Beispiel #1
0
    def append_v3_routers(self, mapper, routers):

        project_controller = controllers.ProjectAssignmentV3()
        self._add_resource(
            mapper,
            project_controller,
            path='/users/{user_id}/projects',
            get_action='list_user_projects',
            rel=json_home.build_v3_resource_relation('user_projects'),
            path_vars={
                'user_id': json_home.Parameters.USER_ID,
            })

        routers.append(
            router.Router(controllers.RoleV3(),
                          'roles',
                          'role',
                          resource_descriptions=self.v3_resources,
                          method_template='%s_wrapper'))

        implied_roles_controller = controllers.ImpliedRolesV3()
        self._add_resource(
            mapper,
            implied_roles_controller,
            path='/roles/{prior_role_id}/implies',
            rel=json_home.build_v3_resource_relation('implied_roles'),
            get_action='list_implied_roles',
            status=json_home.Status.EXPERIMENTAL,
            path_vars={
                'prior_role_id': json_home.Parameters.ROLE_ID,
            })

        self._add_resource(
            mapper,
            implied_roles_controller,
            path='/roles/{prior_role_id}/implies/{implied_role_id}',
            put_action='create_implied_role',
            delete_action='delete_implied_role',
            head_action='check_implied_role',
            get_action='get_implied_role',
            rel=json_home.build_v3_resource_relation('implied_role'),
            status=json_home.Status.EXPERIMENTAL,
            path_vars={
                'prior_role_id': json_home.Parameters.ROLE_ID,
                'implied_role_id': json_home.Parameters.ROLE_ID
            })
        self._add_resource(
            mapper,
            implied_roles_controller,
            path='/role_inferences',
            get_action='list_role_inference_rules',
            rel=json_home.build_v3_resource_relation('role_inferences'),
            status=json_home.Status.EXPERIMENTAL,
            path_vars={})

        grant_controller = controllers.GrantAssignmentV3()
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('project_user_role'),
            path_vars={
                'project_id': json_home.Parameters.PROJECT_ID,
                'role_id': json_home.Parameters.ROLE_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('project_group_role'),
            path_vars={
                'group_id': json_home.Parameters.GROUP_ID,
                'project_id': json_home.Parameters.PROJECT_ID,
                'role_id': json_home.Parameters.ROLE_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/users/{user_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('project_user_roles'),
            path_vars={
                'project_id': json_home.Parameters.PROJECT_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/groups/{group_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('project_group_roles'),
            path_vars={
                'group_id': json_home.Parameters.GROUP_ID,
                'project_id': json_home.Parameters.PROJECT_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('domain_user_role'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'role_id': json_home.Parameters.ROLE_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('domain_group_role'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'group_id': json_home.Parameters.GROUP_ID,
                'role_id': json_home.Parameters.ROLE_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/users/{user_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('domain_user_roles'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/groups/{group_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('domain_group_roles'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'group_id': json_home.Parameters.GROUP_ID,
            })

        self._add_resource(
            mapper,
            controllers.RoleAssignmentV3(),
            path='/role_assignments',
            get_action='list_role_assignments_wrapper',
            rel=json_home.build_v3_resource_relation('role_assignments'))

        if CONF.os_inherit.enabled:
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='domain_user_role_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                    'user_id': json_home.Parameters.USER_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='domain_group_role_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants',
                rel=build_os_inherit_relation(
                    resource_name='domain_group_roles_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants',
                rel=build_os_inherit_relation(
                    resource_name='domain_user_roles_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'user_id': json_home.Parameters.USER_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='project_user_role_inherited_to_projects'),
                path_vars={
                    'project_id': json_home.Parameters.PROJECT_ID,
                    'user_id': json_home.Parameters.USER_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/projects/{project_id}/groups/{group_id}/'
                'roles/{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='project_group_role_inherited_to_projects'),
                path_vars={
                    'project_id': json_home.Parameters.PROJECT_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
Beispiel #2
0
    def append_v3_routers(self, mapper, routers):
        routers.append(
            router.Router(controllers.DomainV3(), 'domains', 'domain'))

        project_controller = controllers.ProjectV3()
        routers.append(router.Router(project_controller, 'projects',
                                     'project'))

        self._add_resource(mapper,
                           project_controller,
                           path='/users/{user_id}/projects',
                           get_action='list_user_projects')

        role_controller = controllers.RoleV3()
        routers.append(router.Router(role_controller, 'roles', 'role'))

        self._add_resource(
            mapper,
            role_controller,
            path='/projects/{project_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant')
        self._add_resource(
            mapper,
            role_controller,
            path='/projects/{project_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant')
        self._add_resource(mapper,
                           role_controller,
                           path='/projects/{project_id}/users/{user_id}/roles',
                           get_action='list_grants')
        self._add_resource(
            mapper,
            role_controller,
            path='/projects/{project_id}/groups/{group_id}/roles',
            get_action='list_grants')
        self._add_resource(
            mapper,
            role_controller,
            path='/domains/{domain_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant')
        self._add_resource(
            mapper,
            role_controller,
            path='/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant')
        self._add_resource(mapper,
                           role_controller,
                           path='/domains/{domain_id}/users/{user_id}/roles',
                           get_action='list_grants')
        self._add_resource(mapper,
                           role_controller,
                           path='/domains/{domain_id}/groups/{group_id}/roles',
                           get_action='list_grants')

        routers.append(
            router.Router(controllers.RoleAssignmentV3(), 'role_assignments',
                          'role_assignment'))

        if config.CONF.os_inherit.enabled:
            self._add_resource(
                mapper,
                role_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant')
            self._add_resource(
                mapper,
                role_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant')
            self._add_resource(
                mapper,
                role_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants')
            self._add_resource(
                mapper,
                role_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants')
Beispiel #3
0
    def append_v3_routers(self, mapper, routers):

        project_controller = controllers.ProjectAssignmentV3()
        self._add_resource(
            mapper,
            project_controller,
            path='/users/{user_id}/projects',
            get_action='list_user_projects',
            rel=json_home.build_v3_resource_relation('user_projects'),
            path_vars={
                'user_id': json_home.Parameters.USER_ID,
            })

        routers.append(
            router.Router(controllers.RoleV3(),
                          'roles',
                          'role',
                          resource_descriptions=self.v3_resources))

        grant_controller = controllers.GrantAssignmentV3()
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('project_user_role'),
            path_vars={
                'project_id': json_home.Parameters.PROJECT_ID,
                'role_id': json_home.Parameters.ROLE_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('project_group_role'),
            path_vars={
                'group_id': json_home.Parameters.GROUP_ID,
                'project_id': json_home.Parameters.PROJECT_ID,
                'role_id': json_home.Parameters.ROLE_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/users/{user_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('project_user_roles'),
            path_vars={
                'project_id': json_home.Parameters.PROJECT_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/projects/{project_id}/groups/{group_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('project_group_roles'),
            path_vars={
                'group_id': json_home.Parameters.GROUP_ID,
                'project_id': json_home.Parameters.PROJECT_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/users/{user_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('domain_user_role'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'role_id': json_home.Parameters.ROLE_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
            get_head_action='check_grant',
            put_action='create_grant',
            delete_action='revoke_grant',
            rel=json_home.build_v3_resource_relation('domain_group_role'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'group_id': json_home.Parameters.GROUP_ID,
                'role_id': json_home.Parameters.ROLE_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/users/{user_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('domain_user_roles'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'user_id': json_home.Parameters.USER_ID,
            })
        self._add_resource(
            mapper,
            grant_controller,
            path='/domains/{domain_id}/groups/{group_id}/roles',
            get_action='list_grants',
            rel=json_home.build_v3_resource_relation('domain_group_roles'),
            path_vars={
                'domain_id': json_home.Parameters.DOMAIN_ID,
                'group_id': json_home.Parameters.GROUP_ID,
            })

        routers.append(
            router.Router(controllers.RoleAssignmentV3(),
                          'role_assignments',
                          'role_assignment',
                          resource_descriptions=self.v3_resources,
                          is_entity_implemented=False))

        if CONF.os_inherit.enabled:
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='domain_user_role_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                    'user_id': json_home.Parameters.USER_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='domain_group_role_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants',
                rel=build_os_inherit_relation(
                    resource_name='domain_group_roles_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/'
                'inherited_to_projects',
                get_action='list_grants',
                rel=build_os_inherit_relation(
                    resource_name='domain_user_roles_inherited_to_projects'),
                path_vars={
                    'domain_id': json_home.Parameters.DOMAIN_ID,
                    'user_id': json_home.Parameters.USER_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/'
                '{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='project_user_role_inherited_to_projects'),
                path_vars={
                    'project_id': json_home.Parameters.PROJECT_ID,
                    'user_id': json_home.Parameters.USER_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
            self._add_resource(
                mapper,
                grant_controller,
                path='/OS-INHERIT/projects/{project_id}/groups/{group_id}/'
                'roles/{role_id}/inherited_to_projects',
                get_head_action='check_grant',
                put_action='create_grant',
                delete_action='revoke_grant',
                rel=build_os_inherit_relation(
                    resource_name='project_group_role_inherited_to_projects'),
                path_vars={
                    'project_id': json_home.Parameters.PROJECT_ID,
                    'group_id': json_home.Parameters.GROUP_ID,
                    'role_id': json_home.Parameters.ROLE_ID,
                })
Beispiel #4
0
def append_v3_routers(mapper, routers):
    routers.append(router.Router(controllers.DomainV3(), 'domains', 'domain'))

    project_controller = controllers.ProjectV3()
    routers.append(router.Router(project_controller, 'projects', 'project'))
    mapper.connect('/users/{user_id}/projects',
                   controller=project_controller,
                   action='list_user_projects',
                   conditions=dict(method=['GET']))

    role_controller = controllers.RoleV3()
    routers.append(router.Router(role_controller, 'roles', 'role'))
    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='create_grant',
                   conditions=dict(method=['PUT']))
    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='create_grant',
                   conditions=dict(method=['PUT']))
    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='check_grant',
                   conditions=dict(method=['HEAD']))
    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='check_grant',
                   conditions=dict(method=['HEAD']))
    mapper.connect('/projects/{project_id}/users/{user_id}/roles',
                   controller=role_controller,
                   action='list_grants',
                   conditions=dict(method=['GET']))
    mapper.connect('/projects/{project_id}/groups/{group_id}/roles',
                   controller=role_controller,
                   action='list_grants',
                   conditions=dict(method=['GET']))
    mapper.connect('/projects/{project_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='revoke_grant',
                   conditions=dict(method=['DELETE']))
    mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='revoke_grant',
                   conditions=dict(method=['DELETE']))
    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='create_grant',
                   conditions=dict(method=['PUT']))
    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='create_grant',
                   conditions=dict(method=['PUT']))
    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='check_grant',
                   conditions=dict(method=['HEAD']))
    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='check_grant',
                   conditions=dict(method=['HEAD']))
    mapper.connect('/domains/{domain_id}/users/{user_id}/roles',
                   controller=role_controller,
                   action='list_grants',
                   conditions=dict(method=['GET']))
    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles',
                   controller=role_controller,
                   action='list_grants',
                   conditions=dict(method=['GET']))
    mapper.connect('/domains/{domain_id}/users/{user_id}/roles/{role_id}',
                   controller=role_controller,
                   action='revoke_grant',
                   conditions=dict(method=['DELETE']))
    mapper.connect('/domains/{domain_id}/groups/{group_id}/roles/{role_id}',
                   controller=role_controller,
                   action='revoke_grant',
                   conditions=dict(method=['DELETE']))

    if config.CONF.os_inherit.enabled:
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='create_grant',
                       conditions=dict(method=['PUT']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='create_grant',
                       conditions=dict(method=['PUT']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='check_grant',
                       conditions=dict(method=['HEAD']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='check_grant',
                       conditions=dict(method=['HEAD']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
                        '/roles/inherited_to_projects'),
                       controller=role_controller,
                       action='list_grants',
                       conditions=dict(method=['GET']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
                        '/roles/inherited_to_projects'),
                       controller=role_controller,
                       action='list_grants',
                       conditions=dict(method=['GET']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/users/{user_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='revoke_grant',
                       conditions=dict(method=['DELETE']))
        mapper.connect(('/OS-INHERIT/domains/{domain_id}/groups/{group_id}'
                        '/roles/{role_id}/inherited_to_projects'),
                       controller=role_controller,
                       action='revoke_grant',
                       conditions=dict(method=['DELETE']))
    routers.append(
        router.Router(controllers.RoleAssignmentV3(), 'role_assignments',
                      'role_assignment'))