
Source code changes of the file "keystone/api/trusts.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

trusts.py  (keystone-16.0.1):trusts.py  (keystone-17.0.0)
skipping to change at line 20 skipping to change at line 20
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# This file handles all flask-restful resources for /v3/OS-TRUST # This file handles all flask-restful resources for /v3/OS-TRUST
# TODO(morgan): Deprecate /v3/OS-TRUST/trusts path in favour of /v3/trusts. # TODO(morgan): Deprecate /v3/OS-TRUST/trusts path in favour of /v3/trusts.
# /v3/OS-TRUST should remain indefinitely. # /v3/OS-TRUST should remain indefinitely.
import flask import flask
import flask_restful import flask_restful
import http.client
from oslo_log import log from oslo_log import log
from oslo_policy import _checks as op_checks from oslo_policy import _checks as op_checks
from six.moves import http_client
from keystone.api._shared import json_home_relations from keystone.api._shared import json_home_relations
from keystone.common import context from keystone.common import context
from keystone.common import json_home from keystone.common import json_home
from keystone.common import provider_api from keystone.common import provider_api
from keystone.common import rbac_enforcer from keystone.common import rbac_enforcer
from keystone.common.rbac_enforcer import policy from keystone.common.rbac_enforcer import policy
from keystone.common import utils from keystone.common import utils
from keystone.common import validation from keystone.common import validation
from keystone import exception from keystone import exception
skipping to change at line 225 skipping to change at line 225
# identity:list_trusts rule and there are new policies in-code to # identity:list_trusts rule and there are new policies in-code to
# enforce identity:list_trusts_for_trustor and # enforce identity:list_trusts_for_trustor and
# identity:list_trusts_for_trustee. However, in case the # identity:list_trusts_for_trustee. However, in case the
# identity:list_trusts rule has been locally overridden by the default # identity:list_trusts rule has been locally overridden by the default
# that would have been produced by the sample config, we need to # that would have been produced by the sample config, we need to
# enforce it again and warn that the behavior is changing. # enforce it again and warn that the behavior is changing.
rules = policy._ENFORCER._enforcer.rules.get('identity:list_trusts') rules = policy._ENFORCER._enforcer.rules.get('identity:list_trusts')
# rule check_str is "" # rule check_str is ""
if isinstance(rules, op_checks.TrueCheck): if isinstance(rules, op_checks.TrueCheck):
LOG.warning( LOG.warning(
"The policy check string for rule \"identity:list_trusts\" has b "The policy check string for rule \"identity:list_trusts\" "
een overridden " "has been overridden to \"always true\". In the next release, "
"to \"always true\". In the next release, this will cause the " "this will cause the \"identity:list_trusts\" action to be "
"\"identity:list_trusts\" action to be fully permissive as hardc "fully permissive as hardcoded enforcement will be removed. "
oded " "To correct this issue, either stop overriding the "
"enforcement will be removed. To correct this issue, either stop "\"identity:list_trusts\" rule in config to accept the "
overriding the " "defaults, or explicitly set a rule that is not empty."
"\"identity:list_trusts\" rule in config to accept the defaults,
or explicitly "
"set a rule that is not empty."
) )
if not flask.request.args: if not flask.request.args:
# NOTE(morgan): Admin can list all trusts. # NOTE(morgan): Admin can list all trusts.
ENFORCER.enforce_call(action='admin_required') ENFORCER.enforce_call(action='admin_required')
if not flask.request.args: if not flask.request.args:
trusts += PROVIDERS.trust_api.list_trusts() trusts += PROVIDERS.trust_api.list_trusts()
elif trustor_user_id: elif trustor_user_id:
trusts += PROVIDERS.trust_api.list_trusts_for_trustor(trustor_user_i trusts += PROVIDERS.trust_api.list_trusts_for_trustor(
d) trustor_user_id)
elif trustee_user_id: elif trustee_user_id:
trusts += PROVIDERS.trust_api.list_trusts_for_trustee(trustee_user_i trusts += PROVIDERS.trust_api.list_trusts_for_trustee(
d) trustee_user_id)
for trust in trusts: for trust in trusts:
# get_trust returns roles, list_trusts does not # get_trust returns roles, list_trusts does not
# It seems in some circumstances, roles does not # It seems in some circumstances, roles does not
# exist in the query response, so check first # exist in the query response, so check first
if 'roles' in trust: if 'roles' in trust:
del trust['roles'] del trust['roles']
if trust.get('expires_at') is not None: if trust.get('expires_at') is not None:
trust['expires_at'] = utils.isotime(trust['expires_at'], trust['expires_at'] = utils.isotime(trust['expires_at'],
skipping to change at line 299 skipping to change at line 302
trust = self._assign_unique_id(trust) trust = self._assign_unique_id(trust)
redelegated_trust = self._find_redelegated_trust() redelegated_trust = self._find_redelegated_trust()
return_trust = PROVIDERS.trust_api.create_trust( return_trust = PROVIDERS.trust_api.create_trust(
trust_id=trust['id'], trust_id=trust['id'],
trust=trust, trust=trust,
roles=trust['roles'], roles=trust['roles'],
redelegated_trust=redelegated_trust, redelegated_trust=redelegated_trust,
initiator=self.audit_initiator) initiator=self.audit_initiator)
_normalize_trust_expires_at(return_trust) _normalize_trust_expires_at(return_trust)
_normalize_trust_roles(return_trust) _normalize_trust_roles(return_trust)
return self.wrap_member(return_trust), http_client.CREATED return self.wrap_member(return_trust), http.client.CREATED
def delete(self, trust_id): def delete(self, trust_id):
ENFORCER.enforce_call(action='identity:delete_trust', ENFORCER.enforce_call(action='identity:delete_trust',
build_target=_build_trust_target_enforcement) build_target=_build_trust_target_enforcement)
self._check_unrestricted() self._check_unrestricted()
# NOTE(cmurphy) As of Train, the default policies enforce the # NOTE(cmurphy) As of Train, the default policies enforce the
# identity:delete_trust rule. However, in case the # identity:delete_trust rule. However, in case the
# identity:delete_trust rule has been locally overridden by the # identity:delete_trust rule has been locally overridden by the
# default that would have been produced by the sample config, we need # default that would have been produced by the sample config, we need
skipping to change at line 330 skipping to change at line 333
"\"identity:delete_trust\" rule in config to accept the " "\"identity:delete_trust\" rule in config to accept the "
"defaults, or explicitly set a rule that is not empty." "defaults, or explicitly set a rule that is not empty."
) )
trust = PROVIDERS.trust_api.get_trust(trust_id) trust = PROVIDERS.trust_api.get_trust(trust_id)
if (self.oslo_context.user_id != trust.get('trustor_user_id') and if (self.oslo_context.user_id != trust.get('trustor_user_id') and
not self.oslo_context.is_admin): not self.oslo_context.is_admin):
action = _('Only admin or trustor can delete a trust') action = _('Only admin or trustor can delete a trust')
raise exception.ForbiddenAction(action=action) raise exception.ForbiddenAction(action=action)
PROVIDERS.trust_api.delete_trust(trust_id, PROVIDERS.trust_api.delete_trust(trust_id,
initiator=self.audit_initiator) initiator=self.audit_initiator)
return '', http_client.NO_CONTENT return '', http.client.NO_CONTENT
# NOTE(morgan): Since this Resource is not being used with the automatic # NOTE(morgan): Since this Resource is not being used with the automatic
# URL additions and does not have a collection key/member_key, we use # URL additions and does not have a collection key/member_key, we use
# the flask-restful Resource, not the keystone ResourceBase # the flask-restful Resource, not the keystone ResourceBase
class RolesForTrustListResource(flask_restful.Resource): class RolesForTrustListResource(flask_restful.Resource):
@property @property
def oslo_context(self): def oslo_context(self):
return flask.request.environ.get(context.REQUEST_CONTEXT_ENV, None) return flask.request.environ.get(context.REQUEST_CONTEXT_ENV, None)
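Review bot: The `LOG.warning(...)` under `if isinstance(rules, op_checks.TrueCheck):` in the list-trusts hunk runs in the request path, so while `identity:list_trusts` is overridden to an empty rule the same long message is written on every list call. The delete hunk carries the same pattern for `identity:delete_trust`. I would emit the warning once per process or at policy load, and mark the branch with a comment such as `# Empty override detected: only the hardcoded checks in this method still restrict this action.` The detection also depends on underscored names (`policy._ENFORCER._enforcer`, `oslo_policy._checks`), which deserves a one-line comment because a change to those internals would presumably disable the check without any visible failure. Both enclosing methods begin outside the visible hunks, so an earlier guard cannot be ruled out from here.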
 End of changes. 7 change blocks. 
17 lines changed or deleted 14 lines changed or added
