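def create_role_ref(self, admin_token, user_id, role_ref):
    """Grant a role to a user, optionally scoped to a tenant.

    The admin-token validator is called before any lookup, so the user,
    role and tenant existence checks are only reached once that call
    returns.

    Args:
        admin_token: Token handed to the admin-token validator.
        user_id: Identifier of the user receiving the role.
        role_ref: ``RoleRef`` carrying ``role_id`` and an optional
            ``tenant_id``.

    Returns:
        The same ``role_ref`` object, with ``role_ref_id`` set to the id of
        the stored association.

    Raises:
        fault.ItemNotFoundFault: The user, role or tenant was not found.
        fault.BadRequestFault: ``role_ref`` is not a ``RoleRef`` or carries
            no role id.
    """
    # Authorization gate first: nothing is looked up or written before this
    # returns. The validator is defined outside this block; presumably it
    # raises for a token without admin rights -- confirm.
    self.__validate_service_or_keystone_admin_token(admin_token)

    duser = api.USER.get(user_id)
    if not duser:
        raise fault.ItemNotFoundFault("The user could not be found")

    if not isinstance(role_ref, RoleRef):
        raise fault.BadRequestFault("Expecting a Role Ref")
    # Identity comparison: `is None` cannot be redirected by a custom __eq__.
    if role_ref.role_id is None:
        raise fault.BadRequestFault("Expecting a Role Id")

    drole = api.ROLE.get(role_ref.role_id)
    if drole is None:
        raise fault.ItemNotFoundFault("The role not found")

    # The tenant is optional; when one is named it must exist.
    dtenant = None
    if role_ref.tenant_id is not None:
        dtenant = api.TENANT.get(role_ref.tenant_id)
        if dtenant is None:
            raise fault.ItemNotFoundFault("The tenant not found")

    # Persist the ids of the records just fetched, not the caller-supplied
    # values, so the association always points at rows that were found.
    drole_ref = models.UserRoleAssociation()
    drole_ref.user_id = duser.id
    drole_ref.role_id = drole.id
    if dtenant is not None:
        # tenant_id is assigned only for a tenant-scoped grant.
        drole_ref.tenant_id = dtenant.id

    user_role_ref = api.USER.user_role_add(drole_ref)
    role_ref.role_ref_id = user_role_ref.id
    return role_ref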
def grant_role(role, user, tenant=None):
    """Store a role grant built from raw identifiers.

    `role`, `user` and `tenant` are written to the association exactly as
    given. This helper performs no existence lookup and no authorization
    check, so both are left to the caller.

    Returns whatever `db_api.USER.user_role_add` returns for the new
    association.
    """
    association = db_models.UserRoleAssociation()
    association.user_id = user
    association.role_id = role
    # None (the default) leaves the grant without a tenant.
    association.tenant_id = tenant
    return db_api.USER.user_role_add(association)
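def add_global_role_to_user(self, admin_token, user_id, role_id):
    """Grant a role to a user without binding it to a tenant.

    The admin-token validator is called before any lookup, so the user and
    role existence checks are only reached once that call returns.

    Args:
        admin_token: Token handed to the admin-token validator.
        user_id: Identifier of the user receiving the role.
        role_id: Identifier of the role to grant.

    Raises:
        fault.ItemNotFoundFault: The user or the role was not found.
    """
    # Authorization gate first. The validator is defined outside this block;
    # presumably it raises for a token without admin rights -- confirm.
    self.__validate_service_or_keystone_admin_token(admin_token)

    duser = api.USER.get(user_id)
    if not duser:
        raise fault.ItemNotFoundFault("The user could not be found")

    drole = api.ROLE.get(role_id)
    # Identity comparison: `is None` cannot be redirected by a custom __eq__.
    if drole is None:
        raise fault.ItemNotFoundFault("The role not found")

    # tenant_id is never assigned here, which is what makes the grant global.
    # NOTE(review): no check for an already existing identical grant is
    # visible in this method -- confirm the storage layer handles duplicates.
    drole_ref = models.UserRoleAssociation()
    drole_ref.user_id = duser.id
    drole_ref.role_id = drole.id
    api.USER.user_role_add(drole_ref)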
def grant_role(role, user, tenant=None):
    """Store a role grant, resolving the given names to ids first.

    `role` and `user` are names and are always resolved. `tenant` is
    resolved only when it is truthy; a falsy value is stored unchanged.
    This helper performs no authorization check of its own.

    Returns whatever `db_api.USER.user_role_add` returns for the new
    association.
    """
    # NOTE(review): `.id` is read straight off each lookup result. If
    # get_by_name returns None for an unknown name (not visible here), the
    # failure surfaces as AttributeError rather than a not-found error.
    role_id = db_api.ROLE.get_by_name(name=role).id
    user_id = db_api.USER.get_by_name(name=user).id
    tenant_id = (
        db_api.TENANT.get_by_name(name=tenant).id if tenant else tenant
    )

    association = db_models.UserRoleAssociation()
    association.role_id = role_id
    association.user_id = user_id
    association.tenant_id = tenant_id
    return db_api.USER.user_role_add(association)
def grant_role(self, user_id, role_id, tenant_id=None):
    """Record a role grant for a user, refusing an exact duplicate.

    Args:
        user_id: Identifier of the user receiving the role.
        role_id: Identifier of the role to grant.
        tenant_id: Optional tenant the grant is scoped to.

    Raises:
        KeyError: A grant with the same user, role and tenant ids already
            exists.
    """
    # The getters are called only for their effect; results are discarded.
    # Presumably each raises for an unknown id -- confirm against them.
    # get_tenant also receives None when no tenant was given.
    self.get_user(user_id)
    self.get_role(role_id)
    self.get_tenant(tenant_id)

    # Duplicate guard (the original author calls this a bit of a hack).
    # NOTE(review): the lookup and the insert below are separate calls, so
    # two concurrent requests could both pass this check unless the store
    # enforces uniqueness on (user, role, tenant) -- not visible here.
    existing = self.grant_manager.rolegrant_get_by_ids(
        user_id, role_id, tenant_id)
    if existing is not None:
        message = ('Grant already exists for User ID %s, '
                   'Role ID %s and Tenant ID %s' %
                   (user_id, role_id, tenant_id))
        raise KeyError(message)

    # NOTE(review): no authorization check is visible in this method;
    # presumably the caller enforces it -- confirm.
    association = models.UserRoleAssociation()
    association.user_id = user_id
    association.role_id = role_id
    association.tenant_id = tenant_id
    self.user_manager.user_role_add(association)