Commit 713d92d

henrynash authored and Dean Troyer committed
Add assignment list to v2 identity and deprecate alternate listing
The current identity role list command (both v2 and v3) is overloaded with listing roles as well as assignments (if you provide user, group, project or domain options). This is in addition to the v3 assignment list command designed for this purpose.

This overloading complicates the fact that roles can now be domain specific (i.e. have a domain attribute), so the command 'role list --domain <domain-name>' will soon become ambiguous (this is in a follow on patch).

This patch:
- Adds a v2 assignments list, with support for pulling the user and project from the auth credentials
- For compatibility, adds the same auth support to the existing v3 assignments list
- Deprecates the use of role list and user role list to list assignments

Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8
Partial-Bug: 1605774
1 parent 719c5d7 commit 713d92d

11 files changed

Lines changed: 556 additions & 7 deletions

doc/source/command-objects/role-assignment.rst

Lines changed: 27 additions & 1 deletion
@@ -2,7 +2,7 @@
22
role assignment
33
===============
44

5-
Identity v3
5+
Identity v2, v3
66

77
role assignment list
88
--------------------
@@ -23,11 +23,14 @@ List role assignments
2323
[--project-domain <project-domain>]
2424
[--effective]
2525
[--inherited]
26+
[--names]
2627
2728
.. option:: --role <role>
2829

2930
Role to filter (name or ID)
3031

32+
.. versionadded:: 3
33+
3134
.. option:: --user <user>
3235

3336
User to filter (name or ID)
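
Review bot: the synopsis gains `[--names]` here but not `[--auth-user]` or `[--auth-project]`, which this patch documents as options at the end of the same file. Add both to the synopsis so the usage block matches the option list.
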
@@ -37,19 +40,27 @@ List role assignments
3740
Domain the user belongs to (name or ID).
3841
This can be used in case collisions between user names exist.
3942

43+
.. versionadded:: 3
44+
4045
.. option:: --group <group>
4146

4247
Group to filter (name or ID)
4348

49+
.. versionadded:: 3
50+
4451
.. option:: --group-domain <group-domain>
4552

4653
Domain the group belongs to (name or ID).
4754
This can be used in case collisions between group names exist.
4855

56+
.. versionadded:: 3
57+
4958
.. option:: --domain <domain>
5059

5160
Domain to filter (name or ID)
5261

62+
.. versionadded:: 3
63+
5364
.. option:: --project <project>
5465

5566
Project to filter (name or ID)
@@ -59,14 +70,29 @@ List role assignments
5970
Domain the project belongs to (name or ID).
6071
This can be used in case collisions between project names exist.
6172

73+
.. versionadded:: 3
74+
6275
.. option:: --effective
6376

6477
Returns only effective role assignments (defaults to False)
6578

79+
.. versionadded:: 3
80+
6681
.. option:: --inherited
6782

6883
Specifies if the role grant is inheritable to the sub projects
6984

85+
.. versionadded:: 3
86+
7087
.. option:: --names
7188

7289
Returns role assignments with names instead of IDs
90+
91+
.. option:: --auth-user
92+
93+
Returns role assignments for the authenticated user.
94+
95+
.. option:: --auth-project
96+
97+
Returns role assignments for the project to which the authenticated user
98+
is scoped.
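
Review bot: the `--auth-user` and `--auth-project` entries do not say what happens when they are combined with `--user` or `--project`, nor that Identity v2 needs both a user and a project (the v2 command added in this patch raises "Project and User must be specified" otherwise). State the precedence and the v2 requirement here, since this page now covers v2 as well as v3.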

doc/source/command-objects/role.rst

Lines changed: 14 additions & 6 deletions
@@ -7,7 +7,7 @@ Identity v2, v3
77
role add
88
--------
99

10-
Add role to a user or group in a project or domain
10+
Add role assignment to a user or group in a project or domain
1111

1212
.. program:: role add
1313
.. code:: bash
@@ -123,57 +123,65 @@ List roles
123123

124124
Filter roles by <domain> (name or ID)
125125

126-
.. versionadded:: 3
126+
(Deprecated, please use ``role assignment list`` instead)
127127

128128
.. option:: --project <project>
129129

130130
Filter roles by <project> (name or ID)
131131

132-
.. versionadded:: 3
132+
(Deprecated, please use ``role assignment list`` instead)
133133

134134
.. option:: --user <user>
135135

136136
Filter roles by <user> (name or ID)
137137

138-
.. versionadded:: 3
138+
(Deprecated, please use ``role assignment list`` instead)
139139

140140
.. option:: --group <group>
141141

142142
Filter roles by <group> (name or ID)
143143

144-
.. versionadded:: 3
144+
(Deprecated, please use ``role assignment list`` instead)
145145

146146
.. option:: --user-domain <user-domain>
147147

148148
Domain the user belongs to (name or ID).
149149
This can be used in case collisions between user names exist.
150150

151+
(Deprecated, please use ``role assignment list`` instead)
152+
151153
.. versionadded:: 3
152154

153155
.. option:: --group-domain <group-domain>
154156

155157
Domain the group belongs to (name or ID).
156158
This can be used in case collisions between group names exist.
157159

160+
(Deprecated, please use ``role assignment list`` instead)
161+
158162
.. versionadded:: 3
159163

160164
.. option:: --project-domain <project-domain>
161165

162166
Domain the project belongs to (name or ID).
163167
This can be used in case collisions between project names exist.
164168

169+
(Deprecated, please use ``role assignment list`` instead)
170+
165171
.. versionadded:: 3
166172

167173
.. option:: --inherited
168174

169175
Specifies if the role grant is inheritable to the sub projects.
170176

177+
(Deprecated, please use ``role assignment list`` instead)
178+
171179
.. versionadded:: 3
172180

173181
role remove
174182
-----------
175183

176-
Remove role from domain/project : user/group
184+
Remove role assignment from domain/project : user/group
177185

178186
.. program:: role remove
179187
.. code:: bash
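
Review bot: the deprecation notice is applied in two different ways in this hunk: for `--domain`, `--project`, `--user` and `--group` it replaces `.. versionadded:: 3`, while for `--user-domain`, `--group-domain`, `--project-domain` and `--inherited` it is added above a retained `.. versionadded:: 3`. Pick one form; keeping the version marker everywhere avoids dropping the version information the old lines carried.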

openstackclient/identity/v2_0/role.py

Lines changed: 16 additions & 0 deletions
@@ -150,6 +150,15 @@ def get_parser(self, prog_name):
150150
return parser
151151

152152
def take_action(self, parsed_args):
153+
154+
def _deprecated():
155+
# NOTE(henry-nash): Deprecated as of Newton, so we should remove
156+
# this in the 'P' release.
157+
self.log.warning(_('Listing assignments using role list is '
158+
'deprecated as of the Newton release. Use role '
159+
'assignment list --user <user-name> --project '
160+
'<project-name> --names instead.'))
161+
153162
identity_client = self.app.client_manager.identity
154163
auth_ref = self.app.client_manager.auth_ref
155164

@@ -166,6 +175,7 @@ def take_action(self, parsed_args):
166175
identity_client.projects,
167176
parsed_args.project,
168177
)
178+
_deprecated()
169179
data = identity_client.roles.roles_for_user(user.id, project.id)
170180

171181
elif parsed_args.user:
@@ -181,6 +191,7 @@ def take_action(self, parsed_args):
181191
else:
182192
msg = _("Project must be specified")
183193
raise exceptions.CommandError(msg)
194+
_deprecated()
184195
data = identity_client.roles.roles_for_user(user.id, project.id)
185196
elif parsed_args.project:
186197
project = utils.find_resource(
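
Review bot: in this branch, under `elif parsed_args.user:`, the project was not given on the command line, yet `_deprecated()` tells the user to run `role assignment list --user <user-name> --project <project-name> --names`. This patch adds `--auth-project` and `--auth-user` for that case, so consider passing the suggested replacement into `_deprecated()` so the hint matches how the command was invoked; the same applies to the `elif parsed_args.project:` branch that follows.
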
@@ -195,6 +206,7 @@ def take_action(self, parsed_args):
195206
else:
196207
msg = _("User must be specified")
197208
raise exceptions.CommandError(msg)
209+
_deprecated()
198210
data = identity_client.roles.roles_for_user(user.id, project.id)
199211

200212
if parsed_args.user or parsed_args.project:
@@ -249,6 +261,10 @@ def take_action(self, parsed_args):
249261
msg = _("User must be specified")
250262
raise exceptions.CommandError(msg)
251263

264+
self.log.warning(_('Listing assignments using user role list is '
265+
'deprecated as of the Newton release. Use role '
266+
'assignment list --user <user-name> --project '
267+
'<project-name> --names instead.'))
252268
project = utils.find_resource(
253269
identity_client.tenants,
254270
parsed_args.project,
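
Review bot: this warning repeats the text of the `_deprecated()` helper added to `role list` earlier in the file, differing only in the command name, and it lacks that helper's NOTE about removal in the 'P' release. Move the message into one shared helper that takes the command name, and keep the removal note with it.
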
Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
# Licensed under the Apache License, Version 2.0 (the "License"); you may
2+
# not use this file except in compliance with the License. You may obtain
3+
# a copy of the License at
4+
#
5+
# http://www.apache.org/licenses/LICENSE-2.0
6+
#
7+
# Unless required by applicable law or agreed to in writing, software
8+
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9+
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10+
# License for the specific language governing permissions and limitations
11+
# under the License.
12+
#
13+
14+
"""Identity v2 Assignment action implementations """
15+
16+
from openstackclient.common import command
17+
from openstackclient.common import exceptions
18+
from openstackclient.common import utils
19+
from openstackclient.i18n import _ # noqa
20+
21+
22+
class ListRoleAssignment(command.Lister):
23+
"""List role assignments"""
24+
25+
def get_parser(self, prog_name):
26+
parser = super(ListRoleAssignment, self).get_parser(prog_name)
27+
parser.add_argument(
28+
'--user',
29+
metavar='<user>',
30+
help='User to filter (name or ID)',
31+
)
32+
parser.add_argument(
33+
'--project',
34+
metavar='<project>',
35+
help='Project to filter (name or ID)',
36+
)
37+
parser.add_argument(
38+
'--names',
39+
action="store_true",
40+
help='Display names instead of IDs',
41+
)
42+
parser.add_argument(
43+
'--auth-user',
44+
action="store_true",
45+
dest='authuser',
46+
help='Only list assignments for the authenticated user',
47+
)
48+
parser.add_argument(
49+
'--auth-project',
50+
action="store_true",
51+
dest='authproject',
52+
help='Only list assignments for the project to which the '
53+
'authenticated user\'s token is scoped',
54+
)
55+
return parser
56+
57+
def take_action(self, parsed_args):
58+
identity_client = self.app.client_manager.identity
59+
auth_ref = self.app.client_manager.auth_ref
60+
61+
include_names = True if parsed_args.names else False
62+
63+
user = None
64+
if parsed_args.user:
65+
user = utils.find_resource(
66+
identity_client.users,
67+
parsed_args.user,
68+
)
69+
elif parsed_args.authuser:
70+
if auth_ref:
71+
user = utils.find_resource(
72+
identity_client.users,
73+
auth_ref.user_id
74+
)
75+
76+
project = None
77+
if parsed_args.project:
78+
project = utils.find_resource(
79+
identity_client.projects,
80+
parsed_args.project,
81+
)
82+
elif parsed_args.authproject:
83+
if auth_ref:
84+
project = utils.find_resource(
85+
identity_client.projects,
86+
auth_ref.project_id
87+
)
88+
89+
# If user or project is not specified, we would ideally list all
90+
# relevant assignments in the system (to be compatible with v3).
91+
# However, there is no easy way of doing that in v2.
92+
if not user or not project:
93+
msg = _("Project and User must be specified")
94+
raise exceptions.CommandError(msg)
95+
else:
96+
data = identity_client.roles.roles_for_user(user.id, project.id)
97+
98+
columns = ('Role', 'User', 'Project')
99+
for user_role in data:
100+
if include_names:
101+
setattr(user_role, 'role', user_role.name)
102+
user_role.user = user.name
103+
user_role.project = project.name
104+
else:
105+
setattr(user_role, 'role', user_role.id)
106+
user_role.user = user.id
107+
user_role.project = project.id
108+
109+
return (columns,
110+
(utils.get_item_properties(
111+
s, columns,
112+
formatters={},
113+
) for s in data))
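
Review bot: `--user` and `--auth-user` (likewise `--project` and `--auth-project`) can be passed together, and the `if`/`elif` chains in `take_action` silently let the explicit value win. Declare each pair as a mutually exclusive group in `get_parser`. In addition, when `--auth-user` or `--auth-project` is given and `auth_ref` is empty, the command falls through to "Project and User must be specified", which does not tell the user what went wrong, and the `help=` strings are not wrapped in `_()` although `_` is imported.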

openstackclient/identity/v3/role.py

Lines changed: 20 additions & 0 deletions
@@ -251,6 +251,10 @@ def take_action(self, parsed_args):
251251
for user_role in data:
252252
user_role.user = user.name
253253
user_role.domain = domain.name
254+
self.log.warning(_('Listing assignments using role list is '
255+
'deprecated. Use role assignment list --user '
256+
'<user-name> --domain <domain-name> --names '
257+
'instead.'))
254258
elif parsed_args.user and parsed_args.project:
255259
columns = ('ID', 'Name', 'Project', 'User')
256260
data = identity_client.roles.list(
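
Review bot: the v3 warning added here says only "deprecated", while the v2 warnings in this patch say "deprecated as of the Newton release" and carry a NOTE naming the release for removal. Use the same wording here and add the removal note so both API versions are retired on the same schedule.
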
@@ -261,13 +265,21 @@ def take_action(self, parsed_args):
261265
for user_role in data:
262266
user_role.user = user.name
263267
user_role.project = project.name
268+
self.log.warning(_('Listing assignments using role list is '
269+
'deprecated. Use role assignment list --user '
270+
'<user-name> --project <project-name> --names '
271+
'instead.'))
264272
elif parsed_args.user:
265273
columns = ('ID', 'Name')
266274
data = identity_client.roles.list(
267275
user=user,
268276
domain='default',
269277
os_inherit_extension_inherited=parsed_args.inherited
270278
)
279+
self.log.warning(_('Listing assignments using role list is '
280+
'deprecated. Use role assignment list --user '
281+
'<user-name> --domain default --names '
282+
'instead.'))
271283
elif parsed_args.group and parsed_args.domain:
272284
columns = ('ID', 'Name', 'Domain', 'Group')
273285
data = identity_client.roles.list(
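
Review bot: the same warning is pasted into each branch of this `take_action` with only the option names changed, and both copies in this hunk sit after the `identity_client.roles.list(...)` call, so nothing is logged if the call raises. Build the message in one helper that takes the suggested options and call it before the request, as the v2 `role list` change does with `_deprecated()`.
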
@@ -278,6 +290,10 @@ def take_action(self, parsed_args):
278290
for group_role in data:
279291
group_role.group = group.name
280292
group_role.domain = domain.name
293+
self.log.warning(_('Listing assignments using role list is '
294+
'deprecated. Use role assignment list --group '
295+
'<group-name> --domain <domain-name> --names '
296+
'instead.'))
281297
elif parsed_args.group and parsed_args.project:
282298
columns = ('ID', 'Name', 'Project', 'Group')
283299
data = identity_client.roles.list(
@@ -288,6 +304,10 @@ def take_action(self, parsed_args):
288304
for group_role in data:
289305
group_role.group = group.name
290306
group_role.project = project.name
307+
self.log.warning(_('Listing assignments using role list is '
308+
'deprecated. Use role assignment list --group '
309+
'<group-name> --project <project-name> --names '
310+
'instead.'))
291311
else:
292312
sys.stderr.write(_("Error: If a user or group is specified, "
293313
"either --domain or --project must also be "
