Exemplo n.º 1
def on_identity_loaded(sender, identity):
    """Attach admin and tenant-membership needs to a loaded identity.

    An authenticated user with the admin role in systenant receives the
    global ``('role', 'admin')`` need.  For every tenant in which the user
    has a member role, a tenant-scoped ``('role', 'member', <tenant id>)``
    need is added.

    Nothing is granted when the identity is anonymous or when the current
    endpoint is listed in the ``ANONYMOUS_ALLOWED`` config entry.  The
    endpoint check applies to authenticated users too, so views on that list
    cannot rely on role needs being present.

    Args:
        sender: signal sender; not used here.
        identity: identity object whose ``provides`` set is extended in place.
    """
    anonymous = identity.name == 'anon'
    open_endpoints = flask.current_app.config['ANONYMOUS_ALLOWED']
    if flask.request.endpoint in open_endpoints or anonymous:
        # No Keystone lookup and no needs for unauthenticated access paths.
        return

    role_manager = clients.admin_clients().identity_admin.roles
    admin_seen = False
    for assignment in role_manager.roles_for_user(identity.name):
        # The admin check runs for every assignment, as in the original loop.
        admin_seen |= bool(clients.role_tenant_is_admin(assignment))
        if clients.role_is_member(assignment.role["name"]):
            # The member need carries the tenant id, so it is valid only
            # for that tenant.
            member_need = ('role', 'member', assignment.tenant["id"])
            identity.provides.add(member_need)

    # The admin need has no tenant id: one qualifying assignment grants it
    # globally.
    if admin_seen:
        identity.provides.add(('role', 'admin'))
Exemplo n.º 2
def on_identity_loaded(sender, identity):
    """Populate ``identity.provides`` with role needs from Keystone.

    Granted needs:
      * ``('role', 'admin')`` when at least one of the user's role
        assignments passes ``clients.role_tenant_is_admin`` (the admin
        role in systenant);
      * ``('role', 'member', tenant_id)`` for each assignment whose role
        name passes ``clients.role_is_member``.

    The handler returns without granting anything for the anonymous
    identity and for endpoints named in ``ANONYMOUS_ALLOWED``.  That list
    is therefore an authorization bypass by design and should stay minimal.

    Args:
        sender: signal sender; unused.
        identity: the identity being loaded; mutated in place.
    """
    unauthenticated = identity.name == 'anon'
    exempt = flask.current_app.config['ANONYMOUS_ALLOWED']
    endpoint_exempt = flask.request.endpoint in exempt
    if endpoint_exempt or unauthenticated:
        return

    keystone_roles = clients.admin_clients().identity_admin.roles
    assignments = keystone_roles.roles_for_user(identity.name)

    grant_admin = False
    for entry in assignments:
        if clients.role_tenant_is_admin(entry):
            grant_admin = True
        if not clients.role_is_member(entry.role["name"]):
            continue
        # Membership is scoped to the tenant the role was assigned in.
        identity.provides.add(('role', 'member', entry.tenant["id"]))

    # Admin is a single global need, added once after all assignments
    # have been inspected.
    if grant_admin:
        identity.provides.add(('role', 'admin'))
Exemplo n.º 3
Arquivo: utils.py Projeto: altai/focus
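def user_tenants_list(keystone_user):
    """Return the tenants in which keystone_user has an admin or member role.

    Important: should return dicts instead of Keystone client internal
    objects, because this value will be stored in session and cannot be
    normally serialized.

    Args:
        keystone_user: user reference passed unchanged to Keystone's
            ``roles_for_user`` lookup.

    Returns:
        A ``list`` holding one ``role_tenant.tenant`` entry per distinct
        tenant id.  A real list is built explicitly: on Python 3
        ``dict.values()`` is a view object, which is neither a list nor
        serializable for session storage.
    """
    roles = (clients.admin_clients().identity_admin.roles.
             roles_for_user(keystone_user))
    # Keyed by tenant id so a user holding several roles in the same tenant
    # yields a single entry.
    user_tenants = {}
    for role_tenant in roles:
        role_name = role_tenant.role["name"]
        if (clients.role_is_admin(role_name) or
                clients.role_is_member(role_name)):
            user_tenants[role_tenant.tenant["id"]] = role_tenant.tenant
    # NOTE(review): the result is a snapshot; if it is cached in the session
    # as the docstring says, a revoked role presumably stays listed until
    # the cached value is refreshed -- confirm against the caller.
    return list(user_tenants.values())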
Exemplo n.º 4
Arquivo: utils.py Projeto: altai/focus
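def user_tenants_list(keystone_user):
    """List the tenants where keystone_user holds an admin or member role.

    Important: should return dicts instead of Keystone client internal
    objects, because this value will be stored in session and cannot be
    normally serialized.

    Args:
        keystone_user: user reference handed to ``roles_for_user``.

    Returns:
        list: the ``tenant`` value of each matching role assignment,
        de-duplicated by tenant id.  The ``dict.values()`` result is
        materialized with ``list()`` so the return type matches this
        contract on Python 3 as well, where ``values()`` is a
        non-serializable view.
    """
    roles = (clients.admin_clients().identity_admin.roles.roles_for_user(
        keystone_user))
    tenants_by_id = {}
    for role_tenant in roles:
        name = role_tenant.role["name"]
        # Roles other than admin or member do not make a tenant visible.
        if not (clients.role_is_admin(name) or clients.role_is_member(name)):
            continue
        # A later assignment for the same tenant id overwrites the earlier
        # one, so each tenant appears once.
        tenants_by_id[role_tenant.tenant["id"]] = role_tenant.tenant
    return list(tenants_by_id.values())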