Enable specifing domains in "role add"
If users, projects or groups are provided by name, there is a possibility of the existence other users/projects/groups with the same name in other domain. Even though this is not a problem if the actual ID is given instead of a name; this is mostly a usability enhancement. So, three options were added, one for specifying the domain where the user belongs, another one to specify the project's domain, and finally one to specify the group's domain. Change-Id: Iab04b0e04fa75ea5aa3723b8ea42a45f58a6cdb2 Closes-Bug: #1421328
This commit is contained in:
Juan Antonio Osorio Robles
parent
a6deef6ef1
commit
3ca96ef93c
@ -37,6 +37,27 @@ Add role to a user or group in a project or domain
|
||||
|
||||
.. versionadded:: 3
|
||||
|
||||
.. option:: --user-domain <user-domain>
|
||||
|
||||
Domain the user belongs to (name or ID).
|
||||
This can be used in case collisions between user names exist.
|
||||
|
||||
.. versionadded:: 3
|
||||
|
||||
.. option:: --group-domain <group-domain>
|
||||
|
||||
Domain the group belongs to (name or ID).
|
||||
This can be used in case collisions between group names exist.
|
||||
|
||||
.. versionadded:: 3
|
||||
|
||||
.. option:: --project-domain <project-domain>
|
||||
|
||||
Domain the project belongs to (name or ID).
|
||||
This can be used in case collisions between project names exist.
|
||||
|
||||
.. versionadded:: 3
|
||||
|
||||
.. describe:: <role>
|
||||
|
||||
Role to add to `<project>`:`<user>` (name or ID)
|
||||
|
||||
@ -48,23 +48,23 @@ def find_domain(identity_client, name_or_id):
|
||||
domains.Domain)
|
||||
|
||||
|
||||
def find_group(identity_client, name_or_id):
|
||||
def find_group(identity_client, name_or_id, domain_id=None):
|
||||
return _find_identity_resource(identity_client.groups, name_or_id,
|
||||
groups.Group)
|
||||
groups.Group, domain_id=domain_id)
|
||||
|
||||
|
||||
def find_project(identity_client, name_or_id):
|
||||
def find_project(identity_client, name_or_id, domain_id=None):
|
||||
return _find_identity_resource(identity_client.projects, name_or_id,
|
||||
projects.Project)
|
||||
projects.Project, domain_id=domain_id)
|
||||
|
||||
|
||||
def find_user(identity_client, name_or_id):
|
||||
def find_user(identity_client, name_or_id, domain_id=None):
|
||||
return _find_identity_resource(identity_client.users, name_or_id,
|
||||
users.User)
|
||||
users.User, domain_id=domain_id)
|
||||
|
||||
|
||||
def _find_identity_resource(identity_client_manager, name_or_id,
|
||||
resource_type):
|
||||
resource_type, **kwargs):
|
||||
"""Find a specific identity resource.
|
||||
|
||||
Using keystoneclient's manager, attempt to find a specific resource by its
|
||||
@ -92,7 +92,7 @@ def _find_identity_resource(identity_client_manager, name_or_id,
|
||||
|
||||
try:
|
||||
identity_resource = utils.find_resource(identity_client_manager,
|
||||
name_or_id)
|
||||
name_or_id, **kwargs)
|
||||
if identity_resource is not None:
|
||||
return identity_resource
|
||||
except identity_exc.Forbidden:
|
||||
|
||||
@ -63,6 +63,27 @@ class AddRole(command.Command):
|
||||
metavar='<group>',
|
||||
help='Include <group> (name or ID)',
|
||||
)
|
||||
parser.add_argument(
|
||||
'--user-domain',
|
||||
metavar='<user-domain>',
|
||||
help=('Domain the user belongs to (name or ID). '
|
||||
'This can be used in case collisions between user names '
|
||||
'exist.')
|
||||
)
|
||||
parser.add_argument(
|
||||
'--group-domain',
|
||||
metavar='<group-domain>',
|
||||
help=('Domain the group belongs to (name or ID). '
|
||||
'This can be used in case collisions between group names '
|
||||
'exist.')
|
||||
)
|
||||
parser.add_argument(
|
||||
'--project-domain',
|
||||
metavar='<project-domain>',
|
||||
help=('Domain the project belongs to (name or ID). '
|
||||
'This can be used in case collisions between project names '
|
||||
'exist.')
|
||||
)
|
||||
return parser
|
||||
|
||||
def take_action(self, parsed_args):
|
||||
@ -78,67 +99,76 @@ class AddRole(command.Command):
|
||||
parsed_args.role,
|
||||
)
|
||||
|
||||
kwargs = {}
|
||||
if parsed_args.user and parsed_args.domain:
|
||||
user = common.find_user(
|
||||
user_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.user_domain)
|
||||
kwargs['user'] = common.find_user(
|
||||
identity_client,
|
||||
parsed_args.user,
|
||||
)
|
||||
domain = common.find_domain(
|
||||
user_domain_id,
|
||||
).id
|
||||
kwargs['domain'] = common.find_domain(
|
||||
identity_client,
|
||||
parsed_args.domain,
|
||||
)
|
||||
identity_client.roles.grant(
|
||||
role.id,
|
||||
user=user.id,
|
||||
domain=domain.id,
|
||||
)
|
||||
).id
|
||||
elif parsed_args.user and parsed_args.project:
|
||||
user = common.find_user(
|
||||
user_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.user_domain)
|
||||
kwargs['user'] = common.find_user(
|
||||
identity_client,
|
||||
parsed_args.user,
|
||||
)
|
||||
project = common.find_project(
|
||||
user_domain_id,
|
||||
).id
|
||||
project_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.project_domain)
|
||||
kwargs['project'] = common.find_project(
|
||||
identity_client,
|
||||
parsed_args.project,
|
||||
)
|
||||
identity_client.roles.grant(
|
||||
role.id,
|
||||
user=user.id,
|
||||
project=project.id,
|
||||
)
|
||||
project_domain_id,
|
||||
).id
|
||||
elif parsed_args.group and parsed_args.domain:
|
||||
group = common.find_group(
|
||||
group_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.group_domain)
|
||||
kwargs['group'] = common.find_group(
|
||||
identity_client,
|
||||
parsed_args.group,
|
||||
)
|
||||
domain = common.find_domain(
|
||||
group_domain_id,
|
||||
).id
|
||||
kwargs['domain'] = common.find_domain(
|
||||
identity_client,
|
||||
parsed_args.domain,
|
||||
)
|
||||
identity_client.roles.grant(
|
||||
role.id,
|
||||
group=group.id,
|
||||
domain=domain.id,
|
||||
)
|
||||
).id
|
||||
elif parsed_args.group and parsed_args.project:
|
||||
group = common.find_group(
|
||||
group_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.group_domain)
|
||||
kwargs['group'] = common.find_group(
|
||||
identity_client,
|
||||
parsed_args.group,
|
||||
)
|
||||
project = common.find_project(
|
||||
group_domain_id,
|
||||
).id
|
||||
project_domain_id = self._get_domain_id_if_requested(
|
||||
parsed_args.project_domain)
|
||||
kwargs['project'] = common.find_project(
|
||||
identity_client,
|
||||
parsed_args.project,
|
||||
)
|
||||
identity_client.roles.grant(
|
||||
role.id,
|
||||
group=group.id,
|
||||
project=project.id,
|
||||
)
|
||||
project_domain_id,
|
||||
).id
|
||||
else:
|
||||
sys.stderr.write("Role not added, incorrect set of arguments \
|
||||
provided. See openstack --help for more details\n")
|
||||
return
|
||||
|
||||
identity_client.roles.grant(role.id, **kwargs)
|
||||
return
|
||||
|
||||
def _get_domain_id_if_requested(self, domain_name_or_id):
|
||||
if domain_name_or_id is None:
|
||||
return None
|
||||
domain = common.find_domain(self.app.client_manager.identity,
|
||||
domain_name_or_id)
|
||||
return domain.id
|
||||
|
||||
|
||||
class CreateRole(show.ShowOne):
|
||||
"""Create new role"""
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user