keystone.resource.core module¶
Main entry point into the Resource service.
-
class
keystone.resource.core.DomainConfigManager[source]¶ Bases:
keystone.common.manager.ManagerDefault pivot point for the Domain Config backend.
-
create_config(domain_id, config)[source]¶ Create config for a domain.
- Parameters
domain_id – the domain in question
config – the dict of config groups/options to assign to the domain
Creates a new config, overwriting any previous config (no Conflict error will be generated).
- Returns
a dict of group dicts containing the options, with any that are sensitive removed
- Raises
keystone.exception.InvalidDomainConfig – when the config contains options we do not support
-
delete_config(domain_id, group=None, option=None)[source]¶ Delete config, or partial config, for the domain.
- Parameters
domain_id – the domain in question
group – an optional specific group of options
option – an optional specific option within the group
If group and option are None, then the entire config for the domain is deleted. If group is not None, then just that group of options will be deleted. If group and option are both specified, then just that option is deleted.
- Raises
keystone.exception.InvalidDomainConfig – when group/option parameters specify an option we do not support or one that does not exist in the original config.
-
driver_namespace= 'keystone.resource.domain_config'¶
-
get_config(domain_id, group=None, option=None)[source]¶ Get config, or partial config, for a domain.
- Parameters
domain_id – the domain in question
group – an optional specific group of options
option – an optional specific option within the group
- Returns
a dict of group dicts containing the whitelisted options, filtered by group and option specified
- Raises
keystone.exception.DomainConfigNotFound – when no config found that matches domain_id, group and option specified
keystone.exception.InvalidDomainConfig – when the config and group/option parameters specify an option we do not support
An example response:
{ 'ldap': { 'url': 'myurl' 'user_tree_dn': 'OU=myou'}, 'identity': { 'driver': 'ldap'} }
-
get_config_default(group=None, option=None)[source]¶ Get default config, or partial default config.
- Parameters
group – an optional specific group of options
option – an optional specific option within the group
- Returns
a dict of group dicts containing the default options, filtered by group and option if specified
- Raises
keystone.exception.InvalidDomainConfig – when the config and group/option parameters specify an option we do not support (or one that is not whitelisted).
An example response:
{ 'ldap': { 'url': 'myurl', 'user_tree_dn': 'OU=myou', ....}, 'identity': { 'driver': 'ldap'} }
-
get_config_with_sensitive_info(domain_id)[source]¶ Get config for a domain with sensitive info included.
This method is not exposed via the public API, but is used by the identity manager to initialize a domain with the fully formed config options.
-
get_security_compliance_config(domain_id, group, option=None)[source]¶ Get full or partial security compliance config from configuration.
- Parameters
domain_id – the domain in question
group – a specific group of options
option – an optional specific option within the group
- Returns
a dict of group dicts containing the whitelisted options, filtered by group and option specified
- Raises
keystone.exception.InvalidDomainConfig – when the config and group/option parameters specify an option we do not support
An example response:
{ 'security_compliance': { 'password_regex': '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$' 'password_regex_description': 'A password must consist of at least 1 letter, ' '1 digit, and have a minimum length of 7 characters' } }
-
sensitive_options= {'identity': [], 'ldap': ['password']}¶
-
update_config(domain_id, config, group=None, option=None)[source]¶ Update config, or partial config, for a domain.
- Parameters
domain_id – the domain in question
config – the config dict containing and groups/options being updated
group – an optional specific group of options, which if specified must appear in config, with no other groups
option – an optional specific option within the group, which if specified must appear in config, with no other options
The contents of the supplied config will be merged with the existing config for this domain, updating or creating new options if these did not previously exist. If group or option is specified, then the update will be limited to those specified items and the inclusion of other options in the supplied config will raise an exception, as will the situation when those options do not already exist in the current config.
- Returns
a dict of groups containing all whitelisted options
- Raises
keystone.exception.InvalidDomainConfig – when the config and group/option parameters specify an option we do not support or one that does not exist in the original config
-
whitelisted_options= {'identity': ['driver', 'list_limit'], 'ldap': ['url', 'user', 'suffix', 'query_scope', 'page_size', 'alias_dereferencing', 'debug_level', 'chase_referrals', 'user_tree_dn', 'user_filter', 'user_objectclass', 'user_id_attribute', 'user_name_attribute', 'user_mail_attribute', 'user_description_attribute', 'user_pass_attribute', 'user_enabled_attribute', 'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default', 'user_attribute_ignore', 'user_default_project_id_attribute', 'user_enabled_emulation', 'user_enabled_emulation_dn', 'user_enabled_emulation_use_group_config', 'user_additional_attribute_mapping', 'group_tree_dn', 'group_filter', 'group_objectclass', 'group_id_attribute', 'group_name_attribute', 'group_members_are_ids', 'group_member_attribute', 'group_desc_attribute', 'group_attribute_ignore', 'group_additional_attribute_mapping', 'tls_cacertfile', 'tls_cacertdir', 'use_tls', 'tls_req_cert', 'use_pool', 'pool_size', 'pool_retry_max', 'pool_retry_delay', 'pool_connection_timeout', 'pool_connection_lifetime', 'use_auth_pool', 'auth_pool_size', 'auth_pool_connection_lifetime']}¶
-
-
class
keystone.resource.core.Manager[source]¶ Bases:
keystone.common.manager.ManagerDefault pivot point for the Resource backend.
See
keystone.common.manager.Managerfor more details on how this dynamically calls the backend.-
assert_domain_enabled(domain_id, domain=None)[source]¶ Assert the Domain is enabled.
- Raises
AssertionError – if domain is disabled.
-
assert_domain_not_federated(domain_id, domain)[source]¶ Assert the Domain’s name and id do not match the reserved keyword.
Note that the reserved keyword is defined in the configuration file, by default, it is ‘Federated’, it is also case insensitive. If config’s option is empty the default hardcoded value ‘Federated’ will be used.
- Raises
AssertionError – if domain named match the value in the config.
-
assert_project_enabled(project_id, project=None)[source]¶ Assert the project is enabled and its associated domain is enabled.
- Raises
AssertionError – if the project or domain is disabled.
-
create_project_tag(project_id, tag, initiator=None)[source]¶ Create a new tag on project.
- Parameters
project_id – ID of a project to create a tag for
tag – The string value of a tag to add
- Returns
The value of the created tag
-
delete_project(project_id, initiator=None, cascade=False)[source]¶ Delete one project or a subtree.
- Parameters
cascade (boolean) – If true, the specified project and all its sub-projects are deleted. Otherwise, only the specified project is deleted.
- Raises
keystone.exception.ValidationError – if project is a domain
keystone.exception.Forbidden – if project is not a leaf
-
delete_project_tag(project_id, tag)[source]¶ Delete single tag from project.
- Parameters
project_id – The ID of the project
tag – The tag value to delete
- Raises
keystone.exception.ProjectTagNotFound – If the tag name does not exist on the project
-
driver_namespace= 'keystone.resource'¶
-
get_project_parents_as_ids(project)[source]¶ Get the IDs from the parents from a given project.
The project IDs are returned as a structured dictionary traversing up the hierarchy to the top level project. For example, considering the following project hierarchy:
A | +-B-+ | | C D
If we query for project C parents, the expected return is the following dictionary:
'parents': { B['id']: { A['id']: None } }
-
get_project_tag(project_id, tag_name)[source]¶ Return information for a single tag on a project.
- Parameters
project_id – ID of a project to retrive a tag from
tag_name – Name of a tag to return
- Raises
keystone.exception.ProjectTagNotFound – If the tag name does not exist on the project
- Returns
The tag value
-
get_projects_in_subtree_as_ids(project_id)[source]¶ Get the IDs from the projects in the subtree from a given project.
The project IDs are returned as a structured dictionary representing their hierarchy. For example, considering the following project hierarchy:
A | +-B-+ | | C D
If we query for project A subtree, the expected return is the following dictionary:
'subtree': { B['id']: { C['id']: None, D['id']: None } }
-
list_domains_from_ids(domain_ids)[source]¶ List domains for the provided list of ids.
- Parameters
domain_ids – list of ids
- Returns
a list of domain_refs.
This method is used internally by the assignment manager to bulk read a set of domains given their ids.
List all tags on project.
- Parameters
project_id – The ID of a project
- Returns
A list of tags from a project
Update all tags on a project.
- Parameters
project_id – The ID of the project to update
tags – A list of tags to update on the project
- Returns
A list of tags
-
