def __init__(self):
backends.load_backends()
self.admin_password = None
self.admin_username = None
self.project_id = None
self.project_name = None
self.reader_role_id = None
self.reader_role_name = 'reader'
self.member_role_id = None
self.member_role_name = 'member'
self.admin_role_id = None
self.admin_role_name = None
self.region_id = None
self.service_name = None
self.public_url = None
self.internal_url = None
self.admin_url = None
self.endpoints = {}
self.default_domain_id = None
self.admin_user_id = None
self.immutable_roles = False
def __init__(self):
backends.load_backends()
self.admin_password = None
self.admin_username = None
self.project_id = None
self.project_name = None
self.reader_role_id = None
self.reader_role_name = 'reader'
self.member_role_id = None
self.member_role_name = 'member'
self.admin_role_id = None
self.admin_role_name = None
self.region_id = None
self.service_name = None
self.public_url = None
self.internal_url = None
self.admin_url = None
self.endpoints = {}
self.default_domain_id = None
self.admin_user_id = None
def load_backends(self):
drivers = backends.load_backends()
self.resource_manager = drivers["resource_api"]
self.identity_manager = drivers["identity_api"]
self.assignment_manager = drivers["assignment_api"]
self.catalog_manager = drivers["catalog_api"]
self.role_manager = drivers["role_api"]
def setup_backends(load_extra_backends_fn=lambda: {},
startup_application_fn=lambda: None):
drivers = backends.load_backends()
drivers.update(load_extra_backends_fn())
res = startup_application_fn()
drivers.update(dependency.resolve_future_dependencies())
return drivers, res
def setup_backends(load_extra_backends_fn=lambda: {},
startup_application_fn=lambda: None):
drivers = backends.load_backends()
drivers.update(load_extra_backends_fn())
res = startup_application_fn()
drivers.update(dependency.resolve_future_dependencies())
return drivers, res
def load_backends(self):
drivers = backends.load_backends()
self.resource_manager = drivers['resource_api']
self.identity_manager = drivers['identity_api']
self.assignment_manager = drivers['assignment_api']
self.catalog_manager = drivers['catalog_api']
self.role_manager = drivers['role_api']
def main():
def validate_options():
# NOTE(henry-nash): It would be nice to use the argparse automated
# checking for this validation, but the only way I can see doing
# that is to make the default (i.e. if no optional parameters
# are specified) to purge all mappings - and that sounds too
# dangerous as a default. So we use it in a slightly
# unconventional way, where all parameters are optional, but you
# must specify at least one.
if (
CONF.command.all is False
and CONF.command.domain_name is None
and CONF.command.public_id is None
and CONF.command.local_id is None
and CONF.command.type is None
):
raise ValueError(_("At least one option must be provided"))
if CONF.command.all is True and (
CONF.command.domain_name is not None
or CONF.command.public_id is not None
or CONF.command.local_id is not None
or CONF.command.type is not None
):
raise ValueError(_("--all option cannot be mixed with " "other options"))
def get_domain_id(name):
try:
return resource_manager.get_domain_by_name(name)["id"]
except KeyError:
raise ValueError(_("Unknown domain '%(name)s' specified by " "--domain-name") % {"name": name})
validate_options()
drivers = backends.load_backends()
resource_manager = drivers["resource_api"]
mapping_manager = drivers["id_mapping_api"]
# Now that we have validated the options, we know that at least one
# option has been specified, and if it was the --all option then this
# was the only option specified.
#
# The mapping dict is used to filter which mappings are purged, so
# leaving it empty means purge them all
mapping = {}
if CONF.command.domain_name is not None:
mapping["domain_id"] = get_domain_id(CONF.command.domain_name)
if CONF.command.public_id is not None:
mapping["public_id"] = CONF.command.public_id
if CONF.command.local_id is not None:
mapping["local_id"] = CONF.command.local_id
if CONF.command.type is not None:
mapping["type"] = CONF.command.type
mapping_manager.purge_mappings(mapping)
def main():
def validate_options():
# NOTE(henry-nash): It would be nice to use the argparse automated
# checking for this validation, but the only way I can see doing
# that is to make the default (i.e. if no optional parameters
# are specified) to purge all mappings - and that sounds too
# dangerous as a default. So we use it in a slightly
# unconventional way, where all parameters are optional, but you
# must specify at least one.
if (CONF.command.all is False and CONF.command.domain_name is None
and CONF.command.public_id is None
and CONF.command.local_id is None
and CONF.command.type is None):
raise ValueError(_('At least one option must be provided'))
if (CONF.command.all is True
and (CONF.command.domain_name is not None
or CONF.command.public_id is not None
or CONF.command.local_id is not None
or CONF.command.type is not None)):
raise ValueError(
_('--all option cannot be mixed with '
'other options'))
def get_domain_id(name):
try:
return resource_manager.get_domain_by_name(name)['id']
except KeyError:
raise ValueError(
_("Unknown domain '%(name)s' specified by "
"--domain-name") % {'name': name})
validate_options()
drivers = backends.load_backends()
resource_manager = drivers['resource_api']
mapping_manager = drivers['id_mapping_api']
# Now that we have validated the options, we know that at least one
# option has been specified, and if it was the --all option then this
# was the only option specified.
#
# The mapping dict is used to filter which mappings are purged, so
# leaving it empty means purge them all
mapping = {}
if CONF.command.domain_name is not None:
mapping['domain_id'] = get_domain_id(CONF.command.domain_name)
if CONF.command.public_id is not None:
mapping['public_id'] = CONF.command.public_id
if CONF.command.local_id is not None:
mapping['local_id'] = CONF.command.local_id
if CONF.command.type is not None:
mapping['type'] = CONF.command.type
mapping_manager.purge_mappings(mapping)
def main():
try:
token_id = input("Enter token: ")
drivers = backends.load_backends()
token_provider_api = drivers['token_provider_api']
token = token_provider_api._validate_token(token_id)
print("user: %s" % token.user)
print("issued-at: %s" % token.issued_at)
print("expires-at: %s" % token.expires_at)
if token.domain_scoped:
print("domain-scoped token")
print("domain: %s" % token.domain)
elif token.project_scoped:
print("project-scoped token")
print("project: %s" % token.project)
elif token.unscoped:
print("un-scoped token")
elif token.system_scoped:
print("system-scoped token")
elif token.oauth_scoped:
print("oauth-scoped token")
print("token: %s" % token.access_token)
elif token.trust_scoped:
print("trust-scoped token")
print("trust: %s" % token.trust)
print("roles: %s" % token.roles)
try:
token_provider_api.validate_token(token_id)
print("token is valid")
except Exception as e:
print("token is not valid: %s" % e)
except Exception as e:
print("failed: %s" % e)
def __init__(self):
drivers = backends.load_backends()
self.credential_provider_api = drivers['credential_provider_api']
self.credential_api = drivers['credential_api']
def load_backends(self):
drivers = backends.load_backends()
self.resource_manager = drivers['resource_api']
self.domain_config_manager = drivers['domain_config_api']
def setup_backends(load_extra_backends_fn=lambda: {},
startup_application_fn=lambda: None):
drivers = backends.load_backends()
drivers.update(load_extra_backends_fn())
res = startup_application_fn()
return drivers, res
def main():
keystone.conf.configure()
backends.load_backends()
return upgradecheck.main(CONF, 'keystone', Checks())
def load_backends(self):
drivers = backends.load_backends()
self.resource_manager = drivers['resource_api']
self.domain_config_manager = drivers['domain_config_api']
def setup_backends(load_extra_backends_fn=lambda: {},
startup_application_fn=lambda: None):
drivers = backends.load_backends()
drivers.update(load_extra_backends_fn())
res = startup_application_fn()
return drivers, res
def load_backends(cls):
drivers = backends.load_backends()
cls.identity_api = drivers['identity_api']
cls.resource_api = drivers['resource_api']
def __init__(self):
drivers = backends.load_backends()
self.credential_provider_api = drivers['credential_provider_api']
self.credential_api = drivers['credential_api']
def main():
# caches
domain_cache = {}
project_cache = {}
user_cache = {}
group_cache = {}
def get_domain(id):
result = None
if id not in domain_cache:
domain = resource_manager.get_domain(id)
if domain:
result = domain_cache[id] = domain['name']
else:
result = domain_cache[id]
return result
def get_project(id):
result = None
if id not in project_cache:
project = resource_manager.get_project(id)
if project:
result = project_cache[id] = project['name']
else:
result = project_cache[id]
return result
def get_user(id):
result = None
if id not in user_cache:
user = identity_api.get_user(id)
if user:
result = user_cache[id] = user['name']
else:
result = user_cache[id]
return result
def get_group(id):
result = None
if id not in group_cache:
group = identity_api.get_group(id)
if group:
result = group_cache[id] = group['name']
else:
result = group_cache[id]
return result
drivers = backends.load_backends()
identity_api = drivers['identity_api']
resource_manager = drivers['resource_api']
assignment_manager = drivers['assignment_api']
LOG.info("repairing orphaned role-assignments...")
# load all users & groups once, so their id's are in the mapping table
domains = resource_manager.list_domains(driver_hints.Hints())
for domain in domains:
identity_api.list_users(domain_scope=domain['id'])
identity_api.list_groups(domain_scope=domain['id'])
assignments = assignment_manager.list_role_assignments()
for assignment in assignments:
try:
if 'project_id' in assignment:
get_project(assignment['project_id'])
elif 'domain_id' in assignment:
get_domain(assignment['domain_id'])
if 'user_id' in assignment:
get_user(assignment['user_id'])
if 'group_id' in assignment:
get_group(assignment['group_id'])
except exception.UserNotFound as e:
if CONF.command.dry_run:
LOG.warning(
"%s -> found orphaned role-assignments for user %s (%s)"
% (e.message, assignment['user_id'], assignment))
else:
LOG.warning(
"%s -> deleting role-assignments for user %s (%s)" %
(e.message, assignment['user_id'], assignment))
assignment_manager.driver.delete_user_assignments(
assignment['user_id'])
except exception.GroupNotFound as e:
if CONF.command.dry_run:
LOG.warning(
"%s -> found orphaned role-assignments for group %s (%s)"
% (e.message, assignment['group_id'], assignment))
else:
LOG.warning(
"%s -> deleting role-assignments for group %s (%s)" %
(e.message, assignment['group_id'], assignment))
assignment_manager.driver.delete_group_assignments(
assignment['group_id'])
except exception.DomainNotFound as e:
if CONF.command.dry_run:
LOG.warning(
"%s -> found orphaned role-assignments for domain %s (%s)"
% (e.message, assignment['domain_id'], assignment))
else:
LOG.warning(
"%s -> deleting role-assignments for domain %s (%s)" %
(e.message, assignment['domain_id'], assignment))
assignment_manager.driver.delete_domain_assignments(
assignment['domain_id'])
except exception.ProjectNotFound as e:
if CONF.command.dry_run:
LOG.warning(
"%s -> found orphaned role-assignments for project %s (%s)"
% (e.message, assignment['project_id'], assignment))
else:
LOG.warning(
"%s -> deleting role-assignments for project %s (%s)" %
(e.message, assignment['project_id'], assignment))
assignment_manager.driver.delete_project_assignments(
assignment['project_id'])
except Exception as e:
LOG.error("%s %s" % (e, assignment))
LOG.info("repairing orphaned role-assignments done.")
def load_backends(cls):
drivers = backends.load_backends()
cls.identity_api = drivers['identity_api']
cls.resource_api = drivers['resource_api']
def main():
# caches
user_cache = {}
domain_cache = {}
def get_user(id):
result = None
if id not in user_cache:
user = identity_api.get_user(id)
if user:
result = user_cache[id] = user
else:
result = user_cache[id]
return result
def get_domain(id):
result = None
if id not in domain_cache:
domain = resource_manager.get_domain(id)
if domain:
result = domain_cache[id] = domain['name']
else:
result = domain_cache[id]
return result
def delete_mapping(entry):
LOG.info("Deleting mapping %s in domain %s" %
(entry['local_id'], get_domain(entry['domain_id'])))
if not CONF.command.dry_run:
mapping_manager.purge_mappings(entry)
drivers = backends.load_backends()
identity_api = drivers['identity_api']
resource_manager = drivers['resource_api']
mapping_manager = drivers['id_mapping_api']
assignment_manager = drivers['assignment_api']
# load all users once, so their id's are in the mapping table
domains = resource_manager.list_domains(driver_hints.Hints())
for domain in domains:
identity_api.list_users(domain_scope=domain['id'])
# load all id-mappings
mappings = []
with sql.session_for_read() as session:
query = session.query(IDMapping).filter_by(entity_type='user')
for entry in query:
mappings.append(entry.to_dict())
for entry in mappings:
try:
user = get_user(entry['public_id'])
domain = get_domain(user['domain_id'])
if domain not in ['cc3test', 'Default']:
if entry['local_id'] != user['name'].strip().upper():
roles = assignment_manager.list_role_assignments(
user_id=entry['public_id'])
if len(roles) > 0:
LOG.error("User %s@%s (%s) has roles: %s" %
(entry['local_id'],
get_domain(entry['domain_id']),
entry['public_id'], roles))
else:
delete_mapping(entry)
elif not re.match(CID_REGEX, user['name']):
if not re.match(T_REGEX, user['name']):
LOG.error("Invalid username %s@%s" %
(entry['local_id'],
get_domain(entry['domain_id'])))
except exception.UserNotFound:
roles = assignment_manager.list_role_assignments(
user_id=entry['public_id'])
if len(roles) > 0:
LOG.error(
"User %s@%s (%s) has roles: %s" %
(entry['local_id'], get_domain(
entry['domain_id']), entry['public_id'], roles))
else:
delete_mapping(entry)
