def _update_project_quota(self, request, data, project_id):
disabled_quotas = quotas.get_disabled_quotas(request)
# Update the project quotas.
if api.base.is_service_enabled(request, 'compute'):
nova_data = {key: data[key] for key in
set(quotas.NOVA_QUOTA_FIELDS) - disabled_quotas}
nova.tenant_quota_update(request, project_id, **nova_data)
if cinder.is_volume_service_enabled(request):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
def _update_project_quota(self, request, data, project_id):
# Update the project quota.
nova_data = dict(
[(key, data[key]) for key in NOVA_QUOTA_FIELDS])
data['region_id'] = request.user.services_region
try:
nova.tenant_quota_update(request, project_id, region=data['region_id'], **nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
region=data['region_id'],
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
for key in NEUTRON_QUOTA_FIELDS:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
region=data['region_id'],
**neutron_data)
except Exception:
raise
exceptions.handle(request, _('Unable to set project quotas.'))
def _update_project_quota(self, request, data, project_id):
disabled_quotas = quotas.get_disabled_quotas(request)
# Update the project quotas.
if api.base.is_service_enabled(request, 'compute'):
nova_data = {
key: data[key]
for key in quotas.NOVA_QUOTA_FIELDS - disabled_quotas
}
if nova_data:
nova.tenant_quota_update(request, project_id, **nova_data)
if cinder.is_volume_service_enabled(request):
cinder_data = {
key: data[key]
for key in quotas.CINDER_QUOTA_FIELDS - disabled_quotas
}
if cinder_data:
cinder.tenant_quota_update(request, project_id, **cinder_data)
if (api.base.is_service_enabled(request, 'network')
and api.neutron.is_quotas_extension_supported(request)):
neutron_data = {
key: data[key]
for key in quotas.NEUTRON_QUOTA_FIELDS - disabled_quotas
}
if neutron_data:
api.neutron.tenant_quota_update(request, project_id,
**neutron_data)
def _update_project_quota(self, request, data, project_id):
# update the project quota
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
return True
except Exception:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return False
def _update_project_quota(self, request, data, project_id):
# Update the project quota.
nova_data = dict([(key, data[key])
for key in quotas.NOVA_QUOTA_FIELDS])
if is_m1_user_admin(self.request):
tenant_quota_update_nova(request, project_id, **nova_data)
else:
nova.tenant_quota_update(request, project_id, **nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key])
for key in quotas.CINDER_QUOTA_FIELDS])
if is_m1_user_admin(self.request):
tenant_quota_update_cinder(request, project_id, **cinder_data)
else:
cinder.tenant_quota_update(request, project_id, **cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
if is_m1_user_admin(self.request):
tenant_quota_update_neutron(request, project_id,
**neutron_data)
else:
api.neutron.tenant_quota_update(request, project_id,
**neutron_data)
def _update_project_quota(self, request, data, project_id):
# Update the project quota.
enabled_quota_groups = getattr(settings, 'ENABLED_QUOTA_GROUPS', {})
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
if enabled_quota_groups.get('nova', True):
nova.tenant_quota_update(request, project_id, **nova_data)
if enabled_quota_groups.get('cinder', True):
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if enabled_quota_groups.get('neutron', True):
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
except Exception:
exceptions.handle(request, _('Unable to set project quotas.'))
def _update_project_quota(self, request, data, project_id):
disabled_quotas = quotas.get_disabled_quotas(request)
# Update the project quotas.
if api.base.is_service_enabled(request, 'compute'):
nova_data = {key: data[key] for key in
set(quotas.NOVA_QUOTA_FIELDS) - disabled_quotas}
nova.tenant_quota_update(request, project_id, **nova_data)
if cinder.is_volume_service_enabled(request):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
def _update_project_quota(self, request, data, project_id):
# update the project quota
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
return True
except Exception:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return False
def handle(self, request, data):
# create the project
domain_context = self.request.session.get('domain_context', None)
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
name=data['name'],
description=desc,
enabled=data['enabled'],
domain=domain_context)
except Exception:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
exceptions.handle(request, _('Failed to add %s project members '
'and set project quotas.')
% users_to_add)
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
except Exception:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
# create the project
domain_context = self.request.session.get('domain_context', None)
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
name=data['name'],
description=desc,
enabled=data['enabled'],
domain=domain_context)
except:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
# count how many users are to be added
for role in available_roles:
role_list = data["role_" + role.id]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except:
exceptions.handle(
request,
_('Failed to add %s project members '
'and set project quotas.' % users_to_add))
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key])
for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
except:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
# create the project
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
tenant_name=data['name'],
description=desc,
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
# count how many users are to be added
for role in available_roles:
role_list = data["role_" + role.id]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user,
role_id=role.id)
users_added += 1
users_to_add -= users_added
except:
exceptions.handle(request, _('Failed to add %s project members '
'and set project quotas.'
% users_to_add))
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
except:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def _update_project_quota(self, request, data, project_id):
disabled_quotas = quotas.get_disabled_quotas(request)
# Update the project quotas.
if api.base.is_service_enabled(request, 'compute'):
nova_data = {key: data[key] for key in
quotas.NOVA_QUOTA_FIELDS - disabled_quotas}
if nova_data:
nova.tenant_quota_update(request, project_id, **nova_data)
if cinder.is_volume_service_enabled(request):
cinder_data = {key: data[key] for key in
quotas.CINDER_QUOTA_FIELDS - disabled_quotas}
if cinder_data:
cinder.tenant_quota_update(request, project_id, **cinder_data)
if (api.base.is_service_enabled(request, 'network') and
api.neutron.is_quotas_extension_supported(request)):
neutron_data = {key: data[key] for key in
quotas.NEUTRON_QUOTA_FIELDS - disabled_quotas}
if neutron_data:
api.neutron.tenant_quota_update(request, project_id,
**neutron_data)
def handle(self, request, data):
project_id = data["project_id"]
# update project info
try:
api.keystone.tenant_update(
request,
tenant_id=project_id,
tenant_name=data["name"],
description=data["description"],
enabled=data["enabled"],
)
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
available_roles = api.keystone.role_list(request)
project_members = api.keystone.user_list(request, tenant_id=project_id)
users_to_modify = len(project_members)
for user in project_members:
current_roles = [role for role in api.keystone.roles_for_user(self.request, user.id, project_id)]
effective_roles = []
for role in available_roles:
role_list = data["role_" + role.id]
if user.id in role_list:
effective_roles.append(role)
if role not in current_roles:
# user role has changed
api.keystone.add_tenant_user_role(
request, tenant_id=project_id, user_id=user.id, role_id=role.id
)
else:
# user role is unchanged
current_roles.pop(current_roles.index(role))
if (
user.id == request.user.id
and project_id == request.user.tenant_id
and any(x.name == "admin" for x in current_roles)
):
# Cannot remove "admin" role on current(admin) project
msg = _(
'You cannot remove the "admin" role from the '
"project you are currently logged into. Please "
"switch to another project with admin permissions "
"or remove the role manually via the CLI"
)
messages.warning(request, msg)
else:
# delete user's removed roles
for to_delete in current_roles:
api.keystone.remove_tenant_user_role(
request, tenant_id=project_id, user_id=user.id, role_id=to_delete.id
)
users_to_modify -= 1
# add new roles to project
for role in available_roles:
# count how many users may be added for exception handling
role_list = data["role_" + role.id]
users_to_modify += len(role_list)
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user_id in role_list:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(
request, tenant_id=project_id, user_id=user_id, role_id=role.id
)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(
request, _("Failed to modify %s project members " "and update project quotas." % users_to_modify)
)
return True
# update the project quota
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, "volume"):
cinder_data = dict([(key, data[key]) for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
# jt
# Update the image quota. Default quota is hard-coded. should be fixed.
# Unfortunately these quotas values are always written when quotas are
# changed as we don't have access to the pre-existing values.
api.jt.set_image_quota(project_id, data["images"])
api.jt.set_expiration_date(project_id, data["expiration"])
api.jt.set_start_date(project_id, data["start_date"])
api.jt.set_dair_notice(project_id, data["dair_notice"])
api.jt.set_object_mb_quota(project_id, data["object_mb"])
api.jt.set_reseller_logo(project_id, data["reseller_logo"])
return True
except:
exceptions.handle(
request, _("Modified project information and " "members, but unable to modify " "project quotas.")
)
return True
def handle(self, request, data):
# FIXME(gabriel): This should be refactored to use Python's built-in
# sets and do this all in a single "roles to add" and "roles to remove"
# pass instead of the multi-pass thing happening now.
project_id = data['project_id']
domain_id = ''
# update project info
try:
project = api.keystone.tenant_update(
request,
project_id,
name=data['name'],
description=data['description'],
enabled=data['enabled'])
# Use the domain_id from the project if available
domain_id = getattr(project, "domain_id", None)
except Exception:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
# Project-user member step
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
try:
# Get our role options
available_roles = api.keystone.role_list(request)
# Get the users currently associated with this project so we
# can diff against it.
project_members = api.keystone.user_list(request,
project=project_id)
users_to_modify = len(project_members)
for user in project_members:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_user(self.request,
user.id,
project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Check if the user is in the list of users with this role.
if user.id in data[field_name]:
# Add it if necessary
if role.id not in current_role_ids:
# user role has changed
api.keystone.add_tenant_user_role(
request,
project=project_id,
user=user.id,
role=role.id)
else:
# User role is unchanged, so remove it from the
# remaining roles list to avoid removing it later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Prevent admins from doing stupid things to themselves.
is_current_user = user.id == request.user.id
is_current_project = project_id == request.user.tenant_id
admin_roles = [role for role in current_roles
if role.name.lower() == 'admin']
if len(admin_roles):
removing_admin = any([role.id in current_role_ids
for role in admin_roles])
else:
removing_admin = False
if is_current_user and is_current_project and removing_admin:
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot revoke your administrative privileges '
'from the project you are currently logged into. '
'Please switch to another project with '
'administrative privileges or remove the '
'administrative role manually via the CLI.')
messages.warning(request, msg)
# Otherwise go through and revoke any removed roles.
else:
for id_to_delete in current_role_ids:
api.keystone.remove_tenant_user_role(
request,
project=project_id,
user=user.id,
role=id_to_delete)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many users may be added for exception handling.
users_to_modify += len(data[field_name])
for role in available_roles:
users_added = 0
field_name = member_step.get_member_field_name(role.id)
for user_id in data[field_name]:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", update project groups")
else:
group_msg = ""
exceptions.handle(request,
_('Failed to modify %(users_to_modify)s'
' project members%(group_msg)s and '
'update project quotas.')
% {'users_to_modify': users_to_modify,
'group_msg': group_msg})
return False
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_modify = 0
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
try:
# Get the groups currently associated with this project so we
# can diff against it.
project_groups = api.keystone.group_list(request,
domain=domain_id,
project=project_id)
groups_to_modify = len(project_groups)
for group in project_groups:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_group(
self.request,
group=group.id,
project=project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
# Check if the group is in the list of groups with
# this role.
field_name = member_step.get_member_field_name(role.id)
if group.id in data[field_name]:
# Add it if necessary
if role.id not in current_role_ids:
# group role has changed
api.keystone.add_group_role(
request,
role=role.id,
group=group.id,
project=project_id)
else:
# Group role is unchanged, so remove it from
# the remaining roles list to avoid removing it
# later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Revoke any removed roles.
for id_to_delete in current_role_ids:
api.keystone.remove_group_role(request,
role=id_to_delete,
group=group.id,
project=project_id)
groups_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many groups may be added for error handling.
groups_to_modify += len(data[field_name])
for role in available_roles:
groups_added = 0
field_name = member_step.get_member_field_name(role.id)
for group_id in data[field_name]:
if not filter(lambda x: group_id == x.id,
project_groups):
api.keystone.add_group_role(request,
role=role.id,
group=group_id,
project=project_id)
groups_added += 1
groups_to_modify -= groups_added
except Exception:
exceptions.handle(request,
_('Failed to modify %s project '
'members, update project groups '
'and update project quotas.')
% groups_to_modify)
return False
# update the project quota
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
return True
except Exception:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return False
def handle(self, request, data):
# create the project
domain_id = data['domain_id']
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
name=data['name'],
description=desc,
enabled=data['enabled'],
domain=domain_id)
except Exception:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(request,
_('Failed to add %(users_to_add)s project '
'members%(group_msg)s and set project quotas.')
% {'users_to_add': users_to_add,
'group_msg': group_msg})
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
# count how many groups are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_to_add += len(role_list)
# add new groups to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_added = 0
for group in role_list:
api.keystone.add_group_role(request,
role=role.id,
group=group,
project=project_id)
groups_added += 1
groups_to_add -= groups_added
except Exception:
exceptions.handle(request,
_('Failed to add %s project groups '
'and update project quotas.')
% groups_to_add)
# Update the project quota.
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
except Exception:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
# create the project
try:
desc = data["description"]
self.object = api.keystone.tenant_create(
request, tenant_name=data["name"], description=desc, enabled=data["enabled"]
)
except:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
# count how many users are to be added
for role in available_roles:
role_list = data["role_" + role.id]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request, tenant_id=project_id, user_id=user, role_id=role.id)
users_added += 1
users_to_add -= users_added
# jt
# Make sure admin is added to the project as a ResellerAdmin
users = api.keystone.user_list(request)
admin_id = [user.id for user in users if user.name == "admin"][0]
reseller_admin_role_id = [role.id for role in available_roles if role.name == "ResellerAdmin"][0]
api.keystone.add_tenant_user_role(
request, tenant_id=project_id, user_id=admin_id, role_id=reseller_admin_role_id
)
except:
exceptions.handle(request, _("Failed to add %s project members " "and set project quotas." % users_to_add))
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, "volume"):
cinder_data = dict([(key, data[key]) for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
# jt
# Update the custom quotas
if data["images"] != 5:
api.jt.set_image_quota(project_id, data["images"])
if data["expiration"] != "Information not available.":
api.jt.set_expiration_date(project_id, data["expiration"])
if data["start_date"] != "Information not available.":
api.jt.set_start_date(project_id, data["start_date"])
if data["dair_notice"] != "Information not available.":
api.jt.set_dair_notice(project_id, data["dair_notice"])
if data["object_mb"] != 204800:
api.jt.set_object_mb_quota(project_id, data["object_mb"])
if data["reseller_logo"] != "Information not available.":
api.jt.set_reseller_logo(project_id, data["reseller_logo"])
except:
exceptions.handle(request, _("Unable to set project quotas."))
return True
def handle(self, request, data):
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
tenant_id=project_id,
tenant_name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
available_roles = api.keystone.role_list(request)
project_members = api.keystone.user_list(request,
tenant_id=project_id)
users_to_modify = len(project_members)
for user in project_members:
current_roles = [
role for role in api.keystone.roles_for_user(
self.request, user.id, project_id)
]
effective_roles = []
for role in available_roles:
role_list = data["role_" + role.id]
if user.id in role_list:
effective_roles.append(role)
if role not in current_roles:
# user role has changed
api.keystone.add_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=role.id)
else:
# user role is unchanged
current_roles.pop(current_roles.index(role))
if user.id == request.user.id and \
project_id == request.user.tenant_id and \
any(x.name == 'admin' for x in current_roles):
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot remove the "admin" role from the '
'project you are currently logged into. Please '
'switch to another project with admin permissions '
'or remove the role manually via the CLI')
messages.warning(request, msg)
else:
# delete user's removed roles
for to_delete in current_roles:
api.keystone.remove_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=to_delete.id)
users_to_modify -= 1
# add new roles to project
for role in available_roles:
# count how many users may be added for exception handling
role_list = data["role_" + role.id]
users_to_modify += len(role_list)
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user_id in role_list:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user_id,
role_id=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(
request,
_('Failed to modify %s project members '
'and update project quotas.' % users_to_modify))
return True
# update the project quota
ifcb = data['injected_file_content_bytes']
try:
# TODO(gabriel): Once nova-volume is fully deprecated the
# "volumes" and "gigabytes" quotas should no longer be sent to
# the nova API to be updated anymore.
nova.tenant_quota_update(
request,
project_id,
metadata_items=data['metadata_items'],
injected_file_content_bytes=ifcb,
volumes=data['volumes'],
gigabytes=data['gigabytes'],
ram=data['ram'],
floating_ips=data['floating_ips'],
instances=data['instances'],
injected_files=data['injected_files'],
cores=data['cores'],
security_groups=data['security_groups'],
security_group_rules=data['security_group_rules'])
if is_service_enabled(request, 'volume'):
cinder.tenant_quota_update(request,
project_id,
volumes=data['volumes'],
gigabytes=data['gigabytes'])
return True
except:
exceptions.handle(
request,
_('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def handle(self, request, data):
# create the project
domain_context = self.request.session.get("domain_context", None)
try:
desc = data["description"]
self.object = api.keystone.tenant_create(
request, name=data["name"], description=desc, enabled=data["enabled"], domain=domain_context
)
except Exception:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request, project=project_id, user=user, role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(
request,
_("Failed to add %(users_to_add)s " "project members%(group_msg)s and " "set project quotas.")
% {"users_to_add": users_to_add, "group_msg": group_msg},
)
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
# count how many groups are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_to_add += len(role_list)
# add new groups to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_added = 0
for group in role_list:
api.keystone.add_group_role(request, role=role.id, group=group, project=project_id)
groups_added += 1
groups_to_add -= groups_added
except Exception:
exceptions.handle(
request, _("Failed to add %s project groups " "and update project quotas." % groups_to_add)
)
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, "volume"):
cinder_data = dict([(key, data[key]) for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
except Exception:
exceptions.handle(request, _("Unable to set project quotas."))
return True
def handle(self, request, data):
# FIXME(gabriel): This should be refactored to use Python's built-in
# sets and do this all in a single "roles to add" and "roles to remove"
# pass instead of the multi-pass thing happening now.
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
project_id,
name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
# Get our role options
available_roles = api.keystone.role_list(request)
# Get the users currently associated with this project so we
# can diff against it.
project_members = api.keystone.user_list(request,
project=project_id)
users_to_modify = len(project_members)
for user in project_members:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_user(
self.request, user.id, project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
# Check if the user is in the list of users with this role.
if user.id in data["role_" + role.id]:
# Add it if necessary
if role.id not in current_role_ids:
# user role has changed
api.keystone.add_tenant_user_role(
request,
project=project_id,
user=user.id,
role=role.id)
else:
# User role is unchanged, so remove it from the
# remaining roles list to avoid removing it later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Prevent admins from doing stupid things to themselves.
is_current_user = user.id == request.user.id
is_current_project = project_id == request.user.tenant_id
admin_roles = [
role for role in current_roles
if role.name.lower() == 'admin'
]
if len(admin_roles):
removing_admin = any(
[role.id in current_role_ids for role in admin_roles])
else:
removing_admin = False
if is_current_user and is_current_project and removing_admin:
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot revoke your administrative privileges '
'from the project you are currently logged into. '
'Please switch to another project with '
'administrative privileges or remove the '
'administrative role manually via the CLI.')
messages.warning(request, msg)
# Otherwise go through and revoke any removed roles.
else:
for id_to_delete in current_role_ids:
api.keystone.remove_tenant_user_role(
request,
project=project_id,
user=user.id,
role=id_to_delete)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
# Count how many users may be added for exception handling.
users_to_modify += len(data["role_" + role.id])
for role in available_roles:
users_added = 0
for user_id in data["role_" + role.id]:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(
request,
_('Failed to modify %s project members '
'and update project quotas.' % users_to_modify))
return True
# update the project quota
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key])
for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
return True
except:
exceptions.handle(
request,
_('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def handle(self, request, data):
# FIXME(gabriel): This should be refactored to use Python's built-in
# sets and do this all in a single "roles to add" and "roles to remove"
# pass instead of the multi-pass thing happening now.
project_id = data['project_id']
domain_id = ''
# update project info
try:
project = api.keystone.tenant_update(
request,
project_id,
name=data['name'],
description=data['description'],
enabled=data['enabled'])
# Use the domain_id from the project if available
domain_id = getattr(project, "domain_id", None)
except Exception:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
# Project-user member step
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
try:
# Get our role options
available_roles = api.keystone.role_list(request)
# Get the users currently associated with this project so we
# can diff against it.
project_members = api.keystone.user_list(request,
project=project_id)
users_to_modify = len(project_members)
for user in project_members:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_user(self.request,
user.id,
project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Check if the user is in the list of users with this role.
if user.id in data[field_name]:
# Add it if necessary
if role.id not in current_role_ids:
# user role has changed
api.keystone.add_tenant_user_role(
request,
project=project_id,
user=user.id,
role=role.id)
else:
# User role is unchanged, so remove it from the
# remaining roles list to avoid removing it later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Prevent admins from doing stupid things to themselves.
is_current_user = user.id == request.user.id
is_current_project = project_id == request.user.tenant_id
admin_roles = [role for role in current_roles
if role.name.lower() == 'admin']
if len(admin_roles):
removing_admin = any([role.id in current_role_ids
for role in admin_roles])
else:
removing_admin = False
if is_current_user and is_current_project and removing_admin:
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot revoke your administrative privileges '
'from the project you are currently logged into. '
'Please switch to another project with '
'administrative privileges or remove the '
'administrative role manually via the CLI.')
messages.warning(request, msg)
# Otherwise go through and revoke any removed roles.
else:
for id_to_delete in current_role_ids:
api.keystone.remove_tenant_user_role(
request,
project=project_id,
user=user.id,
role=id_to_delete)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many users may be added for exception handling.
users_to_modify += len(data[field_name])
for role in available_roles:
users_added = 0
field_name = member_step.get_member_field_name(role.id)
for user_id in data[field_name]:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", update project groups")
else:
group_msg = ""
exceptions.handle(request, _('Failed to modify %(users_to_modify)s'
' project members%(group_msg)s and '
'update project quotas.')
% {'users_to_modify': users_to_modify,
'group_msg': group_msg})
return False
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_modify = 0
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
try:
# Get the groups currently associated with this project so we
# can diff against it.
project_groups = api.keystone.group_list(request,
domain=domain_id,
project=project_id)
groups_to_modify = len(project_groups)
for group in project_groups:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_group(
self.request,
group=group.id,
project=project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
# Check if the group is in the list of groups with
# this role.
field_name = member_step.get_member_field_name(role.id)
if group.id in data[field_name]:
# Add it if necessary
if role.id not in current_role_ids:
# group role has changed
api.keystone.add_group_role(
request,
role=role.id,
group=group.id,
project=project_id)
else:
# Group role is unchanged, so remove it from
# the remaining roles list to avoid removing it
# later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Revoke any removed roles.
for id_to_delete in current_role_ids:
api.keystone.remove_group_role(request,
role=id_to_delete,
group=group.id,
project=project_id)
groups_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many groups may be added for error handling.
groups_to_modify += len(data[field_name])
for role in available_roles:
groups_added = 0
field_name = member_step.get_member_field_name(role.id)
for group_id in data[field_name]:
if not filter(lambda x: group_id == x.id,
project_groups):
api.keystone.add_group_role(request,
role=role.id,
group=group_id,
project=project_id)
groups_added += 1
groups_to_modify -= groups_added
except Exception:
exceptions.handle(request, _('Failed to modify %s project '
'members, update project groups '
'and update project quotas.'
% groups_to_modify))
return False
# update the project quota
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
return True
except Exception:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return False
def handle(self, request, data):
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
tenant_id=project_id,
tenant_name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
available_roles = api.keystone.role_list(request)
project_members = api.keystone.user_list(request,
tenant_id=project_id)
users_to_modify = len(project_members)
for user in project_members:
current_roles = [role for role in
api.keystone.roles_for_user(self.request,
user.id,
project_id)]
effective_roles = []
for role in available_roles:
role_list = data["role_" + role.id]
if user.id in role_list:
effective_roles.append(role)
if role not in current_roles:
# user role has changed
api.keystone.add_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=role.id)
else:
# user role is unchanged
current_roles.pop(current_roles.index(role))
if user.id == request.user.id and \
project_id == request.user.tenant_id and \
any(x.name == 'admin' for x in current_roles):
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot remove the "admin" role from the '
'project you are currently logged into. Please '
'switch to another project with admin permissions '
'or remove the role manually via the CLI')
messages.warning(request, msg)
else:
# delete user's removed roles
for to_delete in current_roles:
api.keystone.remove_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=to_delete.id)
users_to_modify -= 1
# add new roles to project
for role in available_roles:
# count how many users may be added for exception handling
role_list = data["role_" + role.id]
users_to_modify += len(role_list)
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user_id in role_list:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user_id,
role_id=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(request, _('Failed to modify %s project members '
'and update project quotas.'
% users_to_modify))
return True
# update the project quota
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
return True
except:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def handle(self, request, data):
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
tenant_id=project_id,
tenant_name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
available_roles = api.keystone.role_list(request)
project_members = api.keystone.user_list(request,
tenant_id=project_id)
users_to_modify = len(project_members)
for user in project_members:
current_roles = [
role for role in api.keystone.roles_for_user(
self.request, user.id, project_id)
]
effective_roles = []
for role in available_roles:
role_list = data["role_" + role.id]
if user.id in role_list:
effective_roles.append(role)
if role not in current_roles:
# user role has changed
api.keystone.add_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=role.id)
else:
# user role is unchanged
current_roles.pop(current_roles.index(role))
if user.id == request.user.id and \
project_id == request.user.tenant_id and \
any(x.name == 'admin' for x in current_roles):
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot remove the "admin" role from the '
'project you are currently logged into. Please '
'switch to another project with admin permissions '
'or remove the role manually via the CLI')
messages.warning(request, msg)
else:
# delete user's removed roles
for to_delete in current_roles:
api.keystone.remove_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=to_delete.id)
users_to_modify -= 1
# add new roles to project
for role in available_roles:
# count how many users may be added for exception handling
role_list = data["role_" + role.id]
users_to_modify += len(role_list)
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user_id in role_list:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user_id,
role_id=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(
request,
_('Failed to modify %s project members '
'and update project quotas.' % users_to_modify))
return True
# update the project quota
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key])
for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
return True
except:
exceptions.handle(
request,
_('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def setup_new_project(request, project_id, project_name, data):
unit_id = data.get('unit', None)
cloud_table = getattr(settings, 'UNIT_TABLE', {})
if not unit_id or not unit_id in cloud_table:
return
unit_data = cloud_table[unit_id]
prj_cname = re.sub(r'\s+', "-", project_name)
flow_step = 0
try:
cinder_params = dict()
for pkey, pvalue in unit_data.items():
if pkey == 'quota_total':
cinder_params['gigabytes'] = pvalue
elif pkey == 'quota_per_volume':
cinder_params['per_volume_gigabytes'] = pvalue
elif pkey.startswith('quota_'):
cinder_params['gigabytes_' + pkey[6:]] = pvalue
if len(cinder_params):
cinder_api.tenant_quota_update(request, project_id, **cinder_params)
except:
LOG.error("Cannot setup project quota", exc_info=True)
messages.error(request, _("Cannot setup project quota"))
try:
hyper_list = unit_data.get('hypervisors', [])
if len(hyper_list):
agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname)
avail_zone = unit_data.get('availability_zone', 'nova')
new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone)
flow_step += 1
for h_item in hyper_list:
nova_api.add_host_to_aggregate(request, new_aggr.id, h_item)
flow_step += 1
all_md = { 'filter_tenant_id' : project_id }
all_md.update(unit_data.get('metadata', {}))
nova_api.aggregate_set_metadata(request, new_aggr.id, all_md)
flow_step = 0
except:
if flow_step == 0:
err_msg = _("Cannot create host aggregate")
elif flow_step == 1:
err_msg = _("Cannot insert hypervisor in aggregate")
else:
err_msg = _("Cannot set metadata for aggregate")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
subnet_cidr = data['%s-net' % unit_id]
prj_lan_name = "%s-lan" % prj_cname
prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name)
flow_step += 1
net_args = {
'cidr' : subnet_cidr,
'ip_version' : 4,
'dns_nameservers' : unit_data.get('nameservers', []),
'enable_dhcp' : True,
'tenant_id' : project_id,
'name' : "sub-%s-lan" % prj_cname
}
prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args)
flow_step += 1
if 'lan_router' in unit_data:
neutron_api.router_add_interface(request, unit_data['lan_router'],
subnet_id=prj_sub['id'])
flow_step = 0
except:
if flow_step == 0:
err_msg = _("Cannot create network")
elif flow_step == 1:
err_msg = _("Cannot create sub-network")
else:
err_msg = _("Cannot add interface to router")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
subnet_cidr = data['%s-net' % unit_id]
def_sec_group = None
for sg_item in neutron_api.security_group_list(request, tenant_id=project_id):
if sg_item['name'].lower() == 'default':
def_sec_group = sg_item['id']
LOG.info("Found default security group %s" % def_sec_group)
break
flow_step += 1
sg_client = neutron_api.SecurityGroupManager(request).client
if not def_sec_group:
sg_params = {
'name': 'default',
'description': 'Default Security Group for ' + project_name,
'tenant_id': project_id
}
secgroup = sg_client.create_security_group({ 'security_group' : sg_params })
def_sec_group = SecurityGroup(secgroup.get('security_group'))
flow_step += 1
#
# Workaround: the tenant_id cannot be specified through high level API
#
port22_params = {
'security_group_id': def_sec_group,
'direction': 'ingress',
'ethertype': 'IPv4',
'protocol': 'tcp',
'port_range_min': 22,
'port_range_max': 22,
'remote_ip_prefix': subnet_cidr,
'tenant_id' : project_id
}
icmp_params = {
'security_group_id': def_sec_group,
'direction': 'ingress',
'ethertype': 'IPv4',
'protocol': 'icmp',
'remote_ip_prefix': subnet_cidr,
'tenant_id' : project_id
}
sg_client.create_security_group_rule({'security_group_rule': port22_params})
sg_client.create_security_group_rule({'security_group_rule': icmp_params})
except:
if flow_step == 0:
err_msg = _("Cannot retrieve default security group")
elif flow_step == 1:
err_msg = _("Cannot create default security group")
else:
err_msg = _("Cannot insert basic rules")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
new_tags = list()
new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other'))
if '%s-ou' % unit_id in data:
new_tags.append(OU_TAG_FMT % data['%s-ou' % unit_id])
kclient = keystone_api.keystoneclient(request)
kclient.projects.update_tags(project_id, new_tags)
except:
LOG.error("Cannot add organization tags", exc_info=True)
messages.error(request, _("Cannot add organization tags"))
def handle(self, request, data):
# create the project
domain_id = data['domain_id']
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
name=data['name'],
description=desc,
enabled=data['enabled'],
domain=domain_id)
except Exception:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
# jt
# Make sure admin is added to the project as a ResellerAdmin
users = api.keystone.user_list(request)
admin_id = [user.id for user in users if user.name == 'admin'][0]
reseller_admin_role_id = [role.id for role in available_roles if role.name == 'ResellerAdmin'][0]
api.keystone.add_tenant_user_role(request,
project=project_id,
user=admin_id,
role=reseller_admin_role_id)
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(request, _('Failed to add %(users_to_add)s '
'project members%(group_msg)s and '
'set project quotas.')
% {'users_to_add': users_to_add,
'group_msg': group_msg})
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
# count how many groups are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_to_add += len(role_list)
# add new groups to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_added = 0
for group in role_list:
api.keystone.add_group_role(request,
role=role.id,
group=group,
project=project_id)
groups_added += 1
groups_to_add -= groups_added
except Exception:
exceptions.handle(request, _('Failed to add %s project groups '
'and update project quotas.'
% groups_to_add))
# Update the project quota.
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = dict([(key, data[key]) for key in
quotas.NEUTRON_QUOTA_FIELDS])
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
# jt
if data['images'] != 5:
api.jt.set_image_quota(project_id, data['images'])
if data['expiration'] != 'Information not available.':
api.jt.set_expiration_date(project_id, data['expiration'])
if data['start_date'] != 'Information not available.':
api.jt.set_start_date(project_id, data['start_date'])
if data['dair_notice'] != '':
api.jt.set_dair_notice(project_id, data['dair_notice'])
if data['dair_notice_link'] != '':
api.jt.set_dair_notice_link(project_id, data['dair_notice_link'])
if data['object_mb'] != 204800:
api.jt.set_object_mb_quota(project_id, data['object_mb'])
if data['reseller_logo'] != 'Information not available.':
api.jt.set_reseller_logo(project_id, data['reseller_logo'])
except Exception:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
# create the project
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
tenant_name=data['name'],
description=desc,
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
# count how many users are to be added
for role in available_roles:
role_list = data["role_" + role.id]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user,
role_id=role.id)
users_added += 1
users_to_add -= users_added
# jt
# Make sure admin is added to the project as a ResellerAdmin
users = api.keystone.user_list(request)
admin_id = [user.id for user in users if user.name == 'admin'][0]
reseller_admin_role_id = [
role.id for role in available_roles
if role.name == 'ResellerAdmin'
][0]
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=admin_id,
role_id=reseller_admin_role_id)
except:
exceptions.handle(
request,
_('Failed to add %s project members '
'and set project quotas.' % users_to_add))
# Update the project quota.
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key])
for key in CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request, project_id, **cinder_data)
# jt
# Update the custom quotas
if data['images'] != 5:
api.jt.set_image_quota(project_id, data['images'])
if data['expiration'] != 'Information not available.':
api.jt.set_expiration_date(project_id, data['expiration'])
if data['start_date'] != 'Information not available.':
api.jt.set_start_date(project_id, data['start_date'])
if data['dair_notice'] != 'Information not available.':
api.jt.set_dair_notice(project_id, data['dair_notice'])
if data['object_mb'] != 204800:
api.jt.set_object_mb_quota(project_id, data['object_mb'])
if data['reseller_logo'] != 'Information not available.':
api.jt.set_reseller_logo(project_id, data['reseller_logo'])
except:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
# FIXME(gabriel): This should be refactored to use Python's built-in
# sets and do this all in a single "roles to add" and "roles to remove"
# pass instead of the multi-pass thing happening now.
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
project_id,
name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
# Get our role options
available_roles = api.keystone.role_list(request)
# Get the users currently associated with this project so we
# can diff against it.
project_members = api.keystone.user_list(request,
project=project_id)
users_to_modify = len(project_members)
for user in project_members:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_user(self.request,
user.id,
project_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
# Check if the user is in the list of users with this role.
if user.id in data["role_" + role.id]:
# Add it if necessary
if role.id not in current_role_ids:
# user role has changed
api.keystone.add_tenant_user_role(
request,
project=project_id,
user=user.id,
role=role.id)
else:
# User role is unchanged, so remove it from the
# remaining roles list to avoid removing it later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Prevent admins from doing stupid things to themselves.
is_current_user = user.id == request.user.id
is_current_project = project_id == request.user.tenant_id
admin_roles = [role for role in current_roles
if role.name.lower() == 'admin']
if len(admin_roles):
removing_admin = any([role.id in current_role_ids
for role in admin_roles])
else:
removing_admin = False
if is_current_user and is_current_project and removing_admin:
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot revoke your administrative privileges '
'from the project you are currently logged into. '
'Please switch to another project with '
'administrative privileges or remove the '
'administrative role manually via the CLI.')
messages.warning(request, msg)
# Otherwise go through and revoke any removed roles.
else:
for id_to_delete in current_role_ids:
api.keystone.remove_tenant_user_role(
request,
project=project_id,
user=user.id,
role=id_to_delete)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
# Count how many users may be added for exception handling.
users_to_modify += len(data["role_" + role.id])
for role in available_roles:
users_added = 0
for user_id in data["role_" + role.id]:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(request, _('Failed to modify %s project members '
'and update project quotas.'
% users_to_modify))
return True
# update the project quota
nova_data = dict([(key, data[key]) for key in NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request,
project_id,
**nova_data)
if is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
return True
except:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def _tenant_quota_update(self, request, project_id, data):
cinder.tenant_quota_update(request, project_id, **data)
def handle(self, request, data):
# create the project
domain_id = data['domain_id']
try:
desc = data['description']
self.object = api.keystone.tenant_create(request,
name=data['name'],
description=desc,
enabled=data['enabled'],
domain=domain_id)
except Exception:
exceptions.handle(request, ignore=True)
return False
project_id = self.object.id
# update project members
users_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_USER_MEMBER_SLUG)
# count how many users are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_to_add += len(role_list)
# add new users to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
users_added = 0
for user in role_list:
api.keystone.add_tenant_user_role(request,
project=project_id,
user=user,
role=role.id)
users_added += 1
users_to_add -= users_added
except Exception:
if PROJECT_GROUP_ENABLED:
group_msg = _(", add project groups")
else:
group_msg = ""
exceptions.handle(request, _('Failed to add %(users_to_add)s '
'project members%(group_msg)s and '
'set project quotas.')
% {'users_to_add': users_to_add,
'group_msg': group_msg})
if PROJECT_GROUP_ENABLED:
# update project groups
groups_to_add = 0
try:
available_roles = api.keystone.role_list(request)
member_step = self.get_step(PROJECT_GROUP_MEMBER_SLUG)
# count how many groups are to be added
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_to_add += len(role_list)
# add new groups to project
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
role_list = data[field_name]
groups_added = 0
for group in role_list:
api.keystone.add_group_role(request,
role=role.id,
group=group,
project=project_id)
groups_added += 1
groups_to_add -= groups_added
except Exception:
exceptions.handle(request, _('Failed to add %s project groups '
'and update project quotas.'
% groups_to_add))
# Update the project quota.
nova_data = dict(
[(key, data[key]) for key in quotas.NOVA_QUOTA_FIELDS])
try:
nova.tenant_quota_update(request, project_id, **nova_data)
if base.is_service_enabled(request, 'volume'):
cinder_data = dict([(key, data[key]) for key in
quotas.CINDER_QUOTA_FIELDS])
cinder.tenant_quota_update(request,
project_id,
**cinder_data)
if api.base.is_service_enabled(request, 'network') and \
api.neutron.is_quotas_extension_supported(request):
neutron_data = {}
disabled_quotas = quotas.get_disabled_quotas(request)
for key in quotas.NEUTRON_QUOTA_FIELDS:
if key not in disabled_quotas:
neutron_data[key] = data[key]
api.neutron.tenant_quota_update(request,
project_id,
**neutron_data)
except Exception:
exceptions.handle(request, _('Unable to set project quotas.'))
return True
def handle(self, request, data):
project_id = data['project_id']
# update project info
try:
api.keystone.tenant_update(request,
tenant_id=project_id,
tenant_name=data['name'],
description=data['description'],
enabled=data['enabled'])
except:
exceptions.handle(request, ignore=True)
return False
# update project members
users_to_modify = 0
try:
available_roles = api.keystone.role_list(request)
project_members = api.keystone.user_list(request,
tenant_id=project_id)
users_to_modify = len(project_members)
for user in project_members:
current_roles = [role for role in
api.keystone.roles_for_user(self.request,
user.id,
project_id)]
effective_roles = []
for role in available_roles:
role_list = data["role_" + role.id]
if user.id in role_list:
effective_roles.append(role)
if role not in current_roles:
# user role has changed
api.keystone.add_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=role.id)
else:
# user role is unchanged
current_roles.pop(current_roles.index(role))
if user.id == request.user.id and \
project_id == request.user.tenant_id and \
any(x.name == 'admin' for x in current_roles):
# Cannot remove "admin" role on current(admin) project
msg = _('You cannot remove the "admin" role from the '
'project you are currently logged into. Please '
'switch to another project with admin permissions '
'or remove the role manually via the CLI')
messages.warning(request, msg)
else:
# delete user's removed roles
for to_delete in current_roles:
api.keystone.remove_tenant_user_role(
request,
tenant_id=project_id,
user_id=user.id,
role_id=to_delete.id)
users_to_modify -= 1
# add new roles to project
for role in available_roles:
# count how many users may be added for exception handling
role_list = data["role_" + role.id]
users_to_modify += len(role_list)
for role in available_roles:
role_list = data["role_" + role.id]
users_added = 0
for user_id in role_list:
if not filter(lambda x: user_id == x.id, project_members):
api.keystone.add_tenant_user_role(request,
tenant_id=project_id,
user_id=user_id,
role_id=role.id)
users_added += 1
users_to_modify -= users_added
except:
exceptions.handle(request, _('Failed to modify %s project members '
'and update project quotas.'
% users_to_modify))
return True
# update the project quota
ifcb = data['injected_file_content_bytes']
try:
# TODO(gabriel): Once nova-volume is fully deprecated the
# "volumes" and "gigabytes" quotas should no longer be sent to
# the nova API to be updated anymore.
nova.tenant_quota_update(request,
project_id,
metadata_items=data['metadata_items'],
injected_file_content_bytes=ifcb,
volumes=data['volumes'],
gigabytes=data['gigabytes'],
ram=data['ram'],
floating_ips=data['floating_ips'],
instances=data['instances'],
injected_files=data['injected_files'],
cores=data['cores'])
if is_service_enabled(request, 'volume'):
cinder.tenant_quota_update(request,
project_id,
volumes=data['volumes'],
gigabytes=data['gigabytes'])
return True
except:
exceptions.handle(request, _('Modified project information and '
'members, but unable to modify '
'project quotas.'))
return True
def setup_new_project(request, project_id, project_name, data):
try:
acct_table = getattr(settings, 'ACCOUNTING', None)
if acct_table:
uid = acct_table.get('user_id', None)
roleid = acct_table.get('role_id', None)
if uid and roleid:
keystone_api.add_tenant_user_role(request, project_id, uid, roleid)
except:
LOG.error("Cannot add user for accounting", exc_info=True)
messages.error(request, _("Cannot add user for accounting"))
unit_id = data.get('unit', None)
cloud_table = get_unit_table()
if not unit_id or not unit_id in cloud_table:
return
unit_data = cloud_table[unit_id]
prj_cname = re.sub(r'\s+', "-", project_name)
flow_step = 0
try:
cinder_params = dict()
for pkey, pvalue in unit_data.items():
if pkey == 'quota_total':
cinder_params['gigabytes'] = pvalue
elif pkey == 'quota_per_volume':
cinder_params['per_volume_gigabytes'] = pvalue
elif pkey.startswith('quota_'):
cinder_params['gigabytes_' + pkey[6:]] = pvalue
if len(cinder_params):
cinder_api.tenant_quota_update(request, project_id, **cinder_params)
except:
LOG.error("Cannot setup project quota", exc_info=True)
messages.error(request, _("Cannot setup project quota"))
try:
hyper_list = unit_data.get('hypervisors', [])
if len(hyper_list):
agg_prj_cname = "%s-%s" % (unit_data.get('aggregate_prefix', unit_id), prj_cname)
avail_zone = unit_data.get('availability_zone', 'nova')
new_aggr = nova_api.aggregate_create(request, agg_prj_cname, avail_zone)
flow_step += 1
for h_item in hyper_list:
nova_api.add_host_to_aggregate(request, new_aggr.id, h_item)
flow_step += 1
all_md = { 'filter_tenant_id' : project_id }
all_md.update(unit_data.get('metadata', {}))
nova_api.aggregate_set_metadata(request, new_aggr.id, all_md)
flow_step = 0
except:
if flow_step == 0:
err_msg = _("Cannot create host aggregate")
elif flow_step == 1:
err_msg = _("Cannot insert hypervisor in aggregate")
else:
err_msg = _("Cannot set metadata for aggregate")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
subnet_cidr = data['%s-net' % unit_id]
prj_lan_name = "%s-lan" % prj_cname
prj_net = neutron_api.network_create(request, tenant_id=project_id, name=prj_lan_name)
flow_step += 1
net_args = {
'cidr' : subnet_cidr,
'ip_version' : 4,
'dns_nameservers' : unit_data.get('nameservers', []),
'enable_dhcp' : True,
'tenant_id' : project_id,
'name' : "sub-%s-lan" % prj_cname
}
prj_sub = neutron_api.subnet_create(request, prj_net['id'], **net_args)
flow_step += 1
if 'lan_router' in unit_data:
f_ips = [{
"ip_address" : subnet_cidr.replace('0/24', '1'),
"subnet_id" : prj_sub['id']
}]
r_port = neutron_api.port_create(request, prj_net['id'],
tenant_id=project_id,
project_id=project_id,
fixed_ips=f_ips)
neutron_api.router_add_interface(request, unit_data['lan_router'],
port_id=r_port['id'])
flow_step = 0
except:
if flow_step == 0:
err_msg = _("Cannot create network")
elif flow_step == 1:
err_msg = _("Cannot create sub-network")
else:
err_msg = _("Cannot add interface to router")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
subnet_cidr = data['%s-net' % unit_id]
def_sec_group = None
for sg_item in neutron_api.security_group_list(request, tenant_id=project_id):
if sg_item['name'].lower() == 'default':
def_sec_group = sg_item['id']
LOG.info("Found default security group %s" % def_sec_group)
break
flow_step += 1
sg_client = neutron_api.SecurityGroupManager(request).client
if not def_sec_group:
sg_params = {
'name': 'default',
'description': 'Default Security Group for ' + project_name,
'tenant_id': project_id
}
secgroup = sg_client.create_security_group({ 'security_group' : sg_params })
def_sec_group = SecurityGroup(secgroup.get('security_group'))
flow_step += 1
#
# Workaround: the tenant_id cannot be specified through high level API
#
port22_params = {
'security_group_id': def_sec_group,
'direction': 'ingress',
'ethertype': 'IPv4',
'protocol': 'tcp',
'port_range_min': 22,
'port_range_max': 22,
'remote_ip_prefix': "0.0.0.0/0",
'tenant_id' : project_id
}
icmp_params = {
'security_group_id': def_sec_group,
'direction': 'ingress',
'ethertype': 'IPv4',
'protocol': 'icmp',
'remote_ip_prefix': "0.0.0.0/0",
'tenant_id' : project_id
}
sg_client.create_security_group_rule({'security_group_rule': port22_params})
sg_client.create_security_group_rule({'security_group_rule': icmp_params})
except:
if flow_step == 0:
err_msg = _("Cannot retrieve default security group")
elif flow_step == 1:
err_msg = _("Cannot create default security group")
else:
err_msg = _("Cannot insert basic rules")
LOG.error(err_msg, exc_info=True)
messages.error(request, err_msg)
try:
new_tags = list()
new_tags.append(ORG_TAG_FMT % unit_data.get('organization', 'other'))
for ou_id in data.get('%s-ou' % unit_id, []):
if ou_id.strip():
new_tags.append(OU_TAG_FMT % ou_id.strip())
kclient = keystone_api.keystoneclient(request)
kclient.projects.update_tags(project_id, new_tags)
except:
LOG.error("Cannot add organization tags", exc_info=True)
messages.error(request, _("Cannot add organization tags"))
def _tenant_quota_update(self, request, project_id, data):
cinder.tenant_quota_update(request, project_id, **data)
