authorJenkins <jenkins@review.openstack.org>2015-04-18 18:37:40 +0000
committerGerrit Code Review <review@openstack.org>2015-04-18 18:37:40 +0000
commit08fd4b1cd763fa7d529ce5d39e89bee8f619f70d (patch)
treeac1e16ad692fd7a49472d57f018c6fdf9a326259
parent81ff5a277a0ea5d1ff62ec3d522fbbe3060be4ab (diff)
parent57b0fe2c8f471c99de01aa59907fb50d5067da1f (diff)
downloadpython-keystoneclient-08fd4b1cd763fa7d529ce5d39e89bee8f619f70d.tar.gz
Merge "Inherited role domain calls on keystoneclient v3"1.4.0
-rw-r--r--keystoneclient/base.py5
-rw-r--r--keystoneclient/tests/unit/v3/test_roles.py122
-rw-r--r--keystoneclient/v3/roles.py86
3 files changed, 194 insertions, 19 deletions
diff --git a/keystoneclient/base.py b/keystoneclient/base.py
index 2af38b9..025362b 100644
--- a/keystoneclient/base.py
+++ b/keystoneclient/base.py
@@ -305,6 +305,8 @@ class CrudManager(Manager):
If a `base_url` is provided, the generated URL will be appended to it.
+ If a 'tail' is provided, it will be appended to the end of the URL.
+
"""
if dict_args_in_out is None:
dict_args_in_out = {}
@@ -317,6 +319,9 @@ class CrudManager(Manager):
if entity_id is not None:
url += '/%s' % entity_id
+ if dict_args_in_out.get('tail'):
+ url += dict_args_in_out['tail']
+
return url
@filter_kwargs
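Review bot: The new `tail` branch reads the key with `.get()` and leaves it in `dict_args_in_out`, and it appends the value to the URL verbatim. The parameter name suggests callers keep using what remains in the dict, so if `list()` turns the leftover entries into query filters (not visible in this hunk), the request would also carry a `tail=` query parameter. Consuming the key avoids that: `tail = dict_args_in_out.pop('tail', None)` followed by `if tail: url += tail`. Because `tail` shares a namespace with caller-supplied keyword arguments, a comment saying it is an internal path suffix that must start with `/` would help. The body of `build_url` starts above the hunk.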
diff --git a/keystoneclient/tests/unit/v3/test_roles.py b/keystoneclient/tests/unit/v3/test_roles.py
index 2a71bf3..79ac07d 100644
--- a/keystoneclient/tests/unit/v3/test_roles.py
+++ b/keystoneclient/tests/unit/v3/test_roles.py
@@ -17,6 +17,7 @@ import uuid
from keystoneclient import exceptions
from keystoneclient.tests.unit.v3 import utils
from keystoneclient.v3 import roles
+from testtools import matchers
class RoleTests(utils.TestCase, utils.CrudTests):
@@ -44,6 +45,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, user=user_id)
+ def test_domain_role_grant_inherited(self):
+ user_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('PUT',
+ ['OS-INHERIT', 'domains', domain_id, 'users', user_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=201)
+
+ self.manager.grant(role=ref['id'], domain=domain_id, user=user_id,
+ os_inherit_extension_inherited=True)
+
def test_domain_group_role_grant(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -56,6 +71,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.grant(role=ref['id'], domain=domain_id, group=group_id)
+ def test_domain_group_role_grant_inherited(self):
+ group_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('PUT',
+ ['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=201)
+
+ self.manager.grant(role=ref['id'], domain=domain_id, group=group_id,
+ os_inherit_extension_inherited=True)
+
def test_domain_role_list(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -67,6 +96,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, user=user_id)
+ def test_domain_role_list_inherited(self):
+ user_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref_list = [self.new_ref(), self.new_ref()]
+
+ self.stub_entity('GET',
+ ['OS-INHERIT',
+ 'domains', domain_id, 'users', user_id,
+ self.collection_key, 'inherited_to_projects'],
+ entity=ref_list)
+
+ returned_list = self.manager.list(domain=domain_id, user=user_id,
+ os_inherit_extension_inherited=True)
+
+ self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
+ [self.assertIsInstance(r, self.model) for r in returned_list]
+
def test_domain_group_role_list(self):
group_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
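Review bot: The assertions in `test_domain_role_list_inherited` are written backwards and use a list comprehension only for its side effects; the same two lines recur in `test_domain_group_role_list_inherited` in the next hunk. `self.assertThat(ref_list, matchers.HasLength(len(returned_list)))` checks the fixture against the result, so a failure message describes the wrong object; `self.assertThat(returned_list, matchers.HasLength(len(ref_list)))` reads as intended. The type check is clearer as a loop: `for r in returned_list: self.assertIsInstance(r, self.model)`.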
@@ -78,6 +124,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.list(domain=domain_id, group=group_id)
+ def test_domain_group_role_list_inherited(self):
+ group_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref_list = [self.new_ref(), self.new_ref()]
+
+ self.stub_entity('GET',
+ ['OS-INHERIT',
+ 'domains', domain_id, 'groups', group_id,
+ self.collection_key, 'inherited_to_projects'],
+ entity=ref_list)
+
+ returned_list = self.manager.list(domain=domain_id, group=group_id,
+ os_inherit_extension_inherited=True)
+
+ self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
+ [self.assertIsInstance(r, self.model) for r in returned_list]
+
def test_domain_role_check(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -91,6 +154,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id,
user=user_id)
+ def test_domain_role_check_inherited(self):
+ user_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('HEAD',
+ ['OS-INHERIT',
+ 'domains', domain_id, 'users', user_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=204)
+
+ self.manager.check(role=ref['id'], domain=domain_id,
+ user=user_id, os_inherit_extension_inherited=True)
+
def test_domain_group_role_check(self):
return
group_id = uuid.uuid4().hex
@@ -104,6 +182,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.check(role=ref['id'], domain=domain_id, group=group_id)
+ def test_domain_group_role_check_inherited(self):
+ group_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('HEAD',
+ ['OS-INHERIT',
+ 'domains', domain_id, 'groups', group_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=204)
+
+ self.manager.check(role=ref['id'], domain=domain_id,
+ group=group_id, os_inherit_extension_inherited=True)
+
def test_domain_role_revoke(self):
user_id = uuid.uuid4().hex
domain_id = uuid.uuid4().hex
@@ -128,6 +221,35 @@ class RoleTests(utils.TestCase, utils.CrudTests):
self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id)
+ def test_domain_role_revoke_inherited(self):
+ user_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('DELETE',
+ ['OS-INHERIT', 'domains', domain_id, 'users', user_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=204)
+
+ self.manager.revoke(role=ref['id'], domain=domain_id,
+ user=user_id, os_inherit_extension_inherited=True)
+
+ def test_domain_group_role_revoke_inherited(self):
+ group_id = uuid.uuid4().hex
+ domain_id = uuid.uuid4().hex
+ ref = self.new_ref()
+
+ self.stub_url('DELETE',
+ ['OS-INHERIT', 'domains', domain_id, 'groups', group_id,
+ self.collection_key, ref['id'],
+ 'inherited_to_projects'],
+ status_code=200)
+
+ self.manager.revoke(role=ref['id'], domain=domain_id,
+ group=group_id,
+ os_inherit_extension_inherited=True)
+
def test_project_role_grant(self):
user_id = uuid.uuid4().hex
project_id = uuid.uuid4().hex
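Review bot: The two revoke stubs disagree on the status code: `test_domain_role_revoke_inherited` stubs DELETE with `status_code=204`, while `test_domain_group_role_revoke_inherited` uses `status_code=200`. The HEAD stubs added in this file also use 204, so the 200 looks like a slip; `status_code=204)` in the group test would keep the pair consistent. Both tests only call `revoke()` and assert nothing about the result, so the mismatch cannot surface as a failure.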
diff --git a/keystoneclient/v3/roles.py b/keystoneclient/v3/roles.py
index 3eb68d1..ce72d70 100644
--- a/keystoneclient/v3/roles.py
+++ b/keystoneclient/v3/roles.py
@@ -37,7 +37,8 @@ class RoleManager(base.CrudManager):
collection_key = 'roles'
key = 'role'
- def _role_grants_base_url(self, user, group, domain, project):
+ def _role_grants_base_url(self, user, group, domain, project,
+ use_inherit_extension):
# When called, we have already checked that only one of user & group
# and one of domain & project have been specified
params = {}
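Review bot: The new `use_inherit_extension` parameter of `_role_grants_base_url` has no default, so any caller not updated in this commit (a subclass, for instance) would fail with a `TypeError`. Giving it a default keeps the old call shape working: `def _role_grants_base_url(self, user, group, domain, project, use_inherit_extension=False):`. A one-line comment that the flag prefixes the URL with `/OS-INHERIT` would also document why it exists. The function body continues past the hunk.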
@@ -49,6 +50,9 @@ class RoleManager(base.CrudManager):
params['domain_id'] = base.getid(domain)
base_url = '/domains/%(domain_id)s'
+ if use_inherit_extension:
+ base_url = '/OS-INHERIT' + base_url
+
if user:
params['user_id'] = base.getid(user)
base_url += '/users/%(user_id)s'
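Review bot: Nothing on this page exercises the `/OS-INHERIT` prefix for a project-scoped grant; every test added in `test_roles.py` passes `domain=`. Indentation is not recoverable here, so it is unclear whether `if use_inherit_extension:` sits inside the domain branch or after it. If it sits after, project URLs gain the prefix too. A test calling `grant(..., project=project_id, os_inherit_extension_inherited=True)` against the expected URL would pin the intended behaviour either way. The function starts and ends outside the hunk.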
@@ -85,7 +89,8 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN)
- def list(self, user=None, group=None, domain=None, project=None, **kwargs):
+ def list(self, user=None, group=None, domain=None,
+ project=None, os_inherit_extension_inherited=False, **kwargs):
"""Lists roles and role grants.
If no arguments are provided, all roles in the system will be
@@ -95,16 +100,22 @@ class RoleManager(base.CrudManager):
domain or project to list role grants on that pair. And if
``**kwargs`` are provided, then also filter roles with
attributes matching ``**kwargs``.
+
+ If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
+ used. It provides the ability for projects to inherit role assignments
+ from their domains or from projects in the hierarchy.
"""
+ if os_inherit_extension_inherited:
+ kwargs['tail'] = '/inherited_to_projects'
if user or group:
self._require_user_xor_group(user, group)
self._require_domain_xor_project(domain, project)
- return super(RoleManager, self).list(
- base_url=self._role_grants_base_url(user, group,
- domain, project),
- **kwargs)
+ base_url = self._role_grants_base_url(
+ user, group, domain, project, os_inherit_extension_inherited)
+ return super(RoleManager, self).list(base_url=base_url,
+ **kwargs)
return super(RoleManager, self).list(**kwargs)
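Review bot: `kwargs['tail']` is set before the `if user or group:` check, so `list(os_inherit_extension_inherited=True)` with no user or group falls through to the final `super(RoleManager, self).list(**kwargs)` with `tail` still in `kwargs`. Given the `tail` handling added to `build_url` in this commit, that would append `/inherited_to_projects` to the plain roles collection URL rather than to a grant URL. Moving `if os_inherit_extension_inherited:` and `kwargs['tail'] = '/inherited_to_projects'` inside the `if user or group:` branch limits the suffix to grant listings. The assignment also silently overwrites a `tail` value the caller passed as an attribute filter, so the docstring should name `tail` as reserved.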
@@ -120,31 +131,68 @@ class RoleManager(base.CrudManager):
role_id=base.getid(role))
@utils.positional(enforcement=utils.positional.WARN)
- def grant(self, role, user=None, group=None, domain=None, project=None):
- """Grants a role to a user or group on a domain or project."""
+ def grant(self, role, user=None, group=None, domain=None, project=None,
+ os_inherit_extension_inherited=False, **kwargs):
+ """Grants a role to a user or group on a domain or project.
+
+ If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
+ used. It provides the ability for projects to inherit role assignments
+ from their domains or from projects in the hierarchy.
+ """
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
- return super(RoleManager, self).put(
- base_url=self._role_grants_base_url(user, group, domain, project),
- role_id=base.getid(role))
+ if os_inherit_extension_inherited:
+ kwargs['tail'] = '/inherited_to_projects'
+
+ base_url = self._role_grants_base_url(
+ user, group, domain, project, os_inherit_extension_inherited)
+ return super(RoleManager, self).put(base_url=base_url,
+ role_id=base.getid(role),
+ **kwargs)
@utils.positional(enforcement=utils.positional.WARN)
- def check(self, role, user=None, group=None, domain=None, project=None):
- """Checks if a user or group has a role on a domain or project."""
+ def check(self, role, user=None, group=None, domain=None, project=None,
+ os_inherit_extension_inherited=False, **kwargs):
+ """Checks if a user or group has a role on a domain or project.
+
+ If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
+ used. It provides the ability for projects to inherit role assignments
+ from their domains or from projects in the hierarchy.
+ """
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
+ if os_inherit_extension_inherited:
+ kwargs['tail'] = '/inherited_to_projects'
+
+ base_url = self._role_grants_base_url(
+ user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).head(
- base_url=self._role_grants_base_url(user, group, domain, project),
- role_id=base.getid(role))
+ base_url=base_url,
+ role_id=base.getid(role),
+ os_inherit_extension_inherited=os_inherit_extension_inherited,
+ **kwargs)
@utils.positional(enforcement=utils.positional.WARN)
- def revoke(self, role, user=None, group=None, domain=None, project=None):
- """Revokes a role from a user or group on a domain or project."""
+ def revoke(self, role, user=None, group=None, domain=None, project=None,
+ os_inherit_extension_inherited=False, **kwargs):
+ """Revokes a role from a user or group on a domain or project.
+
+ If 'os_inherit_extension_inherited' is passed, then OS-INHERIT will be
+ used. It provides the ability for projects to inherit role assignments
+ from their domains or from projects in the hierarchy.
+ """
self._require_domain_xor_project(domain, project)
self._require_user_xor_group(user, group)
+ if os_inherit_extension_inherited:
+ kwargs['tail'] = '/inherited_to_projects'
+
+ base_url = self._role_grants_base_url(
+ user, group, domain, project, os_inherit_extension_inherited)
return super(RoleManager, self).delete(
- base_url=self._role_grants_base_url(user, group, domain, project),
- role_id=base.getid(role))
+ base_url=base_url,
+ role_id=base.getid(role),
+ os_inherit_extension_inherited=os_inherit_extension_inherited,
+ **kwargs)
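Review bot: `check()` and `revoke()` forward `os_inherit_extension_inherited=os_inherit_extension_inherited` to `head()` and `delete()`, but `grant()` does not forward it to `put()`. The flag is already encoded in `base_url` and `kwargs['tail']`, so the extra keyword looks redundant; dropping that line from both calls would make the three methods agree. All three methods also now accept `**kwargs` and pass them to the URL builder. A caller-supplied `tail=` would therefore be appended to a grant or revoke path whenever the flag is false. Since these calls change authorization state, it is safer to build the suffix locally than to accept arbitrary keywords. The docstrings say "is passed" where "is True" is meant.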