feat: Add dynamic tagging and descriptions (#7)

cloudnull · web-flow · commit 319811acd26c · 2025-01-21T11:48:39.000-06:00
This change will allow us to have a dynamic allocation of tags and project descriptions. Within the example map file, the DDI information will be defined as tag the tags allow projects to be searched. The change asserts that defined tags will always be set whenever a user is authenticated against a cloud with the plugin enabled. ``` shell openstack --os-cloud default project show --domain rackspace_cloud_domain 1342135_Flex +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | ddi | 1342135 | | description | Project for DDI 1342135 | | domain_id | 61ad3a247515421aaeaba18ae35aa095 | | enabled | True | | id | de15709c1cd242a6b7451d43c52d1640 | | is_domain | False | | name | 1342135_Flex | | options | {} | | parent_id | 61ad3a247515421aaeaba18ae35aa095 | | tags | ['1342135'] | +-------------+----------------------------------+ ``` As seen in the above snippet, the project is now fully tagged, and labeled based on the mapping. Additionally admins can now search projects using the DDI as a tag, ``` shell openstack --os-cloud default project list --domain rackspace_cloud_domain --long --tags 1342135 +----------------------------------+--------------------------------------+----------------------------------+-------------------------+---------+ | ID | Name | Domain ID | Description | Enabled | +----------------------------------+--------------------------------------+----------------------------------+-------------------------+---------+ | 31a43637efc24ea19eea40af4e72d43d | 3965512c-e2c0-48a7-acef-3cdfb2b95ef8 | 61ad3a247515421aaeaba18ae35aa095 | Project for DDI 1342135 | True | | de15709c1cd242a6b7451d43c52d1640 | 1342135_Flex | 61ad3a247515421aaeaba18ae35aa095 | Project for DDI 1342135 | True | +----------------------------------+--------------------------------------+----------------------------------+-------------------------+---------+ ``` Issue: https://rackspace.atlassian.net/browse/OSPC-746 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
diff --git a/README.md b/README.md
@@ -90,6 +90,19 @@ roles.
 Once the plugin is setup and running, everything will be operating normally. The plugin is passive until
 the Keystone is informed about the identity provider and we have the `rackspace_cloud_domain` created.
 
+#### Mapping Setup
+
+Available environment variables.
+
+| Environment Variable | Explanation |
+| ----------------- | ----- |
+| `RXT_UserName` | Username to be mapped |
+| `RXT_Email` | Email address from the user name |
+| `RXT_DomainID` | Domain ID for the federated assignment |
+| `RXT_TenantName` | Semicolon separated list of tenants mapped to the user |
+| `RXT_TenantID` | Tenant ID for the project |
+| `RXT_orgPersonType` | RBAC association |
+
 ##### Craete the domain
 
 ``` shell
diff --git a/files/mapping.json b/files/mapping.json
@@ -17,6 +17,18 @@
                         "domain": {
                             "name": "rackspace_cloud_domain"
                         },
+                        "description": "Project for DDI {3}",
+                        "metadata": [
+                            {
+                                "key": "ddi",
+                                "value": "{3}"
+                            }
+                        ],
+                        "tags": [
+                            {
+                                "project_tag": "{3}"
+                            }
+                        ],
                         "roles": [
                             {
                                 "name": "member"
@@ -26,6 +38,9 @@
                             },
                             {
                                 "name": "heat_stack_user"
+                            },
+                            {
+                                "name": "creator"
                             }
                         ]
                     }
@@ -42,6 +57,9 @@
             {
                 "type": "RXT_TenantName"
             },
+            {
+                "type": "RXT_DomainID"
+            },
             {
                 "type": "RXT_orgPersonType",
                 "any_one_of": [
diff --git a/keystone_rxt/rackspace.py b/keystone_rxt/rackspace.py
@@ -222,7 +222,7 @@ def _merge_dict(self, base, new, extend=True):
         :param new: New dictionary to merge items from
         :type new: Dictionary
         :param extend: Boolean option to enable or disable extending
-                    iterable arrays.
+                       iterable arrays.
         :type extend: Boolean
         :returns: Dictionary
         """
@@ -270,6 +270,110 @@ class RuleProcessorToHonorDomainOption(
     """
 
 
+def _handle_projects_from_mapping(
+    shadow_projects,
+    idp_domain_id,
+    existing_roles,
+    user,
+    assignment_api,
+    resource_api,
+):
+    for shadow_project in shadow_projects:
+        mapped.configure_project_domain(
+            shadow_project, idp_domain_id, resource_api
+        )
+        try:
+            # Check and see if the project already exists and if it
+            # does not, try to create it.
+            project = resource_api.get_project_by_name(
+                shadow_project["name"], shadow_project["domain"]["id"]
+            )
+        except exception.ProjectNotFound:
+            LOG.info(
+                "Project %(project_name)s does not exist. It will be "
+                "automatically provisioning for user %(user_id)s.",
+                {
+                    "project_name": shadow_project["name"],
+                    "user_id": user["id"],
+                },
+            )
+            project_ref = {
+                "id": mapped.uuid.uuid4().hex,
+                "name": shadow_project["name"],
+                "domain_id": shadow_project["domain"]["id"],
+            }
+            project = resource_api.create_project(
+                project_ref["id"], project_ref
+            )
+        shadow_roles = shadow_project["roles"]
+        for shadow_role in shadow_roles:
+            assignment_api.create_grant(
+                existing_roles[shadow_role["name"]]["id"],
+                user_id=user["id"],
+                project_id=project["id"],
+            )
+        # Run project update to ensure that the project has the correct tags
+        # and description.
+        update_needed = False
+        for shadow_tag in shadow_project.get("tags", list()):
+            shadow_tag = shadow_tag.get("project_tag")
+            if shadow_tag and shadow_tag not in project["tags"]:
+                project["tags"].append(shadow_tag)
+                update_needed = True
+
+        description = shadow_project.get("description", "").strip()
+        if description and project.get("description") != description:
+            project["description"] = description
+            update_needed = True
+
+        metadata = shadow_project.get("metadata", list())
+        for item in metadata:
+            if item['key'] not in project:
+                project[item['key']] = item['value']
+                update_needed = True
+
+        if update_needed:
+            resource_api.update_project(
+                project_id=project["id"], project=project
+            )
+
+
+# NOTE(cloudnull): Adds tag and description support to the project mapping.
+mapped.handle_projects_from_mapping = _handle_projects_from_mapping
+
+# NOTE(cloudnull): Ensures that the Rackspace plugin is permits the use of tags
+#                  and a description within PROJECTS_SCHEMA_2_0.
+mapped.utils.PROJECTS_SCHEMA_2_0["items"]["properties"]["tags"] = {
+    "type": "array",
+    "items": {
+        "type": "object",
+        "required": ["project_tag"],
+        "properties": {
+            "project_tag": {"type": "string"},
+        },
+        "additionalProperties": False,
+    },
+}
+mapped.utils.PROJECTS_SCHEMA_2_0["items"]["properties"]["metadata"] = {
+    "type": "array",
+    "items": {
+        "type": "object",
+        "required": ["key", "value"],
+        "properties": {
+            "key": {"type": "string"},
+            "value": {"type": "string"},
+        },
+        "additionalProperties": False,
+    },
+}
+mapped.utils.PROJECTS_SCHEMA_2_0["items"]["properties"]["description"] = {
+    "type": "string"
+}
+mapped.utils.IDP_ATTRIBUTE_MAPPING_SCHEMA_2_0["properties"]["rules"]["items"][
+    "properties"
+]["local"]["items"]["properties"][
+    "projects"
+] = mapped.utils.PROJECTS_SCHEMA_2_0
 # NOTE(cloudnull): This is to ensure that the RuleProcessor is used for the
 #                  1.0 schema and the RuleProcessorToHonorDomainOption is
 #                  used for the 2.0 schema when running with the rxt auth

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,18 @@`
`17`	`17`	`"domain": {`
`18`	`18`	`"name": "rackspace_cloud_domain"`
`19`	`19`	`},`
	`20`	`+ "description": "Project for DDI {3}",`
	`21`	`+ "metadata": [`
	`22`	`+ {`
	`23`	`+ "key": "ddi",`
	`24`	`+ "value": "{3}"`
	`25`	`+ }`
	`26`	`+ ],`
	`27`	`+ "tags": [`
	`28`	`+ {`
	`29`	`+ "project_tag": "{3}"`
	`30`	`+ }`
	`31`	`+ ],`
`20`	`32`	`"roles": [`
`21`	`33`	`{`
`22`	`34`	`"name": "member"`
`@@ -26,6 +38,9 @@`
`26`	`38`	`},`
`27`	`39`	`{`
`28`	`40`	`"name": "heat_stack_user"`
	`41`	`+ },`
	`42`	`+ {`
	`43`	`+ "name": "creator"`
`29`	`44`	`}`
`30`	`45`	`]`
`31`	`46`	`}`
`@@ -42,6 +57,9 @@`
`42`	`57`	`{`
`43`	`58`	`"type": "RXT_TenantName"`
`44`	`59`	`},`
	`60`	`+ {`
	`61`	`+ "type": "RXT_DomainID"`
	`62`	`+ },`
`45`	`63`	`{`
`46`	`64`	`"type": "RXT_orgPersonType",`
`47`	`65`	`"any_one_of": [`