Esempio n. 1
 def _require_user_has_role_in_project(self, roles, user_id, project_id):
     """Require that the user holds every role in ``roles`` on the project.

     The role ids held by the user come from
     ``self._get_user_roles(user_id, project_id)``; each entry of ``roles``
     is matched by its ``'id'`` key.

     :raises exception.RoleAssignmentNotFound: for the first required role
         that is missing from the user's roles.

     Note: an empty ``roles`` returns without checking anything, so a
     caller that reads a clean return as "authorised" should make sure the
     list it passes is not empty.
     """
     held_role_ids = self._get_user_roles(user_id, project_id)
     for wanted in roles:
         if wanted['id'] in held_role_ids:
             continue
         # Stop at the first missing role; later entries are not examined.
         raise exception.RoleAssignmentNotFound(
             role_id=wanted['id'],
             actor_id=user_id,
             target_id=project_id,
         )
Esempio n. 2
    def delete_grant(self, role_id, user_id=None, group_id=None,
                     domain_id=None, project_id=None,
                     inherited_to_projects=False):
        """Remove ``role_id`` from a user or group on a project.

        The user path is taken whenever ``user_id`` is not ``None``;
        otherwise the group path is used.

        :raises exception.RoleAssignmentNotFound: when the removal helper
            raises ``exception.RoleNotFound`` or ``KeyError``.

        NOTE(review): ``domain_id`` reaches only the metadata lookup and the
        error's ``target_id``; the removal helpers are always given
        ``project_id``. ``inherited_to_projects`` is not read here at all.
        Confirm that domain-scoped or inherited grants are rejected before
        this method is reached, so that a revoke request cannot be applied
        to a different grant than the one the caller named.
        """
        try:
            grant_metadata = self._get_metadata(user_id, project_id,
                                                domain_id, group_id)
        except exception.MetadataNotFound:
            # No stored metadata: continue with an empty record.
            grant_metadata = {}

        try:
            if user_id is not None:
                remaining = self.remove_role_from_user_and_project(
                    user_id, project_id, role_id)
            else:
                remaining = self._remove_role_from_group_and_project(
                    group_id, project_id, role_id)
            grant_metadata['roles'] = remaining
        except (exception.RoleNotFound, KeyError):
            # Report a missing grant as an error rather than returning
            # quietly, so a failed revoke is not mistaken for success.
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=user_id or group_id,
                target_id=domain_id or project_id)
Esempio n. 3
    def delete_grant(self, role_id, user_id=None, group_id=None,
                     domain_id=None, project_id=None,
                     inherited_to_projects=False):
        """Check that the grant exists, then remove it from the project.

        ``check_grant_role_id`` is called first with every argument; the
        removal then goes through the user helper when ``user_id`` is not
        ``None`` and through the group helper otherwise.

        :raises exception.RoleAssignmentNotFound: when the removal helper
            raises ``exception.RoleNotFound`` or ``KeyError``. Anything
            raised by ``check_grant_role_id`` propagates unchanged.

        NOTE(review): the existence check and the removal are separate
        calls and nothing visible here makes them atomic. The removal
        helpers receive ``project_id`` only; ``domain_id`` and
        ``inherited_to_projects`` are seen by the check alone.
        """
        self.check_grant_role_id(
            role_id,
            user_id=user_id,
            group_id=group_id,
            domain_id=domain_id,
            project_id=project_id,
            inherited_to_projects=inherited_to_projects,
        )

        try:
            if user_id is not None:
                self.remove_role_from_user_and_project(
                    user_id, project_id, role_id)
            else:
                self._remove_role_from_group_and_project(
                    group_id, project_id, role_id)
        except (exception.RoleNotFound, KeyError):
            # A revoke that removed nothing is reported, not swallowed.
            raise exception.RoleAssignmentNotFound(
                role_id=role_id,
                actor_id=user_id or group_id,
                target_id=domain_id or project_id)
Esempio n. 4
 def _require_user_has_role_in_project(self, roles, user_id, project_id):
     """Require that the user holds every role in ``roles`` on the project.

     Each entry of ``roles`` is compared by its ``'id'`` key, using ``==``,
     against the values returned by
     ``self._get_user_roles(user_id, project_id)``.

     :raises exception.RoleAssignmentNotFound: for the first required role
         with no equal entry among the user's roles.

     Note: an empty ``roles`` returns without checking anything, so a
     caller that reads a clean return as "authorised" should make sure the
     list it passes is not empty.
     """
     held_roles = self._get_user_roles(user_id, project_id)
     for wanted in roles:
         is_held = any(held == wanted['id'] for held in held_roles)
         if is_held:
             continue
         raise exception.RoleAssignmentNotFound(
             role_id=wanted['id'],
             actor_id=user_id,
             target_id=project_id,
         )
Esempio n. 5
 def delete_system_grant(self, role_id, actor_id, target_id, inherited):
     """Delete the system role assignment matching all four arguments.

     The query filters ``SystemRoleAssignment`` on ``actor_id``,
     ``target_id``, ``role_id`` and ``inherited`` and deletes what matches
     inside a write session.

     :raises exception.RoleAssignmentNotFound: when the delete call
         returns a falsy value, i.e. nothing was removed.
     """
     with sql.session_for_write() as session:
         assignment_query = (
             session.query(SystemRoleAssignment)
             .filter_by(actor_id=actor_id)
             .filter_by(target_id=target_id)
             .filter_by(role_id=role_id)
             .filter_by(inherited=inherited)
         )
         # NOTE(review): False is passed positionally; presumably this is
         # SQLAlchemy's synchronize_session argument. Confirm.
         removed = assignment_query.delete(False)
         if removed:
             return
         # A revoke that matched no row is an error, so the caller cannot
         # mistake it for a completed revocation.
         raise exception.RoleAssignmentNotFound(
             role_id=role_id, actor_id=actor_id, target_id=target_id
         )
Esempio n. 6
 def delete_grant(self, role_id, user_id=None, group_id=None,
                  domain_id=None, project_id=None,
                  inherited_to_projects=False):
     """Delete the grant selected by ``self._build_grant_filter``.

     All six grant arguments are handed to ``_build_grant_filter`` and the
     resulting query is deleted inside ``sql.transaction()``.

     :raises exception.RoleAssignmentNotFound: when the delete call
         returns a falsy value, i.e. nothing was removed. The error names
         ``user_id or group_id`` as actor and ``domain_id or project_id``
         as target.
     """
     with sql.transaction() as session:
         grant_query = self._build_grant_filter(
             session, role_id, user_id, group_id, domain_id, project_id,
             inherited_to_projects)
         # NOTE(review): False is passed positionally; presumably this is
         # SQLAlchemy's synchronize_session argument. Confirm.
         removed = grant_query.delete(False)
         if removed:
             return
         # A revoke that matched no row is an error, so the caller cannot
         # mistake it for a completed revocation.
         raise exception.RoleAssignmentNotFound(
             role_id=role_id,
             actor_id=user_id or group_id,
             target_id=domain_id or project_id)
Esempio n. 7
 def check_system_grant(self, role_id, actor_id, target_id, inherited):
     """Verify that a matching system role assignment exists.

     The query filters ``SystemRoleAssignment`` on ``actor_id``,
     ``target_id``, ``role_id`` and ``inherited`` inside a read session
     and calls ``one()`` on it. Nothing is returned on success.

     :raises exception.RoleAssignmentNotFound: when the lookup raises
         ``sql.NotFound``. Only that error is translated; anything else
         raised by the query propagates unchanged.
     """
     with sql.session_for_read() as session:
         try:
             (
                 session.query(SystemRoleAssignment)
                 .filter_by(actor_id=actor_id)
                 .filter_by(target_id=target_id)
                 .filter_by(role_id=role_id)
                 .filter_by(inherited=inherited)
                 .one()
             )
         except sql.NotFound:
             raise exception.RoleAssignmentNotFound(
                 role_id=role_id, actor_id=actor_id, target_id=target_id
             )
Esempio n. 8
 def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                         domain_id=None, project_id=None,
                         inherited_to_projects=False):
     """Verify that the grant selected by ``_build_grant_filter`` exists.

     All six grant arguments are handed to ``self._build_grant_filter``
     and ``one()`` is called on the resulting query inside
     ``sql.transaction()``. Nothing is returned on success.

     :raises exception.RoleAssignmentNotFound: when the lookup raises
         ``sql.NotFound``. Only that error is translated; anything else
         raised by the query propagates unchanged. The error names
         ``user_id or group_id`` as actor and ``domain_id or project_id``
         as target.
     """
     with sql.transaction() as session:
         try:
             grant_query = self._build_grant_filter(
                 session, role_id, user_id, group_id, domain_id,
                 project_id, inherited_to_projects)
             grant_query.one()
         except sql.NotFound:
             raise exception.RoleAssignmentNotFound(
                 role_id=role_id,
                 actor_id=user_id or group_id,
                 target_id=domain_id or project_id)
Esempio n. 9
    def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                            domain_id=None, project_id=None,
                            inherited_to_projects=False):
        """Verify that ``role_id`` is among the roles stored for the grant.

        The stored metadata comes from ``self._get_metadata``; its
        ``'roles'`` entry and ``inherited_to_projects`` are passed to
        ``self._roles_from_role_dicts`` to get the role ids to compare
        against. Nothing is returned on success.

        :raises exception.RoleAssignmentNotFound: when ``role_id`` is not
            in that set. Missing metadata is treated as "no roles", so it
            ends in the same error.
        """
        try:
            grant_metadata = self._get_metadata(user_id, project_id,
                                                domain_id, group_id)
        except exception.MetadataNotFound:
            # No metadata is handled like an empty role list (deny).
            grant_metadata = {}

        stored_roles = grant_metadata.get('roles', [])
        granted_ids = set(
            self._roles_from_role_dicts(stored_roles, inherited_to_projects))
        if role_id in granted_ids:
            return

        raise exception.RoleAssignmentNotFound(
            role_id=role_id,
            actor_id=user_id or group_id,
            target_id=domain_id or project_id)
Esempio n. 10
    def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                            domain_id=None, project_id=None,
                            inherited_to_projects=False):
        """Verify that a matching project role assignment is listed.

        ``self._assert_not_domain_grant(domain_id)`` runs first. The check
        passes when ``self.list_role_assignments`` returns a truthy result
        for the role, user, group and project filters. Nothing is returned
        on success.

        :raises exception.RoleAssignmentNotFound: when the listing is
            empty.

        NOTE(review): ``inherited_to_projects`` is not forwarded to the
        lookup, and a falsy ``group_id`` or ``project_id`` becomes an empty
        list filter. Confirm how ``list_role_assignments`` treats empty
        filters and a ``None`` user, so that the check cannot be satisfied
        by an assignment other than the one the caller named.
        """
        self._assert_not_domain_grant(domain_id)

        group_filter = [group_id] if group_id else []
        project_filter = [project_id] if project_id else []
        matches = self.list_role_assignments(
            role_id=role_id,
            user_id=user_id,
            group_ids=group_filter,
            project_ids=project_filter)
        if matches:
            return

        raise exception.RoleAssignmentNotFound(
            role_id=role_id,
            actor_id=user_id or group_id,
            target_id=domain_id or project_id)