4c107e6f1b
When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments. Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, as we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to lookup the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors. This patch still attempts to look up the object id by name, but we catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands. Closes-bug: #1445528 Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8
117 lines
4.3 KiB
Python
117 lines
4.3 KiB
Python
# Copyright 2012-2013 OpenStack Foundation
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""Common identity code"""
|
|
|
|
from keystoneclient import exceptions as identity_exc
|
|
from keystoneclient.v3 import domains
|
|
from keystoneclient.v3 import groups
|
|
from keystoneclient.v3 import projects
|
|
from keystoneclient.v3 import users
|
|
from openstackclient.common import exceptions
|
|
from openstackclient.common import utils
|
|
|
|
|
|
def find_service(identity_client, name_type_or_id):
|
|
"""Find a service by id, name or type."""
|
|
|
|
try:
|
|
# search for the usual ID or name
|
|
return utils.find_resource(identity_client.services, name_type_or_id)
|
|
except exceptions.CommandError:
|
|
try:
|
|
# search for service type
|
|
return identity_client.services.find(type=name_type_or_id)
|
|
# FIXME(dtroyer): This exception should eventually come from
|
|
# common client exceptions
|
|
except identity_exc.NotFound:
|
|
msg = ("No service with a type, name or ID of '%s' exists."
|
|
% name_type_or_id)
|
|
raise exceptions.CommandError(msg)
|
|
|
|
|
|
def find_domain(identity_client, name_or_id):
|
|
"""Find a domain.
|
|
|
|
If the user does not have permissions to access the v3 domain API, e.g.,
|
|
if the user is a project admin, assume that the domain given is the id
|
|
rather than the name. This method is used by the project list command,
|
|
so errors accessing the domain will be ignored and if the user has
|
|
access to the project API, everything will work fine.
|
|
|
|
Closes bugs #1317478 and #1317485.
|
|
"""
|
|
try:
|
|
dom = utils.find_resource(identity_client.domains, name_or_id)
|
|
if dom is not None:
|
|
return dom
|
|
except identity_exc.Forbidden:
|
|
pass
|
|
return domains.Domain(None, {'id': name_or_id, 'name': name_or_id})
|
|
|
|
|
|
def find_group(identity_client, name_or_id):
|
|
"""Find a group.
|
|
|
|
If the user does not have permissions to to perform a list groups call,
|
|
e.g., if the user is a project admin, assume that the group given is the
|
|
id rather than the name. This method is used by the role add command to
|
|
allow a role to be assigned to a group by a project admin who does not
|
|
have permission to list groups.
|
|
"""
|
|
try:
|
|
group = utils.find_resource(identity_client.groups, name_or_id)
|
|
if group is not None:
|
|
return group
|
|
except identity_exc.Forbidden:
|
|
pass
|
|
return groups.Group(None, {'id': name_or_id, 'name': name_or_id})
|
|
|
|
|
|
def find_project(identity_client, name_or_id):
|
|
"""Find a project.
|
|
|
|
If the user does not have permissions to to perform a list projects
|
|
call, e.g., if the user is a project admin, assume that the project
|
|
given is the id rather than the name. This method is used by the role
|
|
add command to allow a role to be assigned to a user by a project admin
|
|
who does not have permission to list projects.
|
|
"""
|
|
try:
|
|
project = utils.find_resource(identity_client.projects, name_or_id)
|
|
if project is not None:
|
|
return project
|
|
except identity_exc.Forbidden:
|
|
pass
|
|
return projects.Project(None, {'id': name_or_id, 'name': name_or_id})
|
|
|
|
|
|
def find_user(identity_client, name_or_id):
|
|
"""Find a user.
|
|
|
|
If the user does not have permissions to to perform a list users call,
|
|
e.g., if the user is a project admin, assume that the user given is the
|
|
id rather than the name. This method is used by the role add command to
|
|
allow a role to be assigned to a user by a project admin who does not
|
|
have permission to list users.
|
|
"""
|
|
try:
|
|
user = utils.find_resource(identity_client.users, name_or_id)
|
|
if user is not None:
|
|
return user
|
|
except identity_exc.Forbidden:
|
|
pass
|
|
return users.User(None, {'id': name_or_id, 'name': name_or_id})
|