def __init__(self, request, *args, **kwargs): super(UpdateRuleUsersAction, self).__init__(request, *args, **kwargs) err_msg = _('Unable to retrieve user list. Please try again later.') project_id = self.initial['project_id'] # The user-selection widget we're using thinks in terms of roles. We only want # one, simple list so we will collect them in the stand-in 'user' role. default_role_name = self.get_default_role_field_name() self.fields[default_role_name] = forms.CharField(required=False) self.fields[default_role_name].initial = self.role_name # Get list of available users all_users = [] try: # We can't use the default user_list function because it requires # us to be an admin user. users = keystone.keystoneclient(request).users.list( default_project=project_id) all_users = [ keystone.VERSIONS.upgrade_v2_user(user) for user in users ] all_users_dict = {user.id: user for user in all_users} except Exception: exceptions.handle(request, err_msg) # The v3 user list doesn't actually filter by project (code comments # to the contrary) so we have to dig through the role list to find # out who's actually in our project. # Anyone who is in all_users_dict and also has a role in the # project is a potential sudoer. project_users = set() manager = keystone.keystoneclient(request).role_assignments project_role_assignments = manager.list(project=project_id) for role_assignment in project_role_assignments: if not hasattr(role_assignment, 'user'): continue user_id = role_assignment.user['id'] if user_id in NO_SUDO_FOR: continue if user_id in all_users_dict: project_users.add(all_users_dict[user_id]) users_list = [(user.id, user.name) for user in project_users] users_list.insert(0, anyUserTuple()) users_list.insert(0, allUsersTuple(project_id)) # Add a field to collect the list of users with role 'user' field_name = self.get_member_field_name(self.role_name) label = self.role_name self.fields[field_name] = forms.MultipleChoiceField(required=False, label=label) self.fields[field_name].choices = users_list self.fields[field_name].initial = self.initial[self.role_name]
def get_admin_roleid(request): global TENANTADMIN_ROLEID if TENANTADMIN_ROLEID == None: for role in keystone_api.keystoneclient(request).roles.list(): if role.name == TENANTADMIN_ROLE: TENANTADMIN_ROLEID = role.id return TENANTADMIN_ROLEID
def handle(self, request, data): try: with transaction.atomic(): c_prj = Project.objects.filter(projectid=data['projectid'])[0] if PrjRole.objects.filter(registration__userid = request.user.id, project = c_prj).count() == 0: messages.error(request, _("Operation not allowed")) return False kclient = keystone_api.keystoneclient(request) for p_tag in kclient.projects.list_tags(c_prj.projectid): if p_tag.startswith('OU='): data['ou'] = p_tag[3:] if p_tag.startswith('O='): data['org'] = p_tag[2:] new_descr = encode_course_info(data) c_prj.description = new_descr c_prj.status = PRJ_COURSE c_prj.save() except: LOG.error("Cannot edit course parameters", exc_info=True) messages.error(request, _("Cannot edit course parameters")) return False return True
def sso_jump(request, service): endpoint = base.url_for(request, service) ks = keystone.keystoneclient(request) auth_url = ks.get_endpoint(None).replace('v2.0', 'v3') auth_methods = [v3_auth.TokenMethod(token=request.user.token.id)] plugin = v3_auth.Auth(auth_url, auth_methods, project_id=request.user.tenant_id, include_catalog=False) token = plugin.get_auth_ref(ks.session).auth_token redirect_url = ('%s?vdcId=%s&token=%s'%(endpoint, request.user.tenant_id, token)) return shortcuts.redirect(redirect_url)
def get_data(self): course_org_list = settings.HORIZON_CONFIG.get('course_for', {}).keys() result = list() try: tenants = super(IndexView, self).get_data() if len(tenants) == 0: return result prj_table = dict() for item in tenants: prj_table[item.name] = ExtPrjItem(item) kprj_man = keystone_api.keystoneclient(self.request).projects with transaction.atomic(): prj_list = Project.objects.filter(projectname__in=prj_table.keys()) role_list = PrjRole.objects.filter( registration__userid = self.request.user.id, project__in = prj_list ) for r_item in role_list: prj_table[r_item.project.projectname].isadmin = True for prj_item in prj_list: prjname = prj_item.projectname prj_table[prjname].status = prj_item.status prj_table[prjname].managed = True is_curr_admin = self.request.user.tenant_name == prjname is_curr_admin = is_curr_admin and prj_table[prjname].isadmin can_list_tags = self.request.user.is_superuser or is_curr_admin if prj_item.projectid and can_list_tags: prj_table[prjname].tags = set(kprj_man.list_tags(prj_item.projectid)) else: prj_table[prjname].tags = set() if is_curr_admin: for item in course_org_list: if (ORG_TAG_FMT % item) in prj_table[prjname].tags: prj_table[prjname].handle_course = True tmplist = prj_table.keys() tmplist.sort() for item in tmplist: result.append(prj_table[item]) except Exception: exceptions.handle(self.request, _("Unable to retrieve project list.")) return result
def get_initial(self): result = { 'projectid' : self.get_object().projectid, } try: kprj_man = keystone_api.keystoneclient(self.request).projects init_tags = kprj_man.list_tags(self.kwargs['project_id']) result['taglist'] = ", ".join(init_tags) except: LOG.error("Cannot retrieve tags", exc_info=True) return result
def handle(self, request, data): try: kclient = keystone_api.keystoneclient(request) kclient.projects.update_tags(data['projectid'], data['ptags']) except: LOG.error("Cannot edit tags", exc_info=True) messages.error(request, _("Cannot edit tags")) return False return True
def handle(self, request, data): try: kclient = keystone_api.keystoneclient(request) kclient.projects.update_tags(data['projectid'], []) kclient.projects.update_tags(data['projectid'], data['ptags']) except: LOG.error("Cannot edit tags", exc_info=True) messages.error(request, _("Cannot edit tags")) return False return True
def get_project_managers(request, project_id): result = list() kclient = keystone_api.keystoneclient(request, admin=True) tntadm_role_id = get_admin_roleid(request) url = '/role_assignments?scope.project.id=%s&role.id=%s' resp, body = kclient.get(url % (project_id, tntadm_role_id)) for item in body['role_assignments']: tntadmin = keystone_api.user_get(request, item['user']['id']) LOG.debug('Found tenant admin %s' % tntadmin.name) result.append(tntadmin) return result
def recordIsProxy(request, record): global PROXYIP if not PROXYIP: # Leap of faith: Assume the proxy-api host is also the proxy host. # So, get the proxy endpoint from keystone, convert to an IP, # and compare to 'record' client = keystone.keystoneclient(request) services = client.services.list() proxyservices = [service for service in services if service.name == 'proxy'] endpoints = client.endpoints.list(service=proxyservices[0].id) proxyurl = endpoints[0].url parsed_uri = urlparse(proxyurl) domain = parsed_uri.hostname PROXYIP = socket.gethostbyname_ex(domain)[2][0] return record.data == PROXYIP
def logout(request): use_slo = settings.HORIZON_CONFIG.get('enable_slo', False) #use_slo = use_slo and request.user.is_federated use_slo = use_slo and not 'finalstep' in request.GET if not use_slo: return basic_logout(request) try: site_name = request.META['SERVER_NAME'] site_port = int(request.META['SERVER_PORT']) redir_url = 'https://%s:%d/dashboard/auth/logout?finalstep=true' utoken = request.session.get('unscoped_token') token_data = keystone_api.keystoneclient( request).tokens.get_token_data(utoken) redir_str = None if "openid" in token_data['token']['methods']: redir_para = 'logout' redir_str = "https://%s:%d/v3/auth/OS-FEDERATION/websso/openid/redirect?%s" elif "mapped" in token_data['token']['methods']: redir_para = 'return' redir_str = 'https://%s:%d/Shibboleth.sso/Logout?%s' if redir_str: param_str = urlencode( {redir_para: redir_url % (site_name, site_port)}) srv_table = settings.HORIZON_CONFIG.get('srv_bind_table', {}) ks_name = srv_table.get(site_name, site_name) jumpto = redir_str % (ks_name, site_port, param_str) return django_http.HttpResponseRedirect(jumpto) except: LOG.error("SLO failure", exc_info=True) return basic_logout(request)
def setup_new_project(request, project_id, project_name, data): unit_id = data.get('unit', None) cloud_table = getattr(settings, 'UNIT_TABLE', {}) if not unit_id or not unit_id in cloud_table: return unit_data = cloud_table[unit_id] prj_cname = re.sub(r'\s+', "-", project_name) flow_step = 0 try: cinder_params = dict() for pkey, pvalue in unit_data.items(): if pkey == 'quota_total': cinder_params['gigabytes'] = pvalue elif pkey == 'quota_per_volume': cinder_params['per_volume_gigabytes'] = pvalue elif pkey.startswith('quota_'): cinder_params['gigabytes_' + pkey[6:]] = pvalue if len(cinder_params): cinder_api.tenant_quota_update(request, project_id, **cinder_params) except: LOG.error("Cannot setup project quota", exc_info=True) messages.error(request, _("Cannot setup project quota")) try: hyper_list = unit_data.get('hypervisors', []) if len(hyper_list): agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname) avail_zone = unit_data.get('availability_zone', 'nova') new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone) flow_step += 1 for h_item in hyper_list: nova_api.add_host_to_aggregate(request, new_aggr.id, h_item) flow_step += 1 all_md = { 'filter_tenant_id' : project_id } all_md.update(unit_data.get('metadata', {})) nova_api.aggregate_set_metadata(request, new_aggr.id, all_md) flow_step = 0 except: if flow_step == 0: err_msg = _("Cannot create host aggregate") elif flow_step == 1: err_msg = _("Cannot insert hypervisor in aggregate") else: err_msg = _("Cannot set metadata for aggregate") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: subnet_cidr = data['%s-net' % unit_id] prj_lan_name = "%s-lan" % prj_cname prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name) flow_step += 1 net_args = { 'cidr' : subnet_cidr, 'ip_version' : 4, 'dns_nameservers' : unit_data.get('nameservers', []), 'enable_dhcp' : True, 'tenant_id' : project_id, 'name' : "sub-%s-lan" % prj_cname } prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args) flow_step += 1 if 'lan_router' in unit_data: neutron_api.router_add_interface(request, unit_data['lan_router'], subnet_id=prj_sub['id']) flow_step = 0 except: if flow_step == 0: err_msg = _("Cannot create network") elif flow_step == 1: err_msg = _("Cannot create sub-network") else: err_msg = _("Cannot add interface to router") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: subnet_cidr = data['%s-net' % unit_id] def_sec_group = None for sg_item in neutron_api.security_group_list(request, tenant_id=project_id): if sg_item['name'].lower() == 'default': def_sec_group = sg_item['id'] LOG.info("Found default security group %s" % def_sec_group) break flow_step += 1 sg_client = neutron_api.SecurityGroupManager(request).client if not def_sec_group: sg_params = { 'name': 'default', 'description': 'Default Security Group for ' + project_name, 'tenant_id': project_id } secgroup = sg_client.create_security_group({ 'security_group' : sg_params }) def_sec_group = SecurityGroup(secgroup.get('security_group')) flow_step += 1 # # Workaround: the tenant_id cannot be specified through high level API # port22_params = { 'security_group_id': def_sec_group, 'direction': 'ingress', 'ethertype': 'IPv4', 'protocol': 'tcp', 'port_range_min': 22, 'port_range_max': 22, 'remote_ip_prefix': subnet_cidr, 'tenant_id' : project_id } icmp_params = { 'security_group_id': def_sec_group, 'direction': 'ingress', 'ethertype': 'IPv4', 'protocol': 'icmp', 'remote_ip_prefix': subnet_cidr, 'tenant_id' : project_id } sg_client.create_security_group_rule({'security_group_rule': port22_params}) sg_client.create_security_group_rule({'security_group_rule': icmp_params}) except: if flow_step == 0: err_msg = _("Cannot retrieve default security group") elif flow_step == 1: err_msg = _("Cannot create default security group") else: err_msg = _("Cannot insert basic rules") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: new_tags = list() new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other')) if '%s-ou' % unit_id in data: new_tags.append(OU_TAG_FMT % data['%s-ou' % unit_id]) kclient = keystone_api.keystoneclient(request) kclient.projects.update_tags(project_id, new_tags) except: LOG.error("Cannot add organization tags", exc_info=True) messages.error(request, _("Cannot add organization tags"))
def setup_new_project(request, project_id, project_name, data): try: acct_table = getattr(settings, 'ACCOUNTING', None) if acct_table: uid = acct_table.get('user_id', None) roleid = acct_table.get('role_id', None) if uid and roleid: keystone_api.add_tenant_user_role(request, project_id, uid, roleid) except: LOG.error("Cannot add user for accounting", exc_info=True) messages.error(request, _("Cannot add user for accounting")) unit_id = data.get('unit', None) cloud_table = get_unit_table() if not unit_id or not unit_id in cloud_table: return unit_data = cloud_table[unit_id] prj_cname = re.sub(r'\s+', "-", project_name) flow_step = 0 try: cinder_params = dict() for pkey, pvalue in unit_data.items(): if pkey == 'quota_total': cinder_params['gigabytes'] = pvalue elif pkey == 'quota_per_volume': cinder_params['per_volume_gigabytes'] = pvalue elif pkey.startswith('quota_'): cinder_params['gigabytes_' + pkey[6:]] = pvalue if len(cinder_params): cinder_api.tenant_quota_update(request, project_id, **cinder_params) except: LOG.error("Cannot setup project quota", exc_info=True) messages.error(request, _("Cannot setup project quota")) try: hyper_list = unit_data.get('hypervisors', []) if len(hyper_list): agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname) avail_zone = unit_data.get('availability_zone', 'nova') new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone) flow_step += 1 for h_item in hyper_list: nova_api.add_host_to_aggregate(request, new_aggr.id, h_item) flow_step += 1 all_md = { 'filter_tenant_id' : project_id } all_md.update(unit_data.get('metadata', {})) nova_api.aggregate_set_metadata(request, new_aggr.id, all_md) flow_step = 0 except: if flow_step == 0: err_msg = _("Cannot create host aggregate") elif flow_step == 1: err_msg = _("Cannot insert hypervisor in aggregate") else: err_msg = _("Cannot set metadata for aggregate") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: subnet_cidr = data['%s-net' % unit_id] prj_lan_name = "%s-lan" % prj_cname prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name) flow_step += 1 net_args = { 'cidr' : subnet_cidr, 'ip_version' : 4, 'dns_nameservers' : unit_data.get('nameservers', []), 'enable_dhcp' : True, 'tenant_id' : project_id, 'name' : "sub-%s-lan" % prj_cname } prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args) flow_step += 1 if 'lan_router' in unit_data: f_ips = [{ "ip_address" : subnet_cidr.replace('0/24', '1'), "subnet_id" : prj_sub['id'] }] r_port = neutron_api.port_create(request, prj_net['id'], tenant_id=project_id, project_id=project_id, fixed_ips=f_ips) neutron_api.router_add_interface(request, unit_data['lan_router'], port_id=r_port['id']) flow_step = 0 except: if flow_step == 0: err_msg = _("Cannot create network") elif flow_step == 1: err_msg = _("Cannot create sub-network") else: err_msg = _("Cannot add interface to router") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: subnet_cidr = data['%s-net' % unit_id] def_sec_group = None for sg_item in neutron_api.security_group_list(request, tenant_id=project_id): if sg_item['name'].lower() == 'default': def_sec_group = sg_item['id'] LOG.info("Found default security group %s" % def_sec_group) break flow_step += 1 sg_client = neutron_api.SecurityGroupManager(request).client if not def_sec_group: sg_params = { 'name': 'default', 'description': 'Default Security Group for ' + project_name, 'tenant_id': project_id } secgroup = sg_client.create_security_group({ 'security_group' : sg_params }) def_sec_group = SecurityGroup(secgroup.get('security_group')) flow_step += 1 # # Workaround: the tenant_id cannot be specified through high level API # port22_params = { 'security_group_id': def_sec_group, 'direction': 'ingress', 'ethertype': 'IPv4', 'protocol': 'tcp', 'port_range_min': 22, 'port_range_max': 22, 'remote_ip_prefix': "0.0.0.0/0", 'tenant_id' : project_id } icmp_params = { 'security_group_id': def_sec_group, 'direction': 'ingress', 'ethertype': 'IPv4', 'protocol': 'icmp', 'remote_ip_prefix': "0.0.0.0/0", 'tenant_id' : project_id } sg_client.create_security_group_rule({'security_group_rule': port22_params}) sg_client.create_security_group_rule({'security_group_rule': icmp_params}) except: if flow_step == 0: err_msg = _("Cannot retrieve default security group") elif flow_step == 1: err_msg = _("Cannot create default security group") else: err_msg = _("Cannot insert basic rules") LOG.error(err_msg, exc_info=True) messages.error(request, err_msg) try: new_tags = list() new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other')) for ou_id in data.get('%s-ou' % unit_id, []): if ou_id.strip(): new_tags.append(OU_TAG_FMT % ou_id.strip()) kclient = keystone_api.keystoneclient(request) kclient.projects.update_tags(project_id, new_tags) except: LOG.error("Cannot add organization tags", exc_info=True) messages.error(request, _("Cannot add organization tags"))