A.6. Python SDK Example: Permissions
getRoles
def getRoles():
    """ Return the names of all roles reported by API.roles.list() """
    names = []
    for entry in API.roles.list():
        names.append(entry.get_name())
    return names
getRolePermissions
def getRolePermissions(roleName):
    """
    Return the names of the permits attached to a role.
    Parameters:
     * roleName - name of the role to inspect
    """
    # NOTE(review): the lookup result is used without a None check;
    # presumably an unknown role name yields None and the next call raises
    # AttributeError - confirm against the SDK.
    permits = API.roles.get(roleName).get_permits().list()
    permit_names = []
    for permit in permits:
        permit_names.append(permit.get_name())
    return permit_names
getSuperUserPermissions
def getSuperUserPermissions():
    """
    Return the permit names of the 'SuperUser' role, which this listing
    treats as the set of all possible permissions.
    """
    superuser_role = 'SuperUser'
    return getRolePermissions(superuser_role)
addRoleToUser
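def addRoleToUser(roleName, userName=config.USER_NAME, domainName=config.USER_DOMAIN):
    """
    Add a role (system permissions) to a user and verify the assignment.
    Parameters:
     * roleName - name of the role to add
     * userName - name of the user who receives the role
     * domainName - domain of the user
    Returns None. Nothing is added when the user cannot be found.
    Raises AssertionError when the role is not on the user afterwards.
    """
    LOGGER.info("Adding role '%s' to user '%s'", roleName, userName)
    user = getUser(userName, domainName)
    if user is None:
        # The caller gets no other signal that the grant did not happen.
        LOGGER.warning("User '%s' not found, role '%s' was not added",
                       userName, roleName)
        return
    user.roles.add(API.roles.get(roleName))
    # Explicit raise instead of `assert`: asserts are stripped under
    # `python -O`, which would silently drop this verification.
    if user.roles.get(roleName) is None:
        raise AssertionError("Unable to add role '%s' to user '%s'"
                             % (roleName, userName))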
removeAllRolesFromUser
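def removeAllRolesFromUser(userName=config.USER_NAME, domainName=config.USER_DOMAIN):
    """
    Remove every role from a user and verify that none is left.
    Parameters:
     * userName - name of user
     * domainName - domain of user
    Returns None. Nothing is removed when the user cannot be found.
    Raises AssertionError when the user still has roles afterwards.
    """
    LOGGER.info("Removing all roles from user %s", userName)
    user = getUser(userName, domainName)
    if user is None:
        # Make the no-op visible in the log instead of returning silently.
        LOGGER.warning("User '%s' not found, no roles were removed", userName)
        return
    for role in user.roles.list():
        LOGGER.info("Removing %s", role.get_name())
        role.delete()
    # Explicit raise instead of `assert`: asserts are stripped under
    # `python -O`, which would skip the check that the roles are gone.
    if len(user.roles.list()) != 0:
        raise AssertionError("Unable to remove roles from user '%s'"
                             % user.get_name())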
removeRoleFromUser
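def removeRoleFromUser(roleName, userName=config.USER_NAME, domainName=config.USER_DOMAIN):
    """
    Remove a role (system permissions) from a user and verify the removal.
    Parameters:
     * roleName - name of role
     * userName - name of user
     * domainName - domain of user
    Returns None. Nothing is removed when the user cannot be found or does
    not hold the role.
    Raises AssertionError when the role is still on the user afterwards.
    """
    LOGGER.info("Removing role %s from user %s", roleName, userName)
    user = getUser(userName, domainName)
    if user is None:
        LOGGER.warning("User '%s' not found, role '%s' was not removed",
                       userName, roleName)
        return
    role = user.roles.get(roleName)
    if role is None:
        # The role is not assigned, so there is nothing to delete; calling
        # delete() on None would raise AttributeError.
        LOGGER.info("User %s does not have role %s", userName, roleName)
        return
    role.delete()
    # Explicit raise instead of `assert`: asserts are stripped under
    # `python -O`, which would skip the check that the role is gone.
    if user.roles.get(roleName) is not None:
        raise AssertionError("Unable to remove role '%s'" % roleName)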
givePermissionsToGroup
def givePermissionsToGroup(templateName, roleName='UserTemplateBasedVm', group="Everyone"):
    """
    Grant a role on a template to a group.
    Parameters:
     * templateName - name of the template the permission applies to
     * roleName - name of the role to grant
     * group - name of the group that receives the permission
    """
    # NOTE(review): the default group is "Everyone", which presumably covers
    # all users - pass a narrower group when that is not intended.
    # NOTE(review): none of the three lookups is checked for None before use.
    target_template = getObjectByName(API.templates, templateName)
    granted_role = API.roles.get(roleName)
    target_group = API.groups.get(group)
    permission = params.Permission(role=granted_role, template=target_template)
    target_group.permissions.add(permission)
    # The message is written after the add call has returned.
    LOGGER.info("Adding permissions on template '%s' role '%s' for group '%s'.",
                target_template.get_name(), roleName, group)
givePermissionToObject
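def givePermissionToObject(rhsc_object, roleName, userName=config.USER_NAME,
                           domainName=config.USER_DOMAIN, user_object=None,
                           role_object=None):
    """
    Add role permission to user on object.
    Parameters:
     * rhsc_object - object to add role permissions on
     * roleName - Role permissions to be added
     * userName - user who should be added permissions
     * domainName - domain of user
     * user_object - temporary fallback user, because of bug 869334
     * role_object - temporary fallback role, because of bug 869334
    Returns None. Nothing is added when the user lookup returns None, or
    when the object, user or role is None after the fallbacks.
    """
    # FIXME: rhsc_object can be one of:
    # [API.clusters, API.datacenters, API.disks, API.groups, API.hosts,
    # API.storagedomains, API.templates, API.vms, API.vmpools]
    try:
        user = getUser(userName, domainName)
        if user is None:
            return
    except errors.RequestError:
        # User cannot access the /users url (bug 869334). Workaround: use
        # the user object supplied by the caller.
        user = user_object
    try:
        role = API.roles.get(roleName)
    except errors.RequestError:
        # User cannot access the /roles url (bug 869334). Workaround: use
        # the role object supplied by the caller.
        role = role_object
    if rhsc_object is None or user is None or role is None:
        LOGGER.warning("Unable to add permissions on 'None' object")
        return
    permissionParam = params.Permission(user=user, role=role)
    try:
        rhsc_object.permissions.add(permissionParam)
    except AttributeError:
        # Bz 869334 - the error stays tolerated, but the log must not claim
        # a grant that did not complete. Can be removed once the bug is fixed.
        LOGGER.warning("Permission on '%s' with role '%s' for user '%s' "
                       "was not added (AttributeError)",
                       type(rhsc_object).__name__, roleName, userName)
        return
    LOGGER.info("Added permission on '%s' with role '%s' for user '%s'",
                type(rhsc_object).__name__, roleName, user.get_name())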
givePermissionToCluster
def removeAllPermissionFromCluster(clusterName):
    """
    Remove all permissions from the cluster with the given name.
    Parameters:
     * clusterName - name of the cluster to look up in API.clusters
    """
    # The lookup result is passed on unchecked to removeAllPermissionFromObject.
    target_cluster = getObjectByName(API.clusters, clusterName)
    removeAllPermissionFromObject(target_cluster)
removeAllPermissionFromObject
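def removeAllPermissionFromObject(rhsc_object):
    """
    Removes all permissions from object
    Parameters:
     * rhsc_object - object from which permissions should be removed
    Returns None. Nothing is removed when rhsc_object is None.
    """
    # Check for a missing object first, so the log does not announce a
    # removal on 'NoneType' that never happens.
    if rhsc_object is None:
        LOGGER.warning("Trying to remove permissions from an object that does not exist")
        return
    LOGGER.info("Removing all permissions from object '%s'",
                type(rhsc_object).__name__)
    for perm in rhsc_object.permissions.list():
        perm.delete()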
removeAllPermissionFromCluster
def removeAllPermissionFromCluster(clusterName):
    """
    Look up a cluster by name and remove every permission set on it.
    Parameters:
     * clusterName - name of the cluster to look up in API.clusters
    """
    removeAllPermissionFromObject(getObjectByName(API.clusters, clusterName))