jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/352689 )
Change subject: openstack: Role modifications require global admin rights
......................................................................
openstack: Role modifications require global admin rights

Keystone hands out different authentication tokens depending on the
project that is used when authenticating. Some API actions require
`role:admin` or `is_admin:1` rights in the token. These can only be
acquired by authenticating via the `admin` project.

* Add ability to pass interface to _client()
* Add _admin_client() convenience method for getting a client for
  project=admin, interface=admin.
* Use _admin_client() for role add/remove API activities.
* Add missing `user` keyword specifier when calling role add/remove
  APIs.

Bug: T164787
Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9
---
M striker/openstack.py
1 file changed, 13 insertions(+), 7 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/striker/openstack.py b/striker/openstack.py
index c7d4a70..6a20d02 100644
--- a/striker/openstack.py
+++ b/striker/openstack.py
@@ -62,20 +62,24 @@
auth_url=self.url,
password=self.password,
username=self.username,
- project_id=project,
+ project_name=project,
user_domain_name='Default',
project_domain_name='Default',
)
return keystone_session.Session(auth=auth)
@functools.lru_cache(maxsize=None)
- def _client(self, project=None):
+ def _client(self, project=None, interface='public'):
project = project or self.project
return client.Client(
session=self._session(project),
- interface='public',
+ interface=interface,
timeoute=2,
)
+
+ def _admin_client(self):
+ """Convenience method for getting a client with super user rights."""
+ return self._client(project='admin', interface='admin')
def role(self, name):
if self.roles is None:
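Review bot: The switch from `project_id=project` to `project_name=project` in the session auth arguments is not mentioned in the commit message, and it changes how the `project` value is interpreted for every caller of `_session()`, not only the new admin path. Please document it in the message and confirm no existing caller still passes a project ID. Since `_client` is wrapped in `@functools.lru_cache(maxsize=None)`, the client built by `_admin_client()` for `project='admin', interface='admin'` is also cached without bound; a short note in the docstring that this privileged client is long-lived would make that explicit. Separately, the unchanged context line `timeoute=2` looks like a misspelling of `timeout`, so it is worth checking that the intended timeout is actually applied.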
@@ -85,10 +89,12 @@
def grant_role(self, role, user, project=None):
project = project or self.project
- keystone = self._client(project)
- keystone.roles.grant(self.role(role), user, project=project)
+ # We need global admin rights to change role assignments
+ keystone = self._admin_client()
+ keystone.roles.grant(self.role(role), user=user, project=project)
def revoke_role(self, role, user, project=None):
project = project or self.project
- keystone = self._client(project)
- keystone.roles.revoke(role, user, project=project)
+ # We need global admin rights to change role assignments
+ keystone = self._admin_client()
+ keystone.roles.revoke(role, user=user, project=project)
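Review bot: In `revoke_role` the role is still passed as the raw `role` argument, while `grant_role` resolves it with `self.role(role)`; if both methods receive a role name, the revoke call should use `self.role(role)` as well so the two paths are symmetric. Both methods now use the global admin client for whatever `project` is passed in, so nothing in these lines limits which project's assignments can be changed. The check that the requesting user may manage that project has to live in the callers, and a docstring stating that precondition on `grant_role` and `revoke_role` would make the requirement visible.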
--
To view, visit https://gerrit.wikimedia.org/r/352689
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia67b4fef0c915068c9a735098ef3a4083177c1c9
Gerrit-PatchSet: 3
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Madhuvishy <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list