def delete_project(self, tenant_id):
session = self.get_session()
try:
tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
with session.begin():
q = session.query(UserProjectGrant)
q = q.filter_by(project_id=tenant_id)
q.delete(False)
q = session.query(UserProjectGrant)
q = q.filter_by(project_id=tenant_id)
q.delete(False)
q = session.query(GroupProjectGrant)
q = q.filter_by(project_id=tenant_id)
q.delete(False)
delete_query = session.query(Project).filter_by(id=tenant_id)
if not delete_query.delete(False):
raise exception.ProjectNotFound(project_id=tenant_id)
session.delete(tenant_ref)
session.flush()
def _lookup_project(self, project_info):
project_id = project_info.get('id')
project_name = project_info.get('name')
try:
if project_name:
if (CONF.resource.project_name_url_safe == 'strict' and
utils.is_not_url_safe(project_name)):
msg = 'Project name cannot contain reserved characters.'
tr_msg = _('Project name cannot contain reserved '
'characters.')
LOG.warning(msg)
raise exception.Unauthorized(message=tr_msg)
if 'domain' not in project_info:
raise exception.ValidationError(attribute='domain',
target='project')
domain_ref = self._lookup_domain(project_info['domain'])
project_ref = PROVIDERS.resource_api.get_project_by_name(
project_name, domain_ref['id'])
else:
project_ref = PROVIDERS.resource_api.get_project(project_id)
domain_id = project_ref['domain_id']
if not domain_id:
raise exception.ProjectNotFound(project_id=project_id)
# NOTE(morganfainberg): The _lookup_domain method will raise
# exception.Unauthorized if the domain isn't found or is
# disabled.
self._lookup_domain({'id': domain_id})
except exception.ProjectNotFound as e:
LOG.warning(e)
raise exception.Unauthorized(e)
self._assert_project_is_enabled(project_ref)
return project_ref
def _get_filtered_project(self, project_id):
"""Ensure the project and parent domain is enabled.
:param project_id: The ID of the project to validate
:return: A dictionary containing up to three keys, the `id` of the
project, the `name` of the project, and the parent `domain`.
"""
project_ref = self.resource_api.get_project(project_id)
if not project_ref.get('enabled'):
msg = _('Unable to validate token because project %(id)s is '
'disabled') % {
'id': project_ref['id']
}
LOG.warning(msg)
raise exception.ProjectNotFound(msg)
filtered_project = {
'id': project_ref['id'],
'name': project_ref['name']
}
if project_ref['domain_id'] is not None:
filtered_project['domain'] = (self._get_filtered_domain(
project_ref['domain_id']))
else:
# Projects acting as a domain do not have a domain_id attribute
filtered_project['domain'] = None
return filtered_project
def get_project_by_name(self, project_name, domain_id):
with sql.session_for_read() as session:
query = session.query(Project)
query = query.filter_by(name=project_name)
if domain_id is None:
query = query.filter_by(domain_id=base.NULL_DOMAIN_ID)
else:
query = query.filter_by(domain_id=domain_id)
try:
project_ref = query.one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=project_name)
if self._is_hidden_ref(project_ref):
raise exception.ProjectNotFound(project_id=project_name)
return project_ref.to_dict()
def delete_project(self, tenant_id):
try:
old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
self.db.delete('tenant_name-%s' % old_project['name'])
self.db.delete('tenant-%s' % tenant_id)
def create_user(self, context, user):
user = self._normalize_dict(user)
self.assert_admin(context)
if 'name' not in user or not user['name']:
msg = 'Name field is required and cannot be empty'
raise exception.ValidationError(message=msg)
if 'enabled' in user and not isinstance(user['enabled'], bool):
msg = 'Enabled field must be a boolean'
raise exception.ValidationError(message=msg)
default_tenant_id = user.get('tenantId', None)
if (default_tenant_id is not None
and self.identity_api.get_project(context,
default_tenant_id) is None):
raise exception.ProjectNotFound(project_id=default_tenant_id)
user_id = uuid.uuid4().hex
user_ref = self._normalize_domain_id(context, user.copy())
user_ref['id'] = user_id
new_user_ref = self.identity_api.create_user(
context, user_id, user_ref)
if default_tenant_id:
self.identity_api.add_user_to_project(context,
default_tenant_id, user_id)
return {'user': self._filter_domain_id(new_user_ref)}
def delete_project(self, project_id):
if self._is_domain(project_id):
try:
self.driver.delete_domain(project_id)
except exception.DomainNotFound:
raise exception.ProjectNotFound(project_id=project_id)
else:
self.driver.delete_project(project_id)
def get_project_by_name(self, project_name, domain_id):
if domain_id is None:
try:
domain_ref = self.driver.get_domain_by_name(project_name)
return get_project_from_domain(domain_ref)
except exception.DomainNotFound:
raise exception.ProjectNotFound(project_id=project_name)
else:
return self.driver.get_project_by_name(project_name, domain_id)
def get_project_by_name(self, tenant_name, domain_id):
with sql.transaction() as session:
query = session.query(Project)
query = query.filter_by(name=tenant_name)
query = query.filter_by(domain_id=domain_id)
try:
project_ref = query.one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name)
return project_ref.to_dict()
def remove_role_from_user_default_org(self, context, role_id, user_id,
application_id):
user = self.identity_api.get_user(user_id)
organization_id = user.get('default_project_id', None)
if organization_id:
self.roles_api.remove_role_from_user(role_id, user_id,
organization_id, application_id)
else:
raise exception.ProjectNotFound(
message='This user has no default organization')
def _assert_valid_project_id(self, tenant_id):
"""Ensure a valid tenant id.
:param context: standard context
:param tenant_id: expected tenant
:raises exception.ProjectNotFound: on failure
"""
tenant_ref = self.identity_api.get_project(tenant_id)
if not tenant_ref:
raise exception.ProjectNotFound(project_id=tenant_id)
def _assert_valid_project_id(self, project_id):
"""Ensure a valid project id.
:param context: standard context
:param project_id: expected project
:raises exception.ProjectNotFound: on failure
"""
project_ref = self.assignment_api.get_project(project_id)
if not project_ref:
raise exception.ProjectNotFound(project_id=project_id)
def _validate_token_resources(self):
if self.project and not self.project.get('enabled'):
msg = _('Unable to validate token because project %(id)s is '
'disabled') % {
'id': self.project_id
}
LOG.warning(msg)
raise exception.ProjectNotFound(msg)
if self.project and not self.project_domain.get('enabled'):
msg = _('Unable to validate token because domain %(id)s is '
'disabled') % {
'id': self.project_domain['id']
}
LOG.warning(msg)
raise exception.DomainNotFound(msg)
def list_role_user_assignments(self, context):
filters = context['query_string']
use_default_org = filters.pop('default_organization', False)
user_id = filters.get('user_id', False)
if use_default_org and user_id:
user = self.identity_api.get_user(user_id)
organization_id = user.get('default_project_id', None)
if not organization_id:
raise exception.ProjectNotFound(
message='This user has no default organization')
filters['organization_id'] = organization_id
ref = self.roles_api.list_role_user_assignments(**filters)
return RoleUserAssignmentV3.wrap_collection(context, ref)
def update_project(self, tenant_id, tenant):
session = self.get_session()
if 'name' in tenant:
tenant['name'] = clean.project_name(tenant['name'])
try:
tenant_ref = session.query(Project).filter_by(id=tenant_id).one()
except sql.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
with session.begin():
old_project_dict = tenant_ref.to_dict()
for k in tenant:
old_project_dict[k] = tenant[k]
new_project = Project.from_dict(old_project_dict)
for attr in Project.attributes:
if attr != 'id':
setattr(tenant_ref, attr, getattr(new_project, attr))
tenant_ref.extra = new_project.extra
session.flush()
return tenant_ref.to_dict(include_extra_dict=True)
def update_project(self, tenant_id, tenant):
if 'name' in tenant:
tenant['name'] = clean.project_name(tenant['name'])
try:
existing = self.db.get('tenant_name-%s' % tenant['name'])
if existing and tenant_id != existing['id']:
msg = 'Duplicate name, %s.' % tenant['name']
raise exception.Conflict(type='tenant', details=msg)
except exception.NotFound:
pass
# get the old name and delete it too
try:
old_project = self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
new_project = old_project.copy()
new_project.update(tenant)
new_project['id'] = tenant_id
self.db.delete('tenant_name-%s' % old_project['name'])
self.db.set('tenant-%s' % tenant_id, new_project)
self.db.set('tenant_name-%s' % new_project['name'], new_project)
return new_project
def _assert_resource_exist(self, unified_limit, target):
try:
service_id = unified_limit.get('service_id')
if service_id is not None:
PROVIDERS.catalog_api.get_service(service_id)
region_id = unified_limit.get('region_id')
if region_id is not None:
PROVIDERS.catalog_api.get_region(region_id)
project_id = unified_limit.get('project_id')
if project_id is not None:
project = PROVIDERS.resource_api.get_project(project_id)
# Keystone now does not support domain-level limits. This
# check can be removed if it'll be supported in the future.
if project['is_domain']:
raise exception.ProjectNotFound(project_id=project_id)
except exception.ServiceNotFound:
raise exception.ValidationError(attribute='service_id',
target=target)
except exception.RegionNotFound:
raise exception.ValidationError(attribute='region_id',
target=target)
except exception.ProjectNotFound:
raise exception.ValidationError(attribute='project_id',
target=target)
def get_project_by_name(self, tenant_name, domain_id):
try:
return self.db.get('tenant_name-%s' % tenant_name)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_name)
def get_project(self, tenant_id):
try:
return self.db.get('tenant-%s' % tenant_id)
except exception.NotFound:
raise exception.ProjectNotFound(project_id=tenant_id)
def _get_project(self, session, project_id):
project_ref = session.query(sql_model.Project).get(project_id)
if project_ref is None or self._is_hidden_ref(project_ref):
raise exception.ProjectNotFound(project_id=project_id)
return project_ref
def _get_project(self, session, project_id):
project_ref = session.query(Project).get(project_id)
if project_ref is None:
raise exception.ProjectNotFound(project_id=project_id)
return project_ref
def get_project(self, tenant_id):
session = self.get_session()
tenant_ref = session.query(Project).filter_by(id=tenant_id).first()
if tenant_ref is None:
raise exception.ProjectNotFound(project_id=tenant_id)
return tenant_ref.to_dict()
def _assert_not_is_domain_project(self, project_id, project_ref=None):
# Projects acting as a domain should not be visible via v2
if not project_ref:
project_ref = self.resource_api.get_project(project_id)
if project_ref.get('is_domain'):
raise exception.ProjectNotFound(project_id)
