def delete_tenant(self, tenant_id):
try:
old_tenant = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_id)
self.db.delete('tenant_name-%s' % old_tenant['name'])
self.db.delete('tenant-%s' % tenant_id)
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
"""Add a role to a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
self.assert_admin(context)
if tenant_id is None:
raise exception.NotImplemented(message='User roles not supported: '
'tenant_id required')
if self.identity_api.get_user(context, user_id) is None:
raise exception.UserNotFound(user_id=user_id)
if self.identity_api.get_tenant(context, tenant_id) is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
if self.identity_api.get_role(context, role_id) is None:
raise exception.RoleNotFound(role_id=role_id)
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
self.identity_api.add_role_to_user_and_tenant(context, user_id,
tenant_id, role_id)
role_ref = self.identity_api.get_role(context, role_id)
return {'role': role_ref}
def get_tenant_users(self, context, tenant_id, **kw):
self.assert_admin(context)
if self.identity_api.get_tenant(context, tenant_id) is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
user_refs = self.identity_api.get_tenant_users(context, tenant_id)
return {'users': user_refs}
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
"""Remove a role from a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
self.assert_admin(context)
if tenant_id is None:
raise exception.NotImplemented(message='User roles not supported: '
'tenant_id required')
if self.identity_api.get_user(context, user_id) is None:
raise exception.UserNotFound(user_id=user_id)
if self.identity_api.get_tenant(context, tenant_id) is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
if self.identity_api.get_role(context, role_id) is None:
raise exception.RoleNotFound(role_id=role_id)
# This still has the weird legacy semantics that adding a role to
# a user also adds them to a tenant, so we must follow up on that
self.identity_api.remove_role_from_user_and_tenant(
context, user_id, tenant_id, role_id)
roles = self.identity_api.get_roles_for_user_and_tenant(
context, user_id, tenant_id)
if not roles:
self.identity_api.remove_user_from_tenant(context, tenant_id,
user_id)
self.token_api.revoke_tokens(context, user_id, tenant_id)
def get_tenant(self, context, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
tenant = self.identity_api.get_tenant(context, tenant_id)
if tenant is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
return {'tenant': tenant}
def update_tenant(self, context, tenant_id, tenant):
self.assert_admin(context)
if self.identity_api.get_tenant(context, tenant_id) is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
tenant_ref = self.identity_api.update_tenant(context, tenant_id,
tenant)
return {'tenant': tenant_ref}
def get_by_name(self, name, filter=None): # pylint: disable=W0221,W0613
search_filter = ('(%s=%s)' % (self.attribute_mapping['name'],
ldap_filter.escape_filter_chars(name)))
tenants = self.get_all(search_filter)
try:
return tenants[0]
except IndexError:
raise exception.TenantNotFound(tenant_id=name)
def delete_tenant(self, tenant_id):
session = self.get_session()
with session.begin():
session.query(UserTenantMembership)\
.filter_by(tenant_id=tenant_id).delete(False)
session.query(Metadata)\
.filter_by(tenant_id=tenant_id).delete(False)
if not session.query(Tenant).filter_by(id=tenant_id).delete(False):
raise exception.TenantNotFound(tenant_id=tenant_id)
def update(self, id, values):
try:
old_obj = self.get(id)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=id)
if old_obj['name'] != values['name']:
msg = 'Changing Name not supported by LDAP'
raise exception.NotImplemented(message=msg)
super(TenantApi, self).update(id, values, old_obj)
def _assert_valid_tenant_id(self, context, tenant_id):
"""Ensure a valid tenant id.
:param context: standard context
:param user_id: expected credential owner
:raises exception.UserNotFound: on failure
"""
tenant_ref = self.identity_api.get_tenant(context=context,
tenant_id=tenant_id)
if not tenant_ref:
raise exception.TenantNotFound(tenant_id=tenant_id)
def delete_tenant(self, tenant_id):
session = self.get_session()
try:
tenant_ref = session.query(Tenant).filter_by(id=tenant_id).one()
except sql.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_id)
with session.begin():
q = session.query(UserTenantMembership)
q = q.filter_by(tenant_id=tenant_id)
q.delete(False)
q = session.query(UserProjectMetadata)
q = q.filter_by(tenant_id=tenant_id)
q.delete(False)
if not session.query(Tenant).filter_by(id=tenant_id).delete(False):
raise exception.TenantNotFound(tenant_id=tenant_id)
session.delete(tenant_ref)
session.flush()
def create_user(self, context, user):
user = self._normalize_dict(user)
self.assert_admin(context)
tenant_id = user.get('tenantId', None)
if (tenant_id is not None
and self.identity_api.get_tenant(context, tenant_id) is None):
raise exception.TenantNotFound(tenant_id=tenant_id)
user_id = uuid.uuid4().hex
user_ref = user.copy()
user_ref['id'] = user_id
new_user_ref = self.identity_api.create_user(context, user_id,
user_ref)
if tenant_id:
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
return {'user': new_user_ref}
def update_project(self, project_id, project):
session = self.get_session()
with session.begin():
ref = session.query(Tenant).filter_by(id=project_id).first()
if ref is None:
raise exception.TenantNotFound(project_id=project_id)
old_dict = ref.to_dict()
for k in project:
old_dict[k] = project[k]
new_project = Tenant.from_dict(old_dict)
for attr in Tenant.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_project, attr))
ref.extra = new_project.extra
session.flush()
return ref.to_dict()
def update_tenant(self, tenant_id, tenant):
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
session = self.get_session()
with session.begin():
tenant_ref = session.query(Tenant).filter_by(id=tenant_id).first()
if tenant_ref is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
old_tenant_dict = tenant_ref.to_dict()
for k in tenant:
old_tenant_dict[k] = tenant[k]
new_tenant = Tenant.from_dict(old_tenant_dict)
tenant_ref.name = new_tenant.name
tenant_ref.extra = new_tenant.extra
session.flush()
return tenant_ref
def create_user(self, context, user):
user = self._normalize_dict(user)
self.assert_admin(context)
if not 'name' in user or not user['name']:
msg = 'Name field is required and cannot be empty'
raise exception.ValidationError(message=msg)
tenant_id = user.get('tenantId', None)
if (tenant_id is not None
and self.identity_api.get_tenant(context, tenant_id) is None):
raise exception.TenantNotFound(tenant_id=tenant_id)
user_id = uuid.uuid4().hex
user_ref = user.copy()
user_ref['id'] = user_id
new_user_ref = self.identity_api.create_user(context, user_id,
user_ref)
if tenant_id:
self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
return {'user': new_user_ref}
def update_tenant(self, tenant_id, tenant):
session = self.get_session()
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
try:
tenant_ref = session.query(Tenant).filter_by(id=tenant_id).one()
except sql.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_id)
with session.begin():
old_tenant_dict = tenant_ref.to_dict()
for k in tenant:
old_tenant_dict[k] = tenant[k]
new_tenant = Tenant.from_dict(old_tenant_dict)
tenant_ref.name = new_tenant.name
tenant_ref.extra = new_tenant.extra
session.flush()
return tenant_ref.to_dict(include_extra_dict=True)
def get_user_roles(self, context, user_id, tenant_id=None):
"""Get the roles for a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
if tenant_id is None:
raise exception.NotImplemented(message='User roles not supported: '
'tenant ID required')
user = self.identity_api.get_user(context, user_id)
if user is None:
raise exception.UserNotFound(user_id=user_id)
tenant = self.identity_api.get_tenant(context, tenant_id)
if tenant is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
roles = self.identity_api.get_roles_for_user_and_tenant(
context, user_id, tenant_id)
return {'roles': [self.identity_api.get_role(context, x)
for x in roles]}
def update_tenant(self, tenant_id, tenant):
if 'name' in tenant:
tenant['name'] = clean.tenant_name(tenant['name'])
try:
existing = self.db.get('tenant_name-%s' % tenant['name'])
if existing and tenant_id != existing['id']:
msg = 'Duplicate name, %s.' % tenant['name']
raise exception.Conflict(type='tenant', details=msg)
except exception.NotFound:
pass
# get the old name and delete it too
try:
old_tenant = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_id)
new_tenant = old_tenant.copy()
new_tenant.update(tenant)
new_tenant['id'] = tenant_id
self.db.delete('tenant_name-%s' % old_tenant['name'])
self.db.set('tenant-%s' % tenant_id, new_tenant)
self.db.set('tenant_name-%s' % new_tenant['name'], new_tenant)
return new_tenant
def get_tenant_by_name(self, tenant_name):
session = self.get_session()
tenant_ref = session.query(Tenant).filter_by(name=tenant_name).first()
if not tenant_ref:
raise exception.TenantNotFound(tenant_id=tenant_name)
return tenant_ref.to_dict()
def get_tenant(self, tenant_id):
session = self.get_session()
tenant_ref = session.query(Tenant).filter_by(id=tenant_id).first()
if tenant_ref is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
return tenant_ref.to_dict()
def delete_tenant(self, context, tenant_id, **kw):
self.assert_admin(context)
if self.identity_api.get_tenant(context, tenant_id) is None:
raise exception.TenantNotFound(tenant_id=tenant_id)
self.identity_api.delete_tenant(context, tenant_id)
def get_tenant(self, tenant_id):
try:
return self.tenant.get(tenant_id)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_id)
def get_tenant_by_name(self, tenant_name):
try:
return self.tenant.get_by_name(tenant_name)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=tenant_name)
def get(self, id, filter=None):
"""Replaces exception.NotFound with exception.TenantNotFound."""
try:
return super(TenantApi, self).get(id, filter)
except exception.NotFound:
raise exception.TenantNotFound(tenant_id=id)
def delete_tenant(self, tenant_id):
try:
return self.tenant.delete(tenant_id)
except ldap.NO_SUCH_OBJECT:
raise exception.TenantNotFound(tenant_id=tenant_id)