Beispiel #1
0
    def __init__(self, request, *args, **kwargs):
        super(UpdateRuleUsersAction, self).__init__(request, *args, **kwargs)
        err_msg = _('Unable to retrieve user list. Please try again later.')

        project_id = self.initial['project_id']

        # The user-selection widget we're using thinks in terms of roles.  We only want
        #  one, simple list so we will collect them in the stand-in 'user' role.
        default_role_name = self.get_default_role_field_name()
        self.fields[default_role_name] = forms.CharField(required=False)
        self.fields[default_role_name].initial = self.role_name

        # Get list of available users
        all_users = []
        try:
            # We can't use the default user_list function because it requires
            #  us to be an admin user.
            users = keystone.keystoneclient(request).users.list(
                default_project=project_id)
            all_users = [
                keystone.VERSIONS.upgrade_v2_user(user) for user in users
            ]
            all_users_dict = {user.id: user for user in all_users}
        except Exception:
            exceptions.handle(request, err_msg)

        # The v3 user list doesn't actually filter by project (code comments
        #  to the contrary) so we have to dig through the role list to find
        #  out who's actually in our project.
        # Anyone who is in all_users_dict and also has a role in the
        #  project is a potential sudoer.
        project_users = set()
        manager = keystone.keystoneclient(request).role_assignments
        project_role_assignments = manager.list(project=project_id)
        for role_assignment in project_role_assignments:
            if not hasattr(role_assignment, 'user'):
                continue
            user_id = role_assignment.user['id']
            if user_id in NO_SUDO_FOR:
                continue
            if user_id in all_users_dict:
                project_users.add(all_users_dict[user_id])

        users_list = [(user.id, user.name) for user in project_users]
        users_list.insert(0, anyUserTuple())
        users_list.insert(0, allUsersTuple(project_id))

        # Add a field to collect the list of users with role 'user'
        field_name = self.get_member_field_name(self.role_name)
        label = self.role_name
        self.fields[field_name] = forms.MultipleChoiceField(required=False,
                                                            label=label)
        self.fields[field_name].choices = users_list
        self.fields[field_name].initial = self.initial[self.role_name]
Beispiel #2
0
def get_admin_roleid(request):
    global TENANTADMIN_ROLEID
    if TENANTADMIN_ROLEID == None:
        for role in keystone_api.keystoneclient(request).roles.list():
            if role.name == TENANTADMIN_ROLE:
                TENANTADMIN_ROLEID = role.id
    return TENANTADMIN_ROLEID
Beispiel #3
0
    def handle(self, request, data):
        try:

            with transaction.atomic():
                c_prj = Project.objects.filter(projectid=data['projectid'])[0]

                if PrjRole.objects.filter(registration__userid = request.user.id,
                                          project = c_prj).count() == 0:
                    messages.error(request, _("Operation not allowed"))
                    return False

                kclient = keystone_api.keystoneclient(request)
                for p_tag in kclient.projects.list_tags(c_prj.projectid):
                    if p_tag.startswith('OU='):
                        data['ou'] = p_tag[3:]
                    if p_tag.startswith('O='):
                        data['org'] = p_tag[2:]

                new_descr = encode_course_info(data)
                c_prj.description = new_descr
                c_prj.status = PRJ_COURSE
                c_prj.save()

        except:
            LOG.error("Cannot edit course parameters", exc_info=True)
            messages.error(request, _("Cannot edit course parameters"))
            return False

        return True
Beispiel #4
0
def get_admin_roleid(request):
    global TENANTADMIN_ROLEID
    if TENANTADMIN_ROLEID == None:
        for role in keystone_api.keystoneclient(request).roles.list():
            if role.name == TENANTADMIN_ROLE:
                TENANTADMIN_ROLEID = role.id
    return TENANTADMIN_ROLEID
Beispiel #5
0
def sso_jump(request, service):
    endpoint = base.url_for(request, service)
    ks = keystone.keystoneclient(request)
    auth_url = ks.get_endpoint(None).replace('v2.0', 'v3')
    auth_methods = [v3_auth.TokenMethod(token=request.user.token.id)]
    plugin = v3_auth.Auth(auth_url, auth_methods, project_id=request.user.tenant_id, include_catalog=False)
    token = plugin.get_auth_ref(ks.session).auth_token
    redirect_url = ('%s?vdcId=%s&token=%s'%(endpoint, request.user.tenant_id, token))
    return shortcuts.redirect(redirect_url)
Beispiel #6
0
    def get_data(self):

        course_org_list = settings.HORIZON_CONFIG.get('course_for', {}).keys()
    
        result = list()
        try:
            tenants = super(IndexView, self).get_data()
            if len(tenants) == 0:
                return result
            
            prj_table = dict()
            for item in tenants:
                prj_table[item.name] = ExtPrjItem(item)

            kprj_man = keystone_api.keystoneclient(self.request).projects

            with transaction.atomic():

                prj_list = Project.objects.filter(projectname__in=prj_table.keys())

                role_list = PrjRole.objects.filter(
                    registration__userid = self.request.user.id,
                    project__in = prj_list
                )
                for r_item in role_list:
                    prj_table[r_item.project.projectname].isadmin = True

                for prj_item in prj_list:
                    prjname = prj_item.projectname
                    prj_table[prjname].status = prj_item.status
                    prj_table[prjname].managed = True

                    is_curr_admin = self.request.user.tenant_name == prjname
                    is_curr_admin = is_curr_admin and prj_table[prjname].isadmin

                    can_list_tags = self.request.user.is_superuser or is_curr_admin

                    if prj_item.projectid and can_list_tags:
                        prj_table[prjname].tags = set(kprj_man.list_tags(prj_item.projectid))
                    else:
                        prj_table[prjname].tags = set()

                    if is_curr_admin:
                        for item in course_org_list:
                            if (ORG_TAG_FMT % item) in prj_table[prjname].tags:
                                prj_table[prjname].handle_course = True

            tmplist = prj_table.keys()
            tmplist.sort()
            for item in tmplist:
                result.append(prj_table[item])
            
        except Exception:
            exceptions.handle(self.request, _("Unable to retrieve project list."))
        return result
Beispiel #7
0
    def get_initial(self):
        result = {
            'projectid' : self.get_object().projectid,
        }

        try:
            kprj_man = keystone_api.keystoneclient(self.request).projects
            init_tags = kprj_man.list_tags(self.kwargs['project_id'])
            result['taglist'] = ", ".join(init_tags)
        except:
            LOG.error("Cannot retrieve tags", exc_info=True)

        return result
Beispiel #8
0
    def handle(self, request, data):
        try:

            kclient = keystone_api.keystoneclient(request)
            
            kclient.projects.update_tags(data['projectid'], data['ptags'])

        except:
            LOG.error("Cannot edit tags", exc_info=True)
            messages.error(request, _("Cannot edit tags"))
            return False

        return True
Beispiel #9
0
    def handle(self, request, data):
        try:

            kclient = keystone_api.keystoneclient(request)
            kclient.projects.update_tags(data['projectid'], [])
            kclient.projects.update_tags(data['projectid'], data['ptags'])

        except:
            LOG.error("Cannot edit tags", exc_info=True)
            messages.error(request, _("Cannot edit tags"))
            return False

        return True
Beispiel #10
0
def get_project_managers(request, project_id):
    result = list()

    kclient = keystone_api.keystoneclient(request, admin=True)
    tntadm_role_id = get_admin_roleid(request)
    
    url = '/role_assignments?scope.project.id=%s&role.id=%s'
    resp, body = kclient.get(url % (project_id, tntadm_role_id))
    
    for item in body['role_assignments']:
        tntadmin = keystone_api.user_get(request, item['user']['id'])
        LOG.debug('Found tenant admin %s' % tntadmin.name)
        result.append(tntadmin)
        
    return result
Beispiel #11
0
def recordIsProxy(request, record):
    global PROXYIP
    if not PROXYIP:
        # Leap of faith:  Assume the proxy-api host is also the proxy host.
        #  So, get the proxy endpoint from keystone, convert to an IP,
        #  and compare to 'record'

        client = keystone.keystoneclient(request)
        services = client.services.list()

        proxyservices = [service for service in services if service.name == 'proxy']
        endpoints = client.endpoints.list(service=proxyservices[0].id)
        proxyurl = endpoints[0].url

        parsed_uri = urlparse(proxyurl)
        domain = parsed_uri.hostname
        PROXYIP = socket.gethostbyname_ex(domain)[2][0]

    return record.data == PROXYIP
Beispiel #12
0
def logout(request):

    use_slo = settings.HORIZON_CONFIG.get('enable_slo', False)
    #use_slo = use_slo and request.user.is_federated
    use_slo = use_slo and not 'finalstep' in request.GET

    if not use_slo:
        return basic_logout(request)

    try:
        site_name = request.META['SERVER_NAME']
        site_port = int(request.META['SERVER_PORT'])

        redir_url = 'https://%s:%d/dashboard/auth/logout?finalstep=true'

        utoken = request.session.get('unscoped_token')
        token_data = keystone_api.keystoneclient(
            request).tokens.get_token_data(utoken)

        redir_str = None
        if "openid" in token_data['token']['methods']:
            redir_para = 'logout'
            redir_str = "https://%s:%d/v3/auth/OS-FEDERATION/websso/openid/redirect?%s"
        elif "mapped" in token_data['token']['methods']:
            redir_para = 'return'
            redir_str = 'https://%s:%d/Shibboleth.sso/Logout?%s'

        if redir_str:
            param_str = urlencode(
                {redir_para: redir_url % (site_name, site_port)})
            srv_table = settings.HORIZON_CONFIG.get('srv_bind_table', {})
            ks_name = srv_table.get(site_name, site_name)
            jumpto = redir_str % (ks_name, site_port, param_str)

            return django_http.HttpResponseRedirect(jumpto)

    except:
        LOG.error("SLO failure", exc_info=True)

    return basic_logout(request)
Beispiel #13
0
def setup_new_project(request, project_id, project_name, data):

    unit_id = data.get('unit', None)

    cloud_table = getattr(settings, 'UNIT_TABLE', {})
    if not unit_id or not unit_id in cloud_table:
        return

    unit_data = cloud_table[unit_id]
    prj_cname = re.sub(r'\s+', "-", project_name)
    flow_step = 0

    try:

        cinder_params = dict()
        for pkey, pvalue in unit_data.items():
            if pkey == 'quota_total':
                cinder_params['gigabytes'] = pvalue
            elif pkey == 'quota_per_volume':
                cinder_params['per_volume_gigabytes'] = pvalue
            elif pkey.startswith('quota_'):
                cinder_params['gigabytes_' + pkey[6:]] = pvalue

        if len(cinder_params):
            cinder_api.tenant_quota_update(request, project_id, **cinder_params)

    except:
            LOG.error("Cannot setup project quota", exc_info=True)
            messages.error(request, _("Cannot setup project quota"))

    try:

        hyper_list = unit_data.get('hypervisors', [])
        if len(hyper_list):
            agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname)
            avail_zone = unit_data.get('availability_zone', 'nova')

            new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone)
            flow_step += 1

            for h_item in hyper_list:
                nova_api.add_host_to_aggregate(request, new_aggr.id, h_item)
            flow_step += 1

            all_md = { 'filter_tenant_id' : project_id }
            all_md.update(unit_data.get('metadata', {}))

            nova_api.aggregate_set_metadata(request, new_aggr.id, all_md)
            flow_step = 0

    except:
        if flow_step == 0:
            err_msg = _("Cannot create host aggregate")
        elif flow_step == 1:
            err_msg = _("Cannot insert hypervisor in aggregate")
        else:
            err_msg = _("Cannot set metadata for aggregate")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:

        subnet_cidr = data['%s-net' % unit_id]
        prj_lan_name = "%s-lan" % prj_cname

        prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name)
        flow_step += 1

        net_args = {
            'cidr' : subnet_cidr,
            'ip_version' : 4,
            'dns_nameservers' : unit_data.get('nameservers', []),
            'enable_dhcp' : True,
            'tenant_id' : project_id,
            'name' : "sub-%s-lan" % prj_cname
        }
        prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args)
        flow_step += 1

        if 'lan_router' in unit_data:
            neutron_api.router_add_interface(request, unit_data['lan_router'], 
                                            subnet_id=prj_sub['id'])
        flow_step = 0

    except:
        if flow_step == 0:
            err_msg = _("Cannot create network")
        elif flow_step == 1:
            err_msg = _("Cannot create sub-network")
        else:
            err_msg = _("Cannot add interface to router")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:
        subnet_cidr = data['%s-net' % unit_id]
        def_sec_group = None
        for sg_item in neutron_api.security_group_list(request, tenant_id=project_id):
            if sg_item['name'].lower() == 'default':
                def_sec_group = sg_item['id']
                LOG.info("Found default security group %s" % def_sec_group)
                break
        flow_step += 1

        sg_client = neutron_api.SecurityGroupManager(request).client

        if not def_sec_group:
            sg_params = {
                'name': 'default',
                'description': 'Default Security Group for ' + project_name,
                'tenant_id': project_id
            }
            secgroup = sg_client.create_security_group({ 'security_group' : sg_params })
            def_sec_group = SecurityGroup(secgroup.get('security_group'))
        flow_step += 1

        #
        # Workaround: the tenant_id cannot be specified through high level API
        #
        port22_params = {
            'security_group_id': def_sec_group,
            'direction': 'ingress',
            'ethertype': 'IPv4',
            'protocol': 'tcp',
            'port_range_min': 22,
            'port_range_max': 22,
            'remote_ip_prefix': subnet_cidr,
            'tenant_id' : project_id
        }

        icmp_params = {
            'security_group_id': def_sec_group,
            'direction': 'ingress',
            'ethertype': 'IPv4',
            'protocol': 'icmp',
            'remote_ip_prefix': subnet_cidr,
            'tenant_id' : project_id
        }

        sg_client.create_security_group_rule({'security_group_rule': port22_params})

        sg_client.create_security_group_rule({'security_group_rule': icmp_params})

    except:
        if flow_step == 0:
            err_msg = _("Cannot retrieve default security group")
        elif flow_step == 1:
            err_msg = _("Cannot create default security group")
        else:
            err_msg = _("Cannot insert basic rules")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:

        new_tags = list()
        new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other'))

        if '%s-ou' % unit_id in data:
            new_tags.append(OU_TAG_FMT % data['%s-ou' % unit_id])

        kclient = keystone_api.keystoneclient(request)
        kclient.projects.update_tags(project_id, new_tags)

    except:
        LOG.error("Cannot add organization tags", exc_info=True)
        messages.error(request, _("Cannot add organization tags"))
Beispiel #14
0
def setup_new_project(request, project_id, project_name, data):

    try:
        acct_table = getattr(settings, 'ACCOUNTING', None)
        if acct_table:
            uid = acct_table.get('user_id', None)
            roleid = acct_table.get('role_id', None)
            if uid and roleid:
                keystone_api.add_tenant_user_role(request, project_id, uid, roleid)
    except:
        LOG.error("Cannot add user for accounting", exc_info=True)
        messages.error(request, _("Cannot add user for accounting"))

    unit_id = data.get('unit', None)

    cloud_table = get_unit_table()
    if not unit_id or not unit_id in cloud_table:
        return

    unit_data = cloud_table[unit_id]
    prj_cname = re.sub(r'\s+', "-", project_name)
    flow_step = 0

    try:

        cinder_params = dict()
        for pkey, pvalue in unit_data.items():
            if pkey == 'quota_total':
                cinder_params['gigabytes'] = pvalue
            elif pkey == 'quota_per_volume':
                cinder_params['per_volume_gigabytes'] = pvalue
            elif pkey.startswith('quota_'):
                cinder_params['gigabytes_' + pkey[6:]] = pvalue

        if len(cinder_params):
            cinder_api.tenant_quota_update(request, project_id, **cinder_params)

    except:
            LOG.error("Cannot setup project quota", exc_info=True)
            messages.error(request, _("Cannot setup project quota"))

    try:

        hyper_list = unit_data.get('hypervisors', [])
        if len(hyper_list):
            agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname)
            avail_zone = unit_data.get('availability_zone', 'nova')

            new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone)
            flow_step += 1

            for h_item in hyper_list:
                nova_api.add_host_to_aggregate(request, new_aggr.id, h_item)
            flow_step += 1

            all_md = { 'filter_tenant_id' : project_id }
            all_md.update(unit_data.get('metadata', {}))

            nova_api.aggregate_set_metadata(request, new_aggr.id, all_md)
            flow_step = 0

    except:
        if flow_step == 0:
            err_msg = _("Cannot create host aggregate")
        elif flow_step == 1:
            err_msg = _("Cannot insert hypervisor in aggregate")
        else:
            err_msg = _("Cannot set metadata for aggregate")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:

        subnet_cidr = data['%s-net' % unit_id]
        prj_lan_name = "%s-lan" % prj_cname

        prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name)
        flow_step += 1

        net_args = {
            'cidr' : subnet_cidr,
            'ip_version' : 4,
            'dns_nameservers' : unit_data.get('nameservers', []),
            'enable_dhcp' : True,
            'tenant_id' : project_id,
            'name' : "sub-%s-lan" % prj_cname
        }
        prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args)
        flow_step += 1

        if 'lan_router' in unit_data:
            f_ips = [{
                "ip_address" : subnet_cidr.replace('0/24', '1'),
                "subnet_id" : prj_sub['id']
            }]
            r_port = neutron_api.port_create(request, prj_net['id'],
                                             tenant_id=project_id,
                                             project_id=project_id,
                                             fixed_ips=f_ips)

            neutron_api.router_add_interface(request, unit_data['lan_router'], 
                                            port_id=r_port['id'])
        flow_step = 0

    except:
        if flow_step == 0:
            err_msg = _("Cannot create network")
        elif flow_step == 1:
            err_msg = _("Cannot create sub-network")
        else:
            err_msg = _("Cannot add interface to router")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:
        subnet_cidr = data['%s-net' % unit_id]
        def_sec_group = None
        for sg_item in neutron_api.security_group_list(request, tenant_id=project_id):
            if sg_item['name'].lower() == 'default':
                def_sec_group = sg_item['id']
                LOG.info("Found default security group %s" % def_sec_group)
                break
        flow_step += 1

        sg_client = neutron_api.SecurityGroupManager(request).client

        if not def_sec_group:
            sg_params = {
                'name': 'default',
                'description': 'Default Security Group for ' + project_name,
                'tenant_id': project_id
            }
            secgroup = sg_client.create_security_group({ 'security_group' : sg_params })
            def_sec_group = SecurityGroup(secgroup.get('security_group'))
        flow_step += 1

        #
        # Workaround: the tenant_id cannot be specified through high level API
        #
        port22_params = {
            'security_group_id': def_sec_group,
            'direction': 'ingress',
            'ethertype': 'IPv4',
            'protocol': 'tcp',
            'port_range_min': 22,
            'port_range_max': 22,
            'remote_ip_prefix': "0.0.0.0/0",
            'tenant_id' : project_id
        }

        icmp_params = {
            'security_group_id': def_sec_group,
            'direction': 'ingress',
            'ethertype': 'IPv4',
            'protocol': 'icmp',
            'remote_ip_prefix': "0.0.0.0/0",
            'tenant_id' : project_id
        }

        sg_client.create_security_group_rule({'security_group_rule': port22_params})

        sg_client.create_security_group_rule({'security_group_rule': icmp_params})

    except:
        if flow_step == 0:
            err_msg = _("Cannot retrieve default security group")
        elif flow_step == 1:
            err_msg = _("Cannot create default security group")
        else:
            err_msg = _("Cannot insert basic rules")
        LOG.error(err_msg, exc_info=True)
        messages.error(request, err_msg)

    try:

        new_tags = list()
        new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other'))

        for ou_id in data.get('%s-ou' % unit_id, []):
            if ou_id.strip():
                new_tags.append(OU_TAG_FMT % ou_id.strip())

        kclient = keystone_api.keystoneclient(request)
        kclient.projects.update_tags(project_id, new_tags)

    except:
        LOG.error("Cannot add organization tags", exc_info=True)
        messages.error(request, _("Cannot add organization tags"))