Once inherited project role grant calls are
implemented on python-keystoneclient,
python-openstackclient also should support such
calls.
This patch add such support as well as its
related tests.
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>
Change-Id: Id72670be8640e5c6e2490a6ef849e9ec3493b1a9
Implements: blueprint hierarchical-multitenancy
ec2creds.py was referencing a function on self, but wasn't there.
Correctly reference the right function.
Change-Id: I62f09c497be9dbb394341914388d60634e8b80c2
Closes-Bug: 1465561
the oidc plugin should be included in the list of valid federation
protocols that can leverage `federation project list`
Change-Id: I3f5c5ab262c7097273716a81618a2dcbb159dd6f
Many of the commands for the group and role resources were lacking an
option to specify the specific domain groups, projects or users belong
to. This commit fixes that.
Change-Id: I461d2bcfd01ad2dea970de38ec7ad6f4a631ceb1
Closes-bug: #1446546
`project` argument is deprecated in keystoneclient for V3 API,
and use `default_project` instead, should use `default_project`
as the argument name in the openstackclient accordingly.
Change-Id: Ib9d70801c933a184afcdab75204393efa764fa87
Closes-Bug: #1462389
Re-sync the text in v2 and v3 help and the docs
Depends-On: If4ac5356ade8cff347bb9eb9f88d1ace82bb7275
Change-Id: Iabef2f271fcf46748295c29713fea1811dcab29c
A follow up work item from I52ff2020ef2fcbdc8a98280b73c6fd4a93bc8e0f
to support domain scoped users and projects for ec2creds in the
v3 identity api.
Related-Bug: 1236326
Change-Id: If4ac5356ade8cff347bb9eb9f88d1ace82bb7275
EC2 support is provided for the v2 identity API and is available in
almost exactly the same format in the v3 API and enabled by default.
Supporting EC2 in the v3 identity API in OSC will make it much easier to
transition devstack to a v3 only state.
Closes-Bug: 1236326
Change-Id: I52ff2020ef2fcbdc8a98280b73c6fd4a93bc8e0f
The payload data of credentials is the unfortunately named blob.
Currently when listing credentials the payload is excluded as OSC is
looking for a column called data which does not exist.
Change-Id: I6fa4579d7ec9ba393ede550191dbd8aa29767bf4
Currently argument 'domain' is not supported by command 'os project
set', but it is required by keystone v3 update project API to match
the domain id.
Closes-Bug: #1460122
Change-Id: I1b32f67f78b369f6134a74cdf9a4811b7539d44b
If users, projects or groups are provided by name, there is a
possibility of the existence other users/projects/groups with the same
name in other domain. Even though this is not a problem if the actual
ID is given instead of a name; this is mostly a usability enhancement.
So, three options were added, one for specifying the domain where the
user belongs, another one to specify the project's domain, and finally
one to specify the group's domain.
Change-Id: Iab04b0e04fa75ea5aa3723b8ea42a45f58a6cdb2
Closes-Bug: #1421328
Based on the comments made in this patch:
https://review.openstack.org/#/c/174908/2/
We should simplify and refactor the way we handle finding identity
resources.
Change-Id: I77db2e3564faa90a917082a6c6cb87269e93aebe
In several places we had else branches where a reasonable default
would do the job. This makes the code a mean cleaer and easier to
read.
Change-Id: I231e09aab85fd32b8300bc33c48d0899b728b96e
When using Keystone's policy.v3cloudsample.json policy file, a project admin is
supposed to be able to manage role assignments. Unfortunately, a project admin
isn't allowed to perform these operations using python-openstackclient, as we
attempt to perform list operations for any of the object types specified (users,
groups, projects). This is done in an attempt to lookup the id of the object by
name, but we perform this list operation even when the user specifies everything
by id. This causes 403 errors.
This patch still attempts to look up the object id by name, but we catch the 403
and assume that the user specified an id if the list operation is not allowed.
This is similar to what we do with the --domain option for other commands.
Closes-bug: #1445528
Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8
This patch adds service providers to command-objects, and makes
a few changes to the help text, to align it more with the
already established identity provider resource.
Change-Id: Ibf3d2bc04bf5588d1fc9c37b8ca28c007496c021
Adds CRUD support for service providers as it's now available through
keystoneclient
Closes-Bug: 1435962
Depends-On: If802e8a47e45ae00112de3739334b4b5482d0500
Change-Id: Ic55101e50209070aa49ca2adc91c89ba754c8c68
The federation APIs for the identity providers introduce a new parameter
for every identity provider, named remote_ids, which contains a list of
entity ID associated with. This parameter can be provided during the creation
of the identity provider and can be updated at any time. For more information
look at the blueprint:
https://blueprints.launchpad.net/keystone/+spec/idp-id-registration
This patch add the support to this new parameter in the command line by
inserting the option "--remote-id" in the following commands:
- "identity provider create"
- "identity provider set"
Additionally, the values can be read from a file, specified by
"--remote-id-file", containing an entity id per line.
Change-Id: Ie93340ee57e54128daa70d8a7bd0a9975ff7eef4
Depends-On: I12a262c55b5f6b5cc7007865edf30f14269da537
Implements: blueprint idp-id-registration
Adding the possibility to create projects hierarchies by adding
the parent field in the create project call.
Co-Authored-By: Victor Silva <victor@lsd.ufcg.edu.br>
Implements: bp hierarchical-multitenancy
Change-Id: I4eac4f5bc067634cc38c305dacc59ab1da63c153
Some service catalogs in the wild have services without region names defined.
Let's be nice and stuff in a default value indicating this state.
Closes-Bug: #1429211
Change-Id: I3ebe2534dc6e3438aaeddc7757fb2db4117eae4b
Not returning a value is the same as returning None. In the event that
someone asks ClientManager for an attribute that doesn't exist it should
raise AttributeError in the same way as other python objects rather
than return an empty value.
Change-Id: Id0ee825e6527c831c38e3a671958ded362fb96e1
Similar to projects, we shouldn't allow users and groups to
change domains. The server side tosses up an error but osc
should restrict that behaviour in the first place.
Related-Bug: #1418384
Change-Id: I860291a5859c576021b18e35d1a12c32abfb6ca5
Keystone Server already surfaces an error for this operation, but
we should restrict the user, and not offer --domain to be changed
for a project.
Change-Id: I48317e8accfea3c285e6ad213e75b783de8070ac
Closes-Bug: #1418384
Added new module in identity v3 api to handle create, read, and delete
operations of trust resources.
Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Closes-Bug: #1413718
Change-Id: I2b360b141ff70d4f396466abede859a3db6644f4
We do not take into account region names for identity and volume
clients.
Change-Id: I4263e9013226b0adc6b9ad7540d6ad3efb42e809
Co-Authored-By: Eric Helgeson <erichelgeson@gmail.com>
Related-Bug: #1405416
Changes to the 'service list' commands for Identity v2 and v3:
* Document support for --long
* Add Description to v3 output with --long
* v3 output is now (ID, Name, Type), with (Description, Enabled) added with --long
* Change v2 output to match v3 output, with the absense of Enabled.
* Update doc to match
Closes-Bug: #1411337
Change-Id: I999e3df22f61350cdeba63bbb7d01145c2ffeeaf
