jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/352689 )
Change subject: openstack: Role modifications require global admin rights ...................................................................... openstack: Role modifications require global admin rights Keystone hands out different authentication tokens depending on the project that is used when authenticating. Some API actions require `role:admin` or `is_admin:1` rights in the token. These can only be acquired by authenticating via the `admin` project. * Add ability to pass interface to _client() * Add _admin_client() convenience method for getting a client for project=admin, interface=admin. * Use _admin_client() for role add/remove API activities. * Add missing `user` keyword specifier when calling role add/remove APIs. Bug: T164787 Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9 --- M striker/openstack.py 1 file changed, 13 insertions(+), 7 deletions(-) Approvals: Andrew Bogott: Looks good to me, approved jenkins-bot: Verified diff --git a/striker/openstack.py b/striker/openstack.py index c7d4a70..6a20d02 100644 --- a/striker/openstack.py +++ b/striker/openstack.py @@ -62,20 +62,24 @@ auth_url=self.url, password=self.password, username=self.username, - project_id=project, + project_name=project, user_domain_name='Default', project_domain_name='Default', ) return keystone_session.Session(auth=auth) @functools.lru_cache(maxsize=None) - def _client(self, project=None): + def _client(self, project=None, interface='public'): project = project or self.project return client.Client( session=self._session(project), - interface='public', + interface=interface, timeoute=2, ) + + def _admin_client(self): + """Convenience method for getting a client with super user rights.""" + return self._client(project='admin', interface='admin') def role(self, name): if self.roles is None: 
@@ -85,10 +89,12 @@ def grant_role(self, role, user, project=None): project = project or self.project - keystone = self._client(project) - keystone.roles.grant(self.role(role), user, project=project) + # We need global admin rights to change role assignments + keystone = self._admin_client() + keystone.roles.grant(self.role(role), user=user, project=project) def revoke_role(self, role, user, project=None): project = project or self.project - keystone = self._client(project) - keystone.roles.revoke(role, user, project=project) + # We need global admin rights to change role assignments + keystone = self._admin_client() + keystone.roles.revoke(role, user=user, project=project) -- To view, visit https://gerrit.wikimedia.org/r/352689 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9 Gerrit-PatchSet: 3 Gerrit-Project: labs/striker Gerrit-Branch: master Gerrit-Owner: BryanDavis <bda...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org> Gerrit-Reviewer: Madhuvishy <mviswanat...@wikimedia.org> Gerrit-Reviewer: Rush <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
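Review bot: In the first hunk (`@@ -62,20 +62,24 @@`), the switch from `project_id=project` to `project_name=project` in the auth arguments is not mentioned in the commit message, which lists only the interface parameter, `_admin_client()`, and the `user` keyword. It changes how every caller's `project` value is interpreted, not only the new `project='admin'` case, so it should be stated in the message and existing callers checked to confirm they pass names rather than IDs. The context line `timeoute=2` in the `client.Client(...)` call also looks like a misspelling of `timeout`; if it is, the intended timeout may not be taking effect, and it could be corrected while this call is being edited. Since `_client()` sits under `functools.lru_cache(maxsize=None)`, the client returned by `_admin_client()` stays cached for the life of the process; a comment saying that this is intended for the admin-scoped client would help.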
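Review bot: In the second hunk (`@@ -85,10 +89,12 @@`), `revoke_role` still passes the raw `role` argument in `keystone.roles.revoke(role, user=user, project=project)`, while `grant_role` resolves it first with `self.role(role)`. If callers pass the same kind of value to both methods, revoke should use `self.role(role)` as well. Both methods now use the global admin client for whatever `project` is passed in, so nothing in these lines limits which project's role assignments can be changed; a docstring on each method should state that the caller is responsible for authorizing the requesting user for that project before calling.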