summaryrefslogtreecommitdiff
path: root/keystoneclient/v3/role_assignments.py
blob: 460280035d6070f2cb4dfa91e8a33bf96c3d45f6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from keystoneclient import base
from keystoneclient import exceptions
from keystoneclient.i18n import _


class RoleAssignment(base.Resource):
    """Represents an Identity role assignment.

    Attributes:
        * role: an object which contains a role uuid
        * user or group: an object which contains either a user or
                         group uuid
        * scope: an object which has either a project or domain object
                 containing an uuid
    """

    pass


class RoleAssignmentManager(base.CrudManager):
    """Manager class for manipulating Identity roles assignments."""

    resource_class = RoleAssignment
    collection_key = 'role_assignments'
    key = 'role_assignment'

    def _check_not_user_and_group(self, user, group):
        if user and group:
            msg = _('Specify either a user or group, not both')
            raise exceptions.ValidationError(msg)

    def _check_not_domain_and_project(self, domain, project):
        if domain and project:
            msg = _('Specify either a domain or project, not both')
            raise exceptions.ValidationError(msg)

    def list(self, user=None, group=None, project=None, domain=None, role=None,
             effective=False, os_inherit_extension_inherited_to=None,
             include_subtree=False, include_names=False):
        """List role assignments.

        If no arguments are provided, all role assignments in the
        system will be listed.

        If both user and group are provided, a ValidationError will be
        raised. If both domain and project are provided, it will also
        raise a ValidationError.

        :param user: User to be used as query filter. (optional)
        :param group: Group to be used as query filter. (optional)
        :param project: Project to be used as query filter.
                        (optional)
        :param domain: Domain to be used as query
                       filter. (optional)
        :param role: Role to be used as query filter. (optional)
        :param boolean effective: return effective role
                                  assignments. (optional)
        :param string os_inherit_extension_inherited_to:
            return inherited role assignments for either 'projects' or
            'domains'. (optional)
        :param boolean include_subtree: Include subtree (optional)
        :param boolean include_names: Display names instead
                                      of IDs. (optional)
        """

        self._check_not_user_and_group(user, group)
        self._check_not_domain_and_project(domain, project)

        query_params = {}
        if user:
            query_params['user.id'] = base.getid(user)
        if group:
            query_params['group.id'] = base.getid(group)
        if project:
            query_params['scope.project.id'] = base.getid(project)
        if domain:
            query_params['scope.domain.id'] = base.getid(domain)
        if role:
            query_params['role.id'] = base.getid(role)
        if effective:
            query_params['effective'] = effective
        if include_names:
            query_params['include_names'] = include_names
        if os_inherit_extension_inherited_to:
            query_params['scope.OS-INHERIT:inherited_to'] = (
                os_inherit_extension_inherited_to)
        if include_subtree:
            query_params['include_subtree'] = include_subtree

        return super(RoleAssignmentManager, self).list(**query_params)

    def create(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Create not supported for role assignments'))

    def update(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Update not supported for role assignments'))

    def get(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Get not supported for role assignments'))

    def find(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Find not supported for role assignments'))

    def put(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Put not supported for role assignments'))

    def delete(self, **kwargs):
        raise exceptions.MethodNotImplemented(
            _('Delete not supported for role assignments'))