# Copyright 2013 Metacloud, Inc. # Copyright 2012 OpenStack Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """WSGI Routers for the Assignment service.""" import functools from oslo_config import cfg from keystone.assignment import controllers from keystone.common import json_home from keystone.common import router from keystone.common import wsgi CONF = cfg.CONF build_os_inherit_relation = functools.partial( json_home.build_v3_extension_resource_relation, extension_name='OS-INHERIT', extension_version='1.0') class Public(wsgi.ComposableRouter): def add_routes(self, mapper): tenant_controller = controllers.TenantAssignment() mapper.connect('/tenants', controller=tenant_controller, action='get_projects_for_token', conditions=dict(method=['GET'])) class Admin(wsgi.ComposableRouter): def add_routes(self, mapper): # Role Operations roles_controller = controllers.RoleAssignmentV2() mapper.connect('/tenants/{tenant_id}/users/{user_id}/roles', controller=roles_controller, action='get_user_roles', conditions=dict(method=['GET'])) mapper.connect('/users/{user_id}/roles', controller=roles_controller, action='get_user_roles', conditions=dict(method=['GET'])) class Routers(wsgi.RoutersBase): def append_v3_routers(self, mapper, routers): project_controller = controllers.ProjectAssignmentV3() self._add_resource( mapper, project_controller, path='/users/{user_id}/projects', get_action='list_user_projects', rel=json_home.build_v3_resource_relation('user_projects'), path_vars={ 'user_id': json_home.Parameters.USER_ID, }) routers.append( router.Router(controllers.RoleV3(), 'roles', 'role', resource_descriptions=self.v3_resources)) grant_controller = controllers.GrantAssignmentV3() self._add_resource( mapper, grant_controller, path='/projects/{project_id}/users/{user_id}/roles/{role_id}', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=json_home.build_v3_resource_relation('project_user_role'), path_vars={ 'project_id': json_home.Parameters.PROJECT_ID, 'role_id': json_home.Parameters.ROLE_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/projects/{project_id}/groups/{group_id}/roles/{role_id}', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=json_home.build_v3_resource_relation('project_group_role'), path_vars={ 'group_id': json_home.Parameters.GROUP_ID, 'project_id': json_home.Parameters.PROJECT_ID, 'role_id': json_home.Parameters.ROLE_ID, }) self._add_resource( mapper, grant_controller, path='/projects/{project_id}/users/{user_id}/roles', get_action='list_grants', rel=json_home.build_v3_resource_relation('project_user_roles'), path_vars={ 'project_id': json_home.Parameters.PROJECT_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/projects/{project_id}/groups/{group_id}/roles', get_action='list_grants', rel=json_home.build_v3_resource_relation('project_group_roles'), path_vars={ 'group_id': json_home.Parameters.GROUP_ID, 'project_id': json_home.Parameters.PROJECT_ID, }) self._add_resource( mapper, grant_controller, path='/domains/{domain_id}/users/{user_id}/roles/{role_id}', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=json_home.build_v3_resource_relation('domain_user_role'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'role_id': json_home.Parameters.ROLE_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/domains/{domain_id}/groups/{group_id}/roles/{role_id}', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=json_home.build_v3_resource_relation('domain_group_role'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'group_id': json_home.Parameters.GROUP_ID, 'role_id': json_home.Parameters.ROLE_ID, }) self._add_resource( mapper, grant_controller, path='/domains/{domain_id}/users/{user_id}/roles', get_action='list_grants', rel=json_home.build_v3_resource_relation('domain_user_roles'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/domains/{domain_id}/groups/{group_id}/roles', get_action='list_grants', rel=json_home.build_v3_resource_relation('domain_group_roles'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'group_id': json_home.Parameters.GROUP_ID, }) routers.append( router.Router(controllers.RoleAssignmentV3(), 'role_assignments', 'role_assignment', resource_descriptions=self.v3_resources, is_entity_implemented=False)) if CONF.os_inherit.enabled: self._add_resource( mapper, grant_controller, path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/' '{role_id}/inherited_to_projects', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=build_os_inherit_relation( resource_name='domain_user_role_inherited_to_projects'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'role_id': json_home.Parameters.ROLE_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/' '{role_id}/inherited_to_projects', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=build_os_inherit_relation( resource_name='domain_group_role_inherited_to_projects'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'group_id': json_home.Parameters.GROUP_ID, 'role_id': json_home.Parameters.ROLE_ID, }) self._add_resource( mapper, grant_controller, path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/' 'inherited_to_projects', get_action='list_grants', rel=build_os_inherit_relation( resource_name='domain_group_roles_inherited_to_projects'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'group_id': json_home.Parameters.GROUP_ID, }) self._add_resource( mapper, grant_controller, path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/' 'inherited_to_projects', get_action='list_grants', rel=build_os_inherit_relation( resource_name='domain_user_roles_inherited_to_projects'), path_vars={ 'domain_id': json_home.Parameters.DOMAIN_ID, 'user_id': json_home.Parameters.USER_ID, }) self._add_resource( mapper, grant_controller, path='/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/' '{role_id}/inherited_to_projects', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=build_os_inherit_relation( resource_name='project_user_role_inherited_to_projects'), path_vars={ 'project_id': json_home.Parameters.PROJECT_ID, 'user_id': json_home.Parameters.USER_ID, 'role_id': json_home.Parameters.ROLE_ID, }) self._add_resource( mapper, grant_controller, path='/OS-INHERIT/projects/{project_id}/groups/{group_id}/' 'roles/{role_id}/inherited_to_projects', get_head_action='check_grant', put_action='create_grant', delete_action='revoke_grant', rel=build_os_inherit_relation( resource_name='project_group_role_inherited_to_projects'), path_vars={ 'project_id': json_home.Parameters.PROJECT_ID, 'group_id': json_home.Parameters.GROUP_ID, 'role_id': json_home.Parameters.ROLE_ID, })