jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/352689 )

Change subject: openstack: Role modifications require global admin rights
......................................................................


openstack: Role modifications require global admin rights

Keystone hands out different authentication tokens depending on the
project that is used when authenticating. Some API actions require
`role:admin` or `is_admin:1` rights in the token. These can only be
acquired by authenticating via the `admin` project.

* Add ability to pass interface to _client()
* Add _admin_client() convenience method for getting a client for
  project=admin, interface=admin.
* Use _admin_client() for role add/remove API activities.
* Add missing `user` keyword specifier when calling role add/remove
  APIs.

Bug: T164787
Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9
---
M striker/openstack.py
1 file changed, 13 insertions(+), 7 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/striker/openstack.py b/striker/openstack.py
index c7d4a70..6a20d02 100644
--- a/striker/openstack.py
+++ b/striker/openstack.py
@@ -62,20 +62,24 @@
             auth_url=self.url,
             password=self.password,
             username=self.username,
-            project_id=project,
+            project_name=project,
             user_domain_name='Default',
             project_domain_name='Default',
         )
         return keystone_session.Session(auth=auth)
 
     @functools.lru_cache(maxsize=None)
-    def _client(self, project=None):
+    def _client(self, project=None, interface='public'):
         project = project or self.project
         return client.Client(
             session=self._session(project),
-            interface='public',
+            interface=interface,
             timeoute=2,
         )
+
+    def _admin_client(self):
+        """Convenience method for getting a client with super user rights."""
+        return self._client(project='admin', interface='admin')
 
     def role(self, name):
         if self.roles is None:
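Review bot: the switch from `project_id=project` to `project_name=project` at the top of this hunk is not mentioned in the commit message, yet it changes how the `project` value is interpreted for every session built here, not only for the new admin path. Please call it out in the commit message and confirm that existing callers pass project names rather than IDs. Separately, the unchanged context line `timeoute=2` in the `client.Client(...)` call looks like a misspelling of `timeout`; since this change already edits that call, it is worth correcting in the same patch. Finally, `_client()` is wrapped in `functools.lru_cache(maxsize=None)`, so the admin-scoped client returned by `_admin_client()` is never evicted from the cache; a comment on the intended lifetime of that privileged client would help the next reader.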
@@ -85,10 +89,12 @@
 
     def grant_role(self, role, user, project=None):
         project = project or self.project
-        keystone = self._client(project)
-        keystone.roles.grant(self.role(role), user, project=project)
+        # We need global admin rights to change role assignments
+        keystone = self._admin_client()
+        keystone.roles.grant(self.role(role), user=user, project=project)
 
     def revoke_role(self, role, user, project=None):
         project = project or self.project
-        keystone = self._client(project)
-        keystone.roles.revoke(role, user, project=project)
+        # We need global admin rights to change role assignments
+        keystone = self._admin_client()
+        keystone.roles.revoke(role, user=user, project=project)
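Review bot: in `revoke_role` the role is still passed as the bare `role` argument, while `grant_role` resolves it first with `self.role(role)`, so the two calls hand different kinds of value to the roles API. Unless callers of `revoke_role` already pass a resolved role, this should read `keystone.roles.revoke(self.role(role), user=user, project=project)`. Also, both methods now always use the global admin client, so the token no longer scopes them to the caller's project, and neither method contains an authorization check of its own. A docstring stating that callers must verify the requester may manage `project` before calling would make that requirement explicit.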


Gerrit-MessageType: merged
Gerrit-Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9
Gerrit-PatchSet: 3
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Madhuvishy <mviswanat...@wikimedia.org>
Gerrit-Reviewer: Rush <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>