def create_user(self, name, email, password=None, enabled=True):
"""
ADMIN ONLY. Creates a new user for this tenant (account). The username
and email address must be supplied. You may optionally supply the
password for this user; if not, the API server generates a password and
return it in the 'password' attribute of the resulting User object.
NOTE: this is the ONLY time the password is returned; after the initial
user creation, there is NO WAY to retrieve the user's password.
You may also specify that the user should be created but not active by
passing False to the enabled parameter.
"""
# NOTE: the OpenStack docs say that the name key in the following dict
# is supposed to be 'username', but the service actually expects 'name'.
data = {"user": {
"username": name,
"email": email,
"enabled": enabled,
}}
if password:
data["user"]["OS-KSADM:password"] = password
resp, resp_body = self.method_post("users", data=data, admin=True)
if resp.status_code == 201:
return User(self, resp_body.get("user", resp_body))
elif resp.status_code in (401, 403, 404):
raise exc.AuthorizationFailure("You are not authorized to create "
"users.")
elif resp.status_code == 409:
raise exc.DuplicateUser("User '%s' already exists." % name)
elif resp.status_code == 400:
message = resp_body["badRequest"]["message"]
if "Expecting valid email address" in message:
raise exc.InvalidEmail("%s is not valid" % email)
else:
raise exc.BadRequest(message)
def list_users(self):
"""
ADMIN ONLY. Returns a list of objects for all users for the tenant
(account) if this request is issued by a user holding the admin role
(identity:user-admin).
"""
resp = self.method_get("users", admin=True)
if resp.status_code in (401, 403, 404):
raise exc.AuthorizationFailure("You are not authorized to list "
"users.")
users = resp.json()
# The API is inconsistent; if only one user exists, it will not return
# a list.
if "users" in users:
users = users["users"]
else:
users = [users]
# The returned values may contain password data. Strip that out.
for user in users:
bad_keys = [
key for key in user.keys() if "password" in key.lower()
]
for bad_key in bad_keys:
user.pop(bad_key)
return [User(self, user) for user in users]
def get_token_endpoints(self):
"""
ADMIN ONLY. Returns a list of all endpoints for the current auth token.
"""
resp, resp_body = self.method_get("tokens/%s/endpoints" % self.token,
admin=True)
if resp.status_code in (401, 403, 404):
raise exc.AuthorizationFailure("You are not authorized to list "
"token endpoints.")
return resp_body.get("access", {}).get("endpoints")
def revoke_token(self, token):
"""
ADMIN ONLY. Returns True or False, depending on whether deletion of the
specified token was successful.
"""
resp, resp_body = self.method_delete("tokens/%s" % token, admin=True)
if resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You must be an admin to make this "
"call.")
return 200 <= resp.status_code < 300
def list_tokens(self):
"""
ADMIN ONLY. Returns a dict containing tokens, endpoints, user info, and
role metadata.
"""
resp, resp_body = self.method_get("tokens/%s" % self.token, admin=True)
if resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You must be an admin to make this "
"call.")
return resp_body.get("access")
def check_token(self, token=None):
"""
ADMIN ONLY. Returns True or False, depending on whether the current
token is valid.
"""
if token is None:
token = self.token
resp, resp_body = self.method_head("tokens/%s" % token, admin=True)
if resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You must be an admin to make this "
"call.")
return 200 <= resp.status_code < 300
def _list_tenants(self, admin):
"""
Returns either a list of all tenants (admin=True), or the tenant for
the currently-authenticated user (admin=False).
"""
resp, resp_body = self.method_get("tenants", admin=admin)
if 200 <= resp.status_code < 300:
tenants = resp_body.get("tenants", [])
return [Tenant(self, tenant) for tenant in tenants]
elif resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You are not authorized to list "
"tenants.")
else:
raise exc.TenantNotFound("Could not get a list of tenants.")
def list_roles_for_user(self, user):
"""
ADMIN ONLY. Returns a list of roles for the specified user. Each role
will be a 3-tuple, consisting of (role_id, role_name,
role_description).
"""
user_id = utils.get_id(user)
uri = "users/%s/roles" % user_id
resp, resp_body = self.method_get(uri)
if resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You are not authorized to list "
"user roles.")
roles = resp_body.get("roles")
return roles
def delete_user(self, user):
"""
ADMIN ONLY. Removes the user from the system. There is no 'undo'
available, so you should be certain that the user specified is the user
you wish to delete.
"""
user_id = utils.get_id(user)
uri = "users/%s" % user_id
resp, resp_body = self.method_delete(uri)
if resp.status_code == 404:
raise exc.UserNotFound("User '%s' does not exist." % user)
elif resp.status_code in (401, 403):
raise exc.AuthorizationFailure("You are not authorized to delete "
"users.")
def update_user(self, user, email=None, username=None,
uid=None, enabled=None):
"""
ADMIN ONLY. Updates the user attributes with the supplied values.
"""
user_id = utils.get_id(user)
uri = "users/%s" % user_id
upd = {"id": user_id}
if email is not None:
upd["email"] = email
if username is not None:
upd["username"] = username
if enabled is not None:
upd["enabled"] = enabled
data = {"user": upd}
resp, resp_body = self.method_put(uri, data=data)
if resp.status_code in (401, 403, 404):
raise exc.AuthorizationFailure("You are not authorized to update "
"users.")
return User(self, resp_body)
