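def create_user(self, name, email, password=None, enabled=True):
    """
    ADMIN ONLY. Creates a new user for this tenant (account).

    The username and email address must be supplied. You may optionally
    supply the password; if not, the API server generates one and returns
    it in the 'password' attribute of the resulting User object.

    NOTE: this is the ONLY time the password is returned; after the initial
    user creation there is NO WAY to retrieve it, so treat the returned
    object as a secret (do not log or persist it wholesale).

    NOTE: an empty-string password is treated the same as None (not
    supplied), so the server will generate one in that case.

    Pass enabled=False to create the user in a disabled state.

    Returns a User on HTTP 201. Raises AuthorizationFailure on 401/403/404,
    DuplicateUser on 409, and InvalidEmail or BadRequest on 400. Any other
    status code falls through and returns None (unchanged from the
    original behavior).
    """
    # NOTE(review): the original comment claimed the service expects 'name'
    # rather than the documented 'username', yet the payload sends
    # 'username'. Confirm against the live API before touching this key.
    data = {"user": {
            "username": name,
            "email": email,
            "enabled": enabled,
            }}
    if password:
        # The password travels in the request body; make sure the transport
        # layer is not logging request payloads.
        data["user"]["OS-KSADM:password"] = password
    resp, resp_body = self.method_post("users", data=data, admin=True)
    status = resp.status_code
    if status == 201:
        # Some responses wrap the record in a "user" key, some do not.
        return User(self, resp_body.get("user", resp_body))
    elif status in (401, 403, 404):
        raise exc.AuthorizationFailure("You are not authorized to create "
                "users.")
    elif status == 409:
        raise exc.DuplicateUser("User '%s' already exists." % name)
    elif status == 400:
        # Guard the lookup: a 400 whose body lacks the expected
        # {"badRequest": {"message": ...}} shape previously surfaced as a
        # KeyError instead of a meaningful BadRequest.
        message = (resp_body or {}).get("badRequest", {}).get(
                "message", str(resp_body))
        if "Expecting valid email address" in message:
            raise exc.InvalidEmail("%s is not valid" % email)
        else:
            raise exc.BadRequest(message)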
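def list_users(self):
    """
    ADMIN ONLY. Returns a list of User objects for all users of the tenant
    (account); the service only honors this for callers holding the admin
    role (identity:user-admin).

    Raises AuthorizationFailure on 401, 403 or 404.

    Any key containing 'password' (case-insensitive) is stripped from each
    user record before it is wrapped, so password material never ends up
    in the returned objects.
    """
    # Fix: every other call in this class unpacks (resp, resp_body) from
    # method_get; the original bound the whole tuple to `resp` and then
    # read `resp.status_code` / `resp.json()` from it.
    resp, resp_body = self.method_get("users", admin=True)
    if resp.status_code in (401, 403, 404):
        raise exc.AuthorizationFailure("You are not authorized to list "
                "users.")
    # The API is inconsistent; with a single user it returns a bare user
    # dict instead of {"users": [...]}.
    if "users" in resp_body:
        users = resp_body["users"]
    else:
        users = [resp_body]
    # Defensive scrub: drop any password-bearing field (e.g.
    # "OS-KSADM:password"). Collect keys first so popping is safe.
    for user in users:
        for bad_key in [key for key in user if "password" in key.lower()]:
            user.pop(bad_key)
    return [User(self, user) for user in users]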
def get_token_endpoints(self):
    """
    ADMIN ONLY. Returns the list of service endpoints associated with the
    current auth token (self.token), or None if the response carries no
    'access'/'endpoints' entry.

    Raises AuthorizationFailure when the service answers 401, 403 or 404.
    The token itself is placed in the request path here, so it may appear
    in proxy or access logs along the way.
    """
    uri = "tokens/%s/endpoints" % self.token
    resp, body = self.method_get(uri, admin=True)
    denied = resp.status_code in (401, 403, 404)
    if denied:
        raise exc.AuthorizationFailure("You are not authorized to list "
                "token endpoints.")
    access = body.get("access", {})
    return access.get("endpoints")
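def revoke_token(self, token):
    """
    ADMIN ONLY. Deletes (revokes) the given token. Returns True if the
    service answered with a 2xx status, False otherwise (including 404
    for an unknown or already-revoked token).

    Raises AuthorizationFailure on 401 or 403.
    """
    # The token is a caller-supplied value that becomes a path segment;
    # percent-encode it so characters such as '/' or '?' cannot alter the
    # request path. A plain hex/UUID-style token is unchanged by this.
    from urllib.parse import quote
    uri = "tokens/%s" % quote(token, safe="")
    resp, _ = self.method_delete(uri, admin=True)
    if resp.status_code in (401, 403):
        raise exc.AuthorizationFailure("You must be an admin to make this "
                "call.")
    return 200 <= resp.status_code < 300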
def list_tokens(self):
    """
    ADMIN ONLY. Looks up the current auth token (self.token) and returns
    the 'access' section of the response (token, endpoints, user info and
    role metadata), or None if that key is absent.

    Raises AuthorizationFailure on 401 or 403. Despite the name, this does
    not enumerate tokens; it queries the single token in self.token.
    """
    resp, body = self.method_get("tokens/%s" % self.token, admin=True)
    code = resp.status_code
    if code == 401 or code == 403:
        raise exc.AuthorizationFailure("You must be an admin to make this "
                "call.")
    return body.get("access")
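def check_token(self, token=None):
    """
    ADMIN ONLY. Returns True if the given token (default: self.token) is
    accepted by the identity service (2xx on a HEAD request), False
    otherwise.

    Raises AuthorizationFailure on 401 or 403.
    """
    if token is None:
        token = self.token
    # A caller-supplied token becomes a path segment; percent-encode it so
    # characters such as '/' or '?' cannot alter the request path. A plain
    # hex/UUID-style token is unchanged by this.
    from urllib.parse import quote
    uri = "tokens/%s" % quote(token, safe="")
    resp, _ = self.method_head(uri, admin=True)
    if resp.status_code in (401, 403):
        raise exc.AuthorizationFailure("You must be an admin to make this "
                "call.")
    return 200 <= resp.status_code < 300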
def _list_tenants(self, admin):
    """
    Returns a list of Tenant objects: all tenants when admin is True, or
    the tenant of the currently-authenticated user when admin is False.
    An absent 'tenants' key yields an empty list.

    Raises AuthorizationFailure on 401 or 403, and TenantNotFound for any
    other non-2xx status.
    """
    resp, body = self.method_get("tenants", admin=admin)
    code = resp.status_code
    if code in (401, 403):
        raise exc.AuthorizationFailure("You are not authorized to list "
                "tenants.")
    if not (200 <= code < 300):
        raise exc.TenantNotFound("Could not get a list of tenants.")
    return [Tenant(self, item) for item in body.get("tenants", [])]
def list_roles_for_user(self, user):
    """
    ADMIN ONLY. Returns the 'roles' entry of the identity service's
    response for the given user (a User object or a user ID, resolved via
    utils.get_id), or None if the response has no such key.

    Raises AuthorizationFailure on 401 or 403. Other non-success codes
    (e.g. 404) are not checked; whatever the body holds is returned.
    NOTE(review): unlike the other ADMIN ONLY calls here, this request is
    not issued with admin=True -- confirm that is intended.
    """
    uri = "users/%s/roles" % utils.get_id(user)
    resp, body = self.method_get(uri)
    if resp.status_code in (401, 403):
        raise exc.AuthorizationFailure("You are not authorized to list "
                "user roles.")
    return body.get("roles")
def delete_user(self, user):
    """
    ADMIN ONLY. Permanently removes the given user (a User object or a
    user ID, resolved via utils.get_id). There is no undo, so be certain
    the specified user is the one you intend to delete.

    Raises UserNotFound on 404 and AuthorizationFailure on 401 or 403.
    Returns None; any other status code is not checked.
    """
    uri = "users/%s" % utils.get_id(user)
    resp, _ = self.method_delete(uri)
    code = resp.status_code
    if code == 404:
        raise exc.UserNotFound("User '%s' does not exist." % user)
    if code in (401, 403):
        raise exc.AuthorizationFailure("You are not authorized to delete "
                "users.")
def update_user(self, user, email=None, username=None, uid=None,
        enabled=None):
    """
    ADMIN ONLY. Updates the given user's email, username and/or enabled
    flag with whichever of those values are not None, and returns a User
    built from the response body.

    NOTE: 'uid' is accepted for interface compatibility but is not sent to
    the service; the user is addressed solely by utils.get_id(user).
    Raises AuthorizationFailure on 401, 403 or 404.
    """
    user_id = utils.get_id(user)
    changes = {"id": user_id}
    for key, value in (("email", email), ("username", username),
            ("enabled", enabled)):
        if value is not None:
            changes[key] = value
    uri = "users/%s" % user_id
    resp, body = self.method_put(uri, data={"user": changes})
    if resp.status_code in (401, 403, 404):
        raise exc.AuthorizationFailure("You are not authorized to update "
                "users.")
    return User(self, body)