path: root/openstackclient/identity/v3
Commit message [Author, Age, Files, Lines]
* Merge "Fix the `role implies list` command." into stable/queens (queens-eol, stable/queens) [Zuul, 2020-12-01, 1, -3/+3]
|\
| * Fix the `role implies list` command. [Sami MAKKI, 2018-09-26, 1, -3/+3]
| |
| |   The code was calling an unexisting function which never existed. The module refers now to the correct `InferenceRuleManager`.
| |
| |   It also allows the compatibility with the future python-keystoneclient in which the compatibility method will be removed from the RoleManager.
| |
| |   Conflicts: openstackclient/tests/unit/identity/v3/fakes.py
| |
| |   Backport note: Also changed the functional test test_implied_role_list to expect 1 items instead of 3, in line with Queens expectations. The additional 2 implied roles were only added during Rocky in Keystone with Ie18a269e3d1075d955fe494acaf634a393c6bd7b.
| |
| |   Story: 2003877
| |   Task: 26736
| |   Change-Id: I08f785dc9e840da2e16915683eecfe49189c44b3
| |   (cherry picked from commit 08dbd154e5da266e44f44386f711a3177e9061bd)
* | Allow endpoint filtering on both project and project-domain [Julie Pichon, 2018-10-15, 1, -1/+1]
|/
|   The --project and --project-domain flags are currently mutually exclusive for listing endpoints, however the --project-domain argument is supposed to help with filtering projects with colliding names. They should be allowed together.
|
|   Story: 2004018
|   Task: 27006
|   Change-Id: I7340e01f509e3515f07cb46f175fb603f1ce8b67
|   (cherry picked from commit 91a2d888625488da3f65ad372b4248e9747b9a3e)
* Clean up W503 and E402 pep8 errors [Sean McGinnis, 2018-04-20, 1, -4/+4]
|
|   pycodestyle 2.40 and later enforce these rules that were not previously enforced. Rather than just skipping them, this cleans up the trivial instances of these violations.
|
|   This does also include some other updates that were not triggering errors in an attempt to keep some of the style consistent.
|
|   Change-Id: Id7c0a6b8f1f835e69d844b000e3ed751852ada63
|   Closes-bug: #1762803
|   (cherry picked from commit d60141525987bc973802b4ec9a3b027e071d1966)
* Merge "Add support for endpoing filter commands" [Zuul, 2017-12-13, 1, -17/+130]
|\
| * Add support for endpoing filter commands [Jose Castro Leon, 2017-11-21, 1, -17/+130]
| |
| |   Implements the commands that allow to link an endpoint to a project for endpoint filter management.
| |
| |   Implements: blueprint keystone-endpoint-filter
| |   Change-Id: Iecf61495664fb8413d35ef69f07ea929d190d002
* | Fix credentials in create, update and list. [yangweiwei, 2017-11-17, 1, -6/+3]
|/
|   Now, keystone has supported several auth method, like 'totp'. Before we use this method, we should create the credential first. And we need create it with type 'totp'. But now we cannot create credential with this method.
|
|   Also, I think the type should not have constraints. We can create any type in keystone project. So, we should do these actions too. The type would be more which we cannot control.
|
|   Change-Id: Ie0482da3133fb515e4bb8e45f8c54f509589cc5e
|   Closes-bug: #1731848
* Optimize getting endpoint list [Anton Frolov, 2017-09-26, 1, -1/+2]
|
|   Currently ListEndpoint.take_action method unconditionally iterates over all endpoints and issues GET /v3/services/<ep.service_id> request for each endpoint. In case of HTTPS keystone endpoint this can take significant amount of time, and it is only getting worse in case of multiple regions.
|
|   This commit changes this logic to making just two GET requests: first it gets endpoint list, then it gets service list, searching service in the list instead of issuing GET /v3/services/<id> request.
|
|   Change-Id: I22b61c0b45b0205a2f5a4608c2473cb7814fe3cf
|   Closes-Bug: 1719413
* Implied Roles [Harry Rybacki, 2017-08-22, 1, -0/+129]
|
|   Allow the user to create an inference rule between two roles. The first, called the prior role is the role explicitly assigned to an individual. The second, called the implied role, is one that the user gets implicitly. For example:
|
|   Role B implies Role A.
|   User X is assigned Role B.
|   Therefore User X also assigned Role A.
|
|   The management and maintenance of the rules is performed in the Keystone server.
|
|   Change-Id: If547c2f16e812bc7fffd742ec37e6a26011f3185
* Merge "Use *_as_ids instead *_as_list" [Jenkins, 2017-07-26, 1, -9/+2]
|\
| * Use *_as_ids instead *_as_list [Rodrigo Duarte Sousa, 2017-03-01, 1, -9/+2]
| |
| |   The parents_as_list and subtree_as_list query parameters limit the result to only parents and subtree where the user making the call has role assignments in. Since OSC only displays the IDs, the call would be the same as the similar *_as_ids queries, the difference is that the latter doesn't enforce the role assignments (making it more useful).
| |
| |   Output example by using this patch:
| |
| |   $ openstack project show --children root
| |   +-------------+------------------------------+
| |   | Field       | Value                        |
| |   +-------------+------------------------------+
| |   | description |                              |
| |   | domain_id   | default                      |
| |   | enabled     | True                         |
| |   | id          | 123                          |
| |   | is_domain   | False                        |
| |   | name        | root                         |
| |   | parent_id   | default                      |
| |   | subtree     | {u'456': None, u'789': None} |
| |   +-------------+------------------------------+
| |
| |   Change-Id: Ib7b37ae8f55190a7efcc375d5be4a2823d02d1a4
* | Add optional parameter "user_id" and "type" to list credentials [zhanghongtao, 2017-07-25, 1, -3/+34]
| |
| |   In keystone version 3.5, "type" optional attribute has been added to list credentials. This patch adds "user_id" and "type" optional parameter in openstack client.
| |
| |   Change-Id: Ia09ee7c39204fdff2dfd7b9b606d888d007caac5
* | Add domain parameter to Identity Provider [Kristi Nikolla, 2017-07-21, 1, -1/+16]
| |
| |   Identity providers are now associated with domains. This change allows a user to specify a domain by ID or by name when creating an identity provider. [0]
| |
| |   This also adds the column for Domain ID in listing.
| |
| |   Updating a domain for an identity provider is not supported, so that isn't changed.
| |
| |   [0]. Id18b8b2fe853b97631bc990df8188ed64a6e1275
| |
| |   Closes-Bug: 1698390
| |   Change-Id: Icc408e2fe88f257d5863bd3df716a777d52befcc
* | Fix 'domain' filter not work well in some commands [jiangpch, 2017-07-18, 2, -3/+6]
| |
| |   The 'domain' filter not work well in commands 'project show', 'user show' and 'user set'.
| |
| |   Depends-On: I490900d6249f01654d4cba43bddd3e7af7928a84
| |   Closes-Bug: #1704097
| |   Change-Id: Ib4f47cbaba27eb56c4a41d187fee74a995e62dc7
* | When creating a trust, send role_ids instead or role_names [Kristi Nikolla, 2017-06-22, 1, -6/+6]
| |
| |   This changes create a trust to use ids instead of names because of the possibility of roles sharing a name. Even if the user uniquely identified a role by inputting the id, the request sent to the identity service would use the name, therefore the command would fail in the case that two roles share a name.
| |
| |   This does not change how trusts are displayed during trust list or trust show, a name will still be shown instead of an id.
| |
| |   Depends-On: I38e0ac35946ee6e53128babac3ea759a380572e0
| |   Change-Id: I5bdf89f1e288954a7f5c2704231f270bc7d196f5
| |   Closes-Bug: 1696111
* | Use _get_token_resource in role assignment list [David Rabel, 2017-05-23, 1, -1/+2]
| |
| |   If project matches the project from access token, we do not have to send an API request to /projects?name=..., because the project ID is already known. This API request may require additional permissions, so we want to avoid it, if possible.
| |
| |   Change-Id: Ice1af8686bceea6b67229dcab7cf82eef821163e
| |   Closes-Bug: #1658189
* | Support to add/remove multi users for "group add/remove user" [Huanxuan Ao, 2017-03-21, 1, -20/+48]
| |
| |   Similar delete commands in OSC, we can also support add/remove multi users for one specified group, this review implement it.
| |
| |   Change-Id: I8ccf99d4ee83a18778fa3ff5c0a42bc7c6ff21fb
| |   Implements: bp support-multi-add-remove
* | Non-Admin can't list own projects [adrian-turjak, 2017-03-20, 1, -1/+23]
| |
| |   Due to a default Keystone policy until Newton, and the use of resource_find, non-admins are unable to list their own projects.
| |
| |   This patch bypasses this problem while also introducing better UX for non-admins wishing to get their project list.
| |
| |   'openstack project list' retains the default of 'list all projects' but on a forbidden error will default instead to 'list my projects'. This way for non-admins 'list my projects' feels like the default without breaking the expected admin default.
| |
| |   Adding the '--my-projects' option allows admins to easily list their own projects or allows non-admins to be explicit and bypass the forbidden error fallback.
| |
| |   Change-Id: I1021276f69fbbf28e13e17c4e567d932fce7ed8b
| |   Closes-Bug: #1627555
* | Merge "Narrow expected responses for CheckUserInGroup" [Jenkins, 2017-03-16, 1, -6/+9]
|\ \
| * | Narrow expected responses for CheckUserInGroup [Colleen Murphy, 2017-03-14, 1, -6/+9]
| | |
| | |   When checking whether a given user is in a given group, keystone will return a 404 Not Found if all went well but the user was not in the group. It may also return a 403 if the user and the group are in different backends, which would also mean that the user was not in the group[1]. Any other 400 response is a client error and any 500 response is a server error to which the user should be alerted.
| | |
| | |   Without this patch, openstackclient treats any exception as a valid "not found" and may end up hiding server errors. This patch reduces the caught exceptions to 403 and 404 responses and treats everything else as an error.
| | |
| | |   [1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group
| | |
| | |   Closes-bug: #1672634
| | |   Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f
* | | Merge "Add sort support to project list" [Jenkins, 2017-03-16, 1, -0/+9]
|\ \ \
| |/ /
|/| |
| * | Add sort support to project list [Tom Jose Kalapura, 2017-03-08, 1, -0/+9]
| | |
| | |   Add sort support to project list by sorting items in the client side. By default list will be sorted by name.
| | |
| | |   Change-Id: I00011406846b4003aff075eeeb88ac18fa5e2820
| | |   Closes-Bug: #1596818
* | | Fix "endpoint list" help message [Rui Chen, 2017-02-22, 1, -1/+1]
| |/
|/|
| |   OSC support to filter OpenStack endpoints by service type, name and ID, but help message and document don't contain "type" for "--service" option of "endpoint list" command.
| |
| |   Change-Id: I5c8bc28e037b4c6f96ec83525a319353f01f256a
| |   Closes-Bug: #1666841
* | Merge "Handle log message interpolation by the logger in identity/" [Jenkins, 2017-02-14, 12, -24/+18]
|\ \
| * | Handle log message interpolation by the logger in identity/ [Gábor Antal, 2017-02-13, 12, -24/+18]
| | |
| | |   According to OpenStack Guideline[1], logged string message should be interpolated by the logger.
| | |
| | |   [1]: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#adding-variables-to-log-messages
| | |
| | |   Change-Id: I1d6588093616099a9eef0947c09e038b9e53493a
| | |   Related-Bug: #1596829
* | | Merge "Modify error handling for role and group commands" [Jenkins, 2017-02-13, 2, -37/+18]
|\ \ \
| |/ /
|/| |
| * | Modify error handling for role and group commands [Huanxuan Ao, 2017-02-09, 2, -37/+18]
| | |
| | |   If command failed, we usually raise exception, if command success, sometimes there is not any output (such as set, add commands). So modify the error handling for role and group commands.
| | |
| | |   Change-Id: I1c0f86c04dcedd9c0d725fd73f3436be9da75ee0
* | | Fix --parents and --children options in project show [Rui Chen, 2017-02-09, 1, -4/+9]
|/ /
| |   Options "--parents" and "--children" don't work in "project show" command, fix the issue and add related unit and functional tests.
| |
| |   Change-Id: Id9965267a037442f1077f8e1929d0527981f643d
| |   Closes-Bug: #1499657
* | Merge "Adds domain specification for SetUser" [Jenkins, 2017-01-26, 1, -4/+19]
|\ \
| * | Adds domain specification for SetUser [Samuel Pilla, 2017-01-25, 1, -4/+19]
| | |
| | |   This patch adds the ability to specify the domain context for making changes to a user with `--domain` flag.
| | |
| | |   Example:
| | |   $ openstack user set test_user --domain test_domain --enable
| | |
| | |   Change-Id: I2b3241785c22e72e19181394acff650422299b0e
| | |   Closes-Bug: #1658147
* | | Fix 'mapping set' return value [Colleen Murphy, 2017-01-25, 1, -1/+0]
|/ /
| |   Without this patch, the command 'openstack mapping set <args>' will, upon success, print the rules for the updated mapping and exit with return code 1 (failure). This is a problem for scripts and config management tools that depend on the return code to validate whether the operation was successful, since even upon success the command returns a failing error code. Moreover, the behavior of printing the new value is completely unlike the behavior of any of the 'set' subcommands for other entities.
| |
| |   This patch normalizes the 'mapping set' command by omitting any return value in the SetMapping take_action() method. This way the client will only exit with an error code if an exception is raised, and not upon normal operation.
| |
| |   Change-Id: I610ec3b2fa7561072346d46e49cfc1ae82130e0d
* | Merge "Handle 403 error on creating trust" [Jenkins, 2017-01-24, 1, -4/+8]
|\ \
| * | Handle 403 error on creating trust [Hongbin Lu, 2017-01-24, 1, -4/+8]
| | |
| | |   Currently, creating trust requires permission to list roles, but non-admin users don't have permission to do that by default. This commit adds exception handling on listing roles, and continue to create trust if server returns 403.
| | |
| | |   Closes-Bug: #1658582
| | |   Change-Id: I4f016b76cb46ae07ef65ed54780881bbcd6210d3
* | | TrivialFix in helpMessage for readability [zhiyong.dai, 2016-11-23, 1, -1/+1]
|/ /
| |   Change-Id: Ic5fae89455470585f1bd79539f99a9c04e0c68a0
* | Error handling for delete commands in identity [Huanxuan Ao, 2017-01-03, 5, -30/+105]
| |
| |   Add missing multi deletion error handling for identity delete commands. All delete commands in identity support error handling now.
| |
| |   Change-Id: I05626dcb5e516a423d610906347b02236ba7eeaf
* | Remove auth_with_unscoped_saml decorator [Colleen Murphy, 2016-12-04, 1, -22/+0]
| |
| |   The auth_with_unscoped_saml decorator existed to make sure the user selected the right auth plugin before trying to call either a 'federation domain' or 'federation project' command. This is outdated, because openstackclient now uses keystoneauth[1] and keystoneauth removed its entrypoints for the federation plugins[2] since its _Rescoped class no longer needs them.
| |
| |   This patch removes the decorator since that validation check was the only thing standing in the way of the commands working correctly. Also removed the '*_list_wrong_auth' tests since those only existed to test the decorator, and stopped setting the plugin in the positive tests since the automatically-determined token plugin should now be fine.
| |
| |   [1] http://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=6ae0d2e8a54fd5139e63a990ab4bdce634e73c5e
| |   [2] http://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=d9e4d26bb86f8d48e43188b88bab9d7fe778d2c1
| |
| |   Change-Id: Id981739663113447a7bba8ddba81ba9394a19e07
| |   Closes-bug: #1624115
* | translate all command help strings (3.4.0) [Steve Martinelli, 2016-11-17, 21, -101/+103]
| |
| |   Leverage the new cliff command class attribute (_description) to get the help of a command, this allows us to mark strings for translation.
| |
| |   We could not do this before since the help was grabbed from the docstring.
| |
| |   This also depends on a new release of cliff and a bump to the minimum level in osc's requirements.
| |
| |   Closes-Bug: 1636209
| |   Depends-On: Id915f6aa7d95a0ff3dc6e2ceaac5decb3f3bf0da
| |   Change-Id: I8673080bb5625e8e3c499feaefd42dfc7121e96f
* | Warning for empty password set for user create/set [qtang, 2016-10-19, 1, -0/+12]
|/
|   Raise warning when empty password set for user
|
|   Change-Id: If03516f3f1290e4c329fe3d1277dee0512de0410
|   Closes-Bug: #1607959
* format token expires time to prevent json loading datetime data [Steve Martinelli, 2016-09-05, 1, -1/+3]
|
|   When output to shell, the token issue time is fine; however when selecting the json formatter (via the --format json) option, an exception is raised when formatting the datetime data.
|
|   Rather than pass in the datetime data, we should format the data with the ISO 8601 formatting.
|
|   Closes-Bug: 1619937
|   Change-Id: Iffebb2d5413fabfd283dfa94fc560fc37270f9dd
* Merge "Add support for domain specific roles" [Jenkins, 2016-08-18, 2, -14/+101]
|\
| * Add support for domain specific roles [Henry Nash, 2016-08-10, 2, -14/+101]
| |
| |   A role entity can now be specified as domain specific.
| |
| |   Closes-bug: #1606105
| |   Change-Id: I564cf3da1d61f5bfcf85be591480d2f5c8d694a0
* | Gate-unbreaking combo review [Dean Troyer, 2016-08-18, 2, -9/+9]
|/
|   Fix argument precedence hack
|
|   Working around issues in os-client-config <= 1.18.0
|
|   This is ugly because the issues in o-c-c 1.19.1 run even deeper than in 1.18.0, so we're going to use 1.19.0 get_one_cloud() that is known to work for OSC and fix o-c-c with an axe.
|
|   Remove return values for set commands
|
|   'identity provider set' and 'service provider set' were still returning their show-like data, this is a fail for set commands now, don't know how this ever passed before...
|
|   Constraints are ready to be used for tox.ini
|
|   Per email[1] from Andreas, we don't need to hack at install_command any longer.
|
|   [1] http://openstack.markmail.org/thread/a4l7tokbotwqvuoh
|
|   Co-authorioed-by: Steve Martinelli <s.martinelli@gmail.com>
|   Depends-On: I49313dc7d4f44ec897de7a375f25b7ed864226f1
|   Change-Id: I426548376fc7d3cdb36501310dafd8c44d22ae30
* Add assignment list to v2 identity and deprecate alternate listing [Henry Nash, 2016-07-22, 2, -0/+46]
|
|   The current identity role list command (both v2 and v3) is overloaded with listing roles as well as assignments (if you provide user, group, project or domain options). This is in addition to the v3 assignment list command designed for this purpose.
|
|   This overloading complicates the fact that roles can now be domain specific (i.e. have a domain attribute), so the command 'role list --domain <domain-name' will soon become ambiguous (this is in a follow on patch).
|
|   This patch:
|   - Adds a v2 assignments list, with support for pulling the user and project from the auth credentials
|   - For compatibility, adds the same auth support to the existing v3 assignments list
|   - Deprecates the use of role list and user role list to list assignments
|
|   Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8
|   Partial-Bug: 1605774
* Remove execute permission on a few files [SongmingYan, 2016-07-22, 5, -0/+0]
|
|   Some files have execute permission unnecessarily. Change them from 755 to 644.
|
|   Change-Id: I471ebd1c3d123ad4a7376f7f5996f53f8c2d9b0b
* Merge "Update doc for credential in indentityv3" [Jenkins, 2016-07-19, 1, -10/+10]
|\
| * Update doc for credential in indentityv3 [Huanxuan Ao, 2016-07-15, 1, -10/+10]
| |
| |   Change-Id: I5f49c038a75ea67674b6d9279a6e60d6ded8d12f
* | Support bulk deletion for delete commands in identityv3 [Huanxuan Ao, 2016-07-19, 12, -49/+273]
| |
| |   Support bulk deletion for delete commands in the list below
| |
| |   identity/v3/consumer
| |   identity/v3/credential
| |   identity/v3/domain
| |   identity/v3/ec2creds
| |   identity/v3/endpoint
| |   identity/v3/federation_protocol
| |   identity/v3/identity_provider
| |   identity/v3/mapping
| |   identity/v3/policy
| |   identity/v3/region
| |   identity/v3/service_provider
| |   identity/v3/service
| |
| |   The unit test in identityv3 need to be refactored, so I add some functional tests instead. I will add all unit tests at one time after the refactor completed.
| |
| |   Change-Id: I82367570f59817b47c87b6c7bfeae95ccfe5c50e
| |   Closes-Bug: #1592906
* | Make set/unset commands pass normally when nothing specified in identityv3 [Huanxuan Ao, 2016-07-14, 14, -87/+0]
|/
|   Change-Id: I554b41969f96b62a2c6d37024caa56b1441d5ed1
|   Partial-bug: #1588588
* Correct reraising of exception [qinchunhua, 2016-07-07, 5, -10/+10]
|
|   When an exception was caught and rethrown, it should call 'raise' without any arguments because it shows the place where an exception occurred initially instead of place where the exception re-raised.
|
|   Change-Id: I5fb6dea5da7fb6e1e2b339a713c7d37f8c99e407
* Merge "Use resource id when name given for identity show" [Jenkins, 2016-06-23, 3, -5/+15]
|\