keystone.assignment.controllers module¶

Workflow Logic the Assignment service.

class keystone.assignment.controllers.GrantAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Grant Assignment APIs.

check_grant(request, *args, **kwargs)[source]¶

Check if a role has been granted on either a domain or project.

check_system_grant_for_group(request, *args, **kwargs)[source]¶

Check if a group has a specific role on the system.

Parameters:	request – the request object role_id – the ID of the role to check group_id – the ID of the group to check

check_system_grant_for_user(request, *args, **kwargs)[source]¶

Check if a user has a specific role on the system.

Parameters:	request – the request object role_id – the ID of the role to check user_id – the ID of the user to check

collection_name = 'roles'¶

create_grant(request, *args, **kwargs)[source]¶

Grant a role to a user or group on either a domain or project.

create_system_grant_for_group(request, *args, **kwargs)[source]¶

Grant a role to a group on the system.

Parameters:	request – the request object role_id – the ID of the role to grant to the group group_id – the ID of the group

create_system_grant_for_user(request, *args, **kwargs)[source]¶

Grant a role to a user on the system.

Parameters:	request – the request object role_id – the ID of the role to grant to the user user_id – the ID of the user

list_grants(request, *args, **kwargs)[source]¶

List roles granted to user/group on either a domain or project.

list_system_grants_for_group(request, *args, **kwargs)[source]¶

List all system grants for a specific group.

Parameters:	request – the request object group_id – ID of the group
Returns:	a list of grants the group has on the system

list_system_grants_for_user(request, *args, **kwargs)[source]¶

List all system grants for a specific user.

Parameters:	request – the request object user_id – ID of the user
Returns:	a list of grants the user has on the system

member_name = 'role'¶

revoke_grant(request, *args, **kwargs)[source]¶

Revoke a role from user/group on either a domain or project.

revoke_system_grant_for_group(request, *args, **kwargs)[source]¶

Revoke a role from the group on the system.

Parameters:	request – the request object role_id – the ID of the role to remove user_id – the ID of the user

revoke_system_grant_for_user(request, *args, **kwargs)[source]¶

Revoke a role from user on the system.

Parameters:	request – the request object role_id – the ID of the role to remove user_id – the ID of the user

class keystone.assignment.controllers.ImpliedRolesV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 ImpliedRoles CRD APIs. There is no Update.

check_implied_role(request, *args, **kwargs)[source]¶

create_implied_role(request, *args, **kwargs)[source]¶

delete_implied_role(request, *args, **kwargs)[source]¶

get_implied_role(request, *args, **kwargs)[source]¶

list_implied_roles(request, *args, **kwargs)[source]¶

list_role_inference_rules(request, *args, **kwargs)[source]¶

class keystone.assignment.controllers.ProjectAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Project APIs that are processing assignments.

collection_name = 'projects'¶

list_user_projects(request, **kwargs)[source]¶

member_name = 'project'¶

class keystone.assignment.controllers.RoleAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Role Assignment APIs, really just list_role_assignment().

collection_name = 'role_assignments'¶

list_role_assignments(request, **kwargs)[source]¶

list_role_assignments_for_tree(request, **kwargs)[source]¶

list_role_assignments_wrapper(request)[source]¶

Main entry point from router for list role assignments.

Since we want different policy file rules to be applicable based on whether there the include_subtree query parameter is part of the API call, this method checks for this and then calls the appropriate protected entry point.

member_name = 'role_assignment'¶

classmethod wrap_member(context, ref)[source]¶

class keystone.assignment.controllers.RoleV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Role CRUD APIs.

To ease complexity (and hence risk) in writing the policy rules for the role APIs, we create separate policy actions for roles that are domain specific, as opposed to those that are global. In order to achieve this each of the role API methods has a wrapper method that checks to see if the role is global or domain specific.

NOTE (henry-nash): If this separate global vs scoped policy action pattern becomes repeated for other entities, we should consider encapsulating this into a specialized router class.

classmethod build_driver_hints(request, supported_filters)[source]¶

Build list hints based on the context query string.

Parameters:	request – the current request supported_filters – list of filters supported, so ignore any keys in query_dict that are not in this list.

collection_name = 'roles'¶

create_domain_role(request, *args, **kwargs)[source]¶

create_role(request, *args, **kwargs)[source]¶

create_role_wrapper(request, role)[source]¶

delete_domain_role(request, *args, **kwargs)[source]¶

delete_role(request, *args, **kwargs)[source]¶

delete_role_wrapper(request, role_id)[source]¶

get_domain_role(request, *args, **kwargs)[source]¶

get_role(request, *args, **kwargs)[source]¶

get_role_wrapper(request, role_id)[source]¶

list_domain_roles(request, **kwargs)[source]¶

list_roles(request, **kwargs)[source]¶

list_roles_wrapper(request)[source]¶

member_name = 'role'¶

update_domain_role(request, *args, **kwargs)[source]¶

update_role(request, *args, **kwargs)[source]¶

update_role_wrapper(request, role_id, role)[source]¶