summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/trust/controllers.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/trust/controllers.py')
-rw-r--r--keystone-moon/keystone/trust/controllers.py42
1 files changed, 18 insertions, 24 deletions
diff --git a/keystone-moon/keystone/trust/controllers.py b/keystone-moon/keystone/trust/controllers.py
index 39cf0110..00581304 100644
--- a/keystone-moon/keystone/trust/controllers.py
+++ b/keystone-moon/keystone/trust/controllers.py
@@ -14,9 +14,6 @@
import uuid
-from oslo_config import cfg
-from oslo_log import log
-from oslo_log import versionutils
from oslo_utils import timeutils
import six
@@ -31,11 +28,6 @@ from keystone import notifications
from keystone.trust import schema
-CONF = cfg.CONF
-
-LOG = log.getLogger(__name__)
-
-
def _trustor_trustee_only(trust, user_id):
if (user_id != trust.get('trustee_user_id') and
user_id != trust.get('trustor_user_id')):
@@ -47,8 +39,8 @@ def _admin_trustor_only(context, trust, user_id):
raise exception.Forbidden()
-@dependency.requires('assignment_api', 'identity_api', 'role_api',
- 'token_provider_api', 'trust_api')
+@dependency.requires('assignment_api', 'identity_api', 'resource_api',
+ 'role_api', 'token_provider_api', 'trust_api')
class TrustV3(controller.V3Controller):
collection_name = "trusts"
member_name = "trust"
@@ -56,7 +48,6 @@ class TrustV3(controller.V3Controller):
@classmethod
def base_url(cls, context, path=None):
"""Construct a path and pass it to V3Controller.base_url method."""
-
# NOTE(stevemar): Overriding path to /OS-TRUST/trusts so that
# V3Controller.base_url handles setting the self link correctly.
path = '/OS-TRUST/' + cls.collection_name
@@ -113,7 +104,7 @@ class TrustV3(controller.V3Controller):
trust_roles.append({'id':
all_role_names[rolename]['id']})
else:
- raise exception.RoleNotFound("role %s is not defined" %
+ raise exception.RoleNotFound(_("role %s is not defined") %
rolename)
else:
raise exception.ValidationError(attribute='id or name',
@@ -128,7 +119,6 @@ class TrustV3(controller.V3Controller):
The user creating the trust must be the trustor.
"""
-
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
@@ -178,17 +168,27 @@ class TrustV3(controller.V3Controller):
raise exception.Forbidden(
_('At least one role should be specified.'))
- def _get_user_role(self, trust):
+ def _get_trustor_roles(self, trust):
+ original_trust = trust.copy()
+ while original_trust.get('redelegated_trust_id'):
+ original_trust = self.trust_api.get_trust(
+ original_trust['redelegated_trust_id'])
+
if not self._attribute_is_empty(trust, 'project_id'):
- return self.assignment_api.get_roles_for_user_and_project(
- trust['trustor_user_id'], trust['project_id'])
+ self.resource_api.get_project(original_trust['project_id'])
+ # Get a list of roles including any domain specific roles
+ assignment_list = self.assignment_api.list_role_assignments(
+ user_id=original_trust['trustor_user_id'],
+ project_id=original_trust['project_id'],
+ effective=True, strip_domain_roles=False)
+ return list(set([x['role_id'] for x in assignment_list]))
else:
return []
def _require_trustor_has_role_in_project(self, trust):
- user_roles = self._get_user_role(trust)
+ trustor_roles = self._get_trustor_roles(trust)
for trust_role in trust['roles']:
- matching_roles = [x for x in user_roles
+ matching_roles = [x for x in trustor_roles
if x == trust_role['id']]
if not matching_roles:
raise exception.RoleNotFound(role_id=trust_role['id'])
@@ -262,12 +262,6 @@ class TrustV3(controller.V3Controller):
return {'roles': trust['roles'],
'links': trust['roles_links']}
- @versionutils.deprecated(
- versionutils.deprecated.KILO,
- remove_in=+2)
- def check_role_for_trust(self, context, trust_id, role_id):
- return self._check_role_for_trust(self, context, trust_id, role_id)
-
@controller.protected()
def get_role_for_trust(self, context, trust_id, role_id):
"""Get a role that has been assigned to a trust."""