Exemplo n.º 1
def create_image():
    """Create an image from the parsed request and return its JSON view.

    A public ("global") image is created through ``g.client_set`` after
    ``auth.assert_admin()``. Any other image is created through the client
    set that ``auth.client_set_for_tenant`` returns for the named project.
    """
    data = parse_request_data(_SCHEMA.create_allowed, _SCHEMA.create_required)

    # With no explicit 'global' flag, the image is public exactly when the
    # request names no project.
    public_by_default = 'project' not in data
    is_public = data.get('global', public_by_default)

    if not is_public:
        if 'project' not in data:
            raise exc.MissingElement('project')
        # NOTE(review): presumably client_set_for_tenant() verifies that the
        # caller may act in this project -- confirm, since no other
        # authorization check is visible on this path.
        client_set = auth.client_set_for_tenant(data['project'])
    else:
        _assert_param_absent('project', data, 'public')
        auth.assert_admin()
        client_set = g.client_set

    disk_format = data['disk-format']
    props = {}
    if disk_format != 'ami':
        # Non-AMI formats pass both parameters to _assert_param_absent.
        _assert_param_absent('kernel', data, disk_format)
        _assert_param_absent('ramdisk', data, disk_format)
    else:
        # TODO(imelnikov): check that images have correct types
        # NOTE(review): the ids are copied as given; nothing visible here
        # checks that they refer to images the caller is allowed to use.
        for param, prop in (('kernel', 'kernel_id'),
                            ('ramdisk', 'ramdisk_id')):
            if param in data:
                props[prop] = data[param]

    image = client_set.image.images.create(
        name=data['name'],
        disk_format=disk_format,
        container_format=data['container-format'],
        is_public=is_public,
        properties=props)
    set_audit_resource_id(image)
    return make_json_response(_image_to_view(image))
Exemplo n.º 2
def create_image():
    """Create an image from the parsed request and return its JSON view.

    A public ("global") image is created through ``g.client_set`` after
    ``auth.assert_admin()``. Any other image is created through the client
    set that ``auth.client_set_for_tenant`` returns for the named project.
    """
    data = parse_request_data(_SCHEMA.create_allowed, _SCHEMA.create_required)

    # With no explicit 'global' flag, the image is public exactly when the
    # request names no project.
    public_by_default = 'project' not in data
    is_public = data.get('global', public_by_default)

    if not is_public:
        if 'project' not in data:
            raise exc.MissingElement('project')
        # NOTE(review): presumably client_set_for_tenant() verifies that the
        # caller may act in this project -- confirm, since no other
        # authorization check is visible on this path.
        client_set = auth.client_set_for_tenant(data['project'])
    else:
        _assert_param_absent('project', data, 'public')
        auth.assert_admin()
        client_set = g.client_set

    disk_format = data['disk-format']
    props = {}
    if disk_format != 'ami':
        # Non-AMI formats pass both parameters to _assert_param_absent.
        _assert_param_absent('kernel', data, disk_format)
        _assert_param_absent('ramdisk', data, disk_format)
    else:
        # TODO(imelnikov): check that images have correct types
        # NOTE(review): the ids are copied as given; nothing visible here
        # checks that they refer to images the caller is allowed to use.
        for param, prop in (('kernel', 'kernel_id'),
                            ('ramdisk', 'ramdisk_id')):
            if param in data:
                props[prop] = data[param]

    image = client_set.image.images.create(
        name=data['name'],
        disk_format=disk_format,
        container_format=data['container-format'],
        is_public=is_public,
        properties=props)
    set_audit_resource_id(image)
    return make_json_response(_image_to_view(image))
Exemplo n.º 3
def _grant_admin(user_id):
    """Give *user_id* the admin role in the admin tenant (aka systenant).

    ``auth.assert_admin()`` runs before the role is added; it presumably
    raises for callers who are not admins.
    """
    auth.assert_admin()
    role_manager = g.client_set.identity_admin.roles
    role_manager.add_user_role(
        user_id, auth.admin_role_id(), auth.default_tenant_id())
Exemplo n.º 4
def delete_users_ssh_key(user_id, key_name):
    """Delete SSH key *key_name* of *user_id* and reply with status 204.

    A caller acting on another user's key must pass ``auth.assert_admin()``.
    A key the backend does not know yields 404.
    """
    acts_on_other_user = user_id != auth.current_user_id()
    if acts_on_other_user:
        auth.assert_admin()

    # The deletion runs with the admin client set, so the check above is the
    # only authorization gate visible on this path.
    keypairs = auth.admin_client_set().compute_ext.user_keypairs
    try:
        keypairs.delete(user_id, key_name)
    except osc_exc.NotFound:
        abort(404)
    return make_json_response(None, 204)
Exemplo n.º 5
def delete_users_ssh_key(user_id, key_name):
    """Delete SSH key *key_name* of *user_id* and reply with status 204.

    A caller acting on another user's key must pass ``auth.assert_admin()``.
    A key the backend does not know yields 404.
    """
    acts_on_other_user = user_id != auth.current_user_id()
    if acts_on_other_user:
        auth.assert_admin()

    # The deletion runs with the admin client set, so the check above is the
    # only authorization gate visible on this path.
    keypairs = auth.admin_client_set().compute_ext.user_keypairs
    try:
        keypairs.delete(user_id, key_name)
    except osc_exc.NotFound:
        abort(404)
    return make_json_response(None, 204)
Exemplo n.º 6
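def _invite_user(user, data):
    """Create an invitation for *user* and return the user's view.

    By default the invitation code is mailed to ``user.email``. When the
    request sets ``send-invite-mail`` to a false value no mail is sent and
    ``send_code=True`` is passed to ``user_to_view``; that variant requires
    ``auth.assert_admin()``.
    """
    send_mail = data.get('send-invite-mail', True)
    if not send_mail:
        # Authorize before InvitesDAO.create() so that a rejected request
        # leaves no invitation record behind (assert_admin() presumably
        # raises for non-admin callers).
        auth.assert_admin()

    inv = InvitesDAO.create(user.id, user.email)
    if send_mail:
        # NOTE(review): 'link-template' is forwarded from the request as
        # given; confirm that the schema or send_invitation() restricts it
        # to trusted link targets.
        send_invitation(user.email, inv.code,
                        data.get('link-template'),
                        greeting=getattr(user, 'fullname', ''))
    return user_to_view(user, inv, send_code=not send_mail)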
Exemplo n.º 7
def _grant_admin(user_id):
    """Give *user_id* the admin role in the admin tenant (aka systenant).

    ``auth.assert_admin()`` runs before the role is added; it presumably
    raises for callers who are not admins.
    """
    auth.assert_admin()
    role_manager = g.client_set.identity_admin.roles
    role_manager.add_user_role(
        user_id, auth.admin_role_id(), auth.default_tenant_id())
Exemplo n.º 8
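def _invite_user(user, data):
    """Create an invitation for *user* and return the user's view.

    By default the invitation code is mailed to ``user.email``. When the
    request sets ``send-invite-mail`` to a false value no mail is sent and
    ``send_code=True`` is passed to ``user_to_view``; that variant requires
    ``auth.assert_admin()``.
    """
    send_mail = data.get('send-invite-mail', True)
    if not send_mail:
        # Authorize before InvitesDAO.create() so that a rejected request
        # leaves no invitation record behind (assert_admin() presumably
        # raises for non-admin callers).
        auth.assert_admin()

    inv = InvitesDAO.create(user.id, user.email)
    if send_mail:
        # NOTE(review): 'link-template' is forwarded from the request as
        # given; confirm that the schema or send_invitation() restricts it
        # to trusted link targets.
        send_invitation(user.email,
                        inv.code,
                        data.get('link-template'),
                        greeting=getattr(user, 'fullname', ''))
    return user_to_view(user, inv, send_code=not send_mail)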
Exemplo n.º 9
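def create_users_ssh_key(user_id):
    """Register the SSH public key from the request for *user_id*.

    A caller acting on another user must pass ``auth.assert_admin()``.
    A ``BadRequest`` from the keypair backend is re-raised as
    ``exc.InvalidRequest``.
    """
    data = parse_request_data(required=_SCHEMA.required)

    if user_id != auth.current_user_id():
        auth.assert_admin()
    fetch_user(user_id, g.is_admin)  # check that user exists and is visible

    # The key is created with the admin client set, so the checks above are
    # the only authorization gates visible on this path.
    mgr = auth.admin_client_set().compute_ext.user_keypairs
    try:
        kp = mgr.create(user_id, data['name'], data['public-key'])
    # 'as' replaces the comma form, which is a syntax error on Python 3.
    except osc_exc.BadRequest as e:
        # NOTE(review): the backend's message text is passed on to the
        # client unchanged; confirm it cannot carry internal details.
        raise exc.InvalidRequest(str(e))
    # NOTE(review): the listing ends here; `kp` is not used in the lines
    # shown.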
Exemplo n.º 10
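def create_users_ssh_key(user_id):
    """Register the SSH public key from the request for *user_id*.

    A caller acting on another user must pass ``auth.assert_admin()``.
    A ``BadRequest`` from the keypair backend is re-raised as
    ``exc.InvalidRequest``.
    """
    data = parse_request_data(required=_SCHEMA.required)

    if user_id != auth.current_user_id():
        auth.assert_admin()
    fetch_user(user_id, g.is_admin)  # check that user exists and is visible

    # The key is created with the admin client set, so the checks above are
    # the only authorization gates visible on this path.
    mgr = auth.admin_client_set().compute_ext.user_keypairs
    try:
        kp = mgr.create(user_id, data['name'], data['public-key'])
    # 'as' replaces the comma form, which is a syntax error on Python 3.
    except osc_exc.BadRequest as e:
        # NOTE(review): the backend's message text is passed on to the
        # client unchanged; confirm it cannot carry internal details.
        raise exc.InvalidRequest(str(e))
    # NOTE(review): the listing ends here; `kp` is not used in the lines
    # shown.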
Exemplo n.º 11
def _revoke_admin(user_id):
    """Take the admin role in the admin tenant (aka systenant) from *user_id*.

    ``auth.assert_admin()`` runs before the role is removed. A ``NotFound``
    from the identity backend is ignored.
    """
    auth.assert_admin()
    try:
        role_manager = g.client_set.identity_admin.roles
        role_manager.remove_user_role(
            user_id, auth.admin_role_id(), auth.default_tenant_id())
    except osc_exc.NotFound:
        # The user did not hold the admin role, so there is nothing to undo.
        pass
Exemplo n.º 12
def _add_user_to_projects(user, projects):
    """Give *user* the member role in each project of *projects*.

    Does nothing for an empty *projects*; otherwise ``auth.assert_admin()``
    runs before any role is added. A ``NotFound`` from the identity backend
    is reported as an invalid 'projects' element.
    """
    if projects:
        auth.assert_admin()
        member_role = member_role_id()
        for tenant in projects:
            try:
                g.client_set.identity_admin.roles.add_user_role(
                    user=user, role=member_role, tenant=tenant)
            except osc_exc.NotFound:
                # Roles already added for earlier projects in the list stay
                # in place when a later project fails.
                raise exc.InvalidElementValue(
                    'projects', 'link object', tenant,
                    'Project does not exist')
Exemplo n.º 13
def _revoke_admin(user_id):
    """Take the admin role in the admin tenant (aka systenant) from *user_id*.

    ``auth.assert_admin()`` runs before the role is removed. A ``NotFound``
    from the identity backend is ignored.
    """
    auth.assert_admin()
    try:
        role_manager = g.client_set.identity_admin.roles
        role_manager.remove_user_role(
            user_id, auth.admin_role_id(), auth.default_tenant_id())
    except osc_exc.NotFound:
        # The user did not hold the admin role, so there is nothing to undo.
        pass
Exemplo n.º 14
def _add_user_to_projects(user, projects):
    """Give *user* the member role in each project of *projects*.

    Does nothing for an empty *projects*; otherwise ``auth.assert_admin()``
    runs before any role is added. A ``NotFound`` from the identity backend
    is reported as an invalid 'projects' element.
    """
    if projects:
        auth.assert_admin()
        member_role = member_role_id()
        for tenant in projects:
            try:
                g.client_set.identity_admin.roles.add_user_role(
                    user=user, role=member_role, tenant=tenant)
            except osc_exc.NotFound:
                # Roles already added for earlier projects in the list stay
                # in place when a later project fails.
                raise exc.InvalidElementValue(
                    'projects', 'link object', tenant,
                    'Project does not exist')
Exemplo n.º 15
def _fetch_image(image_id, to_modify):
    """Load image *image_id* and run the access check for the caller.

    Unknown and deleted images yield 404. An image owned by the default
    tenant needs ``auth.assert_admin()`` only when *to_modify* is true; any
    other image goes through ``auth.assert_admin_or_project_user`` for its
    owner.
    """
    try:
        image = auth.admin_client_set().image.images.get(image_id)
    except osc_exc.NotFound:
        abort(404)

    # NOTE(imelnikov): yes, glance may return False as string
    deleted = image.deleted
    if deleted and deleted != 'False':
        abort(404)

    # NOTE(review): the image is read with the admin client set before the
    # caller is authorized; if a failed check answers differently from the
    # 404 above, callers can tell which image ids exist -- confirm.
    owned_by_default_tenant = image.owner == auth.default_tenant_id()
    if not owned_by_default_tenant:
        auth.assert_admin_or_project_user(image.owner)
    elif to_modify:
        auth.assert_admin()
    return image
Exemplo n.º 16
def send_invite_for_user(user_id):
    """Create an invitation for *user_id* and return the result as JSON.

    Raises ``exc.InvalidRequest`` when invitations are disabled in the
    configuration. The ``disable-user`` option requires
    ``auth.assert_admin()`` and disables the account and clears its
    password before the invitation is created.
    """
    invitations_enabled = g.config('invitations', 'enabled')
    if not invitations_enabled:
        # TODO(imelnikov): consider if this is error 403, not 400
        raise exc.InvalidRequest('Invitations disabled')

    data = parse_request_data(_SEND_INVITE_SCHEMA)
    # NOTE(review): apart from fetch_user()'s visibility check, no check on
    # who the caller is appears here for a plain invitation; confirm that
    # every caller who can see a user may trigger an invitation for them.
    user = fetch_user(user_id, g.is_admin)

    disable_user = data.get('disable-user', False)
    if disable_user:
        auth.assert_admin()
        update_user_data(user, {'enabled': False, 'password': None})

    return make_json_response(_invite_user(user, data))
Exemplo n.º 17
def send_invite_for_user(user_id):
    """Create an invitation for *user_id* and return the result as JSON.

    Raises ``exc.InvalidRequest`` when invitations are disabled in the
    configuration. The ``disable-user`` option requires
    ``auth.assert_admin()`` and disables the account and clears its
    password before the invitation is created.
    """
    invitations_enabled = g.config('invitations', 'enabled')
    if not invitations_enabled:
        # TODO(imelnikov): consider if this is error 403, not 400
        raise exc.InvalidRequest('Invitations disabled')

    data = parse_request_data(_SEND_INVITE_SCHEMA)
    # NOTE(review): apart from fetch_user()'s visibility check, no check on
    # who the caller is appears here for a plain invitation; confirm that
    # every caller who can see a user may trigger an invitation for them.
    user = fetch_user(user_id, g.is_admin)

    disable_user = data.get('disable-user', False)
    if disable_user:
        auth.assert_admin()
        update_user_data(user, {'enabled': False, 'password': None})

    return make_json_response(_invite_user(user, data))
Exemplo n.º 18
def _fetch_image(image_id, to_modify):
    """Load image *image_id* and run the access check for the caller.

    Unknown and deleted images yield 404. An image owned by the default
    tenant needs ``auth.assert_admin()`` only when *to_modify* is true; any
    other image goes through ``auth.assert_admin_or_project_user`` for its
    owner.
    """
    try:
        image = auth.admin_client_set().image.images.get(image_id)
    except osc_exc.NotFound:
        abort(404)

    # NOTE(imelnikov): yes, glance may return False as string
    deleted = image.deleted
    if deleted and deleted != 'False':
        abort(404)

    # NOTE(review): the image is read with the admin client set before the
    # caller is authorized; if a failed check answers differently from the
    # 404 above, callers can tell which image ids exist -- confirm.
    owned_by_default_tenant = image.owner == auth.default_tenant_id()
    if not owned_by_default_tenant:
        auth.assert_admin_or_project_user(image.owner)
    elif to_modify:
        auth.assert_admin()
    return image
Exemplo n.º 19
def remove_project_user(project_id, user_id):
    """Remove every role *user_id* holds in *project_id*; reply 204.

    A caller removing another user must pass ``assert_admin()``. 404 is
    returned when the role lookup raises ``NotFound`` or the user holds no
    role in the project.
    """
    # NOTE(review): presumably get_tenant() also checks that the caller may
    # access this project -- confirm.
    tenant = get_tenant(project_id)
    removes_other_user = user_id != current_user_id()
    if removes_other_user:
        assert_admin()

    try:
        # Roles are listed with the admin client set, not the caller's.
        roles = admin_client_set().identity_admin.users.list_roles(
            user_id, project_id)
    except osc_exc.NotFound:
        abort(404)
    if not roles:
        # The user was not a member of the project.
        abort(404)

    for role in roles:
        try:
            tenant.remove_user(user_id, role.id)
        except osc_exc.NotFound:
            # Already removed by someone else; carry on with the rest.
            continue
    return make_json_response(None, status_code=204)
Exemplo n.º 20
def remove_project_user(project_id, user_id):
    """Remove every role *user_id* holds in *project_id*; reply 204.

    A caller removing another user must pass ``assert_admin()``. 404 is
    returned when the role lookup raises ``NotFound`` or the user holds no
    role in the project.
    """
    # NOTE(review): presumably get_tenant() also checks that the caller may
    # access this project -- confirm.
    tenant = get_tenant(project_id)
    removes_other_user = user_id != current_user_id()
    if removes_other_user:
        assert_admin()

    try:
        # Roles are listed with the admin client set, not the caller's.
        roles = admin_client_set().identity_admin.users.list_roles(
            user_id, project_id)
    except osc_exc.NotFound:
        abort(404)
    if not roles:
        # The user was not a member of the project.
        abort(404)

    for role in roles:
        try:
            tenant.remove_user(user_id, role.id)
        except osc_exc.NotFound:
            # Already removed by someone else; carry on with the rest.
            continue
    return make_json_response(None, status_code=204)
Exemplo n.º 21
def update_user(user_id):
    """Apply the request's changes to *user_id* and return the updated view.

    A request that carries an ``admin`` key must pass
    ``auth.assert_admin()``; a true value then grants the admin role and a
    false value revokes it.
    """
    param = parse_request_data(_SCHEMA.updatable)
    user = fetch_user(user_id, g.is_admin)

    set_audit_resource_id(user_id)
    touches_admin_flag = 'admin' in param
    if touches_admin_flag:
        auth.assert_admin()

    # NOTE(review): for requests without 'admin', no check that the caller
    # is user_id or an admin is visible here; confirm that fetch_user() or
    # update_user_data() enforces it.
    update_user_data(user, param)

    # param is read only after update_user_data(), which receives the same
    # dict. Equality (not identity) is kept on purpose: 1 and 0 compare
    # equal to True and False.
    admin = param.get('admin')
    if admin == True:
        _grant_admin(user_id)
    elif admin == False:
        _revoke_admin(user_id)

    # Re-read the user so the response reflects the changes.
    refreshed = fetch_user(user_id, g.is_admin)
    return make_json_response(user_to_view(refreshed))
Exemplo n.º 22
def update_user(user_id):
    """Apply the request's changes to *user_id* and return the updated view.

    A request that carries an ``admin`` key must pass
    ``auth.assert_admin()``; a true value then grants the admin role and a
    false value revokes it.
    """
    param = parse_request_data(_SCHEMA.updatable)
    user = fetch_user(user_id, g.is_admin)

    set_audit_resource_id(user_id)
    touches_admin_flag = 'admin' in param
    if touches_admin_flag:
        auth.assert_admin()

    # NOTE(review): for requests without 'admin', no check that the caller
    # is user_id or an admin is visible here; confirm that fetch_user() or
    # update_user_data() enforces it.
    update_user_data(user, param)

    # param is read only after update_user_data(), which receives the same
    # dict. Equality (not identity) is kept on purpose: 1 and 0 compare
    # equal to True and False.
    admin = param.get('admin')
    if admin == True:
        _grant_admin(user_id)
    elif admin == False:
        _revoke_admin(user_id)

    # Re-read the user so the response reflects the changes.
    refreshed = fetch_user(user_id, g.is_admin)
    return make_json_response(user_to_view(refreshed))