 de9d0f9e1b
			
		
	
	de9d0f9e1b
	
	
	
		
			
			Depends-On: https://review.opendev.org/c/openstack/openstacksdk/+/913448 Change-Id: I579775d2dc4110951e934e00b51bf8d7546e207b
		
			
				
	
	
		
			230 lines
		
	
	
		
			7.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			230 lines
		
	
	
		
			7.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #   Licensed under the Apache License, Version 2.0 (the "License"); you may
 | |
| #   not use this file except in compliance with the License. You may obtain
 | |
| #   a copy of the License at
 | |
| #
 | |
| #        http://www.apache.org/licenses/LICENSE-2.0
 | |
| #
 | |
| #   Unless required by applicable law or agreed to in writing, software
 | |
| #   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 | |
| #   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 | |
| #   License for the specific language governing permissions and limitations
 | |
| #   under the License.
 | |
| #
 | |
| 
 | |
| """Identity v3 Assignment action implementations"""
 | |
| 
 | |
| from openstack import exceptions as sdk_exceptions
 | |
| from osc_lib.command import command
 | |
| 
 | |
| from openstackclient.i18n import _
 | |
| from openstackclient.identity import common
 | |
| 
 | |
| 
 | |
| def _format_role_assignment_(assignment, include_names):
 | |
|     def _get_names(attr):
 | |
|         return (
 | |
|             (
 | |
|                 attr['name']
 | |
|                 + (
 | |
|                     "@" + domain['name']
 | |
|                     if (domain := attr.get('domain'))
 | |
|                     else ''
 | |
|                 )
 | |
|             )
 | |
|             or ''
 | |
|             if attr
 | |
|             else ''
 | |
|         )
 | |
| 
 | |
|     def _get_ids(attr):
 | |
|         return attr['id'] or '' if attr else ''
 | |
| 
 | |
|     func = _get_names if include_names else _get_ids
 | |
|     return (
 | |
|         func(assignment.role),
 | |
|         func(assignment.user),
 | |
|         func(assignment.group),
 | |
|         func(assignment.scope.get('project')),
 | |
|         func(assignment.scope.get('domain')),
 | |
|         'all' if assignment.scope.get("system") else '',
 | |
|         assignment.scope.get("OS-INHERIT:inherited_to") == 'projects',
 | |
|     )
 | |
| 
 | |
| 
 | |
| def _find_sdk_id(find_command, name_or_id, **kwargs):
 | |
|     try:
 | |
|         return find_command(
 | |
|             name_or_id=name_or_id, ignore_missing=False, **kwargs
 | |
|         ).id
 | |
|     except sdk_exceptions.ForbiddenException:
 | |
|         return name_or_id
 | |
| 
 | |
| 
 | |
| class ListRoleAssignment(command.Lister):
 | |
|     _description = _("List role assignments")
 | |
| 
 | |
|     def get_parser(self, prog_name):
 | |
|         parser = super().get_parser(prog_name)
 | |
|         parser.add_argument(
 | |
|             '--effective',
 | |
|             action="store_true",
 | |
|             default=None,
 | |
|             help=_('Returns only effective role assignments'),
 | |
|         )
 | |
|         parser.add_argument(
 | |
|             '--role',
 | |
|             metavar='<role>',
 | |
|             help=_('Role to filter (name or ID)'),
 | |
|         )
 | |
|         common.add_role_domain_option_to_parser(parser)
 | |
|         parser.add_argument(
 | |
|             '--names',
 | |
|             action="store_true",
 | |
|             help=_('Display names instead of IDs'),
 | |
|         )
 | |
|         user_or_group = parser.add_mutually_exclusive_group()
 | |
|         user_or_group.add_argument(
 | |
|             '--user',
 | |
|             metavar='<user>',
 | |
|             help=_('User to filter (name or ID)'),
 | |
|         )
 | |
|         common.add_user_domain_option_to_parser(parser)
 | |
|         user_or_group.add_argument(
 | |
|             '--group',
 | |
|             metavar='<group>',
 | |
|             help=_('Group to filter (name or ID)'),
 | |
|         )
 | |
|         common.add_group_domain_option_to_parser(parser)
 | |
|         system_or_domain_or_project = parser.add_mutually_exclusive_group()
 | |
|         system_or_domain_or_project.add_argument(
 | |
|             '--domain',
 | |
|             metavar='<domain>',
 | |
|             help=_('Domain to filter (name or ID)'),
 | |
|         )
 | |
|         system_or_domain_or_project.add_argument(
 | |
|             '--project',
 | |
|             metavar='<project>',
 | |
|             help=_('Project to filter (name or ID)'),
 | |
|         )
 | |
|         system_or_domain_or_project.add_argument(
 | |
|             '--system',
 | |
|             metavar='<system>',
 | |
|             help=_('Filter based on system role assignments'),
 | |
|         )
 | |
|         common.add_project_domain_option_to_parser(parser)
 | |
|         common.add_inherited_option_to_parser(parser)
 | |
|         parser.add_argument(
 | |
|             '--auth-user',
 | |
|             action="store_true",
 | |
|             dest='authuser',
 | |
|             help='Only list assignments for the authenticated user',
 | |
|         )
 | |
|         parser.add_argument(
 | |
|             '--auth-project',
 | |
|             action="store_true",
 | |
|             dest='authproject',
 | |
|             help='Only list assignments for the project to which the '
 | |
|             'authenticated user\'s token is scoped',
 | |
|         )
 | |
|         return parser
 | |
| 
 | |
|     def take_action(self, parsed_args):
 | |
|         identity_client = self.app.client_manager.sdk_connection.identity
 | |
|         auth_ref = self.app.client_manager.auth_ref
 | |
| 
 | |
|         role_id = None
 | |
|         role_domain_id = None
 | |
|         if parsed_args.role_domain:
 | |
|             role_domain_id = _find_sdk_id(
 | |
|                 identity_client.find_domain,
 | |
|                 name_or_id=parsed_args.role_domain,
 | |
|             )
 | |
|         if parsed_args.role:
 | |
|             role_id = _find_sdk_id(
 | |
|                 identity_client.find_role,
 | |
|                 name_or_id=parsed_args.role,
 | |
|                 domain_id=role_domain_id,
 | |
|             )
 | |
| 
 | |
|         user_id = None
 | |
|         if parsed_args.user:
 | |
|             user_id = _find_sdk_id(
 | |
|                 identity_client.find_user,
 | |
|                 name_or_id=parsed_args.user,
 | |
|                 domain_id=parsed_args.user_domain,
 | |
|             )
 | |
|         elif parsed_args.authuser:
 | |
|             if auth_ref:
 | |
|                 user_id = _find_sdk_id(
 | |
|                     identity_client.find_user,
 | |
|                     name_or_id=auth_ref.user_id,
 | |
|                 )
 | |
| 
 | |
|         system = None
 | |
|         if parsed_args.system:
 | |
|             system = parsed_args.system
 | |
| 
 | |
|         domain_id = None
 | |
|         if parsed_args.domain:
 | |
|             domain_id = _find_sdk_id(
 | |
|                 identity_client.find_domain,
 | |
|                 name_or_id=parsed_args.domain,
 | |
|             )
 | |
| 
 | |
|         project_id = None
 | |
|         if parsed_args.project:
 | |
|             project_id = _find_sdk_id(
 | |
|                 identity_client.find_project,
 | |
|                 name_or_id=common._get_token_resource(
 | |
|                     identity_client, 'project', parsed_args.project
 | |
|                 ),
 | |
|                 domain_id=parsed_args.project_domain,
 | |
|             )
 | |
|         elif parsed_args.authproject:
 | |
|             if auth_ref:
 | |
|                 project_id = _find_sdk_id(
 | |
|                     identity_client.find_project,
 | |
|                     name_or_id=auth_ref.project_id,
 | |
|                 )
 | |
| 
 | |
|         group_id = None
 | |
|         if parsed_args.group:
 | |
|             group_id = _find_sdk_id(
 | |
|                 identity_client.find_group,
 | |
|                 name_or_id=parsed_args.group,
 | |
|                 domain_id=parsed_args.group_domain,
 | |
|             )
 | |
| 
 | |
|         include_names = True if parsed_args.names else None
 | |
|         columns = (
 | |
|             'Role',
 | |
|             'User',
 | |
|             'Group',
 | |
|             'Project',
 | |
|             'Domain',
 | |
|             'System',
 | |
|             'Inherited',
 | |
|         )
 | |
| 
 | |
|         inherited_to = 'projects' if parsed_args.inherited else None
 | |
| 
 | |
|         data = identity_client.role_assignments(
 | |
|             role_id=role_id,
 | |
|             user_id=user_id,
 | |
|             group_id=group_id,
 | |
|             scope_project_id=project_id,
 | |
|             scope_domain_id=domain_id,
 | |
|             scope_system=system,
 | |
|             effective=parsed_args.effective,
 | |
|             include_names=include_names,
 | |
|             inherited_to=inherited_to,
 | |
|         )
 | |
| 
 | |
|         data_parsed = []
 | |
|         for assignment in data:
 | |
|             data_parsed.append(
 | |
|                 _format_role_assignment_(assignment, include_names)
 | |
|             )
 | |
| 
 | |
|         return columns, tuple(data_parsed)
 |