The synaps.auth.manager Module

WARNING: This code is deprecated and will be removed. Keystone is the recommended solution for auth management.

Synaps authentication management

class AuthBase

Bases: object

Base class for objects relating to auth

Objects derived from this class should be stupid data objects with an id member. They may optionally contain methods that delegate to AuthManager, but should not implement logic themselves.

classmethod safe_id(obj)

Safely get object id.

This method will return the id of the object if the object is of this class, otherwise it will return the original object. This allows methods to accept objects or ids as parameters.

class AuthManager(driver=None, *args, **kwargs)

Bases: object

Manager Singleton for dealing with Users, Projects, and Keypairs

Methods accept objects or ids.

AuthManager uses a driver object to make requests to the data backend. See ldapdriver for reference.

AuthManager also manages associated data related to Auth objects that need to be more accessible, such as vpn ips and ports.

add_role(user, role, project=None)

Adds role for user

If project is not specified, adds a global role. If project is specified, adds a local role.

The ‘projectmanager’ role is special and can’t be added or removed.

Parameters:

• user (User or uid) – User to which to add role.
• role (str) – Role to add.
• project (Project or project_id) – Project in which to add local role.

add_to_project(user, project)

Add user to project

authenticate(access, signature, params, verb='GET', server_string='127.0.0.1:8773', path='/', check_type='cloudwatch', headers=None)

Authenticates AWS request using access key and signature

If the project is not specified, attempts to authenticate to a project with the same name as the user. This way, older tools that have no project knowledge will still work.

Parameters:

• access (str) – Access key for user in the form “access:project”.
• signature (str) – Signature of the request.
• params (list of str) – Web paramaters used for the signature.
• verb (str) – Web request verb (‘GET’ or ‘POST’).
• server_string (str) – Web request server string.
• path (str) – Web request path.
• check_type (str) – Type of signature to check. It’ll be ‘cloudwatch’. Any other value will cause signature not to be checked.

Return type:

tuple (User, Project)

Returns:

User and project that the request represents.

create_project(name, manager_user, description=None, member_users=None)

Create a project

Parameters:

• name (str) – Name of the project to create. The name will also be used as the project id.
• manager_user (User or uid) – This user will be the project manager.
• project – Description of the project. If no description is specified, the name of the project will be used.

Param :

Initial project members. The project manager will always be added as a member, even if he isn’t specified in this list.

Return type:

Project

Returns:

The new project.

create_user(name, access=None, secret=None, admin=False)

Creates a user

Parameters:

• name (str) – Name of the user to create.
• access (str) – Access Key (defaults to a random uuid)
• secret (str) – Secret Key (defaults to a random uuid)
• admin (bool) – Whether to set the admin flag. The admin flag gives superuser status regardless of roles specified for the user.

Param :

Whether to create a project for the user with the same name.

Return type:

User

Returns:

The new user.

delete_project(project)

Deletes a project

get_access_key(user, project)

Get an access key that includes user and project

get_active_roles(user, project=None)

Get all active roles for context

get_environment_rc(user, project=None, use_dmz=True)

Get environment rc for user in project

get_project(pid)

Get project object by id

get_projects(user=None)

Retrieves list of projects, optionally filtered by user

static get_roles(project_roles=True)

Get list of allowed roles

get_user(uid)

Retrieves a user by id

get_user_from_access_key(access_key)

Retrieves a user by access key

get_user_roles(user, project=None)

Get user global or per-project roles

get_users()

Retrieves a list of all users

has_role(user, role, project=None)

Checks existence of role for user

If project is not specified, checks for a global role. If project is specified, checks for the union of the global role and the project role.

Role ‘projectmanager’ only works for projects and simply checks to see if the user is the project_manager of the specified project. It is the same as calling is_project_manager(user, project).

Parameters:

• user (User or uid) – User to check.
• role (str) – Role to check.
• project (Project or project_id) – Project in which to look for local role.

Return type:

bool

Returns:

True if the user has the role.

is_admin(user)

Checks for admin status, allowing user to access all projects

Parameters:user (User or uid) – User to check. Return type:bool Returns:True for admin.

is_project_manager(user, project)

Checks if user is project manager

is_project_member(user, project)

Checks to see if user is a member of project

is_superuser(user)

Checks for superuser status, allowing user to bypass authorization

Parameters:user (User or uid) – User to check. Return type:bool Returns:True for superuser.

mc = None

modify_project(project, manager_user=None, description=None)

Modify a project

Parameters:

• project – The project to modify.
• manager_user (User or uid) – This user will be the new project manager.
• project – This will be the new description of the project.

modify_user(user, access_key=None, secret_key=None, admin=None)

Modify credentials for a user

remove_from_project(user, project)

Removes a user from a project

remove_role(user, role, project=None)

Removes role for user

If project is not specified, removes a global role. If project is specified, removes a local role.

The ‘projectmanager’ role is special and can’t be added or removed.

Parameters:

• user (User or uid) – User from which to remove role.
• role (str) – Role to remove.
• project (Project or project_id) – Project in which to remove local role.

class Project(id, name, project_manager_id, description, member_ids)

Bases: synaps.auth.manager.AuthBase

Represents a Project returned from the datastore

add_role(user, role)

has_manager(user)

has_member(user)

has_role(user, role)

project_manager

remove_role(user, role)

vpn_ip

vpn_port

class User(id, name, access, secret, admin)

Bases: synaps.auth.manager.AuthBase

Object representing a user

The following attributes are defined:

id

A system identifier for the user. A string (for LDAP)

name

The user name, potentially in some more friendly format

access

The ‘username’ for EC2 authentication

secret

The ‘password’ for EC2 authenticatoin

admin

???

add_role(role)

has_role(role)

is_admin()

is_project_manager(project)

is_project_member(project)

is_superuser()

remove_role(role)