madorn
diff --git a/‎doc/source/command-objects/network-rbac.rst‎
Lines changed: 62 additions & 0 deletions b/‎doc/source/command-objects/network-rbac.rst‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎doc/source/specs/command-objects/example.rst‎
Lines changed: 1 addition & 1 deletion b/‎doc/source/specs/command-objects/example.rst‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎functional/tests/network/v2/test_network_rbac.py‎
Lines changed: 55 additions & 0 deletions b/‎functional/tests/network/v2/test_network_rbac.py‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎openstackclient/network/v2/network_rbac.py‎
Lines changed: 132 additions & 0 deletions b/‎openstackclient/network/v2/network_rbac.py‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎openstackclient/tests/network/v2/fakes.py‎
Lines changed: 19 additions & 0 deletions b/‎openstackclient/tests/network/v2/fakes.py‎
Lines changed: 19 additions & 0 deletions
@@ -8,6 +8,68 @@ to network resources for specific projects.
 
 Network v2
 
+network rbac create
+-------------------
+
+Create network RBAC policy
+
+.. program:: network rbac create
+.. code:: bash
+
+    os network rbac create
+        --type <type>
+        --action <action>
+        --target-project <target-project> [--target-project-domain <target-project-domain>]
+        [--project <project> [--project-domain <project-domain>]]
+        <rbac-policy>
+
+.. option:: --type <type>
+
+    Type of the object that RBAC policy affects ("qos_policy" or "network") (required)
+
+.. option:: --action <action>
+
+    Action for the RBAC policy ("access_as_external" or "access_as_shared") (required)
+
+.. option:: --target-project <target-project>
+
+    The project to which the RBAC policy will be enforced (name or ID) (required)
+
+.. option:: --target-project-domain <target-project-domain>
+
+    Domain the target project belongs to (name or ID).
+    This can be used in case collisions between project names exist.
+
+.. option:: --project <project>
+
+    The owner project (name or ID)
+
+.. option:: --project-domain <project-domain>
+
+    Domain the project belongs to (name or ID).
+    This can be used in case collisions between project names exist.
+
+.. _network_rbac_create-rbac-policy:
+.. describe:: <rbac-object>
+
+    The object to which this RBAC policy affects (name or ID for network objects, ID only for QoS policy objects)
+
+network rbac delete
+-------------------
+
+Delete network RBAC policy(s)
+
+.. program:: network rbac delete
+.. code:: bash
+
+    os network rbac delete
+        <rbac-policy> [<rbac-policy> ...]
+
+.. _network_rbac_delete-rbac-policy:
+.. describe:: <rbac-policy>
+
+    RBAC policy(s) to delete (ID only)
+
 network rbac list
 -----------------
 
 
@@ -38,7 +38,7 @@ Delete example(s)
 
 .. describe:: <example>
 
-    Example to delete (name or ID)
+    Example(s) to delete (name or ID)
 
 example list
 ------------
 
@@ -0,0 +1,55 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import uuid
+
+from functional.common import test
+
+
+class NetworkRBACTests(test.TestCase):
+    """Functional tests for network rbac. """
+    NET_NAME = uuid.uuid4().hex
+    OBJECT_ID = None
+    ID = None
+    HEADERS = ['ID']
+    FIELDS = ['id']
+
+    @classmethod
+    def setUpClass(cls):
+        opts = cls.get_opts(cls.FIELDS)
+        raw_output = cls.openstack('network create ' + cls.NET_NAME + opts)
+        cls.OBJECT_ID = raw_output.strip('\n')
+        opts = cls.get_opts(['id', 'object_id'])
+        raw_output = cls.openstack('network rbac create ' +
+                                   cls.OBJECT_ID +
+                                   ' --action access_as_shared' +
+                                   ' --target-project admin' +
+                                   ' --type network' + opts)
+        cls.ID, object_id, rol = tuple(raw_output.split('\n'))
+        cls.assertOutput(cls.OBJECT_ID, object_id)
+
+    @classmethod
+    def tearDownClass(cls):
+        raw_output = cls.openstack('network rbac delete ' + cls.ID)
+        cls.assertOutput('', raw_output)
+        raw_output = cls.openstack('network delete ' + cls.OBJECT_ID)
+        cls.assertOutput('', raw_output)
+
+    def test_network_rbac_list(self):
+        opts = self.get_opts(self.HEADERS)
+        raw_output = self.openstack('network rbac list' + opts)
+        self.assertIn(self.ID, raw_output)
+
+    def test_network_rbac_show(self):
+        opts = self.get_opts(self.FIELDS)
+        raw_output = self.openstack('network rbac show ' + self.ID + opts)
+        self.assertEqual(self.ID + "\n", raw_output)
@@ -13,10 +13,17 @@
 
 """RBAC action implementations"""
 
+import logging
+
 from osc_lib.command import command
+from osc_lib import exceptions
 from osc_lib import utils
 
 from openstackclient.i18n import _
+from openstackclient.identity import common as identity_common
+
+
+LOG = logging.getLogger(__name__)
 
 
 def _get_columns(item):
@@ -30,6 +37,131 @@ def _get_columns(item):
     return tuple(sorted(columns))
 
 
+def _get_attrs(client_manager, parsed_args):
+    attrs = {}
+    attrs['object_type'] = parsed_args.type
+    attrs['action'] = parsed_args.action
+
+    network_client = client_manager.network
+    if parsed_args.type == 'network':
+        object_id = network_client.find_network(
+            parsed_args.rbac_object, ignore_missing=False).id
+    if parsed_args.type == 'qos_policy':
+        # TODO(Huanxuan Ao): Support finding a object ID by obejct name
+        # after qos policy finding supported in SDK.
+        object_id = parsed_args.rbac_object
+    attrs['object_id'] = object_id
+
+    identity_client = client_manager.identity
+    project_id = identity_common.find_project(
+        identity_client,
+        parsed_args.target_project,
+        parsed_args.target_project_domain,
+    ).id
+    attrs['target_tenant'] = project_id
+    if parsed_args.project is not None:
+        project_id = identity_common.find_project(
+            identity_client,
+            parsed_args.project,
+            parsed_args.project_domain,
+        ).id
+        attrs['tenant_id'] = project_id
+
+    return attrs
+
+
+class CreateNetworkRBAC(command.ShowOne):
+    """Create network RBAC policy"""
+
+    def get_parser(self, prog_name):
+        parser = super(CreateNetworkRBAC, self).get_parser(prog_name)
+        parser.add_argument(
+            'rbac_object',
+            metavar="<rbac-object>",
+            help=_("The object to which this RBAC policy affects (name or "
+                   "ID for network objects, ID only for QoS policy objects)")
+        )
+        parser.add_argument(
+            '--type',
+            metavar="<type>",
+            required=True,
+            choices=['qos_policy', 'network'],
+            help=_('Type of the object that RBAC policy '
+                   'affects ("qos_policy" or "network")')
+        )
+        parser.add_argument(
+            '--action',
+            metavar="<action>",
+            required=True,
+            choices=['access_as_external', 'access_as_shared'],
+            help=_('Action for the RBAC policy '
+                   '("access_as_external" or "access_as_shared")')
+        )
+        parser.add_argument(
+            '--target-project',
+            required=True,
+            metavar="<target-project>",
+            help=_('The project to which the RBAC policy '
+                   'will be enforced (name or ID)')
+        )
+        parser.add_argument(
+            '--target-project-domain',
+            metavar='<target-project-domain>',
+            help=_('Domain the target project belongs to (name or ID). '
+                   'This can be used in case collisions between project names '
+                   'exist.'),
+        )
+        parser.add_argument(
+            '--project',
+            metavar="<project>",
+            help=_('The owner project (name or ID)')
+        )
+        identity_common.add_project_domain_option_to_parser(parser)
+        return parser
+
+    def take_action(self, parsed_args):
+        client = self.app.client_manager.network
+        attrs = _get_attrs(self.app.client_manager, parsed_args)
+        obj = client.create_rbac_policy(**attrs)
+        columns = _get_columns(obj)
+        data = utils.get_item_properties(obj, columns)
+        return columns, data
+
+
+class DeleteNetworkRBAC(command.Command):
+    """Delete network RBAC policy(s)"""
+
+    def get_parser(self, prog_name):
+        parser = super(DeleteNetworkRBAC, self).get_parser(prog_name)
+        parser.add_argument(
+            'rbac_policy',
+            metavar="<rbac-policy>",
+            nargs='+',
+            help=_("RBAC policy(s) to delete (ID only)")
+        )
+        return parser
+
+    def take_action(self, parsed_args):
+        client = self.app.client_manager.network
+        result = 0
+
+        for rbac in parsed_args.rbac_policy:
+            try:
+                obj = client.find_rbac_policy(rbac, ignore_missing=False)
+                client.delete_rbac_policy(obj)
+            except Exception as e:
+                result += 1
+                LOG.error(_("Failed to delete RBAC policy with "
+                            "ID '%(rbac)s': %(e)s"),
+                          {'rbac': rbac, 'e': e})
+
+        if result > 0:
+            total = len(parsed_args.rbac_policy)
+            msg = (_("%(result)s of %(total)s RBAC policies failed "
+                   "to delete.") % {'result': result, 'total': total})
+            raise exceptions.CommandError(msg)
+
+
 class ListNetworkRBAC(command.Lister):
     """List network RBAC policies"""
 
 
@@ -541,6 +541,25 @@ def create_network_rbacs(attrs=None, count=2):
 
         return rbac_policies
 
+    @staticmethod
+    def get_network_rbacs(rbac_policies=None, count=2):
+        """Get an iterable MagicMock object with a list of faked rbac policies.
+
+        If rbac policies list is provided, then initialize the Mock object
+        with the list. Otherwise create one.
+
+        :param List rbac_policies:
+            A list of FakeResource objects faking rbac policies
+        :param int count:
+            The number of rbac policies to fake
+        :return:
+            An iterable Mock object with side_effect set to a list of faked
+            rbac policies
+        """
+        if rbac_policies is None:
+            rbac_policies = FakeNetworkRBAC.create_network_rbacs(count)
+        return mock.MagicMock(side_effect=rbac_policies)
+
 
 class FakeRouter(object):
     """Fake one or more routers."""