import configparser
import difflib
import json

from keystoneauth1 import session
from keystoneauth1.identity import v2
from keystoneauth1.identity import v3
from keystoneclient.v2_0 import client as ksclient_v2
from keystoneclient.v3 import client as ksclient_v3
from ldap3 import Server, Connection, ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES
from ldap3.utils.conv import escape_filter_chars
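def ad_group_persons(server_name, domain_name, user_name, password, group):
    """Return the sAMAccountName of every enabled person in an AD group.

    Args:
        server_name: AD/LDAP host to connect to.
        domain_name: domain appended to *user_name* for the bind (``user@domain``).
        user_name: bind account.
        password: bind password.
        group: CN of the group, looked up under ``OU=Groups,OU=org,DC=sys,DC=local``.

    Returns:
        List with the first ``sAMAccountName`` value of each matching entry,
        in the order ``sorted(conn.entries)`` yields them.

    The search base and the group OU are fixed to the ``sys.local`` layout this
    script is written for. *group* is passed through ``escape_filter_chars``
    before interpolation so a name containing ``*``, ``(``, ``)`` or ``\\``
    cannot change the meaning of the filter; the ``useraccountcontrol`` bit
    clause (bit 2 = ACCOUNTDISABLE) drops disabled accounts.
    """
    search_filter = (
        "(&(objectCategory=Person)"
        "(memberOf=CN=%s,OU=Groups,OU=org,DC=sys,DC=local)"
        "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))"
        % escape_filter_chars(group)
    )
    server = Server(server_name, get_info=ALL)
    bind_user = user_name + '@' + domain_name
    conn = Connection(server, user=bind_user, password=password, auto_bind=True)
    try:
        conn.search('dc=sys,dc=local', search_filter,
                    attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES])
        return [entry.sAMAccountName[0] for entry in sorted(conn.entries)]
    finally:
        # The original never released the bound session.
        conn.unbind()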
def _get_config_file_creds(infra_name, config='config.cfg'):
    """Read one section of an INI file into a plain dict.

    Args:
        infra_name: name of the section to read (e.g. ``i04``).
        config: path of the INI file; defaults to ``config.cfg`` in the
            current working directory.

    Returns:
        ``{option: value}`` for every option of the section (option names
        are lower-cased by ``ConfigParser``; DEFAULT-section options are
        included, as ``ConfigParser.items`` does).

    Raises:
        OSError if the file cannot be opened; ``configparser.NoSectionError``
        if the section is absent.
    """
    parser = configparser.ConfigParser()
    with open(config) as handle:
        parser.read_file(handle)
    return {option: value for option, value in parser.items(infra_name)}
def _do_auth(**creds):
    """Build an authenticated keystone client from ``os_*`` credentials.

    Keyword Args:
        os_identity_api_version: ``3`` selects the v3 password plugin and
            client; any other integer selects v2.
        os_username, os_password, os_auth_url: used by both versions.
        os_project_domain_name, os_user_domain_name, os_project_name: v3 only.
        os_tenant_name: v2 only.

    Returns:
        ``ksclient_v3.Client`` or ``ksclient_v2.Client`` bound to a session
        that authenticates with the given password.

    Raises:
        TypeError or ValueError when ``os_identity_api_version`` is missing
        or not an integer (``int()`` is applied to it).
    """
    use_v3 = int(creds.get('os_identity_api_version')) == 3
    username = creds.get('os_username')
    password = creds.get('os_password')
    auth_url = creds.get('os_auth_url')

    if use_v3:
        plugin = v3.Password(username=username,
                             password=password,
                             project_domain_name=creds.get('os_project_domain_name'),
                             user_domain_name=creds.get('os_user_domain_name'),
                             project_name=creds.get('os_project_name'),
                             auth_url=auth_url)
        client_cls = ksclient_v3.Client
    else:
        plugin = v2.Password(username=username,
                             password=password,
                             tenant_name=creds.get('os_tenant_name'),
                             auth_url=auth_url)
        client_cls = ksclient_v2.Client

    sess = session.Session(auth=plugin)
    return client_cls(session=sess)
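def _check_defir_groups(client, group):
    """Look up the ``DEFIR_<group>`` tenant on a keystone client.

    Args:
        client: keystone client exposing ``tenants.list()`` and
            ``tenants.list_users(tenant_id)`` (the v2 API; v3 clients expose
            ``projects`` instead — TODO confirm this is only called with v2).
        group: AD group name; the tenant searched for is ``DEFIR_{group}``.

    Returns:
        ``{'status': False}`` when no such tenant exists, otherwise
        ``{'name': ..., 'status': True, 'id': ..., 'users': [...]}`` where
        ``users`` lists the usernames of the tenant's members.
    """
    wanted = f'DEFIR_{group}'
    # Initialised before the loop: the original only assigned this inside the
    # loop body, so an empty tenant list left it unbound when the for/else
    # fell through to ``ig['status'] = False``.
    ig = {'status': False}
    for tenant in client.tenants.list():
        if tenant.name == wanted:
            ig = {
                'name': tenant.name,
                'status': True,
                'id': tenant.id,
                'users': [u.username for u in client.tenants.list_users(tenant.id)],
            }
            break
    return ig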
def Diff(old, new):
    """Diff two line lists with ``difflib`` and split the result by direction.

    Args:
        old: reference list (the callers pass the wanted state here).
        new: list compared against it (the current state).

    Returns:
        ``{'a': [...], 'r': [...]}``: ``'a'`` holds entries the unified diff
        marks ``-`` (in *old*, not in *new*), ``'r'`` entries it marks ``+``
        (in *new*, not in *old*). An entry that shows up on both sides (a
        reordered line) is dropped from both lists. Because *old* is the
        wanted state, callers read ``'a'`` as "to add" and ``'r'`` as
        "to remove".
    """
    hunks = list(difflib.unified_diff(old, new, fromfile='a', tofile='b'))
    body = hunks[2:]  # skip the '--- a' / '+++ b' header pair
    plus = [entry[1:] for entry in body if entry.startswith('+')]
    minus = [entry[1:] for entry in body if entry.startswith('-')]
    return {
        'a': [entry for entry in minus if entry not in plus],
        'r': [entry for entry in plus if entry not in minus],
    }
# File names and lists kept from the original script; none of CURRENT, OLD,
# group or main_users is referenced in the code as pasted.
CURRENT = 'current_users.txt'
OLD = "old_users.txt"
group = 'TAM-Users'
main_users = ['admin', 'orchestrator', 'openstack-msk']

# Bind parameters for ad_group_persons(**adcreds). The password is a literal
# in the script ('********' is the redacted value in this paste); the OpenStack
# credentials below are read from config.cfg, and the AD bind password belongs
# there too rather than in source.
adcreds = dict(
    server_name='p0029ad-dc01.sys.local',
    domain_name='sys.local',
    user_name='kvmreport',
    password='********',
    group='TAM-Users',
)

# Keystone credentials for the 'i04' section of config.cfg.
cred = _get_config_file_creds('i04')
auth = _do_auth(**cred)
class T:
    """Snapshot of keystone v2 tenants, users and roles taken at construction.

    Attributes:
        auth: keystone client used for every lookup.
        _data: ``{tenant_name: {'id': tenant_id, 'users': {username: user_id}}}``.
        users: ``{username: user_id}`` for every user the client lists.
        roles: ``{role_name: role_id}``.

    Nothing is refreshed after ``__init__``; build a new instance after
    tenants or users have been changed through the client.
    """

    def __init__(self, auth):
        self.auth = auth
        self._data = self.tenant_info()
        self.users = self.all_users()
        self.roles = self.roles_list()

    def tenant_info(self):
        """Return tenant name -> ``{'id', 'users': {username: user_id}}`` for all tenants."""
        tenants = self.auth.tenants
        # Two passes like the original: list() once, then one list_users per name.
        by_name = {tenant.name: tenant.id for tenant in tenants.list()}
        return {
            name: {
                'id': tenant_id,
                'users': {member.username: member.id for member in tenants.list_users(tenant_id)},
            }
            for name, tenant_id in by_name.items()
        }

    def users_in_tenant(self, tenant):
        """Return the usernames recorded for *tenant* (KeyError when unknown)."""
        return list(self._data[tenant]['users'])

    def all_users(self):
        """Return ``{username: user_id}`` for every user the client lists."""
        return {account.username: account.id for account in self.auth.users.list()}

    def user_in_groups(self, user):
        """Return ``{tenant_name: tenant_id}`` for each tenant *user* belongs to."""
        return {
            name: info['id']
            for name, info in self._data.items()
            if user in info['users']
        }

    def check_user(self, user):
        """Return the id of *user*, or None when the name is unknown."""
        return self.users.get(user)

    def roles_list(self):
        """Return ``{role_name: role_id}`` for every role the client lists."""
        return {role.name: role.id for role in self.auth.roles.list()}

    def check_tenant(self, tenant):
        """Return True when ``str(tenant)`` is a known tenant name."""
        return f'{tenant}' in self._data
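# Reconcile the DEFIR_<group> keystone project with the AD group's members,
# then apply the per-setup project rules from <group>_access.json.
# Keystone is mutated in place (tenant creation, user create/delete, tenant
# membership), so the infra section read into `cred` decides what is touched.
tinf = T(auth)
all_stack_users = tinf.users
ldap_persons = ad_group_persons(**adcreds)
defir_project = _check_defir_groups(auth, adcreds['group'])

if defir_project["status"]:
    # The project exists: 'a' = in AD but not in the project, 'r' = the reverse.
    print(defir_project['name'])
    state = Diff(ldap_persons, tinf.users_in_tenant(defir_project['name']))
    for add in state['a']:
        print("Add to project new user ", add)
        user_id = tinf.check_user(add)
        if user_id:
            auth.users.update_tenant(user_id, defir_project['id'])
        else:
            auth.users.create(add, tenant_id=defir_project['id'])
    for remove in state['r']:
        print("Remove from project user ", remove)
        # users.delete removes the keystone account itself, not just the
        # project membership. main_users is defined at the top of the script
        # but was never consulted; it is honoured here so those accounts are
        # never deleted by an AD group change.
        if remove in main_users:
            print("Skipping protected user ", remove)
            continue
        user_id = tinf.check_user(remove)
        if user_id:
            auth.users.delete(user_id)
else:
    # No project yet: create it and move/create every AD member into it.
    auth.tenants.create(f'DEFIR_{adcreds["group"]}')
    # Re-query so 'name' and 'id' exist; the original kept the status-False
    # dict in defir_project and later read defir_project['name'] from it.
    defir_project = _check_defir_groups(auth, adcreds['group'])
    if not defir_project['status']:
        raise RuntimeError(f'tenant DEFIR_{adcreds["group"]} was not created')
    for user in ldap_persons:
        print(user)
        if user in all_stack_users:
            print("change user project")
            auth.users.update_tenant(all_stack_users[user], defir_project["id"])
        else:
            print("create new")
            auth.users.create(user, tenant_id=defir_project['id'])

# Users and tenants changed above; rebuild the snapshot so the ids used
# below are current (the original reused the pre-change snapshot).
tinf = T(auth)

with open(f'{adcreds["group"]}_access.json') as steps:
    data = json.load(steps)

defir_name = f'DEFIR_{adcreds["group"]}'
member_role = tinf.roles['_member_']
for os_setup, setup in data.items():
    projects = setup["projects"]
    for user in ldap_persons:
        user_id = tinf.check_user(user)
        if user_id is None:
            # Would have been a KeyError on tinf.users[user] in the original.
            print("User missing in keystone ", user)
            continue
        if isinstance(projects, list) and projects:
            wanted = [f'tenant_{pr}' for pr in projects]
            wanted.append(defir_name)
            state = Diff(wanted, list(tinf.user_in_groups(user).keys()))
            for pr in state['a']:
                if tinf.check_tenant(pr):
                    auth.tenants.add_user(tinf._data[pr]['id'], user_id, member_role)
                else:
                    print("Project failed")
            # The paste lost its indentation, so whether this loop sat inside
            # the original's `if state['a'] != []` guard is not recoverable;
            # it is placed outside so removals run even when nothing is added.
            for pr in state['r']:
                if tinf.check_tenant(pr):
                    auth.tenants.remove_user(tinf._data[pr]['id'], user_id, member_role)
                else:
                    print("Project failed")
        if projects == []:
            # An empty project list means: member of the DEFIR project only.
            memberships = tinf.user_in_groups(user)
            if memberships != {defir_project['name']: defir_project['id']}:
                print("I need delete user from group ", user)
                for pr in memberships:
                    if pr != defir_project['name']:
                        print("i need delete from project ", pr)
                        auth.tenants.remove_user(tinf._data[pr]['id'], user_id, member_role)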