Diffstat (limited to 'keystone-moon/keystone/contrib/revoke/core.py')
-rw-r--r--keystone-moon/keystone/contrib/revoke/core.py25
1 files changed, 17 insertions, 8 deletions
diff --git a/keystone-moon/keystone/contrib/revoke/core.py b/keystone-moon/keystone/contrib/revoke/core.py
index c7335690..e1ab87c8 100644
--- a/keystone-moon/keystone/contrib/revoke/core.py
+++ b/keystone-moon/keystone/contrib/revoke/core.py
@@ -10,11 +10,14 @@
# License for the specific language governing permissions and limitations
# under the License.
+"""Main entry point into the Revoke service."""
+
import abc
import datetime
from oslo_config import cfg
from oslo_log import log
+from oslo_log import versionutils
from oslo_utils import timeutils
import six
@@ -26,7 +29,6 @@ from keystone.contrib.revoke import model
from keystone import exception
from keystone.i18n import _
from keystone import notifications
-from keystone.openstack.common import versionutils
CONF = cfg.CONF
@@ -64,12 +66,17 @@ def revoked_before_cutoff_time():
@dependency.provider('revoke_api')
class Manager(manager.Manager):
- """Revoke API Manager.
+ """Default pivot point for the Revoke backend.
Performs common logic for recording revocations.
+ See :mod:`keystone.common.manager.Manager` for more details on
+ how this dynamically calls the backend.
+
"""
+ driver_namespace = 'keystone.revoke'
+
def __init__(self):
super(Manager, self).__init__(CONF.revoke.driver)
self._register_listeners()
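Review bot: The new class docstring cross-references `keystone.common.manager.Manager` with the `:mod:` role, but the target is a class, so the role should be `:class:` for the link to resolve. The added `driver_namespace = 'keystone.revoke'` attribute has no comment, and `__init__` still passes `CONF.revoke.driver` to the base class, so how the two interact cannot be read from this hunk. A one-line comment above the attribute saying what the base manager does with the namespace (presumably resolving the configured driver name within it; confirm against `keystone.common.manager`) would help the next reader. The class body continues outside the hunk.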
@@ -109,11 +116,12 @@ class Manager(manager.Manager):
self.revoke(
model.RevokeEvent(access_token_id=payload['resource_info']))
- def _group_callback(self, service, resource_type, operation, payload):
- user_ids = (u['id'] for u in self.identity_api.list_users_in_group(
- payload['resource_info']))
- for uid in user_ids:
- self.revoke(model.RevokeEvent(user_id=uid))
+ def _role_assignment_callback(self, service, resource_type, operation,
+ payload):
+ info = payload['resource_info']
+ self.revoke_by_grant(role_id=info['role_id'], user_id=info['user_id'],
+ domain_id=info.get('domain_id'),
+ project_id=info.get('project_id'))
def _register_listeners(self):
callbacks = {
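Review bot: `_role_assignment_callback` reads `info['role_id']` and `info['user_id']` with plain indexing, so a `role_assignment` notification whose `resource_info` lacks either key raises `KeyError` before `revoke_by_grant` runs, and no revocation event is recorded for that grant removal. The code that emits this payload is not in the diff; if group-scoped assignments are reported through the same event they would presumably carry no `user_id`, and the removed `_group_callback` was the only code in this file that expanded a group into its users. I would add a docstring naming the required keys (`role_id`, `user_id`) and the optional ones (`domain_id`, `project_id`), and handle the missing-key case explicitly with a logged error rather than leaving it to whatever dispatches the notification. It is also worth confirming what `revoke_by_grant` does when both `domain_id` and `project_id` are `None`, since both come from `.get()`.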
@@ -124,6 +132,7 @@ class Manager(manager.Manager):
['role', self._role_callback],
['user', self._user_callback],
['project', self._project_callback],
+ ['role_assignment', self._role_assignment_callback]
],
notifications.ACTIONS.disabled: [
['user', self._user_callback],
@@ -136,7 +145,7 @@ class Manager(manager.Manager):
]
}
- for event, cb_info in six.iteritems(callbacks):
+ for event, cb_info in callbacks.items():
for resource_type, callback_fns in cb_info:
notifications.register_event_callback(event, resource_type,
callback_fns)