openstack/horizon
Code Issues Proposed changes

Domain Role assignment to Users

Browse Source 
Added Domain User step in the Domain Update workflow for managing
domain-role assignment to User.
Change-Id: I629449c635319e3a4292a4e2be35c5d9fc8a7cf9
Implements: blueprint user-domain-role-assignment
This commit is contained in:
lin-hua-cheng 2014-07-27 12:19:17 -07:00
parent a9fcc934b8
commit 7a7a1d1c61
8 changed files with 404 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
openstack_dashboard/api/keystone.py
View File

@ -17,6 +17,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import collections
import logging import logging
from django.conf import settings from django.conf import settings
@ -495,23 +496,49 @@ def role_list(request):
return keystoneclient(request, admin=True).roles.list() return keystoneclient(request, admin=True).roles.list()
def roles_for_user(request, user, project): def roles_for_user(request, user, project=None, domain=None):
"""Returns a list of user roles scoped to a project or domain."""
manager = keystoneclient(request, admin=True).roles manager = keystoneclient(request, admin=True).roles
if VERSIONS.active < 3: if VERSIONS.active < 3:
return manager.roles_for_user(user, project) return manager.roles_for_user(user, project)
else: else:
return manager.list(user=user, project=project) return manager.list(user=user, domain=domain, project=project)
def get_domain_users_roles(request, domain):
users_roles = collections.defaultdict(list)
domain_role_assignments = role_assignments_list(request,
domain=domain)
for role_assignment in domain_role_assignments:
if not hasattr(role_assignment, 'user'):
continue
user_id = role_assignment.user['id']
role_id = role_assignment.role['id']
users_roles[user_id].append(role_id)
return users_roles
def add_domain_user_role(request, user, role, domain):
"""Adds a role for a user on a domain."""
manager = keystoneclient(request, admin=True).roles
return manager.grant(role, user=user, domain=domain)
def remove_domain_user_role(request, user, role, domain=None):
"""Removes a given single role for a user from a domain."""
manager = keystoneclient(request, admin=True).roles
return manager.revoke(role, user=user, domain=domain)
def get_project_users_roles(request, project): def get_project_users_roles(request, project):
users_roles = {} users_roles = collections.defaultdict(list)
if VERSIONS.active < 3: if VERSIONS.active < 3:
project_users = user_list(request, project=project) project_users = user_list(request, project=project)
for user in project_users: for user in project_users:
roles = roles_for_user(request, user.id, project) roles = roles_for_user(request, user.id, project)
roles_ids = [role.id for role in roles] roles_ids = [role.id for role in roles]
users_roles[user.id] = roles_ids users_roles[user.id].extend(roles_ids)
else: else:
project_role_assignments = role_assignments_list(request, project_role_assignments = role_assignments_list(request,
project=project) project=project)
@ -520,10 +547,7 @@ def get_project_users_roles(request, project):
continue continue
user_id = role_assignment.user['id'] user_id = role_assignment.user['id']
role_id = role_assignment.role['id'] role_id = role_assignment.role['id']
if user_id in users_roles: users_roles[user_id].append(role_id)
users_roles[user_id].append(role_id)
else:
users_roles[user_id] = [role_id]
return users_roles return users_roles

1
openstack_dashboard/dashboards/identity/domains/constants.py
View File

@ -20,3 +20,4 @@ DOMAINS_INDEX_VIEW_TEMPLATE = 'identity/domains/index.html'
DOMAINS_CREATE_URL = 'horizon:identity:domains:create' DOMAINS_CREATE_URL = 'horizon:identity:domains:create'
DOMAINS_UPDATE_URL = 'horizon:identity:domains:update' DOMAINS_UPDATE_URL = 'horizon:identity:domains:update'
DOMAIN_GROUP_MEMBER_SLUG = "update_group_members" DOMAIN_GROUP_MEMBER_SLUG = "update_group_members"
DOMAIN_USER_MEMBER_SLUG = "update_user_members"

20
openstack_dashboard/dashboards/identity/domains/tables.py
View File

@ -32,6 +32,22 @@ from openstack_dashboard.dashboards.identity.domains import constants
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
class ViewUsersLink(tables.LinkAction):
name = "users"
verbose_name = _("Modify Users")
url = "horizon:identity:domains:update"
classes = ("ajax-modal",)
policy_rules = (("identity", "identity:list_users"),
("identity", "identity:list_roles"),
("identity", "identity:list_role_assignments"))
def get_link_url(self, domain):
step = 'update_user_members'
base_url = reverse(self.url, args=[domain.id])
param = urlencode({"step": step})
return "?".join([base_url, param])
class ViewGroupsLink(tables.LinkAction): class ViewGroupsLink(tables.LinkAction):
name = "groups" name = "groups"
verbose_name = _("Modify Groups") verbose_name = _("Modify Groups")
@ -173,7 +189,7 @@ class DomainsTable(tables.DataTable):
class Meta: class Meta:
name = "domains" name = "domains"
verbose_name = _("Domains") verbose_name = _("Domains")
row_actions = (SetDomainContext, ViewGroupsLink, EditDomainLink, row_actions = (SetDomainContext, ViewUsersLink, ViewGroupsLink,
DeleteDomainsAction) EditDomainLink, DeleteDomainsAction)
table_actions = (DomainFilterAction, CreateDomainLink, table_actions = (DomainFilterAction, CreateDomainLink,
DeleteDomainsAction, UnsetDomainContext) DeleteDomainsAction, UnsetDomainContext)

94
openstack_dashboard/dashboards/identity/domains/tests.py
View File

@ -31,6 +31,7 @@ from openstack_dashboard.dashboards.identity.domains import workflows
DOMAINS_INDEX_URL = reverse(constants.DOMAINS_INDEX_URL) DOMAINS_INDEX_URL = reverse(constants.DOMAINS_INDEX_URL)
DOMAIN_CREATE_URL = reverse(constants.DOMAINS_CREATE_URL) DOMAIN_CREATE_URL = reverse(constants.DOMAINS_CREATE_URL)
DOMAIN_UPDATE_URL = reverse(constants.DOMAINS_UPDATE_URL, args=[1]) DOMAIN_UPDATE_URL = reverse(constants.DOMAINS_UPDATE_URL, args=[1])
USER_ROLE_PREFIX = constants.DOMAIN_USER_MEMBER_SLUG + "_role_"
GROUP_ROLE_PREFIX = constants.DOMAIN_GROUP_MEMBER_SLUG + "_role_" GROUP_ROLE_PREFIX = constants.DOMAIN_GROUP_MEMBER_SLUG + "_role_"
@ -177,6 +178,14 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
domain_info = self._get_domain_info(domain) domain_info = self._get_domain_info(domain)
return domain_info return domain_info
def _get_all_users(self, domain_id=None):
if not domain_id:
users = self.users.list()
else:
users = [user for user in self.users.list()
if user.domain_id == domain_id]
return users
def _get_all_groups(self, domain_id): def _get_all_groups(self, domain_id):
if not domain_id: if not domain_id:
groups = self.groups.list() groups = self.groups.list()
@ -189,22 +198,35 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
# all domain groups have role assignments # all domain groups have role assignments
return self._get_all_groups(domain_id) return self._get_all_groups(domain_id)
def _get_domain_role_assignment(self, domain_id):
domain_scope = {'domain': {'id': domain_id}}
return self.role_assignments.filter(scope=domain_scope)
@test.create_stubs({api.keystone: ('domain_get', @test.create_stubs({api.keystone: ('domain_get',
'get_default_role', 'get_default_role',
'role_list', 'role_list',
'user_list',
'role_assignments_list',
'group_list', 'group_list',
'roles_for_group')}) 'roles_for_group')})
def test_update_domain_get(self): def test_update_domain_get(self):
default_role = self.roles.first() default_role = self.roles.first()
domain = self.domains.get(id="1") domain = self.domains.get(id="1")
users = self._get_all_users(domain.id)
groups = self._get_all_groups(domain.id) groups = self._get_all_groups(domain.id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self._get_domain_role_assignment(domain.id)
api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain) api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain)
api.keystone.get_default_role(IsA(http.HttpRequest)) \ api.keystone.get_default_role(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(default_role) .MultipleTimes().AndReturn(default_role)
api.keystone.role_list(IsA(http.HttpRequest)) \ api.keystone.role_list(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(roles) .MultipleTimes().AndReturn(roles)
api.keystone.user_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(users)
api.keystone.role_assignments_list(IsA(http.HttpRequest),
domain=domain.id) \
.AndReturn(role_assignments)
api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \ api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(groups) .AndReturn(groups)
@ -230,12 +252,18 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
domain.description) domain.description)
self.assertQuerysetEqual(workflow.steps, self.assertQuerysetEqual(workflow.steps,
['<UpdateDomainInfo: update_domain>', ['<UpdateDomainInfo: update_domain>',
'<UpdateDomainUsers: update_user_members>',
'<UpdateDomainGroups: update_group_members>']) '<UpdateDomainGroups: update_group_members>'])
@test.create_stubs({api.keystone: ('domain_get', @test.create_stubs({api.keystone: ('domain_get',
'domain_update', 'domain_update',
'get_default_role', 'get_default_role',
'role_list', 'role_list',
'user_list',
'role_assignments_list',
'roles_for_user',
'add_domain_user_role',
'remove_domain_user_role',
'group_list', 'group_list',
'roles_for_group', 'roles_for_group',
'remove_group_role', 'remove_group_role',
@ -244,15 +272,22 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
default_role = self.roles.first() default_role = self.roles.first()
domain = self.domains.get(id="1") domain = self.domains.get(id="1")
test_description = 'updated description' test_description = 'updated description'
users = self._get_all_users(domain.id)
groups = self._get_all_groups(domain.id) groups = self._get_all_groups(domain.id)
domain_groups = self._get_domain_groups(domain.id) domain_groups = self._get_domain_groups(domain.id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self._get_domain_role_assignment(domain.id)
api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain) api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain)
api.keystone.get_default_role(IsA(http.HttpRequest)) \ api.keystone.get_default_role(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(default_role) .MultipleTimes().AndReturn(default_role)
api.keystone.role_list(IsA(http.HttpRequest)) \ api.keystone.role_list(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(roles) .MultipleTimes().AndReturn(roles)
api.keystone.user_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(users)
api.keystone.role_assignments_list(IsA(http.HttpRequest),
domain=domain.id) \
.AndReturn(role_assignments)
api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \ api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(groups) .AndReturn(groups)
@ -265,7 +300,9 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
workflow_data = self._get_workflow_data(domain) workflow_data = self._get_workflow_data(domain)
# update some fields # update some fields
workflow_data['description'] = test_description workflow_data['description'] = test_description
# User assignment form data
workflow_data[USER_ROLE_PREFIX + "1"] = ['3'] # admin role
workflow_data[USER_ROLE_PREFIX + "2"] = ['2'] # member role
# Group assignment form data # Group assignment form data
workflow_data[GROUP_ROLE_PREFIX + "1"] = ['3'] # admin role workflow_data[GROUP_ROLE_PREFIX + "1"] = ['3'] # admin role
workflow_data[GROUP_ROLE_PREFIX + "2"] = ['2'] # member role workflow_data[GROUP_ROLE_PREFIX + "2"] = ['2'] # member role
@ -277,6 +314,49 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
enabled=domain.enabled, enabled=domain.enabled,
name=domain.name).AndReturn(None) name=domain.name).AndReturn(None)
api.keystone.user_list(IsA(http.HttpRequest),
domain=domain.id).AndReturn(users)
# admin user - try to remove all roles on current domain, warning
api.keystone.roles_for_user(IsA(http.HttpRequest), '1',
domain=domain.id) \
.AndReturn(roles)
# member user 1 - has role 1, will remove it
api.keystone.roles_for_user(IsA(http.HttpRequest), '2',
domain=domain.id) \
.AndReturn((roles[0],))
# remove role 1
api.keystone.remove_domain_user_role(IsA(http.HttpRequest),
domain=domain.id,
user='2',
role='1')
# add role 2
api.keystone.add_domain_user_role(IsA(http.HttpRequest),
domain=domain.id,
user='2',
role='2')
# member user 3 - has role 2
api.keystone.roles_for_user(IsA(http.HttpRequest), '3',
domain=domain.id) \
.AndReturn((roles[1],))
# remove role 2
api.keystone.remove_domain_user_role(IsA(http.HttpRequest),
domain=domain.id,
user='3',
role='2')
# add role 1
api.keystone.add_domain_user_role(IsA(http.HttpRequest),
domain=domain.id,
user='3',
role='1')
# member user 5 - do nothing
api.keystone.roles_for_user(IsA(http.HttpRequest), '5',
domain=domain.id) \
.AndReturn([])
# Group assignments # Group assignments
api.keystone.group_list(IsA(http.HttpRequest), api.keystone.group_list(IsA(http.HttpRequest),
domain=domain.id).AndReturn(domain_groups) domain=domain.id).AndReturn(domain_groups)
@ -349,20 +429,29 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
'domain_update', 'domain_update',
'get_default_role', 'get_default_role',
'role_list', 'role_list',
'user_list',
'role_assignments_list',
'group_list', 'group_list',
'roles_for_group')}) 'roles_for_group')})
def test_update_domain_post_error(self): def test_update_domain_post_error(self):
default_role = self.roles.first() default_role = self.roles.first()
domain = self.domains.get(id="1") domain = self.domains.get(id="1")
test_description = 'updated description' test_description = 'updated description'
users = self._get_all_users(domain.id)
groups = self._get_all_groups(domain.id) groups = self._get_all_groups(domain.id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self._get_domain_role_assignment(domain.id)
api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain) api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain)
api.keystone.get_default_role(IsA(http.HttpRequest)) \ api.keystone.get_default_role(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(default_role) .MultipleTimes().AndReturn(default_role)
api.keystone.role_list(IsA(http.HttpRequest)) \ api.keystone.role_list(IsA(http.HttpRequest)) \
.MultipleTimes().AndReturn(roles) .MultipleTimes().AndReturn(roles)
api.keystone.user_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(users)
api.keystone.role_assignments_list(IsA(http.HttpRequest),
domain=domain.id) \
.AndReturn(role_assignments)
api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \ api.keystone.group_list(IsA(http.HttpRequest), domain=domain.id) \
.AndReturn(groups) .AndReturn(groups)
@ -376,6 +465,9 @@ class UpdateDomainWorkflowTests(test.BaseAdminViewTests):
# update some fields # update some fields
workflow_data['description'] = test_description workflow_data['description'] = test_description
# User assignment form data
workflow_data[USER_ROLE_PREFIX + "1"] = ['3'] # admin role
workflow_data[USER_ROLE_PREFIX + "2"] = ['2'] # member role
# Group assignment form data # Group assignment form data
workflow_data[GROUP_ROLE_PREFIX + "1"] = ['3'] # admin role workflow_data[GROUP_ROLE_PREFIX + "1"] = ['3'] # admin role
workflow_data[GROUP_ROLE_PREFIX + "2"] = ['2'] # member role workflow_data[GROUP_ROLE_PREFIX + "2"] = ['2'] # member role

231
openstack_dashboard/dashboards/identity/domains/workflows.py
View File

@ -20,6 +20,7 @@ from django.utils.translation import ugettext_lazy as _
from horizon import exceptions from horizon import exceptions
from horizon import forms from horizon import forms
from horizon import messages
from horizon import workflows from horizon import workflows
from openstack_dashboard import api from openstack_dashboard import api
@ -53,15 +54,111 @@ class CreateDomainInfo(workflows.Step):
"enabled") "enabled")
class UpdateDomainUsersAction(workflows.MembershipAction):
def __init__(self, request, *args, **kwargs):
super(UpdateDomainUsersAction, self).__init__(request,
*args,
**kwargs)
domain_id = self.initial.get("domain_id", '')
# Get the default role
try:
default_role = api.keystone.get_default_role(self.request)
# Default role is necessary to add members to a domain
if default_role is None:
default = getattr(settings,
"OPENSTACK_KEYSTONE_DEFAULT_ROLE", None)
msg = _('Could not find default role "%s" in Keystone') % \
default
raise exceptions.NotFound(msg)
except Exception:
exceptions.handle(self.request,
_('Unable to find default role.'),
redirect=reverse(constants.DOMAINS_INDEX_URL))
default_role_name = self.get_default_role_field_name()
self.fields[default_role_name] = forms.CharField(required=False)
self.fields[default_role_name].initial = default_role.id
# Get list of available users
all_users = []
try:
all_users = api.keystone.user_list(request,
domain=domain_id)
except Exception:
exceptions.handle(request, _('Unable to retrieve user list.'))
users_list = [(user.id, user.name) for user in all_users]
# Get list of roles
role_list = []
try:
role_list = api.keystone.role_list(request)
except Exception:
exceptions.handle(request,
_('Unable to retrieve role list.'),
redirect=reverse(constants.DOMAINS_INDEX_URL))
for role in role_list:
field_name = self.get_member_field_name(role.id)
label = role.name
self.fields[field_name] = forms.MultipleChoiceField(required=False,
label=label)
self.fields[field_name].choices = users_list
self.fields[field_name].initial = []
# Figure out users & roles
if domain_id:
try:
users_roles = api.keystone.get_domain_users_roles(request,
domain_id)
except Exception:
exceptions.handle(request,
_('Unable to retrieve user domain role '
'assignments.'),
redirect=reverse(
constants.DOMAINS_INDEX_URL))
for user_id in users_roles:
roles_ids = users_roles[user_id]
for role_id in roles_ids:
field_name = self.get_member_field_name(role_id)
self.fields[field_name].initial.append(user_id)
class Meta:
name = _("Domain Members")
slug = constants.DOMAIN_USER_MEMBER_SLUG
class UpdateDomainUsers(workflows.UpdateMembersStep):
action_class = UpdateDomainUsersAction
available_list_title = _("All Users")
members_list_title = _("Domain Members")
no_available_text = _("No users found.")
no_members_text = _("No users.")
def contribute(self, data, context):
context = super(UpdateDomainUsers, self).contribute(data, context)
if data:
try:
roles = api.keystone.role_list(self.workflow.request)
except Exception:
exceptions.handle(self.workflow.request,
_('Unable to retrieve role list.'),
redirect=reverse(
constants.DOMAINS_INDEX_URL))
post = self.workflow.request.POST
for role in roles:
field = self.get_member_field_name(role.id)
context[field] = post.getlist(field)
return context
class UpdateDomainGroupsAction(workflows.MembershipAction): class UpdateDomainGroupsAction(workflows.MembershipAction):
def __init__(self, request, *args, **kwargs): def __init__(self, request, *args, **kwargs):
super(UpdateDomainGroupsAction, self).__init__(request, super(UpdateDomainGroupsAction, self).__init__(request,
*args, *args,
**kwargs) **kwargs)
err_msg = _('Unable to retrieve group list. Please try again later.') err_msg = _('Unable to retrieve group list. Please try again later.')
domain_id = '' domain_id = self.initial.get("domain_id", '')
if 'domain_id' in args[0]:
domain_id = args[0]['domain_id']
# Get the default role # Get the default role
try: try:
@ -135,6 +232,7 @@ class UpdateDomainGroups(workflows.UpdateMembersStep):
no_members_text = _("No groups.") no_members_text = _("No groups.")
def contribute(self, data, context): def contribute(self, data, context):
context = super(UpdateDomainGroups, self).contribute(data, context)
if data: if data:
try: try:
roles = api.keystone.role_list(self.workflow.request) roles = api.keystone.role_list(self.workflow.request)
@ -200,25 +298,109 @@ class UpdateDomain(workflows.Workflow):
failure_message = _('Unable to modify domain "%s".') failure_message = _('Unable to modify domain "%s".')
success_url = constants.DOMAINS_INDEX_URL success_url = constants.DOMAINS_INDEX_URL
default_steps = (UpdateDomainInfo, default_steps = (UpdateDomainInfo,
UpdateDomainUsers,
UpdateDomainGroups) UpdateDomainGroups)
def format_status_message(self, message): def format_status_message(self, message):
return message % self.context.get('name', 'unknown domain') return message % self.context.get('name', 'unknown domain')
def handle(self, request, data): def _update_domain_members(self, request, domain_id, data):
domain_id = data.pop('domain_id') # update domain members
users_to_modify = 0
# Project-user member step
member_step = self.get_step(constants.DOMAIN_USER_MEMBER_SLUG)
try: try:
LOG.info('Updating domain with name "%s"' % data['name']) # Get our role options
api.keystone.domain_update(request, available_roles = api.keystone.role_list(request)
domain_id=domain_id, # Get the users currently associated with this project so we
name=data['name'], # can diff against it.
description=data['description'], domain_members = api.keystone.user_list(request,
enabled=data['enabled']) domain=domain_id)
users_to_modify = len(domain_members)
for user in domain_members:
# Check if there have been any changes in the roles of
# Existing project members.
current_roles = api.keystone.roles_for_user(self.request,
user.id,
domain=domain_id)
current_role_ids = [role.id for role in current_roles]
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Check if the user is in the list of users with this role.
if user.id in data[field_name]:
# Add it if necessary
if role.id not in current_role_ids:
# user role has changed
api.keystone.add_domain_user_role(
request,
domain=domain_id,
user=user.id,
role=role.id)
else:
# User role is unchanged, so remove it from the
# remaining roles list to avoid removing it later.
index = current_role_ids.index(role.id)
current_role_ids.pop(index)
# Prevent admins from doing stupid things to themselves.
is_current_user = user.id == request.user.id
# TODO(lcheng) When Horizon moves to Domain scoped token for
# invoking identity operation, replace this with:
# domain_id == request.user.domain_id
is_current_domain = True
admin_roles = [role for role in current_roles
if role.name.lower() == 'admin']
if len(admin_roles):
removing_admin = any([role.id in current_role_ids
for role in admin_roles])
else:
removing_admin = False
if is_current_user and is_current_domain and removing_admin:
# Cannot remove "admin" role on current(admin) domain
msg = _('You cannot revoke your administrative privileges '
'from the domain you are currently logged into. '
'Please switch to another domain with '
'administrative privileges or remove the '
'administrative role manually via the CLI.')
messages.warning(request, msg)
# Otherwise go through and revoke any removed roles.
else:
for id_to_delete in current_role_ids:
api.keystone.remove_domain_user_role(
request,
domain=domain_id,
user=user.id,
role=id_to_delete)
users_to_modify -= 1
# Grant new roles on the project.
for role in available_roles:
field_name = member_step.get_member_field_name(role.id)
# Count how many users may be added for exception handling.
users_to_modify += len(data[field_name])
for role in available_roles:
users_added = 0
field_name = member_step.get_member_field_name(role.id)
for user_id in data[field_name]:
if not filter(lambda x: user_id == x.id, domain_members):
api.keystone.add_tenant_user_role(request,
project=domain_id,
user=user_id,
role=role.id)
users_added += 1
users_to_modify -= users_added
return True
except Exception: except Exception:
exceptions.handle(request, ignore=True) exceptions.handle(request, _('Failed to modify %s project '
'members and update domain groups.')
% users_to_modify)
return False return False
def _update_domain_groups(self, request, domain_id, data):
# update domain groups # update domain groups
groups_to_modify = 0 groups_to_modify = 0
member_step = self.get_step(constants.DOMAIN_GROUP_MEMBER_SLUG) member_step = self.get_step(constants.DOMAIN_GROUP_MEMBER_SLUG)
@ -282,10 +464,31 @@ class UpdateDomain(workflows.Workflow):
domain=domain_id) domain=domain_id)
groups_added += 1 groups_added += 1
groups_to_modify -= groups_added groups_to_modify -= groups_added
return True
except Exception: except Exception:
exceptions.handle(request, exceptions.handle(request,
_('Failed to modify %s domain groups.') _('Failed to modify %s domain groups.')
% groups_to_modify) % groups_to_modify)
return True return False
def handle(self, request, data):
domain_id = data.pop('domain_id')
try:
LOG.info('Updating domain with name "%s"' % data['name'])
api.keystone.domain_update(request,
domain_id=domain_id,
name=data['name'],
description=data['description'],
enabled=data['enabled'])
except Exception:
exceptions.handle(request, ignore=True)
return False
if not self._update_domain_members(request, domain_id, data):
return False
if not self._update_domain_groups(request, domain_id, data):
return False
return True return True

12
openstack_dashboard/dashboards/identity/projects/tests.py
View File

@ -749,6 +749,10 @@ class UpdateProjectWorkflowTests(test.BaseAdminViewTests):
return [group for group in self.groups.list() return [group for group in self.groups.list()
if group.project_id == project_id] if group.project_id == project_id]
def _get_proj_role_assignment(self, project_id):
project_scope = {'project': {'id': project_id}}
return self.role_assignments.filter(scope=project_scope)
@test.create_stubs({api.keystone: ('get_default_role', @test.create_stubs({api.keystone: ('get_default_role',
'roles_for_user', 'roles_for_user',
'tenant_get', 'tenant_get',
@ -771,7 +775,7 @@ class UpdateProjectWorkflowTests(test.BaseAdminViewTests):
groups = self._get_all_groups(domain_id) groups = self._get_all_groups(domain_id)
roles = self.roles.list() roles = self.roles.list()
proj_users = self._get_proj_users(project.id) proj_users = self._get_proj_users(project.id)
role_assignments = self.role_assignments.list() role_assignments = self._get_proj_role_assignment(project.id)
api.keystone.tenant_get(IsA(http.HttpRequest), api.keystone.tenant_get(IsA(http.HttpRequest),
self.tenant.id, admin=True) \ self.tenant.id, admin=True) \
@ -868,7 +872,7 @@ class UpdateProjectWorkflowTests(test.BaseAdminViewTests):
groups = self._get_all_groups(domain_id) groups = self._get_all_groups(domain_id)
proj_groups = self._get_proj_groups(project.id) proj_groups = self._get_proj_groups(project.id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self.role_assignments.list() role_assignments = self._get_proj_role_assignment(project.id)
# get/init # get/init
api.keystone.tenant_get(IsA(http.HttpRequest), api.keystone.tenant_get(IsA(http.HttpRequest),
@ -1235,7 +1239,7 @@ class UpdateProjectWorkflowTests(test.BaseAdminViewTests):
groups = self._get_all_groups(domain_id) groups = self._get_all_groups(domain_id)
proj_groups = self._get_proj_groups(project.id) proj_groups = self._get_proj_groups(project.id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self.role_assignments.list() role_assignments = self._get_proj_role_assignment(project.id)
# get/init # get/init
api.keystone.tenant_get(IsA(http.HttpRequest), self.tenant.id, api.keystone.tenant_get(IsA(http.HttpRequest), self.tenant.id,
@ -1408,7 +1412,7 @@ class UpdateProjectWorkflowTests(test.BaseAdminViewTests):
proj_users = self._get_proj_users(project.id) proj_users = self._get_proj_users(project.id)
groups = self._get_all_groups(domain_id) groups = self._get_all_groups(domain_id)
roles = self.roles.list() roles = self.roles.list()
role_assignments = self.role_assignments.list() role_assignments = self._get_proj_role_assignment(project.id)
# get/init # get/init
api.keystone.tenant_get(IsA(http.HttpRequest), self.tenant.id, api.keystone.tenant_get(IsA(http.HttpRequest), self.tenant.id,

4
openstack_dashboard/test/helpers.py
View File

@ -137,6 +137,7 @@ class TestCase(horizon_helpers.TestCase):
self.setActiveUser(id=self.user.id, self.setActiveUser(id=self.user.id,
token=self.token, token=self.token,
username=self.user.name, username=self.user.name,
domain_id=self.domain.id,
tenant_id=self.tenant.id, tenant_id=self.tenant.id,
service_catalog=self.service_catalog, service_catalog=self.service_catalog,
authorized_tenants=tenants) authorized_tenants=tenants)
@ -157,11 +158,12 @@ class TestCase(horizon_helpers.TestCase):
def setActiveUser(self, id=None, token=None, username=None, tenant_id=None, def setActiveUser(self, id=None, token=None, username=None, tenant_id=None,
service_catalog=None, tenant_name=None, roles=None, service_catalog=None, tenant_name=None, roles=None,
authorized_tenants=None, enabled=True): authorized_tenants=None, enabled=True, domain_id=None):
def get_user(request): def get_user(request):
return user.User(id=id, return user.User(id=id,
token=token, token=token,
user=username, user=username,
domain_id=domain_id,
tenant_id=tenant_id, tenant_id=tenant_id,
service_catalog=service_catalog, service_catalog=service_catalog,
roles=roles, roles=roles,

40
openstack_dashboard/test/test_data/keystone_data.py
View File

@ -249,27 +249,51 @@ def data(TEST):
role_assignments_dict = {'user': {'id': '1'}, role_assignments_dict = {'user': {'id': '1'},
'role': {'id': '1'}, 'role': {'id': '1'},
'scope': {'project': {'id': '1'}}} 'scope': {'project': {'id': '1'}}}
role_assignment1 = role_assignments.RoleAssignment( proj_role_assignment1 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict) role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'user': {'id': '2'}, role_assignments_dict = {'user': {'id': '2'},
'role': {'id': '2'}, 'role': {'id': '2'},
'scope': {'project': {'id': '1'}}} 'scope': {'project': {'id': '1'}}}
role_assignment2 = role_assignments.RoleAssignment( proj_role_assignment2 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict) role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'group': {'id': '1'}, role_assignments_dict = {'group': {'id': '1'},
'role': {'id': '2'}, 'role': {'id': '2'},
'scope': {'project': {'id': '1'}}} 'scope': {'project': {'id': '1'}}}
role_assignment3 = role_assignments.RoleAssignment( proj_role_assignment3 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict) role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'user': {'id': '3'}, role_assignments_dict = {'user': {'id': '3'},
'role': {'id': '2'}, 'role': {'id': '2'},
'scope': {'project': {'id': '1'}}} 'scope': {'project': {'id': '1'}}}
role_assignment4 = role_assignments.RoleAssignment( proj_role_assignment4 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict) role_assignments.RoleAssignmentManager, role_assignments_dict)
TEST.role_assignments.add(role_assignment1, role_assignments_dict = {'user': {'id': '1'},
role_assignment2, 'role': {'id': '1'},
role_assignment3, 'scope': {'domain': {'id': '1'}}}
role_assignment4) domain_role_assignment1 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'user': {'id': '2'},
'role': {'id': '2'},
'scope': {'domain': {'id': '1'}}}
domain_role_assignment2 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'group': {'id': '1'},
'role': {'id': '2'},
'scope': {'domain': {'id': '1'}}}
domain_role_assignment3 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict)
role_assignments_dict = {'user': {'id': '3'},
'role': {'id': '2'},
'scope': {'domain': {'id': '1'}}}
domain_role_assignment4 = role_assignments.RoleAssignment(
role_assignments.RoleAssignmentManager, role_assignments_dict)
TEST.role_assignments.add(proj_role_assignment1,
proj_role_assignment2,
proj_role_assignment3,
proj_role_assignment4,
domain_role_assignment1,
domain_role_assignment2,
domain_role_assignment3,
domain_role_assignment4)
tenant_dict = {'id': "1", tenant_dict = {'id': "1",
'name': 'test_tenant', 'name': 'test_tenant',