def __init__(self): backends.load_backends() self.admin_password = None self.admin_username = None self.project_id = None self.project_name = None self.reader_role_id = None self.reader_role_name = 'reader' self.member_role_id = None self.member_role_name = 'member' self.admin_role_id = None self.admin_role_name = None self.region_id = None self.service_name = None self.public_url = None self.internal_url = None self.admin_url = None self.endpoints = {} self.default_domain_id = None self.admin_user_id = None self.immutable_roles = False
def __init__(self): backends.load_backends() self.admin_password = None self.admin_username = None self.project_id = None self.project_name = None self.reader_role_id = None self.reader_role_name = 'reader' self.member_role_id = None self.member_role_name = 'member' self.admin_role_id = None self.admin_role_name = None self.region_id = None self.service_name = None self.public_url = None self.internal_url = None self.admin_url = None self.endpoints = {} self.default_domain_id = None self.admin_user_id = None
def load_backends(self): drivers = backends.load_backends() self.resource_manager = drivers["resource_api"] self.identity_manager = drivers["identity_api"] self.assignment_manager = drivers["assignment_api"] self.catalog_manager = drivers["catalog_api"] self.role_manager = drivers["role_api"]
def setup_backends(load_extra_backends_fn=lambda: {}, startup_application_fn=lambda: None): drivers = backends.load_backends() drivers.update(load_extra_backends_fn()) res = startup_application_fn() drivers.update(dependency.resolve_future_dependencies()) return drivers, res
def load_backends(self): drivers = backends.load_backends() self.resource_manager = drivers['resource_api'] self.identity_manager = drivers['identity_api'] self.assignment_manager = drivers['assignment_api'] self.catalog_manager = drivers['catalog_api'] self.role_manager = drivers['role_api']
def main(): def validate_options(): # NOTE(henry-nash): It would be nice to use the argparse automated # checking for this validation, but the only way I can see doing # that is to make the default (i.e. if no optional parameters # are specified) to purge all mappings - and that sounds too # dangerous as a default. So we use it in a slightly # unconventional way, where all parameters are optional, but you # must specify at least one. if ( CONF.command.all is False and CONF.command.domain_name is None and CONF.command.public_id is None and CONF.command.local_id is None and CONF.command.type is None ): raise ValueError(_("At least one option must be provided")) if CONF.command.all is True and ( CONF.command.domain_name is not None or CONF.command.public_id is not None or CONF.command.local_id is not None or CONF.command.type is not None ): raise ValueError(_("--all option cannot be mixed with " "other options")) def get_domain_id(name): try: return resource_manager.get_domain_by_name(name)["id"] except KeyError: raise ValueError(_("Unknown domain '%(name)s' specified by " "--domain-name") % {"name": name}) validate_options() drivers = backends.load_backends() resource_manager = drivers["resource_api"] mapping_manager = drivers["id_mapping_api"] # Now that we have validated the options, we know that at least one # option has been specified, and if it was the --all option then this # was the only option specified. # # The mapping dict is used to filter which mappings are purged, so # leaving it empty means purge them all mapping = {} if CONF.command.domain_name is not None: mapping["domain_id"] = get_domain_id(CONF.command.domain_name) if CONF.command.public_id is not None: mapping["public_id"] = CONF.command.public_id if CONF.command.local_id is not None: mapping["local_id"] = CONF.command.local_id if CONF.command.type is not None: mapping["type"] = CONF.command.type mapping_manager.purge_mappings(mapping)
def main(): def validate_options(): # NOTE(henry-nash): It would be nice to use the argparse automated # checking for this validation, but the only way I can see doing # that is to make the default (i.e. if no optional parameters # are specified) to purge all mappings - and that sounds too # dangerous as a default. So we use it in a slightly # unconventional way, where all parameters are optional, but you # must specify at least one. if (CONF.command.all is False and CONF.command.domain_name is None and CONF.command.public_id is None and CONF.command.local_id is None and CONF.command.type is None): raise ValueError(_('At least one option must be provided')) if (CONF.command.all is True and (CONF.command.domain_name is not None or CONF.command.public_id is not None or CONF.command.local_id is not None or CONF.command.type is not None)): raise ValueError( _('--all option cannot be mixed with ' 'other options')) def get_domain_id(name): try: return resource_manager.get_domain_by_name(name)['id'] except KeyError: raise ValueError( _("Unknown domain '%(name)s' specified by " "--domain-name") % {'name': name}) validate_options() drivers = backends.load_backends() resource_manager = drivers['resource_api'] mapping_manager = drivers['id_mapping_api'] # Now that we have validated the options, we know that at least one # option has been specified, and if it was the --all option then this # was the only option specified. # # The mapping dict is used to filter which mappings are purged, so # leaving it empty means purge them all mapping = {} if CONF.command.domain_name is not None: mapping['domain_id'] = get_domain_id(CONF.command.domain_name) if CONF.command.public_id is not None: mapping['public_id'] = CONF.command.public_id if CONF.command.local_id is not None: mapping['local_id'] = CONF.command.local_id if CONF.command.type is not None: mapping['type'] = CONF.command.type mapping_manager.purge_mappings(mapping)
def main(): try: token_id = input("Enter token: ") drivers = backends.load_backends() token_provider_api = drivers['token_provider_api'] token = token_provider_api._validate_token(token_id) print("user: %s" % token.user) print("issued-at: %s" % token.issued_at) print("expires-at: %s" % token.expires_at) if token.domain_scoped: print("domain-scoped token") print("domain: %s" % token.domain) elif token.project_scoped: print("project-scoped token") print("project: %s" % token.project) elif token.unscoped: print("un-scoped token") elif token.system_scoped: print("system-scoped token") elif token.oauth_scoped: print("oauth-scoped token") print("token: %s" % token.access_token) elif token.trust_scoped: print("trust-scoped token") print("trust: %s" % token.trust) print("roles: %s" % token.roles) try: token_provider_api.validate_token(token_id) print("token is valid") except Exception as e: print("token is not valid: %s" % e) except Exception as e: print("failed: %s" % e)
def __init__(self): drivers = backends.load_backends() self.credential_provider_api = drivers['credential_provider_api'] self.credential_api = drivers['credential_api']
def load_backends(self): drivers = backends.load_backends() self.resource_manager = drivers['resource_api'] self.domain_config_manager = drivers['domain_config_api']
def setup_backends(load_extra_backends_fn=lambda: {}, startup_application_fn=lambda: None): drivers = backends.load_backends() drivers.update(load_extra_backends_fn()) res = startup_application_fn() return drivers, res
def main(): keystone.conf.configure() backends.load_backends() return upgradecheck.main(CONF, 'keystone', Checks())
def load_backends(cls): drivers = backends.load_backends() cls.identity_api = drivers['identity_api'] cls.resource_api = drivers['resource_api']
def main(): # caches domain_cache = {} project_cache = {} user_cache = {} group_cache = {} def get_domain(id): result = None if id not in domain_cache: domain = resource_manager.get_domain(id) if domain: result = domain_cache[id] = domain['name'] else: result = domain_cache[id] return result def get_project(id): result = None if id not in project_cache: project = resource_manager.get_project(id) if project: result = project_cache[id] = project['name'] else: result = project_cache[id] return result def get_user(id): result = None if id not in user_cache: user = identity_api.get_user(id) if user: result = user_cache[id] = user['name'] else: result = user_cache[id] return result def get_group(id): result = None if id not in group_cache: group = identity_api.get_group(id) if group: result = group_cache[id] = group['name'] else: result = group_cache[id] return result drivers = backends.load_backends() identity_api = drivers['identity_api'] resource_manager = drivers['resource_api'] assignment_manager = drivers['assignment_api'] LOG.info("repairing orphaned role-assignments...") # load all users & groups once, so their id's are in the mapping table domains = resource_manager.list_domains(driver_hints.Hints()) for domain in domains: identity_api.list_users(domain_scope=domain['id']) identity_api.list_groups(domain_scope=domain['id']) assignments = assignment_manager.list_role_assignments() for assignment in assignments: try: if 'project_id' in assignment: get_project(assignment['project_id']) elif 'domain_id' in assignment: get_domain(assignment['domain_id']) if 'user_id' in assignment: get_user(assignment['user_id']) if 'group_id' in assignment: get_group(assignment['group_id']) except exception.UserNotFound as e: if CONF.command.dry_run: LOG.warning( "%s -> found orphaned role-assignments for user %s (%s)" % (e.message, assignment['user_id'], assignment)) else: LOG.warning( "%s -> deleting role-assignments for user %s (%s)" % (e.message, assignment['user_id'], assignment)) assignment_manager.driver.delete_user_assignments( assignment['user_id']) except exception.GroupNotFound as e: if CONF.command.dry_run: LOG.warning( "%s -> found orphaned role-assignments for group %s (%s)" % (e.message, assignment['group_id'], assignment)) else: LOG.warning( "%s -> deleting role-assignments for group %s (%s)" % (e.message, assignment['group_id'], assignment)) assignment_manager.driver.delete_group_assignments( assignment['group_id']) except exception.DomainNotFound as e: if CONF.command.dry_run: LOG.warning( "%s -> found orphaned role-assignments for domain %s (%s)" % (e.message, assignment['domain_id'], assignment)) else: LOG.warning( "%s -> deleting role-assignments for domain %s (%s)" % (e.message, assignment['domain_id'], assignment)) assignment_manager.driver.delete_domain_assignments( assignment['domain_id']) except exception.ProjectNotFound as e: if CONF.command.dry_run: LOG.warning( "%s -> found orphaned role-assignments for project %s (%s)" % (e.message, assignment['project_id'], assignment)) else: LOG.warning( "%s -> deleting role-assignments for project %s (%s)" % (e.message, assignment['project_id'], assignment)) assignment_manager.driver.delete_project_assignments( assignment['project_id']) except Exception as e: LOG.error("%s %s" % (e, assignment)) LOG.info("repairing orphaned role-assignments done.")
def main(): # caches user_cache = {} domain_cache = {} def get_user(id): result = None if id not in user_cache: user = identity_api.get_user(id) if user: result = user_cache[id] = user else: result = user_cache[id] return result def get_domain(id): result = None if id not in domain_cache: domain = resource_manager.get_domain(id) if domain: result = domain_cache[id] = domain['name'] else: result = domain_cache[id] return result def delete_mapping(entry): LOG.info("Deleting mapping %s in domain %s" % (entry['local_id'], get_domain(entry['domain_id']))) if not CONF.command.dry_run: mapping_manager.purge_mappings(entry) drivers = backends.load_backends() identity_api = drivers['identity_api'] resource_manager = drivers['resource_api'] mapping_manager = drivers['id_mapping_api'] assignment_manager = drivers['assignment_api'] # load all users once, so their id's are in the mapping table domains = resource_manager.list_domains(driver_hints.Hints()) for domain in domains: identity_api.list_users(domain_scope=domain['id']) # load all id-mappings mappings = [] with sql.session_for_read() as session: query = session.query(IDMapping).filter_by(entity_type='user') for entry in query: mappings.append(entry.to_dict()) for entry in mappings: try: user = get_user(entry['public_id']) domain = get_domain(user['domain_id']) if domain not in ['cc3test', 'Default']: if entry['local_id'] != user['name'].strip().upper(): roles = assignment_manager.list_role_assignments( user_id=entry['public_id']) if len(roles) > 0: LOG.error("User %s@%s (%s) has roles: %s" % (entry['local_id'], get_domain(entry['domain_id']), entry['public_id'], roles)) else: delete_mapping(entry) elif not re.match(CID_REGEX, user['name']): if not re.match(T_REGEX, user['name']): LOG.error("Invalid username %s@%s" % (entry['local_id'], get_domain(entry['domain_id']))) except exception.UserNotFound: roles = assignment_manager.list_role_assignments( user_id=entry['public_id']) if len(roles) > 0: LOG.error( "User %s@%s (%s) has roles: %s" % (entry['local_id'], get_domain( entry['domain_id']), entry['public_id'], roles)) else: delete_mapping(entry)