453 Commits

Author SHA1 Message Date
Cyril Roelandt
43639e1118 Fix typos
Change-Id: Idd502c8df21da79ff3b9339870f38378f5337879
2021-10-26 15:53:51 +02:00
Zuul
0fd090eff3 Merge "Add name and enabled param in ListDomain parser" 2020-12-22 13:30:59 +00:00
Stephen Finucane
f5b185c357 Make use of comparable 'FormattableColumn' subclasses
This requires fixes found in cliff 3.5.0 [1] and osc-lib 2.3.0 [2]. With
these fixes in place, we can remove the icky, still broken
'assertItemEqual' and 'assertListItemEqual' helpers.

[1] https://review.opendev.org/761421
[2] https://review.opendev.org/761394

Change-Id: Id6c26b37c3c7d5ec6761361abca57f9219b76838
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2020-12-09 15:17:25 +00:00
Zuul
c7a43773c9 Merge "Add id and enabled param in ListIdentityProvider parser" 2020-12-01 13:50:56 +00:00
songwenping
c2df9215e1 Remove usage of six
With python3.x, classes can use 'metaclass=' instead of
'six.add_metaclass', 'six.iteritems' and 'six.iterkeys' can
be replaced by 'items' and 'keys', 'six.moves.urllib.parse'
can be replaced by 'urllib.parse', 'six.StringIO' and
'six.moves.cStringIO' can be replaced by 'io.StringIO',
'six.text_type' and 'six.string_type' are just 'str'.

Change-Id: I84848c0bf8ab3c36dd821141191e2725e4e3b58b
2020-10-07 02:15:25 +00:00
Zuul
95cc05bdf6 Merge "Bypass user and group verification in RemoveRole" 2020-08-13 06:29:54 +00:00
Lance Bragstad
e246732670 Bypass user and group verification in RemoveRole
Keystone let's users remove role assignments that reference non-existent
users and groups. This is nice when keystone backs to an identity store
like LDAP and users or groups are removed.

Previously, openstackclient would validate the user and group existed in
keystone before sending the request to delete the role assignment. This
commit updates the code to bypass that validation so that users can use
IDs to forcibly cleanup role assignments.

Change-Id: I102b41677736bbe37a82abaa3c5b3e1faf2475d5
Story: 2006635
Task: 36848
2020-08-12 12:24:17 -05:00
Vishakha Agarwal
1e053babf4 Add id and enabled param in ListIdentityProvider parser
when doing openstack identity provider list --name xyz_id,
and openstack identity provider list --enabled CLI raising
error unrecognized arguments, whereas in api-ref document [1],
user can pass name and enabled as optional query param. This
addresses the above issue, by adding param --id and --enabled in
parser of ListIdentityProvider.

[1] https://docs.openstack.org/api-ref/identity/v3-ext/?expanded=list-identity-providers-detail#list-identity-providers

Change-Id: I59ce3a5f54700ba5a735f0b3b4b3b73b3a8658fa
2020-07-24 19:22:39 +05:30
Roger Luethi
0a8753dc3e Fix reverted osc-lib interface change
The patch https://review.opendev.org/#/c/673389/ introduced a regression
by changing the osc-lib interface.

Two conflicting attempts to fix the regression were launched:

1) Reverting the patch.

2) The patch https://review.opendev.org/683119 changes the exception
   from the generic CommandError back to a specific Forbidden exception.

   The patch https://review.opendev.org/683118 catches this exception
   and passes on, i.e. re-implements the same behavior as before.

The first idea was implemented, the initial patch reverted. The second
idea was partially implemented. The change in python-openstackclient
(683118) was merged. The change in osc-lib was approved but failed to
merge because the initial change had been reverted.

Now we have again a situation where the exception produced in osc-lib
does not match the exception expected by the caller.

It is unclear if the osc-lib interface will ever get a rebased version
of https://review.opendev.org/683119 merged, so the safest way to
address the issue is to also catch the exception that used to be
thrown before the inital change and is again thrown after the inital
change has been reverted.

Change-Id: I2ea2def607ec5be112e42d53a1e660fef0cdd69c
2020-07-23 20:35:21 +02:00
Vishakha Agarwal
8628e52de7 Add name and enabled param in ListDomain parser
when doing openstack domain list --name xyz_id,
and openstack domain list --enabled CLI raising
error unrecognized arguments, whereas in api-ref
document [1], user can pass name and enabled as
optional query param. This addresses the above
issue, by adding param --name and --enabled in
parser of ListDomain.

[1]https://docs.openstack.org/api-ref/identity/v3/?expanded=list-domains-detail#list-domains

Change-Id: I3cdb511d3c7059ddfb802ca025188d8976c9302c
2020-07-21 18:24:58 +05:30
yanpuqing
533af9f1b2 Client should parse string to boolean for value 'is_domain'
When we use "--property" parameter, client get lists these the
value is string type, but the type of the value 'is_domain'
should be boolean, so we should judge it and parse it.
The patch parse string to boolean for value 'is_domain'.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Change-Id: I37c9eb854524bde3a1530bfe2e3a03810fb1a676
Task: 30039
Story: 2005246
2020-05-29 07:53:13 -05:00
Vishakha Agarwal
7f66273d3f Add resource option immutable
This patch adds the --immutable and --no-immutable option to the
role, project and domain CLI.

Related-Patch: https://review.opendev.org/#/c/712182/

Change-Id: I9c3bdd741f28bf558267fb217818d947597ce13e
2020-04-08 13:51:01 +00:00
Vishakha Agarwal
05da145eae Adding options to user cli
User options [1] can be set by making POST and PATCH
request for /v3/users API calls but cannot by openstack
CLI because of no user options defined in create and update
user CLI [2]. This patch adds the user options [1] in
create user and update user CLI.

[1] https://docs.openstack.org/keystone/latest/admin/resource-options.html#multi-factor-auth-rules
[2] https://docs.openstack.org/api-ref/identity/v3/#create-user

Change-Id: I4e41bae2e8cfbe92d52b14d856991bedcd44164f
2020-03-26 22:24:39 +05:30
Zuul
fc12033f1d Merge "Now we can add description for role creation in OSC" 2020-03-20 18:59:44 +00:00
Colleen Murphy
99b0b07392 Fix copypaste errors in access rule command
Access rules are access rules, not application credentials.

Change-Id: I74d05f11ec186283e5a86d92dcbfe4eb24130eee
2020-01-21 15:08:46 -08:00
Colleen Murphy
70ab3f9dd5 Add support for app cred access rules
This commit introduces the --access-rules option for 'application
credential create' as well as new 'access rule' commands for listing,
showing, and deleting access rules.

bp whitelist-extension-for-app-creds

Change-Id: I04834b2874ec2a70da456a380b5bef03a392effa
2020-01-17 11:14:51 -08:00
lihaijing
d15bbada73 Replace six.iteritems() with .items()
1. As mentioned in [1], we should avoid using six.iteritems to achieve
   iterators. We can use dict.items instead, as it will return iterators
   in PY3 as well. And dict.items/keys will more readable.

2. In py2, the performance about list should be negligible,
   see the link [2].

[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I4b9edb326444264c0f6c4ad281acaac356a07e85
Implements: blueprint replace-iteritems-with-items
2020-01-09 18:41:29 +09:00
Eric Fried
cd6c285cc6 neutron: autogenerate docs
$namespace = openstack.network.v2

The subcommand documents for $namespace were hardcoded and thus prone to
drift over time. This commit removes the hardcoded content and uses the
autoprogram-cliff directive to generate them automatically from the
subcommand configuration classes.

This one turned out to be quite involved, because we support both
neutron and nova-network. When running in a real cloud, the command
classes detect whether the neutron service is present, assume
nova-network if that service is not found, and only add parser options
relevant to the detected service. But the docs need to present both sets
of options. This was easy enough when they were hardcoded, but required
a bit of additional infrastructure for generated docs.

Change-Id: I426261eb1d86bcc68656aabd61f10b7f082da402
2019-11-01 14:24:30 -05:00
Zuul
7e98aaefa9 Merge "Add parent project filter for listing projects" 2019-10-22 21:16:40 +00:00
Andreas Florath
9ad3439689 Fix osc-lib interface change: catch osc-lib Forbidden
The patch https://review.opendev.org/#/c/673389/
introduced a regression by changing the osc-lib
interface.

The patch
https://review.opendev.org/683119
changes the exception from the generic CommandError
back to a specific Forbidden exception.

This patch catches this exception and passes on, i.e.
re-implements the same behavior as before.

Story: 2006547

Change-Id: I17b1ec7abaa5b0828ccbcad40bd928565c5c59fb
Signed-off-by: Andreas Florath <Andreas.Florath@telekom.de>
2019-09-19 11:59:11 +00:00
Takashi Kajinami
7c1b6a799e Add parent project filter for listing projects
This patch introduces a new option --parent into project list,
to specify a parent project to filter projects which has
the given project as their parent.

Depends-on: https://review.opendev.org/#/c/677101
Change-Id: I6725262cf040e0ec6ceca9cf0462ce59224049c6
2019-09-02 09:05:37 +09:00
Zuul
eada2db332 Merge "Use cliff formattable columns in identity commands" 2019-06-23 04:49:33 +00:00
Akihiro Motoki
fa5046a3db Use cliff formattable columns in identity commands
Partial-Bug: #1687955
Partially implement blueprint osc-formattable-columns

Change-Id: Ia13314a012b3a7363ffb24a13c79c6ecdff1ed7b
2019-06-22 16:18:26 +00:00
Sean McGinnis
f9fdc296bc Remove deprecated identity commands and args
The following were deprecated over two years ago and can now be
removed/changed:

* Remove ``service create`` option ``--type``
* Remove ``role list`` options ``--project`` and ``--user``
* Remove ``user role list`` command

These are backwards incompatible changes and will require a major
version bump after they are merged.

Change-Id: I29e2fc9516dffbfd83eef0bc91e834dde99b4105
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
2019-05-19 12:54:33 -05:00
Zuul
e90b79be4c Merge "Fix RuntimeError when showing project which has extra properties" 2019-05-17 23:07:57 +00:00
Jose Castro Leon
04e03b2a1f Fix bug in endpoint group deletion
There is a typo in the endpoint group deletion, due to this you
can't remove endpoint groups once assigned. I am adding also the
unit tests to avoid this kind of issues in the future

Task: 30640
Story: 2005521
Change-Id: Ie938f2c9894bb39b4c0ed1f7aa3a6a751a303058
2019-05-08 16:22:27 -05:00
Zuul
ea2e6d6bfb Merge "Modify the help message for 'registered limit set'" 2018-12-18 07:17:25 +00:00
Vishakha Agarwal
eb06a24e4f Modify the help message for 'registered limit set'
Regsitered limit set CLI takes --service, --region and
--resource-name as param which can be updated along with
--default limit for existing registered limit.

Default limit can be updated with same value and CLI
return the success. But --service, --region and --resource-
name cannot be same as existing one. CLI return 409
for this case. Which is valid behaviour because more than
one limit with same service and same resource cannot exist.

But help message of --service, --region and --resource-name
are not much clear to tell that they cannot be passed with
same value.

This patch clarifies the help message for resigtered limit set CLI.

Reference Scenario:
*  openstack registered limit set --default-limit 91 64c2e97fbe904b888544ffdcab21989b
limit updated sucessfully

Updating limit with exsiting service and resource-name:

* openstack registered limit set --default-limit 92 --resource-name snapshot 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)

*openstack registered limit set --default-limit 93 --service compute 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)

*openstack registered limit set --default-limit 91 --resource-name snapshot --service glance 64c2e97fbe904b888544ffdcab21989b
Conflict occurred attempting to store registered_limit - Duplicate entry. (HTTP 409)

Change-Id: I9e78a6250567cd981adde96946818bb016760a49
2018-11-09 08:15:40 +05:30
Vishakha Agarwal
81fd5c995d Updated the take_actions for unified limits
When user passes --region None, the find_resource
of osc_lib calls get() of region. The get API of
region ignores the name param returning all the
regions in result. As the find_resource checks
many cases against the result returned by get API.
The output comes greater than 1, thus returning
"More than one region ID exist" which is incorrect.
However in case of region which cannot be filtered
by name we do not require to check these many cases.

The solution is to directly call the get method of
APIs and returning No resource name exist with the
xyz" on passing invaid parameter. And returning all
in case of None.

Thus created a new function get_resource which can
be used in future too by these types of API's.

Change-Id: Ib3f881d34a82af97199ce51bfbefc6f3f08599f1
Closes-bug: #1799153
2018-11-09 07:53:55 +05:30
Vishakha Agarwal
0d764cdb5a Add project param in LimitList parser
when doing openstack limit list --project xyz_id,
CLI raising error unrecognized arguments, whereas
in api-ref document [1], user can pass project_id
as query param.This addresses the above issue, by
adding param --project in parser of LimitList.

[1] https://developer.openstack.org/api-ref/identity/v3/index.html

Change-Id: If4644cc99a3803f61f4a688b828aeb73977fc0dd
Closes-Bug: #1798744
2018-11-08 11:19:24 -06:00
Julie Pichon
91a2d88862 Allow endpoint filtering on both project and project-domain
The --project and --project-domain flags are currently mutually
exclusive for listing endpoints, however the --project-domain argument
is supposed to help with filtering projects with colliding names. They
should be allowed together.

Story: 2004018
Task: 27007
Change-Id: I7340e01f509e3515f07cb46f175fb603f1ce8b67
2018-10-09 13:23:49 +00:00
M V P Nitesh
eb001733fd Now we can add description for role creation in OSC
Now user can add the description when user create's the role using OSC
``openstack role create`` command. User can add the description by adding
`--description <Description>` to OSC ``openstack role create`` command.

Co-Authored-By: Deepak Mourya<deepakmoriya7@gmail.com>
Change-Id: I858e004c3b29c687b6a39c8a1ed5fb029eb19c67
Depends-on: I230af9cc833af13064636b5d9a7ce6334c3f6e9a
Closes-Bug: #1669080
2018-09-18 08:56:11 +05:30
Lance Bragstad
735896eb1a Implement support for project limits
This commit let's users manage limits via the command line.

bp unified-limits

Change-Id: I7c44bbb60557378b66c5c43a7ba917f40dc2b633
2018-07-23 21:52:00 +00:00
Lance Bragstad
641a4faac1 Implement support for registered limits
This commit adds support for users to manage registered limits via
the command line.

bp unified-limits

Depends-On: https://review.openstack.org/#/c/574391/
Change-Id: Id8377363f7a3248b45aeeba21d2acc02684a0305
2018-07-23 21:18:50 +00:00
Sami MAKKI
08dbd154e5 Fix the role implies list command.
The code was calling an unexisting function which never existed.
The module refers now to the correct `InferenceRuleManager`. It
also allows the compatibility with the future python-keystoneclient
in which the compatibility method will be removed from the
RoleManager.

Change-Id: I08f785dc9e840da2e16915683eecfe49189c44b3
2018-06-24 02:17:02 +02:00
Yang Youseok
71f138b172 Fix RuntimeError when showing project which has extra properties
If you use python3, items() returns iterator which is not allowed to
remove item during iteration. Fix to iterate by copied list.

Change-Id: I64c037d04e2b127d8f19f56cab65122af89a7200
Closes-Bug: 1740232
2018-06-09 13:16:34 -05:00
Lance Bragstad
8bfa180430 Add system role functionality
This commit adds the necessary bits to expose system role
assignments to openstackclient via python-keystoneclient.

bp system-scope

Depends-On: Iecbcbf020a15f2bec777334c648d4477f89f3b2c
Change-Id: I261e84700b51e8715eaebdc3f8f8bc46b68542c2
2018-06-04 20:09:14 +00:00
Sean McGinnis
d601415259 Clean up W503 and E402 pep8 errors
pycodestyle 2.40 and later enforce these rules that were not previously
enforced. Rather than just skipping them, this cleans up the trivial
instances of these violations.

This does also include some other updates that were not triggering errors
in an attempt to keep some of the style consistent.

Change-Id: Id7c0a6b8f1f835e69d844b000e3ed751852ada63
Closes-bug: #1762803
2018-04-15 12:23:06 +09:00
Zuul
f21b0a073f Merge "Fix additional output encoding issues" 2018-03-29 04:23:16 +00:00
Dean Troyer
6df58b6366 Fix additional output encoding issues
This is a followup to https://review.openstack.org/#/c/541609/ that
changes most outstanding direct uses of sys.stdout to use the encoded
stdout set up by cliff.

Change-Id: I07cfc418385fc787d3b7d3c32d39676cf81bb91f
2018-03-20 15:40:23 -05:00
Zuul
e78c9bc00d Merge "Add CRUD support for application credentials" 2018-03-14 02:16:35 +00:00
Zuul
c24451e19c Merge "Add support for endpoint group commands" 2018-02-25 01:05:18 +00:00
Jose Castro Leon
1eae301c4f Add support for endpoint group commands
Implements the commands for endpoint group filter management.
Includes the CRUD management of the endpoint groups and the
association management between them and the projects that are
using this method.

Implements: blueprint keystone-endpoint-filter
Change-Id: I4265f7f8598d028191e90d76781b7b6ece6fef64
2018-02-23 20:36:04 +00:00
Gage Hugo
d32664150f Add project tags functionality
This change adds tags functionality for projects in keystone. A user
can add a single tag with "--tag", chain "--tag" to add multiple
tags, or clear tags with "--no-tag".

Change-Id: I31cfef3e76dcefe299dacb00c11bb1a10a252628
Partially-Implements: bp project-tags
2018-02-23 20:26:57 +00:00
Colleen Murphy
375964f270 Add CRUD support for application credentials
Add support for creating, retrieving, and deleting application
credentials. Application credentials do not support updates.

In order to provide a positive user experience for the `--role` option,
this patch also includes an improvement to the
`identity.common._get_token_resource()` function that allows it to
introspect the roles list within a token. This way there is no need to
make a request to keystone to retrieve a role object, which would fail
most of the time anyway due to keystone's default policy prohibiting
unprivileged users from retrieving roles.

bp application-credentials

Change-Id: I29e03b72acd931305cbdac5a9ff666854d05c6d7
2018-01-30 21:50:01 +01:00
Zuul
21b656ca4a Merge "Add support for endpoing filter commands" 2017-12-13 02:18:43 +00:00
Jose Castro Leon
12ee186108 Add support for endpoing filter commands
Implements the commands that allow to link and endpoint to
a project for endpoint filter management.

Implements: blueprint keystone-endpoint-filter

Change-Id: Iecf61495664fb8413d35ef69f07ea929d190d002
2017-11-21 07:58:48 +01:00
yangweiwei
0f749cacc2 Fix credentials in create, update and list.
Now, keystone has supported serverl auth method, like 'totp'.
Before we use this method, we should create the credential first.
And we need create it with type 'totp'. But now we cannot create
credential with this method.

Also, I think the type should not have constrains. We can create
any type in keystone project. So, we should do these actions too.
The type would be more which We cannot control.

Change-Id: Ie0482da3133fb515e4bb8e45f8c54f509589cc5e
Closes-bug: #1731848
2017-11-17 11:39:15 +08:00
Anton Frolov
f6f5ce03c5 Optimize getting endpoint list
Currently ListEndpoint.take_action method unconditionally iterates
over all endpoints and issue GET /v3/services/<ep.service_id>
request for each endpoint. In case of HTTPS keystone endpoint this
can take significant amout of time, and it only getting worse in
case of multiple regions.

This commit change this logic to making just two GET requests: first
it gets endpoint list, then it gets service list, searching service
in the list instead of issuing GET /v3/services/<id> request.

Change-Id: I22b61c0b45b0205a2f5a4608c2473cb7814fe3cf
Closes-Bug: 1719413
2017-09-26 14:31:07 -07:00
Harry Rybacki
8cd3e258c5 Implied Roles
Allow the user to create an inference rule between
two roles. The first, called the prior role
is the role explicitly assigned to an individual.
The second, called the implied role, is one that
the user gets implicitly. For example:

Role B implies Role A.
User X is assigned Role B.
Therefore User X also assigned Role A.

The management and maintenance of the rules is
performed in the Keystone server.

Change-Id: If547c2f16e812bc7fffd742ec37e6a26011f3185
2017-08-22 17:08:30 +00:00