keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
1 # Copyright 2018 SUSE Linux GmbH
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 # not use this file except in compliance with the License. You may obtain
5 # a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 # License for the specific language governing permissions and limitations
13 # under the License.
14 
15 """Main entry point into the Application Credential service."""
16 
17 from keystone.common import cache
18 from keystone.common import driver_hints
19 from keystone.common import manager
20 from keystone.common import provider_api
21 import keystone.conf
22 from keystone import exception
23 from keystone import notifications
24 
25 
CONF = keystone.conf.CONF
# Memoization decorator for this service's cached getters
# (Manager.get_application_credential / Manager.get_access_rule); the
# delete paths in Manager invalidate those entries explicitly.
MEMOIZE = cache.get_memoization_decorator(group='application_credential')
# Registry of other managers (role_api, assignment_api, ...) reachable from
# this one without direct imports.
PROVIDERS = provider_api.ProviderAPIs
29 
30 
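class Manager(manager.Manager):
    """Default pivot point for the Application Credential backend.

    See :mod:`keystone.common.manager.Manager` for more details on how this
    dynamically calls the backend.

    Two security-relevant behaviours live in this manager rather than in the
    driver and are easy to miss:

    * the plaintext ``secret`` is attached to a returned reference in exactly
      one place, :meth:`create_application_credential`; every read path goes
      through :meth:`_process_app_cred`, which strips the stored
      ``secret_hash``;
    * application credentials and access rules are torn down when their
      owning user is deleted or disabled, and project-scoped credentials when
      the user loses a role assignment on that project, via the notification
      callbacks registered in :meth:`_register_callback_listeners`.

    """

    driver_namespace = 'keystone.application_credential'
    _provides_api = 'application_credential_api'

    # Resource type names used in CADF audit notifications.
    _APP_CRED = 'application_credential'
    _ACCESS_RULE = 'access_rule'

    def __init__(self):
        super().__init__(CONF.application_credential.driver)
        self._register_callback_listeners()

    def _register_callback_listeners(self):
        """Subscribe to the identity events that must revoke credentials.

        A deleted or disabled user must not keep usable application
        credentials, and losing a role assignment on a project must revoke
        the credentials scoped to that project; otherwise a credential would
        outlive the authorization it was derived from.
        """
        notifications.register_event_callback(
            notifications.ACTIONS.deleted, 'user',
            self._delete_app_creds_on_user_delete_callback)
        notifications.register_event_callback(
            notifications.ACTIONS.disabled, 'user',
            self._delete_app_creds_on_user_delete_callback)
        notifications.register_event_callback(
            notifications.ACTIONS.internal,
            notifications.REMOVE_APP_CREDS_FOR_USER,
            self._delete_app_creds_on_assignment_removal)

    def _delete_app_creds_on_user_delete_callback(
            self, service, resource_type, operation, payload):
        """Remove every application credential and access rule of a user.

        :param payload: notification payload; ``resource_info`` is the user ID
        """
        user_id = payload['resource_info']
        self._delete_application_credentials_for_user(user_id)
        self._delete_access_rules_for_user(user_id)

    def _delete_app_creds_on_assignment_removal(
            self, service, resource_type, operation, payload):
        """Remove a user's application credentials on one project.

        :param payload: notification payload; ``resource_info`` carries
                        ``user_id`` and ``project_id``
        """
        user_id = payload['resource_info']['user_id']
        project_id = payload['resource_info']['project_id']
        self._delete_application_credentials_for_user_on_project(
            user_id, project_id)

    def _get_user_roles(self, user_id, project_id):
        """Return the distinct role IDs a user holds on a project.

        Assignments are queried with ``effective=True`` (see
        ``assignment_api.list_role_assignments``) rather than as direct
        assignments only.

        :returns: list of unique role IDs, in no particular order
        """
        assignment_list = self.assignment_api.list_role_assignments(
            user_id=user_id,
            project_id=project_id,
            effective=True)
        return list({x['role_id'] for x in assignment_list})

    def _require_user_has_role_in_project(self, roles, user_id, project_id):
        """Reject any requested role the user does not hold on the project.

        This is the privilege ceiling of an application credential: a user
        can only delegate roles they hold themselves, so the credential can
        never be more powerful than its creator. An empty *roles* list passes
        vacuously.

        :param list roles: role references, each with an ``id`` key
        :raises keystone.exception.RoleAssignmentNotFound: for the first
            requested role the user does not hold on the project.
        """
        held_roles = set(self._get_user_roles(user_id, project_id))
        for role in roles:
            if role['id'] not in held_roles:
                raise exception.RoleAssignmentNotFound(role_id=role['id'],
                                                       actor_id=user_id,
                                                       target_id=project_id)

    def _assert_limit_not_exceeded(self, user_id):
        """Enforce ``[application_credential] user_limit`` for a user.

        A negative limit disables the check. NOTE(review): this is a
        read-then-create check; nothing in this manager serializes concurrent
        creates for the same user, so two requests can both pass and
        collectively exceed the limit. Treat it as a soft cap unless the
        driver enforces it as well.

        :raises keystone.exception.ApplicationCredentialLimitExceeded: when
            the user already has ``user_limit`` or more credentials.
        """
        user_limit = CONF.application_credential.user_limit
        if user_limit < 0:
            return
        app_cred_count = len(self.list_application_credentials(user_id))
        if app_cred_count >= user_limit:
            raise exception.ApplicationCredentialLimitExceeded(
                limit=user_limit)

    def _get_role_list(self, app_cred_roles):
        """Expand ``[{'id': ...}, ...]`` role stubs into full role references.

        :raises: whatever ``role_api.get_role`` raises for an unknown ID
        """
        return [PROVIDERS.role_api.get_role(role['id'])
                for role in app_cred_roles]

    def authenticate(self, application_credential_id, secret):
        """Authenticate with an application credential.

        Verification happens entirely in the driver: nothing is returned on
        success and whatever the driver raises on failure propagates.

        :param str application_credential_id: Application Credential ID
        :param str secret: Application Credential secret

        """
        self.driver.authenticate(application_credential_id, secret)

    def _process_app_cred(self, app_cred_ref):
        """Return a caller-facing copy of a driver reference.

        The stored ``secret_hash`` is removed so it never leaves the manager,
        and the role ID stubs are expanded into full role references. The
        input dict is not mutated.

        :raises KeyError: if the reference has no ``secret_hash`` (no default
            is used on purpose: such a reference is malformed and should not
            be passed through silently)
        """
        app_cred_ref = app_cred_ref.copy()
        app_cred_ref.pop('secret_hash')
        app_cred_ref['roles'] = self._get_role_list(app_cred_ref['roles'])
        return app_cred_ref

    def create_application_credential(self, application_credential,
                                      initiator=None):
        """Create a new application credential.

        :param dict application_credential: Application Credential data;
            must carry ``user_id``, ``project_id``, ``id`` and ``secret``;
            ``roles`` (default ``[]``) and ``access_rules`` (default
            ``None``) are popped and passed to the driver separately
        :param initiator: CADF initiator

        :returns: a new application credential. This is the only place the
            plaintext ``secret`` is attached to a returned reference.
        """
        application_credential = application_credential.copy()
        user_id = application_credential['user_id']
        project_id = application_credential['project_id']
        # NOTE(review): an empty roles list passes the role check vacuously;
        # the API layer is expected to have populated it - confirm at the
        # call site.
        roles = application_credential.pop('roles', [])
        access_rules = application_credential.pop('access_rules', None)

        # Authorization checks run before anything is persisted: quota first,
        # then the privilege ceiling (a user may only delegate roles they
        # hold).
        self._assert_limit_not_exceeded(user_id)
        self._require_user_has_role_in_project(roles, user_id, project_id)

        # The plaintext is re-attached from the input rather than taken from
        # the driver's reference, which carries a secret_hash instead.
        unhashed_secret = application_credential['secret']
        ref = self.driver.create_application_credential(
            application_credential, roles, access_rules)
        ref['secret'] = unhashed_secret
        ref = self._process_app_cred(ref)
        notifications.Audit.created(
            self._APP_CRED,
            application_credential['id'],
            initiator)
        return ref

    @MEMOIZE
    def get_application_credential(self, application_credential_id):
        """Get application credential details.

        Results are memoized; :meth:`delete_application_credential` and the
        bulk deletion helpers invalidate the entry so a revoked credential is
        not served from cache.

        :param str application_credential_id: Application Credential ID

        :returns: an application credential, with ``secret_hash`` stripped
        """
        app_cred = self.driver.get_application_credential(
            application_credential_id)
        return self._process_app_cred(app_cred)

    def list_application_credentials(self, user_id, hints=None):
        """List application credentials for a user.

        :param str user_id: User ID
        :param dict hints: Properties to filter on

        :returns: a list of application credentials, each with
            ``secret_hash`` stripped
        """
        hints = hints or driver_hints.Hints()
        app_cred_list = self.driver.list_application_credentials_for_user(
            user_id, hints)
        return [self._process_app_cred(app_cred) for app_cred in app_cred_list]

    @MEMOIZE
    def get_access_rule(self, access_rule_id):
        """Get access rule details.

        Results are memoized; :meth:`delete_access_rule` and
        :meth:`_delete_access_rules_for_user` invalidate the entry.

        :param str access_rule_id: Access Rule ID

        :returns: an access rule
        """
        return self.driver.get_access_rule(access_rule_id)

    def list_access_rules_for_user(self, user_id, hints=None):
        """List access rules for user.

        :param str user_id: User ID
        :param dict hints: Properties to filter on

        :returns: a list of access rules
        """
        hints = hints or driver_hints.Hints()
        return self.driver.list_access_rules_for_user(user_id, hints)

    def delete_application_credential(self, application_credential_id,
                                      initiator=None):
        """Delete an application credential.

        :param str application_credential_id: Application Credential ID
        :param initiator: CADF initiator

        :raises keystone.exception.ApplicationCredentialNotFound: If the
            application credential doesn't exist.
        """
        self.driver.delete_application_credential(application_credential_id)
        # Invalidate only after the driver delete succeeded, so the memoized
        # copy of a revoked credential cannot be served afterwards.
        self.get_application_credential.invalidate(self,
                                                   application_credential_id)
        notifications.Audit.deleted(
            self._APP_CRED, application_credential_id, initiator)

    def _delete_application_credentials_for_user(self, user_id,
                                                 initiator=None):
        """Delete all application credentials for a user.

        :param str user_id: User ID
        :param initiator: CADF initiator

        This is triggered when a user is deleted.
        """
        # Snapshot the IDs first: they are needed to invalidate the cache and
        # to audit each deletion, and are no longer listable afterwards.
        app_creds = self.driver.list_application_credentials_for_user(
            user_id, driver_hints.Hints())
        self.driver.delete_application_credentials_for_user(user_id)
        for app_cred in app_creds:
            self.get_application_credential.invalidate(self, app_cred['id'])
            notifications.Audit.deleted(self._APP_CRED, app_cred['id'],
                                        initiator)

    def _delete_application_credentials_for_user_on_project(self, user_id,
                                                            project_id):
        """Delete all application credentials for a user on a given project.

        :param str user_id: User ID
        :param str project_id: Project ID

        This is triggered when a user loses a role assignment on a project.
        NOTE(review): unlike :meth:`_delete_application_credentials_for_user`
        no per-credential audit notification is emitted here, so anyone
        reconstructing a revocation from the audit trail has to rely on the
        triggering role-assignment event - confirm that event is audited.
        """
        hints = driver_hints.Hints()
        hints.add_filter('project_id', project_id)
        # Snapshot the IDs first so the memoized entries can be invalidated
        # after the bulk delete.
        app_creds = self.driver.list_application_credentials_for_user(
            user_id, hints)

        self.driver.delete_application_credentials_for_user_on_project(
            user_id, project_id)
        for app_cred in app_creds:
            self.get_application_credential.invalidate(self, app_cred['id'])

    def delete_access_rule(self, access_rule_id, initiator=None):
        """Delete an access rule.

        :param str access_rule_id: Access Rule ID
        :param initiator: CADF initiator

        :raises keystone.exception.AccessRuleNotFound: If the access rule
            doesn't exist.
        """
        self.driver.delete_access_rule(access_rule_id)
        self.get_access_rule.invalidate(self, access_rule_id)
        notifications.Audit.deleted(
            self._ACCESS_RULE, access_rule_id, initiator)

    def _delete_access_rules_for_user(self, user_id, initiator=None):
        """Delete all access rules for a user.

        :param str user_id: User ID
        :param initiator: CADF initiator

        This is triggered when a user is deleted.
        """
        # Snapshot the IDs first: needed for cache invalidation and auditing
        # once the rows are gone.
        access_rules = self.driver.list_access_rules_for_user(
            user_id, driver_hints.Hints())
        self.driver.delete_access_rules_for_user(user_id)
        for rule in access_rules:
            self.get_access_rule.invalidate(self, rule['id'])
            notifications.Audit.deleted(self._ACCESS_RULE, rule['id'],
                                        initiator)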