Keystone let's users remove role assignments that reference non-existent
users and groups. This is nice when keystone backs to an identity store
like LDAP and users or groups are removed.
Previously, openstackclient would validate the user and group existed in
keystone before sending the request to delete the role assignment. This
commit updates the code to bypass that validation so that users can use
IDs to forcibly cleanup role assignments.
Change-Id: I102b41677736bbe37a82abaa3c5b3e1faf2475d5
Story: 2006635
Task: 36848
This patch adds the --immutable and --no-immutable option to the
role, project and domain CLI.
Related-Patch: https://review.opendev.org/#/c/712182/
Change-Id: I9c3bdd741f28bf558267fb217818d947597ce13e
1. As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will more readable.
2. In py2, the performance about list should be negligible,
see the link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I4b9edb326444264c0f6c4ad281acaac356a07e85
Implements: blueprint replace-iteritems-with-items
The following were deprecated over two years ago and can now be
removed/changed:
* Remove ``service create`` option ``--type``
* Remove ``role list`` options ``--project`` and ``--user``
* Remove ``user role list`` command
These are backwards incompatible changes and will require a major
version bump after they are merged.
Change-Id: I29e2fc9516dffbfd83eef0bc91e834dde99b4105
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Now user can add the description when user create's the role using OSC
``openstack role create`` command. User can add the description by adding
`--description <Description>` to OSC ``openstack role create`` command.
Co-Authored-By: Deepak Mourya<deepakmoriya7@gmail.com>
Change-Id: I858e004c3b29c687b6a39c8a1ed5fb029eb19c67
Depends-on: I230af9cc833af13064636b5d9a7ce6334c3f6e9a
Closes-Bug: #1669080
This commit adds the necessary bits to expose system role
assignments to openstackclient via python-keystoneclient.
bp system-scope
Depends-On: Iecbcbf020a15f2bec777334c648d4477f89f3b2c
Change-Id: I261e84700b51e8715eaebdc3f8f8bc46b68542c2
pycodestyle 2.40 and later enforce these rules that were not previously
enforced. Rather than just skipping them, this cleans up the trivial
instances of these violations.
This does also include some other updates that were not triggering errors
in an attempt to keep some of the style consistent.
Change-Id: Id7c0a6b8f1f835e69d844b000e3ed751852ada63
Closes-bug: #1762803
if command failed, we usually raise exception,
if command success, sometimes there is not any
output (such as set, add commands)
So modify the error handling for role and group
commands.
Change-Id: I1c0f86c04dcedd9c0d725fd73f3436be9da75ee0
Add missing multi deletion error handling for
identity delete commands.
All delete commands in identity support
error handling now.
Change-Id: I05626dcb5e516a423d610906347b02236ba7eeaf
Leverage the new cliff command class attribute (_description)
to get the help of a command, this allows us to mark strings
for translation. We could not do this before since the help
was grabbed from the docstring.
This also depends on a new release of cliff and a bump to the
minimum level in osc's requirements.
Closes-Bug: 1636209
Depends-On: Id915f6aa7d95a0ff3dc6e2ceaac5decb3f3bf0da
Change-Id: I8673080bb5625e8e3c499feaefd42dfc7121e96f
The current identity role list command (both v2 and v3) is
overloaded with listing roles as well as assignments (if you
provide user, group, project or domain options). This is in
addition to the v3 assignment list command designed for this
purpose.
This overloading complicates the fact that roles can now be
domain specific (i.e. have a domain attribute), so the
command 'role list --domain <domain-name' will soon become
ambigious (this is in a follow on patch).
This patch:
- Adds a v2 assignments list, with support for pulling the
user and project from the auth credentials
- For comapability, adds the same auth support to the
existing v3 assignments list
- Deprecates the use of role list and user role list to list
assignments
Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8
Partial-Bug: 1605774
When an exception was caught and rethrown,
it should call 'raise' without any arguments
because it shows the place where an exception
occured initially instead of place where the exception re-raised.
Change-Id: I5fb6dea5da7fb6e1e2b339a713c7d37f8c99e407
Use file logger for all command specific logs.
This patch also fixes some usage that doesn't
follow rules in:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html
After this patch, all self.log and self.app.log
will be standardized to LOG().
NOTE: In shell.py, we got the log in class OpenStackShell,
which is also known as self.app.log in other classes.
This logger is used to record non-command-specific logs.
So we leave it as-is.
Change-Id: I114f73ee6c7e84593d71e724bc1ad00d343c1896
Implements: blueprint log-usage
command.Command and command.Showone are base classes implemented
in cliff framework. Showone extends Command to allow take_action()
to return data to be formatted using a user-selectable formatter.
Most of the classes which are extended from Command in
openstackclient/identity/v3/ in some cases return data or return
nothing where it is not necessary, this commit fixes most of them.
Change-Id: I84c72ea4d6680f8bdbef5449316dd9a8af8c8286
Closes-Bug: 1550892
Previously each command logs take_action parameters explicitly
by using @utils.log_method decorator or log.debug().
Some commands have no logging.
This commit calls a logger in the base class and
drops all logging definition from individual commands.
Closes-Bug: #1532294
Change-Id: I43cd0290a4353c68c075bade9571c940733da1be
* Change session imports to keystoneauth1
* Change keystoneclient.exception imports to keystoneauth1
* Change exceptions raised from internal API from keystoneclient to openstack.common
Change-Id: I046d89f561d6fe04baae53726f9749d2e7fe2056
the docs and code had inconsistencies with how it
references other arguments, lets just remove the
backticks from around them.
Change-Id: I43d17b07364e45387c6b9d86c2aca26eeea8ed93
Instead of duplicating the same log statement throughout
the code, the same logic can be provided by a shared decorator
that abstracts away the logging capability and unifies it behind
a common function instead.
Change-Id: Icc63bced7347c8bbf0299a4c5821425a10892a79
When adding a role to a group and project OSC is mistakenly using the
group_domain to find the project which will fail if the group_domain !=
project_domain.
Change-Id: I4c1bec9b3b183c755be121b91f40e026d707192b
Closes-Bug: #1483520
The paremeter to Keystone Client was passed as
'inherited', when it should be
'os_inherit_extension_inherited'.
Closes-Bug: #1482254
Change-Id: I1cb46add532223ef0b9620763b1047cc80e19ec0
Once inherited project role grant calls are
implemented on python-keystoneclient,
python-openstackclient also should support such
calls.
This patch add such support as well as its
related tests.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Change-Id: Id72670be8640e5c6e2490a6ef849e9ec3493b1a9
Implements: blueprint hierarchical-multitenancy
Many of the commands for the group and role resources were lacking an
option to specify the specific domain groups, projects or users belong
to. This commit fixes that.
Change-Id: I461d2bcfd01ad2dea970de38ec7ad6f4a631ceb1
Closes-bug: #1446546
If users, projects or groups are provided by name, there is a
possibility of the existence other users/projects/groups with the same
name in other domain. Even though this is not a problem if the actual
ID is given instead of a name; this is mostly a usability enhancement.
So, three options were added, one for specifying the domain where the
user belongs, another one to specify the project's domain, and finally
one to specify the group's domain.
Change-Id: Iab04b0e04fa75ea5aa3723b8ea42a45f58a6cdb2
Closes-Bug: #1421328
When using Keystone's policy.v3cloudsample.json policy file, a project admin is
supposed to be able to manage role assignments. Unfortunately, a project admin
isn't allowed to perform these operations using python-openstackclient, as we
attempt to perform list operations for any of the object types specified (users,
groups, projects). This is done in an attempt to lookup the id of the object by
name, but we perform this list operation even when the user specifies everything
by id. This causes 403 errors.
This patch still attempts to look up the object id by name, but we catch the 403
and assume that the user specified an id if the list operation is not allowed.
This is similar to what we do with the --domain option for other commands.
Closes-bug: #1445528
Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8
try and add some consistency with the show and delete commands.
replace 'show x' with 'display x'
change 'delete a y' with just 'delete y'
Change-Id: I47dfa8ee23ac5c41b355796415eb515155832f65
This is part2. Add support for these objects:
identity.project(v2.0)
identity.role(v2.0)
identity.user(v2.0)
identity.project(v3)
identity.role(v3)
identity.user(v3)
identity.group(v3)
Closes-Bug: #1400597
Change-Id: I270434d657cf4ddc23c3aba2c704d6ef184b0dbc
The keystoneclient.openstack.common directory is where we sync files
from oslo incubator. It is not a public directory and should not be
being consumed by openstackclient.
Change-Id: I011bb95c2c824e2dbc4b822ca922ae77b8d9b955
The links field in the returned objects from the v3 Identity
API aren't really useful, so let's remove them.
Managed to remove most of them from the core API.
I'll likely remove the extension/contribution (oauth/federation)
related ones in another patch.
Also in this patch the code for setting services and projects
was changed. Though not incorrect, it was not needed to copy
the entire returned object, we should just need to pass in
the fields we want to update.
Change-Id: I164ca9ad8b28fa10b291e9115ef40753e387c547
Currently parts of user list and group list command are actually
functioning as role listing, which is quite counter intuitive and
misleading.
This refactor change move role related logic to a single place of role
list command. It now allows role grants listing for user/group +
domain/project combinations.
If no user or group specified, it will list all roles in the system,
which is the default behaviour.
Change-Id: I4ced6df4b76f018d01000d28b4281ad9f252ffcc
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ic749ac9eb55564ed631d57055a5a4dfc3aebd169
Keystoneclient has added the positional decorator which emits a warning
if arguments aren't passed by keyword. This means we are getting
warnings in certain places in openstackclient.
Change-Id: Ic5446cd6f122cbb56fce543011386d53bc31fe18
Closes-Bug: #1302199
* Add project, user, role and service v3 tests
* Fix issues in commands with enable/disable
* Make commands and tests more consistent between versions
* Make formatting and comments more consistent
Change-Id: Id21e7a5abd7e421a7742f937861ec46b53095fc7
* use six.iteritems()
* replace basestring with six.string_types
* convert print statements to functions (they're all debugging and should
be removed eventually anyway)
* clean up OpenStack copyright: LLC -> Foundation
Change-Id: Icb14212bcb408e63816bfec3922a697bc1a6c946
As discussed in https://review.openstack.org/#/c/36352/ for each
command, we were setting api = identity or volume... etc,
this was for an old way of calling commands that are is no longer
used.
Also removed openstackclient/common/command.py
Change-Id: I2705f35d343f2ae729dc22d6aed0b852b2f8ca19
* Add remove role
* Add --role to group list
* Add --role to user list
* Fix groups in AddRole()
* Remove the tweaks to utils.find_resource for domains; will address
that across domains, projects, users and groups in another patch.
I want to nail down the structure of these commands and get that into place
Change-Id: I8673dd8221ef88978dada5a2833c187026bdb31a
keep the functions sorted
Please review carefully as I intend to mimic this logic with
list and remove, I'm open to suggestions about handling thigs
differently
Change-Id: Ia6359134c44447f3b758870c4dc306ec1f970852
Added create/delete/set/list/show support for roles
Broken up to make reviewing easier.
Will add more functionality (add/remove) later
Change-Id: I95bddd27d8d9d251ad2fd60c3e3ee1e2cbcd7d4b
