/%(user_id)s'
@@ -85,7 +89,8 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN)
def list(self, user=None, group=None, domain=None, project=None, **kwargs):
def list(self, user=None, group=None, domain=None,
project=None, os_inherit_extension_inherited=False, **kwargs):
"""Lists roles and role grants.
If no arguments are provided, all roles in the system will be
@@ -95,16 +100,22 @@ class RoleManager(base.CrudManager):
domain or project to list role grants on that pair. And if
``**kwargs`` are provided, then also filter roles with
attributes matching ``**kwargs``.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
if user or group:
self._require_user_xor_group(user, group)
self._require_domain_xor_project(domain, project)
return super(RoleManager, self).list(
base_url=self._role_grants_base_url(user, group,
domain, project),
**kwargs)
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).list(base_url=base_url,
**kwargs)
return super(RoleManager, self).list(**kwargs)
@@ -120,31 +131,68 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN)
def grant(self, role, user=None, group=None, domain=None, project=None):
"""Grants a role to a user or group on a domain or project."""
def grant(self, role, user=None, group=None, domain=None, project=None,
os_inherit_extension_inherited=False, **kwargs):
"""Grants a role to a user or group on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
return super(RoleManager, self).put(
base_url=self._role_grants_base_url(user, group, domain, project),
role_id=base.getid(role))
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).put(base_url=base_url,
role_id=base.getid(role),
**kwargs)
@utils.positional(enforcement=utils.positional.WARN)
def check(self, role, user=None, group=None, domain=None, project=None):
"""Checks if a user or group has a role on a domain or project."""
def check(self, role, user=None, group=None, domain=None, project=None,
os_inherit_extension_inherited=False, **kwargs):
"""Checks if a user or group has a role on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).head(
base_url=self._role_grants_base_url(user, group, domain, project),
role_id=base.getid(role))
base_url=base_url,
role_id=base.getid(role),
os_inherit_extension_inherited=os_inherit_extension_inherited,
**kwargs)
@utils.positional(enforcement=utils.positional.WARN)
def revoke(self, role, user=None, group=None, domain=None, project=None):
"""Revokes a role from a user or group on a domain or project."""
def revoke(self, role, user=None, group=None, domain=None, project=None,
os_inherit_extension_inherited=False, **kwargs):
"""Revokes a role from a user or group on a domain or project.
If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
used. It provides the ability for projects to inherit role assignments
from their domains or from projects in the hierarchy.
"""
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
if os_inherit_extension_inherited:
kwargs['tail'] = '/inherited_to_projects'
base_url = self._role_grants_base_url(
user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).delete(
base_url=self._role_grants_base_url(user, group, domain, project),
role_id=base.getid(role))
base_url=base_url,
role_id=base.getid(role),
os_inherit_extension_inherited=os_inherit_extension_inherited,
**kwargs)