Domain administrator cannot do project operations

Domain administrator cannot do project operations because the require access to the domain API (which they don't have). When attempting to find a domain for project operations, ignore errors because the API returns nothing without indicating there is a problem. The domain administrators will have to use a domain id, but they will still be able to do project operations. If the user does not have permission to read the domain table, they cannot use domain names. Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752 Closes-Bug: #1317478 Closes-Bug: #1317485
author: Terry Howe <terrylhowe@gmail.com> 2014-05-30 10:38:20 -0600
committer: Terry Howe <thowe@hp.com> 2014-07-07 20:18:39 +0000
commit: b6384886973c652c0161a9caeac6f31066edace1 (patch)
tree: e2ed27fc511b9c64a4064c892d6e6d31e300ae50 /openstackclient
parent: b3736fd9df869e2f2824ed831deb3aa9a446ee59 (diff)
download: python-openstackclient-b6384886973c652c0161a9caeac6f31066edace1.tar.gz
3 files changed, 91 insertions, 12 deletions
diff --git a/openstackclient/identity/common.py b/openstackclient/identity/common.py
index 6aeaa3c3..48dc0c89 100644
--- a/openstackclient/identity/common.py
+++ b/openstackclient/identity/common.py
@@ -16,6 +16,7 @@
 """Common identity code"""
 
 from keystoneclient import exceptions as identity_exc
+from keystoneclient.v3 import domains
 from openstackclient.common import exceptions
 from openstackclient.common import utils
 
@@ -36,3 +37,23 @@ def find_service(identity_client, name_type_or_id):
             msg = ("No service with a type, name or ID of '%s' exists."
                    % name_type_or_id)
             raise exceptions.CommandError(msg)
+
+
+def find_domain(identity_client, name_or_id):
+    """Find a domain.
+
+       If the user does not have permssions to access the v3 domain API,
+       assume that domain given is the id rather than the name.  This
+       method is used by the project list command, so errors access the
+       domain will be ignored and if the user has access to the project
+       API, everything will work fine.
+
+       Closes bugs #1317478 and #1317485.
+    """
+    try:
+        dom = utils.find_resource(identity_client.domains, name_or_id)
+        if dom is not None:
+            return dom
+    except identity_exc.Forbidden:
+        pass
+    return domains.Domain(None, {'id': name_or_id})
diff --git a/openstackclient/identity/v3/project.py b/openstackclient/identity/v3/project.py
index 00a98d19..fa935f0b 100644
--- a/openstackclient/identity/v3/project.py
+++ b/openstackclient/identity/v3/project.py
@@ -24,6 +24,7 @@ from cliff import show
 
 from openstackclient.common import parseractions
 from openstackclient.common import utils
+from openstackclient.identity import common
 
 
 class CreateProject(show.ShowOne):
@@ -73,10 +74,7 @@ class CreateProject(show.ShowOne):
         identity_client = self.app.client_manager.identity
 
         if parsed_args.domain:
-            domain = utils.find_resource(
-                identity_client.domains,
-                parsed_args.domain,
-            ).id
+            domain = common.find_domain(identity_client, parsed_args.domain).id
         else:
             domain = None
 
@@ -156,10 +154,8 @@ class ListProject(lister.Lister):
             columns = ('ID', 'Name')
         kwargs = {}
         if parsed_args.domain:
-            kwargs['domain'] = utils.find_resource(
-                identity_client.domains,
-                parsed_args.domain,
-            ).id
+            domain = common.find_domain(identity_client, parsed_args.domain)
+            kwargs['domain'] = domain.id
         data = identity_client.projects.list(**kwargs)
         return (columns,
                 (utils.get_item_properties(
@@ -236,10 +232,8 @@ class SetProject(command.Command):
         if parsed_args.name:
             kwargs['name'] = parsed_args.name
         if parsed_args.domain:
-            kwargs['domain'] = utils.find_resource(
-                identity_client.domains,
-                parsed_args.domain,
-            ).id
+            domain = common.find_domain(identity_client, parsed_args.domain)
+            kwargs['domain'] = domain.id
         if parsed_args.description:
             kwargs['description'] = parsed_args.description
         if parsed_args.enable:
diff --git a/openstackclient/tests/identity/v3/test_project.py b/openstackclient/tests/identity/v3/test_project.py
index e0420a1e..2e7bc54b 100644
--- a/openstackclient/tests/identity/v3/test_project.py
+++ b/openstackclient/tests/identity/v3/test_project.py
@@ -14,6 +14,7 @@
 #
 
 import copy
+import mock
 
 from openstackclient.identity.v3 import project
 from openstackclient.tests import fakes
@@ -172,6 +173,45 @@ class TestProjectCreate(TestProject):
         )
         self.assertEqual(data, datalist)
 
+    def test_project_create_domain_no_perms(self):
+        arglist = [
+            '--domain', identity_fakes.domain_id,
+            identity_fakes.project_name,
+        ]
+        verifylist = [
+            ('domain', identity_fakes.domain_id),
+            ('enable', False),
+            ('disable', False),
+            ('name', identity_fakes.project_name),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+        mocker = mock.Mock()
+        mocker.return_value = None
+
+        with mock.patch("openstackclient.common.utils.find_resource", mocker):
+            columns, data = self.cmd.take_action(parsed_args)
+
+        # Set expected values
+        kwargs = {
+            'name': identity_fakes.project_name,
+            'domain': identity_fakes.domain_id,
+            'description': None,
+            'enabled': True,
+        }
+        self.projects_mock.create.assert_called_with(
+            **kwargs
+        )
+        collist = ('description', 'domain_id', 'enabled', 'id', 'name')
+        self.assertEqual(columns, collist)
+        datalist = (
+            identity_fakes.project_description,
+            identity_fakes.domain_id,
+            True,
+            identity_fakes.project_id,
+            identity_fakes.project_name,
+        )
+        self.assertEqual(data, datalist)
+
     def test_project_create_enable(self):
         arglist = [
             '--enable',
@@ -411,6 +451,30 @@ class TestProjectList(TestProject):
         ), )
         self.assertEqual(tuple(data), datalist)
 
+    def test_project_list_domain_no_perms(self):
+        arglist = [
+            '--domain', identity_fakes.domain_id,
+        ]
+        verifylist = [
+            ('domain', identity_fakes.domain_id),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+        mocker = mock.Mock()
+        mocker.return_value = None
+
+        with mock.patch("openstackclient.common.utils.find_resource", mocker):
+            columns, data = self.cmd.take_action(parsed_args)
+
+        self.projects_mock.list.assert_called_with(
+            domain=identity_fakes.domain_id)
+        collist = ('ID', 'Name')
+        self.assertEqual(columns, collist)
+        datalist = ((
+            identity_fakes.project_id,
+            identity_fakes.project_name,
+        ), )
+        self.assertEqual(tuple(data), datalist)
+
 
 class TestProjectSet(TestProject):
author	Terry Howe <terrylhowe@gmail.com>	2014-05-30 10:38:20 -0600
committer	Terry Howe <thowe@hp.com>	2014-07-07 20:18:39 +0000
commit	b6384886973c652c0161a9caeac6f31066edace1 (patch)
tree	e2ed27fc511b9c64a4064c892d6e6d31e300ae50 /openstackclient
parent	b3736fd9df869e2f2824ed831deb3aa9a446ee59 (diff)
download	python-openstackclient-b6384886973c652c0161a9caeac6f31066edace1.tar.gz