summaryrefslogtreecommitdiff
path: root/openstackclient/identity
diff options
context:
space:
mode:
authorLance Bragstad <lbragstad@gmail.com>2020-07-09 17:07:52 -0500
committerLance Bragstad <lbragstad@gmail.com>2020-08-19 10:50:37 -0500
commit2e0a0f15cf50e200925aebd9659d903c79b5b68e (patch)
tree76af36c632f8ac5ef604c0a41f6b63e017eea7f0 /openstackclient/identity
parent3934fe8d0a53593d6fcbed8ea8867e22282d60aa (diff)
downloadpython-openstackclient-2e0a0f15cf50e200925aebd9659d903c79b5b68e.tar.gz
Bypass user and group verification in RemoveRole
Keystone let's users remove role assignments that reference non-existent users and groups. This is nice when keystone backs to an identity store like LDAP and users or groups are removed. Previously, openstackclient would validate the user and group existed in keystone before sending the request to delete the role assignment. This commit updates the code to bypass that validation so that users can use IDs to forcibly cleanup role assignments. Change-Id: I102b41677736bbe37a82abaa3c5b3e1faf2475d5 Story: 2006635 Task: 36848 (cherry picked from commit e24673267093de85beee753860cda1fb224ce4bc)
Diffstat (limited to 'openstackclient/identity')
-rw-r--r--openstackclient/identity/v3/role.py68
1 files changed, 36 insertions, 32 deletions
diff --git a/openstackclient/identity/v3/role.py b/openstackclient/identity/v3/role.py
index 0eeddd37..0d9b8f68 100644
--- a/openstackclient/identity/v3/role.py
+++ b/openstackclient/identity/v3/role.py
@@ -65,59 +65,61 @@ def _add_identity_and_resource_options_to_parser(parser):
def _process_identity_and_resource_options(parsed_args,
- identity_client_manager):
+ identity_client_manager,
+ validate_actor_existence=True):
+
+ def _find_user():
+ try:
+ return common.find_user(
+ identity_client_manager,
+ parsed_args.user,
+ parsed_args.user_domain
+ ).id
+ except exceptions.CommandError:
+ if not validate_actor_existence:
+ return parsed_args.user
+ raise
+
+ def _find_group():
+ try:
+ return common.find_group(
+ identity_client_manager,
+ parsed_args.group,
+ parsed_args.group_domain
+ ).id
+ except exceptions.CommandError:
+ if not validate_actor_existence:
+ return parsed_args.group
+ raise
+
kwargs = {}
if parsed_args.user and parsed_args.system:
- kwargs['user'] = common.find_user(
- identity_client_manager,
- parsed_args.user,
- parsed_args.user_domain,
- ).id
+ kwargs['user'] = _find_user()
kwargs['system'] = parsed_args.system
elif parsed_args.user and parsed_args.domain:
- kwargs['user'] = common.find_user(
- identity_client_manager,
- parsed_args.user,
- parsed_args.user_domain,
- ).id
+ kwargs['user'] = _find_user()
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.user and parsed_args.project:
- kwargs['user'] = common.find_user(
- identity_client_manager,
- parsed_args.user,
- parsed_args.user_domain,
- ).id
+ kwargs['user'] = _find_user()
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
parsed_args.project_domain,
).id
elif parsed_args.group and parsed_args.system:
- kwargs['group'] = common.find_group(
- identity_client_manager,
- parsed_args.group,
- parsed_args.group_domain,
- ).id
+ kwargs['group'] = _find_group()
kwargs['system'] = parsed_args.system
elif parsed_args.group and parsed_args.domain:
- kwargs['group'] = common.find_group(
- identity_client_manager,
- parsed_args.group,
- parsed_args.group_domain,
- ).id
+ kwargs['group'] = _find_group()
kwargs['domain'] = common.find_domain(
identity_client_manager,
parsed_args.domain,
).id
elif parsed_args.group and parsed_args.project:
- kwargs['group'] = common.find_group(
- identity_client_manager,
- parsed_args.group,
- parsed_args.group_domain,
- ).id
+ kwargs['group'] = _find_group()
kwargs['project'] = common.find_project(
identity_client_manager,
parsed_args.project,
@@ -332,7 +334,9 @@ class RemoveRole(command.Command):
)
kwargs = _process_identity_and_resource_options(
- parsed_args, self.app.client_manager.identity)
+ parsed_args, self.app.client_manager.identity,
+ validate_actor_existence=False
+ )
identity_client.roles.revoke(role.id, **kwargs)