Source code for keystone.resource.backends.sql

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_log import log
from sqlalchemy import orm
from sqlalchemy.sql import expression

from keystone.common import driver_hints
from keystone.common import resource_options
from keystone.common import sql
from keystone import exception
from keystone.resource.backends import base
from keystone.resource.backends import sql_model


LOG = log.getLogger(__name__)


[docs]class Resource(base.ResourceDriverBase): def _encode_domain_id(self, ref): if 'domain_id' in ref and ref['domain_id'] is None: new_ref = ref.copy() new_ref['domain_id'] = base.NULL_DOMAIN_ID return new_ref else: return ref def _is_hidden_ref(self, ref): return ref.id == base.NULL_DOMAIN_ID def _get_project(self, session, project_id): project_ref = session.query(sql_model.Project).get(project_id) if project_ref is None or self._is_hidden_ref(project_ref): raise exception.ProjectNotFound(project_id=project_id) return project_ref
[docs] def get_project(self, project_id): with sql.session_for_read() as session: return self._get_project(session, project_id).to_dict()
[docs] def get_project_by_name(self, project_name, domain_id): with sql.session_for_read() as session: query = session.query(sql_model.Project) query = query.filter_by(name=project_name) if domain_id is None: query = query.filter_by( domain_id=base.NULL_DOMAIN_ID) else: query = query.filter_by(domain_id=domain_id) try: project_ref = query.one() except sql.NotFound: raise exception.ProjectNotFound(project_id=project_name) if self._is_hidden_ref(project_ref): raise exception.ProjectNotFound(project_id=project_name) return project_ref.to_dict()
[docs] @driver_hints.truncated def list_projects(self, hints): # If there is a filter on domain_id and the value is None, then to # ensure that the sql filtering works correctly, we need to patch # the value to be NULL_DOMAIN_ID. This is safe to do here since we # know we are able to satisfy any filter of this type in the call to # filter_limit_query() below, which will remove the filter from the # hints (hence ensuring our substitution is not exposed to the caller). for f in hints.filters: if (f['name'] == 'domain_id' and f['value'] is None): f['value'] = base.NULL_DOMAIN_ID with sql.session_for_read() as session: query = session.query(sql_model.Project) query = query.filter(sql_model.Project.id != base.NULL_DOMAIN_ID) project_refs = sql.filter_limit_query(sql_model.Project, query, hints) return [project_ref.to_dict() for project_ref in project_refs]
[docs] def list_projects_from_ids(self, ids): if not ids: return [] else: with sql.session_for_read() as session: query = session.query(sql_model.Project) query = query.filter(sql_model.Project.id.in_(ids)) return [project_ref.to_dict() for project_ref in query.all() if not self._is_hidden_ref(project_ref)]
[docs] def list_project_ids_from_domain_ids(self, domain_ids): if not domain_ids: return [] else: with sql.session_for_read() as session: query = session.query(sql_model.Project.id) query = ( query.filter(sql_model.Project.domain_id.in_(domain_ids))) return [x.id for x in query.all() if not self._is_hidden_ref(x)]
[docs] def list_projects_in_domain(self, domain_id): with sql.session_for_read() as session: try: self._get_project(session, domain_id) except exception.ProjectNotFound: raise exception.DomainNotFound(domain_id=domain_id) query = session.query(sql_model.Project) project_refs = query.filter( sql_model.Project.domain_id == domain_id) return [project_ref.to_dict() for project_ref in project_refs]
[docs] def list_projects_acting_as_domain(self, hints): hints.add_filter('is_domain', True) return self.list_projects(hints)
def _get_children(self, session, project_ids, domain_id=None): query = session.query(sql_model.Project) query = query.filter(sql_model.Project.parent_id.in_(project_ids)) project_refs = query.all() return [project_ref.to_dict() for project_ref in project_refs]
[docs] def list_projects_in_subtree(self, project_id): with sql.session_for_read() as session: children = self._get_children(session, [project_id]) subtree = [] examined = set([project_id]) while children: children_ids = set() for ref in children: if ref['id'] in examined: msg = ('Circular reference or a repeated ' 'entry found in projects hierarchy - ' '%(project_id)s.') LOG.error(msg, {'project_id': ref['id']}) return children_ids.add(ref['id']) examined.update(children_ids) subtree += children children = self._get_children(session, children_ids) return subtree
[docs] def list_project_parents(self, project_id): with sql.session_for_read() as session: project = self._get_project(session, project_id).to_dict() parents = [] examined = set() while project.get('parent_id') is not None: if project['id'] in examined: msg = ('Circular reference or a repeated ' 'entry found in projects hierarchy - ' '%(project_id)s.') LOG.error(msg, {'project_id': project['id']}) return examined.add(project['id']) parent_project = self._get_project( session, project['parent_id']).to_dict() parents.append(parent_project) project = parent_project return parents
[docs] def is_leaf_project(self, project_id): with sql.session_for_read() as session: project_refs = self._get_children(session, [project_id]) return not project_refs
[docs] def list_projects_by_tags(self, filters): filtered_ids = [] with sql.session_for_read() as session: query = session.query(sql_model.ProjectTag) if 'tags' in filters.keys(): filtered_ids += self._filter_ids_by_tags( query, filters['tags'].split(',')) if 'tags-any' in filters.keys(): any_tags = filters['tags-any'].split(',') subq = query.filter(sql_model.ProjectTag.name.in_(any_tags)) any_tags = [ptag['project_id'] for ptag in subq] if 'tags' in filters.keys(): any_tags = set(any_tags) & set(filtered_ids) filtered_ids = any_tags if 'not-tags' in filters.keys(): blacklist_ids = self._filter_ids_by_tags( query, filters['not-tags'].split(',')) filtered_ids = self._filter_not_tags(session, filtered_ids, blacklist_ids) if 'not-tags-any' in filters.keys(): any_tags = filters['not-tags-any'].split(',') subq = query.filter(sql_model.ProjectTag.name.in_(any_tags)) blacklist_ids = [ptag['project_id'] for ptag in subq] if 'not-tags' in filters.keys(): filtered_ids += blacklist_ids else: filtered_ids = self._filter_not_tags(session, filtered_ids, blacklist_ids) if not filtered_ids: return [] query = session.query(sql_model.Project) query = query.filter(sql_model.Project.id.in_(filtered_ids)) return [project_ref.to_dict() for project_ref in query.all() if not self._is_hidden_ref(project_ref)]
def _filter_ids_by_tags(self, query, tags): filtered_ids = [] subq = query.filter(sql_model.ProjectTag.name.in_(tags)) for ptag in subq: subq_tags = query.filter(sql_model.ProjectTag.project_id == ptag['project_id']) result = map(lambda x: x['name'], subq_tags.all()) if set(tags) <= set(result): filtered_ids.append(ptag['project_id']) return filtered_ids def _filter_not_tags(self, session, filtered_ids, blacklist_ids): subq = session.query(sql_model.Project) valid_ids = [q['id'] for q in subq if q['id'] not in blacklist_ids] if filtered_ids: valid_ids = list(set(valid_ids) & set(filtered_ids)) return valid_ids # CRUD
[docs] @sql.handle_conflicts(conflict_type='project') def create_project(self, project_id, project): new_project = self._encode_domain_id(project) with sql.session_for_write() as session: project_ref = sql_model.Project.from_dict(new_project) session.add(project_ref) # Set resource options passed on creation resource_options.resource_options_ref_to_mapper( project_ref, sql_model.ProjectOption ) return project_ref.to_dict()
[docs] @sql.handle_conflicts(conflict_type='project') def update_project(self, project_id, project): update_project = self._encode_domain_id(project) with sql.session_for_write() as session: project_ref = self._get_project(session, project_id) old_project_dict = project_ref.to_dict() for k in update_project: old_project_dict[k] = update_project[k] # When we read the old_project_dict, any "null" domain_id will have # been decoded, so we need to re-encode it old_project_dict = self._encode_domain_id(old_project_dict) new_project = sql_model.Project.from_dict(old_project_dict) for attr in sql_model.Project.attributes: if attr != 'id': setattr(project_ref, attr, getattr(new_project, attr)) # Move the "_resource_options" attribute over to the real ref # so that resource_options.resource_options_ref_to_mapper can # handle the work. setattr(project_ref, '_resource_options', getattr(new_project, '_resource_options', {})) # Move options into the proper attribute mapper construct resource_options.resource_options_ref_to_mapper( project_ref, sql_model.ProjectOption) project_ref.extra = new_project.extra return project_ref.to_dict(include_extra_dict=True)
[docs] @sql.handle_conflicts(conflict_type='project') def delete_project(self, project_id): with sql.session_for_write() as session: project_ref = self._get_project(session, project_id) session.delete(project_ref)
[docs] @sql.handle_conflicts(conflict_type='project') def delete_projects_from_ids(self, project_ids): if not project_ids: return with sql.session_for_write() as session: query = session.query(sql_model.Project).filter( sql_model.Project.id.in_(project_ids)) project_ids_from_bd = [p['id'] for p in query.all()] for project_id in project_ids: if (project_id not in project_ids_from_bd or project_id == base.NULL_DOMAIN_ID): LOG.warning('Project %s does not exist and was not ' 'deleted.', project_id) query.delete(synchronize_session=False)
[docs] def check_project_depth(self, max_depth): with sql.session_for_read() as session: obj_list = [] # Using db table self outerjoin to find the project descendants. # # We'll only outerjoin the project table `max_depth` times to # check whether current project tree exceed the max depth limit. # # For example: # # If max_depth is 2, we will take the outerjoin 2 times, then the # SQL result may be like: # # +---- +-------------+-------------+-------------+ # | No. | project1_id | project2_id | project3_id | # +--- -+-------------+-------------+-------------+ # | 1 | domain_x | | | # +- ---+-------------+-------------+-------------+ # | 2 | project_a | | | # +- ---+-------------+-------------+-------------+ # | 3 | domain_y | project_a | | # +- ---+-------------+-------------+-------------+ # | 4 | project_b | project_c | | # +- ---+-------------+-------------+-------------+ # | 5 | domain_y | project_b | project_c | # +- ---+-------------+-------------+-------------+ # # `project1_id` column is the root. It is a project or a domain. # If `project1_id` is a project, there must exist a line that # `project1` is its domain. # # We got 5 lines here. It includes three scenarios: # # 1). The No.1 line means there is a domain `domain_x` which has no # children. The depth is 1. # # 2). The No.2 and No.3 lines mean project `project_a` has no child # and its parent is domain `domain_y`. The depth is 2. # # 3). The No.4 and No.5 lines mean project `project_b` has a child # `project_c` and its parent is domain `domain_y`. The depth is # 3. This tree hit the max depth # # So we can see that if column "project3_id" has value, it means # some trees hit the max depth limit. for _ in range(max_depth + 1): obj_list.append(orm.aliased(sql_model.Project)) query = session.query(*obj_list) for index in range(max_depth): query = query.outerjoin( obj_list[index + 1], obj_list[index].id == obj_list[index + 1].parent_id) exceeded_lines = query.filter( obj_list[-1].id != expression.null()) if exceeded_lines: return [line[max_depth].id for line in exceeded_lines]