@@ -55,17 +55,22 @@ def get_parser(self, prog_name):
5555 help = _ ('Group to filter (name or ID)' ),
5656 )
5757 common .add_group_domain_option_to_parser (parser )
58- domain_or_project = parser .add_mutually_exclusive_group ()
59- domain_or_project .add_argument (
58+ system_or_domain_or_project = parser .add_mutually_exclusive_group ()
59+ system_or_domain_or_project .add_argument (
6060 '--domain' ,
6161 metavar = '<domain>' ,
6262 help = _ ('Domain to filter (name or ID)' ),
6363 )
64- domain_or_project .add_argument (
64+ system_or_domain_or_project .add_argument (
6565 '--project' ,
6666 metavar = '<project>' ,
6767 help = _ ('Project to filter (name or ID)' ),
6868 )
69+ system_or_domain_or_project .add_argument (
70+ '--system' ,
71+ metavar = '<system>' ,
72+ help = _ ('Filter based on system role assignments' ),
73+ )
6974 common .add_project_domain_option_to_parser (parser )
7075 common .add_inherited_option_to_parser (parser )
7176 parser .add_argument (
@@ -85,7 +90,8 @@ def get_parser(self, prog_name):
8590
8691 def _as_tuple (self , assignment ):
8792 return (assignment .role , assignment .user , assignment .group ,
88- assignment .project , assignment .domain , assignment .inherited )
93+ assignment .project , assignment .domain , assignment .system ,
94+ assignment .inherited )
8995
9096 def take_action (self , parsed_args ):
9197 identity_client = self .app .client_manager .identity
@@ -117,6 +123,10 @@ def take_action(self, parsed_args):
117123 auth_ref .user_id
118124 )
119125
126+ system = None
127+ if parsed_args .system :
128+ system = parsed_args .system
129+
120130 domain = None
121131 if parsed_args .domain :
122132 domain = common .find_domain (
@@ -149,14 +159,17 @@ def take_action(self, parsed_args):
149159
150160 include_names = True if parsed_args .names else False
151161 effective = True if parsed_args .effective else False
152- columns = ('Role' , 'User' , 'Group' , 'Project' , 'Domain' , 'Inherited' )
162+ columns = (
163+ 'Role' , 'User' , 'Group' , 'Project' , 'Domain' , 'System' , 'Inherited'
164+ )
153165
154166 inherited_to = 'projects' if parsed_args .inherited else None
155167 data = identity_client .role_assignments .list (
156168 domain = domain ,
157169 user = user ,
158170 group = group ,
159171 project = project ,
172+ system = system ,
160173 role = role ,
161174 effective = effective ,
162175 os_inherit_extension_inherited_to = inherited_to ,
@@ -174,14 +187,24 @@ def take_action(self, parsed_args):
174187 else :
175188 setattr (assignment , 'project' , scope ['project' ]['id' ])
176189 assignment .domain = ''
190+ assignment .system = ''
177191 elif 'domain' in scope :
178192 if include_names :
179193 setattr (assignment , 'domain' , scope ['domain' ]['name' ])
180194 else :
181195 setattr (assignment , 'domain' , scope ['domain' ]['id' ])
182196 assignment .project = ''
183-
197+ assignment .system = ''
198+ elif 'system' in scope :
199+ # NOTE(lbragstad): If, or when, keystone supports role
200+ # assignments on subsets of a system, this will have to evolve
201+ # to handle that case instead of hardcoding to the entire
202+ # system.
203+ setattr (assignment , 'system' , 'all' )
204+ assignment .domain = ''
205+ assignment .project = ''
184206 else :
207+ assignment .system = ''
185208 assignment .domain = ''
186209 assignment .project = ''
187210
0 commit comments