authorTerry Howe <terrylhowe@gmail.com>2014-05-30 10:38:20 -0600
committerTerry Howe <thowe@hp.com>2014-07-07 20:18:39 +0000
commitb6384886973c652c0161a9caeac6f31066edace1 (patch)
treee2ed27fc511b9c64a4064c892d6e6d31e300ae50 /openstackclient/identity/common.py
parentb3736fd9df869e2f2824ed831deb3aa9a446ee59 (diff)
downloadpython-openstackclient-b6384886973c652c0161a9caeac6f31066edace1.tar.gz
Domain administrator cannot do project operations
Domain administrators cannot do project operations because these require access to the domain API (which they don't have). When attempting to find a domain for project operations, ignore errors because the API returns nothing without indicating there is a problem. The domain administrators will have to use a domain id, but they will still be able to do project operations. If the user does not have permission to read the domain table, they cannot use domain names. Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752 Closes-Bug: #1317478 Closes-Bug: #1317485
Diffstat (limited to 'openstackclient/identity/common.py')
-rw-r--r--openstackclient/identity/common.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/openstackclient/identity/common.py b/openstackclient/identity/common.py
index 6aeaa3c3..48dc0c89 100644
--- a/openstackclient/identity/common.py
+++ b/openstackclient/identity/common.py
@@ -16,6 +16,7 @@
"""Common identity code"""
from keystoneclient import exceptions as identity_exc
+from keystoneclient.v3 import domains
from openstackclient.common import exceptions
from openstackclient.common import utils
@@ -36,3 +37,23 @@ def find_service(identity_client, name_type_or_id):
msg = ("No service with a type, name or ID of '%s' exists."
% name_type_or_id)
raise exceptions.CommandError(msg)
+
+
+def find_domain(identity_client, name_or_id):
+ """Find a domain.
+
+ If the user does not have permssions to access the v3 domain API,
+ assume that domain given is the id rather than the name. This
+ method is used by the project list command, so errors access the
+ domain will be ignored and if the user has access to the project
+ API, everything will work fine.
+
+ Closes bugs #1317478 and #1317485.
+ """
+ try:
+ dom = utils.find_resource(identity_client.domains, name_or_id)
+ if dom is not None:
+ return dom
+ except identity_exc.Forbidden:
+ pass
+ return domains.Domain(None, {'id': name_or_id})
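Review bot: The `except identity_exc.Forbidden: pass` at the end of find_domain discards an authorization failure without any trace, and the fallback then wraps the caller's raw `name_or_id` in a `domains.Domain` as if it were a verified ID. A user who passes a domain name without read access gets a stub whose `id` is that name, so the mistake only surfaces later from a different API call and is hard to attribute to the denied lookup. I would record the denial where it happens, for example by replacing `pass` with `LOG.debug("domain lookup forbidden; treating %r as a domain ID", name_or_id)` (assuming a module logger exists, which this hunk does not show), and say in the docstring that the returned object is unverified and built with a `None` manager. The docstring also has two wording slips worth fixing while here: `permssions` and `errors access the domain`.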