
This commit adds the necessary bits to be able to use system role assignments from python-keystoneclient. bp system-scope Change-Id: Iecbcbf020a15f2bec777334c648d4477f89f3b2c
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneclient import base
from keystoneclient import exceptions
from keystoneclient.i18n import _
class RoleAssignment(base.Resource):
    """A single Identity role assignment.

    Attributes:
        * role: object carrying the uuid of the assigned role
        * user or group: object carrying the uuid of the user or of the
          group that holds the role (one or the other)
        * scope: object holding either a project or a domain object, each
          of which carries a uuid
    """
class RoleAssignmentManager(base.CrudManager):
    """Manager for querying Identity role assignments.

    Only ``list`` is implemented here. ``create``, ``update``, ``get``,
    ``find``, ``put`` and ``delete`` all raise ``MethodNotImplemented``.
    """

    resource_class = RoleAssignment
    collection_key = 'role_assignments'
    key = 'role_assignment'

    def _check_not_user_and_group(self, user, group):
        """Raise ``ValidationError`` when both actor filters are set."""
        if not (user and group):
            return
        raise exceptions.ValidationError(
            _('Specify either a user or group, not both'))

    def _check_not_domain_and_project(self, domain, project):
        """Raise ``ValidationError`` when both domain and project are set."""
        if not (domain and project):
            return
        raise exceptions.ValidationError(
            _('Specify either a domain or project, not both'))

    def _check_not_system_and_domain(self, system, domain):
        """Raise ``ValidationError`` when both system and domain are set."""
        if not (system and domain):
            return
        raise exceptions.ValidationError(
            _('Specify either system or domain, not both'))

    def _check_not_system_and_project(self, system, project):
        """Raise ``ValidationError`` when both system and project are set."""
        if not (system and project):
            return
        raise exceptions.ValidationError(
            _('Specify either system or project, not both'))

    def _check_system_value(self, system):
        """Raise ``ValidationError`` for a truthy system other than 'all'.

        Falsy values (including the default ``False``) pass, and mean that
        no system filter is requested.
        """
        if not system or system == 'all':
            return
        raise exceptions.ValidationError(
            _("Only a system scope of 'all' is currently supported"))

    def list(self, user=None, group=None, project=None, domain=None,
             system=False, role=None, effective=False,
             os_inherit_extension_inherited_to=None, include_subtree=False,
             include_names=False):
        """List role assignments.

        With no arguments the query carries no filter, so all role
        assignments in the system will be listed.

        The scope filters are mutually exclusive: at most one of
        ``project``, ``domain`` and ``system`` may be given, and ``user``
        and ``group`` may not be combined. A ValidationError is raised
        before any request is made if these rules are broken. These checks
        only reject contradictory filters; nothing in this method limits
        what the caller is allowed to see.

        Any argument whose value is falsy is left out of the query.

        :param user: User to be used as query filter. (optional)
        :param group: Group to be used as query filter. (optional)
        :param project: Project to be used as query filter. (optional)
        :param domain: Domain to be used as query filter. (optional)
        :param system: Filter on system assignments. The only accepted
                       truthy value is the string ``'all'``; any other
                       truthy value (``True`` included) raises a
                       ValidationError. (optional)
        :param role: Role to be used as query filter. (optional)
        :param boolean effective: return effective role
                                  assignments. (optional)
        :param string os_inherit_extension_inherited_to:
            return inherited role assignments for either 'projects' or
            'domains'. The value is forwarded as given and is not checked
            here. (optional)
        :param boolean include_subtree: Include subtree (optional)
        :param boolean include_names: Display names instead
                                      of IDs. (optional)
        :raises keystoneclient.exceptions.ValidationError: on conflicting
            filters or an unsupported ``system`` value.
        """
        # Reject contradictory filter combinations before building the query.
        self._check_not_user_and_group(user, group)
        self._check_not_domain_and_project(domain, project)
        self._check_not_system_and_domain(system, domain)
        self._check_not_system_and_project(system, project)
        self._check_system_value(system)

        # (query key, caller value, resolve through base.getid?) in the
        # order the keys are added to the query.
        filters = (
            ('user.id', user, True),
            ('group.id', group, True),
            ('scope.project.id', project, True),
            ('scope.domain.id', domain, True),
            ('scope.system', system, False),
            ('role.id', role, True),
            ('effective', effective, False),
            ('include_names', include_names, False),
            ('scope.OS-INHERIT:inherited_to',
             os_inherit_extension_inherited_to, False),
            ('include_subtree', include_subtree, False),
        )

        query_params = {}
        for name, value, is_reference in filters:
            if not value:
                continue
            query_params[name] = base.getid(value) if is_reference else value

        return super(RoleAssignmentManager, self).list(**query_params)

    def create(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Create not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)

    def update(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Update not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)

    def get(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Get not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)

    def find(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Find not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)

    def put(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Put not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)

    def delete(self, **kwargs):
        """Unsupported; always raises ``MethodNotImplemented``."""
        msg = _('Delete not supported for role assignments')
        raise exceptions.MethodNotImplemented(msg)