156 Commits

Author SHA1 Message Date
Steve Martinelli
070fa5091d Remove links from federation related commands in identity v3
We should remove the 'links' portion from the returned object
for the following commands:

* create/show federation protocol
* create/show mapping
* create/show identity provider

Change-Id: I55654cce1f89de8e532f9acd8092257be33efd85
2014-11-13 16:04:49 -05:00
Dean Troyer
42d0b20ebc Add --or-show option to user create
The --or-show option is added to create commands for the common case
of needing to ensure an object exists and getting its properties if
it does or creating a new one if it does not exist.

Note that if the object exists, any additional options that would
set values in a newly created object are ignored if the object
exists.

FakeResource needs the __name__ attribute to fall through utils.find_resource.

Prove the concept on v2 user create then propagate once we're happy with it...

Change-Id: I6268566514840c284e6a1d44b409a81d6699ef99
2014-11-07 12:28:42 -06:00
Matthieu Huin
631ed3c802 Unscoped federated user-specific commands
A federated user can authenticate with the v3unscopedsaml plugin and
list the domains and projects she is allowed to scope to.
This patch introduces the new commands 'federation domain list' and
'federation project list'.
Note that for these commands -and plugin- to be available, the lxml
library must be installed.

Change-Id: I2707b624befcfb0a01b40a094e12fd68a3ee7773
Co-Authored-By: Florent Flament <florent.flament-ext@cloudwatt.com>
2014-10-30 17:27:28 +01:00
Dean Troyer
cd368bb816 Fix token issue after auth changeup
IssueToken.take_action() was missed in updating the structure of
the ClientManager.

Also, TOKEN_WITH_TENANT_ID in v3 is just wrong...

Closes-Bug: #1383396

Change-Id: If2dd82a26af1d743ee9df73e0c1aebce497bf22e
2014-10-20 18:21:51 +00:00
Dean Troyer
2166d7d3af Remove ClientManager._service_catalog
Anything that needs a service catalog can get it directly from
auth_ref.service_catalog, no need to carry the extra attribute.

ClientManager.get_endpoint_for_service_type() remains the proper
method to get an endpoint for clients that still need one directly.

Change-Id: I809091c9c71d08f29606d7fd8b500898ff2cb8ae
2014-10-18 00:01:52 -05:00
Jenkins
79a9331f95 Merge "Remove 'links' section from several v3 Identity objects" 2014-10-13 03:26:27 +00:00
Jenkins
49c74229b4 Merge "Mark identity v2 resources for translation" 2014-10-12 18:50:27 +00:00
Jenkins
5fcd462ead Merge "Add translation markers for user v2 actions" 2014-10-12 07:20:09 +00:00
Jenkins
c39867f980 Merge "Fix issue token for v3" 2014-10-12 07:11:20 +00:00
Steve Martinelli
a8d4b0eebb Remove 'links' section from several v3 Identity objects
The links fields in the returned objects from the v3 Identity
API aren't really useful, so let's remove them.
Managed to remove most of them from the core API.
I'll likely remove the extension/contribution (oauth/federation)
related ones in another patch.

Also in this patch the code for setting services and projects
was changed. Though not incorrect, it was not needed to copy
the entire returned object, we should just need to pass in
the fields we want to update.

Change-Id: I164ca9ad8b28fa10b291e9115ef40753e387c547
2014-10-11 22:35:12 -04:00
Steve Martinelli
1b3c7ec122 Fix issue token for v3
Currently the code is broken as it references a part of
keystoneclient that does not exist.

Change-Id: I7fbc754537fbb4acffb166b5854840acfaef1fb8
Closes-Bug: #1379871
2014-10-11 20:34:09 -04:00
Nathan Kinder
f0c57e17c9 Allow --domain to be used for identity commands without lookup
Performing create, list, or set operations for users, groups, and projects
with the --domain option attempts to look up the domain for name to ID
conversion.  In the case of an environment using Keystone domains, it is
desired to allow a domain admin to perform these operations for objects in
their domain without allowing them to list or show domains. The current
behavior prevents the domain admin from performing these operations since
they will be forbidden to perform the underlying list_domains operation.

This patch makes the domain lookup error a soft failure, and falls back
to using the passed in domain argument directly as a domain ID in the
request that it sends to Keystone.

Change-Id: I5139097f8cedc53693f6f71297518917ac72e50a
Closes-Bug: #1378565
2014-10-09 13:29:21 -07:00
Steve Martinelli
b61db3eb72 Add translation markers for user v2 actions
implements bp use_i18n

Change-Id: I86508a232c9cf88695b7982dad0b9b02eaf8b3a1
2014-10-09 14:47:19 -04:00
Steve Martinelli
364071a90b Add domain parameters to user show for Identity V3
Update `user show` for Identity V3 to account for a domain argument,
in doing so, also update `find resource` to be more flexible by
allowing **kwargs.
Also update `group show` and `project show` since they follow the
same logic as a user within a group.

Change-Id: Ib828e4dbeb0bd31164396069ce8a64c873179779
Closes-Bug: #1378165
2014-10-09 14:34:48 -04:00
Steve Martinelli
bb71df9ced Mark identity v2 resources for translation
mark v2 catalog, ec2, endpoint, project, role, service and token

Change-Id: I14a5852bfee4ca9e25130d001fdadd7778ad0996
2014-10-09 14:16:45 -04:00
Matthieu Huin
0c77a9fe8b Support for keystone auth plugins
This patch allows the user to choose which authentication plugin
to use with the CLI. The arguments needed by the auth plugins are
automatically added to the argument parser. Some examples with
the currently available authentication plugins::

  OS_USERNAME=admin OS_PROJECT_NAME=admin OS_AUTH_URL=http://keystone:5000/v2.0 \
  OS_PASSWORD=admin openstack user list

  OS_USERNAME=admin OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default \
  OS_PROJECT_NAME=admin OS_AUTH_URL=http://keystone:5000/v3 OS_PASSWORD=admin \
  OS_IDENTITY_API_VERSION=3 OS_AUTH_PLUGIN=v3password openstack project list

  OS_TOKEN=1234 OS_URL=http://service_url:35357/v2.0 \
  OS_IDENTITY_API_VERSION=2.0 openstack user list

The --os-auth-plugin option can be omitted; if so the CLI will attempt to
guess which plugin to use from the other options.

Change-Id: I330c20ddb8d96b3a4287c68b57c36c4a0f869669
Co-Authored-By: Florent Flament <florent.flament-ext@cloudwatt.com>
2014-10-09 12:34:47 +02:00
Jenkins
8554fd24fe Merge "CRUD operations for federated protocols" 2014-10-09 03:59:33 +00:00
Jenkins
d87868720e Merge "Pass in domain and project as positional args, not kwargs" 2014-10-09 03:23:03 +00:00
Marek Denis
14c61a0ace CRUD operations for federated protocols
Openstackclient needs to have a capability to manage federated protocols
(like saml2, openid connect, abfab). This patch allows users to
administrate such operations from the commandline.

Change-Id: I59eef2acdda60c7ec795d1bfe31e8e960b4478a1
Implements: bp/add-openstackclient-federation-crud
2014-10-08 21:12:38 -04:00
Marek Denis
30b0a41ce7 Implement CRUD operations for Mapping objects
Change-Id: I4b8f2e77e741cf74f50aba98ab975af7321b02c6
Implements: bp/add-openstackclient-federation-crud
2014-10-08 18:35:11 +02:00
Steve Martinelli
d972b8364c Pass in domain and project as positional args, not kwargs
The signature for users.set in keystoneclient dictates that
domain and project be sent in, not domainId and projectId,
which are being incorrectly sent in as 'extra' data.

Closes-Bug: #1376833

Change-Id: I44df3e492f61eab2241f3758dee622417bb6f399
2014-10-02 14:32:12 -04:00
wanghong
2d1225624c v3 credential set always needs --user option
Change-Id: Ieca76bb6ee2f328f4e33010623c25eb9c18e6952
Closes-Bug: #1372744
2014-09-23 14:52:44 +08:00
Victor Silva
bfff44fc17 Fixing typo and improving docstring of find_domain
This should make it easier to understand the
purpose of find_domain - I believe the reason
for which find_resource wasn't enough was not
quite clear.

Change-Id: I6a1cdfa86f52401d95c6da2cd38d7c95a140b4a1
2014-09-19 19:51:01 +00:00
Jenkins
0ee7073170 Merge "Add service catalog commands" 2014-09-19 02:42:55 +00:00
Dean Troyer
da45b34828 Add service catalog commands
'catalog list' and 'catalog show' for Identity v2

Identity v2 only so far.

Change-Id: I9df0dac3d5bb7c18f38a81bd7d29f8119462d3a5
2014-09-18 15:42:10 -05:00
Dean Troyer
845de41635 Return current user/project for user/project show commands
If non-admin user attempts 'project show' or 'user show' on the currently
authenticated project or user return the information that is already in the
service catalog rather than throwing a Forbidden error.

Change-Id: Ieeb6eacf71a471e410fbd3c09e7871740547e890
2014-09-14 22:53:35 -05:00
Dean Troyer
ae957b176e Use Keystone client session.Session
This replaces the restapi requests wrapper with the one from Keystone client so
we can take advantage of the auth plugins.

As a first step only the v2 and v3 token and password plugins are supported.
This maintains no changes to the command options or environment variables.

The next steps will include reworking the other API client interfaces to
fully utilize the single auth session.

Blueprint: ksc-session-auth
Change-Id: I47ec63291e4c3cf36c8061299a4764f60b36ab89
2014-09-08 00:06:52 -05:00
Jenkins
3317e0abf6 Merge "Add action 'user password set' for identity v3" 2014-09-07 15:12:18 +00:00
Mouad Benchchaoui
0069adef5c Add action 'user password set' for identity v3
This new action will allow a user to change their own password by
either providing the new password as an argument (--password) or by
being prompted to enter the new password.
In both cases user will be prompted to enter their current password
as required by the v3 API.

Closes-Bug: #1337245
Change-Id: I5e1e0fd2b46a4502318da57f7cce2b236fb2d93d
2014-09-07 02:37:54 -04:00
Jenkins
dc9ce6d608 Merge "Change app.restapi to app.client_manager.session" 2014-09-06 21:46:40 +00:00
Jenkins
b7816f3997 Merge "add service/interface/region filter for endpoint v3" 2014-09-06 17:02:45 +00:00
Dean Troyer
1ab38679b6 Make Identity client load like the others
This does a couple of things:
* Loads the Identity client module in the same manner as the other
  'base' clients (where 'base' == 'included in the OSC repo')
* Changes the entry point group name for the base clients to
  'openstack.cli.base'.  The extension group name remains the same.
* Loads the base modules first followed by the extension modules.
  This load order ensures that the extension module commands are all
  loaded _after_ the base commands, allowing extensions to now override
  the base commands.

Change-Id: I4b9ca7f1df6eb8bbe8e3f663f3065c2ed80ce20b
2014-08-28 08:29:32 -05:00
Dean Troyer
4bbd03210f Change app.restapi to app.client_manager.session
This is step 1 toward using Keystone client's session.Session as the
primary session/requests interface in OSC.

* Move the session create into ClientManager and rename 'restapi' attribute to 'session'
* Set up ClientManager and session loggers
* Fix container and object command references to restapi/api

Change-Id: I013d81520b336c7a6422cd22c05d1d65655e64f8
2014-08-25 13:38:03 -05:00
Jenkins
7a8c9a7a8a Merge "add tests for identity v3 endpoint" 2014-08-23 16:42:08 +00:00
wanghong
181f16da8a add service/interface/region filter for endpoint v3
Change-Id: I7eac5b2ff5f5a6f3f08b22dd3a48a5ae7e2c056b
Closes-Bug: #1281888
2014-08-18 16:41:15 +08:00
wanghong
99ad9ef92e add tests for identity v3 endpoint
Change-Id: I1479460473656ea4e2a48a976808371e840b49c1
Closes-Bug: #1348867
2014-08-14 20:17:54 +08:00
wanghong
2dc060cff3 add tests for identity v3 domain
Change-Id: I478215f62b51e6e73283f0304ea1b0736177d1b1
2014-08-14 20:11:00 +08:00
Jenkins
b3b59c20d2 Merge "user create v2.0 depends on tenantId in response" 2014-08-07 20:26:07 +00:00
Steve Martinelli
e2ebeb7fdc user create v2.0 depends on tenantId in response
User create for v2.0 no longer always contains a tenantId in the
response. Add a guard to check for tenantId first before pop'ing it.

Change-Id: I428dbc26520bb86efad33768ce04f584217ad168
Closes-Bug: #1352119
2014-08-04 00:04:13 -04:00
wanghong
a9fb5fa102 v3 endpoint set shouldn't always need service option
Change-Id: I71aab1ee4f467dc963e7afa7fc1c82b4255ea822
Closes-Bug: #1351121
2014-08-04 02:00:21 +00:00
wanghong
81d11799c6 fix typo in identity/v3/endpoint.py
Change-Id: Idf57a6a988f5c0f20f3b0b19ab896642ce10d70b
2014-07-29 15:37:24 +08:00
Dean Troyer
b96d9d374c More make_client() logging cleanup
Change-Id: I5af4b9c52c69d6e31e6ca5f90d5880c097880a71
2014-07-26 12:22:50 -06:00
Jenkins
e0cf68f995 Merge "Normalize more help strings" 2014-07-24 22:09:28 +00:00
Dean Troyer
5bb6c72ef7 Normalize more help strings
Change-Id: I2b21bc904e35c1cc50da369d148e607fe3e8cf90
2014-07-24 11:22:29 -05:00
Jamie Lennox
5e7e94d59e Fix IDP commands
identity_client.identity_providers doesn't exist as a manager. These are
located at identity_client.federation.identity_providers. Fix the
routes.

Also fix passing id to .create() as a positional argument. This is not
allowed from keystoneclient; it should be passed as a keyword argument.

Change-Id: I912c27fcee58b0723e27e9147def2cbd1c62c288
2014-07-21 10:04:47 +10:00
Jenkins
70283744a0 Merge "Domain administrator cannot do project operations" 2014-07-09 08:18:23 +00:00
Dean Troyer
21bd4619ae Clean up make_client() logging
Change-Id: I0b6760a6401b50e3dfb891af75424ae89df42ebc
2014-07-08 01:44:55 -05:00
Terry Howe
b638488697 Domain administrator cannot do project operations
Domain administrator cannot do project operations because they
require access to the domain API (which they don't have).  When
attempting to find a domain for project operations, ignore errors
because the API returns nothing without indicating there is a
problem.  The domain administrators will have to use a domain id,
but they will still be able to do project operations.  If the user
does not have permission to read the domain table, they cannot
use domain names.

Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752
Closes-Bug: #1317478
Closes-Bug: #1317485
2014-07-07 20:18:39 +00:00
Matthieu Huin
5672c688d1 trust authentication
This patch enables authenticating by using a trust. The trust ID
must be set with the parameter --os-trust-id or the env variable
OS_TRUST_ID. Trusts are available for the identity v3 API.

Co-Authored-By: Florent Flament <florent.flament@cloudwatt.com>
Change-Id: Iacc389b203bbadda53ca31a7f5a9b8b6e1a1f522
2014-07-03 10:12:02 +02:00
Jenkins
4bebd8ac12 Merge "Rename token classes to match command" 2014-06-27 17:48:25 +00:00