def _require_user_has_role_in_project(self, roles, user_id, project_id):
    """Ensure the user holds every role in ``roles`` on the project.

    :param roles: iterable of role dicts; only each dict's ``'id'`` is read.
    :param user_id: user whose roles are looked up.
    :param project_id: project the lookup is scoped to.
    :raises exception.RoleAssignmentNotFound: for the first listed role
        whose id is not among the ids returned by
        ``self._get_user_roles(user_id, project_id)``.
    """
    held_role_ids = self._get_user_roles(user_id, project_id)
    # All-of semantics: a single missing role is enough to fail the check,
    # and an empty ``roles`` passes without any role being required.
    for wanted in roles:
        wanted_id = wanted['id']
        if wanted_id in held_role_ids:
            continue
        raise exception.RoleAssignmentNotFound(role_id=wanted_id,
                                               actor_id=user_id,
                                               target_id=project_id)
def delete_grant(self, role_id, user_id=None, group_id=None,
                 domain_id=None, project_id=None,
                 inherited_to_projects=False):
    """Remove ``role_id`` from a user's or group's roles on a project.

    The group helper is used when ``user_id`` is None, otherwise the user
    helper; whichever list it returns is stored under
    ``metadata_ref['roles']``.

    :raises exception.RoleAssignmentNotFound: when the removal helper raises
        ``exception.RoleNotFound`` or ``KeyError``.
    """
    # Missing metadata is treated as "no grants recorded yet".
    try:
        metadata_ref = self._get_metadata(user_id, project_id,
                                          domain_id, group_id)
    except exception.MetadataNotFound:
        metadata_ref = {}

    # NOTE(review): only project_id reaches the removal helpers; domain_id
    # and inherited_to_projects are not passed on, so a domain-scoped or
    # inherited grant is not distinguished here -- confirm that is intended.
    try:
        if user_id is not None:
            remaining = self.remove_role_from_user_and_project(
                user_id, project_id, role_id)
        else:
            remaining = self._remove_role_from_group_and_project(
                group_id, project_id, role_id)
        metadata_ref['roles'] = remaining
    except (exception.RoleNotFound, KeyError):
        # The ids below only label the error; user_id wins over group_id
        # and domain_id over project_id when both are supplied.
        raise exception.RoleAssignmentNotFound(
            role_id=role_id,
            actor_id=user_id or group_id,
            target_id=domain_id or project_id)
    # NOTE(review): metadata_ref is updated but not written back in the
    # lines shown; the listing may stop short of the persistence step.
def delete_grant(self, role_id, user_id=None, group_id=None,
                 domain_id=None, project_id=None,
                 inherited_to_projects=False):
    """Verify that a grant exists, then remove the role from its actor.

    ``check_grant_role_id`` is called first with every argument forwarded;
    the removal then goes to the group helper when ``user_id`` is None and
    to the user helper otherwise.

    :raises exception.RoleAssignmentNotFound: when the removal helper raises
        ``exception.RoleNotFound`` or ``KeyError``. Anything raised by
        ``check_grant_role_id`` propagates unchanged.
    """
    self.check_grant_role_id(role_id,
                             user_id=user_id,
                             group_id=group_id,
                             domain_id=domain_id,
                             project_id=project_id,
                             inherited_to_projects=inherited_to_projects)
    # NOTE(review): the existence check and the removal are two separate
    # calls and nothing visible here makes them atomic -- confirm how a
    # concurrent change between the two is handled.
    try:
        if user_id is not None:
            self.remove_role_from_user_and_project(user_id, project_id,
                                                   role_id)
        else:
            self._remove_role_from_group_and_project(group_id, project_id,
                                                     role_id)
    except (exception.RoleNotFound, KeyError):
        # The ids below only label the error; user_id wins over group_id
        # and domain_id over project_id when both are supplied.
        raise exception.RoleAssignmentNotFound(
            role_id=role_id,
            actor_id=user_id or group_id,
            target_id=domain_id or project_id)
def _require_user_has_role_in_project(self, roles, user_id, project_id):
    """Ensure the user holds every role in ``roles`` on the project.

    :param roles: iterable of role dicts; only each dict's ``'id'`` is read.
    :param user_id: user whose roles are looked up.
    :param project_id: project the lookup is scoped to.
    :raises exception.RoleAssignmentNotFound: for the first listed role
        whose id equals none of the ids returned by
        ``self._get_user_roles(user_id, project_id)``.
    """
    held_role_ids = self._get_user_roles(user_id, project_id)
    # All-of semantics: a single missing role is enough to fail the check,
    # and an empty ``roles`` passes without any role being required.
    for wanted in roles:
        wanted_id = wanted['id']
        # Equality scan over the whole collection rather than an ``in``
        # test, as in the original.
        hits = [held for held in held_role_ids if held == wanted_id]
        if hits:
            continue
        raise exception.RoleAssignmentNotFound(role_id=wanted_id,
                                               actor_id=user_id,
                                               target_id=project_id)
def delete_system_grant(self, role_id, actor_id, target_id, inherited):
    """Delete the system role assignment matching all four fields.

    :raises exception.RoleAssignmentNotFound: when the delete reports a
        falsy result, i.e. no ``SystemRoleAssignment`` row matched.
    """
    with sql.session_for_write() as session:
        matching = (
            session.query(SystemRoleAssignment)
            .filter_by(actor_id=actor_id)
            .filter_by(target_id=target_id)
            .filter_by(role_id=role_id)
            .filter_by(inherited=inherited)
        )
        # Assuming a SQLAlchemy Query, the positional False is
        # synchronize_session: objects already loaded in the session are
        # not reconciled with the bulk delete.
        removed = matching.delete(False)
        if not removed:
            # Revoking a grant that does not exist is reported to the
            # caller rather than treated as success.
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=actor_id,
                target_id=target_id,
            )
def delete_grant(self, role_id, user_id=None, group_id=None,
                 domain_id=None, project_id=None,
                 inherited_to_projects=False):
    """Delete the grant rows selected by ``_build_grant_filter``.

    All six arguments are forwarded positionally to the filter builder,
    and the resulting query is deleted inside one ``sql.transaction()``.

    :raises exception.RoleAssignmentNotFound: when the delete reports a
        falsy result, i.e. no row matched.
    """
    with sql.transaction() as session:
        grant_query = self._build_grant_filter(
            session, role_id, user_id, group_id, domain_id, project_id,
            inherited_to_projects)
        # Assuming a SQLAlchemy Query, the positional False is
        # synchronize_session: objects already loaded in the session are
        # not reconciled with the bulk delete.
        removed = grant_query.delete(False)
        if not removed:
            # The ids below only label the error; user_id wins over
            # group_id and domain_id over project_id when both are set.
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=user_id or group_id,
                target_id=domain_id or project_id)
def check_system_grant(self, role_id, actor_id, target_id, inherited):
    """Assert that one matching system role assignment exists.

    Returns None on success; the matched row itself is discarded.

    :raises exception.RoleAssignmentNotFound: when ``one()`` raises
        ``sql.NotFound``.
    """
    with sql.session_for_read() as session:
        try:
            # one() is called for its raise-on-miss behaviour only.
            # NOTE(review): only sql.NotFound is translated; any other
            # error from one() propagates as-is.
            (
                session.query(SystemRoleAssignment)
                .filter_by(actor_id=actor_id)
                .filter_by(target_id=target_id)
                .filter_by(role_id=role_id)
                .filter_by(inherited=inherited)
                .one()
            )
        except sql.NotFound:
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=actor_id,
                target_id=target_id,
            )
def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                        domain_id=None, project_id=None,
                        inherited_to_projects=False):
    """Assert that the grant selected by ``_build_grant_filter`` exists.

    Returns None on success; the matched row itself is discarded.

    :raises exception.RoleAssignmentNotFound: when ``one()`` raises
        ``sql.NotFound``.
    """
    with sql.transaction() as session:
        try:
            grant_query = self._build_grant_filter(
                session, role_id, user_id, group_id, domain_id, project_id,
                inherited_to_projects)
            # one() is called for its raise-on-miss behaviour only.
            grant_query.one()
        except sql.NotFound:
            # The ids below only label the error; user_id wins over
            # group_id and domain_id over project_id when both are set.
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=user_id or group_id,
                target_id=domain_id or project_id)
def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                        domain_id=None, project_id=None,
                        inherited_to_projects=False):
    """Assert that ``role_id`` is among the roles stored in the metadata.

    The role dicts under the metadata's ``'roles'`` key are reduced to ids
    by ``_roles_from_role_dicts`` (which also receives
    ``inherited_to_projects``) and ``role_id`` must be one of them.

    :raises exception.RoleAssignmentNotFound: when ``role_id`` is not in
        that set, including when no metadata exists at all.
    """
    # Missing metadata is treated as "no roles granted", so the check
    # below fails closed.
    try:
        metadata_ref = self._get_metadata(user_id, project_id,
                                          domain_id, group_id)
    except exception.MetadataNotFound:
        metadata_ref = {}

    role_dicts = metadata_ref.get('roles', [])
    granted_ids = set(
        self._roles_from_role_dicts(role_dicts, inherited_to_projects))
    if role_id in granted_ids:
        return

    # The ids below only label the error; user_id wins over group_id and
    # domain_id over project_id when both are supplied.
    raise exception.RoleAssignmentNotFound(
        role_id=role_id,
        actor_id=user_id or group_id,
        target_id=domain_id or project_id)
def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                        domain_id=None, project_id=None,
                        inherited_to_projects=False):
    """Assert that a matching role assignment is listed for the actor.

    ``_assert_not_domain_grant(domain_id)`` runs first; the lookup itself
    goes through ``list_role_assignments`` filtered by role, user, group
    and project.

    :raises exception.RoleAssignmentNotFound: when the listing is empty.
    """
    self._assert_not_domain_grant(domain_id)

    # A falsy id becomes an empty filter list, not a one-element list.
    # NOTE(review): with neither user_id nor group_id supplied the lookup
    # is narrowed by role and project only; how list_role_assignments
    # treats a None/empty actor filter is not visible here -- confirm that
    # callers always pass an actor. inherited_to_projects is not forwarded
    # to the lookup either.
    group_filter = [group_id] if group_id else []
    project_filter = [project_id] if project_id else []
    assignments = self.list_role_assignments(role_id=role_id,
                                             user_id=user_id,
                                             group_ids=group_filter,
                                             project_ids=project_filter)
    if assignments:
        return

    # The ids below only label the error; user_id wins over group_id and
    # domain_id over project_id when both are supplied.
    raise exception.RoleAssignmentNotFound(
        role_id=role_id,
        actor_id=user_id or group_id,
        target_id=domain_id or project_id)