keystone.assignment.controllers module¶

Workflow Logic the Assignment service.

class keystone.assignment.controllers.GrantAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Grant Assignment APIs.

check_grant(request, *args, **kwargs)[source]¶

Check if a role has been granted on either a domain or project.

check_system_grant_for_group(request, *args, **kwargs)[source]¶

Check if a group has a specific role on the system.

Parameters:	request – the request object role_id – the ID of the role to check group_id – the ID of the group to check

check_system_grant_for_user(request, *args, **kwargs)[source]¶

Check if a user has a specific role on the system.

Parameters:	request – the request object role_id – the ID of the role to check user_id – the ID of the user to check

collection_name = 'roles'¶

create_grant(request, *args, **kwargs)[source]¶

Grant a role to a user or group on either a domain or project.

create_system_grant_for_group(request, *args, **kwargs)[source]¶

Grant a role to a group on the system.

Parameters:	request – the request object role_id – the ID of the role to grant to the group group_id – the ID of the group

create_system_grant_for_user(request, *args, **kwargs)[source]¶

Grant a role to a user on the system.

Parameters:	request – the request object role_id – the ID of the role to grant to the user user_id – the ID of the user

list_grants(request, *args, **kwargs)[source]¶

List roles granted to user/group on either a domain or project.

list_system_grants_for_group(request, *args, **kwargs)[source]¶

List all system grants for a specific group.

Parameters:	request – the request object group_id – ID of the group
Returns:	a list of grants the group has on the system

list_system_grants_for_user(request, *args, **kwargs)[source]¶

List all system grants for a specific user.

Parameters:	request – the request object user_id – ID of the user
Returns:	a list of grants the user has on the system

member_name = 'role'¶

revoke_grant(request, *args, **kwargs)[source]¶

Revoke a role from user/group on either a domain or project.

revoke_system_grant_for_group(request, *args, **kwargs)[source]¶

Revoke a role from the group on the system.

Parameters:	request – the request object role_id – the ID of the role to remove user_id – the ID of the user

revoke_system_grant_for_user(request, *args, **kwargs)[source]¶

Revoke a role from user on the system.

Parameters:	request – the request object role_id – the ID of the role to remove user_id – the ID of the user

class keystone.assignment.controllers.ProjectAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Project APIs that are processing assignments.

collection_name = 'projects'¶

list_user_projects(request, **kwargs)[source]¶

member_name = 'project'¶

class keystone.assignment.controllers.RoleAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

The V3 Role Assignment APIs, really just list_role_assignment().

collection_name = 'role_assignments'¶

list_role_assignments(request, **kwargs)[source]¶

list_role_assignments_for_tree(request, **kwargs)[source]¶

list_role_assignments_wrapper(request)[source]¶

Main entry point from router for list role assignments.

Since we want different policy file rules to be applicable based on whether there the include_subtree query parameter is part of the API call, this method checks for this and then calls the appropriate protected entry point.

member_name = 'role_assignment'¶

classmethod wrap_member(context, ref)[source]¶