Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

# Copyright 2011 OpenStack LLC. 

# Copyright 2011 Nebula, Inc. 

# All Rights Reserved. 

# 

#    Licensed under the Apache License, Version 2.0 (the "License"); you may 

#    not use this file except in compliance with the License. You may obtain 

#    a copy of the License at 

# 

#         http://www.apache.org/licenses/LICENSE-2.0 

# 

#    Unless required by applicable law or agreed to in writing, software 

#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 

#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 

#    License for the specific language governing permissions and limitations 

#    under the License. 

 

from keystoneclient import base 

from keystoneclient import exceptions 

 

 

class Role(base.Resource): 

    """Represents an Identity role. 

 

    Attributes: 

        * id: a uuid that identifies the role 

        * name: user-facing identifier 

 

    """ 

    pass 

 

 

class RoleManager(base.CrudManager): 

    """Manager class for manipulating Identity roles.""" 

    resource_class = Role 

    collection_key = 'roles' 

    key = 'role' 

 

    def _role_grants_base_url(self, user, group, domain, project): 

        # When called, we have already checked that only one of user & group 

        # and one of domain & project have been specified 

        params = {} 

 

        if project: 

            params['project_id'] = base.getid(project) 

            base_url = '/projects/%(project_id)s' 

50        elif domain: 

            params['domain_id'] = base.getid(domain) 

            base_url = '/domains/%(domain_id)s' 

 

        if user: 

            params['user_id'] = base.getid(user) 

            base_url += '/users/%(user_id)s' 

57        elif group: 

            params['group_id'] = base.getid(group) 

            base_url += '/groups/%(group_id)s' 

 

        return base_url % params 

 

    def _require_domain_xor_project(self, domain, project): 

        if (domain and project) or (not domain and not project): 

            msg = 'Specify either a domain or project, not both' 

            raise exceptions.ValidationError(msg) 

 

    def _require_user_xor_group(self, user, group): 

        if (user and group) or (not user and not group): 

            msg = 'Specify either a user or group, not both' 

            raise exceptions.ValidationError(msg) 

 

    def create(self, name): 

        return super(RoleManager, self).create( 

            name=name) 

 

    def get(self, role): 

        return super(RoleManager, self).get( 

            role_id=base.getid(role)) 

 

    def list(self, user=None, group=None, domain=None, project=None, **kwargs): 

        """Lists roles and role grants. 

 

        If no arguments are provided, all roles in the system will be 

        listed. 

 

        If a user or group is specified, you must also specify either a 

        domain or project to list role grants on that pair. And if 

        ``**kwargs`` are provided, then also filter roles with 

        attributes matching ``**kwargs``. 

        """ 

 

        if user or group: 

            self._require_user_xor_group(user, group) 

            self._require_domain_xor_project(domain, project) 

 

            return super(RoleManager, self).list( 

                base_url=self._role_grants_base_url(user, group, 

                                                    domain, project), 

                **kwargs) 

 

        return super(RoleManager, self).list() 

 

    def update(self, role, name=None): 

        return super(RoleManager, self).update( 

            role_id=base.getid(role), 

            name=name) 

 

    def delete(self, role): 

        return super(RoleManager, self).delete( 

            role_id=base.getid(role)) 

 

    def grant(self, role, user=None, group=None, domain=None, project=None): 

        """Grants a role to a user or group on a domain or project.""" 

        self._require_domain_xor_project(domain, project) 

        self._require_user_xor_group(user, group) 

 

        return super(RoleManager, self).put( 

            base_url=self._role_grants_base_url(user, group, domain, project), 

            role_id=base.getid(role)) 

 

    def check(self, role, user=None, group=None, domain=None, project=None): 

        """Checks if a user or group has a role on a domain or project.""" 

        self._require_domain_xor_project(domain, project) 

        self._require_user_xor_group(user, group) 

 

        return super(RoleManager, self).head( 

            base_url=self._role_grants_base_url(user, group, domain, project), 

            role_id=base.getid(role)) 

 

    def revoke(self, role, user=None, group=None, domain=None, project=None): 

        """Revokes a role from a user or group on a domain or project.""" 

        self._require_domain_xor_project(domain, project) 

        self._require_user_xor_group(user, group) 

 

        return super(RoleManager, self).delete( 

            base_url=self._role_grants_base_url(user, group, domain, project), 

            role_id=base.getid(role))