diff options
Diffstat (limited to 'keystone-moon/keystone/assignment/role_backends')
3 files changed, 0 insertions, 327 deletions
diff --git a/keystone-moon/keystone/assignment/role_backends/__init__.py b/keystone-moon/keystone/assignment/role_backends/__init__.py deleted file mode 100644 index e69de29b..00000000 --- a/keystone-moon/keystone/assignment/role_backends/__init__.py +++ /dev/null diff --git a/keystone-moon/keystone/assignment/role_backends/ldap.py b/keystone-moon/keystone/assignment/role_backends/ldap.py deleted file mode 100644 index 6e5e038e..00000000 --- a/keystone-moon/keystone/assignment/role_backends/ldap.py +++ /dev/null @@ -1,125 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from __future__ import absolute_import - -from oslo_config import cfg -from oslo_log import log - -from keystone import assignment -from keystone.common import ldap as common_ldap -from keystone.common import models -from keystone import exception -from keystone.i18n import _ -from keystone.identity.backends import ldap as ldap_identity - - -CONF = cfg.CONF -LOG = log.getLogger(__name__) - - -class Role(assignment.RoleDriverV8): - - def __init__(self): - super(Role, self).__init__() - self.LDAP_URL = CONF.ldap.url - self.LDAP_USER = CONF.ldap.user - self.LDAP_PASSWORD = CONF.ldap.password - self.suffix = CONF.ldap.suffix - - # This is the only deep dependency from resource back - # to identity. The assumption is that if you are using - # LDAP for resource, you are using it for identity as well. - self.user = ldap_identity.UserApi(CONF) - self.role = RoleApi(CONF, self.user) - - def get_role(self, role_id): - return self.role.get(role_id) - - def list_roles(self, hints): - return self.role.get_all() - - def list_roles_from_ids(self, ids): - return [self.get_role(id) for id in ids] - - def create_role(self, role_id, role): - self.role.check_allow_create() - try: - self.get_role(role_id) - except exception.NotFound: - pass - else: - msg = _('Duplicate ID, %s.') % role_id - raise exception.Conflict(type='role', details=msg) - - try: - self.role.get_by_name(role['name']) - except exception.NotFound: - pass - else: - msg = _('Duplicate name, %s.') % role['name'] - raise exception.Conflict(type='role', details=msg) - - return self.role.create(role) - - def delete_role(self, role_id): - self.role.check_allow_delete() - return self.role.delete(role_id) - - def update_role(self, role_id, role): - self.role.check_allow_update() - self.get_role(role_id) - return self.role.update(role_id, role) - - -# NOTE(heny-nash): A mixin class to enable the sharing of the LDAP structure -# between here and the assignment LDAP. -class RoleLdapStructureMixin(object): - DEFAULT_OU = 'ou=Roles' - DEFAULT_STRUCTURAL_CLASSES = [] - DEFAULT_OBJECTCLASS = 'organizationalRole' - DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant' - NotFound = exception.RoleNotFound - options_name = 'role' - attribute_options_names = {'name': 'name'} - immutable_attrs = ['id'] - model = models.Role - - -# TODO(termie): turn this into a data object and move logic to driver -class RoleApi(RoleLdapStructureMixin, common_ldap.BaseLdap): - - def __init__(self, conf, user_api): - super(RoleApi, self).__init__(conf) - self._user_api = user_api - - def get(self, role_id, role_filter=None): - model = super(RoleApi, self).get(role_id, role_filter) - return model - - def create(self, values): - return super(RoleApi, self).create(values) - - def update(self, role_id, role): - new_name = role.get('name') - if new_name is not None: - try: - old_role = self.get_by_name(new_name) - if old_role['id'] != role_id: - raise exception.Conflict( - _('Cannot duplicate name %s') % old_role) - except exception.NotFound: - pass - return super(RoleApi, self).update(role_id, role) - - def delete(self, role_id): - super(RoleApi, self).delete(role_id) diff --git a/keystone-moon/keystone/assignment/role_backends/sql.py b/keystone-moon/keystone/assignment/role_backends/sql.py deleted file mode 100644 index 1045f23a..00000000 --- a/keystone-moon/keystone/assignment/role_backends/sql.py +++ /dev/null @@ -1,202 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from oslo_db import exception as db_exception - -from keystone import assignment -from keystone.common import driver_hints -from keystone.common import sql -from keystone import exception - -# NOTE(henry-nash): From the manager and above perspective, the domain_id -# attribute of a role is nullable. However, to ensure uniqueness in -# multi-process configurations, it is better to still use a sql uniqueness -# constraint. Since the support for a nullable component of a uniqueness -# constraint across different sql databases is mixed, we instead store a -# special value to represent null, as defined in NULL_DOMAIN_ID below. -NULL_DOMAIN_ID = '<<null>>' - - -class Role(assignment.RoleDriverV9): - - @sql.handle_conflicts(conflict_type='role') - def create_role(self, role_id, role): - with sql.session_for_write() as session: - ref = RoleTable.from_dict(role) - session.add(ref) - return ref.to_dict() - - @driver_hints.truncated - def list_roles(self, hints): - # If there is a filter on domain_id and the value is None, then to - # ensure that the sql filtering works correctly, we need to patch - # the value to be NULL_DOMAIN_ID. This is safe to do here since we - # know we are able to satisfy any filter of this type in the call to - # filter_limit_query() below, which will remove the filter from the - # hints (hence ensuring our substitution is not exposed to the caller). - for f in hints.filters: - if (f['name'] == 'domain_id' and f['value'] is None): - f['value'] = NULL_DOMAIN_ID - - with sql.session_for_read() as session: - query = session.query(RoleTable) - refs = sql.filter_limit_query(RoleTable, query, hints) - return [ref.to_dict() for ref in refs] - - def list_roles_from_ids(self, ids): - if not ids: - return [] - else: - with sql.session_for_read() as session: - query = session.query(RoleTable) - query = query.filter(RoleTable.id.in_(ids)) - role_refs = query.all() - return [role_ref.to_dict() for role_ref in role_refs] - - def _get_role(self, session, role_id): - ref = session.query(RoleTable).get(role_id) - if ref is None: - raise exception.RoleNotFound(role_id=role_id) - return ref - - def get_role(self, role_id): - with sql.session_for_read() as session: - return self._get_role(session, role_id).to_dict() - - @sql.handle_conflicts(conflict_type='role') - def update_role(self, role_id, role): - with sql.session_for_write() as session: - ref = self._get_role(session, role_id) - old_dict = ref.to_dict() - for k in role: - old_dict[k] = role[k] - new_role = RoleTable.from_dict(old_dict) - for attr in RoleTable.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_role, attr)) - ref.extra = new_role.extra - return ref.to_dict() - - def delete_role(self, role_id): - with sql.session_for_write() as session: - ref = self._get_role(session, role_id) - session.delete(ref) - - def _get_implied_role(self, session, prior_role_id, implied_role_id): - query = session.query( - ImpliedRoleTable).filter( - ImpliedRoleTable.prior_role_id == prior_role_id).filter( - ImpliedRoleTable.implied_role_id == implied_role_id) - try: - ref = query.one() - except sql.NotFound: - raise exception.ImpliedRoleNotFound( - prior_role_id=prior_role_id, - implied_role_id=implied_role_id) - return ref - - @sql.handle_conflicts(conflict_type='implied_role') - def create_implied_role(self, prior_role_id, implied_role_id): - with sql.session_for_write() as session: - inference = {'prior_role_id': prior_role_id, - 'implied_role_id': implied_role_id} - ref = ImpliedRoleTable.from_dict(inference) - try: - session.add(ref) - except db_exception.DBReferenceError: - # We don't know which role threw this. - # Query each to trigger the exception. - self._get_role(session, prior_role_id) - self._get_role(session, implied_role_id) - return ref.to_dict() - - def delete_implied_role(self, prior_role_id, implied_role_id): - with sql.session_for_write() as session: - ref = self._get_implied_role(session, prior_role_id, - implied_role_id) - session.delete(ref) - - def list_implied_roles(self, prior_role_id): - with sql.session_for_read() as session: - query = session.query( - ImpliedRoleTable).filter( - ImpliedRoleTable.prior_role_id == prior_role_id) - refs = query.all() - return [ref.to_dict() for ref in refs] - - def list_role_inference_rules(self): - with sql.session_for_read() as session: - query = session.query(ImpliedRoleTable) - refs = query.all() - return [ref.to_dict() for ref in refs] - - def get_implied_role(self, prior_role_id, implied_role_id): - with sql.session_for_read() as session: - ref = self._get_implied_role(session, prior_role_id, - implied_role_id) - return ref.to_dict() - - -class ImpliedRoleTable(sql.ModelBase, sql.DictBase): - __tablename__ = 'implied_role' - attributes = ['prior_role_id', 'implied_role_id'] - prior_role_id = sql.Column( - sql.String(64), - sql.ForeignKey('role.id', ondelete="CASCADE"), - primary_key=True) - implied_role_id = sql.Column( - sql.String(64), - sql.ForeignKey('role.id', ondelete="CASCADE"), - primary_key=True) - - @classmethod - def from_dict(cls, dictionary): - new_dictionary = dictionary.copy() - return cls(**new_dictionary) - - def to_dict(self): - """Return a dictionary with model's attributes. - - overrides the `to_dict` function from the base class - to avoid having an `extra` field. - """ - d = dict() - for attr in self.__class__.attributes: - d[attr] = getattr(self, attr) - return d - - -class RoleTable(sql.ModelBase, sql.DictBase): - - def to_dict(self, include_extra_dict=False): - d = super(RoleTable, self).to_dict( - include_extra_dict=include_extra_dict) - if d['domain_id'] == NULL_DOMAIN_ID: - d['domain_id'] = None - return d - - @classmethod - def from_dict(cls, role_dict): - if 'domain_id' in role_dict and role_dict['domain_id'] is None: - new_dict = role_dict.copy() - new_dict['domain_id'] = NULL_DOMAIN_ID - else: - new_dict = role_dict - return super(RoleTable, cls).from_dict(new_dict) - - __tablename__ = 'role' - attributes = ['id', 'name', 'domain_id'] - id = sql.Column(sql.String(64), primary_key=True) - name = sql.Column(sql.String(255), nullable=False) - domain_id = sql.Column(sql.String(64), nullable=False, - server_default=NULL_DOMAIN_ID) - extra = sql.Column(sql.JsonBlob()) - __table_args__ = (sql.UniqueConstraint('name', 'domain_id'),) |