This patch introduces a new option --parent into project list,
to specify a parent project to filter projects which has
the given project as their parent.
Depends-on: https://review.opendev.org/#/c/677101
Change-Id: I6725262cf040e0ec6ceca9cf0462ce59224049c6
The following were deprecated over two years ago and can now be
removed/changed:
* Remove ``service create`` option ``--type``
* Remove ``role list`` options ``--project`` and ``--user``
* Remove ``user role list`` command
These are backwards incompatible changes and will require a major
version bump after they are merged.
Change-Id: I29e2fc9516dffbfd83eef0bc91e834dde99b4105
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
There is a typo in the endpoint group deletion, due to this you
can't remove endpoint groups once assigned. I am adding also the
unit tests to avoid this kind of issues in the future
Task: 30640
Story: 2005521
Change-Id: Ie938f2c9894bb39b4c0ed1f7aa3a6a751a303058
Regsitered limit set CLI takes --service, --region and
--resource-name as param which can be updated along with
--default limit for existing registered limit.
Default limit can be updated with same value and CLI
return the success. But --service, --region and --resource-
name cannot be same as existing one. CLI return 409
for this case. Which is valid behaviour because more than
one limit with same service and same resource cannot exist.
But help message of --service, --region and --resource-name
are not much clear to tell that they cannot be passed with
same value.
This patch clarifies the help message for resigtered limit set CLI.
Reference Scenario:
* openstack registered limit set --default-limit 91 64c2e97fbe904b888544ffdcab21989b
limit updated sucessfully
Updating limit with exsiting service and resource-name:
* openstack registered limit set --default-limit 92 --resource-name snapshot 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)
*openstack registered limit set --default-limit 93 --service compute 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)
*openstack registered limit set --default-limit 91 --resource-name snapshot --service glance 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)
Change-Id: I9e78a6250567cd981adde96946818bb016760a49
When user passes --region None, the find_resource
of osc_lib calls get() of region. The get API of
region ignores the name param returning all the
regions in result. As the find_resource checks
many cases against the result returned by get API.
The output comes greater than 1, thus returning
"More than one region ID exist" which is incorrect.
However in case of region which cannot be filtered
by name we do not require to check these many cases.
The solution is to directly call the get method of
APIs and returning No resource name exist with the
xyz" on passing invaid parameter. And returning all
in case of None.
Thus created a new function get_resource which can
be used in future too by these types of API's.
Change-Id: Ib3f881d34a82af97199ce51bfbefc6f3f08599f1
Closes-bug: #1799153
when doing openstack limit list --project xyz_id,
CLI raising error unrecognized arguments, whereas
in api-ref document [1], user can pass project_id
as query param.This addresses the above issue, by
adding param --project in parser of LimitList.
[1] https://developer.openstack.org/api-ref/identity/v3/index.html
Change-Id: If4644cc99a3803f61f4a688b828aeb73977fc0dd
Closes-Bug: #1798744
The --project and --project-domain flags are currently mutually
exclusive for listing endpoints, however the --project-domain argument
is supposed to help with filtering projects with colliding names. They
should be allowed together.
Story: 2004018
Task: 27007
Change-Id: I7340e01f509e3515f07cb46f175fb603f1ce8b67
This commit adds support for users to manage registered limits via
the command line.
bp unified-limits
Depends-On: https://review.openstack.org/#/c/574391/
Change-Id: Id8377363f7a3248b45aeeba21d2acc02684a0305
The code was calling an unexisting function which never existed.
The module refers now to the correct `InferenceRuleManager`. It
also allows the compatibility with the future python-keystoneclient
in which the compatibility method will be removed from the
RoleManager.
Change-Id: I08f785dc9e840da2e16915683eecfe49189c44b3
If you use python3, items() returns iterator which is not allowed to
remove item during iteration. Fix to iterate by copied list.
Change-Id: I64c037d04e2b127d8f19f56cab65122af89a7200
Closes-Bug: 1740232
This commit adds the necessary bits to expose system role
assignments to openstackclient via python-keystoneclient.
bp system-scope
Depends-On: Iecbcbf020a15f2bec777334c648d4477f89f3b2c
Change-Id: I261e84700b51e8715eaebdc3f8f8bc46b68542c2
pycodestyle 2.40 and later enforce these rules that were not previously
enforced. Rather than just skipping them, this cleans up the trivial
instances of these violations.
This does also include some other updates that were not triggering errors
in an attempt to keep some of the style consistent.
Change-Id: Id7c0a6b8f1f835e69d844b000e3ed751852ada63
Closes-bug: #1762803
This is a followup to https://review.openstack.org/#/c/541609/ that
changes most outstanding direct uses of sys.stdout to use the encoded
stdout set up by cliff.
Change-Id: I07cfc418385fc787d3b7d3c32d39676cf81bb91f
Implements the commands for endpoint group filter management.
Includes the CRUD management of the endpoint groups and the
association management between them and the projects that are
using this method.
Implements: blueprint keystone-endpoint-filter
Change-Id: I4265f7f8598d028191e90d76781b7b6ece6fef64
This change adds tags functionality for projects in keystone. A user
can add a single tag with "--tag", chain "--tag" to add multiple
tags, or clear tags with "--no-tag".
Change-Id: I31cfef3e76dcefe299dacb00c11bb1a10a252628
Partially-Implements: bp project-tags
Add support for creating, retrieving, and deleting application
credentials. Application credentials do not support updates.
In order to provide a positive user experience for the `--role` option,
this patch also includes an improvement to the
`identity.common._get_token_resource()` function that allows it to
introspect the roles list within a token. This way there is no need to
make a request to keystone to retrieve a role object, which would fail
most of the time anyway due to keystone's default policy prohibiting
unprivileged users from retrieving roles.
bp application-credentials
Change-Id: I29e03b72acd931305cbdac5a9ff666854d05c6d7
Implements the commands that allow to link and endpoint to
a project for endpoint filter management.
Implements: blueprint keystone-endpoint-filter
Change-Id: Iecf61495664fb8413d35ef69f07ea929d190d002
Now, keystone has supported serverl auth method, like 'totp'.
Before we use this method, we should create the credential first.
And we need create it with type 'totp'. But now we cannot create
credential with this method.
Also, I think the type should not have constrains. We can create
any type in keystone project. So, we should do these actions too.
The type would be more which We cannot control.
Change-Id: Ie0482da3133fb515e4bb8e45f8c54f509589cc5e
Closes-bug: #1731848
Currently ListEndpoint.take_action method unconditionally iterates
over all endpoints and issue GET /v3/services/<ep.service_id>
request for each endpoint. In case of HTTPS keystone endpoint this
can take significant amout of time, and it only getting worse in
case of multiple regions.
This commit change this logic to making just two GET requests: first
it gets endpoint list, then it gets service list, searching service
in the list instead of issuing GET /v3/services/<id> request.
Change-Id: I22b61c0b45b0205a2f5a4608c2473cb7814fe3cf
Closes-Bug: 1719413
Allow the user to create an inference rule between
two roles. The first, called the prior role
is the role explicitly assigned to an individual.
The second, called the implied role, is one that
the user gets implicitly. For example:
Role B implies Role A.
User X is assigned Role B.
Therefore User X also assigned Role A.
The management and maintenance of the rules is
performed in the Keystone server.
Change-Id: If547c2f16e812bc7fffd742ec37e6a26011f3185
In keystone version 3.5, "type" optional attribute has been added
to list credentials. This patch add "user_id" and "type" optional
parameter in openstack client.
Change-Id: Ia09ee7c39204fdff2dfd7b9b606d888d007caac5
Identity providers are now associated with domains. This change
allows a user to specify a domain by ID or by name when creating
an identity provider. [0]
This also adds the column for Domain ID in listing.
Updating a domain for an identity provider is not supported, so
that isn't changed.
[0]. Id18b8b2fe853b97631bc990df8188ed64a6e1275
Closes-Bug: 1698390
Change-Id: Icc408e2fe88f257d5863bd3df716a777d52befcc
The 'domain' filter not work well in commands 'project show',
'user show' and 'user set'.
Depends-On: I490900d6249f01654d4cba43bddd3e7af7928a84
Closes-Bug: #1704097
Change-Id: Ib4f47cbaba27eb56c4a41d187fee74a995e62dc7
This changes create a trust to use ids instead of names because of
the possibility of roles sharing a name. Even if the user
uniquely identified a role by inputting the id, the request sent
to the identity service would used the name, therefore the command
would fail in the case that two roles share a name.
This does not change how trusts are displayed during trust list or
trust show, a name will still be shown instead of an id.
Depends-On: I38e0ac35946ee6e53128babac3ea759a380572e0
Change-Id: I5bdf89f1e288954a7f5c2704231f270bc7d196f5
Closes-Bug: 1696111
If project matches the project from access token,
we do not have to send an API request to /projects?name=...,
because the project ID is already known.
This API request may require additional permissions, so
we want to avoid it, if possible.
Change-Id: Ice1af8686bceea6b67229dcab7cf82eef821163e
Closes-Bug: #1658189
Similar delete commands in OSC, we can also support add/remove
multi users for one specified group, this review implement it.
Change-Id: I8ccf99d4ee83a18778fa3ff5c0a42bc7c6ff21fb
Implements: bp support-multi-add-remove
Due to a default Keystone policy until Newtown,
and the use of resource_find, non-admins are unable
to list their own projects.
This patch bypasses this problem while also introducing better
UX for non-admins wishing to get their project list.
'openstack project list' retains the default of 'list all projects'
but on a forbidden error will default instead to 'list my projects'.
This way for non-admins 'list my projects' feels like the default
without breaking the expected admin default.
Adding the '--my-projects' option allows admins to easily list their
own projects or allows non-admins to be explicit and bypass the
forbidden error fallback.
Change-Id: I1021276f69fbbf28e13e17c4e567d932fce7ed8b
Closes-Bug: #1627555
When checking whether a given user is in a given group, keystone will
return a 404 Not Found if all went well but the user was not in the
group. It may also return a 403 if the user and the group are in
different backends, which would also mean that the user was not in the
group[1]. Any other 400 response is a client error and any 500 response
is a server error to which the user should be alerted.
Without this patch, openstackclient treats any exception as a valid "not
found" and may end up hiding server errors. This patch reduces the
caught exceptions to 403 and 404 responses and treats everything else as
an error.
[1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group
Closes-bug: #1672634
Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f
Add sort support to project list by sorting items in the client side.
By default list will be sorted by name.
Change-Id: I00011406846b4003aff075eeeb88ac18fa5e2820
Closes-Bug: #1596818
The parents_as_list and subtree_as_list query parameters limit the
result to only parents and subtree where the user making the call has
role assignments in. Since OSC only displays the IDs, the call would be
the same as the similar *_as_ids queries, the difference is that the
later doesn't enforce the role assignments (making it more useful).
Output example by using this patch:
$ openstack project show --children root
+-------------+------------------------------+
| Field | Value |
+-------------+------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 123 |
| is_domain | False |
| name | root |
| parent_id | default |
| subtree | {u'456': None, u'789': None} |
+-------------+------------------------------+
Change-Id: Ib7b37ae8f55190a7efcc375d5be4a2823d02d1a4
OSC support to filter OpenStack endpoints by service type, name and ID,
but help message and document don't contain "type" for "--service"
option of "endpoint list" command.
Change-Id: I5c8bc28e037b4c6f96ec83525a319353f01f256a
Closes-Bug: #1666841
if command failed, we usually raise exception,
if command success, sometimes there is not any
output (such as set, add commands)
So modify the error handling for role and group
commands.
Change-Id: I1c0f86c04dcedd9c0d725fd73f3436be9da75ee0
Options "--parents" and "--children" don't work in "project show"
command, fix the issue and add related unit and functional tests.
Change-Id: Id9965267a037442f1077f8e1929d0527981f643d
Closes-Bug: #1499657
This patch adds the ability to specify the domain context for making
changes to a user with `--domain` flag.
Example:
$ openstack user set test_user --domain test_domain --enable
Change-Id: I2b3241785c22e72e19181394acff650422299b0e
Closes-Bug: #1658147
