1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneclient import base
from keystoneclient import exceptions
from keystoneclient.i18n import _
class RoleAssignment(base.Resource):
"""Represents an Identity role assignment.
Attributes:
* role: an object which contains a role uuid
* user or group: an object which contains either a user or
group uuid
* scope: an object which has either a project or domain object
containing an uuid
"""
pass
class RoleAssignmentManager(base.CrudManager):
"""Manager class for manipulating Identity roles assignments."""
resource_class = RoleAssignment
collection_key = 'role_assignments'
key = 'role_assignment'
def _check_not_user_and_group(self, user, group):
if user and group:
msg = _('Specify either a user or group, not both')
raise exceptions.ValidationError(msg)
def _check_not_domain_and_project(self, domain, project):
if domain and project:
msg = _('Specify either a domain or project, not both')
raise exceptions.ValidationError(msg)
def _check_not_system_and_domain(self, system, domain):
if system and domain:
msg = _('Specify either system or domain, not both')
raise exceptions.ValidationError(msg)
def _check_not_system_and_project(self, system, project):
if system and project:
msg = _('Specify either system or project, not both')
raise exceptions.ValidationError(msg)
def _check_system_value(self, system):
if system and system != 'all':
msg = _("Only a system scope of 'all' is currently supported")
raise exceptions.ValidationError(msg)
def list(self, user=None, group=None, project=None, domain=None,
system=False, role=None, effective=False,
os_inherit_extension_inherited_to=None, include_subtree=False,
include_names=False):
"""List role assignments.
If no arguments are provided, all role assignments in the
system will be listed.
If both user and group are provided, a ValidationError will be
raised. If both domain and project are provided, it will also
raise a ValidationError.
:param user: User to be used as query filter. (optional)
:param group: Group to be used as query filter. (optional)
:param project: Project to be used as query filter.
(optional)
:param domain: Domain to be used as query
filter. (optional)
:param system: Boolean to be used to filter system assignments.
(optional)
:param role: Role to be used as query filter. (optional)
:param boolean effective: return effective role
assignments. (optional)
:param string os_inherit_extension_inherited_to:
return inherited role assignments for either 'projects' or
'domains'. (optional)
:param boolean include_subtree: Include subtree (optional)
:param boolean include_names: Display names instead
of IDs. (optional)
"""
self._check_not_user_and_group(user, group)
self._check_not_domain_and_project(domain, project)
self._check_not_system_and_domain(system, domain)
self._check_not_system_and_project(system, project)
self._check_system_value(system)
query_params = {}
if user:
query_params['user.id'] = base.getid(user)
if group:
query_params['group.id'] = base.getid(group)
if project:
query_params['scope.project.id'] = base.getid(project)
if domain:
query_params['scope.domain.id'] = base.getid(domain)
if system:
query_params['scope.system'] = system
if role:
query_params['role.id'] = base.getid(role)
if effective:
query_params['effective'] = effective
if include_names:
query_params['include_names'] = include_names
if os_inherit_extension_inherited_to:
query_params['scope.OS-INHERIT:inherited_to'] = (
os_inherit_extension_inherited_to)
if include_subtree:
query_params['include_subtree'] = include_subtree
return super(RoleAssignmentManager, self).list(**query_params)
def create(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Create not supported for role assignments'))
def update(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Update not supported for role assignments'))
def get(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Get not supported for role assignments'))
def find(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Find not supported for role assignments'))
def put(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Put not supported for role assignments'))
def delete(self, **kwargs):
raise exceptions.MethodNotImplemented(
_('Delete not supported for role assignments'))
|
