From a2f040ef2584b02c672f60449e7c1d2bd4c20c61 Mon Sep 17 00:00:00 2001
From: Ziad Sawalha
Date: Wed, 1 Jun 2011 09:46:21 -0500
Subject: Support for listing roles in keystone-manage
---
 bin/keystone-manage | 40 +++++++++++++++++++++++++++++-----------
 keystone/db/sqlalchemy/api.py | 5 +++++
 2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/bin/keystone-manage b/bin/keystone-manage
index 017a1aba..6ad73e96 100755
--- a/bin/keystone-manage
+++ b/bin/keystone-manage
@@ -51,6 +51,8 @@ def Main():
 users : password, tenant
 tokens : user, tenant, expiration
+ role list [tenant] will list roles granted on that tenant
+
 options
 -c | --config-file : config file to use
 -d | --debug : debug mode
@@ -206,17 +208,33 @@ def Main():
 print "ERROR: Failed to create role: %s" % exc
 return
 elif command == "list":
- try:
- objects = db_api.role_get_all()
- if objects == None:
- raise IndexError("Roles not found")
- print 'role'
- print '-' * 20
- for row in objects:
- print row.id
- except Exception, e:
- print 'Error getting all roles:', str(e)
- return
+ if len(args) == 3:
+ tenant = args[2]
+ try:
+ objects = db_api.tenant_role_assignments_get(tenant)
+ if objects == None:
+ raise IndexError("Assignments not found")
+ print 'user', 'role'
+ print '-' * 20
+ for row in objects:
+ print row.user_id, row.role_id
+ except Exception, e:
+ print 'Error getting all role assignments for %s:' % \
+ tenant, str(e)
+ return
+ else:
+ tenant = None
+ try:
+ objects = db_api.role_get_all()
+ if objects == None:
+ raise IndexError("Roles not found")
+ print 'role'
+ print '-' * 20
+ for row in objects:
+ print row.id
+ except Exception, e:
+ print 'Error getting all roles:', str(e)
+ return
 elif command == "grant":
 if len(args) < 4:
 parser.error("Missing arguments: role grant 'role' 'user'"\
diff --git a/keystone/db/sqlalchemy/api.py b/keystone/db/sqlalchemy/api.py
index a0ad533b..6ddd17b2 100644
--- a/keystone/db/sqlalchemy/api.py
+++ b/keystone/db/sqlalchemy/api.py
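Review bot: The `objects == None` guard in the new tenant branch of `role list` can never fire, because `tenant_role_assignments_get` as added in this same commit returns a query object rather than None. A mistyped or nonexistent tenant therefore prints an empty table that looks identical to a tenant with no grants, which is misleading for a command operators will use to review who holds which role; check that the tenant exists before querying and print an explicit message when it does not. The `len(args) == 3` test also sends any invocation with extra arguments silently to the all-roles listing, and `tenant = None` in the else branch is never read. Main() starts and ends outside this hunk, so whether the bare `return` after a caught error produces a nonzero exit status cannot be confirmed from here.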
@@ -354,6 +354,11 @@ def tenant_group_delete(id, tenant_id, session=None):
 tenantgroup_ref = tenant_group_get(id, tenant_id, session)
 session.delete(tenantgroup_ref)
+def tenant_role_assignments_get(tenant_id, session=None):
+ if not session:
+ session = get_session()
+ return session.query(models.UserRoleAssociation).\
+ filter_by(tenant_id=tenant_id)
 #
 # User Operations
-- cgit
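Review bot: `tenant_role_assignments_get` returns the unevaluated query instead of a result list, so any database error surfaces only when the caller iterates and a caller cannot test the result against None. Ending the chain with `filter_by(tenant_id=tenant_id).all()` would make the function return a plain list and fail at the call site. The function also has no docstring; something like `"""Return the UserRoleAssociation rows whose tenant_id matches."""` would do. If the model allows grants stored without a tenant, the docstring should state that they are excluded, since the listing may otherwise be read as a complete view of a user's roles.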