8bfa180430
This commit adds the necessary bits to expose system role assignments to openstackclient via python-keystoneclient. bp system-scope Depends-On: Iecbcbf020a15f2bec777334c648d4477f89f3b2c Change-Id: I261e84700b51e8715eaebdc3f8f8bc46b68542c2
255 lines
9.2 KiB
Python
255 lines
9.2 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""Identity v3 Assignment action implementations"""
|
|
|
|
from osc_lib.command import command
|
|
from osc_lib import utils
|
|
|
|
from openstackclient.i18n import _
|
|
from openstackclient.identity import common
|
|
|
|
|
|
class ListRoleAssignment(command.Lister):
|
|
_description = _("List role assignments")
|
|
|
|
def get_parser(self, prog_name):
|
|
parser = super(ListRoleAssignment, self).get_parser(prog_name)
|
|
parser.add_argument(
|
|
'--effective',
|
|
action="store_true",
|
|
default=False,
|
|
help=_('Returns only effective role assignments'),
|
|
)
|
|
parser.add_argument(
|
|
'--role',
|
|
metavar='<role>',
|
|
help=_('Role to filter (name or ID)'),
|
|
)
|
|
common.add_role_domain_option_to_parser(parser)
|
|
parser.add_argument(
|
|
'--names',
|
|
action="store_true",
|
|
help=_('Display names instead of IDs'),
|
|
)
|
|
user_or_group = parser.add_mutually_exclusive_group()
|
|
user_or_group.add_argument(
|
|
'--user',
|
|
metavar='<user>',
|
|
help=_('User to filter (name or ID)'),
|
|
)
|
|
common.add_user_domain_option_to_parser(parser)
|
|
user_or_group.add_argument(
|
|
'--group',
|
|
metavar='<group>',
|
|
help=_('Group to filter (name or ID)'),
|
|
)
|
|
common.add_group_domain_option_to_parser(parser)
|
|
system_or_domain_or_project = parser.add_mutually_exclusive_group()
|
|
system_or_domain_or_project.add_argument(
|
|
'--domain',
|
|
metavar='<domain>',
|
|
help=_('Domain to filter (name or ID)'),
|
|
)
|
|
system_or_domain_or_project.add_argument(
|
|
'--project',
|
|
metavar='<project>',
|
|
help=_('Project to filter (name or ID)'),
|
|
)
|
|
system_or_domain_or_project.add_argument(
|
|
'--system',
|
|
metavar='<system>',
|
|
help=_('Filter based on system role assignments'),
|
|
)
|
|
common.add_project_domain_option_to_parser(parser)
|
|
common.add_inherited_option_to_parser(parser)
|
|
parser.add_argument(
|
|
'--auth-user',
|
|
action="store_true",
|
|
dest='authuser',
|
|
help='Only list assignments for the authenticated user',
|
|
)
|
|
parser.add_argument(
|
|
'--auth-project',
|
|
action="store_true",
|
|
dest='authproject',
|
|
help='Only list assignments for the project to which the '
|
|
'authenticated user\'s token is scoped',
|
|
)
|
|
return parser
|
|
|
|
def _as_tuple(self, assignment):
|
|
return (assignment.role, assignment.user, assignment.group,
|
|
assignment.project, assignment.domain, assignment.system,
|
|
assignment.inherited)
|
|
|
|
def take_action(self, parsed_args):
|
|
identity_client = self.app.client_manager.identity
|
|
auth_ref = self.app.client_manager.auth_ref
|
|
|
|
role = None
|
|
role_domain_id = None
|
|
if parsed_args.role_domain:
|
|
role_domain_id = common.find_domain(identity_client,
|
|
parsed_args.role_domain).id
|
|
if parsed_args.role:
|
|
role = utils.find_resource(
|
|
identity_client.roles,
|
|
parsed_args.role,
|
|
domain_id=role_domain_id
|
|
)
|
|
|
|
user = None
|
|
if parsed_args.user:
|
|
user = common.find_user(
|
|
identity_client,
|
|
parsed_args.user,
|
|
parsed_args.user_domain,
|
|
)
|
|
elif parsed_args.authuser:
|
|
if auth_ref:
|
|
user = common.find_user(
|
|
identity_client,
|
|
auth_ref.user_id
|
|
)
|
|
|
|
system = None
|
|
if parsed_args.system:
|
|
system = parsed_args.system
|
|
|
|
domain = None
|
|
if parsed_args.domain:
|
|
domain = common.find_domain(
|
|
identity_client,
|
|
parsed_args.domain,
|
|
)
|
|
|
|
project = None
|
|
if parsed_args.project:
|
|
project = common.find_project(
|
|
identity_client,
|
|
common._get_token_resource(identity_client, 'project',
|
|
parsed_args.project),
|
|
parsed_args.project_domain,
|
|
)
|
|
elif parsed_args.authproject:
|
|
if auth_ref:
|
|
project = common.find_project(
|
|
identity_client,
|
|
auth_ref.project_id
|
|
)
|
|
|
|
group = None
|
|
if parsed_args.group:
|
|
group = common.find_group(
|
|
identity_client,
|
|
parsed_args.group,
|
|
parsed_args.group_domain,
|
|
)
|
|
|
|
include_names = True if parsed_args.names else False
|
|
effective = True if parsed_args.effective else False
|
|
columns = (
|
|
'Role', 'User', 'Group', 'Project', 'Domain', 'System', 'Inherited'
|
|
)
|
|
|
|
inherited_to = 'projects' if parsed_args.inherited else None
|
|
data = identity_client.role_assignments.list(
|
|
domain=domain,
|
|
user=user,
|
|
group=group,
|
|
project=project,
|
|
system=system,
|
|
role=role,
|
|
effective=effective,
|
|
os_inherit_extension_inherited_to=inherited_to,
|
|
include_names=include_names)
|
|
|
|
data_parsed = []
|
|
for assignment in data:
|
|
# Removing the extra "scope" layer in the assignment json
|
|
scope = assignment.scope
|
|
if 'project' in scope:
|
|
if include_names:
|
|
prj = '@'.join([scope['project']['name'],
|
|
scope['project']['domain']['name']])
|
|
setattr(assignment, 'project', prj)
|
|
else:
|
|
setattr(assignment, 'project', scope['project']['id'])
|
|
assignment.domain = ''
|
|
assignment.system = ''
|
|
elif 'domain' in scope:
|
|
if include_names:
|
|
setattr(assignment, 'domain', scope['domain']['name'])
|
|
else:
|
|
setattr(assignment, 'domain', scope['domain']['id'])
|
|
assignment.project = ''
|
|
assignment.system = ''
|
|
elif 'system' in scope:
|
|
# NOTE(lbragstad): If, or when, keystone supports role
|
|
# assignments on subsets of a system, this will have to evolve
|
|
# to handle that case instead of hardcoding to the entire
|
|
# system.
|
|
setattr(assignment, 'system', 'all')
|
|
assignment.domain = ''
|
|
assignment.project = ''
|
|
else:
|
|
assignment.system = ''
|
|
assignment.domain = ''
|
|
assignment.project = ''
|
|
|
|
inherited = scope.get('OS-INHERIT:inherited_to') == 'projects'
|
|
assignment.inherited = inherited
|
|
|
|
del assignment.scope
|
|
|
|
if hasattr(assignment, 'user'):
|
|
if include_names:
|
|
usr = '@'.join([assignment.user['name'],
|
|
assignment.user['domain']['name']])
|
|
setattr(assignment, 'user', usr)
|
|
else:
|
|
setattr(assignment, 'user', assignment.user['id'])
|
|
assignment.group = ''
|
|
elif hasattr(assignment, 'group'):
|
|
if include_names:
|
|
grp = '@'.join([assignment.group['name'],
|
|
assignment.group['domain']['name']])
|
|
setattr(assignment, 'group', grp)
|
|
else:
|
|
setattr(assignment, 'group', assignment.group['id'])
|
|
assignment.user = ''
|
|
else:
|
|
assignment.user = ''
|
|
assignment.group = ''
|
|
|
|
if hasattr(assignment, 'role'):
|
|
if include_names:
|
|
# TODO(henry-nash): If this is a domain specific role it
|
|
# would be good show this as role@domain, although this
|
|
# domain info is not yet included in the response from the
|
|
# server. Although we could get it by re-reading the role
|
|
# from the ID, let's wait until the server does the right
|
|
# thing.
|
|
setattr(assignment, 'role', assignment.role['name'])
|
|
else:
|
|
setattr(assignment, 'role', assignment.role['id'])
|
|
else:
|
|
assignment.role = ''
|
|
|
|
# Creating a tuple from data object fields
|
|
# (including the blank ones)
|
|
data_parsed.append(self._as_tuple(assignment))
|
|
|
|
return columns, tuple(data_parsed)
|