keystone.assignment.backends.base module

class keystone.assignment.backends.base.AssignmentDriverBase

Bases: object

abstract add_role_to_user_and_project(user_id, project_id, role_id)

Add a role to a user within given project.

Raises

keystone.exception.Conflict – If a duplicate role assignment exists.

abstract check_grant_role_id(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Check an assignment/grant role id.

Raises

keystone.exception.RoleAssignmentNotFound – If the role assignment doesn’t exist.

Returns

None, or raises an exception if the grant is not found.

abstract check_system_grant(role_id, actor_id, target_id, inherited)

Check if a user or group has a specific role on the system.

Parameters
  • role_id – the unique ID of the role to grant to the user

  • actor_id – the unique ID of the user or group

  • target_id – the unique ID or string representing the target

  • inherited – a boolean denoting if the assignment is inherited or not

abstract create_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Create a new assignment/grant.

If the assignment is to a domain, then optionally it may be specified as inherited to owned projects (this requires the OS-INHERIT extension to be enabled).

abstract create_system_grant(role_id, actor_id, target_id, assignment_type, inherited)

Grant a user or group a role on the system.

Parameters
  • role_id – the unique ID of the role to grant to the user

  • actor_id – the unique ID of the user or group

  • target_id – the unique ID or string representing the target

  • assignment_type – a string describing the relationship of the assignment

  • inherited – a boolean denoting if the assignment is inherited or not

abstract delete_domain_assignments(domain_id)

Delete all assignments for a domain.

abstract delete_grant(role_id, user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

Delete assignments/grants.

Raises

keystone.exception.RoleAssignmentNotFound – If the role assignment doesn’t exist.

abstract delete_group_assignments(group_id)

Delete all assignments for a group.

Raises

keystone.exception.RoleNotFound – If the role doesn’t exist.

abstract delete_project_assignments(project_id)

Delete all assignments for a project.

Raises

keystone.exception.ProjectNotFound – If the project doesn’t exist.

abstract delete_role_assignments(role_id)

Delete all assignments for a role.

abstract delete_system_grant(role_id, actor_id, target_id, inherited)

Remove a system assignment from a user or group.

Parameters
  • role_id – the unique ID of the role to grant to the user

  • actor_id – the unique ID of the user or group

  • target_id – the unique ID or string representing the target

  • inherited – a boolean denoting if the assignment is inherited or not

abstract delete_user_assignments(user_id)

Delete all assignments for a user.

Raises

keystone.exception.RoleNotFound – If the role doesn’t exist.

abstract list_grant_role_ids(user_id=None, group_id=None, domain_id=None, project_id=None, inherited_to_projects=False)

List role ids for assignments/grants.

abstract list_role_assignments(role_id=None, user_id=None, group_ids=None, domain_id=None, project_ids=None, inherited_to_projects=None)

Return a list of role assignments for actors on targets.

The available parameters are the values on which the attributes of the returned role assignments are filtered.

abstract list_system_grants(actor_id, target_id, assignment_type)

Return a list of all system assignments for a specific entity.

Parameters
  • actor_id – the unique ID of the actor

  • target_id – the unique ID of the target

  • assignment_type – the type of assignment to return

abstract list_system_grants_by_role(role_id)

Return a list of system assignments associated to a role.

Parameters

role_id – the unique ID of the role to grant to the user

abstract remove_role_from_user_and_project(user_id, project_id, role_id)

Remove a role from a user within given project.

Raises

keystone.exception.RoleNotFound – If the role doesn’t exist.
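
A minimal in-memory sketch of the grant contract documented above, added here as an example and not taken from Keystone's own drivers. It raises the documented exceptions and, in this sketch, keeps a direct grant and an inherited grant as separate records, so a check only succeeds when it passes the same inherited_to_projects value. The class InMemoryGrants, the local exception stand-ins, the tuple key, the ValueError checks and the no-op handling of repeated create_grant calls are assumptions.

```python
class Conflict(Exception):
    """Stand-in for keystone.exception.Conflict."""

class RoleAssignmentNotFound(Exception):
    """Stand-in for keystone.exception.RoleAssignmentNotFound."""

class InMemoryGrants:
    """Hypothetical store following the method names and signatures on this page."""

    def __init__(self):
        self._grants = set()  # (role, actor, target, inherited) tuples

    @staticmethod
    def _key(role_id, user_id, group_id, domain_id, project_id, inherited):
        # Assumption: exactly one actor and one target are supplied per grant.
        if (user_id is None) == (group_id is None):
            raise ValueError("supply exactly one of user_id or group_id")
        if (domain_id is None) == (project_id is None):
            raise ValueError("supply exactly one of domain_id or project_id")
        actor = ("user", user_id) if user_id is not None else ("group", group_id)
        target = ("domain", domain_id) if domain_id is not None else ("project", project_id)
        return (role_id, actor, target, bool(inherited))

    def add_role_to_user_and_project(self, user_id, project_id, role_id):
        key = self._key(role_id, user_id, None, None, project_id, False)
        if key in self._grants:
            raise Conflict("duplicate role assignment")
        self._grants.add(key)

    def create_grant(self, role_id, user_id=None, group_id=None, domain_id=None,
                     project_id=None, inherited_to_projects=False):
        # Duplicate handling is not stated on the page; a set makes repeats no-ops.
        self._grants.add(self._key(role_id, user_id, group_id, domain_id,
                                   project_id, inherited_to_projects))

    def check_grant_role_id(self, role_id, user_id=None, group_id=None,
                            domain_id=None, project_id=None,
                            inherited_to_projects=False):
        key = self._key(role_id, user_id, group_id, domain_id, project_id,
                        inherited_to_projects)
        if key not in self._grants:
            raise RoleAssignmentNotFound(role_id)  # returns None when found

    def delete_grant(self, role_id, user_id=None, group_id=None, domain_id=None,
                     project_id=None, inherited_to_projects=False):
        self.check_grant_role_id(role_id, user_id, group_id, domain_id,
                                 project_id, inherited_to_projects)
        self._grants.discard(self._key(role_id, user_id, group_id, domain_id,
                                       project_id, inherited_to_projects))
```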