aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/assignment/role_backends
diff options
context:
space:
mode:
authorRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
committerRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
commit920a49cfa055733d575282973e23558c33087a4a (patch)
treed371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/keystone/assignment/role_backends
parentef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff)
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/assignment/role_backends')
-rw-r--r--keystone-moon/keystone/assignment/role_backends/__init__.py0
-rw-r--r--keystone-moon/keystone/assignment/role_backends/ldap.py125
-rw-r--r--keystone-moon/keystone/assignment/role_backends/sql.py202
3 files changed, 0 insertions, 327 deletions
diff --git a/keystone-moon/keystone/assignment/role_backends/__init__.py b/keystone-moon/keystone/assignment/role_backends/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/keystone-moon/keystone/assignment/role_backends/__init__.py
+++ /dev/null
diff --git a/keystone-moon/keystone/assignment/role_backends/ldap.py b/keystone-moon/keystone/assignment/role_backends/ldap.py
deleted file mode 100644
index 6e5e038e..00000000
--- a/keystone-moon/keystone/assignment/role_backends/ldap.py
+++ /dev/null
@@ -1,125 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from __future__ import absolute_import
-
-from oslo_config import cfg
-from oslo_log import log
-
-from keystone import assignment
-from keystone.common import ldap as common_ldap
-from keystone.common import models
-from keystone import exception
-from keystone.i18n import _
-from keystone.identity.backends import ldap as ldap_identity
-
-
-CONF = cfg.CONF
-LOG = log.getLogger(__name__)
-
-
-class Role(assignment.RoleDriverV8):
-
- def __init__(self):
- super(Role, self).__init__()
- self.LDAP_URL = CONF.ldap.url
- self.LDAP_USER = CONF.ldap.user
- self.LDAP_PASSWORD = CONF.ldap.password
- self.suffix = CONF.ldap.suffix
-
- # This is the only deep dependency from resource back
- # to identity. The assumption is that if you are using
- # LDAP for resource, you are using it for identity as well.
- self.user = ldap_identity.UserApi(CONF)
- self.role = RoleApi(CONF, self.user)
-
- def get_role(self, role_id):
- return self.role.get(role_id)
-
- def list_roles(self, hints):
- return self.role.get_all()
-
- def list_roles_from_ids(self, ids):
- return [self.get_role(id) for id in ids]
-
- def create_role(self, role_id, role):
- self.role.check_allow_create()
- try:
- self.get_role(role_id)
- except exception.NotFound:
- pass
- else:
- msg = _('Duplicate ID, %s.') % role_id
- raise exception.Conflict(type='role', details=msg)
-
- try:
- self.role.get_by_name(role['name'])
- except exception.NotFound:
- pass
- else:
- msg = _('Duplicate name, %s.') % role['name']
- raise exception.Conflict(type='role', details=msg)
-
- return self.role.create(role)
-
- def delete_role(self, role_id):
- self.role.check_allow_delete()
- return self.role.delete(role_id)
-
- def update_role(self, role_id, role):
- self.role.check_allow_update()
- self.get_role(role_id)
- return self.role.update(role_id, role)
-
-
-# NOTE(heny-nash): A mixin class to enable the sharing of the LDAP structure
-# between here and the assignment LDAP.
-class RoleLdapStructureMixin(object):
- DEFAULT_OU = 'ou=Roles'
- DEFAULT_STRUCTURAL_CLASSES = []
- DEFAULT_OBJECTCLASS = 'organizationalRole'
- DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
- NotFound = exception.RoleNotFound
- options_name = 'role'
- attribute_options_names = {'name': 'name'}
- immutable_attrs = ['id']
- model = models.Role
-
-
-# TODO(termie): turn this into a data object and move logic to driver
-class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap):
-
- def __init__(self, conf, user_api):
- super(RoleApi, self).__init__(conf)
- self._user_api = user_api
-
- def get(self, role_id, role_filter=None):
- model = super(RoleApi, self).get(role_id, role_filter)
- return model
-
- def create(self, values):
- return super(RoleApi, self).create(values)
-
- def update(self, role_id, role):
- new_name = role.get('name')
- if new_name is not None:
- try:
- old_role = self.get_by_name(new_name)
- if old_role['id'] != role_id:
- raise exception.Conflict(
- _('Cannot duplicate name %s') % old_role)
- except exception.NotFound:
- pass
- return super(RoleApi, self).update(role_id, role)
-
- def delete(self, role_id):
- super(RoleApi, self).delete(role_id)
diff --git a/keystone-moon/keystone/assignment/role_backends/sql.py b/keystone-moon/keystone/assignment/role_backends/sql.py
deleted file mode 100644
index 1045f23a..00000000
--- a/keystone-moon/keystone/assignment/role_backends/sql.py
+++ /dev/null
@@ -1,202 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-from oslo_db import exception as db_exception
-
-from keystone import assignment
-from keystone.common import driver_hints
-from keystone.common import sql
-from keystone import exception
-
-# NOTE(henry-nash): From the manager and above perspective, the domain_id
-# attribute of a role is nullable. However, to ensure uniqueness in
-# multi-process configurations, it is better to still use a sql uniqueness
-# constraint. Since the support for a nullable component of a uniqueness
-# constraint across different sql databases is mixed, we instead store a
-# special value to represent null, as defined in NULL_DOMAIN_ID below.
-NULL_DOMAIN_ID = '<<null>>'
-
-
-class Role(assignment.RoleDriverV9):
-
- @sql.handle_conflicts(conflict_type='role')
- def create_role(self, role_id, role):
- with sql.session_for_write() as session:
- ref = RoleTable.from_dict(role)
- session.add(ref)
- return ref.to_dict()
-
- @driver_hints.truncated
- def list_roles(self, hints):
- # If there is a filter on domain_id and the value is None, then to
- # ensure that the sql filtering works correctly, we need to patch
- # the value to be NULL_DOMAIN_ID. This is safe to do here since we
- # know we are able to satisfy any filter of this type in the call to
- # filter_limit_query() below, which will remove the filter from the
- # hints (hence ensuring our substitution is not exposed to the caller).
- for f in hints.filters:
- if (f['name'] == 'domain_id' and f['value'] is None):
- f['value'] = NULL_DOMAIN_ID
-
- with sql.session_for_read() as session:
- query = session.query(RoleTable)
- refs = sql.filter_limit_query(RoleTable, query, hints)
- return [ref.to_dict() for ref in refs]
-
- def list_roles_from_ids(self, ids):
- if not ids:
- return []
- else:
- with sql.session_for_read() as session:
- query = session.query(RoleTable)
- query = query.filter(RoleTable.id.in_(ids))
- role_refs = query.all()
- return [role_ref.to_dict() for role_ref in role_refs]
-
- def _get_role(self, session, role_id):
- ref = session.query(RoleTable).get(role_id)
- if ref is None:
- raise exception.RoleNotFound(role_id=role_id)
- return ref
-
- def get_role(self, role_id):
- with sql.session_for_read() as session:
- return self._get_role(session, role_id).to_dict()
-
- @sql.handle_conflicts(conflict_type='role')
- def update_role(self, role_id, role):
- with sql.session_for_write() as session:
- ref = self._get_role(session, role_id)
- old_dict = ref.to_dict()
- for k in role:
- old_dict[k] = role[k]
- new_role = RoleTable.from_dict(old_dict)
- for attr in RoleTable.attributes:
- if attr != 'id':
- setattr(ref, attr, getattr(new_role, attr))
- ref.extra = new_role.extra
- return ref.to_dict()
-
- def delete_role(self, role_id):
- with sql.session_for_write() as session:
- ref = self._get_role(session, role_id)
- session.delete(ref)
-
- def _get_implied_role(self, session, prior_role_id, implied_role_id):
- query = session.query(
- ImpliedRoleTable).filter(
- ImpliedRoleTable.prior_role_id == prior_role_id).filter(
- ImpliedRoleTable.implied_role_id == implied_role_id)
- try:
- ref = query.one()
- except sql.NotFound:
- raise exception.ImpliedRoleNotFound(
- prior_role_id=prior_role_id,
- implied_role_id=implied_role_id)
- return ref
-
- @sql.handle_conflicts(conflict_type='implied_role')
- def create_implied_role(self, prior_role_id, implied_role_id):
- with sql.session_for_write() as session:
- inference = {'prior_role_id': prior_role_id,
- 'implied_role_id': implied_role_id}
- ref = ImpliedRoleTable.from_dict(inference)
- try:
- session.add(ref)
- except db_exception.DBReferenceError:
- # We don't know which role threw this.
- # Query each to trigger the exception.
- self._get_role(session, prior_role_id)
- self._get_role(session, implied_role_id)
- return ref.to_dict()
-
- def delete_implied_role(self, prior_role_id, implied_role_id):
- with sql.session_for_write() as session:
- ref = self._get_implied_role(session, prior_role_id,
- implied_role_id)
- session.delete(ref)
-
- def list_implied_roles(self, prior_role_id):
- with sql.session_for_read() as session:
- query = session.query(
- ImpliedRoleTable).filter(
- ImpliedRoleTable.prior_role_id == prior_role_id)
- refs = query.all()
- return [ref.to_dict() for ref in refs]
-
- def list_role_inference_rules(self):
- with sql.session_for_read() as session:
- query = session.query(ImpliedRoleTable)
- refs = query.all()
- return [ref.to_dict() for ref in refs]
-
- def get_implied_role(self, prior_role_id, implied_role_id):
- with sql.session_for_read() as session:
- ref = self._get_implied_role(session, prior_role_id,
- implied_role_id)
- return ref.to_dict()
-
-
-class ImpliedRoleTable(sql.ModelBase, sql.DictBase):
- __tablename__ = 'implied_role'
- attributes = ['prior_role_id', 'implied_role_id']
- prior_role_id = sql.Column(
- sql.String(64),
- sql.ForeignKey('role.id', ondelete="CASCADE"),
- primary_key=True)
- implied_role_id = sql.Column(
- sql.String(64),
- sql.ForeignKey('role.id', ondelete="CASCADE"),
- primary_key=True)
-
- @classmethod
- def from_dict(cls, dictionary):
- new_dictionary = dictionary.copy()
- return cls(**new_dictionary)
-
- def to_dict(self):
- """Return a dictionary with model's attributes.
-
- overrides the `to_dict` function from the base class
- to avoid having an `extra` field.
- """
- d = dict()
- for attr in self.__class__.attributes:
- d[attr] = getattr(self, attr)
- return d
-
-
-class RoleTable(sql.ModelBase, sql.DictBase):
-
- def to_dict(self, include_extra_dict=False):
- d = super(RoleTable, self).to_dict(
- include_extra_dict=include_extra_dict)
- if d['domain_id'] == NULL_DOMAIN_ID:
- d['domain_id'] = None
- return d
-
- @classmethod
- def from_dict(cls, role_dict):
- if 'domain_id' in role_dict and role_dict['domain_id'] is None:
- new_dict = role_dict.copy()
- new_dict['domain_id'] = NULL_DOMAIN_ID
- else:
- new_dict = role_dict
- return super(RoleTable, cls).from_dict(new_dict)
-
- __tablename__ = 'role'
- attributes = ['id', 'name', 'domain_id']
- id = sql.Column(sql.String(64), primary_key=True)
- name = sql.Column(sql.String(255), nullable=False)
- domain_id = sql.Column(sql.String(64), nullable=False,
- server_default=NULL_DOMAIN_ID)
- extra = sql.Column(sql.JsonBlob())
- __table_args__ = (sql.UniqueConstraint('name', 'domain_id'),)