def create_image():
    """Register a new image from the request body and return its JSON view.

    A global (public) image may not name a project, and auth.assert_admin()
    is called before it is created. A project image must name its project,
    and the client set comes from auth.client_set_for_tenant().
    """
    params = parse_request_data(_SCHEMA.create_allowed,
                                _SCHEMA.create_required)
    has_project = 'project' in params
    # With no explicit 'global' flag, an image without a project is global.
    is_public = params.get('global', not has_project)

    if not is_public:
        if not has_project:
            raise exc.MissingElement('project')
        # NOTE(review): the caller's right to use this project is presumably
        # enforced inside client_set_for_tenant -- confirm; no other check
        # is visible in this function.
        client_set = auth.client_set_for_tenant(params['project'])
    else:
        _assert_param_absent('project', params, 'public')
        auth.assert_admin()
        client_set = g.client_set

    disk_format = params['disk-format']
    properties = {}
    if disk_format != 'ami':
        # Kernel and ramdisk references are accepted for 'ami' images only.
        for key in ('kernel', 'ramdisk'):
            _assert_param_absent(key, params, disk_format)
    else:
        # TODO(imelnikov): check that images have correct types
        for key in ('kernel', 'ramdisk'):
            if key in params:
                properties[key + '_id'] = params[key]

    image = client_set.image.images.create(
        name=params['name'],
        disk_format=disk_format,
        container_format=params['container-format'],
        is_public=is_public,
        properties=properties)
    set_audit_resource_id(image)
    return make_json_response(_image_to_view(image))
def _grant_admin(user_id):
    """Give *user_id* the admin role.

    The role is added within the admin tenant (aka systenant).
    auth.assert_admin() runs before the role change.
    """
    auth.assert_admin()
    role_manager = g.client_set.identity_admin.roles
    role_manager.add_user_role(user_id,
                               auth.admin_role_id(),
                               auth.default_tenant_id())
def delete_users_ssh_key(user_id, key_name):
    """Delete the SSH key *key_name* of *user_id*; respond 204 on success.

    auth.assert_admin() is called when the target is not the current user.
    An unknown user/key pair (osc_exc.NotFound) becomes a 404.
    """
    acting_on_self = user_id == auth.current_user_id()
    if not acting_on_self:
        auth.assert_admin()
    # The deletion goes through the admin client set, so the check above is
    # the only authorization gate visible in this function.
    keypairs = auth.admin_client_set().compute_ext.user_keypairs
    try:
        keypairs.delete(user_id, key_name)
    except osc_exc.NotFound:
        abort(404)
    return make_json_response(None, 204)
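def _invite_user(user, data):
    """Create an invitation for *user*, then mail it or return its code.

    When data['send-invite-mail'] is true (the default) the invitation is
    mailed to user.email. Otherwise auth.assert_admin() is called and the
    view is built with send_code=True.

    Returns the result of user_to_view() for the user and the new invite.
    """
    send_mail = data.get('send-invite-mail', True)
    if not send_mail:
        # Authorize before InvitesDAO.create() so that a rejected caller
        # does not leave an invite record behind.
        auth.assert_admin()
    inv = InvitesDAO.create(user.id, user.email)
    if send_mail:
        # NOTE(review): 'link-template' is request-supplied and the mail
        # carries inv.code; confirm send_invitation() restricts the
        # template to trusted link targets -- not visible here.
        send_invitation(user.email, inv.code, data.get('link-template'),
                        greeting=getattr(user, 'fullname', ''))
    return user_to_view(user, inv, send_code=not send_mail)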
def _grant_admin(user_id):
    """Grant admin permission to *user_id*.

    Adds the admin role within the admin tenant (aka systenant), after
    auth.assert_admin() has been called.
    """
    auth.assert_admin()
    identity = g.client_set.identity_admin
    identity.roles.add_user_role(
        user_id,
        auth.admin_role_id(),
        auth.default_tenant_id(),
    )
def create_users_ssh_key(user_id):
    """Register an SSH public key for *user_id* from the request body.

    auth.assert_admin() is called when the target is not the current user.
    A BadRequest from the keypair manager is re-raised as
    exc.InvalidRequest.
    """
    body = parse_request_data(required=_SCHEMA.required)
    acting_on_self = user_id == auth.current_user_id()
    if not acting_on_self:
        auth.assert_admin()
    # check that user exists and is visible
    fetch_user(user_id, g.is_admin)
    # The key is written through the admin client set, so the check above
    # is the only authorization gate visible in this function.
    keypairs = auth.admin_client_set().compute_ext.user_keypairs
    try:
        kp = keypairs.create(user_id, body['name'], body['public-key'])
    except osc_exc.BadRequest as e:
        raise exc.InvalidRequest(str(e))
    # NOTE(review): nothing follows the handler in this listing, so as shown
    # the function returns None on success and kp is unused -- the listing
    # may be truncated.
def _revoke_admin(user_id):
    """Take the admin role away from *user_id*.

    The role is removed in the admin tenant (aka systenant), after
    auth.assert_admin() has been called. A user who did not hold the role
    is left unchanged.
    """
    auth.assert_admin()
    role_manager = g.client_set.identity_admin.roles
    try:
        role_manager.remove_user_role(user_id,
                                      auth.admin_role_id(),
                                      auth.default_tenant_id())
    except osc_exc.NotFound:
        # user was not admin
        return
def _add_user_to_projects(user, projects):
    """Add *user* to each of *projects* with the member role.

    Does nothing, and makes no admin check, when *projects* is empty.
    Raises exc.InvalidElementValue for a project the identity service
    reports as not found.
    """
    if not projects:
        return
    auth.assert_admin()
    member_role = member_role_id()
    for tenant_id in projects:
        try:
            g.client_set.identity_admin.roles.add_user_role(
                user=user, role=member_role, tenant=tenant_id)
        except osc_exc.NotFound:
            # Roles added for earlier projects are not undone here.
            raise exc.InvalidElementValue('projects', 'link object',
                                          tenant_id,
                                          'Project does not exist')
def _add_user_to_projects(user, projects):
    """Give *user* the member role in every project of *projects*.

    An empty *projects* returns at once, before auth.assert_admin().
    A project that does not exist raises exc.InvalidElementValue.
    """
    if not projects:
        return
    auth.assert_admin()
    role = member_role_id()
    for project_id in projects:
        try:
            g.client_set.identity_admin.roles.add_user_role(
                user=user,
                role=role,
                tenant=project_id,
            )
        except osc_exc.NotFound:
            # The loop stops here; projects already handled keep the role.
            raise exc.InvalidElementValue(
                'projects', 'link object', project_id,
                'Project does not exist')
def _fetch_image(image_id, to_modify):
    """Return the image *image_id* after an access check, or abort with 404.

    An image owned by the default tenant needs auth.assert_admin() only
    when *to_modify* is true. Any other image needs
    auth.assert_admin_or_project_user() for its owner.
    """
    # The lookup uses the admin client set, so the checks below are what
    # limit which images the caller gets back.
    try:
        image = auth.admin_client_set().image.images.get(image_id)
    except osc_exc.NotFound:
        abort(404)

    # NOTE(imelnikov): yes, glance may return False as string
    deleted = image.deleted
    if deleted and deleted != 'False':
        abort(404)

    owned_by_default_tenant = image.owner == auth.default_tenant_id()
    if not owned_by_default_tenant:
        auth.assert_admin_or_project_user(image.owner)
    elif to_modify:
        auth.assert_admin()
    return image
def send_invite_for_user(user_id):
    """Create an invitation for an existing user; return it as JSON.

    Raises exc.InvalidRequest when invitations are disabled in the config.
    With 'disable-user' set in the request, auth.assert_admin() is called
    and the account is disabled and its password cleared before inviting.
    """
    invitations_enabled = g.config('invitations', 'enabled')
    if not invitations_enabled:
        # TODO(imelnikov): consider if this is error 403, not 400
        raise exc.InvalidRequest('Invitations disabled')

    params = parse_request_data(_SEND_INVITE_SCHEMA)
    target = fetch_user(user_id, g.is_admin)
    # NOTE(review): apart from the 'disable-user' branch, the only caller
    # check visible here is whatever fetch_user() enforces -- confirm.
    if params.get('disable-user', False):
        auth.assert_admin()
        update_user_data(target, {'enabled': False, 'password': None})
    return make_json_response(_invite_user(target, params))
def remove_project_user(project_id, user_id):
    """Remove every role *user_id* holds in *project_id*; respond 204.

    assert_admin() is called when the target is not the current user.
    Aborts with 404 when the role lookup reports NotFound or returns no
    roles.
    """
    tenant = get_tenant(project_id)
    removing_self = user_id == current_user_id()
    if not removing_self:
        assert_admin()

    try:
        users = admin_client_set().identity_admin.users
        memberships = users.list_roles(user_id, project_id)
    except osc_exc.NotFound:
        abort(404)
    if not memberships:
        # user was not member of the project
        abort(404)

    for membership in memberships:
        try:
            tenant.remove_user(user_id, membership.id)
        except osc_exc.NotFound:
            # already deleted by someone else
            continue
    return make_json_response(None, status_code=204)
def update_user(user_id):
    """Apply the request's changes to *user_id*; return the updated view.

    A request containing 'admin' calls auth.assert_admin() before any
    change is applied. The admin role is then granted or revoked
    according to that flag.
    """
    changes = parse_request_data(_SCHEMA.updatable)
    target = fetch_user(user_id, g.is_admin)
    set_audit_resource_id(user_id)

    changes_admin_flag = 'admin' in changes
    if changes_admin_flag:
        auth.assert_admin()
    # NOTE(review): no self-or-admin check on the other fields is visible
    # here; presumably update_user_data() enforces it -- confirm.
    update_user_data(target, changes)

    admin_flag = changes.get('admin')
    if admin_flag == True:
        _grant_admin(user_id)
    elif admin_flag == False:
        _revoke_admin(user_id)

    # get updated user
    refreshed = fetch_user(user_id, g.is_admin)
    return make_json_response(user_to_view(refreshed))