backends Package

kvs Module

class keystone.assignment.backends.kvs.Assignment(*args, **kwargs)[source]

Bases: keystone.common.kvs.legacy.Base, keystone.assignment.core.Driver

KVS Assignment backend.

This backend uses the following mappings to store data:

  • Domains:
    • domain_list -> [domain_id, ...]
    • domain-{id} -> domain_ref
    • domain_name-{name} -> domain_ref
  • Projects:
    • tenant-{id} -> project_ref
    • tenant_name-{name} -> project_ref
  • Roles:
    • role_list -> [role_id, ...]
    • role-{id} -> role_ref
  • Role assignments:
    • metadata_user-{target}-{user_id} -> {'roles': [{'id': role-id, ...}, ...]}
    • metadata_group-{target}-{group_id} -> {'roles': [{'id': role-id, ...}, ...]}
add_role_to_user_and_project(user_id, tenant_id, role_id)[source]
create_domain(domain_id, domain)[source]
create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
create_project(tenant_id, tenant)[source]
create_role(role_id, role)[source]
delete_domain(domain_id)[source]
delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
delete_group(group_id)[source]

Deletes all assignments for a group.

Raises: keystone.exception.RoleNotFound
delete_project(tenant_id)[source]
delete_role(role_id)[source]
delete_user(user_id)[source]

Deletes all assignments for a user.

Raises: keystone.exception.RoleNotFound
get_domain(domain_id)[source]
get_domain_by_name(domain_name)[source]
get_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
get_group_project_roles(groups, project_id, project_domain_id)[source]
get_project(tenant_id)[source]
get_project_by_name(tenant_name, domain_id)[source]
get_role(role_id)[source]
get_roles_for_groups(group_ids, project_id=None, domain_id=None)[source]
list_domains(hints)[source]
list_domains_for_groups(group_ids)[source]
list_domains_for_user(user_id, group_ids, hints)[source]
list_grants(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
list_projects(hints)[source]
list_projects_for_groups(group_ids)[source]
list_projects_for_user(user_id, group_ids, hints)[source]
list_projects_in_domain(domain_id)[source]
list_role_assignments()[source]

List the role assignments.

We enumerate the metadata entries and extract the targets, actors, and roles.

list_roles(hints)[source]
list_user_ids_for_project(tenant_id)[source]
remove_role_from_user_and_project(user_id, tenant_id, role_id)[source]
update_domain(domain_id, domain)[source]
update_project(tenant_id, tenant)[source]
update_role(role_id, role)[source]
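
The KVS mappings listed above and the enumeration that list_role_assignments() describes, shown as an added example (this is not Keystone's code). It walks a plain dict laid out with those key formats, flattens the metadata entries into (actor, target, role) rows, and flags grants that point at a role or target no longer in the store. Assumptions: target ids contain no '-', the store contents are constructed sample data, and dangling_assignments() is a hypothetical audit helper.

```python
# Added example, not Keystone's implementation. SAMPLE_DB is constructed data.
KIND_PREFIXES = {"metadata_user-": "user_id", "metadata_group-": "group_id"}

SAMPLE_DB = {
    "domain_list": ["d1"],
    "domain-d1": {"id": "d1", "name": "Default"},
    "tenant-p1": {"id": "p1", "name": "demo", "domain_id": "d1"},
    "role_list": ["r_admin", "r_member"],
    "role-r_admin": {"id": "r_admin", "name": "admin"},
    "role-r_member": {"id": "r_member", "name": "member"},
    "metadata_user-p1-u1": {"roles": [{"id": "r_admin"}]},
    "metadata_group-d1-g1": {"roles": [{"id": "r_member"}, {"id": "r_gone"}]},
    "metadata_user-p9-u2": {"roles": [{"id": "r_member"}]},  # p9 was deleted
}

def list_role_assignments(db):
    """Enumerate metadata entries; return flat actor/target/role rows."""
    rows = []
    for key in sorted(db):
        for prefix, actor_field in KIND_PREFIXES.items():
            if not key.startswith(prefix):
                continue
            # Assumption: the target id has no '-' (e.g. uuid4().hex), so the
            # first '-' after the prefix separates target from actor.
            target_id, sep, actor_id = key[len(prefix):].partition("-")
            if not (sep and target_id and actor_id):
                continue  # malformed key
            # The key does not say whether {target} is a project or a domain;
            # resolve it through the tenant-{id} / domain-{id} mappings.
            if "tenant-" + target_id in db:
                target_field = "project_id"
            elif "domain-" + target_id in db:
                target_field = "domain_id"
            else:
                target_field = "unknown_target_id"
            for role in db[key].get("roles", []):
                rows.append({actor_field: actor_id,
                             target_field: target_id,
                             "role_id": role["id"]})
    return rows

def dangling_assignments(db):
    """Rows whose role is absent from role_list or whose target is gone."""
    known_roles = set(db.get("role_list", []))
    return [row for row in list_role_assignments(db)
            if row["role_id"] not in known_roles or "unknown_target_id" in row]
```

Rows returned by dangling_assignments() are grants left behind after a role, project or domain was removed; they are the entries to clean up before an id can be reused.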

ldap Module

class keystone.assignment.backends.ldap.Assignment[source]

Bases: keystone.assignment.core.Driver

add_role_to_user_and_project(user_id, tenant_id, role_id)[source]
create_domain(domain_id, domain)[source]
create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
create_project(tenant_id, tenant)[source]
create_role(role_id, role)[source]
delete_domain(domain_id)[source]
delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
delete_group(group_id)[source]

Called when the group was deleted.

Any role assignments for the group should be cleaned up.

delete_project(tenant_id)[source]
delete_role(role_id)[source]
delete_user(user_id)[source]
get_domain(domain_id)[source]
get_domain_by_name(domain_name)[source]
get_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
get_group_project_roles(groups, project_id, project_domain_id)[source]
get_project(tenant_id)[source]
get_project_by_name(tenant_name, domain_id)[source]
get_role(role_id)[source]
get_roles_for_groups(group_ids, project_id=None, domain_id=None)[source]
list_domains(hints)[source]
list_domains_for_groups(group_ids)[source]
list_domains_for_user(user_id, group_ids, hints)[source]
list_grants(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
list_projects(hints)[source]
list_projects_for_groups(group_ids)[source]
list_projects_for_user(user_id, group_ids, hints)[source]
list_projects_in_domain(domain_id)[source]
list_role_assignments()[source]
list_roles(hints)[source]
list_user_ids_for_project(tenant_id)[source]
remove_role_from_user_and_project(user_id, tenant_id, role_id)[source]
update_domain(domain_id, domain)[source]
update_project(tenant_id, tenant)[source]
update_role(role_id, role)[source]
class keystone.assignment.backends.ldap.GroupRoleAssociation(group_dn=None, role_dn=None, tenant_dn=None, *args, **kw)[source]

Bases: object

Role Grant model.

class keystone.assignment.backends.ldap.ProjectApi(conf)[source]

Bases: keystone.common.ldap.core.EnabledEmuMixIn, keystone.common.ldap.core.BaseLdap

DEFAULT_ID_ATTR = 'cn'
DEFAULT_MEMBER_ATTRIBUTE = 'member'
DEFAULT_OBJECTCLASS = 'groupOfNames'
DEFAULT_OU = 'ou=Groups'
DEFAULT_STRUCTURAL_CLASSES = []
NotFound

alias of ProjectNotFound

attribute_options_names = {'domain_id': 'domain_id', 'enabled': 'enabled', 'name': 'name', 'description': 'desc'}
create(values)[source]
get_user_dns(tenant_id, rolegrants, role_dn=None)[source]
get_user_projects(user_dn, associations)[source]

Returns the list of tenants a user has access to.

immutable_attrs = ['name']
model

alias of Project

notfound_arg = 'project_id'
options_name = 'project'
update(project_id, values)[source]
class keystone.assignment.backends.ldap.RoleApi(conf, user_api)[source]

Bases: keystone.common.ldap.core.BaseLdap

DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
DEFAULT_OBJECTCLASS = 'organizationalRole'
DEFAULT_OU = 'ou=Roles'
DEFAULT_STRUCTURAL_CLASSES = []
NotFound

alias of RoleNotFound

add_user(role_id, role_dn, user_dn, user_id, tenant_id=None)[source]
attribute_options_names = {'name': 'name'}
create(values)[source]
delete(role_id, tenant_dn)[source]
delete_user(role_dn, user_dn, role_id)[source]
get(role_id, role_filter=None)[source]
get_role_assignments(tenant_dn)[source]
immutable_attrs = ['id']
list_global_roles_for_user(user_dn)[source]
list_project_roles_for_group(group_dn, project_subtree)[source]
list_project_roles_for_user(user_dn, project_subtree)[source]
list_role_assignments(project_tree_dn)[source]

Returns a list of all the role assignments linked to project_tree_dn attribute.

model

alias of Role

options_name = 'role'
roles_delete_subtree_by_project(tenant_dn)[source]
update(role_id, role)[source]
class keystone.assignment.backends.ldap.UserRoleAssociation(user_dn=None, role_dn=None, tenant_dn=None, *args, **kw)[source]

Bases: object

Role Grant model.

sql Module

class keystone.assignment.backends.sql.Assignment[source]

Bases: keystone.assignment.core.Driver

add_role_to_user_and_project(user_id, tenant_id, role_id)[source]
create_domain(*args, **kwargs)[source]
create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
create_project(*args, **kwargs)[source]
create_role(*args, **kwargs)[source]
delete_domain(domain_id)[source]
delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
delete_group(group_id)[source]
delete_project(*args, **kwargs)[source]
delete_role(role_id)[source]
delete_user(user_id)[source]
get_domain(domain_id)[source]
get_domain_by_name(domain_name)[source]
get_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
get_group_project_roles(groups, project_id, project_domain_id)[source]
get_project(tenant_id)[source]
get_project_by_name(tenant_name, domain_id)[source]
get_role(role_id)[source]
get_roles_for_groups(group_ids, project_id=None, domain_id=None)[source]
list_domains(hints, *args, **kwargs)[source]
list_domains_for_groups(group_ids)[source]
list_domains_for_user(user_id, group_ids, hints)[source]
list_grants(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)[source]
list_projects(hints, *args, **kwargs)[source]
list_projects_for_groups(group_ids)[source]
list_projects_for_user(user_id, group_ids, hints)[source]
list_projects_in_domain(domain_id)[source]
list_role_assignments()[source]
list_roles(hints, *args, **kwargs)[source]
list_user_ids_for_project(tenant_id)[source]
remove_role_from_user_and_project(user_id, tenant_id, role_id)[source]
update_domain(*args, **kwargs)[source]
update_project(*args, **kwargs)[source]
update_role(*args, **kwargs)[source]
class keystone.assignment.backends.sql.AssignmentType[source]
GROUP_DOMAIN = 'GroupDomain'
GROUP_PROJECT = 'GroupProject'
USER_DOMAIN = 'UserDomain'
USER_PROJECT = 'UserProject'
class keystone.assignment.backends.sql.Domain(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'name', 'enabled']
enabled
extra
id
name
class keystone.assignment.backends.sql.Project(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'name', 'domain_id', 'description', 'enabled']
description
domain_id
enabled
extra
id
name
class keystone.assignment.backends.sql.Role(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'name']
extra
id
name
class keystone.assignment.backends.sql.RoleAssignment(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

actor_id
attributes = ['type', 'actor_id', 'target_id', 'role_id', 'inherited']
inherited
role_id
target_id
to_dict()[source]

Override parent to_dict() method with a simpler implementation.

RoleAssignment doesn’t have non-indexed ‘extra’ attributes, so the parent implementation is not applicable.

type
keystone.assignment.backends.sql.false()

Return a constant False_ construct.

E.g.:

>>> from sqlalchemy import false
>>> print select([t.c.x]).where(false())
SELECT x FROM t WHERE false

A backend which does not support true/false constants will render as an expression against 1 or 0:

>>> print select([t.c.x]).where(false())
SELECT x FROM t WHERE 0 = 1

The true() and false() constants also feature “short circuit” operation within an and_() or or_() conjunction:

>>> print select([t.c.x]).where(or_(t.c.x > 5, true()))
SELECT x FROM t WHERE true

>>> print select([t.c.x]).where(and_(t.c.x > 5, false()))
SELECT x FROM t WHERE false

Changed in version 0.9: true() and false() feature better integrated behavior within conjunctions and on dialects that don’t support true/false constants.

See also

true()
