keystone.assignment package

Submodules

keystone.assignment.controllers module

Workflow logic for the Assignment service.

class keystone.assignment.controllers.DomainV3

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'
create_domain(context, *args, **kwargs)
delete_domain(context, *args, **kwargs)
get_domain(context, *args, **kwargs)
list_domains(context, **kwargs)
member_name = 'domain'
update_domain(context, *args, **kwargs)
class keystone.assignment.controllers.ProjectV3

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'
create_project(context, *args, **kwargs)
delete_project(context, *args, **kwargs)
get_project(context, *args, **kwargs)
list_projects(context, **kwargs)
list_user_projects(context, **kwargs)
member_name = 'project'
update_project(context, *args, **kwargs)
class keystone.assignment.controllers.Role(*args, **kwargs)

Bases: keystone.common.controller.V2Controller

add_role_to_user(context, user_id, role_id, tenant_id=None)

Add a role to a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

create_role(context, role)
create_role_ref(context, user_id, role)

This is actually used for adding a user to a tenant.

In the legacy data model adding a user to a tenant required setting a role.

delete_role(context, role_id)
delete_role_ref(context, user_id, role_ref_id)

This is actually used for deleting a user from a tenant.

In the legacy data model removing a user from a tenant required deleting a role.

To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.

get_role(context, role_id)
get_role_refs(context, user_id)

Ultimate hack to get around having to make role_refs first-class.

This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.

get_roles(context)
get_user_roles(context, user_id, tenant_id=None)

Get the roles for a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

remove_role_from_user(context, user_id, role_id, tenant_id=None)

Remove a role from a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

class keystone.assignment.controllers.RoleAssignmentV3(*args, **kwargs)

Bases: keystone.common.controller.V3Controller

collection_name = 'role_assignments'
delete_role_assignment(context, *args, **kwargs)
get_role_assignment(context, *args, **kwargs)
list_role_assignments(context, **kwargs)
member_name = 'role_assignment'
update_role_assignment(context, *args, **kwargs)
classmethod wrap_member(context, ref)
class keystone.assignment.controllers.RoleV3

Bases: keystone.common.controller.V3Controller

check_grant(context, *args, **kwargs)

Checks if a role has been granted on either a domain or project.

collection_name = 'roles'
create_grant(context, *args, **kwargs)

Grants a role to a user or group on either a domain or project.

create_role(context, *args, **kwargs)
delete_role(context, *args, **kwargs)
get_role(context, *args, **kwargs)
list_grants(context, *args, **kwargs)

Lists roles granted to user/group on either a domain or project.

list_roles(context, **kwargs)
member_name = 'role'
revoke_grant(context, *args, **kwargs)

Revokes a role from user/group on either a domain or project.

update_role(context, *args, **kwargs)
class keystone.assignment.controllers.Tenant(*args, **kwargs)

Bases: keystone.common.controller.V2Controller

create_project(context, tenant)
delete_project(context, tenant_id)
get_all_projects(context, **kw)

Gets a list of all tenants for an admin user.

get_project(context, tenant_id)
get_project_by_name(context, tenant_name)
get_project_users(context, tenant_id, **kw)
get_projects_for_token(context, **kw)

Get valid tenants for token based on token used to authenticate.

Pulls the token from the context, validates it and gets the valid tenants for the user in the token.

Doesn’t care about token scopedness.

update_project(context, tenant_id, tenant)

keystone.assignment.core module

Main entry point into the assignment service.

class keystone.assignment.core.Driver

Bases: object

add_role_to_user_and_project(user_id, tenant_id, role_id)

Add a role to a user within given tenant.

Raises: keystone.exception.UserNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound

create_domain(domain_id, domain)

Creates a new domain.

Raises: keystone.exception.Conflict

create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Creates a new assignment/grant.

If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).

Raises: keystone.exception.DomainNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound

create_project(project_id, project)

Creates a new project.

Raises: keystone.exception.Conflict

create_role(role_id, role)

Creates a new role.

Raises: keystone.exception.Conflict

delete_domain(domain_id)

Deletes an existing domain.

Raises: keystone.exception.DomainNotFound

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Deletes assignments/grants.

Raises: keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound

delete_group(group_id)

Deletes all assignments for a group.

Raises: keystone.exception.RoleNotFound

delete_project(project_id)

Deletes an existing project.

Raises: keystone.exception.ProjectNotFound

delete_role(role_id)

Deletes an existing role.

Raises: keystone.exception.RoleNotFound

delete_user(user_id)

Deletes all assignments for a user.

Raises: keystone.exception.RoleNotFound

get_domain(domain_id)

Get a domain by ID.

Returns: domain_ref
Raises: keystone.exception.DomainNotFound

get_domain_by_name(domain_name)

Get a domain by name.

Returns: domain_ref
Raises: keystone.exception.DomainNotFound

get_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Lists assignments/grants.

Raises: keystone.exception.UserNotFound, keystone.exception.GroupNotFound, keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound

get_project(project_id)

Get a project by ID.

Returns: project_ref
Raises: keystone.exception.ProjectNotFound

get_project_by_name(tenant_name, domain_id)

Get a tenant by name.

Returns: tenant_ref
Raises: keystone.exception.ProjectNotFound

get_role(role_id)

Get a role by ID.

Returns: role_ref
Raises: keystone.exception.RoleNotFound

get_roles_for_groups(group_ids, project_id=None, domain_id=None)

List all the roles assigned to groups on either domain or project.

If the project_id is not None, this value will be used, no matter what was specified in the domain_id.

Parameters:
  • group_ids – iterable with group ids
  • project_id – id of the project
  • domain_id – id of the domain
Raises: AttributeError: In case both project_id and domain_id are set to None
Returns: a list of Role entities matching groups and project_id or domain_id
list_domains(hints)

List domains in the system.

Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of domain_refs or an empty list.

list_domains_for_groups(group_ids)

List domains accessible to specified groups.

Parameters: group_ids – List of group ids.
Returns: List of domains accessible to specified groups.

list_grants(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Lists assignments/grants.

Raises: keystone.exception.UserNotFound, keystone.exception.GroupNotFound, keystone.exception.ProjectNotFound, keystone.exception.DomainNotFound, keystone.exception.RoleNotFound

list_projects(hints)

List projects in the system.

Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of project_refs or an empty list.

list_projects_for_groups(group_ids)

List projects accessible to specified groups.

Parameters: group_ids – List of group ids.
Returns: List of projects accessible to specified groups.

list_projects_for_user(user_id, group_ids, hints)

List all projects associated with a given user.

Parameters:
  • user_id – the user in question
  • group_ids – the groups this user is a member of. This list is built in the Manager, so that the driver itself does not have to call across to identity.
  • hints – filter hints which the driver should implement if at all possible.
Returns: a list of project_refs or an empty list.

list_projects_in_domain(domain_id)

List projects in the domain.

Parameters: domain_id – the driver MUST only return projects within this domain.
Returns: a list of project_refs or an empty list.

list_role_assignments()
list_roles(hints)

List roles in the system.

Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of role_refs or an empty list.

list_user_ids_for_project(tenant_id)

Lists all user IDs with a role assignment in the specified project.

Returns: a list of user_ids or an empty set.
Raises: keystone.exception.ProjectNotFound

remove_role_from_user_and_project(user_id, tenant_id, role_id)

Remove a role from a user within given tenant.

Raises: keystone.exception.UserNotFound, keystone.exception.ProjectNotFound, keystone.exception.RoleNotFound

update_domain(domain_id, domain)

Updates an existing domain.

Raises: keystone.exception.DomainNotFound, keystone.exception.Conflict

update_project(project_id, project)

Updates an existing project.

Raises: keystone.exception.ProjectNotFound, keystone.exception.Conflict

update_role(role_id, role)

Updates an existing role.

Raises: keystone.exception.RoleNotFound, keystone.exception.Conflict
keystone.assignment.core.EXPIRATION_TIME()
class keystone.assignment.core.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the Assignment backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend. assignment.Manager() and identity.Manager() have a circular dependency. The late import works around this. The if block prevents creation of the api object by both managers.

add_user_to_project(tenant_id, user_id)

Add user to a tenant by creating a default role relationship.

Raises: keystone.exception.ProjectNotFound, keystone.exception.UserNotFound

create_domain(*args, **kwargs)

Send a notification if the wrapped callable is successful.

create_project(*args, **kwargs)

Send a notification if the wrapped callable is successful.

create_role(*args, **kwargs)

Send a notification if the wrapped callable is successful.

delete_domain(*args, **kwargs)

Send a notification if the wrapped callable is successful.

delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)
delete_project(*args, **kwargs)

Send a notification if the wrapped callable is successful.

delete_role(*args, **kwargs)

Send a notification if the wrapped callable is successful.

get_domain(*arg, **kw)
get_domain_by_name(*arg, **kw)
get_project(*arg, **kw)
get_project_by_name(*arg, **kw)
get_role(*arg, **kw)
get_roles_for_user_and_domain(user_id, domain_id)

Get the roles associated with a user within given domain.

Returns: a list of role ids.
Raises: keystone.exception.UserNotFound, keystone.exception.DomainNotFound

get_roles_for_user_and_project(user_id, tenant_id)

Get the roles associated with a user within given project.

This includes roles directly assigned to the user on the project, as well as those by virtue of group membership. If the OS-INHERIT extension is enabled, then this will also include roles inherited from the domain.

Returns: a list of role ids.
Raises: keystone.exception.UserNotFound, keystone.exception.ProjectNotFound
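
The following is an added example, not Keystone's own code: it models the effective-role resolution described for get_roles_for_user_and_project (direct, group-derived, and domain-inherited roles) together with the project_id precedence documented for Driver.get_roles_for_groups, which is what an access review has to reproduce to explain why a user holds a role. The row layout, the `os_inherit` flag and the function names are assumptions made for this illustration.

```python
# Constructed assignment rows. The dict layout is an assumption for this
# example, not Keystone's storage schema.
ASSIGNMENTS = [
    {"user_id": "u1", "project_id": "p1", "role_id": "member"},
    {"group_id": "g1", "project_id": "p1", "role_id": "reader"},
    {"group_id": "g1", "domain_id": "d1", "role_id": "admin", "inherited": True},
    {"user_id": "u1", "domain_id": "d1", "role_id": "auditor"},   # domain-only grant
    {"group_id": "g2", "project_id": "p1", "role_id": "operator"},  # u1 is not in g2
]
PROJECT_DOMAIN = {"p1": "d1"}  # constructed map: project -> owning domain


def roles_for_groups(group_ids, project_id=None, domain_id=None, rows=ASSIGNMENTS):
    """Role ids granted to any of group_ids; project_id wins over domain_id."""
    if project_id is None and domain_id is None:
        raise AttributeError("either project_id or domain_id must be set")
    if project_id is not None:
        key, target = "project_id", project_id   # domain_id is ignored
    else:
        key, target = "domain_id", domain_id
    # Inheritance is not modelled in this helper, only the target precedence.
    return sorted({r["role_id"] for r in rows
                   if r.get("group_id") in group_ids and r.get(key) == target})


def effective_project_roles(user_id, group_ids, project_id,
                            os_inherit=False, rows=ASSIGNMENTS):
    """Union of direct, group-derived and (optionally) inherited role ids."""
    domain_id = PROJECT_DOMAIN[project_id]
    roles = set()
    for r in rows:
        is_actor = r.get("user_id") == user_id or r.get("group_id") in group_ids
        if not is_actor:
            continue
        if r.get("project_id") == project_id:
            roles.add(r["role_id"])              # direct or via group membership
        elif (os_inherit and r.get("domain_id") == domain_id
              and r.get("inherited")):
            roles.add(r["role_id"])              # inherited from the owning domain
    return sorted(roles)


if __name__ == "__main__":
    print(effective_project_roles("u1", ["g1"], "p1"))
    print(effective_project_roles("u1", ["g1"], "p1", os_inherit=True))
```

With inheritance enabled, the group's domain-level grant surfaces as a project role the user was never directly given, while the non-inherited domain grant stays out of the project's role list.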
list_domains(*args, **kwargs)
list_projects(*args, **kwargs)
list_projects_for_user(user_id, hints=None)
list_projects_in_domain(domain_id)
list_role_assignments_for_role(role_id=None)
list_roles(*args, **kwargs)
list_user_projects(user_id, hints=None)
remove_role_from_user_and_project(user_id, tenant_id, role_id)
remove_user_from_project(tenant_id, user_id)

Remove user from a tenant.

Raises: keystone.exception.ProjectNotFound, keystone.exception.UserNotFound

update_domain(*args, **kwargs)

Send a notification if the wrapped callable is successful.

update_project(*args, **kwargs)

Send a notification if the wrapped callable is successful.

update_role(*args, **kwargs)

Send a notification if the wrapped callable is successful.

keystone.assignment.core.calc_default_domain()

keystone.assignment.routers module

WSGI Routers for the Assignment service.

class keystone.assignment.routers.Admin(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)
class keystone.assignment.routers.Public(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)
keystone.assignment.routers.append_v3_routers(mapper, routers)

Module contents