keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

system.py
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 # This file handles all flask-restful resources for /v3/system
14 
15 import flask
16 import flask_restful
17 import functools
18 import http.client
19 
20 from keystone.common import json_home
21 from keystone.common import provider_api
22 from keystone.common import rbac_enforcer
23 from keystone import exception
24 from keystone.server import flask as ks_flask
25 
26 
# Policy enforcer used by every handler in this module: each handler calls
# ENFORCER.enforce_call(...) before it touches the assignment backend.
ENFORCER = rbac_enforcer.RBACEnforcer
# Access point for the role_api, identity_api and assignment_api backends.
PROVIDERS = provider_api.ProviderAPIs
29 
30 
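def _build_enforcement_target(allow_non_existing=False):
    """Build the policy target dict from the IDs in the request URL.

    Resolves the role, and then either the user or the group, named in
    ``flask.request.view_args`` and returns them under the ``'role'``,
    ``'user'`` and ``'group'`` keys.

    :param allow_non_existing: when true, a user or group that cannot be
        found is left out of the target instead of failing the request.
        The revoke handlers in this module pass it, presumably so that a
        grant can still be removed after its user or group has gone.
        The role lookup is not covered by this flag.
    :returns: dict holding whichever of ``role``, ``user`` and ``group``
        could be resolved; empty when the request has no view args.
    :raises keystone.exception.UserNotFound: the user does not exist and
        ``allow_non_existing`` is false.
    :raises keystone.exception.GroupNotFound: the group does not exist
        and ``allow_non_existing`` is false.
    """
    target = {}
    view_args = flask.request.view_args
    if view_args:
        if view_args.get('role_id'):
            target['role'] = PROVIDERS.role_api.get_role(
                view_args['role_id'])
        if view_args.get('user_id'):
            try:
                target['user'] = PROVIDERS.identity_api.get_user(
                    view_args['user_id'])
            except exception.UserNotFound:
                # With allow_non_existing the target simply has no 'user'
                # entry, so the policy decision is taken without it.
                # NOTE(review): how a rule that reads attributes of the
                # target user evaluates in that case depends on the
                # enforcer and the policy in use -- confirm that revoke
                # policies do not rely on the entry being present.
                if not allow_non_existing:
                    raise
        else:
            # No user_id in the URL: treat the request as a group request.
            # The routes registered in this module always carry one of
            # user_id or group_id.
            try:
                target['group'] = PROVIDERS.identity_api.get_group(
                    view_args.get('group_id'))
            except exception.GroupNotFound:
                # Same trade-off as for users: no 'group' entry is set.
                if not allow_non_existing:
                    raise
    return target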
52 
53 
class SystemUsersListResource(flask_restful.Resource):
    """Collection resource for the system role grants of one user."""

    def get(self, user_id):
        """Return every system grant held by ``user_id``.

        GET/HEAD /system/users/{user_id}/roles
        """
        # Policy is enforced before the assignment backend is queried.
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:list_system_grants_for_user',
        )
        grants = PROVIDERS.assignment_api.list_system_grants_for_user(
            user_id)
        return ks_flask.ResourceBase.wrap_collection(
            grants, collection_name='roles')
65 
66 
class SystemUsersResource(flask_restful.Resource):
    """Item resource for a single system role grant of a user.

    Every verb enforces its policy action first and only then calls the
    assignment backend; all three answer with an empty 204 body.
    """

    def get(self, user_id, role_id):
        """Check whether ``user_id`` holds ``role_id`` on the system.

        GET/HEAD /system/users/{user_id}/roles/{role_id}
        """
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:check_system_grant_for_user',
        )
        assignments = PROVIDERS.assignment_api
        assignments.check_system_grant_for_user(user_id, role_id)
        return None, http.client.NO_CONTENT

    def put(self, user_id, role_id):
        """Give ``user_id`` the role ``role_id`` on the system.

        PUT /system/users/{user_id}/roles/{role_id}
        """
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:create_system_grant_for_user',
        )
        assignments = PROVIDERS.assignment_api
        assignments.create_system_grant_for_user(user_id, role_id)
        return None, http.client.NO_CONTENT

    def delete(self, user_id, role_id):
        """Take the role ``role_id`` away from ``user_id`` on the system.

        DELETE /system/users/{user_id}/roles/{role_id}
        """
        # Revocation builds its target with allow_non_existing=True, so a
        # user that can no longer be looked up does not abort the request;
        # the policy check then runs without a 'user' entry in the target.
        lenient_target = functools.partial(
            _build_enforcement_target, allow_non_existing=True)
        ENFORCER.enforce_call(
            build_target=lenient_target,
            action='identity:revoke_system_grant_for_user',
        )
        assignments = PROVIDERS.assignment_api
        assignments.delete_system_grant_for_user(user_id, role_id)
        return None, http.client.NO_CONTENT
100 
101 
class SystemGroupsRolesListResource(flask_restful.Resource):
    """Collection resource for the system role grants of one group."""

    def get(self, group_id):
        """Return every system grant held by ``group_id``.

        GET/HEAD /system/groups/{group_id}/roles
        """
        # Policy is enforced before the assignment backend is queried.
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:list_system_grants_for_group',
        )
        grants = PROVIDERS.assignment_api.list_system_grants_for_group(
            group_id)
        return ks_flask.ResourceBase.wrap_collection(
            grants, collection_name='roles')
113 
114 
class SystemGroupsRolestResource(flask_restful.Resource):
    """Item resource for a single system role grant of a group.

    The class name (spelled ``Rolest``) is the one SystemAPI registers.
    Every verb enforces its policy action first and only then calls the
    assignment backend; all three answer with an empty 204 body.
    """

    def get(self, group_id, role_id):
        """Check whether ``group_id`` holds ``role_id`` on the system.

        GET/HEAD /system/groups/{group_id}/roles/{role_id}
        """
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:check_system_grant_for_group',
        )
        assignments = PROVIDERS.assignment_api
        assignments.check_system_grant_for_group(group_id, role_id)
        return None, http.client.NO_CONTENT

    def put(self, group_id, role_id):
        """Give ``group_id`` the role ``role_id`` on the system.

        PUT /system/groups/{group_id}/roles/{role_id}
        """
        ENFORCER.enforce_call(
            build_target=_build_enforcement_target,
            action='identity:create_system_grant_for_group',
        )
        assignments = PROVIDERS.assignment_api
        assignments.create_system_grant_for_group(group_id, role_id)
        return None, http.client.NO_CONTENT

    def delete(self, group_id, role_id):
        """Take the role ``role_id`` away from ``group_id`` on the system.

        DELETE /system/groups/{group_id}/roles/{role_id}
        """
        # Revocation builds its target with allow_non_existing=True, so a
        # group that can no longer be looked up does not abort the request;
        # the policy check then runs without a 'group' entry in the target.
        lenient_target = functools.partial(
            _build_enforcement_target, allow_non_existing=True)
        ENFORCER.enforce_call(
            build_target=lenient_target,
            action='identity:revoke_system_grant_for_group',
        )
        assignments = PROVIDERS.assignment_api
        assignments.delete_system_grant_for_group(group_id, role_id)
        return None, http.client.NO_CONTENT
151 
152 
class SystemAPI(ks_flask.APIBase):
    """Route table binding the /system URLs to their resource classes."""

    _name = 'system'
    _import_name = __name__
    resources = []
    resource_mapping = [
        # Grants of one user: the collection, then a single grant.
        ks_flask.construct_resource_map(
            resource=SystemUsersListResource,
            url='/system/users/<string:user_id>/roles',
            resource_kwargs={},
            rel='system_user_roles',
            path_vars={
                'user_id': json_home.Parameters.USER_ID,
            },
        ),
        ks_flask.construct_resource_map(
            resource=SystemUsersResource,
            url='/system/users/<string:user_id>/roles/<string:role_id>',
            resource_kwargs={},
            rel='system_user_role',
            path_vars={
                'role_id': json_home.Parameters.ROLE_ID,
                'user_id': json_home.Parameters.USER_ID,
            },
        ),
        # Grants of one group: the collection, then a single grant.
        ks_flask.construct_resource_map(
            resource=SystemGroupsRolesListResource,
            url='/system/groups/<string:group_id>/roles',
            resource_kwargs={},
            rel='system_group_roles',
            path_vars={
                'group_id': json_home.Parameters.GROUP_ID,
            },
        ),
        ks_flask.construct_resource_map(
            resource=SystemGroupsRolestResource,
            url='/system/groups/<string:group_id>/roles/<string:role_id>',
            resource_kwargs={},
            rel='system_group_role',
            path_vars={
                'role_id': json_home.Parameters.ROLE_ID,
                'group_id': json_home.Parameters.GROUP_ID,
            },
        ),
    ]
187 
188 
# API classes exported by this module, as a one-element tuple.
APIs = (SystemAPI,)