def change_passwords(self, users):
for user in users:
# Use the model to check validity.
username = user['name']
self._check_username(username)
hostname = user['host']
password = user['password']
if (username, hostname) not in self.users:
raise rd_exception.UserNotFound(
"User %s@%s cannot be found on the instance." %
(username, hostname))
self.users[(username, hostname)]['password'] = password
def revoke_access(self, username, hostname, database):
"""Remove a database from a users's grant list."""
if (username, hostname) not in self.users:
raise rd_exception.UserNotFound(
"User %s cannot be found on the instance." % username)
if database not in self.grants.get((username, hostname), set()):
raise rd_exception.DatabaseNotFound(
"Database %s cannot be found on the instance." % database)
current_grants = self.grants.get((username, hostname), set())
if database in current_grants:
current_grants.remove(database)
self.grants[(username, hostname)] = current_grants
def update(self, req, body, tenant_id, instance_id, user_id):
"""Grant access for a user to one or more databases."""
LOG.info(_("Granting user access for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error(_("No such user: %(user)s " % {'user': user}))
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
databases = [db['name'] for db in body['databases']]
models.User.grant(context, instance_id, username, hostname, databases)
return wsgi.Result(None, 202)
def _find_user(self, context, username):
"""Lookup a user with a given username.
Return a new Postgres user instance or raise if no match is found.
"""
results = pgutil.query(
pgutil.UserQuery.get(name=username),
timeout=30,
)
if results:
return self._build_user(context, username)
raise exception.UserNotFound()
def index(self, req, tenant_id, instance_id, user_id):
"""Show permissions for the given user."""
LOG.info(_("Showing user access for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
# Make sure this user exists.
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error(_("No such user: %(user)s " % {'user': user}))
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
access = models.User.access(context, instance_id, username, hostname)
view = views.UserAccessView(access.databases)
return wsgi.Result(view.data(), 200)
def show(self, req, tenant_id, instance_id, id):
"""Return a single user."""
LOG.info(_("Showing a user for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
username, host = unquote_user_host(id)
user = None
try:
user = models.User.load(context, instance_id, username, host)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(msg=str(e))
if not user:
raise exception.UserNotFound(uuid=id)
view = views.UserView(user)
return wsgi.Result(view.data(), 200)
def root_delete(self, req, tenant_id, instance_id, is_cluster):
if is_cluster:
raise exception.ClusterOperationNotSupported(
operation='disable_root')
LOG.info(_LI("Disabling root for instance '%s'.") % instance_id)
LOG.info(_LI("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
try:
found_user = self._find_root_user(context, instance_id)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(msg=str(e))
if not found_user:
raise exception.UserNotFound(uuid="root")
models.Root.delete(context, instance_id)
return wsgi.Result(None, 200)
def delete(self, req, tenant_id, instance_id, user_id, id):
"""Revoke access for a user."""
LOG.info(_("Revoking user access for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error(_("No such user: %(user)s " % {'user': user}))
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
access = models.User.access(context, instance_id, username, hostname)
databases = [db.name for db in access.databases]
if id not in databases:
raise exception.DatabaseNotFound(uuid=id)
models.User.revoke(context, instance_id, username, hostname, id)
return wsgi.Result(None, 202)
def update(self, req, body, tenant_id, instance_id, id):
"""Change attributes for one user."""
LOG.info(_("Updating user attributes for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
username, hostname = unquote_user_host(id)
user = None
user_attrs = body['user']
try:
user = models.User.load(context, instance_id, username, hostname)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(msg=str(e))
if not user:
raise exception.UserNotFound(uuid=id)
models.User.update_attributes(context, instance_id, username, hostname,
user_attrs)
return wsgi.Result(None, 202)
def delete(self, req, tenant_id, instance_id, id):
LOG.info(_("Deleting user for instance '%s'") % instance_id)
LOG.info(_("req : '%s'\n\n") % req)
context = req.environ[wsgi.CONTEXT_KEY]
username, host = unquote_user_host(id)
user = None
try:
user = guest_models.MySQLUser()
user.name = username
user.host = host
found_user = models.User.load(context, instance_id, username, host)
if not found_user:
user = None
except (ValueError, AttributeError) as e:
raise exception.BadRequest(msg=str(e))
if not user:
raise exception.UserNotFound(uuid=id)
models.User.delete(context, instance_id, user.serialize())
return wsgi.Result(None, 202)
def index(self, req, tenant_id, instance_id, user_id):
"""Show permissions for the given user."""
LOG.info("Showing user access for instance '%(id)s'\n"
"req : '%(req)s'\n\n",
{"id": instance_id, "req": req})
context = req.environ[wsgi.CONTEXT_KEY]
self.authorize_target_action(
context, 'user_access:index', instance_id)
# Make sure this user exists.
user_id = correct_id_with_req(user_id, req)
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error("No such user: %(user)s ", {'user': user})
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
access = models.User.access(context, instance_id, username, hostname)
view = views.UserAccessView(access.databases)
return wsgi.Result(view.data(), 200)
def show(self, req, tenant_id, instance_id, id):
"""Return a single user."""
LOG.info("Showing a user for instance '%(id)s'\n"
"req : '%(req)s'\n\n",
{"id": instance_id, "req": req})
context = req.environ[wsgi.CONTEXT_KEY]
self.authorize_target_action(context, 'user:show', instance_id)
id = correct_id_with_req(id, req)
username, host = unquote_user_host(id)
user = None
try:
user = models.User.load(context, instance_id, username, host)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(_("User show error: %(e)s")
% {'e': e})
if not user:
raise exception.UserNotFound(uuid=id)
view = views.UserView(user)
return wsgi.Result(view.data(), 200)
def update_all(self, req, body, tenant_id, instance_id):
"""Change the password of one or more users."""
LOG.info(
_("Updating user password for instance '%(id)s'\n"
"req : '%(req)s'\n\n") % {
"id": instance_id,
"req": strutils.mask_password(req)
})
context = req.environ[wsgi.CONTEXT_KEY]
self.authorize_target_action(context, 'user:update_all', instance_id)
context.notification = notification.DBaaSUserChangePassword(
context, request=req)
users = body['users']
model_users = []
with StartNotification(context,
instance_id=instance_id,
username="******".join(
[user['name'] for user in users])):
for user in users:
try:
mu = guest_models.MySQLUser(name=user['name'],
host=user.get('host'),
password=user['password'])
found_user = models.User.load(context, instance_id,
mu.name, mu.host)
if not found_user:
user_and_host = mu.name
if mu.host:
user_and_host += '@' + mu.host
raise exception.UserNotFound(uuid=user_and_host)
model_users.append(mu)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(
_("Error loading user: %(e)s") % {'e': e})
try:
models.User.change_password(context, instance_id, model_users)
except (ValueError, AttributeError) as e:
raise exception.BadRequest(
_("User password update error: "
"%(e)s") % {'e': e})
return wsgi.Result(None, 202)
def update(self, req, body, tenant_id, instance_id, user_id):
"""Grant access for a user to one or more databases."""
LOG.info("Granting user access for instance '%(id)s'\n"
"req : '%(req)s'\n\n",
{"id": instance_id, "req": req})
context = req.environ[wsgi.CONTEXT_KEY]
self.authorize_target_action(
context, 'user_access:update', instance_id)
context.notification = notification.DBaaSUserGrant(
context, request=req)
user_id = correct_id_with_req(user_id, req)
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error("No such user: %(user)s ", {'user': user})
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
databases = [db['name'] for db in body['databases']]
with StartNotification(context, instance_id=instance_id,
username=username, database=databases):
models.User.grant(context, instance_id, username, hostname,
databases)
return wsgi.Result(None, 202)
def delete(self, req, tenant_id, instance_id, user_id, id):
"""Revoke access for a user."""
LOG.info("Revoking user access for instance '%(id)s'\n"
"req : '%(req)s'\n\n",
{"id": instance_id, "req": req})
context = req.environ[wsgi.CONTEXT_KEY]
self.authorize_target_action(
context, 'user_access:delete', instance_id)
context.notification = notification.DBaaSUserRevoke(
context, request=req)
user_id = correct_id_with_req(user_id, req)
user = self._get_user(context, instance_id, user_id)
if not user:
LOG.error("No such user: %(user)s ", {'user': user})
raise exception.UserNotFound(uuid=user)
username, hostname = unquote_user_host(user_id)
access = models.User.access(context, instance_id, username, hostname)
databases = [db.name for db in access.databases]
with StartNotification(context, instance_id=instance_id,
username=username, database=databases):
if id not in databases:
raise exception.DatabaseNotFound(uuid=id)
models.User.revoke(context, instance_id, username, hostname, id)
return wsgi.Result(None, 202)