x/ranger
Code Issues Proposed changes

Assign and Unassign group roles

Browse Source 
This patch provides support for assigning and unassigning roles
to group on domain or project.

Change-Id: If7b8c54720f3bcab2da71bbd8ca088ac572e382a
(cherry picked from commit ed887d10b8f139b4a23e9f259957aad357464715)
This commit is contained in:
Chi Lo 2019-04-16 09:20:30 -07:00 committed by Hari
parent 2e70764f30
commit 59584f034e
26 changed files with 1915 additions and 494 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
orm/orm_client/ormcli/cmscli.py
View File

@ -271,7 +271,7 @@ def add_to_parser(service_sub):
type=str, help='<key:value>') type=str, help='<key:value>')
# group # group
parser_create_group = subparsers.add_parser('creste_group', parser_create_group = subparsers.add_parser('create_group',
help='[<"X-RANGER-Client" ' help='[<"X-RANGER-Client" '
'header>] <data file ' 'header>] <data file '
'with new group ' 'with new group '
@ -288,6 +288,25 @@ def add_to_parser(service_sub):
parser_delete_group.add_argument('client', **cli_common.ORM_CLIENT_KWARGS) parser_delete_group.add_argument('client', **cli_common.ORM_CLIENT_KWARGS)
parser_delete_group.add_argument('groupid', type=str, help='<group id>') parser_delete_group.add_argument('groupid', type=str, help='<group id>')
# get group
h1, h2 = '[<"X-RANGER-Client" header>]', '<group id or group name>'
parser_get_group = subparsers.add_parser('get_group',
help='%s %s' % (h1, h2))
parser_get_group.add_argument('client', **cli_common.ORM_CLIENT_KWARGS)
parser_get_group.add_argument('groupid', type=str, help=h2)
# list groups
h1 = '[<"X-RANGER-Client" header>]'
h2 = '[--region <name>] [--starts_with <name>] [--contains <name>]'
parser_list_groups = subparsers.add_parser('list_groups',
help='%s %s' % (h1, h2))
parser_list_groups.add_argument('client', **cli_common.ORM_CLIENT_KWARGS)
parser_list_groups.add_argument('--region', type=str, help='region name')
parser_list_groups.add_argument('--starts_with', type=str,
help='group name')
parser_list_groups.add_argument('--contains', type=str,
help='* contains in group name')
# groups region # groups region
parser_add_groups_region = subparsers.add_parser( parser_add_groups_region = subparsers.add_parser(
'add_groups_region', 'add_groups_region',
@ -318,24 +337,35 @@ def add_to_parser(service_sub):
help='force delete groups region', help='force delete groups region',
action="store_true") action="store_true")
# get group # groups roles
h1, h2 = '[<"X-RANGER-Client" header>]', '<group id or group name>' parser_assign_group_roles = subparsers.add_parser(
parser_get_group = subparsers.add_parser('get_group', 'assign_group_roles',
help='%s %s' % (h1, h2)) help='[<"X-RANGER-Client" '
parser_get_group.add_argument('client', **cli_common.ORM_CLIENT_KWARGS) 'header>] <group id> '
parser_get_group.add_argument('groupid', type=str, help=h2) '<data file with group role(s) assignment JSON>')
parser_assign_group_roles.add_argument(
'client', **cli_common.ORM_CLIENT_KWARGS)
parser_assign_group_roles.add_argument(
'groupid', type=str, help='<groupid id>')
parser_assign_group_roles.add_argument(
'datafile', type=argparse.FileType('r'),
help='<data file with group role(s) assignment JSON>')
# list groups parser_unassign_group_roles = subparsers.add_parser(
h1 = '[<"X-RANGER-Client" header>]' 'unassign_group_roles',
h2 = '[--region <name>] [--starts_with <name>] [--contains <name>]' help='[<"X-RANGER-Client" '
parser_list_groups = subparsers.add_parser('list_groups', 'header>] <group id> <role> < --customer <customer id> '
help='%s %s' % (h1, h2)) 'or <--domain <domain_name> >')
parser_list_groups.add_argument('client', **cli_common.ORM_CLIENT_KWARGS) parser_unassign_group_roles.add_argument(
parser_list_groups.add_argument('--region', type=str, help='region name') 'client', **cli_common.ORM_CLIENT_KWARGS)
parser_list_groups.add_argument('--starts_with', type=str, parser_unassign_group_roles.add_argument(
help='group name') 'groupid', type=str, help='<groupid id>')
parser_list_groups.add_argument('--contains', type=str, parser_unassign_group_roles.add_argument(
help='* contains in group name') 'role', type=str, help='<role>')
parser_unassign_group_roles.add_argument(
'--customer', type=str, help='customer id')
parser_unassign_group_roles.add_argument(
'--domain', type=str, help='domain name')
return parser return parser
@ -423,6 +453,25 @@ def cmd_details(args):
if args.contains: if args.contains:
param += '%scontains=%s' % (preparm(param), args.contains) param += '%scontains=%s' % (preparm(param), args.contains)
return requests.get, 'groups/%s' % param return requests.get, 'groups/%s' % param
elif args.subcmd == 'assign_group_roles':
return requests.post, 'groups/%s/roles' % args.groupid
elif args.subcmd == 'unassign_group_roles':
if args.customer and args.domain:
print("--customer and --domain cannot be specified "
"at the same time")
exit(1)
assignment_type = assignment_value = ""
if args.customer:
assignment_type = "customer"
assignment_value = args.customer
elif args.domain:
assignment_type = "domain"
assignment_value = args.domain
return requests.delete, 'groups/%s/roles/%s/%s/%s' % (
args.groupid,
args.role,
assignment_type,
assignment_value)
def get_token(timeout, args, host): def get_token(timeout, args, host):

111
orm/services/customer_manager/cms_rest/controllers/v1/orm/group/roles.py Normal file
View File

@ -0,0 +1,111 @@
from oslo_db.exception import DBDuplicateEntry
from pecan import request, rest
from wsmeext.pecan import wsexpose
from orm.common.orm_common.utils import api_error_utils as err_utils
from orm.common.orm_common.utils import utils
from orm.services.customer_manager.cms_rest.logger import get_logger
from orm.services.customer_manager.cms_rest.logic.error_base import ErrorStatus
from orm.services.customer_manager.cms_rest.logic.group_logic import GroupLogic
from orm.services.customer_manager.cms_rest.model.GroupModels import \
RoleAssignment, RoleResultWrapper
from orm.services.customer_manager.cms_rest.utils import authentication
LOG = get_logger(__name__)
class RoleController(rest.RestController):
@wsexpose([str], str, rest_content_types='json')
def get(self, group_id):
return ["This is groups role controller ", "group id: " + group_id]
@wsexpose(RoleResultWrapper, str, body=[RoleAssignment],
rest_content_types='json', status_code=200)
def post(self, group_id, role_assignments):
LOG.info("RoleController - Assign Roles to group id {0} "
"roles: {1}".format(group_id, str(role_assignments)))
authentication.authorize(request, 'groups:assign_region')
try:
group_logic = GroupLogic()
result = group_logic.assign_roles(group_id,
role_assignments,
request.transaction_id)
LOG.info("RoleController - Roles assigned: " + str(result))
event_details = 'Group {} - roles assigned.'.format(group_id)
utils.audit_trail('assigned group roles',
request.transaction_id,
request.headers,
group_id,
event_details=event_details)
except DBDuplicateEntry as exception:
LOG.log_exception(
"DBDuplicateEntry - Group Roles already assigned.", exception)
print exception.message
raise err_utils.get_error(
request.transaction_id,
status_code=409,
message='Duplicate Entry - Group Roles already assigned.',
error_details=exception.message)
except ErrorStatus as exception:
LOG.log_exception(
"ErrorStatus - Failed to assign roles", exception)
raise err_utils.get_error(request.transaction_id,
message=exception.message,
status_code=exception.status_code)
except Exception as exception:
LOG.log_exception(
"Exception - Failed in assign roles", exception)
raise err_utils.get_error(request.transaction_id,
status_code=500,
error_details=str(exception))
return result
@wsexpose(None, str, str, str, str, status_code=204)
def delete(self, group_id, role_name, assignment_type, assignment_value):
requester = request.headers.get('X-RANGER-Requester')
is_rds_client_request = requester == 'rds_resource_service_proxy'
LOG.info("Unassign Roles from group id: {0} role_name: {1} "
"assignment_type: {2} assignment_value: {3}. ".format(
group_id, role_name, assignment_type,
assignment_value))
authentication.authorize(request, 'groups:unassign_region')
try:
group_logic = GroupLogic()
group_logic.unassign_roles(group_id,
role_name,
assignment_type,
assignment_value,
request.transaction_id)
LOG.info("RoleController - Unassign Roles finished")
event_details = 'Group {} roles unassigned'.format(group_id)
utils.audit_trail('unassign group roles',
request.transaction_id,
request.headers,
group_id,
event_details=event_details)
except ValueError as exception:
raise err_utils.get_error(request.transaction_id,
message=exception.message,
status_code=404)
except ErrorStatus as exception:
LOG.log_exception("ErrorStatus - Failed to unassign roles",
exception)
raise err_utils.get_error(request.transaction_id,
message=exception.message,
status_code=exception.status_code)
except Exception as exception:
LOG.log_exception("Exception - Failed in unassign roles",
exception)
raise err_utils.get_error(request.transaction_id,
status_code=500,
error_details=str(exception))

3
orm/services/customer_manager/cms_rest/controllers/v1/orm/group/root.py
View File

@ -8,6 +8,8 @@ from orm.services.customer_manager.cms_rest.controllers.v1.orm.customer.users \
import DefaultUserController import DefaultUserController
from orm.services.customer_manager.cms_rest.controllers.v1.orm.group.regions \ from orm.services.customer_manager.cms_rest.controllers.v1.orm.group.regions \
import RegionController import RegionController
from orm.services.customer_manager.cms_rest.controllers.v1.orm.group.roles \
import RoleController
from orm.services.customer_manager.cms_rest.logger import get_logger from orm.services.customer_manager.cms_rest.logger import get_logger
from orm.services.customer_manager.cms_rest.logic.error_base import ErrorStatus from orm.services.customer_manager.cms_rest.logic.error_base import ErrorStatus
from orm.services.customer_manager.cms_rest.logic.group_logic import GroupLogic from orm.services.customer_manager.cms_rest.logic.group_logic import GroupLogic
@ -19,6 +21,7 @@ LOG = get_logger(__name__)
class GroupController(rest.RestController): class GroupController(rest.RestController):
roles = RoleController()
regions = RegionController() regions = RegionController()
users = DefaultUserController() users = DefaultUserController()

87
orm/services/customer_manager/cms_rest/data/data_manager.py
View File

@ -6,12 +6,18 @@ from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
customer_region_record import CustomerRegionRecord customer_region_record import CustomerRegionRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.\ from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
group_record import GroupRecord group_record import GroupRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
groups_customer_role_record import GroupsCustomerRoleRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
groups_domain_role_record import GroupsDomainRoleRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.\ from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
groups_region_record import GroupsRegionRecord groups_region_record import GroupsRegionRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.\
groups_role_record import GroupsRoleRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.models \ from orm.services.customer_manager.cms_rest.data.sql_alchemy.models \
import (CmsRole, CmsUser, Customer, import (CmsRole, CmsUser, Customer, CustomerRegion,
Groups, GroupRegion, Groups, GroupsCustomerRole, GroupsDomainRole, GroupRegion,
CustomerRegion, Quota, GroupsRole, Quota,
QuotaFieldDetail, Region, QuotaFieldDetail, Region,
UserRole) UserRole)
from orm.services.customer_manager.cms_rest.data.sql_alchemy.user_role_record \ from orm.services.customer_manager.cms_rest.data.sql_alchemy.user_role_record \
@ -135,27 +141,48 @@ class DataManager(object):
self.customer_record = CustomerRecord(self.session) self.customer_record = CustomerRecord(self.session)
return self.customer_record return self.customer_record
if record_name == "Group" or record_name == "group": elif record_name == "Group" or record_name == "group":
if not hasattr(self, "group_record"): if not hasattr(self, "group_record"):
self.group_record = GroupRecord(self.session) self.group_record = GroupRecord(self.session)
return self.group_record return self.group_record
if record_name == "CustomerRegion" or record_name == "customer_region": elif (record_name == "CustomerRegion" or
record_name == "customer_region"):
if not hasattr(self, "customer_region_record"): if not hasattr(self, "customer_region_record"):
self.customer_region_record = CustomerRegionRecord( self.customer_region_record = CustomerRegionRecord(
self.session) self.session)
return self.customer_region_record return self.customer_region_record
if record_name == "GroupRegion" or record_name == "group_region": elif record_name == "GroupsRegion" or record_name == "groups_region":
if not hasattr(self, "groups_region_record"): if not hasattr(self, "groups_region_record"):
self.groups_region_record = GroupsRegionRecord( self.groups_region_record = GroupsRegionRecord(
self.session) self.session)
return self.groups_region_record return self.groups_region_record
if record_name == "UserRole" or record_name == "user_role": elif record_name == "UserRole" or record_name == "user_role":
if not hasattr(self, "user_role_record"): if not hasattr(self, "user_role_record"):
self.user_role_record = UserRoleRecord(self.session) self.user_role_record = UserRoleRecord(self.session)
return self.user_role_record return self.user_role_record
elif record_name == "GroupsRole" or record_name == "groups_role":
if not hasattr(self, "groups_role_record"):
self.groups_role_record = GroupsRoleRecord(self.session)
return self.groups_role_record
elif (record_name == "GroupsCustomerRole" or
record_name == "groups_customer_role"):
if not hasattr(self, "groups_customer_role_record"):
self.groups_customer_role_record = GroupsCustomerRoleRecord(
self.session)
return self.groups_customer_role_record
elif (record_name == "GroupsDomainRole" or
record_name == "groups_domain_role"):
if not hasattr(self, "groups_domain_role_record"):
self.groups_domain_role_record = GroupsDomainRoleRecord(
self.session)
return self.groups_domain_role_record
return None return None
def add_user(self, user): def add_user(self, user):
@ -227,7 +254,7 @@ class DataManager(object):
sql_group = Groups( sql_group = Groups(
uuid=uuid, uuid=uuid,
name=group.name, name=group.name,
domain_name='default', domain_name=group.domain_name,
enabled=group.enabled, enabled=group.enabled,
description=group.description description=group.description
) )
@ -318,6 +345,50 @@ class DataManager(object):
return customer_id return customer_id
def get_role_id_by_name(self, name):
role_id = self.session.query(CmsRole.id).filter(
CmsRole.name == name).scalar()
return role_id
def check_groups_role_exist(self, role_id, group_id):
count = self.session.query(GroupsRole).filter(
GroupsRole.role_id == role_id,
GroupsRole.group_id == group_id).count()
return count >= 1
def add_groups_role(self, role_id, group_id):
# if there is no existing record, proceed to add it
if not self.check_groups_role_exist(role_id, group_id):
groups_role = GroupsRole(role_id=role_id,
group_id=group_id)
self.session.add(groups_role)
self.flush()
def add_groups_role_on_domain(self,
group_id, role_id, region_id, domain):
self.add_groups_role(role_id, group_id)
groups_domain_role = GroupsDomainRole(role_id=role_id,
group_id=group_id,
domain_name=domain,
region_id=region_id)
self.session.add(groups_domain_role)
self.flush()
return groups_domain_role
def add_groups_role_on_project(self,
group_id, role_id, region_id, customer_id):
self.add_groups_role(role_id, group_id)
groups_customer_role = GroupsCustomerRole(role_id=role_id,
group_id=group_id,
customer_id=customer_id,
region_id=region_id)
self.session.add(groups_customer_role)
self.flush()
return groups_customer_role
@classmethod @classmethod
def get_dict_from_quota(cls, quota, quota_type): def get_dict_from_quota(cls, quota, quota_type):
types = { types = {

6
orm/services/customer_manager/cms_rest/data/sql_alchemy/group_record.py
View File

@ -41,7 +41,7 @@ class GroupRecord:
def delete_by_primary_key(self, group_id): def delete_by_primary_key(self, group_id):
cmd = 'DELETE FROM groups WHERE id = %s' cmd = 'DELETE FROM groups WHERE id = %s'
result = self.session.connection().execute(cmd, (group_id)) result = self.session.connection().execute(cmd, (group_id,))
return result return result
def read_by_primary_key(self): def read_by_primary_key(self):
@ -70,7 +70,7 @@ class GroupRecord:
def get_group_id_from_uuid(self, group_uuid): def get_group_id_from_uuid(self, group_uuid):
cmd = "SELECT id from groups WHERE uuid = %s" cmd = "SELECT id from groups WHERE uuid = %s"
result = self.session.connection().scalar(cmd, (group_uuid)) result = self.session.connection().scalar(cmd, (group_uuid,))
if result: if result:
return int(result) return int(result)
@ -80,7 +80,7 @@ class GroupRecord:
def get_groups_status_by_uuids(self, uuid_str): def get_groups_status_by_uuids(self, uuid_str):
cmd = "SELECT id, resource_id, region, status FROM " \ cmd = "SELECT id, resource_id, region, status FROM " \
"rds_resource_status_view WHERE resource_id IN (%s)" "rds_resource_status_view WHERE resource_id IN (%s)"
results = self.session.connection().execute(cmd, (uuid_str)) results = self.session.connection().execute(cmd % uuid_str)
group_region = {} group_region = {}
if results: if results:

130
orm/services/customer_manager/cms_rest/data/sql_alchemy/groups_customer_role_record.py Normal file
View File

@ -0,0 +1,130 @@
from orm.services.customer_manager.cms_rest.data.sql_alchemy.group_record \
import GroupRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.models \
import GroupsCustomerRole
from orm.services.customer_manager.cms_rest.data.sql_alchemy.region_record \
import RegionRecord
from orm.services.customer_manager.cms_rest.logger import get_logger
LOG = get_logger(__name__)
class GroupsCustomerRoleRecord:
def __init__(self, session):
# thie model uses for the parameters for any acceess methods - not
# as instance of record in the table
self.__groups_customer_role = GroupsCustomerRole()
self.__TableName = "groups_customer_role"
if (session):
self.session = session
def setDBSession(self, session):
self.session = session
@property
def groups_customer_role(self):
return self.__groups_customer_role
@groups_customer_role.setter
def groups_customer_role(self):
self.__groups_customer_role = GroupsCustomerRole()
def insert(self, groups_customer_role):
try:
self.session.add(groups_customer_role)
except Exception as exception:
LOG.log_exception(
"Failed to insert groups_customer_role" +
str(groups_customer_role), exception)
raise
def get_group_customer_role_by_keys(self,
group_uuid,
role_id,
region_name,
customer_uuid):
region_record = RegionRecord(self.session)
region_id = region_record.get_region_id_from_name(region_name)
if region_id is None:
raise ValueError(
'region with the region name {0} not found'.format(
region_name))
try:
group = self.session.query(GroupsCustomerRole).filter(
and_, (
GroupsCustomerRole.group_id == group_uuid,
GroupsCustomerRole.customer_id == customer_uuid,
GroupsCustomerRole.region_id == region_id,
GroupsCustomerRole.role_id == role_id))
return group.first()
except Exception as exception:
message = "Failed to get group/project by keys: " \
" group_uuid:%s customer_uuid:%s region_name:%s " \
" role_id:%s " \
% group_uuid, customer_uuid, region_id, role_id
LOG.log_exception(message, exception)
raise
def get_customer_roles_for_group(self, group_uuid):
groups_customer_roles = []
try:
query = self.session.query(GroupsCustomerRole).filter(
GroupsCustomerRole.group_id == group_uuid)
for groups_customer_role in query.all():
groups_customer_roles.append(groups_customer_role)
return groups_customer_roles
except Exception as exception:
message = "Failed to get projects for group: %s" % (group_uuid)
LOG.log_exception(message, exception)
raise
def check_groups_customer_role_exist(self, role_id, group_id):
count = self.session.query(GroupsCustomerRole).filter(
GroupsCustomerRole.role_id == role_id,
GroupsCustomerRole.group_id == group_id).count()
return count >= 1
def remove_customer_role_from_group(self,
group_uuid,
region_id,
customer_id,
role_id):
cmd = 'DELETE FROM groups_customer_role WHERE group_id = %s and \
region_id = %s and customer_id = %s and role_id = %s'
result = self.session.connection().execute(cmd,
(group_uuid,
region_id,
customer_id,
role_id))
self.session.flush()
if result.rowcount == 0:
LOG.warn('customer with the customer id {0} not found'.format(
customer_id))
raise ValueError(
'customer with the customer id {0} not found'.format(
customer_id))
LOG.debug("num records deleted: " + str(result.rowcount))
return result
def delete_all_customers_from_group(self, group_id):
# group_id can be a uuid (type of string) or id (type of int).
# If group_id is uuid, then get id from uuid and use the id in the
# next sql command
if isinstance(group_id, basestring):
group_record = GroupRecord(self.session)
group_id = group_record.get_group_id_from_uuid(group_id)
# not including default region which is -1
cmd = 'DELETE FROM groups_customer_role WHERE group_id = %s'
result = self.session.connection().execute(cmd, (group_id,))
return result

128
orm/services/customer_manager/cms_rest/data/sql_alchemy/groups_domain_role_record.py Normal file
View File

@ -0,0 +1,128 @@
from orm.services.customer_manager.cms_rest.data.sql_alchemy.group_record \
import GroupRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.models \
import GroupsDomainRole
from orm.services.customer_manager.cms_rest.data.sql_alchemy.region_record \
import RegionRecord
from orm.services.customer_manager.cms_rest.logger import get_logger
LOG = get_logger(__name__)
class GroupsDomainRoleRecord:
def __init__(self, session):
# thie model uses for the parameters for any acceess methods - not
# as instance of record in the table
self.__groups_domain_role = GroupsDomainRole()
self.__TableName = "groups_domain_role"
if (session):
self.session = session
def setDBSession(self, session):
self.session = session
@property
def groups_domain_role(self):
return self.__groups_domain_role
@groups_domain_role.setter
def groups_domain_role(self):
self.__groups_domain_role = GroupsDomainRole()
def insert(self, groups_domain_role):
try:
self.session.add(groups_domain_role)
except Exception as exception:
LOG.log_exception(
"Failed to insert groups_domain_role" +
str(groups_domain_role), exception)
raise
def get_group_domain_role_by_keys(self,
group_uuid,
region_name,
domain,
role_id):
region_record = RegionRecord(self.session)
region_id = region_record.get_region_id_from_name(region_name)
if region_id is None:
raise ValueError(
'region with the region name {0} not found'.format(
region_name))
try:
group = self.session.query(GroupsDomainRole).filter(
and_(
GroupsDomainRole.group_id == group_uuid,
GroupsDomainRole.domain_name == domain,
GroupsDomainRole.region_id == region_id,
GroupsDomainRole.role_id == role_id))
return group.first()
except Exception as exception:
message = "Failed to get group/domain by primary keys: " \
" group_uuid:%s domain:%s region_name:%s role_id: %s" \
% group_uuid, domain, region_id, role_id
LOG.log_exception(message, exception)
raise
def get_domain_roles_for_group(self, group_uuid):
groups_domain_roles = []
try:
query = self.session.query(GroupsDomainRole).filter(
GroupsDomainRole.group_id == group_uuid)
for groups_domain_role in query.all():
groups_domain_roles.append(groups_domain_role)
return groups_domain_roles
except Exception as exception:
message = "Failed to get domains for group: %s" % (group_uuid)
LOG.log_exception(message, exception)
raise
def check_groups_domain_role_exist(self, role_id, group_id):
count = self.session.query(GroupsDomainRole).filter(
GroupsDomainRole.role_id == role_id,
GroupsDomainRole.group_id == group_id).count()
return count >= 1
def remove_domain_role_from_group(self,
group_uuid,
region_id,
domain,
role_id):
cmd = 'DELETE FROM groups_domain_role WHERE group_id = %s and \
region_id = %s and domain_name = %s and role_id = %s'
result = self.session.connection().execute(cmd,
(group_uuid,
region_id,
domain,
role_id))
self.session.flush()
if result.rowcount == 0:
LOG.warn('domain with domain name {0} not found'.format(
domain))
raise ValueError(
'domain with domain name {0} not found'.format(
domain))
LOG.debug("num records deleted: " + str(result.rowcount))
return result
def delete_all_customers_from_group(self, group_id):
# group_id can be a uuid (type of string) or id (type of int).
# If group_id is uuid, then get id from uuid and use the id in the
# next sql command
if isinstance(group_id, basestring):
group_record = GroupRecord(self.session)
group_id = group_record.get_group_id_from_uuid(group_id)
# not including default region which is -1
cmd = 'DELETE FROM groups_domain_role WHERE group_id = %s'
result = self.session.connection().execute(cmd, (group_id,))
return result

6
orm/services/customer_manager/cms_rest/data/sql_alchemy/groups_region_record.py
View File

@ -44,16 +44,16 @@ class GroupsRegionRecord:
try: try:
group_record = GroupRecord(self.session) group_record = GroupRecord(self.session)
group_id = group_record.get_group_id_from_uuid(group_uuid)
query = self.session.query(GroupRegion).filter( query = self.session.query(GroupRegion).filter(
GroupRegion.group_id == group_id) GroupRegion.group_id == group_uuid,
GroupRegion.region_id != -1)
for group_region in query.all(): for group_region in query.all():
group_regions.append(group_region) group_regions.append(group_region)
return group_regions return group_regions
except Exception as exception: except Exception as exception:
message = "Failed to get_region_names_for_group: %d" % (group_id) message = "Failed to get_region_id_for_group: %d" % (group_uuid)
LOG.log_exception(message, exception) LOG.log_exception(message, exception)
raise raise

100
orm/services/customer_manager/cms_rest/data/sql_alchemy/groups_role_record.py Normal file
View File

@ -0,0 +1,100 @@
from orm.services.customer_manager.cms_rest.data.sql_alchemy.group_record \
import GroupRecord
from orm.services.customer_manager.cms_rest.data.sql_alchemy.models \
import GroupsRole
from orm.services.customer_manager.cms_rest.logger import get_logger
LOG = get_logger(__name__)
class GroupsRoleRecord:
def __init__(self, session):
# thie model uses for the parameters for any acceess methods - not
# as instance of record in the table
self.__groups_role = GroupsRole()
self.__TableName = "groups_role"
if (session):
self.session = session
def setDBSession(self, session):
self.session = session
@property
def groups_role(self):
return self.__groups_role
@groups_role.setter
def groups_role(self):
self.__groups_role = GroupsRole()
def insert(self, groups_role):
try:
self.session.add(groups_role)
except Exception as exception:
LOG.log_exception(
"Failed to insert groups_role" + str(groups_role), exception)
raise
def get_role_for_group_by_primary_key(self, group_uuid, role_id):
try:
group = self.session.query(GroupsRole).filter(
and_(
GroupsRole.group_id == group_uuid,
GroupsRole.role_id == role_id))
return group.first()
except Exception as exception:
message = "Failed to get role by primary keys: group_uuid:%s " \
"role_id:%s " % group_uuid, role_id
LOG.log_exception(message, exception)
raise
def get_roles_for_group(self, group_uuid):
groups_roles = []
try:
query = self.session.query(GroupsRole).filter(
GroupsRole.group_id == group_uuid)
for groups_role in query.all():
groups_roles.append(groups_role)
return groups_roles
except Exception as exception:
message = "Failed to get roles for group: %s" % (group_uuid)
LOG.log_exception(message, exception)
raise
def remove_role_from_group(self, group_uuid, role_id):
cmd = 'DELETE FROM groups_role WHERE group_id = %s and role_id = %s'
result = self.session.connection().execute(cmd,
(group_uuid,
role_id))
self.session.flush()
if result.rowcount == 0:
LOG.warn('role with the role id {0} not found'.format(
role_id))
raise ValueError(
'role with the role id {0} not found'.format(
role_id))
LOG.debug("num records deleted: " + str(result.rowcount))
return result
def delete_all_roles_for_group(self, group_id):
# group_id can be a uuid (type of string) or id (type of int).
# If group_id is uuid, then get id from uuid and use the id in the
# next sql command
if isinstance(group_id, basestring):
group_record = GroupRecord(self.session)
group_id = group_record.get_group_id_from_uuid(group_id)
# not including default region which is -1
cmd = 'DELETE FROM groups_role WHERE group_id = %s and \
region_id <> -1'
result = self.session.connection().execute(cmd, (group_id,))
return result

149
orm/services/customer_manager/cms_rest/data/sql_alchemy/models.py
View File

@ -48,6 +48,9 @@ class Groups(Base, CMSBaseModel):
description = Column(String(255), nullable=True) description = Column(String(255), nullable=True)
enabled = Column(SmallInteger, nullable=False) enabled = Column(SmallInteger, nullable=False)
group_regions = relationship("GroupRegion", cascade="all, delete, delete-orphan") group_regions = relationship("GroupRegion", cascade="all, delete, delete-orphan")
groups_roles = relationship("GroupsRole", cascade="all, delete, delete-orphan")
groups_customer_roles = relationship("GroupsCustomerRole", cascade="all, delete, delete-orphan")
groups_domain_roles = relationship("GroupsDomainRole", cascade="all, delete, delete-orphan")
def __json__(self): def __json__(self):
return dict( return dict(
@ -74,6 +77,16 @@ class Groups(Base, CMSBaseModel):
group_regions = self.get_group_regions() group_regions = self.get_group_regions()
proxy_dict["regions"] = [group_region.get_proxy_dict() for group_region in group_regions] proxy_dict["regions"] = [group_region.get_proxy_dict() for group_region in group_regions]
proxy_dict["groups_roles"] = [group_role.get_proxy_dict() for group_role in self.groups_roles]
proxy_dict["groups_customer_roles"] = [
group_customer_role.get_proxy_dict()
for group_customer_role in self.groups_customer_roles]
proxy_dict["groups_domain_roles"] = [
group_domain_role.get_proxy_dict()
for group_domain_role in self.groups_domain_roles]
return proxy_dict return proxy_dict
def get_group_regions(self): def get_group_regions(self):
@ -120,13 +133,13 @@ class GroupRegion(Base, CMSBaseModel):
) )
def get_proxy_dict(self): def get_proxy_dict(self):
proxy_dict = { return {
"name": self.region.name, "name": self.region.name,
"group_id": self.group_id,
"region_id": self.region_id,
"action": "modify" "action": "modify"
} }
return proxy_dict
def to_wsme(self): def to_wsme(self):
name = self.region.name name = self.region.name
type = self.region.type type = self.region.type
@ -134,9 +147,135 @@ class GroupRegion(Base, CMSBaseModel):
type=type) type=type)
return region return region
''' '''
' CmsUser is a DataObject and contains all the fields defined in CmsUser table record. ' GroupRole is a DataObject and contains all the fields defined in GroupRole
' defined as SqlAlchemy model map to a table ' table record, defined as SqlAlchemy model map to a table
'''
class GroupsRole(Base, CMSBaseModel):
__tablename__ = 'groups_role'
role_id = Column(Integer, ForeignKey('cms_role.id'),
primary_key=True, nullable=False)
group_id = Column(String(64), ForeignKey('groups.uuid'),
primary_key=True, nullable=False, index=True)
role = relationship("CmsRole", viewonly=True)
def __json__(self):
return dict(
role_id=self.role_id,
group_id=self.group_id
)
def get_proxy_dict(self):
return {
"role_name": self.role.name,
"role_id": self.role_id,
"group_id": self.group_id
}
def to_wsme(self):
role = GroupWsmeModels.Role(name=self.role.name)
return role
'''
' GroupsCustomerRole is a DataObject and contains all the fields defined in
' GroupsCustomerRole table record, defined as SqlAlchemy model map to a table
'''
class GroupsCustomerRole(Base, CMSBaseModel):
__tablename__ = 'groups_customer_role'
group_id = Column(String(64), ForeignKey('groups.uuid'),
primary_key=True, nullable=False)
region_id = Column(Integer, ForeignKey('cms_region.id'))
customer_id = Column(Integer, ForeignKey('customer.id'),
primary_key=True, nullable=False, index=True)
role_id = Column(Integer, ForeignKey('groups_role.role_id'),
primary_key=True, nullable=False, index=True)
groups = relationship("Groups", viewonly=True)
customer = relationship("Customer", viewonly=True)
groups_role = relationship("GroupsRole", viewonly=True)
def __json__(self):
return dict(
group_id=self.group_id,
region_id=self.region_id,
customer_id=self.customer_id,
role_id=self.role_id
)
def get_proxy_dict(self):
return {
"group_id": self.group_id,
"region_id": self.region_id,
"customer_id": self.customer_id,
"customer_uuid": self.customer.uuid,
"role_id": self.role_id,
"role_name": self.groups_role.role.name
}
def to_wsme(self):
customer = GroupWsmeModels.Customer(customer_uuid=self.customer_id,
group=self.group.name,
role_id=self.role_id)
return customer
'''
' GroupsDomainRole is a DataObject and contains all the fields defined in
' GroupsDomainRole table record, defined as SqlAlchemy model map to a table
'''
class GroupsDomainRole(Base, CMSBaseModel):
__tablename__ = 'groups_domain_role'
group_id = Column(String(64), ForeignKey('groups.uuid'),
primary_key=True, nullable=False)
region_id = Column(Integer, ForeignKey('cms_region.id'))
domain_name = Column(String(64), ForeignKey('cms_domain.name'),
primary_key=True, nullable=False)
role_id = Column(Integer, ForeignKey('groups_role.role_id'),
primary_key=True, nullable=False, index=True)
groups = relationship("Groups", viewonly=True)
groups_role = relationship("GroupsRole", viewonly=True)
def __json__(self):
return dict(
group_id=self.group_id,
region_id=self.region_id,
domain_name=self.domain_name,
role_id=self.role_id
)
def get_proxy_dict(self):
return {
"group_id": self.group_id,
"region_id": self.region_id,
"domain_name": self.domain_name,
"role_id": self.role_id,
"role_name": self.groups_role.role.name
}
'''
' CmsRole is a DataObject and contains all the fields defined in CmsRole
' table record, defined as SqlAlchemy model map to a table
''' '''

4
orm/services/customer_manager/cms_rest/etc/policy.json
View File

@ -43,5 +43,7 @@
"groups:update": "rule:admin_or_creator", "groups:update": "rule:admin_or_creator",
"groups:delete": "rule:admin", "groups:delete": "rule:admin",
"groups:add_region": "rule:admin_or_support_or_creator", "groups:add_region": "rule:admin_or_support_or_creator",
"groups:delete_region": "rule:admin_or_creator" "groups:delete_region": "rule:admin_or_creator",
"groups:assign_role": "rule:admin_or_support_or_creator",
"groups:unassign_role": "rule:admin_or_creator"
} }

207
orm/services/customer_manager/cms_rest/logic/group_logic.py
View File

@ -10,11 +10,15 @@ from orm.services.customer_manager.cms_rest.data.data_manager import \
DataManager DataManager
from orm.services.customer_manager.cms_rest.logger import get_logger from orm.services.customer_manager.cms_rest.logger import get_logger
from orm.services.customer_manager.cms_rest.logic.error_base import ( from orm.services.customer_manager.cms_rest.logic.error_base import (
DuplicateEntryError, ErrorStatus) DuplicateEntryError, ErrorStatus, NotFound)
from orm.services.customer_manager.cms_rest.model.GroupModels import ( from orm.services.customer_manager.cms_rest.model.GroupModels import (
GroupResultWrapper, GroupSummary, GroupSummaryResponse) GroupResultWrapper,
RoleResultWrapper,
GroupSummary,
GroupSummaryResponse)
from orm.services.customer_manager.cms_rest.rds_proxy import RdsProxy from orm.services.customer_manager.cms_rest.rds_proxy import RdsProxy
LOG = get_logger(__name__) LOG = get_logger(__name__)
@ -51,14 +55,153 @@ class GroupLogic(object):
' already associated with group') ' already associated with group')
raise ex raise ex
def assign_roles(self,
group_uuid,
role_assignments,
transaction_id):
datamanager = DataManager()
try:
[assignment.validate_model() for assignment in role_assignments]
group_record = datamanager.get_record('group')
region_record = datamanager.get_record('groups_region')
groups_regions = region_record.get_regions_for_group(group_uuid)
for role_assignment in role_assignments:
for role in role_assignment.roles:
role_id = datamanager.get_role_id_by_name(role)
for group_region in groups_regions:
region_id = group_region.region_id
if role_assignment.domain_name:
datamanager.add_groups_role_on_domain(
group_uuid,
role_id,
region_id,
role_assignment.domain_name)
elif role_assignment.project:
project_id = datamanager.get_customer_id_by_uuid(
role_assignment.project)
datamanager.add_groups_role_on_project(
group_uuid,
role_id,
region_id,
project_id)
datamanager.flush()
group = group_record.read_group_by_uuid(group_uuid)
group_dict = group.get_proxy_dict()
if len(group_dict["regions"]) > 0:
RdsProxy.send_group_dict(group_dict, transaction_id, "PUT")
roles = [{'roles': role_assignment.roles,
'domain': role_assignment.domain_name,
'project': role_assignment.project}
for role_assignment in role_assignments]
role_result_wrapper = build_response(group_uuid,
transaction_id,
'role_assignment',
roles=roles)
datamanager.commit()
return role_result_wrapper
except Exception as exp:
LOG.log_exception("GroupLogic - Failed to Assign Role(s)", exp)
datamanager.rollback()
raise
def unassign_roles(self,
group_uuid,
role_name,
assignment_type,
assignment_value,
transaction_id):
datamanager = DataManager()
try:
group_record = datamanager.get_record('group')
region_record = datamanager.get_record('groups_region')
groups_regions = region_record.get_regions_for_group(group_uuid)
groups_role = datamanager.get_record('groups_role')
sql_group = datamanager.get_group_by_uuid_or_name(group_uuid)
if assignment_type != "customer" and assignment_type != "domain":
raise ErrorStatus(400,
"Role unassignment type must either be "
"domain or project.")
if sql_group is None:
raise ErrorStatus(
404,
"group with id {} does not exist".format(group_uuid))
role_id = datamanager.get_role_id_by_name(role_name)
domain = datamanager.get_record('groups_domain_role')
customer = datamanager.get_record('groups_customer_role')
for group_region in groups_regions:
region_id = group_region.region_id
if assignment_type == "domain":
result = domain.remove_domain_role_from_group(
group_uuid, region_id, assignment_value, role_id)
elif assignment_type == "customer":
customer_id = datamanager.get_customer_id_by_uuid(
assignment_value)
result = customer.remove_customer_role_from_group(
group_uuid, region_id, customer_id, role_id)
if result.rowcount == 0:
raise NotFound("Record not found for unassignment type: {}"
" value: {} group: {} region id: {} role"
" {} ".format(
assignment_type, assignment_value,
group_uuid, region_id, role_name))
if (not customer.check_groups_customer_role_exist(
role_id, group_uuid) and
not domain.check_groups_domain_role_exist(
role_id, group_uuid)):
result = groups_role.remove_role_from_group(group_uuid,
role_id)
if result.rowcount == 0:
raise NotFound("Record not found for group: {}"
" role: {}".format(group_uuid,
role_name))
datamanager.flush()
group = group_record.read_group_by_uuid(group_uuid)
group_dict = group.get_proxy_dict()
if len(group_dict["regions"]) > 0:
RdsProxy.send_group_dict(group_dict, transaction_id, "PUT")
datamanager.commit()
LOG.info("Role unassgined - type: {} value: {} group: {} "
"role {} ".format(assignment_type, assignment_value,
group_uuid, role_name))
except NotFound as e:
datamanager.rollback()
LOG.log_exception("Failed to unassign role, record not found",
e.message)
raise NotFound("Failed to unassign role, not found - %s" %
e.message)
except Exception as exp:
datamanager.rollback()
raise
def create_group(self, group, uuid, transaction_id): def create_group(self, group, uuid, transaction_id):
datamanager = DataManager() datamanager = DataManager()
try: try:
group.handle_region_group() group.handle_region_group()
sql_group = self.build_full_group(group, uuid, datamanager) sql_group = self.build_full_group(group, uuid, datamanager)
group_result_wrapper = build_response(uuid, transaction_id, group_result_wrapper = build_response(uuid,
'create') transaction_id,
'create_group')
if sql_group.group_regions and len(sql_group.group_regions) > 1: if sql_group.group_regions and len(sql_group.group_regions) > 1:
group_dict = sql_group.get_proxy_dict() group_dict = sql_group.get_proxy_dict()
for region in group_dict["regions"]: for region in group_dict["regions"]:
@ -100,8 +243,9 @@ class GroupLogic(object):
datamanager) datamanager)
# new_group_dict = sql_group.get_proxy_dict() # new_group_dict = sql_group.get_proxy_dict()
group_result_wrapper = build_response(group_uuid, transaction_id, group_result_wrapper = build_response(group_uuid,
'update') transaction_id,
'update_group')
datamanager.flush() datamanager.flush()
datamanager.commit() datamanager.commit()
@ -116,7 +260,7 @@ class GroupLogic(object):
on_success_by_rds, force_delete): on_success_by_rds, force_delete):
datamanager = DataManager() datamanager = DataManager()
try: try:
group_region = datamanager.get_record('group_region') group_region = datamanager.get_record('groups_region')
sql_group = datamanager.get_group_by_uuid_or_name(group_id) sql_group = datamanager.get_group_by_uuid_or_name(group_id)
if on_success_by_rds and sql_group is None: if on_success_by_rds and sql_group is None:
return return
@ -197,10 +341,11 @@ class GroupLogic(object):
limit=limit) limit=limit)
response = GroupSummaryResponse() response = GroupSummaryResponse()
if sql_groups: if sql_groups:
uuids = ','.join(str(sql_group.uuid) uuids = [sql_group.uuid for sql_group in sql_groups
for sql_group in sql_groups if sql_group and sql_group.uuid]
if sql_group and sql_group.uuid)
resource_status = group_record.get_groups_status_by_uuids(uuids) sql_in = ', '.join(list(map(lambda arg: "'%s'" % arg, uuids)))
resource_status = group_record.get_groups_status_by_uuids(sql_in)
for sql_group in sql_groups: for sql_group in sql_groups:
groups = GroupSummary.from_db_model(sql_group) groups = GroupSummary.from_db_model(sql_group)
@ -302,24 +447,38 @@ class GroupLogic(object):
raise raise
def build_response(group_uuid, transaction_id, context): def build_response(group_uuid, transaction_id, context, roles=[]):
"""this function generate th group action response JSON """this function generate th group action response JSON
:param group_uuid: :param group_uuid:
:param transaction_id: :param transaction_id:
:param context: create or update :param context:
:param roles:
:return: :return:
""" """
timestamp = utils.get_time_human()
# The link should point to the group itself (/v1/orm/groups/{id}) # The link should point to the group itself (/v1/orm/groups/{id})
link_elements = request.url.split('/') link_elements = request.url.split('/')
base_link = '/'.join(link_elements) base_link = '/'.join(link_elements)
if context == 'create': if context == 'create_group' or context == 'update_group':
base_link = base_link + '/' + group_uuid if context == 'create_group':
base_link = base_link + group_uuid
timestamp = utils.get_time_human() group_result_wrapper = GroupResultWrapper(
group_result_wrapper = GroupResultWrapper( transaction_id=transaction_id,
transaction_id=transaction_id, id=group_uuid,
id=group_uuid, updated=None,
updated=None, created=timestamp,
created=timestamp, links={'self': base_link})
links={'self': base_link})
return group_result_wrapper return group_result_wrapper
elif context == 'role_assignment':
role_result_wrapper = RoleResultWrapper(
transaction_id=transaction_id,
roles=roles,
links={'self': base_link},
created=timestamp)
return role_result_wrapper
else:
return None

53
orm/services/customer_manager/cms_rest/model/GroupModels.py
View File

@ -35,6 +35,27 @@ class Region(Model):
self.error_message = error_message self.error_message = error_message
class RoleAssignment(Model):
roles = wsme.wsattr([str], mandatory=True)
project = wsme.wsattr(wsme.types.text, mandatory=False)
domain_name = wsme.wsattr(wsme.types.text, mandatory=False)
def __init__(self, status="", domain="", project="", roles=[]):
self.domain_name = domain
self.project = project
self.roles = roles
def validate_model(self):
if self.project and self.domain_name:
raise ErrorStatus(400,
"Found both project and domain_name tag used. "
"Only one can be specified for role assignment.")
if len(set(self.roles)) != len(self.roles):
raise ErrorStatus(400,
"Duplicate role in roles tag found ")
class Group(Model): class Group(Model):
"""group entity with all it's related data """group entity with all it's related data
""" """
@ -168,9 +189,6 @@ class GroupSummaryResponse(Model):
self.groups = [] self.groups = []
""" Region Result Handler """
class RegionResult(Model): class RegionResult(Model):
id = wsme.wsattr(wsme.types.text, mandatory=True) id = wsme.wsattr(wsme.types.text, mandatory=True)
added = wsme.wsattr(wsme.types.text, mandatory=False) added = wsme.wsattr(wsme.types.text, mandatory=False)
@ -195,4 +213,31 @@ class RegionResultWrapper(Model):
self.regions = regions_result self.regions = regions_result
""" ****************************************************************** """ class RoleResult(Model):
roles = wsme.wsattr([str], mandatory=True)
project = wsme.wsattr(wsme.types.text, mandatory=False)
domain_name = wsme.wsattr(wsme.types.text, mandatory=False)
def __init__(self, roles, project="", domain=""):
Model.__init__(self)
self.roles = roles
if project:
self.project = project
if domain:
self.domain_name = domain
class RoleResultWrapper(Model):
transaction_id = wsme.wsattr(wsme.types.text, mandatory=True)
roles = wsme.wsattr([RoleResult], mandatory=True)
links = wsme.wsattr({str: str}, mandatory=True)
created = wsme.wsattr(wsme.types.text, mandatory=True)
def __init__(self, transaction_id, roles, links, created):
roles_result = [RoleResult(role['roles'],
project=role['project'],
domain=role['domain']) for role in roles]
self.roles = roles_result
self.transaction_id = transaction_id
self.links = links
self.created = created

29
orm/services/customer_manager/scripts/db_scripts/ranger_cms_create_db.sql
View File

@ -130,11 +130,9 @@ create table if not exists groups_role
( (
role_id integer not null, role_id integer not null,
group_id varchar(64) not null, group_id varchar(64) not null,
region_id integer not null, primary key (role_id, group_id),
primary key (role_id, region_id, group_id), foreign key (role_id) references cms_role(id),
foreign key (role_id) references cms_role(id),
foreign key (`group_id`) references `groups` (`uuid`) ON DELETE CASCADE ON UPDATE NO ACTION, foreign key (`group_id`) references `groups` (`uuid`) ON DELETE CASCADE ON UPDATE NO ACTION,
index region_id (region_id),
index group_id_idx (group_id)); index group_id_idx (group_id));
create table if not exists groups_user create table if not exists groups_user
@ -147,14 +145,29 @@ create table if not exists groups_user
index user_id (user_id), index user_id (user_id),
index group_id (group_id)); index group_id (group_id));
create table if not exists groups_customer create table if not exists groups_customer_role
( (
group_id varchar(64) not null, group_id varchar(64) not null,
customer_id integer not null, customer_id integer not null,
region_id integer not null, region_id integer,
primary key (group_id, customer_id, region_id), role_id integer not null,
primary key (group_id, customer_id, role_id),
foreign key (`group_id`) references `groups` (`uuid`) ON DELETE CASCADE ON UPDATE NO ACTION, foreign key (`group_id`) references `groups` (`uuid`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`customer_id`) references `customer` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION, foreign key (`customer_id`) references `customer` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`role_id`) references `groups_role` (`role_id`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`region_id`) references `cms_region` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION, foreign key (`region_id`) references `cms_region` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
index customer_id_idx (customer_id), index customer_id_idx (customer_id),
index regio_id_idx (region_id)); index role_id_idx (role_id));
create table if not exists groups_domain_role
(
group_id varchar(64) not null,
domain_name varchar(64) not null,
region_id integer,
role_id integer not null,
primary key (group_id, domain_name, role_id),
foreign key (`group_id`) references `groups` (`uuid`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`domain_name`) references `cms_domain` (`name`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`role_id`) references `groups_role` (`role_id`) ON DELETE CASCADE ON UPDATE NO ACTION,
foreign key (`region_id`) references `cms_region` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
index role_id_idx (role_id));

2
orm/services/resource_distributor/rds/services/helpers.py
View File

@ -17,7 +17,7 @@ def create_final_yaml(title, description, resources, outputs):
yaml.dump(resources, default_flow_style=False)).strip() yaml.dump(resources, default_flow_style=False)).strip()
outputs_yaml = yaml.dump(outputs).strip() outputs_yaml = yaml.dump(outputs).strip()
return '\n\n'.join([ return '\n'.join([
title_yaml, title_yaml,
description_yaml, description_yaml,
resources_yaml, resources_yaml,

106
orm/services/resource_distributor/rds/services/yaml_group_builder.py
View File

@ -1,6 +1,7 @@
"""yaml build build yaml from json input.""" """yaml build build yaml from json input."""
import logging import logging
from orm.services.resource_distributor.rds.services.helpers import create_final_yaml from orm.services.resource_distributor.rds.services.helpers import \
create_final_yaml
from pecan import conf from pecan import conf
from pprint import pformat from pprint import pformat
@ -17,20 +18,60 @@ def yamlbuilder(alldata, region):
:param region: data per region :param region: data per region
:return: the full string of yaml file :return: the full string of yaml file
""" """
logger.info("group alldata {} for region {}".format(pformat(alldata), region)) logger.info("group alldata {} for region {}".format(pformat(alldata),
region))
outputs = {} outputs = {"outputs": {}}
resources = {} resources = {"resources": {}}
yaml_version = conf.yaml_configs.group_yaml.yaml_version yaml_version = conf.yaml_configs.group_yaml.yaml_version
title = {'heat_template_version': yaml_version} title = {'heat_template_version': yaml_version}
description = {'description': 'yaml file for region - %s' % region['name']} description = {'description': 'yaml file for region - %s' % region['name']}
jsondata = alldata jsondata = alldata
status = {"0": False, "1": True}[str(jsondata['enabled'])] group_name = jsondata['name']
if "roles" in alldata: resources["resources"][group_name] = {
outputs['outputs'], resources['resources'] = build_group_roles_yaml(jsondata) 'type': 'OS::Keystone::Group\n',
else: 'properties': {
outputs['outputs'], resources['resources'] = build_group_yaml(jsondata) 'name': "%s" % group_name,
'description': jsondata['description'],
'domain': jsondata['domain_name']
}
}
if "groups_roles" in jsondata and len(jsondata["groups_roles"]) > 0:
template_name = "{}-Role-Assignment".format(group_name)
roles = []
for customer_role in jsondata["groups_customer_roles"]:
roles.append({
"role": customer_role["role_name"],
"project": customer_role["customer_uuid"]
})
for domain_role in jsondata["groups_domain_roles"]:
roles.append({
"role": domain_role["role_name"],
"domain": domain_role["domain_name"]
})
resources["resources"][template_name] = {
'type': 'OS::Keystone::GroupRoleAssignment\n',
'properties': {
'group': "%s" % group_name,
'roles': roles
}
}
outputs["outputs"][template_name + "_id"] = {
"value": {
"get_resource": "%s" % template_name
}
}
outputs["outputs"][group_name + "_id"] = {
"value": {
"get_resource": "%s" % group_name
}
}
# putting all parts together for full yaml # putting all parts together for full yaml
yamldata = create_final_yaml(title, description, resources, outputs) yamldata = create_final_yaml(title, description, resources, outputs)
@ -38,50 +79,3 @@ def yamlbuilder(alldata, region):
"done building group yaml for region %s " % region['name']) "done building group yaml for region %s " % region['name'])
return yamldata return yamldata
def build_group_yaml(jsondata):
resources = {}
outputs = {}
group_name = jsondata['name']
resources[group_name] = {
'type': 'OS::Keystone::Group\n',
'properties': {
'name': "%s" % group_name,
'description': jsondata['description'],
'domain': jsondata['domain_name'],
'roles': []
}
}
outputs[group_name] = {
"value": {
"get_resource": "%s" % group_name
}
}
return outputs, resources
def build_group_roles_yaml(jsondata):
resources = {}
outputs = {}
group_name = jsondata['name']
template_name = "{}-Role-Assignment".format(group_name)
resources[template_name] = {
'type': 'OS::Keystone::GroupRoleAssignment\n',
'properties': {
'group': "%s" % group_name,
'roles': jsondata['roles']
}
}
outputs[template_name] = {
"value": {
"get_resource": "%s" % template_name
}
}
return outputs, resources

179
orm/tests/unit/cms/test_group_logic.py
View File

@ -1,6 +1,7 @@
from orm.services.customer_manager.cms_rest.data.sql_alchemy\ from orm.services.customer_manager.cms_rest.data.sql_alchemy \
import models as sql_models import models as sql_models
from orm.services.customer_manager.cms_rest.logic.error_base import ErrorStatus from orm.services.customer_manager.cms_rest.logic.error_base \
import ErrorStatus, NotFound
from orm.services.customer_manager.cms_rest.logic import group_logic from orm.services.customer_manager.cms_rest.logic import group_logic
import orm.services.customer_manager.cms_rest.model.GroupModels as models import orm.services.customer_manager.cms_rest.model.GroupModels as models
from orm.tests.unit.cms import FunctionalTest from orm.tests.unit.cms import FunctionalTest
@ -55,7 +56,7 @@ class TestGroupLogic(FunctionalTest):
group_logic.utils.get_time_human.return_value = '111' group_logic.utils.get_time_human.return_value = '111'
group_logic.RdsProxy = mock.MagicMock() group_logic.RdsProxy = mock.MagicMock()
group_logic.RdsProxy.send_group.return_value = None group_logic.RdsProxy.send_group_dict.return_value = None
group_logic.RdsProxy.get_status.return_value = RdsStatus() group_logic.RdsProxy.get_status.return_value = RdsStatus()
group_logic.build_response = mock.MagicMock() group_logic.build_response = mock.MagicMock()
@ -179,6 +180,150 @@ class TestGroupLogic(FunctionalTest):
self.assertRaises(group_logic.ErrorStatus, logic.delete_group_by_uuid, self.assertRaises(group_logic.ErrorStatus, logic.delete_group_by_uuid,
'group_id') 'group_id')
def test_assign_roles_to_group_on_domain_success(self):
roles_assginments = [models.RoleAssignment(
roles=['a_role'], domain='domain')]
logic = group_logic.GroupLogic()
logic.assign_roles('group_uuid', roles_assginments, 'some_trans_id')
assert data_manager_mock.add_groups_role_on_domain.called
assert data_manager_mock.get_role_id_by_name.called
assert data_manager_mock.commit.called
assert not data_manager_mock.rollback.called
assert record_mock.read_group_by_uuid.called
assert record_mock.get_regions_for_group.called
def test_assign_roles_to_group_on_project_success(self):
roles_assginments = [models.RoleAssignment(
roles=['a_role'], project='project')]
logic = group_logic.GroupLogic()
logic.assign_roles('group_uuid', roles_assginments, 'some_trans_id')
assert data_manager_mock.add_groups_role_on_project.called
assert data_manager_mock.get_customer_id_by_uuid.called
assert data_manager_mock.commit.called
assert data_manager_mock.get_role_id_by_name.called
assert not data_manager_mock.rollback.called
assert record_mock.read_group_by_uuid.called
assert record_mock.get_regions_for_group.called
def test_assign_roles_to_group_on_domain_error(self):
global mock_returns_error
mock_returns_error = True
roles_assginments = [models.RoleAssignment(
roles=['a_role'], domain='domain')]
logic = group_logic.GroupLogic()
self.assertRaises(SystemError, logic.assign_roles, 'group_uuid',
roles_assginments, 'some_trans_id')
assert data_manager_mock.rollback.called
def test_assign_roles_to_group_on_project_error(self):
global mock_returns_error
mock_returns_error = True
roles_assginments = [models.RoleAssignment(
roles=['a_role'], project='project')]
logic = group_logic.GroupLogic()
self.assertRaises(SystemError, logic.assign_roles, 'group_uuid',
roles_assginments, 'some_trans_id')
assert data_manager_mock.rollback.called
def test_unassign_roles_from_group_on_domain_success(self):
logic = group_logic.GroupLogic()
logic.unassign_roles('group_uuid', 'role', 'domain', 'domain_name',
'some_trans_id')
assert record_mock.get_regions_for_group.called
assert record_mock.remove_domain_role_from_group.called
assert record_mock.check_groups_customer_role_exist.called
assert record_mock.check_groups_domain_role_exist.called
assert record_mock.read_group_by_uuid.called
assert record_mock.remove_role_from_group.called
assert data_manager_mock.commit.called
assert data_manager_mock.get_role_id_by_name.called
def test_unassign_roles_from_group_on_project_success(self):
logic = group_logic.GroupLogic()
logic.unassign_roles('group_uuid', 'role', 'customer', 'customer_id',
'some_trans_id')
assert record_mock.get_regions_for_group.called
assert record_mock.remove_customer_role_from_group.called
assert record_mock.check_groups_customer_role_exist.called
assert record_mock.check_groups_domain_role_exist.called
assert record_mock.read_group_by_uuid.called
assert record_mock.remove_role_from_group.called
assert data_manager_mock.commit.called
assert data_manager_mock.get_role_id_by_name.called
def test_unassign_roles_from_group_group_role_not_removed(self):
global flow_type
flow_type = 3
logic = group_logic.GroupLogic()
logic.unassign_roles('group_uuid', 'role', 'customer', 'customer_id',
'some_trans_id')
assert record_mock.get_regions_for_group.called
assert record_mock.remove_customer_role_from_group.called
assert record_mock.check_groups_customer_role_exist.called
assert not record_mock.check_groups_domain_role_exist.called
assert record_mock.read_group_by_uuid.called
assert not record_mock.remove_role_from_group.called
assert data_manager_mock.commit.called
assert data_manager_mock.get_role_id_by_name.called
def test_unassign_roles_from_group_on_domain_error(self):
global mock_returns_error
mock_returns_error = True
logic = group_logic.GroupLogic()
self.assertRaises(SystemError, logic.unassign_roles, 'group_uuid',
'role', 'domain', 'domain_name', 'some_trans_id')
assert record_mock.get_regions_for_group.called
assert record_mock.remove_domain_role_from_group.called
assert data_manager_mock.rollback.called
assert data_manager_mock.get_role_id_by_name.called
def test_unassign_roles_from_group_on_project_error(self):
global mock_returns_error
mock_returns_error = True
logic = group_logic.GroupLogic()
self.assertRaises(SystemError, logic.unassign_roles, 'group_uuid',
'role', 'customer', 'customer_id', 'some_trans_id')
assert record_mock.get_regions_for_group.called
assert record_mock.remove_customer_role_from_group.called
assert data_manager_mock.rollback.called
assert data_manager_mock.get_role_id_by_name.called
def test_unassign_roles_from_group_group_not_found(self):
global flow_type
flow_type = 1
logic = group_logic.GroupLogic()
self.assertRaises(ErrorStatus, logic.unassign_roles, 'group_uuid',
'role', 'customer', 'customer_id', 'some_trans_id')
def test_unassign_roles_from_group_incorrect_type(self):
logic = group_logic.GroupLogic()
self.assertRaises(ErrorStatus, logic.unassign_roles, 'group_uuid',
'role', 'wrong_type', 'customer_id', 'some_trans_id')
def test_unassign_roles_from_group_group_role_not_found(self):
global flow_type
flow_type = 4
logic = group_logic.GroupLogic()
self.assertRaises(NotFound, logic.unassign_roles, 'group_uuid',
'role', 'customer', 'customer_id', 'some_trans_id')
def get_mock_datamanager(): def get_mock_datamanager():
global data_manager_mock global data_manager_mock
@ -190,6 +335,8 @@ def get_mock_datamanager():
data_manager_mock = mock.MagicMock() data_manager_mock = mock.MagicMock()
record_mock = mock.MagicMock() record_mock = mock.MagicMock()
record_mock.get_groups_by_criteria.return_value = [sql_group] record_mock.get_groups_by_criteria.return_value = [sql_group]
result_mock = mock.Mock()
result_mock.rowcount = 1
def _get_group(): def _get_group():
def mock_to_wsme(): def mock_to_wsme():
@ -205,9 +352,20 @@ def get_mock_datamanager():
if not mock_returns_error: if not mock_returns_error:
data_manager_mock.get_group_by_uuid_or_name.return_value = _get_group() data_manager_mock.get_group_by_uuid_or_name.return_value = _get_group()
data_manager_mock.get_role_id_by_name.return_value = 1
record_mock.delete_region_for_group.return_value = None record_mock.delete_region_for_group.return_value = None
record_mock.delete_group_by_uuid.return_value = None record_mock.delete_group_by_uuid.return_value = None
# mock for assign/unassign roles
record_mock.read_group_by_uuid.return_value = sql_group
record_mock.get_regions_for_group.return_value = [
sql_models.GroupRegion(region_id=1, group_id="group_id")]
record_mock.remove_customer_role_from_group.return_value = result_mock
record_mock.remove_domain_role_from_group.return_value = result_mock
record_mock.check_groups_customer_role_exist.return_value = False
record_mock.check_groups_domain_role_exist.return_value = False
record_mock.remove_role_from_group.return_value = result_mock
if flow_type == 1: if flow_type == 1:
record_mock.read_group_by_uuid.return_value = None record_mock.read_group_by_uuid.return_value = None
data_manager_mock.get_group_by_uuid_or_name.return_value = None data_manager_mock.get_group_by_uuid_or_name.return_value = None
@ -216,9 +374,24 @@ def get_mock_datamanager():
q.get_group_regions.return_value = [mock.MagicMock()] q.get_group_regions.return_value = [mock.MagicMock()]
record_mock.read_group_by_uuid.return_value = q record_mock.read_group_by_uuid.return_value = q
record_mock.delete_group_by_uuid.side_effect = SystemError() record_mock.delete_group_by_uuid.side_effect = SystemError()
elif flow_type == 3:
record_mock.check_groups_customer_role_exist.return_value = True
elif flow_type == 4:
result_mock.rowcount = 0
record_mock.remove_role_from_group.return_value = result_mock
else: else:
record_mock.read_group_by_uuid.side_effect = SystemError() record_mock.read_group_by_uuid.side_effect = SystemError()
record_mock.delete_region_for_group.side_effect = SystemError() record_mock.delete_region_for_group.side_effect = SystemError()
# mock for assign roles
data_manager_mock.add_groups_role_on_domain.side_effect = \
SystemError()
data_manager_mock.add_groups_role_on_project.side_effect = \
SystemError()
record_mock.get_regions_for_group.return_value = [
sql_models.GroupRegion(region_id=1, group_id="group_id")]
record_mock.remove_domain_role_from_group.side_effect = SystemError()
record_mock.remove_customer_role_from_group.side_effect = SystemError()
data_manager_mock.get_record.return_value = record_mock data_manager_mock.get_record.return_value = record_mock
return data_manager_mock return data_manager_mock

168
orm/tests/unit/cms/test_groups_role.py Normal file
View File

@ -0,0 +1,168 @@
import mock
import requests
from orm.services.customer_manager.cms_rest.controllers.v1.orm.group\
import roles
from orm.services.customer_manager.cms_rest.logic.error_base import ErrorStatus
from orm.services.customer_manager.cms_rest.model import GroupModels
from orm.tests.unit.cms import FunctionalTest
from wsme.exc import ClientSideError
group_logic_mock = None
class TestGroupsRoleController(FunctionalTest):
def setUp(self):
FunctionalTest.setUp(self)
roles.authentication = mock.MagicMock()
roles.GroupLogic = get_mock_group_logic
roles.GroupLogic.return_error = 0
roles.utils = mock.MagicMock()
roles.utils.make_transid.return_value = 'some_trans_id'
roles.utils.audit_trail.return_value = None
roles.utils.make_uuid.return_value = 'some_uuid'
roles.err_utils = mock.MagicMock()
def tearDown(self):
FunctionalTest.tearDown(self)
def test_assign_roles_to_group(self):
# given
requests.post = mock.MagicMock(return_value=ResponseMock(200))
# when
response = self.app.post_json('/v1/orm/groups/{groups id}/roles/',
GROUPS_ROLE_JSON)
# assert
assert response.status_int == 200
assert roles.utils.audit_trail.called
assert group_logic_mock.assign_roles_called
def test_assign_roles_to_group_fail(self):
# given
requests.post = mock.MagicMock()
roles.GroupLogic.return_error = 1
roles.err_utils.get_error = mock.MagicMock(
return_value=ClientSideError("blabla", 500))
# when
response = self.app.post_json('/v1/orm/groups/{groups id}/roles/',
GROUPS_ROLE_JSON, expect_errors=True)
# assert
self.assertEqual(response.status_int, 500)
def test_assign_roles_to_group_bad_request(self):
# given
requests.post = mock.MagicMock()
roles.GroupLogic.return_error = 2
roles.err_utils.get_error = mock.MagicMock(
return_value=ClientSideError("blabla", 404))
# when
response = self.app.post_json('/v1/orm/groups/{groups_id}/roles/',
GROUPS_ROLE_JSON, expect_errors=True)
# assert
self.assertEqual(response.status_int, 404)
@mock.patch.object(roles, 'request')
def test_unassign_roles_to_group(self, request):
# given
requests.delete = mock.MagicMock(return_value=ResponseMock(204))
request.headers = {'X-RANGER-Requester': "rds_resource_service_proxy"}
response = self.app.delete(
'/v1/orm/groups/{groups id}/roles/{role name}/{type}/{type id}')
# assert
assert response.status_int == 204
assert roles.utils.audit_trail.called
assert group_logic_mock.unassign_roles_called
def test_unassign_roles_to_group_fail(self):
# given
requests.delete = mock.MagicMock()
roles.GroupLogic.return_error = 1
roles.err_utils.get_error = mock.MagicMock(
return_value=ClientSideError("blabla", 500))
# when
response = self.app.delete(
'/v1/orm/groups/{groups id}/roles/{role name}/{type}/{type id}',
expect_errors=True)
# assert
self.assertEqual(response.status_int, 500)
@mock.patch.object(roles, 'request')
def test_unassign_roles_to_group_bad_request(self, request):
# given
requests.delete = mock.MagicMock()
request.headers = {'X-RANGER-Requester': "rds_resource_service_proxy"}
roles.GroupLogic.return_error = 2
roles.err_utils.get_error = mock.MagicMock(
return_value=ClientSideError("blabla", 404))
# when
response = self.app.delete(
'/v1/orm/groups/{groups id}/roles/{role name}/{type}/{type id}',
expect_errors=True)
# assert
self.assertEqual(response.status_int, 404)
def get_mock_group_logic():
global group_logic_mock
group_logic_mock = mock.MagicMock()
if roles.GroupLogic.return_error == 0:
res = GroupModels.RoleResultWrapper(transaction_id='1',
roles=[],
links={},
created='1')
res1 = GroupModels.RoleResultWrapper(transaction_id='1',
roles=[],
links={},
created='1')
group_logic_mock.assign_roles.return_value = res
group_logic_mock.unassign_roles.return_value = res1
elif roles.GroupLogic.return_error == 1:
group_logic_mock.assign_roles.side_effect = SystemError()
group_logic_mock.unassign_roles.side_effect = SystemError()
else:
group_logic_mock.assign_roles.side_effect = ErrorStatus(
status_code=404)
group_logic_mock.unassign_roles.side_effect = ErrorStatus(
status_code=404)
return group_logic_mock
class ResponseMock:
def __init__(self, status_code=200):
self.status_code = status_code
GROUPS_ROLE_JSON = [
{
"project": "project-id",
"roles": [
"role1",
"role2"
]
}
]

24
orm/tests/unit/ormcli/test_cmscli.py
View File

@ -41,6 +41,8 @@ class CmsTests(TestCase):
args.starts_with = 'test_startswith' args.starts_with = 'test_startswith'
args.contains = 'test_contains' args.contains = 'test_contains'
args.force_delete is False args.force_delete is False
args.role = 'test_role_name'
args.assignment_value = 'test_role_assignment_value'
subcmd_to_result = { subcmd_to_result = {
'create_customer': (requests.post, 'customers/',), 'create_customer': (requests.post, 'customers/',),
@ -93,7 +95,9 @@ class CmsTests(TestCase):
'groups/?region=%s&starts_with=%s' 'groups/?region=%s&starts_with=%s'
'&contains=%s' % (args.region, '&contains=%s' % (args.region,
args.starts_with, args.starts_with,
args.contains)) args.contains)),
'assign_group_roles': (
requests.post, 'groups/%s/roles' % args.groupid,)
} }
# Assert that each subcommand returns the expected details # Assert that each subcommand returns the expected details
@ -102,6 +106,24 @@ class CmsTests(TestCase):
self.assertEqual(subcmd_to_result[subcmd], self.assertEqual(subcmd_to_result[subcmd],
cmscli.cmd_details(args)) cmscli.cmd_details(args))
args.subcmd = 'unassign_group_roles'
for assignment_type in ['customer', 'domain']:
if assignment_type == 'customer':
args.customer = args.assignment_value
args.domain = None
else:
args.domain = args.assignment_value
args.customer = None
cmd_to_result = (requests.delete,
'groups/%s/roles/%s/%s/%s' % (
args.groupid,
args.role,
assignment_type,
args.assignment_value))
self.assertEqual(cmd_to_result,
cmscli.cmd_details(args))
@mock.patch.object(cmscli.cli_common, 'get_keystone_ep', @mock.patch.object(cmscli.cli_common, 'get_keystone_ep',
return_value=None) return_value=None)
def test_get_token_keystone_ep_not_found(self, mock_get_keystone_ep): def test_get_token_keystone_ep_not_found(self, mock_get_keystone_ep):

4
orm/tests/unit/rds/services/test_group_yaml.py
View File

@ -18,10 +18,10 @@ yaml_group = \
' test_group:\n properties:\n'\ ' test_group:\n properties:\n'\
' description: "this is a description"\n'\ ' description: "this is a description"\n'\
' domain: nc\n'\ ' domain: nc\n'\
' name: test_group\n roles: []\n'\ ' name: test_group\n'\
' type: OS::Keystone::Group\n\n\n'\ ' type: OS::Keystone::Group\n\n\n'\
'outputs:\n'\ 'outputs:\n'\
' test_group:\n'\ ' test_group_id:\n'\
' value: {get_resource: test_group}\n' ' value: {get_resource: test_group}\n'
region = {'name': 'regionname', region = {'name': 'regionname',

5
ranger-tempest-plugin/ranger_tempest_plugin/config.py
View File

@ -68,5 +68,8 @@ OrmGroup = [
help='Token Authentication enabled/disabled'), help='Token Authentication enabled/disabled'),
cfg.ListOpt("flavor_series", cfg.ListOpt("flavor_series",
default=['xx'], default=['xx'],
help="Supported flavor series") help="Supported flavor series"),
cfg.StrOpt("domain",
default='Default',
help="Domain used for Ranger tempest testing")
] ]

39
ranger-tempest-plugin/ranger_tempest_plugin/schemas/group_schema.py
View File

@ -13,6 +13,10 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License # under the License
_delete = {
'status_code': [204]
}
_status = { _status = {
'type': 'string', 'type': 'string',
'enum': ['Success', 'no regions', 'Error', 'Pending', 'Submitted'] 'enum': ['Success', 'no regions', 'Error', 'Pending', 'Submitted']
@ -106,8 +110,37 @@ list_groups = {
} }
} }
delete_group = { delete_group = _delete
'status_code': [204] delete_groups_region = _delete
_roles = {
'type': 'object',
'properties': {
'roles': {
'type': 'array',
'items': {'type': 'string'}
},
'project': {'type': 'string'},
'domain_name': {'type': 'string'}
},
'required': ['roles']
} }
delete_region_from_group = delete_group assign_group_roles = {
'status_code': [200],
'response_body': {
'type': 'object',
'properties': {
'transaction_id': {'type': 'string'},
'roles': {
'type': 'array',
'items': _roles
},
'links': _links,
'created': {'type': 'string', 'format': 'date-time'}
},
'required': ['transaction_id', 'roles', 'links', 'created']
}
}
unassign_group_roles = _delete

20
ranger-tempest-plugin/ranger_tempest_plugin/services/grp_client.py
View File

@ -45,12 +45,28 @@ class GrpClient(base_client.RangerClientBase):
uri += '?' + urllib.urlencode(filter) uri += '?' + urllib.urlencode(filter)
return self.get_request(uri, schema.list_groups) return self.get_request(uri, schema.list_groups)
def delete_region_from_group(self, group_id, region_id): def delete_groups_region(self, group_id, region_id):
uri = '%s/%s/orm/groups/%s/regions/%s' % ( uri = '%s/%s/orm/groups/%s/regions/%s' % (
self.cms_url, self.version, group_id, region_id) self.cms_url, self.version, group_id, region_id)
return self.delete_request(uri, schema.delete_region_from_group) return self.delete_request(uri, schema.delete_groups_region)
def delete_group(self, group_id): def delete_group(self, group_id):
uri = '%s/%s/orm/groups/%s' \ uri = '%s/%s/orm/groups/%s' \
% (self.cms_url, self.version, group_id) % (self.cms_url, self.version, group_id)
return self.delete_request(uri, schema.delete_group) return self.delete_request(uri, schema.delete_group)
def assign_group_roles(self, group_id, *args):
uri = '%s/%s/orm/groups/%s/roles' % (
self.cms_url, self.version, group_id)
post_body = json.dumps(args)
return self.post_request(uri, post_body, schema.assign_group_roles)
def unassign_group_roles(
self, group_id, role, assignmenet_type, assignment_value):
uri = '%s/%s/orm/groups/%s/roles/%s/%s/%s' % (self.cms_url,
self.version,
group_id,
role,
assignmenet_type,
assignment_value)
return self.delete_request(uri, schema.unassign_group_roles)

31
ranger-tempest-plugin/ranger_tempest_plugin/tests/api/grp_base.py
View File

@ -16,7 +16,7 @@
import time import time
from oslo_log import log as logging from oslo_log import log as logging
from ranger_tempest_plugin.tests.api import base from ranger_tempest_plugin.tests.api.cms_base import CmsBaseOrmTest
from tempest.common.utils import data_utils from tempest.common.utils import data_utils
from tempest import config from tempest import config
from tempest.lib import exceptions from tempest.lib import exceptions
@ -25,24 +25,23 @@ CONF = config.CONF
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
class GrpBaseOrmTest(base.BaseOrmTest): class GrpBaseOrmTest(CmsBaseOrmTest):
credentials = ['admin', 'primary', 'alt'] credentials = ['admin', 'primary', 'alt']
@classmethod @classmethod
def setup_clients(cls): def setup_clients(cls):
super(GrpBaseOrmTest, cls).setup_clients() super(GrpBaseOrmTest, cls).setup_clients()
cls.client = cls.os_primary.grp_client cls.grp_client = cls.os_primary.grp_client
@classmethod @classmethod
def _get_group_params(cls, enabled=True): def _get_group_params(cls, enabled=True):
region, payload = {}, {} region, payload = {}, {}
grp_name = data_utils.rand_name('ormTempestGrp') grp_name = data_utils.rand_name('ormTempestGrp')
domain_name = CONF.auth.admin_domain_name
region['name'] = CONF.identity.region region['name'] = CONF.identity.region
region['type'] = 'single' region['type'] = 'single'
regions = [region] regions = [region]
payload["description"] = grp_name payload["description"] = grp_name
payload["domain_name"] = domain_name payload["domain_name"] = CONF.ranger.domain
payload["enabled"] = True if enabled else False payload["enabled"] = True if enabled else False
payload["name"] = grp_name payload["name"] = grp_name
payload["regions"] = regions payload["regions"] = regions
@ -76,9 +75,9 @@ class GrpBaseOrmTest(base.BaseOrmTest):
- domain_name - domain_name
- regions - regions
""" """
_, body = self.client.create_group(**kwargs) _, body = self.grp_client.create_group(**kwargs)
group_id = body["group"]["id"] group_id = body["group"]["id"]
_, group = self.client.get_group(group_id) _, group = self.grp_client.get_group(group_id)
if group["name"] == kwargs["name"]: if group["name"] == kwargs["name"]:
if group["regions"] == []: if group["regions"] == []:
group_status = "no regions" group_status = "no regions"
@ -93,11 +92,11 @@ class GrpBaseOrmTest(base.BaseOrmTest):
@classmethod @classmethod
def _wait_for_group_status(cls, group_id, status): def _wait_for_group_status(cls, group_id, status):
group_status = cls.client.get_group(group_id)[1]["status"] group_status = cls.grp_client.get_group(group_id)[1]["status"]
start = int(time.time()) start = int(time.time())
while group_status != status: while group_status != status:
time.sleep(cls.build_interval) time.sleep(cls.build_interval)
group_status = cls.client.get_group(group_id)[1]["status"] group_status = cls.grp_client.get_group(group_id)[1]["status"]
if group_status == 'Error': if group_status == 'Error':
message = ('group %s failed to reach %s status' message = ('group %s failed to reach %s status'
' and is in ERROR status on orm' % ' and is in ERROR status on orm' %
@ -114,13 +113,13 @@ class GrpBaseOrmTest(base.BaseOrmTest):
@classmethod @classmethod
def _del_group_validate_deletion_on_dcp_and_lcp(cls, group_id): def _del_group_validate_deletion_on_dcp_and_lcp(cls, group_id):
_, group = cls.client.get_group(group_id) _, group = cls.grp_client.get_group(group_id)
regions_on_group = [region for region in group["regions"]] regions_on_group = [region for region in group["regions"]]
if regions_on_group: if regions_on_group:
region_name_on_group = regions_on_group[0]["name"] region_name_on_group = regions_on_group[0]["name"]
cls._delete_region_from_group_and_validate_deletion( cls._delete_region_from_group_and_validate_deletion(
group_id, region_name_on_group) group_id, region_name_on_group)
cls.client.delete_group(group_id) cls.grp_client.delete_group(group_id)
cls._wait_for_group_deletion_on_dcp(group_id) cls._wait_for_group_deletion_on_dcp(group_id)
cls._validate_group_deletion_on_lcp(group_id) cls._validate_group_deletion_on_lcp(group_id)
@ -129,9 +128,9 @@ class GrpBaseOrmTest(base.BaseOrmTest):
cls, group_id, rname): cls, group_id, rname):
_, region = cls.os_admin.rms_client.get_region(rname) _, region = cls.os_admin.rms_client.get_region(rname)
region_id = region["id"] region_id = region["id"]
cls.client.delete_region_from_group(group_id, region_id) cls.grp_client.delete_groups_region(group_id, region_id)
cls._wait_for_group_status(group_id, "no regions") cls._wait_for_group_status(group_id, "no regions")
_, body = cls.client.get_group(group_id) _, body = cls.grp_client.get_group(group_id)
regions_on_group = [rgn for rgn in body["regions"]] regions_on_group = [rgn for rgn in body["regions"]]
if regions_on_group: if regions_on_group:
message = "Region %s failed to get deleted from group %s " % ( message = "Region %s failed to get deleted from group %s " % (
@ -140,14 +139,14 @@ class GrpBaseOrmTest(base.BaseOrmTest):
@classmethod @classmethod
def _wait_for_group_deletion_on_dcp(cls, group_id): def _wait_for_group_deletion_on_dcp(cls, group_id):
_, body = cls.client.list_groups() _, body = cls.grp_client.list_groups()
group_list = body["groups"] group_list = body["groups"]
group_ids = [group["id"] for group in group_list group_ids = [group["id"] for group in group_list
if group["id"] == group_id] if group["id"] == group_id]
start = int(time.time()) start = int(time.time())
while group_ids: while group_ids:
time.sleep(cls.build_interval) time.sleep(cls.build_interval)
_, body = cls.client.list_groups()["groups"] _, body = cls.grp_client.list_groups()["groups"]
group_list = body["groups"] group_list = body["groups"]
group_ids = [group["id"] for group in group_list group_ids = [group["id"] for group in group_list
if group["id"] == group_id] if group["id"] == group_id]
@ -167,7 +166,7 @@ class GrpBaseOrmTest(base.BaseOrmTest):
@classmethod @classmethod
def _validate_group_deletion_on_lcp(cls, group_id): def _validate_group_deletion_on_lcp(cls, group_id):
_, body = cls.client.list_groups() _, body = cls.grp_client.list_groups()
group_ids = [group["id"] for group in body["groups"] group_ids = [group["id"] for group in body["groups"]
if group["id"] == group_id] if group["id"] == group_id]
if group_ids: if group_ids:

77
ranger-tempest-plugin/ranger_tempest_plugin/tests/api/test_groups.py
View File

@ -27,6 +27,11 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
@classmethod @classmethod
def resource_setup(cls): def resource_setup(cls):
cls.setup_customer_params = cls._get_customer_params()
cls.setup_customer_id = \
cls._create_cust_validate_creation_on_dcp_and_lcp(
**cls.setup_customer_params)
cls.setup_group = cls._get_group_params() cls.setup_group = cls._get_group_params()
cls.setup_group_id = \ cls.setup_group_id = \
cls._create_grp_validate_creation_on_dcp_and_lcp( cls._create_grp_validate_creation_on_dcp_and_lcp(
@ -36,6 +41,10 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
@classmethod @classmethod
def resource_cleanup(cls): def resource_cleanup(cls):
cls._del_group_validate_deletion_on_dcp_and_lcp(cls.setup_group_id) cls._del_group_validate_deletion_on_dcp_and_lcp(cls.setup_group_id)
cls._del_cust_validate_deletion_on_dcp_and_lcp(
cls.setup_customer_id)
super(TestTempestGrp, cls).resource_cleanup() super(TestTempestGrp, cls).resource_cleanup()
@decorators.idempotent_id('deeb3b8a-fb38-46e1-97ba-c878b0ba890f') @decorators.idempotent_id('deeb3b8a-fb38-46e1-97ba-c878b0ba890f')
@ -48,7 +57,7 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
# execute get_group using group id and group name # execute get_group using group id and group name
for identifier in [self.setup_group_id, for identifier in [self.setup_group_id,
self.setup_group['name']]: self.setup_group['name']]:
_, body = self.client.get_group(identifier) _, body = self.grp_client.get_group(identifier)
self.assertIn(self.setup_group_id, body['uuid']) self.assertIn(self.setup_group_id, body['uuid'])
@decorators.idempotent_id('8068e33f-a6aa-416a-9505-048c6ad037b2') @decorators.idempotent_id('8068e33f-a6aa-416a-9505-048c6ad037b2')
@ -75,7 +84,7 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
# execute list_groups with the available filters # execute list_groups with the available filters
for list_filter in [no_filter, region_filter, contains_filter, for list_filter in [no_filter, region_filter, contains_filter,
startswith_filter]: startswith_filter]:
_, body = self.client.list_groups(list_filter) _, body = self.grp_client.list_groups(list_filter)
groups = [grp['id'] for grp in body['groups']] groups = [grp['id'] for grp in body['groups']]
self.assertIn(self.setup_group_id, groups) self.assertIn(self.setup_group_id, groups)
@ -88,24 +97,24 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
**post_body) **post_body)
self.addCleanup(self._del_group_validate_deletion_on_dcp_and_lcp, self.addCleanup(self._del_group_validate_deletion_on_dcp_and_lcp,
test_group_id) test_group_id)
_, group = self.client.get_group(test_group_id) _, group = self.grp_client.get_group(test_group_id)
self.assertTrue(group["regions"]) self.assertTrue(group["regions"])
_, body = self.client.delete_region_from_group(test_group_id, _, body = self.grp_client.delete_groups_region(test_group_id,
region_name) region_name)
self._wait_for_group_status(test_group_id, 'no regions') self._wait_for_group_status(test_group_id, 'no regions')
_, group = self.client.get_group(test_group_id) _, group = self.grp_client.get_group(test_group_id)
self.assertFalse(group["regions"]) self.assertFalse(group["regions"])
@decorators.idempotent_id('bba25028-d962-47df-9566-557eec48f22d') @decorators.idempotent_id('bba25028-d962-47df-9566-557eec48f22d')
def test_create_group(self): def test_create_group(self):
post_body = self._get_group_params() post_body = self._get_group_params()
test_group_name = post_body['name'] test_group_name = post_body['name']
_, body = self.client.create_group(**post_body) _, body = self.grp_client.create_group(**post_body)
test_group_id = body['group']['id'] test_group_id = body['group']['id']
self.addCleanup(self._del_group_validate_deletion_on_dcp_and_lcp, self.addCleanup(self._del_group_validate_deletion_on_dcp_and_lcp,
test_group_id) test_group_id)
self._wait_for_group_status(test_group_id, 'Success') self._wait_for_group_status(test_group_id, 'Success')
_, body = self.client.get_group(test_group_name) _, body = self.grp_client.get_group(test_group_name)
self.assertIn(test_group_id, body['uuid']) self.assertIn(test_group_id, body['uuid'])
@decorators.idempotent_id('356633f0-c615-4bdc-8f0f-d97b6ca409e0') @decorators.idempotent_id('356633f0-c615-4bdc-8f0f-d97b6ca409e0')
@ -117,5 +126,57 @@ class TestTempestGrp(grp_base.GrpBaseOrmTest):
# delete the data and do get_group to ensure 404-NotFound response # delete the data and do get_group to ensure 404-NotFound response
self._del_group_validate_deletion_on_dcp_and_lcp(test_group_id) self._del_group_validate_deletion_on_dcp_and_lcp(test_group_id)
self.assertRaises(exceptions.NotFound, self.client.get_group, self.assertRaises(exceptions.NotFound, self.grp_client.get_group,
test_group_id) test_group_id)
@decorators.idempotent_id('afe5c72f-499b-493f-b61b-68bbaca12b7a')
def test_assign_unassign_role_to_group_on_domain(self):
role = {
'roles': ["admin"],
'domain_name': CONF.ranger.domain
}
post_body = [role]
_, body = self.grp_client.assign_group_roles(self.setup_group_id,
*post_body)
self._wait_for_group_status(self.setup_group_id, 'Success')
self.assertEqual(body['roles'][0]['domain_name'], role['domain_name'])
self.assertEqual(body['roles'][0]['roles'][0], role['roles'][0])
_, body = self.grp_client.unassign_group_roles(self.setup_group_id,
role['roles'][0],
'domain',
role['domain_name'])
self._wait_for_group_status(self.setup_group_id, 'Success')
# Once the get groups role function is implemented, it will be
# added here to retreive the role and call assert to verfify that
# the role has indeed been unassigned.
self.assertEqual(body, '')
@decorators.idempotent_id('67f5e46e-9267-4cbb-84d6-ee8521370e23')
def test_assign_unassign_role_to_group_on_project(self):
role = {
'roles': ["admin"],
'project': self.setup_customer_id
}
post_body = [role]
_, body = self.grp_client.assign_group_roles(self.setup_group_id,
*post_body)
self._wait_for_group_status(self.setup_group_id, 'Success')
self.assertEqual(body['roles'][0]['project'], role['project'])
self.assertEqual(body['roles'][0]['roles'][0], role['roles'][0])
_, body = self.grp_client.unassign_group_roles(self.setup_group_id,
role['roles'][0],
'customer',
role['project'])
self._wait_for_group_status(self.setup_group_id, 'Success')
# Once the get groups role function is implemented, it will be
# added here to retreive the role and call assert to verfify that
# the role has indeed been unassigned.
self.assertEqual(body, '')

2
ranger-tempest-plugin/tempest_setup/tempest.conf
View File

@ -127,3 +127,5 @@ multi_backend = false
catalog_type = ranger catalog_type = ranger
### uncomment flavor_series and set it accordingly ### uncomment flavor_series and set it accordingly
# flavor_series = # flavor_series =
# uncomment domain and set it accordingly
# domain =