25
from django.conf import settings
26
from django.contrib.auth import logout
27
from django.utils.translation import ugettext_lazy as _
29
from keystoneclient.exceptions import ClientException
31
from openstack_auth.backend import KEYSTONE_CLIENT_ATTR
25
from django.conf import settings # noqa
26
from django.contrib.auth import logout # noqa
27
from django.utils.translation import ugettext_lazy as _ # noqa
29
from keystoneclient import exceptions as keystone_exceptions
31
from openstack_auth import backend
33
33
from horizon import exceptions
34
34
from horizon import messages
155
155
# Take care of client connection caching/fetching a new client.
156
156
# Admin vs. non-admin clients are cached separately for token matching.
157
cache_attr = "_keystoneclient_admin" if admin else KEYSTONE_CLIENT_ATTR
157
cache_attr = "_keystoneclient_admin" if admin \
158
else backend.KEYSTONE_CLIENT_ATTR
158
159
if hasattr(request, cache_attr) and (not user.token.id
159
160
or getattr(request, cache_attr).auth_token == user.token.id):
160
161
LOG.debug("Using cached client for token: %s" % user.token.id)
163
164
endpoint = _get_endpoint_url(request, endpoint_type)
164
165
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
166
cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
165
167
LOG.debug("Creating a new keystoneclient connection to %s." % endpoint)
166
168
remote_addr = request.environ.get('REMOTE_ADDR', '')
167
169
conn = api_version['client'].Client(token=user.token.id,
168
170
endpoint=endpoint,
169
171
original_ip=remote_addr,
170
172
insecure=insecure,
171
174
auth_url=endpoint,
172
175
debug=settings.DEBUG)
173
176
setattr(request, cache_attr, conn)
218
def get_default_domain(request):
220
Gets the default domain object to use when creating Identity object.
221
Returns the domain context if is set, otherwise return the domain
224
domain_id = request.session.get("domain_context", None)
225
domain_name = request.session.get("domain_context_name", None)
226
# if running in Keystone V3 or later
227
if VERSIONS.active >= 3 and not domain_id:
228
# if no domain context set, default to users' domain
229
domain_id = request.user.user_domain_id
231
domain = domain_get(request, domain_id)
232
domain_name = domain.name
234
LOG.warning("Unable to retrieve Domain: %s" % domain_id)
235
domain = base.APIDictWrapper({"id": domain_id,
236
"name": domain_name})
215
240
# TODO(gabriel): Is there ever a valid case for admin to be false here?
216
241
# A quick search through the codebase reveals that it's always called with
217
242
# admin=true so I suspect we could eliminate it entirely as with the other
229
254
def tenant_list(request, paginate=False, marker=None, domain=None, user=None):
230
255
manager = VERSIONS.get_project_manager(request, admin=True)
231
page_size = getattr(settings, 'API_RESULT_PAGE_SIZE', 20)
256
page_size = request.session.get('horizon_pagesize',
257
getattr(settings, 'API_RESULT_PAGE_SIZE',
234
261
limit = page_size + 1
294
321
if not keystone_can_edit_user():
295
raise ClientException(405, _("Identity service does not allow "
296
"editing user data."))
322
raise keystone_exceptions.ClientException(405, _("Identity service "
323
"does not allow editing user data."))
298
325
# The v2 API updates user model, password and default project separately
299
326
if VERSIONS.active < 3:
303
330
# Update user details
305
332
user = manager.update(user, **data)
307
334
error = exceptions.handle(request, ignore=True)
309
336
# Update default tenant
311
338
user_update_tenant(request, user, project)
312
339
user.tenantId = project
314
341
error = exceptions.handle(request, ignore=True)
316
343
# Check for existing roles
329
356
user_update_password(request, user, password)
330
357
if user == request.user.id:
333
360
error = exceptions.handle(request, ignore=True)
335
362
if error is not None:
394
421
return manager.delete(group_id)
397
def group_list(request):
424
def group_list(request, domain=None, project=None, user=None):
398
425
manager = keystoneclient(request, admin=True).groups
399
return manager.list()
426
groups = manager.list(user=user)
427
# TODO(dklyle): once keystoneclient supports filtering by
428
# domain change this to use that cleaner implementation
432
if group.domain_id == domain:
433
domain_groups.append(group)
434
groups = domain_groups
439
roles = roles_for_group(request, group=group.id, project=project)
440
if roles and len(roles) > 0:
441
project_groups.append(group)
442
groups = project_groups
402
447
def group_update(request, group_id, name=None, description=None):
480
525
project=project, domain=domain)
528
def roles_for_group(request, group, domain=None, project=None):
529
manager = keystoneclient(request, admin=True).roles
530
return manager.list(group=group, domain=domain, project=project)
533
def add_group_role(request, role, group, domain=None, project=None):
534
""" Adds a role for a group on a domain or project ."""
535
manager = keystoneclient(request, admin=True).roles
536
return manager.grant(role=role, group=group, domain=domain,
540
def remove_group_role(request, role, group, domain=None, project=None):
541
""" Removes a given single role for a group from a domain or project. """
542
manager = keystoneclient(request, admin=True).roles
543
return manager.revoke(role=role, group=group, project=project,
547
def remove_group_roles(request, group, domain=None, project=None):
548
""" Removes all roles from a group on a domain or project,
549
removing them from it.
551
client = keystoneclient(request, admin=True)
552
roles = client.roles.list(group=group, domain=domain, project=project)
554
remove_group_role(request, role=role.id, group=group,
555
domain=domain, project=project)
483
558
def get_default_role(request):
485
560
Gets the default role object from Keystone and saves it as a global
516
591
def keystone_can_edit_domain():
517
592
backend_settings = getattr(settings, "OPENSTACK_KEYSTONE_BACKEND", {})
518
return backend_settings.get('can_edit_domain', True)
593
can_edit_domain = backend_settings.get('can_edit_domain', True)
594
multi_domain_support = getattr(settings,
595
'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT',
597
return can_edit_domain and multi_domain_support
521
600
def keystone_can_edit_user():