Add missing initiators in api calling providers

followup for Iae525ee13dec72af6a7d70db2bb59a77c682a177

some more mutating API methods were found not providing
an audit initiator to the underlying providers' methods.
These include deletion of project tags, ec2 creds api
and os-inherit api.

Change-Id: If7474a90aa545760d2dd4eadf1e4d7d7a7f35a06
Pavlo Shchelokovskyy 2024-04-11 17:07:24 +03:00
parent 8ca73f758b
commit f5dab591b7
3 changed files with 18 additions and 15 deletions


@ -102,7 +102,7 @@ def _build_enforcement_target_attr(role_id=None, user_id=None, group_id=None,
return target
class OSInheritDomainGroupRolesResource(flask_restful.Resource):
class OSInheritDomainGroupRolesResource(ks_flask.ResourceBase):
def get(self, domain_id, group_id, role_id):
"""Check for an inherited grant for a group on a domain.
@ -134,7 +134,7 @@ class OSInheritDomainGroupRolesResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.create_grant(
domain_id=domain_id, group_id=group_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
def delete(self, domain_id, group_id, role_id):
@ -151,7 +151,7 @@ class OSInheritDomainGroupRolesResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.delete_grant(
domain_id=domain_id, group_id=group_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
@ -173,7 +173,7 @@ class OSInheritDomainGroupRolesListResource(flask_restful.Resource):
refs, collection_name='roles')
class OSInheritDomainUserRolesResource(flask_restful.Resource):
class OSInheritDomainUserRolesResource(ks_flask.ResourceBase):
def get(self, domain_id, user_id, role_id):
"""Check for an inherited grant for a user on a domain.
@ -205,7 +205,7 @@ class OSInheritDomainUserRolesResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.create_grant(
domain_id=domain_id, user_id=user_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
def delete(self, domain_id, user_id, role_id):
@ -222,7 +222,7 @@ class OSInheritDomainUserRolesResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.delete_grant(
domain_id=domain_id, user_id=user_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
@ -244,7 +244,7 @@ class OSInheritDomainUserRolesListResource(flask_restful.Resource):
refs, collection_name='roles')
class OSInheritProjectUserResource(flask_restful.Resource):
class OSInheritProjectUserResource(ks_flask.ResourceBase):
def get(self, project_id, user_id, role_id):
"""Check for an inherited grant for a user on a project.
@ -276,7 +276,7 @@ class OSInheritProjectUserResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.create_grant(
project_id=project_id, user_id=user_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
def delete(self, project_id, user_id, role_id):
@ -293,11 +293,11 @@ class OSInheritProjectUserResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.delete_grant(
project_id=project_id, user_id=user_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
class OSInheritProjectGroupResource(flask_restful.Resource):
class OSInheritProjectGroupResource(ks_flask.ResourceBase):
def get(self, project_id, group_id, role_id):
"""Check for an inherited grant for a group on a project.
@ -329,7 +329,7 @@ class OSInheritProjectGroupResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.create_grant(
project_id=project_id, group_id=group_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
def delete(self, project_id, group_id, role_id):
@ -346,7 +346,7 @@ class OSInheritProjectGroupResource(flask_restful.Resource):
role_id=role_id))
PROVIDERS.assignment_api.delete_grant(
project_id=project_id, group_id=group_id, role_id=role_id,
inherited_to_projects=True)
inherited_to_projects=True, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
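Review bot: None of the three changed files is a test (the 18 additions and 15 deletions are fully accounted for by the API modules shown), so nothing pins the new `initiator=self.audit_initiator` argument on the eight `create_grant`/`delete_grant` calls here, nor on the tag and EC2 credential calls in the other two files. The commit message says these gaps were found after an earlier pass, so a regression test asserting that the audit notification for each mutating os-inherit route carries an initiator would keep the audit trail from losing the actor again. The hunk headers also show `OSInheritDomainGroupRolesListResource` and `OSInheritDomainUserRolesListResource` still deriving from `flask_restful.Resource`. That looks fine if they stay read-only, but a comment such as `# read-only: no audit initiator needed` would make the split visibly deliberate. The method bodies start outside these hunks.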


@ -267,7 +267,8 @@ class ProjectTagsResource(_ProjectTagResourceBase):
action='identity:delete_project_tags',
build_target=_build_project_target_enforcement
)
PROVIDERS.resource_api.update_project_tags(project_id, [])
PROVIDERS.resource_api.update_project_tags(
project_id, [], initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
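Review bot: Clearing all tags goes through `update_project_tags(project_id, [])`, so the audit event that now carries the initiator is presumably recorded as a project update rather than a deletion, even though the enforced policy action is `identity:delete_project_tags`. A comment above the call, for example `# audited as an update with an empty tag list; initiator identifies the caller`, would help anyone correlating policy decisions with audit records. The enclosing method starts outside the hunk, so the other mutating tag methods in this file cannot be checked from here and are worth confirming.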


@ -404,7 +404,8 @@ class UserOSEC2CredentialsResourceListCreate(_UserOSEC2CredBaseResource):
id=credential_id,
type=CRED_TYPE_EC2
)
PROVIDERS.credential_api.create_credential(credential_id, cred_data)
PROVIDERS.credential_api.create_credential(
credential_id, cred_data, initiator=self.audit_initiator)
ref = _convert_v3_to_ec2_credential(cred_data)
return self.wrap_member(ref), http.client.CREATED
@ -443,7 +444,8 @@ class UserOSEC2CredentialsResourceGetDelete(_UserOSEC2CredBaseResource):
PROVIDERS.identity_api.get_user(user_id)
ec2_cred_id = utils.hash_access_key(credential_id)
self._get_cred_data(ec2_cred_id)
PROVIDERS.credential_api.delete_credential(ec2_cred_id)
PROVIDERS.credential_api.delete_credential(
ec2_cred_id, initiator=self.audit_initiator)
return None, http.client.NO_CONTENT
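Review bot: Both calls act on credentials belonging to a `user_id` (visible in the delete hunk, presumably taken from the route), while `self.audit_initiator` presumably describes the authenticated caller. The two can differ when one principal manages another user's EC2 credentials. That distinction is what makes these audit records useful, so it deserves a short comment at each call, e.g. `# initiator = requesting principal, not necessarily user_id`. In the delete path the id passed on is `ec2_cred_id`, the output of `utils.hash_access_key(credential_id)`, so audit consumers will presumably see the hashed id rather than the access key, which is worth stating in the method docstring. Both method bodies start outside the hunks.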