author | Colleen Murphy <colleen.murphy@suse.de> | 2019-03-18 14:20:15 +0100 |
---|---|---|
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-03-27 17:15:00 +0100 |
commit | be452fee80fabe252b2dae3be76c1d46fdd857e4 (patch) | |
tree | 9b8d3b15b968fc229313e8d5e15c2306c5bdfa56 /keystone/api/users.py | |
parent | 947e0a2e394fe47047ca1568e3a6f8b19b3c1f78 (diff) | |
Add domain scope support for group policies
This commit adds support for the domain scope type for the group API
policies. It defines appropriate policies for the reader, member, and
admin role and adds tests for each case.
Change-Id: Iaff3c0e45423ef427ef1458250c402c44be4b1d6
Closes-bug: #1808859
Partial-Bug: #968696
Diffstat (limited to 'keystone/api/users.py')
-rw-r--r-- | keystone/api/users.py | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/keystone/api/users.py b/keystone/api/users.py
index cf2bf7a40..97626da9b 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -98,6 +98,10 @@ def _build_user_target_enforcement():
 target['user'] = PROVIDERS.identity_api.get_user(
 flask.request.view_args.get('user_id')
 )
+ if flask.request.view_args.get('group_id'):
+ target['group'] = PROVIDERS.identity_api.get_group(
+ flask.request.view_args.get('group_id')
+ )
 except ks_exception.NotFound: # nosec
 # Defer existence in the event the user doesn't exist, we'll
 # check this later anyway.
@@ -285,10 +289,15 @@ class UserGroupsResource(ks_flask.ResourceBase):
 @staticmethod
 def _built_target_attr_enforcement():
- ref = {}
+ ref = None
 if flask.request.view_args:
- ref['user'] = PROVIDERS.identity_api.get_user(
- flask.request.view_args.get('user_id'))
+ try:
+ ref = {'user': PROVIDERS.identity_api.get_user(
+ flask.request.view_args.get('user_id'))}
+ except ks_exception.NotFound: # nosec
+ # Defer existence in the event the user doesn't exist, we'll
+ # check this later anyway.
+ pass
 return ref
 def get(self, user_id):
@@ -303,6 +312,12 @@ class UserGroupsResource(ks_flask.ResourceBase):
 filters=filters)
 refs = PROVIDERS.identity_api.list_groups_for_user(user_id=user_id,
 hints=hints)
+ if (self.oslo_context.domain_id):
+ filtered_refs = []
+ for ref in refs:
+ if ref['domain_id'] == self.oslo_context.domain_id:
+ filtered_refs.append(ref)
+ refs = filtered_refs
 return self.wrap_collection(refs, hints=hints) |
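Review bot: The new `get_group` call in `_build_user_target_enforcement` shares one `try` with `get_user`, so a `NotFound` from the user lookup also leaves `target` without a `group` key. The policy check then runs against a target holding neither entity. Whether the domain-scoped rules fail closed on a missing `target.group.domain_id` depends on policy definitions not shown here, so a test with a nonexistent user and a group in a foreign domain would be worth confirming. The retained comment still names only the user; it could read `# Defer existence checks: the user or the group may not exist; both are verified later anyway.`. The function starts and ends outside this hunk.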
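Review bot: `_built_target_attr_enforcement` now returns `None` instead of `{}` when there are no view args or the user lookup raises `NotFound`, and nothing in the hunk documents that contract. The caller that consumes this value is not visible here, so it should be confirmed that a `None` target makes the domain-scoped rule deny rather than skip the domain comparison. A docstring would make the intent explicit, for example `"""Return {'user': <user ref>} as the policy target, or None if the request has no view args or the user does not exist."""`.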
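Review bot: The domain filter added to `get` runs after `list_groups_for_user(..., hints=hints)`, so if `hints` carries a list limit the driver truncates first and a domain-scoped caller may get a short or empty page even though matching groups exist. Isolation here is also enforced only in this view, not in the query, so it deserves a comment such as `# Domain-scoped tokens may only see groups owned by their own domain.`. The loop can be written as `refs = [r for r in refs if r['domain_id'] == self.oslo_context.domain_id]`, and the parentheses around the `if` condition are unnecessary. The body of `get` starts outside this hunk.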