def add_to_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).put(
base_url=base_url,
user_id=base.getid(user))
def list(self, project=None, domain=None, group=None, default_project=None,
**kwargs):
"""List users.
If project, domain or group are provided, then filter
users with those attributes.
If ``**kwargs`` are provided, then filter users with
attributes matching ``**kwargs``.
.. warning::
The project argument is deprecated, use default_project instead.
If both default_project and project is provided, the default_project
will be used.
"""
if project:
LOG.warning(_LW("The project argument is deprecated, "
"use default_project instead."))
default_project_id = base.getid(default_project) or base.getid(project)
if group:
base_url = '/groups/%s' % base.getid(group)
else:
base_url = None
return super(UserManager, self).list(
base_url=base_url,
domain_id=base.getid(domain),
default_project_id=default_project_id,
**kwargs)
def update(self, user, name=None, domain=None, project=None, password=None,
email=None, description=None, enabled=None,
default_project=None, **kwargs):
"""Update a user.
.. warning::
The project argument is deprecated as of the 1.7.0 release in favor
of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project
will be used.
"""
default_project_id = base.getid(default_project) or base.getid(project)
user_data = base.filter_none(name=name,
domain_id=base.getid(domain),
default_project_id=default_project_id,
password=password,
email=email,
description=description,
enabled=enabled,
**kwargs)
return self._update('/users/%s' % base.getid(user),
{'user': user_data},
'user',
method='PATCH',
log=False)
def update(self, credential, user, type=None, blob=None, project=None,
**kwargs):
"""Update a credential.
:param credential: the credential to be updated on the server
:type credential: str or
:class:`keystoneclient.v3.credentials.Credential`
:param user: the new user to which the credential belongs
:type user: str or :class:`keystoneclient.v3.users.User`
:param str type: the new type of the credential, valid values are:
``ec2``, ``cert`` or ``totp``
:param str blob: the new blob of the credential data
and may be removed in the future release.
:param project: the new project which limits the scope of the
credential, this attribute is mandatory if the
credential type is ec2
:type project: str or :class:`keystoneclient.v3.projects.Project`
:param kwargs: any other attribute provided will be passed to the
server
:returns: the updated credential
:rtype: :class:`keystoneclient.v3.credentials.Credential`
"""
return super(CredentialManager, self).update(
credential_id=base.getid(credential),
user_id=base.getid(user),
type=type,
blob=blob,
project_id=base.getid(project),
**kwargs)
def create(self, trustee_user, trustor_user, role_names=None,
project=None, impersonation=False, expires_at=None):
"""Create a Trust.
:param string trustee_user: user who's authorization is being delegated
:param string trustor_user: user who is capable of consuming the trust
:param string role_names: subset of trustor's roles to be granted
:param string project: project which the trustor is delegating
:param boolean impersonation: enable explicit impersonation
:param datetime.datetime expires_at: expiry time
"""
# Convert role_names list into list-of-dict API format
if role_names:
roles = [{'name': n} for n in role_names]
else:
roles = None
# Convert datetime.datetime expires_at to iso format string
if expires_at:
expires_str = timeutils.isotime(at=expires_at, subsecond=True)
else:
expires_str = None
return super(TrustManager, self).create(
expires_at=expires_str,
impersonation=impersonation,
project_id=base.getid(project),
roles=roles,
trustee_user_id=base.getid(trustee_user),
trustor_user_id=base.getid(trustor_user))
def create(self, name, domain=None, project=None, password=None,
email=None, description=None, enabled=True,
default_project=None, **kwargs):
"""Create a user.
.. warning::
The project argument is deprecated as of the 1.7.0 release in favor
of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project
will be used.
"""
default_project_id = base.getid(default_project) or base.getid(project)
user_data = base.filter_none(name=name,
domain_id=base.getid(domain),
default_project_id=default_project_id,
password=password,
email=email,
description=description,
enabled=enabled,
**kwargs)
return self._post('/users', {'user': user_data}, 'user',
log=not bool(password))
def create(self, user, type, blob=None, data=None, project=None, **kwargs):
return super(CredentialManager, self).create(
user_id=base.getid(user),
type=type,
blob=self._get_data_blob(blob, data),
project_id=base.getid(project),
**kwargs)
def create(self, name, domain, description=None,
enabled=True, parent=None, **kwargs):
"""Create a project.
:param str name: the name of the project.
:param domain: the domain of the project.
:type domain: str or :class:`keystoneclient.v3.domains.Domain`
:param str description: the description of the project.
:param bool enabled: whether the project is enabled.
:param parent: the parent of the project in the hierarchy.
:type parent: str or :class:`keystoneclient.v3.projects.Project`
:param kwargs: any other attribute provided will be passed to the
server.
:returns: the created project returned from server.
:rtype: :class:`keystoneclient.v3.projects.Project`
"""
# NOTE(rodrigods): the API must be backwards compatible, so if an
# application was passing a 'parent_id' before as kwargs, the call
# should not fail. If both 'parent' and 'parent_id' are provided,
# 'parent' will be preferred.
if parent:
kwargs['parent_id'] = base.getid(parent)
return super(ProjectManager, self).create(
domain_id=base.getid(domain),
name=name,
description=description,
enabled=enabled,
**kwargs)
def list_user_role_assignments(self, user=None, organization=None,
application=None, default_organization=False):
"""Lists role assignments for users.
If no arguments are provided, all role assignments in the
system will be listed.
:param user: User to be used as query filter. (optional)
:param organization: Project to be used as query filter.
(optional)
:param application: Application to be used as query
filter. (optional)
:param default_organization: If set to true, the endpoint will filter role assignments
only in the default_project_id and the organization param is ignored. (optional)
"""
query_params = {}
if user:
query_params['user_id'] = base.getid(user)
if organization:
query_params['organization_id'] = base.getid(organization)
if application:
query_params['application_id'] = base.getid(application)
if default_organization:
query_params['default_organization'] = True
base_url = self.base_url + '/users'
return super(RoleAssignmentManager, self).list(base_url=base_url,
**query_params)
def create(self, service, resource_name, default_limit,
description=None, region=None, **kwargs):
"""Create a registered limit.
:param service: a UUID that identifies the service for the limit.
:type service: str
:param resource_name: the name of the resource to limit.
:type resource_name: str
:param default_limit: the default limit for projects to assume.
:type default_limit: int
:param description: a string that describes the limit
:type description: str
:param region: a UUID that identifies the region for the limit.
:type region: str
:returns: a reference of the created registered limit.
:rtype: :class:`keystoneclient.v3.registered_limits.RegisteredLimit`
"""
# NOTE(lbragstad): Keystone's registered limit API supports creation of
# limits in batches. This client accepts a single limit and passes it
# to the identity service as a list of a single item.
limit_data = base.filter_none(
service_id=base.getid(service),
resource_name=resource_name,
default_limit=default_limit,
description=description,
region_id=base.getid(region),
**kwargs
)
body = {self.collection_key: [limit_data]}
resp, body = self.client.post('/registered_limits', body=body)
registered_limit = body[self.collection_key].pop()
return self.resource_class(self, registered_limit)
def create(self, name, domain=None, project=None, password=None,
email=None, description=None, enabled=True,
default_project=None, **kwargs):
"""Create a user.
.. warning::
The project argument is deprecated, use default_project instead.
If both default_project and project is provided, the default_project
will be used.
"""
if project:
LOG.warning("The project argument is deprecated, "
"use default_project instead.")
default_project_id = base.getid(default_project) or base.getid(project)
return super(UserManager, self).create(
name=name,
domain_id=base.getid(domain),
default_project_id=default_project_id,
password=password,
email=email,
description=description,
enabled=enabled,
**kwargs)
def list(self, domain=None, user=None, **kwargs):
"""List projects.
:param domain: the domain of the projects to be filtered on.
:type domain: str or :class:`keystoneclient.v3.domains.Domain`
:param user: filter in projects the specified user has role
assignments on.
:type user: str or :class:`keystoneclient.v3.users.User`
:param kwargs: any other attribute provided will filter projects on.
Project tags filter keyword: ``tags``, ``tags_any``,
``not_tags``, and ``not_tags_any``. tag attribute type
string. Pass in a comma separated string to filter
with multiple tags.
:returns: a list of projects.
:rtype: list of :class:`keystoneclient.v3.projects.Project`
"""
base_url = '/users/%s' % base.getid(user) if user else None
projects = super(ProjectManager, self).list(
base_url=base_url,
domain_id=base.getid(domain),
fallback_to_auth=True,
**kwargs)
for p in projects:
p.tags = self._encode_tags(getattr(p, 'tags', []))
return projects
def remove_from_role(self, role, permission):
self._require_role_and_permission(role, permission)
base_url = self.base_url + '/roles/%s' % base.getid(role)
return super(PermissionManager, self).delete(
base_url=base_url,
permission_id=base.getid(permission))
def add_to_role(self, role, permission):
self._require_role_and_permission(role, permission)
base_url = self.base_url + '/roles/%s' % base.getid(role)
return super(PermissionManager, self).put(
base_url=base_url,
permission_id=base.getid(permission))
def check_in_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).head(
base_url=base_url,
user_id=base.getid(user))
def create(self, name, domain, description=None,
enabled=True, parent=None, **kwargs):
"""Create a project.
:param str name: project name.
:param domain: the project domain.
:type domain: :py:class:`keystoneclient.v3.domains.Domain` or str
:param str description: the project description. (optional)
:param boolean enabled: if the project is enabled. (optional)
:param parent: the project's parent in the hierarchy. (optional)
:type parent: :py:class:`keystoneclient.v3.projects.Project` or str
"""
# NOTE(rodrigods): the API must be backwards compatible, so if an
# application was passing a 'parent_id' before as kwargs, the call
# should not fail. If both 'parent' and 'parent_id' are provided,
# 'parent' will be preferred.
if parent:
kwargs['parent_id'] = base.getid(parent)
return super(ProjectManager, self).create(
domain_id=base.getid(domain),
name=name,
description=description,
enabled=enabled,
**kwargs)
def remove_from_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).delete(
base_url=base_url,
user_id=base.getid(user))
def test_getid(self):
self.assertEqual(base.getid(4), 4)
class TmpObject(object):
id = 4
self.assertEqual(base.getid(TmpObject), 4)
def list(self, project=None, domain=None, group=None, default_project=None,
**kwargs):
"""List users.
If project, domain or group are provided, then filter
users with those attributes.
If ``**kwargs`` are provided, then filter users with
attributes matching ``**kwargs``.
.. warning::
The project argument is deprecated as of the 1.7.0 release in favor
of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project
will be used.
"""
default_project_id = base.getid(default_project) or base.getid(project)
if group:
base_url = '/groups/%s' % base.getid(group)
else:
base_url = None
return super(UserManager, self).list(
base_url=base_url,
domain_id=base.getid(domain),
default_project_id=default_project_id,
**kwargs)
def update(self, user, name=None, domain=None, project=None, password=None,
email=None, description=None, enabled=None,
default_project=None, **kwargs):
"""Update a user.
.. warning::
The project argument is deprecated, use default_project instead.
If both default_project and project is provided, the default_project
will be used.
"""
if project:
LOG.warning(_LW("The project argument is deprecated, "
"use default_project instead."))
default_project_id = base.getid(default_project) or base.getid(project)
user_data = base.filter_none(name=name,
domain_id=base.getid(domain),
default_project_id=default_project_id,
password=password,
email=email,
description=description,
enabled=enabled,
**kwargs)
return self._update('/users/%s' % base.getid(user),
{'user': user_data},
'user',
method='PATCH',
log=False)
def create(self, user, type, blob, project=None, **kwargs):
"""Create a credential.
:param user: the user to which the credential belongs
:type user: str or :class:`keystoneclient.v3.users.User`
:param str type: the type of the credential, valid values are:
``ec2``, ``cert`` or ``totp``
:param str blob: the arbitrary blob of the credential data, to be
parsed according to the type
:param project: the project which limits the scope of the credential,
this attribbute is mandatory if the credential type is
ec2
:type project: str or :class:`keystoneclient.v3.projects.Project`
:param kwargs: any other attribute provided will be passed to the
server
:returns: the created credential
:rtype: :class:`keystoneclient.v3.credentials.Credential`
"""
return super(CredentialManager, self).create(
user_id=base.getid(user),
type=type,
blob=blob,
project_id=base.getid(project),
**kwargs)
def create(self, name, domain=None, project=None, password=None,
email=None, description=None, enabled=True,
default_project=None, **kwargs):
"""Create a user.
.. warning::
The project argument is deprecated, use default_project instead.
If both default_project and project is provided, the default_project
will be used.
"""
if project:
LOG.warning(_LW("The project argument is deprecated, "
"use default_project instead."))
default_project_id = base.getid(default_project) or base.getid(project)
user_data = base.filter_none(name=name,
domain_id=base.getid(domain),
default_project_id=default_project_id,
password=password,
email=email,
description=description,
enabled=enabled,
**kwargs)
return self._create('/users', {'user': user_data}, 'user',
log=not bool(password))
def list(self, trustee_user=None, trustor_user=None, **kwargs):
"""List Trusts."""
trustee_user_id = base.getid(trustee_user)
trustor_user_id = base.getid(trustor_user)
return super(TrustManager, self).list(trustee_user_id=trustee_user_id,
trustor_user_id=trustor_user_id,
**kwargs)
def update_password(self, user, password):
"""Update password."""
params = {"user": {"id": base.getid(user),
"password": password}}
return self._update("/users/%s/OS-KSADM/password" % base.getid(user),
params, "user", log=False)
def create(self, project, service, resource_name, resource_limit,
description=None, region=None, **kwargs):
"""Create a project-specific limit.
:param project: the project to create a limit for.
:type project: str or :class:`keystoneclient.v3.projects.Project`
:param service: the service that owns the resource to limit.
:type service: str or :class:`keystoneclient.v3.services.Service`
:param resource_name: the name of the resource to limit
:type resource_name: str
:param resource_limit: the quantity of the limit
:type resource_limit: int
:param description: a description of the limit
:type description: str
:param region: region the limit applies to
:type region: str or :class:`keystoneclient.v3.regions.Region`
:returns: a reference of the created limit
:rtype: :class:`keystoneclient.v3.limits.Limit`
"""
limit_data = base.filter_none(
project_id=base.getid(project),
service_id=base.getid(service),
resource_name=resource_name,
resource_limit=resource_limit,
description=description,
region_id=base.getid(region),
**kwargs
)
body = {self.collection_key: [limit_data]}
resp, body = self.client.post('/limits', body=body)
limit = body[self.collection_key].pop()
return self.resource_class(self, limit)
def update(self, registered_limit, service=None, resource_name=None,
default_limit=None, description=None, region=None, **kwargs):
"""Update a registered limit.
:param registered_limit:
the UUID or reference of the registered limit to update.
:param registered_limit:
str or :class:`keystoneclient.v3.registered_limits.RegisteredLimit`
:param service: a UUID that identifies the service for the limit.
:type service: str
:param resource_name: the name of the resource to limit.
:type resource_name: str
:param default_limit: the default limit for projects to assume.
:type default_limit: int
:param description: a string that describes the limit
:type description: str
:param region: a UUID that identifies the region for the limit.
:type region: str
:returns: a reference of the updated registered limit.
:rtype: :class:`keystoneclient.v3.registered_limits.RegisteredLimit`
"""
return super(RegisteredLimitManager, self).update(
registered_limit_id=base.getid(registered_limit),
service_id=base.getid(service),
resource_name=resource_name,
default_limit=default_limit,
description=description,
region=region,
**kwargs
)
def update_enabled(self, user, enabled):
"""Update enabled-ness."""
params = {"user": {"id": base.getid(user),
"enabled": enabled}}
self._update("/users/%s/OS-KSADM/enabled" % base.getid(user), params,
"user")
def update(self, credential, user, type=None, blob=None, data=None,
project=None, **kwargs):
"""Update a credential.
:param credential: Credential to update
:type credential: :class:`Credential` or str
:param user: User
:type user: :class:`keystoneclient.v3.users.User` or str
:param str type: credential type, should be either ``ec2`` or ``cert``
:param JSON blob: Credential data
:param JSON data: Deprecated as of the 1.7.0 release in favor of blob
and may be removed in the 2.0.0 release.
:param project: Project
:type project: :class:`keystoneclient.v3.projects.Project` or str
:param kwargs: Extra attributes passed to create.
:raises ValueError: if one of ``blob`` or ``data`` is not specified.
"""
return super(CredentialManager, self).update(
credential_id=base.getid(credential),
user_id=base.getid(user),
type=type,
blob=self._get_data_blob(blob, data),
project_id=base.getid(project),
**kwargs)
def update(self, limit, project=None, service=None, resource_name=None,
resource_limit=None, description=None, **kwargs):
"""Update a project-specific limit.
:param limit: a limit to update
:param project: the project ID of the limit to update
:type project: str or :class:`keystoneclient.v3.projects.Project`
:param resource_limit: the limit of the limit's resource to update
:type: resource_limit: int
:param description: a description of the limit
:type description: str
:returns: a reference of the updated limit.
:rtype: :class:`keystoneclient.v3.limits.Limit`
"""
return super(LimitManager, self).update(
limit_id=base.getid(limit),
project_id=base.getid(project),
service_id=base.getid(service),
resource_name=resource_name,
resource_limit=resource_limit,
description=description,
**kwargs
)
def update(self, credential, user, type=None, data=None, project=None):
return super(CredentialManager, self).update(
credential_id=base.getid(credential),
user_id=base.getid(user),
type=type,
data=data,
project_id=base.getid(project))
def check_in_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).head(base_url=base_url,
user_id=base.getid(user))
def endpoints(self, token):
return self._get("/tokens/%s/endpoints" % base.getid(token), "token")
def delete(self, domain):
return super(DomainManager, self).delete(domain_id=base.getid(domain))
def update(self, entity, blob=None, type=None):
return super(PolicyManager, self).update(policy_id=base.getid(entity),
blob=blob,
type=type)
def update_password(self, user, password):
"""Update password."""
params = {"user": {"id": base.getid(user), "password": password}}
return self._update("/users/%s/OS-KSADM/password" % base.getid(user),
params, "user")
def get(self, user):
return self._get("/users/%s" % base.getid(user), "user")
def list_roles(self, user, tenant=None):
return self.api.roles.roles_for_user(base.getid(user),
base.getid(tenant))
def delete(self, trust):
"""Delete a trust."""
return super(TrustManager, self).delete(trust_id=base.getid(trust))
def add_to_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).put(base_url=base_url,
user_id=base.getid(user))
def get(self, user):
return super(UserManager, self).get(user_id=base.getid(user))
def update(self, role, name=None):
return super(RoleManager, self).update(role_id=base.getid(role),
name=name)
def get(self, role):
return super(RoleManager, self).get(role_id=base.getid(role))
def delete(self, user):
"""Delete a user."""
return self._delete("/users/%s" % base.getid(user))
def remove_from_group(self, user, group):
self._require_user_and_group(user, group)
base_url = '/groups/%s' % base.getid(group)
return super(UserManager, self).delete(base_url=base_url,
user_id=base.getid(user))
def list_roles(self, tenant=None):
return self.manager.list_roles(self.id, base.getid(tenant))
def delete(self, user):
return super(UserManager, self).delete(user_id=base.getid(user))
def update_enabled(self, user, enabled):
"""Update enabled-ness."""
params = {"user": {"id": base.getid(user), "enabled": enabled}}
self._update("/users/%s/OS-KSADM/enabled" % base.getid(user), params,
"user")
def list_users(self, tenant):
""" List users for a tenant. """
return self.api.users.list(base.getid(tenant))
def get(self, policy):
return super(PolicyManager, self).get(policy_id=base.getid(policy))
def add_user(self, user, role):
return self.manager.api.roles.add_user_role(base.getid(user),
base.getid(role), self.id)
def delete(self, policy):
return super(PolicyManager, self).delete(policy_id=base.getid(policy))
def list_users(self, tenant):
"""List users for a tenant."""
return self.user_manager.list(base.getid(tenant))
def get(self, domain):
return super(DomainManager, self).get(domain_id=base.getid(domain))
def add_user(self, tenant, user, role):
"""Add a user to a tenant with the given role."""
return self.role_manager.add_user_role(base.getid(user),
base.getid(role),
base.getid(tenant))
def delete(self, token):
return self._delete("/tokens/%s" % base.getid(token))
def remove_user(self, tenant, user, role):
"""Remove the specified role from the user on the tenant."""
return self.role_manager.remove_user_role(base.getid(user),
base.getid(role),
base.getid(tenant))
def delete(self, tenant):
"""
Delete a tenant.
"""
return self._delete("/tenants/%s" % (base.getid(tenant)))
def remove_user(self, user, role):
return self.manager.role_manager.remove_user_role(base.getid(user),
base.getid(role),
self.id)
def delete(self, role):
return super(RoleManager, self).delete(role_id=base.getid(role))
def get(self, trust):
"""Get a specific trust."""
return super(TrustManager, self).get(trust_id=base.getid(trust))