def rolegrant_get_by_ids(self, user_id, role_id, tenant_id):
conn = self.api.get_connection()
user_dn = self.api.user._id_to_dn(user_id)
query = '(&(objectClass=keystoneTenantRole)(member=%s))' % (user_dn,)
if tenant_id is not None:
tenant_dn = self.api.tenant._id_to_dn(tenant_id)
try:
roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
except ldap.NO_SUCH_OBJECT:
return None
if len(roles) == 0:
return None
for role_dn, _ in roles:
ldap_role_id = self._dn_to_id(role_dn)
if role_id == ldap_role_id:
res = models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
user_id=user_id,
role_id=role_id,
tenant_id=tenant_id)
return res
else:
try:
roles = self.get_all('(member=%s)' % (user_dn,))
except ldap.NO_SUCH_OBJECT:
return None
if len(roles) == 0:
return None
for role in roles:
if role.id == role_id:
return models.UserRoleAssociation(
id=self._create_ref(role.id, None, user_id),
role_id=role.id,
user_id=user_id)
return None
def list_tenant_roles_for_user(self, user_id, tenant_id=None):
conn = self.api.get_connection()
user_dn = self.api.user._id_to_dn(user_id)
query = '(&(objectClass=keystoneTenantRole)(member=%s))' % (user_dn,)
if tenant_id is not None:
tenant_dn = self.api.tenant._id_to_dn(tenant_id)
try:
roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
except ldap.NO_SUCH_OBJECT:
return []
res = []
for role_dn, _ in roles:
role_id = self._dn_to_id(role_dn)
res.append(models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
user_id=user_id,
role_id=role_id,
tenant_id=tenant_id))
return res
else:
try:
roles = conn.search_s(self.api.tenant.tree_dn,
ldap.SCOPE_SUBTREE, query)
except ldap.NO_SUCH_OBJECT:
return []
res = []
for role_dn, _ in roles:
role_id = self._dn_to_id(role_dn)
tenant_id = ldap.dn.str2dn(role_dn)[1][0][1]
res.append(models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
user_id=user_id,
role_id=role_id,
tenant_id=tenant_id))
return res
def add_user(self, role_id, user_id, tenant_id=None):
user = self.api.user.get(user_id)
if user is None:
raise exception.NotFound("User %s not found" % (user_id,))
role_dn = self._subrole_id_to_dn(role_id, tenant_id)
conn = self.api.get_connection()
user_dn = self.api.user._id_to_dn(user_id)
try:
conn.modify_s(role_dn, [(ldap.MOD_ADD, 'member', user_dn)])
except ldap.TYPE_OR_VALUE_EXISTS:
raise exception.Duplicate(
"User %s already has role %s in tenant %s" % (user_id,
role_id, tenant_id))
except ldap.NO_SUCH_OBJECT:
if tenant_id is None or self.get(role_id) is None:
raise exception.NotFound("Role %s not found" % (role_id,))
if tenant_id is not None:
tenant_dn = self.api.tenant._id_to_dn(tenant_id)
else:
tenant_dn = None
attrs = [
('objectClass', ['keystoneTenantRole', 'groupOfNames']),
('member', [user_dn]),
('keystoneRole', self._id_to_dn(role_id)),
]
if self.use_dumb_member:
attrs[1][1].append(self.DUMB_MEMBER_DN)
conn.add_s(role_dn, attrs)
return models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
role_id=role_id, user_id=user_id, tenant_id=tenant_id)
def rolegrant_list_by_role(self, id):
role_dn = self._id_to_dn(id)
try:
roles = self.get_all('(keystoneRole=%s)' % (role_dn,))
except ldap.NO_SUCH_OBJECT:
return []
res = []
for role_dn, attrs in roles:
try:
user_dns = attrs['member']
tenant_dns = attrs['tenant']
except KeyError:
continue
for user_dn in user_dns:
if self.use_dumb_member and user_dn == self.DUMB_MEMBER_DN:
continue
user_id = self.api.user._dn_to_id(user_dn)
tenant_id = None
if tenant_dns is not None:
for tenant_dn in tenant_dns:
tenant_id = self.api.tenant._dn_to_id(tenant_dn)
role_id = self._dn_to_id(role_dn)
res.append(models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
user_id=user_id,
role_id=role_id,
tenant_id=tenant_id))
return res
def list_global_roles_for_user(self, user_id):
user_dn = self.api.user._id_to_dn(user_id)
roles = self.get_all('(member=%s)' % (user_dn,))
return [models.UserRoleAssociation(
id=self._create_ref(role.id, None, user_id),
role_id=role.id,
user_id=user_id) for role in roles]
def get_role_assignments(self, tenant_id):
conn = self.api.get_connection()
query = '(objectClass=keystoneTenantRole)'
tenant_dn = self.api.tenant._id_to_dn(tenant_id)
try:
roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
except ldap.NO_SUCH_OBJECT:
return []
res = []
for role_dn, attrs in roles:
try:
user_dns = attrs['member']
except KeyError:
continue
for user_dn in user_dns:
if self.use_dumb_member and user_dn == self.DUMB_MEMBER_DN:
continue
user_id = self.api.user._dn_to_id(user_dn)
role_id = self._dn_to_id(role_dn)
res.append(models.UserRoleAssociation(
id=self._create_ref(role_id, tenant_id, user_id),
user_id=user_id,
role_id=role_id,
tenant_id=tenant_id))
return res
def rolegrant_get(self, id):
role_id, tenant_id, user_id = self._explode_ref(id)
user_dn = self.api.user._id_to_dn(user_id)
role_dn = self._subrole_id_to_dn(role_id, tenant_id)
query = '(&(objectClass=keystoneTenantRole)(member=%s))' % (user_dn,)
conn = self.api.get_connection()
try:
res = conn.search_s(role_dn, ldap.SCOPE_BASE, query)
except ldap.NO_SUCH_OBJECT:
return None
if len(res) == 0:
return None
return models.UserRoleAssociation(id=id, role_id=role_id,
tenant_id=tenant_id, user_id=user_id)
