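def rolegrant_get_by_ids(self, user_id, role_id, tenant_id):
    """Look up a single role grant by its (user, role, tenant) triple.

    Args:
        user_id: id of the user; resolved to a DN via ``self.api.user``.
        role_id: id of the role the user is expected to hold.
        tenant_id: tenant the grant is scoped to, or ``None`` for a
            global (tenant-less) grant.

    Returns:
        A ``models.UserRoleAssociation`` describing the grant, or ``None``
        when the search base does not exist or no matching grant is found.
    """
    import ldap.filter  # submodule; a bare "import ldap" need not bind it

    conn = self.api.get_connection()
    user_dn = self.api.user._id_to_dn(user_id)
    # The DN is embedded in an LDAP search filter, so it must be
    # filter-escaped: an unescaped '*', '(', ')' or '\' in the id would
    # change the filter's meaning (e.g. widen the match) instead of being
    # compared literally. Ids presumably arrive from callers outside this
    # module -- confirm, but escaping is correct either way.
    safe_user_dn = ldap.filter.escape_filter_chars(user_dn)
    query = ('(&(objectClass=keystoneTenantRole)(member=%s))'
             % (safe_user_dn,))

    if tenant_id is not None:
        tenant_dn = self.api.tenant._id_to_dn(tenant_id)
        try:
            roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
        except ldap.NO_SUCH_OBJECT:
            return None
        # Role entries sit one level below the tenant entry; the role id is
        # derived from each entry's DN.
        for role_dn, _attrs in roles:
            if self._dn_to_id(role_dn) == role_id:
                return models.UserRoleAssociation(
                    id=self._create_ref(role_id, tenant_id, user_id),
                    user_id=user_id,
                    role_id=role_id,
                    tenant_id=tenant_id)
        return None

    try:
        roles = self.get_all('(member=%s)' % (safe_user_dn,))
    except ldap.NO_SUCH_OBJECT:
        return None
    for role in roles:
        if role.id == role_id:
            return models.UserRoleAssociation(
                id=self._create_ref(role.id, None, user_id),
                role_id=role.id,
                user_id=user_id)
    return None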
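def list_tenant_roles_for_user(self, user_id, tenant_id=None):
    """List the tenant-scoped role grants held by a user.

    Args:
        user_id: id of the user; resolved to a DN via ``self.api.user``.
        tenant_id: restrict the listing to this tenant; ``None`` searches
            the whole tenant subtree and derives each grant's tenant from
            the role entry's DN.

    Returns:
        A list of ``models.UserRoleAssociation``; empty when the search
        base does not exist or nothing matches.
    """
    import ldap.filter  # submodule; a bare "import ldap" need not bind it

    conn = self.api.get_connection()
    user_dn = self.api.user._id_to_dn(user_id)
    # Filter-escape the DN before embedding it in the search filter, so
    # that '*', '(', ')' or '\' in the id are matched literally rather than
    # reinterpreted as filter syntax.
    query = ('(&(objectClass=keystoneTenantRole)(member=%s))'
             % (ldap.filter.escape_filter_chars(user_dn),))

    def association(role_dn, scope_tenant_id):
        """Build the grant record for the role entry at ``role_dn``."""
        role_id = self._dn_to_id(role_dn)
        return models.UserRoleAssociation(
            id=self._create_ref(role_id, scope_tenant_id, user_id),
            user_id=user_id,
            role_id=role_id,
            tenant_id=scope_tenant_id)

    if tenant_id is not None:
        tenant_dn = self.api.tenant._id_to_dn(tenant_id)
        try:
            roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
        except ldap.NO_SUCH_OBJECT:
            return []
        return [association(role_dn, tenant_id) for role_dn, _attrs in roles]

    try:
        roles = conn.search_s(self.api.tenant.tree_dn,
                              ldap.SCOPE_SUBTREE, query)
    except ldap.NO_SUCH_OBJECT:
        return []
    res = []
    for role_dn, _attrs in roles:
        # The tenant id is the value of the second RDN of the role entry's
        # DN, i.e. the role entry is assumed to sit directly beneath its
        # tenant entry. An entry nested anywhere else yields a wrong id.
        role_tenant_id = ldap.dn.str2dn(role_dn)[1][0][1]
        res.append(association(role_dn, role_tenant_id))
    return res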
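def add_user(self, role_id, user_id, tenant_id=None):
    """Grant ``role_id`` to ``user_id``, optionally scoped to ``tenant_id``.

    The grant is stored as a ``member`` value on the role entry. For a
    tenant-scoped grant whose role entry does not exist yet, the entry is
    created (objectClass keystoneTenantRole + groupOfNames) with the user
    as its first member.

    Args:
        role_id: id of the role to grant.
        user_id: id of the user receiving the role.
        tenant_id: tenant scope, or ``None`` for a global grant.

    Returns:
        The ``models.UserRoleAssociation`` describing the new grant.

    Raises:
        exception.NotFound: the user does not exist, or the role entry is
            missing and cannot be created (global grant, or unknown role).
        exception.Duplicate: the user already holds this role in this scope.
    """
    if self.api.user.get(user_id) is None:
        raise exception.NotFound("User %s not found" % (user_id,))

    role_dn = self._subrole_id_to_dn(role_id, tenant_id)
    conn = self.api.get_connection()
    user_dn = self.api.user._id_to_dn(user_id)
    try:
        conn.modify_s(role_dn, [(ldap.MOD_ADD, 'member', user_dn)])
    except ldap.TYPE_OR_VALUE_EXISTS:
        raise exception.Duplicate(
            "User %s already has role %s in tenant %s"
            % (user_id, role_id, tenant_id))
    except ldap.NO_SUCH_OBJECT:
        # Only a tenant-scoped role entry is created on demand, and only
        # when the underlying role itself exists.
        if tenant_id is None or self.get(role_id) is None:
            raise exception.NotFound("Role %s not found" % (role_id,))
        members = [user_dn]
        if self.use_dumb_member:
            # NOTE(review): presumably a placeholder member so the entry is
            # never left without a member value -- confirm.
            members.append(self.DUMB_MEMBER_DN)
        attrs = [
            ('objectClass', ['keystoneTenantRole', 'groupOfNames']),
            ('member', members),
            ('keystoneRole', self._id_to_dn(role_id)),
        ]
        conn.add_s(role_dn, attrs)

    return models.UserRoleAssociation(
        id=self._create_ref(role_id, tenant_id, user_id),
        role_id=role_id,
        user_id=user_id,
        tenant_id=tenant_id)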
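def rolegrant_list_by_role(self, id):
    """List every grant of the role ``id`` across users and tenants.

    Args:
        id: id of the role; resolved to a DN and matched against the
            ``keystoneRole`` attribute of the tenant-role entries.

    Returns:
        A list of ``models.UserRoleAssociation``, one per (entry, member)
        pair; empty when the search base does not exist. Entries lacking a
        ``member`` or ``tenant`` attribute are skipped.
    """
    import ldap.filter  # submodule; a bare "import ldap" need not bind it

    role_dn = self._id_to_dn(id)
    # Filter-escape the DN before embedding it in the search filter, so
    # that '*', '(', ')' or '\' in the id are matched literally rather than
    # reinterpreted as filter syntax.
    try:
        roles = self.get_all(
            '(keystoneRole=%s)' % (ldap.filter.escape_filter_chars(role_dn),))
    except ldap.NO_SUCH_OBJECT:
        return []

    # NOTE(review): this unpacks get_all() results as (dn, attrs) tuples,
    # while rolegrant_get_by_ids and list_global_roles_for_user treat the
    # same call as returning objects with an ``.id`` attribute; one of the
    # two usages looks wrong -- confirm get_all's return shape.
    res = []
    for entry_dn, attrs in roles:
        try:
            user_dns = attrs['member']
            tenant_dns = attrs['tenant']
        except KeyError:
            continue
        # Both values depend only on the entry, not on each member, so
        # derive them once per entry.
        entry_role_id = self._dn_to_id(entry_dn)
        # Only the last tenant DN listed on the entry is kept; a
        # multi-valued attribute is effectively truncated to its last value.
        tenant_id = None
        if tenant_dns is not None:
            for tenant_dn in tenant_dns:
                tenant_id = self.api.tenant._dn_to_id(tenant_dn)
        for user_dn in user_dns:
            if self.use_dumb_member and user_dn == self.DUMB_MEMBER_DN:
                continue
            user_id = self.api.user._dn_to_id(user_dn)
            res.append(models.UserRoleAssociation(
                id=self._create_ref(entry_role_id, tenant_id, user_id),
                user_id=user_id,
                role_id=entry_role_id,
                tenant_id=tenant_id))
    return res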
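def list_global_roles_for_user(self, user_id):
    """List the global (tenant-less) role grants held by ``user_id``.

    Args:
        user_id: id of the user; resolved to a DN via ``self.api.user``.

    Returns:
        A list of ``models.UserRoleAssociation`` with no tenant; empty when
        the role search base does not exist.
    """
    import ldap.filter  # submodule; a bare "import ldap" need not bind it

    user_dn = self.api.user._id_to_dn(user_id)
    # Filter-escape the DN before embedding it in the search filter, so
    # that '*', '(', ')' or '\' in the id are matched literally rather than
    # reinterpreted as filter syntax.
    try:
        roles = self.get_all(
            '(member=%s)' % (ldap.filter.escape_filter_chars(user_dn),))
    except ldap.NO_SUCH_OBJECT:
        # Same handling as the global branch of rolegrant_get_by_ids: a
        # missing role tree means the user holds no global roles.
        return []
    return [models.UserRoleAssociation(
                id=self._create_ref(role.id, None, user_id),
                role_id=role.id,
                user_id=user_id)
            for role in roles]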
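def get_role_assignments(self, tenant_id):
    """List every role grant within ``tenant_id``.

    Args:
        tenant_id: id of the tenant whose role entries are enumerated.

    Returns:
        A list of ``models.UserRoleAssociation``, one per member of each
        keystoneTenantRole entry one level below the tenant; empty when the
        tenant entry does not exist. Entries without ``member`` are skipped.
    """
    conn = self.api.get_connection()
    # Constant filter: no identifier is interpolated, so no filter
    # escaping is needed here.
    query = '(objectClass=keystoneTenantRole)'
    tenant_dn = self.api.tenant._id_to_dn(tenant_id)
    try:
        roles = conn.search_s(tenant_dn, ldap.SCOPE_ONELEVEL, query)
    except ldap.NO_SUCH_OBJECT:
        return []

    res = []
    for role_dn, attrs in roles:
        try:
            user_dns = attrs['member']
        except KeyError:
            continue
        # The role id depends only on the entry, so derive it once rather
        # than once per member.
        role_id = self._dn_to_id(role_dn)
        for user_dn in user_dns:
            if self.use_dumb_member and user_dn == self.DUMB_MEMBER_DN:
                continue
            user_id = self.api.user._dn_to_id(user_dn)
            res.append(models.UserRoleAssociation(
                id=self._create_ref(role_id, tenant_id, user_id),
                user_id=user_id,
                role_id=role_id,
                tenant_id=tenant_id))
    return res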
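def rolegrant_get(self, id):
    """Look up a role grant by its reference id.

    Args:
        id: composite grant reference, decoded by ``self._explode_ref``
            into (role_id, tenant_id, user_id).

    Returns:
        A ``models.UserRoleAssociation`` if the role entry exists and lists
        the user as a member, else ``None``.
    """
    import ldap.filter  # submodule; a bare "import ldap" need not bind it

    role_id, tenant_id, user_id = self._explode_ref(id)
    user_dn = self.api.user._id_to_dn(user_id)
    role_dn = self._subrole_id_to_dn(role_id, tenant_id)
    # The user id is unpacked from a caller-supplied reference; filter-escape
    # the derived DN so '*', '(', ')' or '\' in it cannot alter the filter.
    query = ('(&(objectClass=keystoneTenantRole)(member=%s))'
             % (ldap.filter.escape_filter_chars(user_dn),))
    conn = self.api.get_connection()
    try:
        # SCOPE_BASE tests the role entry itself against the filter, so a
        # non-empty result means the user is a member of it.
        found = conn.search_s(role_dn, ldap.SCOPE_BASE, query)
    except ldap.NO_SUCH_OBJECT:
        return None
    if not found:
        return None
    return models.UserRoleAssociation(
        id=id, role_id=role_id, tenant_id=tenant_id, user_id=user_id)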