openstack/python-openstackclient
Code Issues Proposed changes

Merge "Add assignment list to v2 identity and deprecate alternate listing"

Browse Source
This commit is contained in:
Jenkins 2016-07-23 00:04:39 +00:00 committed by Gerrit Code Review
commit a8880e8b34
11 changed files with 556 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
doc/source/command-objects/role-assignment.rst
View File

@ -2,7 +2,7 @@
role assignment
===============
Identity v3
Identity v2, v3
role assignment list
--------------------
@ -23,11 +23,14 @@ List role assignments
[--project-domain <project-domain>]
[--effective]
[--inherited]
[--names]
.. option:: --role <role>
Role to filter (name or ID)
.. versionadded:: 3
.. option:: --user <user>
User to filter (name or ID)
@ -37,19 +40,27 @@ List role assignments
Domain the user belongs to (name or ID).
This can be used in case collisions between user names exist.
.. versionadded:: 3
.. option:: --group <group>
Group to filter (name or ID)
.. versionadded:: 3
.. option:: --group-domain <group-domain>
Domain the group belongs to (name or ID).
This can be used in case collisions between group names exist.
.. versionadded:: 3
.. option:: --domain <domain>
Domain to filter (name or ID)
.. versionadded:: 3
.. option:: --project <project>
Project to filter (name or ID)
@ -59,14 +70,29 @@ List role assignments
Domain the project belongs to (name or ID).
This can be used in case collisions between project names exist.
.. versionadded:: 3
.. option:: --effective
Returns only effective role assignments (defaults to False)
.. versionadded:: 3
.. option:: --inherited
Specifies if the role grant is inheritable to the sub projects
.. versionadded:: 3
.. option:: --names
Returns role assignments with names instead of IDs
.. option:: --auth-user
Returns role assignments for the authenticated user.
.. option:: --auth-project
Returns role assignments for the project to which the authenticated user
is scoped.

20
doc/source/command-objects/role.rst
View File

@ -7,7 +7,7 @@ Identity v2, v3
role add
--------
Add role to a user or group in a project or domain
Add role assignment to a user or group in a project or domain
.. program:: role add
.. code:: bash
@ -123,31 +123,33 @@ List roles
Filter roles by <domain> (name or ID)
.. versionadded:: 3
(Deprecated, please use ``role assignment list`` instead)
.. option:: --project <project>
Filter roles by <project> (name or ID)
.. versionadded:: 3
(Deprecated, please use ``role assignment list`` instead)
.. option:: --user <user>
Filter roles by <user> (name or ID)
.. versionadded:: 3
(Deprecated, please use ``role assignment list`` instead)
.. option:: --group <group>
Filter roles by <group> (name or ID)
.. versionadded:: 3
(Deprecated, please use ``role assignment list`` instead)
.. option:: --user-domain <user-domain>
Domain the user belongs to (name or ID).
This can be used in case collisions between user names exist.
(Deprecated, please use ``role assignment list`` instead)
.. versionadded:: 3
.. option:: --group-domain <group-domain>
@ -155,6 +157,8 @@ List roles
Domain the group belongs to (name or ID).
This can be used in case collisions between group names exist.
(Deprecated, please use ``role assignment list`` instead)
.. versionadded:: 3
.. option:: --project-domain <project-domain>
@ -162,18 +166,22 @@ List roles
Domain the project belongs to (name or ID).
This can be used in case collisions between project names exist.
(Deprecated, please use ``role assignment list`` instead)
.. versionadded:: 3
.. option:: --inherited
Specifies if the role grant is inheritable to the sub projects.
(Deprecated, please use ``role assignment list`` instead)
.. versionadded:: 3
role remove
-----------
Remove role from domain/project : user/group
Remove role assignment from domain/project : user/group
.. program:: role remove
.. code:: bash

16
openstackclient/identity/v2_0/role.py
View File

@ -150,6 +150,15 @@ class ListRole(command.Lister):
return parser
def take_action(self, parsed_args):
def _deprecated():
# NOTE(henry-nash): Deprecated as of Newton, so we should remove
# this in the 'P' release.
self.log.warning(_('Listing assignments using role list is '
'deprecated as of the Newton release. Use role '
'assignment list --user <user-name> --project '
'<project-name> --names instead.'))
identity_client = self.app.client_manager.identity
auth_ref = self.app.client_manager.auth_ref
@ -166,6 +175,7 @@ class ListRole(command.Lister):
identity_client.projects,
parsed_args.project,
)
_deprecated()
data = identity_client.roles.roles_for_user(user.id, project.id)
elif parsed_args.user:
@ -181,6 +191,7 @@ class ListRole(command.Lister):
else:
msg = _("Project must be specified")
raise exceptions.CommandError(msg)
_deprecated()
data = identity_client.roles.roles_for_user(user.id, project.id)
elif parsed_args.project:
project = utils.find_resource(
@ -195,6 +206,7 @@ class ListRole(command.Lister):
else:
msg = _("User must be specified")
raise exceptions.CommandError(msg)
_deprecated()
data = identity_client.roles.roles_for_user(user.id, project.id)
if parsed_args.user or parsed_args.project:
@ -249,6 +261,10 @@ class ListUserRole(command.Lister):
msg = _("User must be specified")
raise exceptions.CommandError(msg)
self.log.warning(_('Listing assignments using user role list is '
'deprecated as of the Newton release. Use role '
'assignment list --user <user-name> --project '
'<project-name> --names instead.'))
project = utils.find_resource(
identity_client.tenants,
parsed_args.project,

113
openstackclient/identity/v2_0/role_assignment.py Normal file
View File

@ -0,0 +1,113 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
"""Identity v2 Assignment action implementations """
from openstackclient.common import command
from openstackclient.common import exceptions
from openstackclient.common import utils
from openstackclient.i18n import _ # noqa
class ListRoleAssignment(command.Lister):
"""List role assignments"""
def get_parser(self, prog_name):
parser = super(ListRoleAssignment, self).get_parser(prog_name)
parser.add_argument(
'--user',
metavar='<user>',
help='User to filter (name or ID)',
)
parser.add_argument(
'--project',
metavar='<project>',
help='Project to filter (name or ID)',
)
parser.add_argument(
'--names',
action="store_true",
help='Display names instead of IDs',
)
parser.add_argument(
'--auth-user',
action="store_true",
dest='authuser',
help='Only list assignments for the authenticated user',
)
parser.add_argument(
'--auth-project',
action="store_true",
dest='authproject',
help='Only list assignments for the project to which the '
'authenticated user\'s token is scoped',
)
return parser
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
auth_ref = self.app.client_manager.auth_ref
include_names = True if parsed_args.names else False
user = None
if parsed_args.user:
user = utils.find_resource(
identity_client.users,
parsed_args.user,
)
elif parsed_args.authuser:
if auth_ref:
user = utils.find_resource(
identity_client.users,
auth_ref.user_id
)
project = None
if parsed_args.project:
project = utils.find_resource(
identity_client.projects,
parsed_args.project,
)
elif parsed_args.authproject:
if auth_ref:
project = utils.find_resource(
identity_client.projects,
auth_ref.project_id
)
# If user or project is not specified, we would ideally list all
# relevant assignments in the system (to be compatible with v3).
# However, there is no easy way of doing that in v2.
if not user or not project:
msg = _("Project and User must be specified")
raise exceptions.CommandError(msg)
else:
data = identity_client.roles.roles_for_user(user.id, project.id)
columns = ('Role', 'User', 'Project')
for user_role in data:
if include_names:
setattr(user_role, 'role', user_role.name)
user_role.user = user.name
user_role.project = project.name
else:
setattr(user_role, 'role', user_role.id)
user_role.user = user.id
user_role.project = project.id
return (columns,
(utils.get_item_properties(
s, columns,
formatters={},
) for s in data))

20
openstackclient/identity/v3/role.py
View File

@ -251,6 +251,10 @@ class ListRole(command.Lister):
for user_role in data:
user_role.user = user.name
user_role.domain = domain.name
self.log.warning(_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --domain <domain-name> --names '
'instead.'))
elif parsed_args.user and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'User')
data = identity_client.roles.list(
@ -261,6 +265,10 @@ class ListRole(command.Lister):
for user_role in data:
user_role.user = user.name
user_role.project = project.name
self.log.warning(_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --project <project-name> --names '
'instead.'))
elif parsed_args.user:
columns = ('ID', 'Name')
data = identity_client.roles.list(
@ -268,6 +276,10 @@ class ListRole(command.Lister):
domain='default',
os_inherit_extension_inherited=parsed_args.inherited
)
self.log.warning(_('Listing assignments using role list is '
'deprecated. Use role assignment list --user '
'<user-name> --domain default --names '
'instead.'))
elif parsed_args.group and parsed_args.domain:
columns = ('ID', 'Name', 'Domain', 'Group')
data = identity_client.roles.list(
@ -278,6 +290,10 @@ class ListRole(command.Lister):
for group_role in data:
group_role.group = group.name
group_role.domain = domain.name
self.log.warning(_('Listing assignments using role list is '
'deprecated. Use role assignment list --group '
'<group-name> --domain <domain-name> --names '
'instead.'))
elif parsed_args.group and parsed_args.project:
columns = ('ID', 'Name', 'Project', 'Group')
data = identity_client.roles.list(
@ -288,6 +304,10 @@ class ListRole(command.Lister):
for group_role in data:
group_role.group = group.name
group_role.project = project.name
self.log.warning(_('Listing assignments using role list is '
'deprecated. Use role assignment list --group '
'<group-name> --project <project-name> --names '
'instead.'))
else:
sys.stderr.write(_("Error: If a user or group is specified, "
"either --domain or --project must also be "

26
openstackclient/identity/v3/role_assignment.py
View File

@ -67,6 +67,19 @@ class ListRoleAssignment(command.Lister):
)
common.add_project_domain_option_to_parser(parser)
common.add_inherited_option_to_parser(parser)
parser.add_argument(
'--auth-user',
action="store_true",
dest='authuser',
help='Only list assignments for the authenticated user',
)
parser.add_argument(
'--auth-project',
action="store_true",
dest='authproject',
help='Only list assignments for the project to which the '
'authenticated user\'s token is scoped',
)
return parser
def _as_tuple(self, assignment):
@ -75,6 +88,7 @@ class ListRoleAssignment(command.Lister):
def take_action(self, parsed_args):
identity_client = self.app.client_manager.identity
auth_ref = self.app.client_manager.auth_ref
role = None
if parsed_args.role:
@ -90,6 +104,12 @@ class ListRoleAssignment(command.Lister):
parsed_args.user,
parsed_args.user_domain,
)
elif parsed_args.authuser:
if auth_ref:
user = common.find_user(
identity_client,
auth_ref.user_id
)
domain = None
if parsed_args.domain:
@ -105,6 +125,12 @@ class ListRoleAssignment(command.Lister):
parsed_args.project,
parsed_args.project_domain,
)
elif parsed_args.authproject:
if auth_ref:
project = common.find_project(
identity_client,
auth_ref.project_id
)
group = None
if parsed_args.group:

5
openstackclient/tests/identity/v2_0/fakes.py
View File

@ -50,6 +50,11 @@ ROLE = {
'name': role_name,
}
ROLE_2 = {
'id': '2',
'name': 'bigboss',
}
service_id = '1925-10-11'
service_name = 'elmore'
service_description = 'Leonard, Elmore, rip'

270
openstackclient/tests/identity/v2_0/test_role_assignment.py Normal file
View File

@ -0,0 +1,270 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
import copy
import mock
from openstackclient.common import exceptions
from openstackclient.identity.v2_0 import role_assignment
from openstackclient.tests import fakes
from openstackclient.tests.identity.v2_0 import fakes as identity_fakes
class TestRoleAssignment(identity_fakes.TestIdentityv2):
def setUp(self):
super(TestRoleAssignment, self).setUp()
class TestRoleAssignmentList(TestRoleAssignment):
columns = (
'Role',
'User',
'Project',
)
def setUp(self):
super(TestRoleAssignment, self).setUp()
# Get a shortcut to the UserManager Mock
self.users_mock = self.app.client_manager.identity.users
self.users_mock.reset_mock()
# Get a shortcut to the ProjectManager Mock
self.projects_mock = self.app.client_manager.identity.projects
self.projects_mock.reset_mock()
# Get a shortcut to the RoleManager Mock
self.roles_mock = self.app.client_manager.identity.roles
self.roles_mock.reset_mock()
self.projects_mock.get.return_value = fakes.FakeResource(
None,
copy.deepcopy(identity_fakes.PROJECT),
loaded=True,
)
self.users_mock.get.return_value = fakes.FakeResource(
None,
copy.deepcopy(identity_fakes.USER),
loaded=True,
)
self.roles_mock.roles_for_user.return_value = [
fakes.FakeResource(
None,
copy.deepcopy(identity_fakes.ROLE),
loaded=True,
),
]
# Get the command object to test
self.cmd = role_assignment.ListRoleAssignment(self.app, None)
def test_role_assignment_list_no_filters(self):
arglist = []
verifylist = []
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# This argument combination should raise a CommandError
self.assertRaises(
exceptions.CommandError,
self.cmd.take_action,
parsed_args,
)
def test_role_assignment_list_only_project_filter(self):
arglist = [
'--project', identity_fakes.project_name,
]
verifylist = [
('project', identity_fakes.project_name),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# This argument combination should raise a CommandError
self.assertRaises(
exceptions.CommandError,
self.cmd.take_action,
parsed_args,
)
def test_role_assignment_list_only_user_filter(self):
arglist = [
'--user', identity_fakes.user_name,
]
verifylist = [
('user', identity_fakes.user_name),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# This argument combination should raise a CommandError
self.assertRaises(
exceptions.CommandError,
self.cmd.take_action,
parsed_args,
)
def test_role_assignment_list_project_and_user(self):
self.roles_mock.roles_for_user.return_value = [
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE),
loaded=True,
),
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE_2),
loaded=True,
),
]
arglist = [
'--project', identity_fakes.project_name,
'--user', identity_fakes.user_name,
]
verifylist = [
('user', identity_fakes.user_name),
('project', identity_fakes.project_name),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# In base command class Lister in cliff, abstract method take_action()
# returns a tuple containing the column names and an iterable
# containing the data to be listed.
columns, data = self.cmd.take_action(parsed_args)
self.roles_mock.roles_for_user.assert_called_with(
identity_fakes.user_id,
identity_fakes.project_id,
)
self.assertEqual(self.columns, columns)
datalist = ((
identity_fakes.role_id,
identity_fakes.user_id,
identity_fakes.project_id,
), (identity_fakes.ROLE_2['id'],
identity_fakes.user_id,
identity_fakes.project_id,
),)
self.assertEqual(datalist, tuple(data))
def test_role_assignment_list_def_creds(self):
auth_ref = self.app.client_manager.auth_ref = mock.MagicMock()
auth_ref.project_id.return_value = identity_fakes.project_id
auth_ref.user_id.return_value = identity_fakes.user_id
self.roles_mock.roles_for_user.return_value = [
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE),
loaded=True,
),
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE_2),
loaded=True,
),
]
arglist = [
'--auth-user',
'--auth-project',
]
verifylist = [
('authuser', True),
('authproject', True),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# In base command class Lister in cliff, abstract method take_action()
# returns a tuple containing the column names and an iterable
# containing the data to be listed.
columns, data = self.cmd.take_action(parsed_args)
self.roles_mock.roles_for_user.assert_called_with(
identity_fakes.user_id,
identity_fakes.project_id,
)
self.assertEqual(self.columns, columns)
datalist = ((
identity_fakes.role_id,
identity_fakes.user_id,
identity_fakes.project_id,
), (identity_fakes.ROLE_2['id'],
identity_fakes.user_id,
identity_fakes.project_id,
),)
self.assertEqual(datalist, tuple(data))
def test_role_assignment_list_by_name_project_and_user(self):
self.roles_mock.roles_for_user.return_value = [
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE),
loaded=True,
),
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ROLE_2),
loaded=True,
),
]
arglist = [
'--project', identity_fakes.project_name,
'--user', identity_fakes.user_name,
'--names'
]
verifylist = [
('user', identity_fakes.user_name),
('project', identity_fakes.project_name),
('names', True),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# In base command class Lister in cliff, abstract method take_action()
# returns a tuple containing the column names and an iterable
# containing the data to be listed.
columns, data = self.cmd.take_action(parsed_args)
self.roles_mock.roles_for_user.assert_called_with(
identity_fakes.user_id,
identity_fakes.project_id,
)
self.assertEqual(self.columns, columns)
datalist = ((
identity_fakes.role_name,
identity_fakes.user_name,
identity_fakes.project_name,
), (identity_fakes.ROLE_2['name'],
identity_fakes.user_name,
identity_fakes.project_name,
),)
self.assertEqual(datalist, tuple(data))

60
openstackclient/tests/identity/v3/test_role_assignment.py
View File

@ -12,6 +12,7 @@
#
import copy
import mock
from openstackclient.identity.v3 import role_assignment
from openstackclient.tests import fakes
@ -374,6 +375,65 @@ class TestRoleAssignmentList(TestRoleAssignment):
),)
self.assertEqual(datalist, tuple(data))
def test_role_assignment_list_def_creds(self):
auth_ref = self.app.client_manager.auth_ref = mock.MagicMock()
auth_ref.project_id.return_value = identity_fakes.project_id
auth_ref.user_id.return_value = identity_fakes.user_id
self.role_assignments_mock.list.return_value = [
fakes.FakeResource(
None,
copy.deepcopy(
identity_fakes.ASSIGNMENT_WITH_PROJECT_ID_AND_USER_ID),
loaded=True,
),
]
arglist = [
'--auth-user',
'--auth-project',
]
verifylist = [
('user', None),
('group', None),
('domain', None),
('project', None),
('role', None),
('effective', False),
('inherited', False),
('names', False),
('authuser', True),
('authproject', True),
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
# In base command class Lister in cliff, abstract method take_action()
# returns a tuple containing the column names and an iterable
# containing the data to be listed.
columns, data = self.cmd.take_action(parsed_args)
self.role_assignments_mock.list.assert_called_with(
domain=None,
user=self.users_mock.get(),
group=None,
project=self.projects_mock.get(),
role=None,
effective=False,
os_inherit_extension_inherited_to=None,
include_names=False)
self.assertEqual(self.columns, columns)
datalist = ((
identity_fakes.role_id,
identity_fakes.user_id,
'',
identity_fakes.project_id,
'',
False
),)
self.assertEqual(datalist, tuple(data))
def test_role_assignment_list_effective(self):
self.role_assignments_mock.list.return_value = [

4
releasenotes/notes/bug-1605774-28aec51f6ec4926e.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- Deprecate ``role list`` arguments in favor of ``role assignment`` command.
[Bug `1605774 <https://bugs.launchpad.net/python-openstackclient/+bug/1605774>`_]

1
setup.cfg
View File

@ -172,6 +172,7 @@ openstack.identity.v2 =
role_list = openstackclient.identity.v2_0.role:ListRole
role_remove = openstackclient.identity.v2_0.role:RemoveRole
role_show = openstackclient.identity.v2_0.role:ShowRole
role_assignment_list = openstackclient.identity.v2_0.role_assignment:ListRoleAssignment
service_create = openstackclient.identity.v2_0.service:CreateService
service_delete = openstackclient.identity.v2_0.service:DeleteService