Merged list_roles

nova/auth/ldapdriver.py

@@ -181,7 +181,7 @@ class LdapDriver(object):
         if member_uids != None:
             for member_uid in member_uids:
                 if not self.__user_exists(member_uid):
-                    raise exception.NotFound("Project can't be created "
+                            raise exception.NotFound("Project can't be created "
                             "because user %s doesn't exist" % member_uid)
                 members.append(self.__uid_to_dn(member_uid))
         # always add the manager as a member because members is required
@@ -236,6 +236,26 @@ class LdapDriver(object):
         role_dn = self.__role_to_dn(role, project_id)
         return self.__remove_from_group(uid, role_dn)
 
+    def get_user_roles(self, uid, project_id=None):
+        """Retrieve list of roles for user (or user and project)"""
+        if project_id is None:
+            # NOTE(vish): This is unneccesarily slow, but since we can't
+            #             guarantee that the global roles are located
+            #             together in the ldap tree, we're doing this version.
+            roles = []
+            for role in FLAGS.allowed_roles:
+                role_dn = self.__role_to_dn(role)
+                if self.__is_in_group(uid, role_dn):
+                    roles.append(role)
+            return roles
+        else:
+            project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
+            roles = self.__find_objects(project_dn,
+                                        '(&(&(objectclass=groupOfNames)'
+                                        '(!(objectclass=novaProject)))'
+                                        '(member=%s))' % self.__uid_to_dn(uid))
+            return [role['cn'][0] for role in roles]
+
     def delete_user(self, uid):
         """Delete a user"""
         if not self.__user_exists(uid):
@@ -253,24 +273,24 @@ class LdapDriver(object):
         self.conn.delete_s('cn=%s,uid=%s,%s' % (key_name, uid,
                                           FLAGS.ldap_user_subtree))
 
-    def delete_project(self, name):
+    def delete_project(self, project_id):
         """Delete a project"""
-        project_dn = 'cn=%s,%s' % (name, FLAGS.ldap_project_subtree)
+        project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
         self.__delete_roles(project_dn)
         self.__delete_group(project_dn)
 
-    def __user_exists(self, name):
+    def __user_exists(self, uid):
         """Check if user exists"""
-        return self.get_user(name) != None
+        return self.get_user(uid) != None
 
     def __key_pair_exists(self, uid, key_name):
         """Check if key pair exists"""
         return self.get_user(uid) != None
         return self.get_key_pair(uid, key_name) != None
 
-    def __project_exists(self, name):
+    def __project_exists(self, project_id):
         """Check if project exists"""
-        return self.get_project(name) != None
+        return self.get_project(project_id) != None
 
     def __find_object(self, dn, query=None, scope=None):
         """Find an object by dn and query"""

nova/auth/manager.py

@@ -38,6 +38,10 @@ from nova.network import vpn
 
 FLAGS = flags.FLAGS
 
+flags.DEFINE_list('allowed_roles',
+                  ['cloudadmin', 'itsec', 'sysadmin', 'netadmin', 'developer'],
+                  'Allowed roles for project')
+
 # NOTE(vish): a user with one of these roles will be a superuser and
 #             have access to all api commands
 flags.DEFINE_list('superuser_roles', ['cloudadmin'],
@@ -432,6 +436,10 @@ class AuthManager(object):
         @type project: Project or project_id
         @param project: Project in which to add local role.
         """
+        if role not in FLAGS.allowed_roles:
+            raise exception.NotFound("The %s role can not be found" % role)
+        if project is not None and role in FLAGS.global_roles:
+            raise exception.NotFound("The %s role is global only" % role)
         with self.driver() as drv:
             drv.add_role(User.safe_id(user), role, Project.safe_id(project))
 
@@ -455,6 +463,19 @@ class AuthManager(object):
         with self.driver() as drv:
             drv.remove_role(User.safe_id(user), role, Project.safe_id(project))
 
+    def get_roles(self, project_roles=True):
+        """Get list of allowed roles"""
+        if project_roles:
+            return list(set(FLAGS.allowed_roles) - set(FLAGS.global_roles))
+        else:
+            return FLAGS.allowed_roles
+
+    def get_user_roles(self, user, project=None):
+        """Get user global or per-project roles"""
+        with self.driver() as drv:
+            return drv.get_user_roles(User.safe_id(user),
+                                      Project.safe_id(project))
+
     def get_project(self, pid):
         """Get project object by id"""
         with self.driver() as drv:

nova/tests/auth_unittest.py

@@ -179,7 +179,21 @@ class AuthTestCase(test.BaseTestCase):
         project.add_role('test1', 'sysadmin')
         self.assertTrue(project.has_role('test1', 'sysadmin'))
 
-    def test_211_can_remove_project_role(self):
+    def test_211_can_list_project_roles(self):
+        project = self.manager.get_project('testproj')
+        user = self.manager.get_user('test1')
+        self.manager.add_role(user, 'netadmin', project)
+        roles = self.manager.get_user_roles(user)
+        self.assertTrue('sysadmin' in roles)
+        self.assertFalse('netadmin' in roles)
+        project_roles = self.manager.get_user_roles(user, project)
+        self.assertTrue('sysadmin' in project_roles)
+        self.assertTrue('netadmin' in project_roles)
+        # has role should be false because global role is missing
+        self.assertFalse(self.manager.has_role(user, 'netadmin', project))
+
+
+    def test_212_can_remove_project_role(self):
         project = self.manager.get_project('testproj')
         self.assertTrue(project.has_role('test1', 'sysadmin'))
         project.remove_role('test1', 'sysadmin')