python-openstackclient/openstackclient/identity/common.py

#   Copyright 2012-2013 OpenStack Foundation
#
#   Licensed under the Apache License, Version 2.0 (the "License"); you may
#   not use this file except in compliance with the License. You may obtain
#   a copy of the License at
#
#        http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#   License for the specific language governing permissions and limitations
#   under the License.
#

"""Common identity code"""

from keystoneclient import exceptions as identity_exc
from keystoneclient.v3 import domains
from keystoneclient.v3 import groups
from keystoneclient.v3 import projects
from keystoneclient.v3 import users
from openstackclient.common import exceptions
from openstackclient.common import utils


def find_service(identity_client, name_type_or_id):
    """Find a service by id, name or type."""

    try:
        # search for the usual ID or name
        return utils.find_resource(identity_client.services, name_type_or_id)
    except exceptions.CommandError:
        try:
            # search for service type
            return identity_client.services.find(type=name_type_or_id)
        # FIXME(dtroyer): This exception should eventually come from
        #                 common client exceptions
        except identity_exc.NotFound:
            msg = ("No service with a type, name or ID of '%s' exists."
                   % name_type_or_id)
            raise exceptions.CommandError(msg)


def find_domain(identity_client, name_or_id):
    """Find a domain.

       If the user does not have permissions to access the v3 domain API, e.g.,
       if the user is a project admin, assume that the domain given is the id
       rather than the name. This method is used by the project list command,
       so errors accessing the domain will be ignored and if the user has
       access to the project API, everything will work fine.

       Closes bugs #1317478 and #1317485.
    """
    try:
        dom = utils.find_resource(identity_client.domains, name_or_id)
        if dom is not None:
            return dom
    except identity_exc.Forbidden:
        pass
    return domains.Domain(None, {'id': name_or_id, 'name': name_or_id})


def find_group(identity_client, name_or_id):
    """Find a group.

       If the user does not have permissions to to perform a list groups call,
       e.g., if the user is a project admin, assume that the group given is the
       id rather than the name.  This method is used by the role add command to
       allow a role to be assigned to a group by a project admin who does not
       have permission to list groups.
    """
    try:
        group = utils.find_resource(identity_client.groups, name_or_id)
        if group is not None:
            return group
    except identity_exc.Forbidden:
        pass
    return groups.Group(None, {'id': name_or_id, 'name': name_or_id})


def find_project(identity_client, name_or_id):
    """Find a project.

       If the user does not have permissions to to perform a list projects
       call, e.g., if the user is a project admin, assume that the project
       given is the id rather than the name.  This method is used by the role
       add command to allow a role to be assigned to a user by a project admin
       who does not have permission to list projects.
    """
    try:
        project = utils.find_resource(identity_client.projects, name_or_id)
        if project is not None:
            return project
    except identity_exc.Forbidden:
        pass
    return projects.Project(None, {'id': name_or_id, 'name': name_or_id})


def find_user(identity_client, name_or_id):
    """Find a user.

       If the user does not have permissions to to perform a list users call,
       e.g., if the user is a project admin, assume that the user given is the
       id rather than the name.  This method is used by the role add command to
       allow a role to be assigned to a user by a project admin who does not
       have permission to list users.
    """
    try:
        user = utils.find_resource(identity_client.users, name_or_id)
        if user is not None:
            return user
    except identity_exc.Forbidden:
        pass
    return users.User(None, {'id': name_or_id, 'name': name_or_id})
Make endpoint commands more consistent Make endpoints more consistent across create, show, etc * Make the name option required for create * Use a common function to fetch services by id, name or type * Have show work by endpoint id or by service id, type or name * Have show display all the fields by default * Remove capability to filter queries by attribute value pairs Change-Id: Idaa4b8d930ba859fd62de777e44a10b1ed58c79b Partial-Bug: #1184012 2014-03-12 11:51:17 -06:00			`# Copyright 2012-2013 OpenStack Foundation`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`# not use this file except in compliance with the License. You may obtain`
			`# a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the`
			`# License for the specific language governing permissions and limitations`
			`# under the License.`
			`#`

			`"""Common identity code"""`

			`from keystoneclient import exceptions as identity_exc`
Domain administrator cannot do project operations Domain administrator cannot do project operations because the require access to the domain API (which they don't have). When attempting to find a domain for project operations, ignore errors because the API returns nothing without indicating there is a problem. The domain administrators will have to use a domain id, but they will still be able to do project operations. If the user does not have permission to read the domain table, they cannot use domain names. Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752 Closes-Bug: #1317478 Closes-Bug: #1317485 2014-05-30 10:38:20 -06:00			`from keystoneclient.v3 import domains`
Role operations should not require list object permission When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments. Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, as we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to lookup the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors. This patch still attempts to look up the object id by name, but we catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands. Closes-bug: #1445528 Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8 2015-04-16 19:12:45 -07:00			`from keystoneclient.v3 import groups`
			`from keystoneclient.v3 import projects`
			`from keystoneclient.v3 import users`
Make endpoint commands more consistent Make endpoints more consistent across create, show, etc * Make the name option required for create * Use a common function to fetch services by id, name or type * Have show work by endpoint id or by service id, type or name * Have show display all the fields by default * Remove capability to filter queries by attribute value pairs Change-Id: Idaa4b8d930ba859fd62de777e44a10b1ed58c79b Partial-Bug: #1184012 2014-03-12 11:51:17 -06:00			`from openstackclient.common import exceptions`
			`from openstackclient.common import utils`


			`def find_service(identity_client, name_type_or_id):`
			`"""Find a service by id, name or type."""`

			`try:`
			`# search for the usual ID or name`
			`return utils.find_resource(identity_client.services, name_type_or_id)`
			`except exceptions.CommandError:`
			`try:`
			`# search for service type`
			`return identity_client.services.find(type=name_type_or_id)`
			`# FIXME(dtroyer): This exception should eventually come from`
			`# common client exceptions`
			`except identity_exc.NotFound:`
			`msg = ("No service with a type, name or ID of '%s' exists."`
			`% name_type_or_id)`
			`raise exceptions.CommandError(msg)`
Domain administrator cannot do project operations Domain administrator cannot do project operations because the require access to the domain API (which they don't have). When attempting to find a domain for project operations, ignore errors because the API returns nothing without indicating there is a problem. The domain administrators will have to use a domain id, but they will still be able to do project operations. If the user does not have permission to read the domain table, they cannot use domain names. Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752 Closes-Bug: #1317478 Closes-Bug: #1317485 2014-05-30 10:38:20 -06:00

			`def find_domain(identity_client, name_or_id):`
			`"""Find a domain.`

Fixing typo and improving docstring of find_domain This should make it easier to understand the purpose of find_domain - I believe the reason for which find_resource wasn't enough was not quite clear. Change-Id: I6a1cdfa86f52401d95c6da2cd38d7c95a140b4a1 2014-09-19 19:17:38 +00:00			`If the user does not have permissions to access the v3 domain API, e.g.,`
			`if the user is a project admin, assume that the domain given is the id`
			`rather than the name. This method is used by the project list command,`
			`so errors accessing the domain will be ignored and if the user has`
			`access to the project API, everything will work fine.`
Domain administrator cannot do project operations Domain administrator cannot do project operations because the require access to the domain API (which they don't have). When attempting to find a domain for project operations, ignore errors because the API returns nothing without indicating there is a problem. The domain administrators will have to use a domain id, but they will still be able to do project operations. If the user does not have permission to read the domain table, they cannot use domain names. Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752 Closes-Bug: #1317478 Closes-Bug: #1317485 2014-05-30 10:38:20 -06:00
			`Closes bugs #1317478 and #1317485.`
			`"""`
			`try:`
			`dom = utils.find_resource(identity_client.domains, name_or_id)`
			`if dom is not None:`
			`return dom`
			`except identity_exc.Forbidden:`
			`pass`
Role operations should not require list object permission When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments. Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, as we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to lookup the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors. This patch still attempts to look up the object id by name, but we catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands. Closes-bug: #1445528 Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8 2015-04-16 19:12:45 -07:00			`return domains.Domain(None, {'id': name_or_id, 'name': name_or_id})`


			`def find_group(identity_client, name_or_id):`
			`"""Find a group.`

			`If the user does not have permissions to to perform a list groups call,`
			`e.g., if the user is a project admin, assume that the group given is the`
			`id rather than the name. This method is used by the role add command to`
			`allow a role to be assigned to a group by a project admin who does not`
			`have permission to list groups.`
			`"""`
			`try:`
			`group = utils.find_resource(identity_client.groups, name_or_id)`
			`if group is not None:`
			`return group`
			`except identity_exc.Forbidden:`
			`pass`
			`return groups.Group(None, {'id': name_or_id, 'name': name_or_id})`


			`def find_project(identity_client, name_or_id):`
			`"""Find a project.`

			`If the user does not have permissions to to perform a list projects`
			`call, e.g., if the user is a project admin, assume that the project`
			`given is the id rather than the name. This method is used by the role`
			`add command to allow a role to be assigned to a user by a project admin`
			`who does not have permission to list projects.`
			`"""`
			`try:`
			`project = utils.find_resource(identity_client.projects, name_or_id)`
			`if project is not None:`
			`return project`
			`except identity_exc.Forbidden:`
			`pass`
			`return projects.Project(None, {'id': name_or_id, 'name': name_or_id})`


			`def find_user(identity_client, name_or_id):`
			`"""Find a user.`

			`If the user does not have permissions to to perform a list users call,`
			`e.g., if the user is a project admin, assume that the user given is the`
			`id rather than the name. This method is used by the role add command to`
			`allow a role to be assigned to a user by a project admin who does not`
			`have permission to list users.`
			`"""`
			`try:`
			`user = utils.find_resource(identity_client.users, name_or_id)`
			`if user is not None:`
			`return user`
			`except identity_exc.Forbidden:`
			`pass`
			`return users.User(None, {'id': name_or_id, 'name': name_or_id})`