From 072cf69cc17b47de72633b6ceedf97bb1afc728b Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Fri, 12 Jun 2015 14:10:11 +0200 Subject: [PATCH] Extract module for keystone domain management --- .../extras/cloud/openstack/os_keystone.py | 577 ------------------ .../cloud/openstack/os_keystone_domain.py | 123 ++++ 2 files changed, 123 insertions(+), 577 deletions(-) delete mode 100644 lib/ansible/modules/extras/cloud/openstack/os_keystone.py create mode 100644 lib/ansible/modules/extras/cloud/openstack/os_keystone_domain.py diff --git a/lib/ansible/modules/extras/cloud/openstack/os_keystone.py b/lib/ansible/modules/extras/cloud/openstack/os_keystone.py deleted file mode 100644 index f2455bb0e1..0000000000 --- a/lib/ansible/modules/extras/cloud/openstack/os_keystone.py +++ /dev/null @@ -1,577 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- -from __builtin__ import False - -DOCUMENTATION = ''' ---- -module: keystone_v3 -version_added: "1.0" -short_description: Manage OpenStack Identity (keystone v3) users, tenants and roles -description: - - Manage users,tenants, roles from OpenStack. -requirements: [ python-keystoneclient ] -author: Haneef Ali -''' - -EXAMPLES = ''' -# Create a project -- keystone_v3: action="create_project" project_name=demo - description="Default Tenant" project_domain_name="Default" - -# Create a user -- keystone_v3: action="create_user" user_name=demo - description="Default User" user_domain_name="Default" - -# Create a domain -- keystone_v3: action="create_domain" domain_name=demo - description="Default User" - -# Grant admin role to the john user in the demo tenant -- keystone_v3: action="grant_project_role" project__name=demo - role_name=admin user_name=john user_domain_name=Default - project_domain_name=Default -''' - - -from keystoneclient.v3 import client as v3client -from keystoneclient.auth.identity import v3 -from keystoneclient.auth import token_endpoint -from keystoneclient import session - - -def _get_client(auth_url=None, token=None, login_username=None, login_password=None, login_project_name=None, - login_project_domain_name=None, login_user_domain_name=None, login_domain_name=None, - insecure=True, ca_cert=None): - """Return a ks_client client object""" - - auth_plugin = None - if token: - auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token) - else: - auth_plugin = v3.Password(auth_url=auth_url, username=login_username, password=login_password, - project_name=login_project_name, project_domain_name=login_project_domain_name, - user_domain_name=login_user_domain_name, domain_name=login_domain_name) - - # Force validation if ca_cert is provided - if ca_cert: - insecure = False - auth_session = session.Session( - auth=auth_plugin, verify=insecure, cert=ca_cert) - return v3client.Client(auth_url=auth_url, session=auth_session) - - -def _find_domain(ks_client, domain_name=None): - domains = ks_client.domains.list(name=domain_name) - return domains[0] if len(domains) else None - - -def _delete_domain(ks_client, domain=None): - - ks_client.domains.update(domain, enabled=False) - return ks_client.domains.delete(domain) - - -def _create_domain(ks_client, domain_name=None, description=None): - return ks_client.domains.create(name=domain_name, description=description) - - -def _find_user(ks_client, domain_name=None, user_name=None): - domain = _find_domain(ks_client, domain_name=domain_name) - - if domain: - users = ks_client.users.list(domain=domain, name=user_name) - if len(users): - return users[0] - - -def _create_user(ks_client, user_name=None, user_password=None, domain_name=None, - email=None, description=None): - - domain = _find_domain(ks_client, domain_name) - return ks_client.users.create(name=user_name, password=user_password, - description=description, - email=email, domain=domain) - - -def _delete_user(ks_client, user=None): - ks_client.users.update(user=user, enabled=False) - ks_client.users.delete(user=user) - - -def _find_project(ks_client, domain_name=None, project_name=None): - domain = _find_domain(ks_client, domain_name=domain_name) - - if domain: - projects = ks_client.projects.list(domain=domain, name=project_name) - if len(projects): - return projects[0] - - -def _create_project(ks_client, project_name=None, domain_name=None, - description=None): - - domain = _find_domain(ks_client, domain_name) - return ks_client.projects.create(name=project_name, - description=description, - domain=domain) - - -def _delete_project(ks_client, project=None): - ks_client.projects.update(project=project, enabled=False) - ks_client.projects.delete(project=project) - - -def _find_role(ks_client, role_name=None): - roles = ks_client.roles.list(name=role_name) - return roles[0] if len(roles) else None - - -def _delete_role(ks_client, role=None): - return ks_client.roles.delete(role) - - -def _create_role(ks_client, role_name=None, description=None): - return ks_client.roles.create(name=role_name, description=description) - - -def _grant_roles(ks_client, role=None, project=None, user=None, domain=None): - return ks_client.roles.grant(role=role, project=project, user=user, domain=domain) - - -def _revoke_roles(ks_client, role=None, project=None, user=None, domain=None): - return ks_client.roles.revoke(role=role, project=project, user=user, domain=domain) - -def _find_service(ks_client, service_name=None, service_type=None): - services = ks_client.services.list(name=service_name, - type=service_type) - return services[0] if len(services) else None - -def _create_service(ks_client, service_name=None, service_type=None, - description=None): - return ks_client.services.create(name=service_name, type=service_type, - description=description) - -def _delete_service(ks_client, service_name=None): - return ks_client.services.delete(name=service_name) - -def _find_endpoint(ks_client, service=None, interface=None): - - endpoints = ks_client.endpoints.list(service=service, interface=interface) - return endpoints[0] if len(endpoints) else None - -def _create_endpoint(ks_client, service=None, url=None, - interface=None, region=None): - return ks_client.endpoints.create(service=service, url=url, - interface=interface, region=region) - -def find_domain(ks_client, domain_name=None): - domain = _find_domain(ks_client, domain_name=domain_name) - result, domain = (True, domain) if (domain) else (False, None) - return result, domain - - -def create_domain(ks_client, domain_name=None, description=None): - - domain = _find_domain(ks_client, domain_name=domain_name) - - if domain: - return (False, domain) - - # Domain with that name doesn't exist - domain = _create_domain( - ks_client, domain_name=domain_name, description=description) - return (True, domain) - - -def delete_domain(ks_client, domain_name=None): - - domain = _find_domain(ks_client, domain_name=domain_name) - - if domain: - _delete_domain(ks_client, domain=domain) - return (True, domain) - - # Domain with that name doesn't exist - return (False, None) - - -def find_user(ks_client, user_name=None, domain_name=None): - user = _find_user(ks_client, domain_name=domain_name, user_name=user_name) - result, user = (True, user) if user else (False, None) - return result, user - - -def create_user(ks_client, user_name=None, user_password=None, domain_name=None, - email=None, description=None): - - user = _find_user(ks_client, user_name=user_name, domain_name=domain_name) - - if user: - return (False, user) - - # User with that name doesn't exist - user = _create_user(ks_client, user_name=user_name, - user_password=user_password, domain_name=domain_name, - email=email, description=description) - return (True, user) - - -def delete_user(ks_client, user_name=None, domain_name=None): - - user = _find_user(ks_client, domain_name=domain_name, user_name=user_name) - - if user: - _delete_user(ks_client, user=user) - return (True, user) - - # User with that name doesn't exist - return (False, None) - - -def find_project(ks_client, project_name=None, domain_name=None): - project = _find_project( - ks_client, domain_name=domain_name, project_name=project_name) - result, project = (True, project) if project else (False, None) - return result, project - - -def create_project(ks_client, project_name=None, domain_name=None, - description=None): - - project = _find_project( - ks_client, project_name=project_name, domain_name=domain_name) - - if project: - return (False, project) - - # Project with that name doesn't exist - project = _create_project(ks_client, project_name=project_name, - domain_name=domain_name, description=description) - return (True, project) - - -def delete_project(ks_client, project_name=None, domain_name=None): - - project = _find_project( - ks_client, domain_name=domain_name, project_name=project_name) - - if project: - _delete_project(ks_client, project=project) - return (True, project) - - # Project with that name doesn't exist - return (False, None) - - -def find_role(ks_client, role_name=None): - role = _find_role(ks_client, role_name=role_name) - result, role = (True, role) if (role) else (False, None) - return result, role - - -def create_role(ks_client, role_name=None, description=None): - - role = _find_role(ks_client, role_name=role_name) - - if role: - return (False, role) - - # role with that name doesn't exist - role = _create_role( - ks_client, role_name=role_name, description=description) - return (True, role) - - -def delete_role(ks_client, role_name=None): - - role = _find_role(ks_client, role_name=role_name) - - if role: - _delete_role(ks_client, role=role) - return (True, role) - - # role with that name doesn't exist - return (False, None) - - -def _grant_or_revoke_project_role(ks_client, role_name=None, user_name=None, project_name=None, - user_domain_name=None, project_domain_name=None, grant=True): - - role = _find_role(ks_client, role_name=role_name) - user = _find_user( - ks_client, user_name=user_name, domain_name=user_domain_name) - project = _find_project( - ks_client, project_name=project_name, domain_name=project_domain_name) - - if (user and role and project): - if (grant): - _grant_roles(ks_client, role=role, project=project, user=user) - else: - _revoke_roles(ks_client, role=role, project=project, user=user) - return (True, "OK") - - return (False, "Not able to find user/role/project with the given inputs") - - -def _grant_or_revoke_domain_role(ks_client, role_name=None, user_name=None, - user_domain_name=None, domain_name=None, grant=True): - - role = _find_role(ks_client, role_name=role_name) - user = _find_user( - ks_client, user_name=user_name, domain_name=user_domain_name) - domain = _find_domain(ks_client, domain_name=domain_name) - - if (user and role and domain): - if (grant): - _grant_roles(ks_client, role=role, domain=domain, user=user) - else: - _revoke_roles(ks_client, role=role, domain=domain, user=user) - return (True, "OK") - - return (False, "Not able to find user/role/domain with the given inputs") - - -def grant_project_role(ks_client, role_name=None, user_name=None, project_name=None, - user_domain_name=None, project_domain_name=None): - - return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name, - project_name=project_name, user_domain_name=user_domain_name, - project_domain_name=project_domain_name, grant=True) - - -def revoke_project_role(ks_client, role_name=None, user_name=None, project_name=None, - user_domain_name=None, project_domain_name=None): - - return _grant_or_revoke_project_role(ks_client, role_name=role_name, user_name=user_name, - project_name=project_name, user_domain_name=user_domain_name, - project_domain_name=project_domain_name, grant=False) - - -def grant_domain_role(ks_client, role_name=None, user_name=None, domain_name=None, - user_domain_name=None): - - return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name, - user_domain_name=user_domain_name, - domain_name=domain_name, grant=True) - - -def revoke_domain_role(ks_client, role_name=None, user_name=None, domain_name=None, - user_domain_name=None): - return _grant_or_revoke_domain_role(ks_client, role_name=role_name, user_name=user_name, - user_domain_name=user_domain_name, - domain_name=domain_name, grant=False) - -def create_service(ks_client, service_name=None, service_type=None, - description=None): - - service = _find_service(ks_client, service_name=service_name, - service_type=service_type) - - if service: - return (False, service) - - # Service with that name doesn't exist - service = _create_service( - ks_client, service_name=service_name, service_type=service_type, - description=description) - return (True, service) - -def create_endpoint(ks_client, service_name=None, region=None, - admin_url=None, internal_url=None, - public_url=None): - - service = _find_service(ks_client, service_name=service_name) - - if not service: - raise Exception("Service with the name=%s doesn't exist" %(service_name)) - - # Here we are checking only public endpoint, that should be fine - endpoint = _find_endpoint(ks_client, service=service, interface="public") - if endpoint: - return (False, endpoint) - - public_endpoint = _create_endpoint( - ks_client, service=service, interface="public", region=region, - url=public_url) - internal_endpoint = _create_endpoint( - ks_client, service=service, interface="internal", region=region, - url=internal_url) - public_endpint = _create_endpoint( - ks_client, service=service, interface="admin", region=region, - url=admin_url) - - return (True, public_endpint) - -def process_params(module): - - user_name = module.params.get("user_name", None) - user_password = module.params.get("user_password", None) - email = module.params.get("email", None) - description = module.params.get("description", None) - user_domain_name = module.params.get("user_domain_name", None) - - domain_name = module.params.get("domain_name", None) - - project_name = module.params.get("project_name", None) - project_domain_name = module.params.get("project_domain_name", None) - - role_name = module.params.get("role_name", None) - - service_name = module.params.get("service_name", None) - service_type = module.params.get("service_type", None) - region = module.params.get("region", None) - admin_url = module.params.get("admin_url", None) - internal_url = module.params.get("internal_url", None) - public_url = module.params.get("public_url", None) - - action = module.params["action"] - - if (action == "find_domain" or action == "delete_domain"): - kwargs = dict(domain_name=domain_name) - elif (action == "create_domain"): - kwargs = dict(domain_name=domain_name, description=description) - elif (action == "find_user" or action == "delete_user"): - kwargs = dict(domain_name=user_domain_name, user_name=user_name) - elif (action == "create_user"): - kwargs = dict(domain_name=user_domain_name, description=description, user_name=user_name, - email=email, user_password=user_password) - elif (action == "find_project" or action == "delete_project"): - kwargs = dict( - domain_name=project_domain_name, project_name=project_name) - elif (action == "create_project"): - kwargs = dict(domain_name=project_domain_name, description=description, - project_name=project_name) - elif (action == "find_role" or action == "delete_role"): - kwargs = dict(role_name=role_name) - elif (action == "create_role"): - kwargs = dict(role_name=role_name, description=description) - elif (action == "grant_project_role" or action == "revoke_project_role"): - kwargs = dict(role_name=role_name, user_name=user_name, - user_domain_name=user_domain_name, project_name=project_name, - project_domain_name=project_domain_name) - elif (action == "grant_domain_role" or action == "revoke_domain_role"): - kwargs = dict(role_name=role_name, user_name=user_name, - user_domain_name=user_domain_name, - domain_name=domain_name) - elif (action == "create_service"): - kwargs = dict(service_name=service_name, service_type=service_type, - description=description) - elif (action == "create_endpoint"): - kwargs = dict(service_name=service_name, region=region, - admin_url=admin_url, internal_url=internal_url, - public_url=public_url) - - return kwargs - -dispatch_map = { - "find_domain": find_domain, - "delete_domain": delete_domain, - "create_domain": create_domain, - - "find_user": find_user, - "delete_user": delete_user, - "create_user": create_user, - - "find_project": find_project, - "delete_project": delete_project, - "create_project": create_project, - - "find_role": find_role, - "delete_role": delete_role, - "create_role": create_role, - - "grant_project_role": grant_project_role, - "revoke_project_role": revoke_project_role, - "grant_domain_role": grant_domain_role, - "revoke_domain_role": revoke_domain_role, - - "create_service": create_service, - "create_endpoint": create_endpoint, - -} - - -def get_client(module): - - login_username = module.params.get("login_username") - login_project_name = module.params.get("login_project_name") - login_user_domain_name = module.params.get("login_user_domain_name") - login_project_domain_name = module.params.get("login_project_domain_name") - login_password = module.params.get("login_password") - auth_url = module.params.get("endpoint") - token = module.params.get("login_token") - - ks_client = _get_client(login_username=login_username, - login_project_name=login_project_name, - login_user_domain_name=login_user_domain_name, - login_project_domain_name=login_project_domain_name, - login_password=login_password, - auth_url=auth_url, - token=token) - - return ks_client - - -def process_module_action(module): - - ks_client = get_client(module) - - action = module.params["action"] - kwargs = process_params(module) - - try: - result = dispatch_map[action](ks_client, **kwargs) - except Exception as e: - module.fail_json(msg="%s, failed" % e) - else: - status, resource_data = result - data = dict(changed=status, result=str(resource_data)) - module.exit_json(**data) - - -def main(): - - supported_actions = dispatch_map.keys() - - argument_spec = dict( - login_username=dict(default=None), - login_password=dict(default=None), - login_project_name=dict(default=None), - login_project_domain_name=dict(default=None), - login_user_domain_name=dict(default=None), - login_domain_name=dict(default=None), - login_token=dict(default=None), - - endpoint=dict(default=None), - description=dict(default="Created by Ansible keystone_v3"), - email=dict(default=None), - user_name=dict(default=None), - user_password=dict(default=None), - user_domain_name=dict(default=None), - project_name=dict(default=None), - project_domain_name=dict(default=None), - domain_name=dict(default=None), - role_name=dict(default=None), - - service_name=dict(default=None), - service_type=dict(default=None), - - region=dict(default=None), - admin_url=dict(default=None), - public_url=dict(default=None), - internal_url=dict(default=None), - - action=dict(default=None, required=True, choices=supported_actions) - - ) - - module = AnsibleModule( - argument_spec=argument_spec, supports_check_mode=False) - process_module_action(module) - -from ansible.module_utils.basic import * -from ansible.module_utils.database import * - - -if __name__ == '__main__': - main() diff --git a/lib/ansible/modules/extras/cloud/openstack/os_keystone_domain.py b/lib/ansible/modules/extras/cloud/openstack/os_keystone_domain.py new file mode 100644 index 0000000000..cbb992eff5 --- /dev/null +++ b/lib/ansible/modules/extras/cloud/openstack/os_keystone_domain.py @@ -0,0 +1,123 @@ +#!/usr/bin/python +# Copyright (c) 2015 Hewlett-Packard Development Company, L.P. +# +# This module is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software. If not, see . + + +try: + import shade + from shade import meta + HAS_SHADE = True +except ImportError: + HAS_SHADE = False + +DOCUMENTATION = ''' +--- +module: os_keystone_domain +short_description: Manage OpenStack Identity Domains +extends_documentation_fragment: openstack +version_added: "2.1" +description: + - Manage OpenStack Identity Domains +options: + name: + description: + - Name that has to be given to the instance + required: true + description: + description: + - Description of the domain + required: false + default: None + enabled: + description: + - Is the domain enabled + required: false + default: True + state: + description: + - Should the resource be present or absent. + choices: [present, absent] + default: present +requirements: + - "python >= 2.6" + - "shade" +''' + +EXAMPLES = ''' +# Create a domain +- os_keystone_domain: name=demo description="Demo Domain" +''' + + +def main(): + + argument_spec = openstack_full_argument_spec( + name=dict(required=True), + description=dict(default=None), + enabled=dict(default=True, type='bool'), + state=dict(default='present', choices=['absent', 'present']), + # Override endpoint_type default since this is an admin function + endpoint_type=dict( + default='admin', choices=['public', 'internal', 'admin']), + )) + + module_kwargs = openstack_module_kwargs() + module = AnsibleModule(argument_spec, **module_kwargs) + + if not HAS_SHADE: + module.fail_json(msg='shade is required for this module') + + name = module.params.pop('name') + description = module.params.pop('description') + enabled = module.params.pop('enabled') + state = module.params.pop('state') + + try: + cloud = shade.operator_cloud(**module.params) + + domain = cloud.get_identity_domain(name=name) + + if state == 'present': + if domain is None: + domain = cloud.create_domain( + name=name, description=description, enabled=enabled) + changed = True + else: + if (domain.name != name or domain.description != description + or domain.enabled != enabled): + cloud.update_domain( + domain.id, name=name, description=description, + enabled=enabled) + changed = True + else: + changed = False + module.exit_json(changed=changed, domain=domain) + elif state == 'absent': + if domain is None: + changed=False + else: + cloud.delete_domain(domain.id) + changed=True + module.exit_json(changed=changed) + + except shade.OpenStackCloudException as e: + module.fail_json(msg=e.message, extra_data=e.extra_data) + +from ansible.module_utils.basic import * +from ansible.module_utils.openstack import * + + +if __name__ == '__main__': + main()