94a3f539e7
Users were not able to update their own password/key with the update operation resulting in 403 (HTTPForbidden). EXAMPLES: Command to update password/key of regular user: gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass Command to update password/key of account admin: gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass Command to update password/key of reseller_admin: gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass BUG: https://bugs.launchpad.net/gluster-swift/+bug/1262227 Change-Id: I604da5aee67099b29541eb7e51a040a041f1961b Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6650 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com>
108 lines
4.8 KiB
Python
Executable File
108 lines
4.8 KiB
Python
Executable File
#!/usr/bin/env python
|
|
# Copyright (c) 2010-2011 OpenStack, LLC.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import gettext
|
|
from optparse import OptionParser
|
|
from os.path import basename
|
|
from sys import argv, exit
|
|
|
|
from swift.common.bufferedhttp import http_connect_raw as http_connect
|
|
from swift.common.utils import urlparse
|
|
|
|
|
|
if __name__ == '__main__':
|
|
gettext.install('gswauth', unicode=1)
|
|
parser = OptionParser(
|
|
usage='Usage: %prog [options] <account> <user> <password>')
|
|
parser.add_option('-a', '--admin', dest='admin', action='store_true',
|
|
default=False, help='Give the user administrator access; otherwise '
|
|
'the user will only have access to containers specifically allowed '
|
|
'with ACLs.')
|
|
parser.add_option('-r', '--reseller-admin', dest='reseller_admin',
|
|
action='store_true', default=False, help='Give the user full reseller '
|
|
'administrator access, giving them full access to all accounts within '
|
|
'the reseller, including the ability to create new accounts. Creating '
|
|
'a new reseller admin requires super_admin rights.')
|
|
parser.add_option('-A', '--admin-url', dest='admin_url',
|
|
default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
|
|
'subsystem (default: http://127.0.0.1:8080/auth/')
|
|
parser.add_option('-U', '--admin-user', dest='admin_user',
|
|
default='.super_admin', help='The user with admin rights to add users '
|
|
'(default: .super_admin).')
|
|
parser.add_option('-K', '--admin-key', dest='admin_key',
|
|
help='The key for the user with admin rights to add users.')
|
|
args = argv[1:]
|
|
if not args:
|
|
args.append('-h')
|
|
(options, args) = parser.parse_args(args)
|
|
if len(args) != 3:
|
|
parser.parse_args(['-h'])
|
|
account, user, password = args
|
|
parsed = urlparse(options.admin_url)
|
|
if parsed.scheme not in ('http', 'https'):
|
|
raise Exception('Cannot handle protocol scheme %s for url %s' %
|
|
(parsed.scheme, repr(options.admin_url)))
|
|
parsed_path = parsed.path
|
|
if not parsed_path:
|
|
parsed_path = '/'
|
|
elif parsed_path[-1] != '/':
|
|
parsed_path += '/'
|
|
# Check if user is changing his own password. This is carried out by
|
|
# making sure that the user changing the password and the user whose
|
|
# password is being changed are the same.
|
|
# If not, ensure that the account exists before creating new user.
|
|
if not options.admin_user == (account + ':' + user):
|
|
# GET the account
|
|
path = '%sv2/%s' % (parsed_path, account)
|
|
headers = {'X-Auth-Admin-User': options.admin_user,
|
|
'X-Auth-Admin-Key': options.admin_key}
|
|
conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers,
|
|
ssl=(parsed.scheme == 'https'))
|
|
resp = conn.getresponse()
|
|
if resp.status // 100 != 2:
|
|
# If the GET operation fails, it means the account does not exist.
|
|
# Now we create the account by sending a PUT request.
|
|
headers['Content-Length'] = '0'
|
|
conn = http_connect(parsed.hostname, parsed.port, 'PUT', path,
|
|
headers, ssl=(parsed.scheme == 'https'))
|
|
resp = conn.getresponse()
|
|
if resp.status // 100 != 2:
|
|
print 'Account creation failed: %s %s' % \
|
|
(resp.status, resp.reason)
|
|
# Add the user
|
|
path = '%sv2/%s/%s' % (parsed_path, account, user)
|
|
headers = {'X-Auth-Admin-User': options.admin_user,
|
|
'X-Auth-Admin-Key': options.admin_key,
|
|
'X-Auth-User-Key': password,
|
|
'Content-Length': '0'}
|
|
if options.admin:
|
|
headers['X-Auth-User-Admin'] = 'true'
|
|
if options.reseller_admin:
|
|
headers['X-Auth-User-Reseller-Admin'] = 'true'
|
|
conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
|
|
ssl=(parsed.scheme == 'https'))
|
|
resp = conn.getresponse()
|
|
if resp.status // 100 != 2:
|
|
if resp.status == 401:
|
|
exit('User creation failed: %s %s: Invalid user/key provided' %
|
|
(resp.status, resp.reason))
|
|
elif resp.status == 403:
|
|
exit('User creation failed: %s %s: Insufficient privileges' %
|
|
(resp.status, resp.reason))
|
|
else:
|
|
exit('User creation failed: %s %s' %
|
|
(resp.status, resp.reason))
|