3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
15 import access_management.db.amdb as amdb
16 from am_api_base import *
19 class Roles(AMApiBase):
22 Role create operations
24 .. :quickref: Roles;Role create operations
26 .. http:post:: /am/v1/roles
34 POST am/v1/roles HTTP/1.1
35 Host: haproxyvip:61200
36 Accept: application/json
38 "role_name": "test_role"
39 "desc": "This is a test role"
42 :> json string role_name: The created role name.
43 :> json string desc: A short description of the created role.
52 "description": "Role created."
55 :> json int code: the status code
56 :> json string description: the error description, present if code is non zero
58 Role modify operations
60 .. :quickref: Roles;Role modify operations
62 .. http:put:: /am/v1/roles
70 PUT am/v1/roles HTTP/1.1
71 Host: haproxyvip:61200
72 Accept: application/json
74 "role_name": "test_role"
75 "desc": "This is a test role"
78 :> json string role_name: The modified role name.
79 :> json string desc: A short description of the modified role.
88 "description": "Role modified."
91 :> json int code: the status code
92 :> json string description: the error description, present if code is non zero
94 Role delete operations
96 .. :quickref: Roles;Role delete operations
98 .. http:delete:: /am/v1/roles
100 **Start Role delete**
106 DELETE am/v1/roles HTTP/1.1
107 Host: haproxyvip:61200
108 Accept: application/json
110 "role_name": "test_role"
113 :> json string role_name: The deleted role name.
115 **Example response**:
122 "description": "Role deleted."
125 :> json int code: the status code
126 :> json string description: the error description, present if code is non zero
130 .. :quickref: Roles;Role list operations
132 .. http:get:: /am/v1/roles
140 GET am/v1/roles HTTP/1.1
141 Host: haproxyvip:61200
142 Accept: application/json
144 **Example response**:
151 "description": "Role list."
156 "desc": "Alarm Administrator",
159 "role_name": "alarm_admin"
163 "desc": "Alarm Viewer",
166 "role_name": "alarm_viewer"
171 :> json int code: the status code
172 :> json string description: the error description, present if code is non zero
173 :> json object data: a dictionary with the existing roles
174 :> json string role_name: The role name.
175 :> json string desc: The role description.
176 :> json string is_chroot: If this field is true, then this is a chroot user role.
177 :> json string is_service: If this field is true, then this is a service role that was created at deployment time.
# Routing and request-argument declarations consumed by AMApiBase (the base
# class comes in via `from am_api_base import *`; its contract is not visible
# here). NOTE(review): the remainder of `parser_arguments` is on original
# lines not shown in this listing.
180 endpoints = ['roles']
181 parser_arguments = ['role_name',
# Role-create handler body (the enclosing `def` line is not shown in this
# listing). No access-control check is visible in this handler; presumably
# it is enforced by AMApiBase or upstream — confirm.
185 self.logger.info("Received a role create request!")
# role_name/desc are request-supplied; any validation lives in parse_args()
# (AMApiBase, not visible). Both values are echoed into log lines below.
186 args = self.parse_args()
# A missing description is presumably defaulted on the next original line
# (not shown) before the DB write.
187 if args["desc"] is None:
189 state, result = self._role_create(args)
# Success path: empty payload, code 0, human-readable message.
192 self.logger.info("The {0} role created!".format(args["role_name"]))
193 return AMApiBase.embed_data({}, 0, result)
# Failure path: `result` is the message built by _role_create. For internal
# errors that message embeds the raw exception text, which is handed to the
# API client here (review: keep the detail in the log, return a generic
# client-facing message).
195 self.logger.error("The {0} role creation failed: {1}".format(args["role_name"], result))
196 return AMApiBase.construct_error_response(1, result)
# Role-modify handler body (the enclosing `def` line is not shown in this
# listing). Same shape as the create handler: parse, delegate, map the
# (state, message) pair to an API response.
199 self.logger.info("Received a role modify request!")
# role_name/desc are request-supplied; validation, if any, is in parse_args().
200 args = self.parse_args()
# Missing description presumably defaulted on the next original line (not shown).
201 if args["desc"] is None:
203 state, result = self._role_modify(args)
206 self.logger.info("The {0} role modified!".format(args["role_name"]))
207 return AMApiBase.embed_data({}, 0, result)
# `result` may contain raw exception text from _role_modify's catch-all;
# it is returned to the client unchanged (review: prefer a generic message).
209 self.logger.error("The {0} role modify failed: {1}".format(args["role_name"], result))
210 return AMApiBase.construct_error_response(1, result)
# Role-list handler body (the enclosing `def` line is not shown in this
# listing). `roles` is either the DB result or an error message, depending
# on `state`.
213 self.logger.info("Received a role list request!")
214 state, roles = self._role_list()
# Success: the roles structure from the DB is embedded as the `data` field.
217 self.logger.info("The role list response done!")
218 return AMApiBase.embed_data(roles, 0, "Role list.")
# Failure: `roles` holds the message built by _role_list, which for internal
# errors embeds the raw exception text and is returned to the client as-is.
220 self.logger.error("Role list creation failed: {0}".format(roles))
221 return AMApiBase.construct_error_response(1, roles)
# Role-delete handler body (the enclosing `def` line is not shown in this
# listing). The service-role guard lives in _role_delete, not here.
224 self.logger.info("Received a role delete request!")
# role_name is request-supplied and is echoed into the log lines below.
225 args = self.parse_args()
227 state, message = self._role_delete(args)
230 self.logger.info("The {0} role deleted!".format(args["role_name"]))
231 return AMApiBase.embed_data({}, 0, message)
# `message` may carry raw exception text from _role_delete; it is returned
# to the client unchanged (review: prefer a generic client-facing message).
233 self.logger.error("The {0} role deletion failed: {1}".format(args["role_name"], message))
234 return AMApiBase.construct_error_response(1, message)
236 def _role_modify(self, args):
# Update a role's description in the AM DB.
# Returns (ok, message); the message is what the HTTP handler sends back.
# The guard lines of the original (`if state_open:`, `try:`, `else:`) are
# not shown in this listing.
237 state_open, message_open = self._open_db()
240 self.db.set_role_param(args["role_name"], args["desc"])
# Per the log text, the DB layer raises NotAllowedOperation for service
# roles; it is the only protection visible for modifications.
241 except amdb.NotAllowedOperation:
242 self.logger.error("Modifying service role is not allowed: {0}".format(args["role_name"]))
243 return False, "Modifying service role is not allowed: {0}".format(args["role_name"])
# Catch-all: the exception text is returned verbatim and ends up in the
# API response (review: log the detail, return a generic message).
244 except Exception as ex:
245 self.logger.error("Internal error: {0}".format(ex))
246 return False, "Internal error: {0}".format(ex)
# NOTE(review): how state_close is used is on original lines not shown;
# confirm that a failed _close_db() does not still report success.
248 state_close, message_close = self._close_db()
251 return True, "Role modified."
# _open_db() failed: surface its message.
253 return False, message_open
255 def _role_create(self, args):
# Create the role in the AM DB first, then in Keystone, rolling the DB row
# back if the Keystone call fails. Returns (ok, message). The `if
# state_open:` / `try:` lines of the original are not shown in this listing.
256 state_open, message_open = self._open_db()
259 self.db.create_role(args["role_name"], args["desc"])
# The Keystone call sits in its own (inner) try; its `try:` line is not shown.
261 self.keystone.roles.create(args["role_name"])
# Compensating action so DB and Keystone stay in sync.
# NOTE(review): this clause catches *every* Keystone failure (auth error,
# timeout, ...) yet reports "already exists", and `ex` is never logged, so
# the real cause is lost — log `ex` and narrow the message to the
# exception actually meaning "duplicate".
262 except Exception as ex:
263 self.db.delete_role(args["role_name"])
264 self.logger.error("Role {} already exists".format(args["role_name"]))
265 return False, "Role {} already exists".format(args["role_name"])
# Duplicate in the AM DB table (raised by create_role above).
266 except amdb.AlreadyExist:
267 self.logger.error("Role already exists in table: {0}".format(args["role_name"]))
268 return False, "Role already exists in table: {0}".format(args["role_name"])
# Catch-all: exception text is returned verbatim and reaches the API client.
269 except Exception as ex:
270 self.logger.error("Internal error: {0}".format(ex))
271 return False, "Internal error: {0}".format(ex)
273 state_close, message_close = self._close_db()
# Original lines between the close and the two returns are not shown; the
# returns presumably belong to different branches (open failed vs. success).
277 return False, message_open
278 return True, "Role created."
280 def _role_list(self):
# Fetch every role from the AM DB. Returns (ok, roles) on success or
# (False, message) on failure. Guard lines of the original (`if
# state_open:`, `try:`, the success return) are not shown in this listing.
281 state_open, message_open = self._open_db()
284 roles = self.db.get_all_roles()
# Catch-all: exception text is returned verbatim and reaches the API client.
285 except Exception as ex:
286 self.logger.error("Internal error: {0}".format(ex))
287 return False, "Internal error: {0}".format(ex)
289 state_close, message_close = self._close_db()
# _open_db() failed: surface its message.
294 return False, message_open
296 def _add_roles_back_to_users(self, role_name):
# Compensation step used by _role_delete after the DB delete fails: the
# Keystone role has by then been deleted and re-created, so the role is
# re-assigned to every user that held it.
297 uuid_list = self.db.get_role_users(role_name)
298 for uuid in uuid_list:
# `username` is unpacked but unused in the visible code.
299 username, def_project = self.get_user_from_uuid(uuid)
300 state, message = self.modify_role_in_keystone(role_name, uuid, "put", def_project)
# NOTE(review): both visible return paths yield False, so the caller
# (_role_delete) always reports failure here even when every re-assignment
# succeeded; the `message` from modify_role_in_keystone is also discarded.
# The condition guarding the first return is on an original line not shown.
302 return False, "Role deletion failed, please try again!"
303 return False, "Role deletion failed, try again"
305 def _role_delete(self, args):
# Delete a role from Keystone and then from the AM DB; service roles are
# refused. Returns (ok, message). Several guard lines of the original
# (`if state_open:`, `try:`, `else:`) are not shown in this listing.
306 state_open, message_open = self._open_db()
309 db_role = self.db.get_role(args["role_name"])
# Service-role protection. The flag is read from the record's private
# `_data` dict (review: prefer a public accessor on the DB model so the
# check cannot silently break if the model changes). The `else` branch of
# this `if` raises NotAllowedOperation further down.
310 if not db_role._data["is_service"]:
311 role_id = self.get_role_id(args["role_name"])
# Keystone first; a role unknown to Keystone (role_id None) is skipped there.
312 if role_id is not None:
314 self.keystone.roles.delete(role_id)
# Catch-all: exception text is returned verbatim and reaches the API client.
315 except Exception as ex:
316 self.logger.error("Some problem occured: {}".format(ex))
317 return False, "Some problem occured: {}".format(ex)
# Then the AM DB row. The lines between the delete and the re-create are
# not shown, but this appears to be the compensation path: on DB failure
# the Keystone role is re-created and its user assignments restored, and
# the request is reported as failed.
320 self.db.delete_role(args["role_name"])
323 self.keystone.roles.create(args["role_name"])
325 self.logger.error("Error during deleting role: {}".format(args["role_name"]))
326 return False, "Error during deleting role: {}".format(args["role_name"])
327 state, message = self._add_roles_back_to_users(args["role_name"])
328 return state, message
# Service role: refuse. The empty message is fine because the handler
# below builds its own text.
330 raise amdb.NotAllowedOperation("")
331 except amdb.NotAllowedOperation:
332 self.logger.error("Deleting service role is not allowed: {0}".format(args["role_name"]))
333 return False, "Deleting service role is not allowed: {0}".format(args["role_name"])
# Catch-all: exception text is returned verbatim and reaches the API client.
334 except Exception as ex:
335 self.logger.error("Internal error: {0}".format(ex))
336 return False, "Internal error: {0}".format(ex)
# NOTE(review): how state_close is used is on original lines not shown.
338 state_close, message_close = self._close_db()
341 return True, "Role deleted."
# _open_db() failed: surface its message.
343 return False, message_open