Add assignment list to v2 identity and deprecate alternate listing

The current identity role list command (both v2 and v3) is overloaded with listing roles as well as assignments (if you provide user, group, project or domain options). This is in addition to the v3 assignment list command designed for this purpose. This overloading complicates the fact that roles can now be domain specific (i.e. have a domain attribute), so the command 'role list --domain <domain-name' will soon become ambigious (this is in a follow on patch). This patch: - Adds a v2 assignments list, with support for pulling the user and project from the auth credentials - For comapability, adds the same auth support to the existing v3 assignments list - Deprecates the use of role list and user role list to list assignments Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8 Partial-Bug: 1605774
author: Henry Nash <henryn@linux.vnet.ibm.com> 2016-04-29 23:59:27 +0100
committer: Dean Troyer <dtroyer@gmail.com> 2016-07-22 21:46:29 +0000
commit: 713d92df4e53f74698a1ff2dfcb7514ff22f023b (patch)
tree: dbf6825abaa32d4779d07ea28c7d637411959efd /openstackclient/identity
parent: 719c5d79ced34687944eb0bf458f36070817a7b9 (diff)
download: python-openstackclient-713d92df4e53f74698a1ff2dfcb7514ff22f023b.tar.gz
4 files changed, 175 insertions, 0 deletions
diff --git a/openstackclient/identity/v2_0/role.py b/openstackclient/identity/v2_0/role.py
index 191cdaa3..b4b67bad 100644
--- a/openstackclient/identity/v2_0/role.py
+++ b/openstackclient/identity/v2_0/role.py
@@ -150,6 +150,15 @@ class ListRole(command.Lister):
         return parser
 
     def take_action(self, parsed_args):
+
+        def _deprecated():
+            # NOTE(henry-nash): Deprecated as of Newton, so we should remove
+            # this in the 'P' release.
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated as of the Newton release. Use role '
+                               'assignment list --user <user-name> --project '
+                               '<project-name> --names instead.'))
+
         identity_client = self.app.client_manager.identity
         auth_ref = self.app.client_manager.auth_ref
 
@@ -166,6 +175,7 @@ class ListRole(command.Lister):
                 identity_client.projects,
                 parsed_args.project,
             )
+            _deprecated()
             data = identity_client.roles.roles_for_user(user.id, project.id)
 
         elif parsed_args.user:
@@ -181,6 +191,7 @@ class ListRole(command.Lister):
             else:
                 msg = _("Project must be specified")
                 raise exceptions.CommandError(msg)
+            _deprecated()
             data = identity_client.roles.roles_for_user(user.id, project.id)
         elif parsed_args.project:
             project = utils.find_resource(
@@ -195,6 +206,7 @@ class ListRole(command.Lister):
             else:
                 msg = _("User must be specified")
                 raise exceptions.CommandError(msg)
+            _deprecated()
             data = identity_client.roles.roles_for_user(user.id, project.id)
 
         if parsed_args.user or parsed_args.project:
@@ -249,6 +261,10 @@ class ListUserRole(command.Lister):
             msg = _("User must be specified")
             raise exceptions.CommandError(msg)
 
+        self.log.warning(_('Listing assignments using user role list is '
+                           'deprecated as of the Newton release. Use role '
+                           'assignment list --user <user-name> --project '
+                           '<project-name> --names instead.'))
         project = utils.find_resource(
             identity_client.tenants,
             parsed_args.project,
diff --git a/openstackclient/identity/v2_0/role_assignment.py b/openstackclient/identity/v2_0/role_assignment.py
new file mode 100644
index 00000000..406508ac
--- /dev/null
+++ b/openstackclient/identity/v2_0/role_assignment.py
@@ -0,0 +1,113 @@
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+"""Identity v2 Assignment action implementations """
+
+from openstackclient.common import command
+from openstackclient.common import exceptions
+from openstackclient.common import utils
+from openstackclient.i18n import _  # noqa
+
+
+class ListRoleAssignment(command.Lister):
+    """List role assignments"""
+
+    def get_parser(self, prog_name):
+        parser = super(ListRoleAssignment, self).get_parser(prog_name)
+        parser.add_argument(
+            '--user',
+            metavar='<user>',
+            help='User to filter (name or ID)',
+        )
+        parser.add_argument(
+            '--project',
+            metavar='<project>',
+            help='Project to filter (name or ID)',
+        )
+        parser.add_argument(
+            '--names',
+            action="store_true",
+            help='Display names instead of IDs',
+        )
+        parser.add_argument(
+            '--auth-user',
+            action="store_true",
+            dest='authuser',
+            help='Only list assignments for the authenticated user',
+        )
+        parser.add_argument(
+            '--auth-project',
+            action="store_true",
+            dest='authproject',
+            help='Only list assignments for the project to which the '
+                 'authenticated user\'s token is scoped',
+        )
+        return parser
+
+    def take_action(self, parsed_args):
+        identity_client = self.app.client_manager.identity
+        auth_ref = self.app.client_manager.auth_ref
+
+        include_names = True if parsed_args.names else False
+
+        user = None
+        if parsed_args.user:
+            user = utils.find_resource(
+                identity_client.users,
+                parsed_args.user,
+            )
+        elif parsed_args.authuser:
+            if auth_ref:
+                user = utils.find_resource(
+                    identity_client.users,
+                    auth_ref.user_id
+                )
+
+        project = None
+        if parsed_args.project:
+            project = utils.find_resource(
+                identity_client.projects,
+                parsed_args.project,
+            )
+        elif parsed_args.authproject:
+            if auth_ref:
+                project = utils.find_resource(
+                    identity_client.projects,
+                    auth_ref.project_id
+                )
+
+        # If user or project is not specified, we would ideally list all
+        # relevant assignments in the system (to be compatible with v3).
+        # However, there is no easy way of doing that in v2.
+        if not user or not project:
+            msg = _("Project and User must be specified")
+            raise exceptions.CommandError(msg)
+        else:
+            data = identity_client.roles.roles_for_user(user.id, project.id)
+
+        columns = ('Role', 'User', 'Project')
+        for user_role in data:
+            if include_names:
+                setattr(user_role, 'role', user_role.name)
+                user_role.user = user.name
+                user_role.project = project.name
+            else:
+                setattr(user_role, 'role', user_role.id)
+                user_role.user = user.id
+                user_role.project = project.id
+
+        return (columns,
+                (utils.get_item_properties(
+                    s, columns,
+                    formatters={},
+                ) for s in data))
diff --git a/openstackclient/identity/v3/role.py b/openstackclient/identity/v3/role.py
index 27380179..e8a03ff3 100644
--- a/openstackclient/identity/v3/role.py
+++ b/openstackclient/identity/v3/role.py
@@ -251,6 +251,10 @@ class ListRole(command.Lister):
             for user_role in data:
                 user_role.user = user.name
                 user_role.domain = domain.name
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated. Use role assignment list --user '
+                               '<user-name> --domain <domain-name> --names '
+                               'instead.'))
         elif parsed_args.user and parsed_args.project:
             columns = ('ID', 'Name', 'Project', 'User')
             data = identity_client.roles.list(
@@ -261,6 +265,10 @@ class ListRole(command.Lister):
             for user_role in data:
                 user_role.user = user.name
                 user_role.project = project.name
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated. Use role assignment list --user '
+                               '<user-name> --project <project-name> --names '
+                               'instead.'))
         elif parsed_args.user:
             columns = ('ID', 'Name')
             data = identity_client.roles.list(
@@ -268,6 +276,10 @@ class ListRole(command.Lister):
                 domain='default',
                 os_inherit_extension_inherited=parsed_args.inherited
             )
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated. Use role assignment list --user '
+                               '<user-name> --domain default --names '
+                               'instead.'))
         elif parsed_args.group and parsed_args.domain:
             columns = ('ID', 'Name', 'Domain', 'Group')
             data = identity_client.roles.list(
@@ -278,6 +290,10 @@ class ListRole(command.Lister):
             for group_role in data:
                 group_role.group = group.name
                 group_role.domain = domain.name
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated. Use role assignment list --group '
+                               '<group-name> --domain <domain-name> --names '
+                               'instead.'))
         elif parsed_args.group and parsed_args.project:
             columns = ('ID', 'Name', 'Project', 'Group')
             data = identity_client.roles.list(
@@ -288,6 +304,10 @@ class ListRole(command.Lister):
             for group_role in data:
                 group_role.group = group.name
                 group_role.project = project.name
+            self.log.warning(_('Listing assignments using role list is '
+                               'deprecated. Use role assignment list --group '
+                               '<group-name> --project <project-name> --names '
+                               'instead.'))
         else:
             sys.stderr.write(_("Error: If a user or group is specified, "
                                "either --domain or --project must also be "
diff --git a/openstackclient/identity/v3/role_assignment.py b/openstackclient/identity/v3/role_assignment.py
index 39e2336d..6177d1a5 100644
--- a/openstackclient/identity/v3/role_assignment.py
+++ b/openstackclient/identity/v3/role_assignment.py
@@ -67,6 +67,19 @@ class ListRoleAssignment(command.Lister):
         )
         common.add_project_domain_option_to_parser(parser)
         common.add_inherited_option_to_parser(parser)
+        parser.add_argument(
+            '--auth-user',
+            action="store_true",
+            dest='authuser',
+            help='Only list assignments for the authenticated user',
+        )
+        parser.add_argument(
+            '--auth-project',
+            action="store_true",
+            dest='authproject',
+            help='Only list assignments for the project to which the '
+                 'authenticated user\'s token is scoped',
+        )
         return parser
 
     def _as_tuple(self, assignment):
@@ -75,6 +88,7 @@ class ListRoleAssignment(command.Lister):
 
     def take_action(self, parsed_args):
         identity_client = self.app.client_manager.identity
+        auth_ref = self.app.client_manager.auth_ref
 
         role = None
         if parsed_args.role:
@@ -90,6 +104,12 @@ class ListRoleAssignment(command.Lister):
                 parsed_args.user,
                 parsed_args.user_domain,
             )
+        elif parsed_args.authuser:
+            if auth_ref:
+                user = common.find_user(
+                    identity_client,
+                    auth_ref.user_id
+                )
 
         domain = None
         if parsed_args.domain:
@@ -105,6 +125,12 @@ class ListRoleAssignment(command.Lister):
                 parsed_args.project,
                 parsed_args.project_domain,
             )
+        elif parsed_args.authproject:
+            if auth_ref:
+                project = common.find_project(
+                    identity_client,
+                    auth_ref.project_id
+                )
 
         group = None
         if parsed_args.group:
author	Henry Nash <henryn@linux.vnet.ibm.com>	2016-04-29 23:59:27 +0100
committer	Dean Troyer <dtroyer@gmail.com>	2016-07-22 21:46:29 +0000
commit	713d92df4e53f74698a1ff2dfcb7514ff22f023b (patch)
tree	dbf6825abaa32d4779d07ea28c7d637411959efd /openstackclient/identity
parent	719c5d79ced34687944eb0bf458f36070817a7b9 (diff)
download	python-openstackclient-713d92df4e53f74698a1ff2dfcb7514ff22f023b.tar.gz