2e491191e5
Fix the wrong value assignment which made the --user-domain option ignored. Unit tests are updated to verify usage of domain options to avoid further regressions. Also drop the redundant look up of domain id to avoid unnecessary API call. Closes-Bug: #2085604 Change-Id: I5112b8e831fb26eb6544615277f0d3fe4f15dc5a
251 lines
7.8 KiB
Python
251 lines
7.8 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""Identity v3 Assignment action implementations"""
|
|
|
|
from openstack import exceptions as sdk_exceptions
|
|
from osc_lib.command import command
|
|
|
|
from openstackclient.i18n import _
|
|
from openstackclient.identity import common
|
|
|
|
|
|
def _format_role_assignment_(assignment, include_names):
|
|
def _get_names(attr):
|
|
return (
|
|
(
|
|
attr['name']
|
|
+ (
|
|
"@" + domain['name']
|
|
if (domain := attr.get('domain'))
|
|
else ''
|
|
)
|
|
)
|
|
or ''
|
|
if attr
|
|
else ''
|
|
)
|
|
|
|
def _get_ids(attr):
|
|
return attr['id'] or '' if attr else ''
|
|
|
|
func = _get_names if include_names else _get_ids
|
|
return (
|
|
func(assignment.role),
|
|
func(assignment.user),
|
|
func(assignment.group),
|
|
func(assignment.scope.get('project')),
|
|
func(assignment.scope.get('domain')),
|
|
'all' if assignment.scope.get("system") else '',
|
|
assignment.scope.get("OS-INHERIT:inherited_to") == 'projects',
|
|
)
|
|
|
|
|
|
def _find_sdk_id(find_command, name_or_id, **kwargs):
|
|
try:
|
|
return find_command(
|
|
name_or_id=name_or_id, ignore_missing=False, **kwargs
|
|
).id
|
|
except sdk_exceptions.ForbiddenException:
|
|
return name_or_id
|
|
|
|
|
|
class ListRoleAssignment(command.Lister):
|
|
_description = _("List role assignments")
|
|
|
|
def get_parser(self, prog_name):
|
|
parser = super().get_parser(prog_name)
|
|
parser.add_argument(
|
|
'--effective',
|
|
action="store_true",
|
|
default=None,
|
|
help=_('Returns only effective role assignments'),
|
|
)
|
|
parser.add_argument(
|
|
'--role',
|
|
metavar='<role>',
|
|
help=_('Role to filter (name or ID)'),
|
|
)
|
|
common.add_role_domain_option_to_parser(parser)
|
|
parser.add_argument(
|
|
'--names',
|
|
action="store_true",
|
|
help=_('Display names instead of IDs'),
|
|
)
|
|
user_or_group = parser.add_mutually_exclusive_group()
|
|
user_or_group.add_argument(
|
|
'--user',
|
|
metavar='<user>',
|
|
help=_('User to filter (name or ID)'),
|
|
)
|
|
common.add_user_domain_option_to_parser(parser)
|
|
user_or_group.add_argument(
|
|
'--group',
|
|
metavar='<group>',
|
|
help=_('Group to filter (name or ID)'),
|
|
)
|
|
common.add_group_domain_option_to_parser(parser)
|
|
system_or_domain_or_project = parser.add_mutually_exclusive_group()
|
|
system_or_domain_or_project.add_argument(
|
|
'--domain',
|
|
metavar='<domain>',
|
|
help=_('Domain to filter (name or ID)'),
|
|
)
|
|
system_or_domain_or_project.add_argument(
|
|
'--project',
|
|
metavar='<project>',
|
|
help=_('Project to filter (name or ID)'),
|
|
)
|
|
system_or_domain_or_project.add_argument(
|
|
'--system',
|
|
metavar='<system>',
|
|
help=_('Filter based on system role assignments'),
|
|
)
|
|
common.add_project_domain_option_to_parser(parser)
|
|
common.add_inherited_option_to_parser(parser)
|
|
parser.add_argument(
|
|
'--auth-user',
|
|
action="store_true",
|
|
dest='authuser',
|
|
help='Only list assignments for the authenticated user',
|
|
)
|
|
parser.add_argument(
|
|
'--auth-project',
|
|
action="store_true",
|
|
dest='authproject',
|
|
help='Only list assignments for the project to which the '
|
|
'authenticated user\'s token is scoped',
|
|
)
|
|
return parser
|
|
|
|
def take_action(self, parsed_args):
|
|
identity_client = self.app.client_manager.sdk_connection.identity
|
|
auth_ref = self.app.client_manager.auth_ref
|
|
|
|
role_id = None
|
|
role_domain_id = None
|
|
if parsed_args.role_domain:
|
|
role_domain_id = _find_sdk_id(
|
|
identity_client.find_domain,
|
|
name_or_id=parsed_args.role_domain,
|
|
)
|
|
if parsed_args.role:
|
|
role_id = _find_sdk_id(
|
|
identity_client.find_role,
|
|
name_or_id=parsed_args.role,
|
|
domain_id=role_domain_id,
|
|
)
|
|
|
|
user_domain_id = None
|
|
if parsed_args.user_domain:
|
|
user_domain_id = _find_sdk_id(
|
|
identity_client.find_domain,
|
|
name_or_id=parsed_args.user_domain,
|
|
)
|
|
|
|
user_id = None
|
|
if parsed_args.user:
|
|
user_id = _find_sdk_id(
|
|
identity_client.find_user,
|
|
name_or_id=parsed_args.user,
|
|
domain_id=user_domain_id,
|
|
)
|
|
elif parsed_args.authuser:
|
|
if auth_ref:
|
|
user_id = _find_sdk_id(
|
|
identity_client.find_user,
|
|
name_or_id=auth_ref.user_id,
|
|
)
|
|
|
|
system = None
|
|
if parsed_args.system:
|
|
system = parsed_args.system
|
|
|
|
domain_id = None
|
|
if parsed_args.domain:
|
|
domain_id = _find_sdk_id(
|
|
identity_client.find_domain,
|
|
name_or_id=parsed_args.domain,
|
|
)
|
|
|
|
project_domain_id = None
|
|
if parsed_args.project_domain:
|
|
project_domain_id = _find_sdk_id(
|
|
identity_client.find_domain,
|
|
name_or_id=parsed_args.project_domain,
|
|
)
|
|
|
|
project_id = None
|
|
if parsed_args.project:
|
|
project_id = _find_sdk_id(
|
|
identity_client.find_project,
|
|
name_or_id=common._get_token_resource(
|
|
identity_client, 'project', parsed_args.project
|
|
),
|
|
domain_id=project_domain_id,
|
|
)
|
|
elif parsed_args.authproject:
|
|
if auth_ref:
|
|
project_id = _find_sdk_id(
|
|
identity_client.find_project,
|
|
name_or_id=auth_ref.project_id,
|
|
)
|
|
|
|
group_domain_id = None
|
|
if parsed_args.group_domain:
|
|
group_domain_id = _find_sdk_id(
|
|
identity_client.find_domain,
|
|
name_or_id=parsed_args.group_domain,
|
|
)
|
|
|
|
group_id = None
|
|
if parsed_args.group:
|
|
group_id = _find_sdk_id(
|
|
identity_client.find_group,
|
|
name_or_id=parsed_args.group,
|
|
domain_id=group_domain_id,
|
|
)
|
|
|
|
include_names = True if parsed_args.names else None
|
|
columns = (
|
|
'Role',
|
|
'User',
|
|
'Group',
|
|
'Project',
|
|
'Domain',
|
|
'System',
|
|
'Inherited',
|
|
)
|
|
|
|
inherited_to = 'projects' if parsed_args.inherited else None
|
|
|
|
data = identity_client.role_assignments(
|
|
role_id=role_id,
|
|
user_id=user_id,
|
|
group_id=group_id,
|
|
scope_project_id=project_id,
|
|
scope_domain_id=domain_id,
|
|
scope_system=system,
|
|
effective=parsed_args.effective,
|
|
include_names=include_names,
|
|
inherited_to=inherited_to,
|
|
)
|
|
|
|
data_parsed = []
|
|
for assignment in data:
|
|
data_parsed.append(
|
|
_format_role_assignment_(assignment, include_names)
|
|
)
|
|
|
|
return columns, tuple(data_parsed)
|