hemna
diff --git a/‎lower-constraints.txt‎
Lines changed: 1 addition & 1 deletion b/‎lower-constraints.txt‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎openstackclient/identity/v3/role.py‎
Lines changed: 26 additions & 7 deletions b/‎openstackclient/identity/v3/role.py‎
Lines changed: 26 additions & 7 deletions
diff --git a/‎openstackclient/identity/v3/role_assignment.py‎
Lines changed: 29 additions & 6 deletions b/‎openstackclient/identity/v3/role_assignment.py‎
Lines changed: 29 additions & 6 deletions
diff --git a/‎openstackclient/identity/v3/token.py‎
Lines changed: 6 additions & 0 deletions b/‎openstackclient/identity/v3/token.py‎
Lines changed: 6 additions & 0 deletions
@@ -95,7 +95,7 @@ python-heatclient==1.10.0
 python-ironic-inspector-client==1.5.0
 python-ironicclient==2.3.0
 python-karborclient==0.6.0
-python-keystoneclient==3.8.0
+python-keystoneclient==3.15.0
 python-mimeparse==1.6.0
 python-mistralclient==3.1.0
 python-muranoclient==0.8.2
 
@@ -31,13 +31,18 @@
 
 
 def _add_identity_and_resource_options_to_parser(parser):
-    domain_or_project = parser.add_mutually_exclusive_group()
-    domain_or_project.add_argument(
+    system_or_domain_or_project = parser.add_mutually_exclusive_group()
+    system_or_domain_or_project.add_argument(
+        '--system',
+        metavar='<system>',
+        help=_('Include <system> (all)'),
+    )
+    system_or_domain_or_project.add_argument(
         '--domain',
         metavar='<domain>',
         help=_('Include <domain> (name or ID)'),
     )
-    domain_or_project.add_argument(
+    system_or_domain_or_project.add_argument(
         '--project',
         metavar='<project>',
         help=_('Include <project> (name or ID)'),
@@ -62,7 +67,14 @@ def _add_identity_and_resource_options_to_parser(parser):
 def _process_identity_and_resource_options(parsed_args,
                                            identity_client_manager):
     kwargs = {}
-    if parsed_args.user and parsed_args.domain:
+    if parsed_args.user and parsed_args.system:
+        kwargs['user'] = common.find_user(
+            identity_client_manager,
+            parsed_args.user,
+            parsed_args.user_domain,
+        ).id
+        kwargs['system'] = parsed_args.system
+    elif parsed_args.user and parsed_args.domain:
         kwargs['user'] = common.find_user(
             identity_client_manager,
             parsed_args.user,
@@ -83,6 +95,13 @@ def _process_identity_and_resource_options(parsed_args,
             parsed_args.project,
             parsed_args.project_domain,
         ).id
+    elif parsed_args.group and parsed_args.system:
+        kwargs['group'] = common.find_group(
+            identity_client_manager,
+            parsed_args.group,
+            parsed_args.group_domain,
+        ).id
+        kwargs['system'] = parsed_args.system
     elif parsed_args.group and parsed_args.domain:
         kwargs['group'] = common.find_group(
             identity_client_manager,
@@ -109,8 +128,8 @@ def _process_identity_and_resource_options(parsed_args,
 
 
 class AddRole(command.Command):
-    _description = _("Adds a role assignment to a user or group on a domain "
-                     "or project")
+    _description = _("Adds a role assignment to a user or group on the "
+                     "system, a domain, or a project")
 
     def get_parser(self, prog_name):
         parser = super(AddRole, self).get_parser(prog_name)
@@ -381,7 +400,7 @@ def take_action(self, parsed_args):
 
 
 class RemoveRole(command.Command):
-    _description = _("Removes a role assignment from domain/project : "
+    _description = _("Removes a role assignment from system/domain/project : "
                      "user/group")
 
     def get_parser(self, prog_name):
 
@@ -55,17 +55,22 @@ def get_parser(self, prog_name):
             help=_('Group to filter (name or ID)'),
         )
         common.add_group_domain_option_to_parser(parser)
-        domain_or_project = parser.add_mutually_exclusive_group()
-        domain_or_project.add_argument(
+        system_or_domain_or_project = parser.add_mutually_exclusive_group()
+        system_or_domain_or_project.add_argument(
             '--domain',
             metavar='<domain>',
             help=_('Domain to filter (name or ID)'),
         )
-        domain_or_project.add_argument(
+        system_or_domain_or_project.add_argument(
             '--project',
             metavar='<project>',
             help=_('Project to filter (name or ID)'),
         )
+        system_or_domain_or_project.add_argument(
+            '--system',
+            metavar='<system>',
+            help=_('Filter based on system role assignments'),
+        )
         common.add_project_domain_option_to_parser(parser)
         common.add_inherited_option_to_parser(parser)
         parser.add_argument(
@@ -85,7 +90,8 @@ def get_parser(self, prog_name):
 
     def _as_tuple(self, assignment):
         return (assignment.role, assignment.user, assignment.group,
-                assignment.project, assignment.domain, assignment.inherited)
+                assignment.project, assignment.domain, assignment.system,
+                assignment.inherited)
 
     def take_action(self, parsed_args):
         identity_client = self.app.client_manager.identity
@@ -117,6 +123,10 @@ def take_action(self, parsed_args):
                     auth_ref.user_id
                 )
 
+        system = None
+        if parsed_args.system:
+            system = parsed_args.system
+
         domain = None
         if parsed_args.domain:
             domain = common.find_domain(
@@ -149,14 +159,17 @@ def take_action(self, parsed_args):
 
         include_names = True if parsed_args.names else False
         effective = True if parsed_args.effective else False
-        columns = ('Role', 'User', 'Group', 'Project', 'Domain', 'Inherited')
+        columns = (
+            'Role', 'User', 'Group', 'Project', 'Domain', 'System', 'Inherited'
+        )
 
         inherited_to = 'projects' if parsed_args.inherited else None
         data = identity_client.role_assignments.list(
             domain=domain,
             user=user,
             group=group,
             project=project,
+            system=system,
             role=role,
             effective=effective,
             os_inherit_extension_inherited_to=inherited_to,
@@ -174,14 +187,24 @@ def take_action(self, parsed_args):
                 else:
                     setattr(assignment, 'project', scope['project']['id'])
                 assignment.domain = ''
+                assignment.system = ''
             elif 'domain' in scope:
                 if include_names:
                     setattr(assignment, 'domain', scope['domain']['name'])
                 else:
                     setattr(assignment, 'domain', scope['domain']['id'])
                 assignment.project = ''
-
+                assignment.system = ''
+            elif 'system' in scope:
+                # NOTE(lbragstad): If, or when, keystone supports role
+                # assignments on subsets of a system, this will have to evolve
+                # to handle that case instead of hardcoding to the entire
+                # system.
+                setattr(assignment, 'system', 'all')
+                assignment.domain = ''
+                assignment.project = ''
             else:
+                assignment.system = ''
                 assignment.domain = ''
                 assignment.project = ''
 
 
@@ -192,6 +192,12 @@ def take_action(self, parsed_args):
             data['user_id'] = auth_ref.user_id
         if auth_ref.domain_id:
             data['domain_id'] = auth_ref.domain_id
+        if auth_ref.system_scoped:
+            # NOTE(lbragstad): This could change in the future when, or if,
+            # keystone supports the ability to scope to a subset of the entire
+            # deployment system. When that happens, this will have to relay
+            # scope information and IDs like we do for projects and domains.
+            data['system'] = 'all'
         return zip(*sorted(six.iteritems(data)))