From b76c3af1f671e19b5b11b49e8622931621a649f0 Mon Sep 17 00:00:00 2001 From: adriant Date: Tue, 16 Feb 2016 10:57:42 +1300 Subject: [PATCH] Renamed role project_owner to project_admin * This change brings the role name in line with the upstream (unapproved) spec: https://review.openstack.org/#/c/245629/5/specs/common-default-policy.rst * Renamed mod_or_owner decorator to mod_or_admin * Debian package version bumped to 0.1.1a4 Change-Id: I312c2a6baec22959f83ab1e09370de868076730b --- conf/conf.yaml | 8 ++++---- debian/changelog | 6 ++++++ setup.py | 2 +- stacktask/actions/models.py | 2 +- stacktask/actions/tests.py | 7 +++---- stacktask/api/utils.py | 6 +++--- stacktask/api/v1/openstack.py | 14 +++++++------- stacktask/api/v1/tasks.py | 12 ++++++------ stacktask/api/v1/tests/__init__.py | 2 +- stacktask/api/v1/tests/test_api_admin.py | 16 ++++++++-------- stacktask/api/v1/tests/test_api_openstack.py | 4 ++-- stacktask/api/v1/tests/test_api_taskview.py | 14 +++++++------- stacktask/api/v1/views.py | 8 ++++---- stacktask/test_settings.py | 6 +++--- 14 files changed, 56 insertions(+), 51 deletions(-) diff --git a/conf/conf.yaml b/conf/conf.yaml index 3be27cc..9e41adb 100644 --- a/conf/conf.yaml +++ b/conf/conf.yaml @@ -188,7 +188,7 @@ TASK_SETTINGS: ACTION_SETTINGS: NewUser: allowed_roles: - - project_owner + - project_admin - project_mod - heat_stack_owner - _member_ @@ -209,12 +209,12 @@ ACTION_SETTINGS: # mapping between roles and managable roles ROLES_MAPPING: admin: - - project_owner + - project_admin - project_mod - heat_stack_owner - _member_ - project_owner: - - project_owner + project_admin: + - project_admin - project_mod - heat_stack_owner - _member_ diff --git a/debian/changelog b/debian/changelog index 13eac31..9c09a56 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +python-stacktask (0.1.1a4) unstable; urgency=medium + + * Release with latest patches and project_admin. + + -- Dale Smith Thu, 18 Feb 2016 12:09:57 +0000 + python-stacktask (0.1.1a3) unstable; urgency=medium * Initial release. diff --git a/setup.py b/setup.py index 86af9af..a844779 100644 --- a/setup.py +++ b/setup.py @@ -6,7 +6,7 @@ with open('requirements.txt') as f: setup( name='stacktask', - version='0.1.1a3', + version='0.1.1a4', description='A user task service for openstack.', long_description=( 'A task service to sit alongside keystone and ' + diff --git a/stacktask/actions/models.py b/stacktask/actions/models.py index c9a5283..6a9ded4 100644 --- a/stacktask/actions/models.py +++ b/stacktask/actions/models.py @@ -394,7 +394,7 @@ class NewProject(UserNameAction): # NOTE(adriant): move these to a config somewhere? default_roles = { - "project_owner", "project_mod", "_member_", "heat_stack_owner" + "project_admin", "project_mod", "_member_", "heat_stack_owner" } def _validate(self): diff --git a/stacktask/actions/tests.py b/stacktask/actions/tests.py index 85b3f1e..0914b5f 100644 --- a/stacktask/actions/tests.py +++ b/stacktask/actions/tests.py @@ -232,14 +232,13 @@ class ActionTests(TestCase): token_data = {'password': '123456'} action.submit(token_data) self.assertEquals(action.valid, True) - print tests.temp_cache['users'] self.assertEquals( tests.temp_cache['users']["user_id_1"].email, 'test@example.com') project = tests.temp_cache['projects']['test_project'] self.assertEquals( sorted(project.roles["user_id_1"]), - sorted(['_member_', 'project_owner', + sorted(['_member_', 'project_admin', 'project_mod', 'heat_stack_owner'])) @mock.patch('stacktask.actions.models.user_store.IdentityManager', @@ -291,7 +290,7 @@ class ActionTests(TestCase): project = tests.temp_cache['projects']['test_project'] self.assertEquals( sorted(project.roles["user_id_1"]), - sorted(['_member_', 'project_owner', + sorted(['_member_', 'project_admin', 'project_mod', 'heat_stack_owner'])) @mock.patch('stacktask.actions.models.user_store.IdentityManager', @@ -340,7 +339,7 @@ class ActionTests(TestCase): project = tests.temp_cache['projects']['test_project'] self.assertEquals( sorted(project.roles[user.id]), - sorted(['_member_', 'project_owner', + sorted(['_member_', 'project_admin', 'project_mod', 'heat_stack_owner'])) @mock.patch('stacktask.actions.models.user_store.IdentityManager', diff --git a/stacktask/api/utils.py b/stacktask/api/utils.py index 53c86e7..620be4b 100644 --- a/stacktask/api/utils.py +++ b/stacktask/api/utils.py @@ -37,13 +37,13 @@ def require_roles(roles, func, *args, **kwargs): @decorator -def mod_or_owner(func, *args, **kwargs): +def mod_or_admin(func, *args, **kwargs): """ - Require project mod or owner. + Require project_mod or project_admin. Admin is allowed everything, so is also included. """ return require_roles( - {'project_owner', 'project_mod', 'admin'}, func, *args, **kwargs) + {'project_admin', 'project_mod', 'admin'}, func, *args, **kwargs) @decorator diff --git a/stacktask/api/v1/openstack.py b/stacktask/api/v1/openstack.py index 9052a25..0262578 100644 --- a/stacktask/api/v1/openstack.py +++ b/stacktask/api/v1/openstack.py @@ -25,7 +25,7 @@ from stacktask.api.v1 import tasks class UserList(tasks.InviteUser): - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request): """Get a list of all users who have been added to a project""" class_conf = settings.TASK_SETTINGS.get('edit_user', {}) @@ -99,7 +99,7 @@ class UserList(tasks.InviteUser): class UserDetail(tasks.TaskView): task_type = 'edit_user' - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request, user_id): """ Get user info based on the user id. @@ -128,7 +128,7 @@ class UserDetail(tasks.TaskView): "email": getattr(user, 'email', ''), 'roles': roles}) - @utils.mod_or_owner + @utils.mod_or_admin def delete(self, request, user_id): """ Remove this user from the project. @@ -163,7 +163,7 @@ class UserRoles(tasks.TaskView): default_action = 'EditUserRoles' task_type = 'edit_roles' - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request, user_id): """ Get user info based on the user id. @@ -177,7 +177,7 @@ class UserRoles(tasks.TaskView): roles.append(role.to_dict()) return Response({"roles": roles}) - @utils.mod_or_owner + @utils.mod_or_admin def put(self, request, user_id, format=None): """ Add user roles to the current project. @@ -201,7 +201,7 @@ class UserRoles(tasks.TaskView): % timezone.now()) return self.approve(task) - @utils.mod_or_owner + @utils.mod_or_admin def delete(self, request, user_id, format=None): """ Revoke user roles to the current project. @@ -230,7 +230,7 @@ class UserRoles(tasks.TaskView): class RoleList(tasks.TaskView): task_type = 'edit_roles' - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request): """Returns a list of roles that may be managed for this project""" diff --git a/stacktask/api/v1/tasks.py b/stacktask/api/v1/tasks.py index 5762080..b9e1a2b 100644 --- a/stacktask/api/v1/tasks.py +++ b/stacktask/api/v1/tasks.py @@ -346,17 +346,17 @@ class InviteUser(TaskView): default_action = 'NewUser' - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request): return super(InviteUser, self).get(request) - @utils.mod_or_owner + @utils.mod_or_admin def post(self, request, format=None): """ Invites a user to the current tenant. This endpoint requires either Admin access or the - request to come from a project_owner|project_mod. + request to come from a project_admin|project_mod. As such this Task is considered pre-approved. """ self.logger.info("(%s) - New AttachUser request." % timezone.now()) @@ -434,7 +434,7 @@ class EditUser(TaskView): default_action = 'EditUser' - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request): class_conf = settings.TASK_SETTINGS.get(self.task_type, {}) @@ -475,11 +475,11 @@ class EditUser(TaskView): 'required_fields': required_fields, 'users': user_list}) - @utils.mod_or_owner + @utils.mod_or_admin def post(self, request, format=None): """ This endpoint requires either mod access or the - request to come from a project_owner. + request to come from a project_admin. As such this Task is considered pre-approved. Runs process_actions, then does the approve step and post_approve validation, and creates a Token if valid. diff --git a/stacktask/api/v1/tests/__init__.py b/stacktask/api/v1/tests/__init__.py index 23d931a..9814606 100644 --- a/stacktask/api/v1/tests/__init__.py +++ b/stacktask/api/v1/tests/__init__.py @@ -36,7 +36,7 @@ def setup_temp_cache(projects, users): 'roles': { '_member_': '_member_', 'admin': 'admin', - 'project_owner': 'project_owner', + 'project_admin': 'project_admin', 'project_mod': 'project_mod', 'heat_stack_owner': 'heat_stack_owner' } diff --git a/stacktask/api/v1/tests/test_api_admin.py b/stacktask/api/v1/tests/test_api_admin.py index c33bf8e..00d87c0 100644 --- a/stacktask/api/v1/tests/test_api_admin.py +++ b/stacktask/api/v1/tests/test_api_admin.py @@ -490,7 +490,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -666,7 +666,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -712,7 +712,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -746,7 +746,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -793,7 +793,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -872,7 +872,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "owner@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -885,7 +885,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id_2", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -920,7 +920,7 @@ class AdminAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True diff --git a/stacktask/api/v1/tests/test_api_openstack.py b/stacktask/api/v1/tests/test_api_openstack.py index 43bd68a..5f2d781 100644 --- a/stacktask/api/v1/tests/test_api_openstack.py +++ b/stacktask/api/v1/tests/test_api_openstack.py @@ -47,7 +47,7 @@ class OpenstackAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -80,7 +80,7 @@ class OpenstackAPITests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True diff --git a/stacktask/api/v1/tests/test_api_taskview.py b/stacktask/api/v1/tests/test_api_taskview.py index 881fe26..3e28ff0 100644 --- a/stacktask/api/v1/tests/test_api_taskview.py +++ b/stacktask/api/v1/tests/test_api_taskview.py @@ -47,7 +47,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -76,7 +76,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -151,7 +151,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -192,7 +192,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -262,7 +262,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -308,7 +308,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True @@ -503,7 +503,7 @@ class TaskViewTests(APITestCase): headers = { 'project_name': "test_project", 'project_id': "test_project_id", - 'roles': "project_owner,_member_,project_mod", + 'roles': "project_admin,_member_,project_mod", 'username': "test@example.com", 'user_id': "test_user_id", 'authenticated': True diff --git a/stacktask/api/v1/views.py b/stacktask/api/v1/views.py index e1ba896..0288c4f 100644 --- a/stacktask/api/v1/views.py +++ b/stacktask/api/v1/views.py @@ -189,7 +189,7 @@ class TaskList(APIViewWithLogger): class TaskDetail(APIViewWithLogger): - @utils.mod_or_owner + @utils.mod_or_admin def get(self, request, uuid, format=None): """ Dict representation of a Task object @@ -442,12 +442,12 @@ class TaskDetail(APIViewWithLogger): return Response({'approved': ["this field is required."]}, status=400) - @utils.mod_or_owner + @utils.mod_or_admin def delete(self, request, uuid, format=None): """ Cancel the Task. - Project Owners and Project Mods can only cancel tasks + Project Admins and Project Mods can only cancel tasks associated with their project. """ try: @@ -501,7 +501,7 @@ class TokenList(APIViewWithLogger): token_list.append(token.to_dict()) return Response({"tokens": token_list}) - @utils.mod_or_owner + @utils.mod_or_admin def post(self, request, format=None): """ Reissue a token for an approved task. diff --git a/stacktask/test_settings.py b/stacktask/test_settings.py index 65f125a..62ee0a5 100644 --- a/stacktask/test_settings.py +++ b/stacktask/test_settings.py @@ -151,7 +151,7 @@ TASK_SETTINGS = { ACTION_SETTINGS = { 'NewUser': { - 'allowed_roles': ['project_mod', 'project_owner', "_member_"] + 'allowed_roles': ['project_mod', 'project_admin', "_member_"] }, 'ResetUser': { 'blacklisted_roles': ['admin'] @@ -170,9 +170,9 @@ ACTION_SETTINGS = { ROLES_MAPPING = { 'admin': [ - 'project_owner', 'project_mod', '_member_', 'heat_stack_owner' + 'project_admin', 'project_mod', '_member_', 'heat_stack_owner' ], - 'project_owner': [ + 'project_admin': [ 'project_mod', '_member_', 'heat_stack_owner' ], 'project_mod': [