openstack/python-openstackclient
Code Issues Proposed changes
da7eda66e9
python-openstackclient/openstackclient/identity/v3/role_assignment.py
ArtofBugs de9d0f9e1b Identity: Migrate 'role assignment' commands to SDK 
Depends-On: https://review.opendev.org/c/openstack/openstacksdk/+/913448
Change-Id: I579775d2dc4110951e934e00b51bf8d7546e207b
2024-06-13 16:00:54 -07:00

230 lines
7.2 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
"""Identity v3 Assignment action implementations"""
from openstack import exceptions as sdk_exceptions
from osc_lib.command import command
from openstackclient.i18n import _
from openstackclient.identity import common
def _format_role_assignment_(assignment, include_names):
def _get_names(attr):
return (
(
attr['name']
+ (
"@" + domain['name']
if (domain := attr.get('domain'))
else ''
)
)
or ''
if attr
else ''
)
def _get_ids(attr):
return attr['id'] or '' if attr else ''
func = _get_names if include_names else _get_ids
return (
func(assignment.role),
func(assignment.user),
func(assignment.group),
func(assignment.scope.get('project')),
func(assignment.scope.get('domain')),
'all' if assignment.scope.get("system") else '',
assignment.scope.get("OS-INHERIT:inherited_to") == 'projects',
)
def _find_sdk_id(find_command, name_or_id, **kwargs):
try:
return find_command(
name_or_id=name_or_id, ignore_missing=False, **kwargs
).id
except sdk_exceptions.ForbiddenException:
return name_or_id
class ListRoleAssignment(command.Lister):
_description = _("List role assignments")
def get_parser(self, prog_name):
parser = super().get_parser(prog_name)
parser.add_argument(
'--effective',
action="store_true",
default=None,
help=_('Returns only effective role assignments'),
)
parser.add_argument(
'--role',
metavar='<role>',
help=_('Role to filter (name or ID)'),
)
common.add_role_domain_option_to_parser(parser)
parser.add_argument(
'--names',
action="store_true",
help=_('Display names instead of IDs'),
)
user_or_group = parser.add_mutually_exclusive_group()
user_or_group.add_argument(
'--user',
metavar='<user>',
help=_('User to filter (name or ID)'),
)
common.add_user_domain_option_to_parser(parser)
user_or_group.add_argument(
'--group',
metavar='<group>',
help=_('Group to filter (name or ID)'),
)
common.add_group_domain_option_to_parser(parser)
system_or_domain_or_project = parser.add_mutually_exclusive_group()
system_or_domain_or_project.add_argument(
'--domain',
metavar='<domain>',
help=_('Domain to filter (name or ID)'),
)
system_or_domain_or_project.add_argument(
'--project',
metavar='<project>',
help=_('Project to filter (name or ID)'),
)
system_or_domain_or_project.add_argument(
'--system',
metavar='<system>',
help=_('Filter based on system role assignments'),
)
common.add_project_domain_option_to_parser(parser)
common.add_inherited_option_to_parser(parser)
parser.add_argument(
'--auth-user',
action="store_true",
dest='authuser',
help='Only list assignments for the authenticated user',
)
parser.add_argument(
'--auth-project',
action="store_true",
dest='authproject',
help='Only list assignments for the project to which the '
'authenticated user\'s token is scoped',
)
return parser
def take_action(self, parsed_args):
identity_client = self.app.client_manager.sdk_connection.identity
auth_ref = self.app.client_manager.auth_ref
role_id = None
role_domain_id = None
if parsed_args.role_domain:
role_domain_id = _find_sdk_id(
identity_client.find_domain,
name_or_id=parsed_args.role_domain,
)
if parsed_args.role:
role_id = _find_sdk_id(
identity_client.find_role,
name_or_id=parsed_args.role,
domain_id=role_domain_id,
)
user_id = None
if parsed_args.user:
user_id = _find_sdk_id(
identity_client.find_user,
name_or_id=parsed_args.user,
domain_id=parsed_args.user_domain,
)
elif parsed_args.authuser:
if auth_ref:
user_id = _find_sdk_id(
identity_client.find_user,
name_or_id=auth_ref.user_id,
)
system = None
if parsed_args.system:
system = parsed_args.system
domain_id = None
if parsed_args.domain:
domain_id = _find_sdk_id(
identity_client.find_domain,
name_or_id=parsed_args.domain,
)
project_id = None
if parsed_args.project:
project_id = _find_sdk_id(
identity_client.find_project,
name_or_id=common._get_token_resource(
identity_client, 'project', parsed_args.project
),
domain_id=parsed_args.project_domain,
)
elif parsed_args.authproject:
if auth_ref:
project_id = _find_sdk_id(
identity_client.find_project,
name_or_id=auth_ref.project_id,
)
group_id = None
if parsed_args.group:
group_id = _find_sdk_id(
identity_client.find_group,
name_or_id=parsed_args.group,
domain_id=parsed_args.group_domain,
)
include_names = True if parsed_args.names else None
columns = (
'Role',
'User',
'Group',
'Project',
'Domain',
'System',
'Inherited',
)
inherited_to = 'projects' if parsed_args.inherited else None
data = identity_client.role_assignments(
role_id=role_id,
user_id=user_id,
group_id=group_id,
scope_project_id=project_id,
scope_domain_id=domain_id,
scope_system=system,
effective=parsed_args.effective,
include_names=include_names,
inherited_to=inherited_to,
)
data_parsed = []
for assignment in data:
data_parsed.append(
_format_role_assignment_(assignment, include_names)
)
return columns, tuple(data_parsed)
View Git Blame Copy Permalink