def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain).id
else:
domain = None
enabled = True
if parsed_args.disable:
enabled = False
kwargs = {}
if parsed_args.property:
kwargs = parsed_args.property.copy()
project = identity_client.projects.create(
name=parsed_args.name,
domain=domain,
description=parsed_args.description,
enabled=enabled,
**kwargs
)
info = {}
info.update(project._info)
return zip(*sorted(six.iteritems(info)))
def _determine_ec2_user(parsed_args, client_manager):
"""Determine a user several different ways.
Assumes parsed_args has user and user_domain arguments. Attempts to find
the user if domain scoping is provided, otherwise revert to a basic user
call. Lastly use the currently authenticated user.
"""
user_domain = None
if parsed_args.user_domain:
user_domain = common.find_domain(client_manager.identity,
parsed_args.user_domain)
if parsed_args.user:
if user_domain is not None:
user = utils.find_resource(client_manager.identity.users,
parsed_args.user,
domain_id=user_domain.id).id
else:
user = utils.find_resource(
client_manager.identity.users,
parsed_args.user).id
else:
# Get the user from the current auth
user = client_manager.auth_ref.user_id
return user
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if (not parsed_args.user and not parsed_args.domain
and not parsed_args.group and not parsed_args.project):
sys.stderr.write(_("Incorrect set of arguments provided. "
"See openstack --help for more details\n"))
return
domain_id = None
if parsed_args.role_domain:
domain_id = common.find_domain(identity_client,
parsed_args.role_domain).id
role = utils.find_resource(
identity_client.roles,
parsed_args.role,
domain_id=domain_id
)
kwargs = _process_identity_and_resource_options(
parsed_args, self.app.client_manager.identity)
if not kwargs:
sys.stderr.write(_("Role not removed, incorrect set of arguments "
"provided. See openstack --help for more "
"details\n"))
return
identity_client.roles.revoke(role.id, **kwargs)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
errors = 0
for user in parsed_args.users:
try:
if domain is not None:
user_obj = utils.find_resource(identity_client.users,
user,
domain_id=domain.id)
else:
user_obj = utils.find_resource(identity_client.users,
user)
identity_client.users.delete(user_obj.id)
except Exception as e:
errors += 1
LOG.error(_("Failed to delete user with "
"name or ID '%(user)s': %(e)s"),
{'user': user, 'e': e})
if errors > 0:
total = len(parsed_args.users)
msg = (_("%(errors)s of %(total)s users failed "
"to delete.") % {'errors': errors, 'total': total})
raise exceptions.CommandError(msg)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client,
parsed_args.domain).id
if parsed_args.user:
user = common.find_user(
identity_client,
parsed_args.user,
parsed_args.user_domain,
).id
else:
user = None
# List groups
if parsed_args.long:
columns = ('ID', 'Name', 'Domain ID', 'Description')
else:
columns = ('ID', 'Name')
data = identity_client.groups.list(
domain=domain,
user=user,
)
return (
columns,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data)
)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
domain_id=domain.id,
parents_as_list=parsed_args.parents,
subtree_as_list=parsed_args.children)
else:
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
parents_as_list=parsed_args.parents,
subtree_as_list=parsed_args.children)
if project._info.get('parents'):
project._info['parents'] = [str(p['project']['id'])
for p in project._info['parents']]
if project._info.get('subtree'):
project._info['subtree'] = [str(p['project']['id'])
for p in project._info['subtree']]
project._info.pop('links')
return zip(*sorted(six.iteritems(project._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if parsed_args.long:
columns = ('ID', 'Name', 'Domain ID', 'Description', 'Enabled')
else:
columns = ('ID', 'Name')
kwargs = {}
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
kwargs['domain'] = domain_id
if parsed_args.user:
if parsed_args.domain:
user_id = utils.find_resource(identity_client.users,
parsed_args.user,
domain_id=domain_id).id
else:
user_id = utils.find_resource(identity_client.users,
parsed_args.user).id
kwargs['user'] = user_id
data = identity_client.projects.list(**kwargs)
return (columns,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data))
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if (not parsed_args.name
and not parsed_args.description
and not parsed_args.domain
and not parsed_args.enable
and not parsed_args.property
and not parsed_args.disable):
return
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
)
kwargs = {}
if parsed_args.name:
kwargs['name'] = parsed_args.name
if parsed_args.domain:
kwargs['domain'] = common.find_domain(identity_client,
parsed_args.domain).id
if parsed_args.description:
kwargs['description'] = parsed_args.description
if parsed_args.enable:
kwargs['enabled'] = True
if parsed_args.disable:
kwargs['enabled'] = False
if parsed_args.property:
kwargs.update(parsed_args.property)
identity_client.projects.update(project.id, **kwargs)
return
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
project_str = common._get_token_resource(identity_client, "project", parsed_args.project)
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
project = utils.find_resource(
identity_client.projects,
project_str,
domain_id=domain.id,
parents_as_list=parsed_args.parents,
subtree_as_list=parsed_args.children,
)
else:
project = utils.find_resource(
identity_client.projects,
project_str,
parents_as_list=parsed_args.parents,
subtree_as_list=parsed_args.children,
)
if project._info.get("parents"):
project._info["parents"] = [str(p["project"]["id"]) for p in project._info["parents"]]
if project._info.get("subtree"):
project._info["subtree"] = [str(p["project"]["id"]) for p in project._info["subtree"]]
project._info.pop("links")
return zip(*sorted(six.iteritems(project._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
client_manager = self.app.client_manager
user = _determine_ec2_user(parsed_args, client_manager)
project_domain = None
if parsed_args.project_domain:
project_domain = common.find_domain(identity_client,
parsed_args.project_domain)
if parsed_args.project:
if project_domain is not None:
project = utils.find_resource(identity_client.projects,
parsed_args.project,
domain_id=project_domain.id).id
else:
project = utils.find_resource(
identity_client.projects,
parsed_args.project).id
else:
# Get the project from the current auth
project = self.app.client_manager.auth_ref.project_id
creds = identity_client.ec2.create(user, project)
info = {}
info.update(creds._info)
if 'tenant_id' in info:
info.update(
{'project_id': info.pop('tenant_id')}
)
return zip(*sorted(six.iteritems(info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
errors = 0
for role in parsed_args.roles:
try:
role_obj = utils.find_resource(
identity_client.roles,
role,
domain_id=domain_id
)
identity_client.roles.delete(role_obj.id)
except Exception as e:
errors += 1
LOG.error(_("Failed to delete role with "
"name or ID '%(role)s': %(e)s"),
{'role': role, 'e': e})
if errors > 0:
total = len(parsed_args.roles)
msg = (_("%(errors)s of %(total)s roles failed "
"to delete.") % {'errors': errors, 'total': total})
raise exceptions.CommandError(msg)
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client,
parsed_args.domain).id
try:
group = identity_client.groups.create(
name=parsed_args.name,
domain=domain,
description=parsed_args.description)
except ksc_exc.Conflict as e:
if parsed_args.or_show:
group = utils.find_resource(identity_client.groups,
parsed_args.name,
domain_id=domain)
self.log.info('Returning existing group %s', group.name)
else:
raise e
group._info.pop('links')
return zip(*sorted(six.iteritems(group._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if parsed_args.remote_id_file:
file_content = utils.read_blob_file_contents(
parsed_args.remote_id_file)
remote_ids = file_content.splitlines()
remote_ids = list(map(str.strip, remote_ids))
else:
remote_ids = (parsed_args.remote_id
if parsed_args.remote_id else None)
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
idp = identity_client.federation.identity_providers.create(
id=parsed_args.identity_provider_id,
remote_ids=remote_ids,
description=parsed_args.description,
domain_id=domain_id,
enabled=parsed_args.enabled)
idp._info.pop('links', None)
remote_ids = utils.format_list(idp._info.pop('remote_ids', []))
idp._info['remote_ids'] = remote_ids
return zip(*sorted(six.iteritems(idp._info)))
def _process_identity_and_resource_options(parsed_args,
identity_client_manager):
kwargs = {}
if parsed_args.user and parsed_args.domain:
kwargs['user'] = common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain,
).id
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.user and parsed_args.project:
kwargs['user'] = common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain,
).id
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
elif parsed_args.group and parsed_args.domain:
kwargs['group'] = common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain,
).id
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.group and parsed_args.project:
kwargs['group'] = common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain,
).id
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
kwargs['os_inherit_extension_inherited'] = parsed_args.inherited
return kwargs
def _process_identity_and_resource_options(parsed_args, identity_client_manager):
kwargs = {}
if parsed_args.user and parsed_args.domain:
kwargs["user"] = common.find_user(identity_client_manager, parsed_args.user, parsed_args.user_domain).id
kwargs["domain"] = common.find_domain(identity_client_manager, parsed_args.domain).id
elif parsed_args.user and parsed_args.project:
kwargs["user"] = common.find_user(identity_client_manager, parsed_args.user, parsed_args.user_domain).id
kwargs["project"] = common.find_project(
identity_client_manager, parsed_args.project, parsed_args.project_domain
).id
elif parsed_args.group and parsed_args.domain:
kwargs["group"] = common.find_group(identity_client_manager, parsed_args.group, parsed_args.group_domain).id
kwargs["domain"] = common.find_domain(identity_client_manager, parsed_args.domain).id
elif parsed_args.group and parsed_args.project:
kwargs["group"] = common.find_group(identity_client_manager, parsed_args.group, parsed_args.group_domain).id
kwargs["project"] = common.find_project(
identity_client_manager, parsed_args.project, parsed_args.project_domain
).id
kwargs["os_inherit_extension_inherited"] = parsed_args.inherited
return kwargs
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
for project in parsed_args.projects:
if domain is not None:
project_obj = utils.find_resource(identity_client.projects, project, domain_id=domain.id)
else:
project_obj = utils.find_resource(identity_client.projects, project)
identity_client.projects.delete(project_obj.id)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
role = utils.find_resource(identity_client.roles,
parsed_args.role,
domain_id=domain_id)
identity_client.roles.update(role.id, name=parsed_args.name)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
user = utils.find_resource(identity_client.users,
parsed_args.user,
domain_id=domain.id)
else:
user = utils.find_resource(identity_client.users,
parsed_args.user)
user._info.pop('links')
return zip(*sorted(six.iteritems(user._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
role = utils.find_resource(identity_client.roles,
parsed_args.role,
domain_id=domain_id)
role._info.pop('links')
return zip(*sorted(six.iteritems(role._info)))
def take_action(self, parsed_args):
compute_client = self.app.client_manager.compute
volume_client = self.app.client_manager.volume
project_id = None
if parsed_args.project is not None:
identity_client = self.app.client_manager.identity
if parsed_args.domain is not None:
domain = identity_common.find_domain(identity_client,
parsed_args.domain)
project_id = utils.find_resource(identity_client.projects,
parsed_args.project,
domain_id=domain.id).id
else:
project_id = utils.find_resource(identity_client.projects,
parsed_args.project).id
compute_limits = None
volume_limits = None
if self.app.client_manager.is_compute_endpoint_enabled():
compute_limits = compute_client.limits.get(parsed_args.is_reserved,
tenant_id=project_id)
if self.app.client_manager.is_volume_endpoint_enabled(volume_client):
volume_limits = volume_client.limits.get()
data = []
if parsed_args.is_absolute:
if compute_limits:
data.append(compute_limits.absolute)
if volume_limits:
data.append(volume_limits.absolute)
columns = ["Name", "Value"]
return (columns, (utils.get_item_properties(s, columns)
for s in itertools.chain(*data)))
elif parsed_args.is_rate:
if compute_limits:
data.append(compute_limits.rate)
if volume_limits:
data.append(volume_limits.rate)
columns = ["Verb", "URI", "Value", "Remain", "Unit",
"Next Available"]
return (columns, (utils.get_item_properties(s, columns)
for s in itertools.chain(*data)))
else:
return {}, {}
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
for role in parsed_args.roles:
role_obj = utils.find_resource(
identity_client.roles,
role,
domain_id=domain_id
)
identity_client.roles.delete(role_obj.id)
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client,
parsed_args.domain).id
else:
domain = None
group = identity_client.groups.create(
name=parsed_args.name,
domain=domain,
description=parsed_args.description)
group._info.pop('links')
return zip(*sorted(six.iteritems(group._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
for user in parsed_args.users:
if domain is not None:
user_obj = utils.find_resource(identity_client.users,
user,
domain_id=domain.id)
else:
user_obj = utils.find_resource(identity_client.users,
user)
identity_client.users.delete(user_obj.id)
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
group = utils.find_resource(identity_client.groups,
parsed_args.group,
domain_id=domain.id)
else:
group = utils.find_resource(identity_client.groups,
parsed_args.group)
group._info.pop('links')
return zip(*sorted(six.iteritems(group._info)))
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.password_prompt:
parsed_args.password = utils.get_password(self.app.stdin)
if (not parsed_args.name
and not parsed_args.name
and not parsed_args.password
and not parsed_args.email
and not parsed_args.domain
and not parsed_args.project
and not parsed_args.description
and not parsed_args.enable
and not parsed_args.disable):
return
user = utils.find_resource(
identity_client.users,
parsed_args.user,
)
kwargs = {}
if parsed_args.name:
kwargs['name'] = parsed_args.name
if parsed_args.email:
kwargs['email'] = parsed_args.email
if parsed_args.password:
kwargs['password'] = parsed_args.password
if parsed_args.description:
kwargs['description'] = parsed_args.description
if parsed_args.project:
project_id = utils.find_resource(
identity_client.projects, parsed_args.project).id
kwargs['project'] = project_id
if parsed_args.domain:
kwargs['domain'] = common.find_domain(identity_client,
parsed_args.domain).id
kwargs['enabled'] = user.enabled
if parsed_args.enable:
kwargs['enabled'] = True
if parsed_args.disable:
kwargs['enabled'] = False
identity_client.users.update(user.id, **kwargs)
return
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
project = utils.find_resource(identity_client.projects,
parsed_args.project,
domain_id=domain.id)
else:
project = utils.find_resource(identity_client.projects,
parsed_args.project)
project._info.pop('links')
# TODO(stevemar): Remove the line below when we support multitenancy
project._info.pop('parent_id', None)
return zip(*sorted(six.iteritems(project._info)))
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
for group in parsed_args.groups:
if domain is not None:
group_obj = utils.find_resource(identity_client.groups,
group,
domain_id=domain.id)
else:
group_obj = utils.find_resource(identity_client.groups,
group)
identity_client.groups.delete(group_obj.id)
return
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.long:
columns = ('ID', 'Name', 'Domain ID', 'Description', 'Enabled')
else:
columns = ('ID', 'Name')
kwargs = {}
if parsed_args.domain:
domain = common.find_domain(identity_client, parsed_args.domain)
kwargs['domain'] = domain.id
data = identity_client.projects.list(**kwargs)
return (columns,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data))
def take_action(self, parsed_args):
self.log.debug('take_action(%s)', parsed_args)
identity_client = self.app.client_manager.identity
group = utils.find_resource(identity_client.groups, parsed_args.group)
kwargs = {}
if parsed_args.name:
kwargs['name'] = parsed_args.name
if parsed_args.description:
kwargs['description'] = parsed_args.description
if parsed_args.domain:
kwargs['domain'] = common.find_domain(identity_client,
parsed_args.domain).id
if not len(kwargs):
sys.stderr.write("Group not updated, no arguments present")
return
identity_client.groups.update(group.id, **kwargs)
return
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
project_id = None
if parsed_args.project:
project_id = common.find_project(identity_client,
parsed_args.project,
parsed_args.project_domain).id
domain_id = None
if parsed_args.domain:
domain_id = common.find_domain(identity_client,
parsed_args.domain).id
enabled = True
if parsed_args.disable:
enabled = False
if parsed_args.password_prompt:
parsed_args.password = utils.get_password(self.app.stdin)
if not parsed_args.password:
LOG.warning(_("No password was supplied, authentication will fail "
"when a user does not have a password."))
try:
user = identity_client.users.create(
name=parsed_args.name,
domain=domain_id,
default_project=project_id,
password=parsed_args.password,
email=parsed_args.email,
description=parsed_args.description,
enabled=enabled
)
except ks_exc.Conflict:
if parsed_args.or_show:
user = utils.find_resource(identity_client.users,
parsed_args.name,
domain_id=domain_id)
LOG.info(_('Returning existing user %s'), user.name)
else:
raise
user._info.pop('links')
return zip(*sorted(six.iteritems(user._info)))
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
auth_ref = self.app.client_manager.auth_ref
role = None
role_domain_id = None
if parsed_args.role_domain:
role_domain_id = common.find_domain(identity_client,
parsed_args.role_domain).id
if parsed_args.role:
role = utils.find_resource(identity_client.roles,
parsed_args.role,
domain_id=role_domain_id)
user = None
if parsed_args.user:
user = common.find_user(
identity_client,
parsed_args.user,
parsed_args.user_domain,
)
elif parsed_args.authuser:
if auth_ref:
user = common.find_user(identity_client, auth_ref.user_id)
domain = None
if parsed_args.domain:
domain = common.find_domain(
identity_client,
parsed_args.domain,
)
project = None
if parsed_args.project:
project = common.find_project(
identity_client,
parsed_args.project,
parsed_args.project_domain,
)
elif parsed_args.authproject:
if auth_ref:
project = common.find_project(identity_client,
auth_ref.project_id)
group = None
if parsed_args.group:
group = common.find_group(
identity_client,
parsed_args.group,
parsed_args.group_domain,
)
include_names = True if parsed_args.names else False
effective = True if parsed_args.effective else False
columns = ('Role', 'User', 'Group', 'Project', 'Domain', 'Inherited')
inherited_to = 'projects' if parsed_args.inherited else None
data = identity_client.role_assignments.list(
domain=domain,
user=user,
group=group,
project=project,
role=role,
effective=effective,
os_inherit_extension_inherited_to=inherited_to,
include_names=include_names)
data_parsed = []
for assignment in data:
# Removing the extra "scope" layer in the assignment json
scope = assignment.scope
if 'project' in scope:
if include_names:
prj = '@'.join([
scope['project']['name'],
scope['project']['domain']['name']
])
setattr(assignment, 'project', prj)
else:
setattr(assignment, 'project', scope['project']['id'])
assignment.domain = ''
elif 'domain' in scope:
if include_names:
setattr(assignment, 'domain', scope['domain']['name'])
else:
setattr(assignment, 'domain', scope['domain']['id'])
assignment.project = ''
else:
assignment.domain = ''
assignment.project = ''
inherited = scope.get('OS-INHERIT:inherited_to') == 'projects'
assignment.inherited = inherited
del assignment.scope
if hasattr(assignment, 'user'):
if include_names:
usr = '******'.join([
assignment.user['name'],
assignment.user['domain']['name']
])
setattr(assignment, 'user', usr)
else:
setattr(assignment, 'user', assignment.user['id'])
assignment.group = ''
elif hasattr(assignment, 'group'):
if include_names:
grp = '@'.join([
assignment.group['name'],
assignment.group['domain']['name']
])
setattr(assignment, 'group', grp)
else:
setattr(assignment, 'group', assignment.group['id'])
assignment.user = ''
else:
assignment.user = ''
assignment.group = ''
if hasattr(assignment, 'role'):
if include_names:
# TODO(henry-nash): If this is a domain specific role it
# would be good show this as role@domain, although this
# domain info is not yet included in the response from the
# server. Although we could get it by re-reading the role
# from the ID, let's wait until the server does the right
# thing.
setattr(assignment, 'role', assignment.role['name'])
else:
setattr(assignment, 'role', assignment.role['id'])
else:
assignment.role = ''
# Creating a tuple from data object fields
# (including the blank ones)
data_parsed.append(self._as_tuple(assignment))
return columns, tuple(data_parsed)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
role = None
if parsed_args.role:
role = utils.find_resource(
identity_client.roles,
parsed_args.role,
)
user = None
if parsed_args.user:
user = common.find_user(
identity_client,
parsed_args.user,
parsed_args.user_domain,
)
domain = None
if parsed_args.domain:
domain = common.find_domain(
identity_client,
parsed_args.domain,
)
project = None
if parsed_args.project:
project = common.find_project(
identity_client,
parsed_args.project,
parsed_args.project_domain,
)
group = None
if parsed_args.group:
group = common.find_group(
identity_client,
parsed_args.group,
parsed_args.group_domain,
)
include_names = True if parsed_args.names else False
effective = True if parsed_args.effective else False
columns = ('Role', 'User', 'Group', 'Project', 'Domain', 'Inherited')
inherited_to = 'projects' if parsed_args.inherited else None
data = identity_client.role_assignments.list(
domain=domain,
user=user,
group=group,
project=project,
role=role,
effective=effective,
os_inherit_extension_inherited_to=inherited_to,
include_names=include_names)
data_parsed = []
for assignment in data:
# Removing the extra "scope" layer in the assignment json
scope = assignment.scope
if 'project' in scope:
if include_names:
prj = '@'.join([
scope['project']['name'],
scope['project']['domain']['name']
])
setattr(assignment, 'project', prj)
else:
setattr(assignment, 'project', scope['project']['id'])
assignment.domain = ''
elif 'domain' in scope:
if include_names:
setattr(assignment, 'domain', scope['domain']['name'])
else:
setattr(assignment, 'domain', scope['domain']['id'])
assignment.project = ''
else:
assignment.domain = ''
assignment.project = ''
inherited = scope.get('OS-INHERIT:inherited_to') == 'projects'
assignment.inherited = inherited
del assignment.scope
if hasattr(assignment, 'user'):
if include_names:
usr = '******'.join([
assignment.user['name'],
assignment.user['domain']['name']
])
setattr(assignment, 'user', usr)
else:
setattr(assignment, 'user', assignment.user['id'])
assignment.group = ''
elif hasattr(assignment, 'group'):
if include_names:
grp = '@'.join([
assignment.group['name'],
assignment.group['domain']['name']
])
setattr(assignment, 'group', grp)
else:
setattr(assignment, 'group', assignment.group['id'])
assignment.user = ''
else:
assignment.user = ''
assignment.group = ''
if hasattr(assignment, 'role'):
if include_names:
setattr(assignment, 'role', assignment.role['name'])
else:
setattr(assignment, 'role', assignment.role['id'])
else:
assignment.role = ''
# Creating a tuple from data object fields
# (including the blank ones)
data_parsed.append(self._as_tuple(assignment))
return columns, tuple(data_parsed)
def take_action(self, parsed_args):
self.log.debug('take_action(%s)' % parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.user:
user = common.find_user(
identity_client,
parsed_args.user,
parsed_args.user_domain,
)
elif parsed_args.group:
group = common.find_group(
identity_client,
parsed_args.group,
parsed_args.group_domain,
)
if parsed_args.domain:
domain = common.find_domain(
identity_client,
parsed_args.domain,
)
elif parsed_args.project:
project = common.find_project(
identity_client,
parsed_args.project,
parsed_args.project_domain,
)
# no user or group specified, list all roles in the system
if not parsed_args.user and not parsed_args.group:
columns = ('ID', 'Name')
data = identity_client.roles.list()
elif parsed_args.user and parsed_args.domain:
columns = ('ID', 'Name', 'Domain', 'User')
data = identity_client.roles.list(
user=user,
domain=domain,
os_inherit_extension_inherited=parsed_args.inherited
)
for user_role in data:
user_role.user = user.name
user_role.domain = domain.name
elif parsed_args.user and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'User')
data = identity_client.roles.list(
user=user,
project=project,
os_inherit_extension_inherited=parsed_args.inherited
)
for user_role in data:
user_role.user = user.name
user_role.project = project.name
elif parsed_args.user:
columns = ('ID', 'Name')
data = identity_client.roles.list(
user=user,
domain='default',
os_inherit_extension_inherited=parsed_args.inherited
)
elif parsed_args.group and parsed_args.domain:
columns = ('ID', 'Name', 'Domain', 'Group')
data = identity_client.roles.list(
group=group,
domain=domain,
os_inherit_extension_inherited=parsed_args.inherited
)
for group_role in data:
group_role.group = group.name
group_role.domain = domain.name
elif parsed_args.group and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'Group')
data = identity_client.roles.list(
group=group,
project=project,
os_inherit_extension_inherited=parsed_args.inherited
)
for group_role in data:
group_role.group = group.name
group_role.project = project.name
else:
sys.stderr.write("Error: If a user or group is specified, either "
"--domain or --project must also be specified to "
"list role grants.\n")
return ([], [])
return (columns,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data))
def _process_identity_and_resource_options(parsed_args,
identity_client_manager,
validate_actor_existence=True):
def _find_user():
try:
return common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain
).id
except exceptions.CommandError:
if not validate_actor_existence:
return parsed_args.user
raise
def _find_group():
try:
return common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain
).id
except exceptions.CommandError:
if not validate_actor_existence:
return parsed_args.group
raise
kwargs = {}
if parsed_args.user and parsed_args.system:
kwargs['user'] = _find_user()
kwargs['system'] = parsed_args.system
elif parsed_args.user and parsed_args.domain:
kwargs['user'] = _find_user()
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.user and parsed_args.project:
kwargs['user'] = _find_user()
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
elif parsed_args.group and parsed_args.system:
kwargs['group'] = _find_group()
kwargs['system'] = parsed_args.system
elif parsed_args.group and parsed_args.domain:
kwargs['group'] = _find_group()
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.group and parsed_args.project:
kwargs['group'] = _find_group()
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
kwargs['os_inherit_extension_inherited'] = parsed_args.inherited
return kwargs
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
domain = None
if parsed_args.domain:
domain = common.find_domain(identity_client,
parsed_args.domain).id
group = None
if parsed_args.group:
group = common.find_group(identity_client,
parsed_args.group,
parsed_args.domain).id
if parsed_args.project:
if domain is not None:
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
domain_id=domain
).id
else:
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
).id
assignments = identity_client.role_assignments.list(
project=project)
# NOTE(stevemar): If a user has more than one role on a project
# then they will have two entries in the returned data. Since we
# are looking for any role, let's just track unique user IDs.
user_ids = set()
for assignment in assignments:
if hasattr(assignment, 'user'):
user_ids.add(assignment.user['id'])
# NOTE(stevemar): Call find_resource once we have unique IDs, so
# it's fewer trips to the Identity API, then collect the data.
data = []
for user_id in user_ids:
user = utils.find_resource(identity_client.users, user_id)
data.append(user)
else:
data = identity_client.users.list(
domain=domain,
group=group,
)
# Column handling
if parsed_args.long:
columns = ['ID', 'Name', 'Default Project Id', 'Domain Id',
'Description', 'Email', 'Enabled']
column_headers = copy.deepcopy(columns)
column_headers[2] = 'Project'
column_headers[3] = 'Domain'
else:
columns = ['ID', 'Name']
column_headers = columns
return (
column_headers,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data)
)
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
if parsed_args.user:
user = common.find_user(
identity_client,
parsed_args.user,
parsed_args.user_domain,
)
elif parsed_args.group:
group = common.find_group(
identity_client,
parsed_args.group,
parsed_args.group_domain,
)
if parsed_args.domain:
domain = common.find_domain(
identity_client,
parsed_args.domain,
)
elif parsed_args.project:
project = common.find_project(
identity_client,
parsed_args.project,
parsed_args.project_domain,
)
# no user or group specified, list all roles in the system
if not parsed_args.user and not parsed_args.group:
if not parsed_args.domain:
columns = ('ID', 'Name')
data = identity_client.roles.list()
else:
columns = ('ID', 'Name', 'Domain')
data = identity_client.roles.list(domain_id=domain.id)
for role in data:
role.domain = domain.name
elif parsed_args.user and parsed_args.domain:
columns = ('ID', 'Name', 'Domain', 'User')
data = identity_client.roles.list(
user=user,
domain=domain,
os_inherit_extension_inherited=parsed_args.inherited)
for user_role in data:
user_role.user = user.name
user_role.domain = domain.name
self.log.warning(
_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --domain <domain-name> --names '
'instead.'))
elif parsed_args.user and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'User')
data = identity_client.roles.list(
user=user,
project=project,
os_inherit_extension_inherited=parsed_args.inherited)
for user_role in data:
user_role.user = user.name
user_role.project = project.name
self.log.warning(
_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --project <project-name> --names '
'instead.'))
elif parsed_args.user:
columns = ('ID', 'Name')
data = identity_client.roles.list(
user=user,
domain='default',
os_inherit_extension_inherited=parsed_args.inherited)
self.log.warning(
_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --domain default --names '
'instead.'))
elif parsed_args.group and parsed_args.domain:
columns = ('ID', 'Name', 'Domain', 'Group')
data = identity_client.roles.list(
group=group,
domain=domain,
os_inherit_extension_inherited=parsed_args.inherited)
for group_role in data:
group_role.group = group.name
group_role.domain = domain.name
self.log.warning(
_('Listing assignments using role list is '
'deprecated. Use role assignment list --group '
'<group-name> --domain <domain-name> --names '
'instead.'))
elif parsed_args.group and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'Group')
data = identity_client.roles.list(
group=group,
project=project,
os_inherit_extension_inherited=parsed_args.inherited)
for group_role in data:
group_role.group = group.name
group_role.project = project.name
self.log.warning(
_('Listing assignments using role list is '
'deprecated. Use role assignment list --group '
'<group-name> --project <project-name> --names '
'instead.'))
else:
msg = _("Error: If a user or group is specified, "
"either --domain or --project must also be "
"specified to list role grants.")
raise exceptions.CommandError(msg)
return (columns, (utils.get_item_properties(
s,
columns,
formatters={},
) for s in data))
def _process_identity_and_resource_options(parsed_args,
identity_client_manager):
kwargs = {}
if parsed_args.user and parsed_args.system:
kwargs['user'] = common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain,
).id
kwargs['system'] = parsed_args.system
elif parsed_args.user and parsed_args.domain:
kwargs['user'] = common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain,
).id
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.user and parsed_args.project:
kwargs['user'] = common.find_user(
identity_client_manager,
parsed_args.user,
parsed_args.user_domain,
).id
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
elif parsed_args.group and parsed_args.system:
kwargs['group'] = common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain,
).id
kwargs['system'] = parsed_args.system
elif parsed_args.group and parsed_args.domain:
kwargs['group'] = common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain,
).id
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.group and parsed_args.project:
kwargs['group'] = common.find_group(
identity_client_manager,
parsed_args.group,
parsed_args.group_domain,
).id
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
kwargs['os_inherit_extension_inherited'] = parsed_args.inherited
return kwargs
def take_action(self, parsed_args):
self.log.debug('take_action(%s)' % parsed_args)
identity_client = self.app.client_manager.identity
if parsed_args.project_domain:
project_domain = common.find_domain(identity_client,
parsed_args.project_domain).id
else:
project_domain = None
if parsed_args.trustor_domain:
trustor_domain = common.find_domain(identity_client,
parsed_args.trustor_domain).id
else:
trustor_domain = None
if parsed_args.trustee_domain:
trustee_domain = common.find_domain(identity_client,
parsed_args.trustee_domain).id
else:
trustee_domain = None
# NOTE(stevemar): Find the two users, project and roles that
# are necessary for making a trust usable, the API dictates that
# trustee, project and role are optional, but that makes the trust
# pointless, and trusts are immutable, so let's enforce it at the
# client level.
trustor_id = utils.find_resource(identity_client.users,
parsed_args.trustor,
domain_id=trustor_domain).id
trustee_id = utils.find_resource(identity_client.users,
parsed_args.trustee,
domain_id=trustee_domain).id
project_id = utils.find_resource(identity_client.projects,
parsed_args.project,
domain_id=project_domain).id
role_names = []
for role in parsed_args.role:
role_name = utils.find_resource(
identity_client.roles,
role,
).name
role_names.append(role_name)
expires_at = None
if parsed_args.expiration:
expires_at = datetime.datetime.strptime(parsed_args.expiration,
'%Y-%m-%dT%H:%M:%S')
trust = identity_client.trusts.create(
trustee_id,
trustor_id,
impersonation=parsed_args.impersonate,
project=project_id,
role_names=role_names,
expires_at=expires_at,
)
trust._info.pop('roles_links', None)
trust._info.pop('links', None)
# Format roles into something sensible
roles = trust._info.pop('roles')
msg = ''.join([r['name'] + ' ' for r in roles])
trust._info['roles'] = msg
return zip(*sorted(six.iteritems(trust._info)))
