MB-34413 Allow to change user and group's fields separately

Change-Id: I2674b04f5f1eb11adce29ddeabace95cfcabe6fb
Reviewed-on: http://review.couchbase.org/111067
Reviewed-by: Carlos Gonzalez <carlos.gonzalez@couchbase.com>
Tested-by: Build Bot <build@couchbase.com>

Author: timofey-barmin

cbmgr.py

@@ -3168,7 +3168,7 @@ def __init__(self):
         group.add_argument("--my-roles", dest="my_roles", action="store_true", default=False,
                            help="List my roles")
         group.add_argument("--set", dest="set", action="store_true", default=False,
-                           help="Create a new RBAC user")
+                           help="Create or edit an RBAC user")
         group.add_argument("--set-group", dest="set_group", action="store_true", default=False,
                            help="Create or edit a user group")
         group.add_argument("--delete-group", dest="delete_group", action="store_true", default=False,
@@ -3177,8 +3177,6 @@ def __init__(self):
                            help="List all groups")
         group.add_argument("--get-group", dest="get_group", action="store_true", default=False,
                            help="Get group")
-        group.add_argument("--edit-users-groups", dest="user_add", action="store_true", default=False,
-                           help="Update the groups of user")
         group.add_argument("--rbac-username", dest="rbac_user", metavar="<username>",
                            help="The RBAC username")
         group.add_argument("--rbac-password", dest="rbac_pass", metavar="<password>",
@@ -3203,13 +3201,13 @@ def execute(self, opts):
         check_versions(rest)
 
         num_selectors = sum([opts.delete, opts.list, opts.my_roles, opts.set, opts.get, opts.get_group,
-                             opts.list_group, opts.delete_group, opts.set_group, opts.user_add])
+                             opts.list_group, opts.delete_group, opts.set_group])
         if num_selectors == 0:
             _exitIfErrors(["Must specify --delete, --list, --my_roles, --set, --get, --get-group, --set-group, " +
-                           "--list-groups, --edit-users-groups or --delete-group"])
+                           "--list-groups or --delete-group"])
         elif num_selectors != 1:
             _exitIfErrors(["Only one of the following can be specified:--delete, --list, --my_roles, --set, --get," +
-                           " --get-group, --set-group, --list-groups, --edit-users-groups or --delete-group"])
+                           " --get-group, --set-group, --list-groups or --delete-group"])
 
         if opts.delete:
             self._delete(rest, opts)
@@ -3225,8 +3223,6 @@ def execute(self, opts):
             self._get_group(rest, opts)
         elif opts.set_group:
             self._set_group(rest, opts)
-        elif opts.user_add:
-            self._set_users_groups(rest, opts)
         elif opts.list_group:
             self._list_groups(rest)
         elif opts.delete_group:
@@ -3248,27 +3244,13 @@ def _get_group(self, rest, opts):
         _exitIfErrors(errors)
         print(json.dumps(group, indent=2))
 
-    def _set_users_groups(self, rest, opts):
-        if opts.username is None:
-            _exitIfErrors(['--rbac-username is required with the --edit-users-groups option'])
-        if opts.groups is None:
-            _exitIfErrors(['--user-groups is required with the --edit-users-groups option'])
-        if opts.auth_domain is None:
-            _exitIfErrors(['--auth-domain is required with the --edit-users-groups option'])
-
-        _, errors = rest.add_user_to_group(opts.rbac_user, opts.groups, opts.auth_domain)
-        _exitIfErrors(errors)
-        _success(f"User '{opts.rbac_user}' group memberships were updated")
-
     def _set_group(self, rest, opts):
         if opts.group is None:
             _exitIfErrors(['--group-name is required with --set-group'])
-        if opts.roles is None:
-            _exitIfErrors(['--roles is required with --set-group'])
 
         _, errors = rest.set_user_group(opts.group, opts.roles, opts.description, opts.ldap_ref)
         _exitIfErrors(errors)
-        _success(f"Group '{opts.group}' was created")
+        _success(f"Group '{opts.group}' set")
 
     def _list_groups(self, rest):
         groups, errors = rest.list_user_groups()
@@ -3347,29 +3329,23 @@ def _my_roles(self, rest, opts):
     def _set(self, rest, opts):
         if opts.rbac_user is None:
             _exitIfErrors(["--rbac-username is required with the --set option"])
-        if opts.rbac_pass is None and opts.auth_domain == "local":
-            _exitIfErrors(["--rbac-password is required with the --set option"])
         if opts.rbac_pass is not None and opts.auth_domain == "external":
             _warning("--rbac-password cannot be used with the external auth domain")
             opts.rbac_pass = None
-        if opts.roles is None and opts.groups is None:
-            _exitIfErrors(["--roles or --user-groups are required with the --set option"])
         if opts.auth_domain is None:
             _exitIfErrors(["--auth-domain is required with the --set option"])
 
-        _, errors = rest.set_rbac_user(opts.rbac_user, opts.rbac_pass, opts.rbac_name, opts.roles, opts.auth_domain)
+        _, errors = rest.set_rbac_user(opts.rbac_user, opts.rbac_pass, \
+                                       opts.rbac_name, opts.roles, \
+                                       opts.auth_domain, opts.groups)
         _exitIfErrors(errors)
 
-        if opts.groups is not None:
-            groups = opts.groups.split(",")
-            _, errors = rest.add_user_to_group(opts.rbac_user, groups)
-
         if opts.roles is not None and "query_external_access" in opts.roles:
             _warning("Granting the query_external_access role permits execution of the N1QL " +
                 "function CURL() and may allow access to other network endpoints in the local " +
                 "network and the Internet.")
 
-        _success(f"User {opts.rbac_user} was created")
+        _success(f"User {opts.rbac_user} set")
 
     @staticmethod
     def get_man_page_name():

cluster_manager.py

@@ -999,7 +999,7 @@ def my_roles(self):
         url = f'{self.hostname}/whoami'
         return self._get(url)
 
-    def set_rbac_user(self, username, password, name, roles, auth_domain):
+    def set_rbac_user(self, username, password, name, roles, auth_domain, groups):
         if auth_domain is None:
             return None, ["The authentication type is required"]
 
@@ -1008,27 +1008,36 @@ def set_rbac_user(self, username, password, name, roles, auth_domain):
 
         url = f'{self.hostname}/settings/rbac/users/{auth_domain}/{username}'
 
+        defaults, errors = self._get(url)
+        if errors and errors[0] == '"Unknown user."':
+            defaults = {}
+        elif errors:
+            return None, errors
+
         params = {}
         if name is not None:
-            params["name"] = name
+            params['name'] = name
+        elif 'name' in defaults:
+            params['name'] = defaults['name']
         if password is not None:
-            params["password"] = password
+            params['password'] = password
         if roles is not None:
-            params["roles"] = roles
-        return self._put(url, params)
+            params['roles'] = roles;
+        elif 'roles' in defaults:
+            params['roles'] = self._format_user_roles(defaults['roles'])
+        if groups is not None:
+            params['groups'] = groups
+        elif 'groups' in defaults:
+            params['groups'] = ','.join(defaults['groups'])
 
-    def add_user_to_group(self, user, groups, domain):
-        if user is None:
-            return None, ['User is required']
-        if groups is None:
-            return None, ['A list of groups is required']
-        if domain is None:
-            return None, ['The user domain is required']
+        return self._put(url, params)
 
-        url = f'{self.hostname}/settings/rbac/users/{domain}/{user}'
+    def _format_user_roles(self, roles):
+        directly_assigned = filter(lambda r: any(o for o in r['origins'] if o['type'] == 'user'), roles)
+        return ",".join(self._format_role(r) for r in directly_assigned)
 
-        params = {'groups': groups}
-        return self._put(url, params)
+    def _format_role(self, role):
+        return f'{role["role"]}' + (f'[{role["bucket_name"]}]' if 'bucket_name' in role else '')
 
     def get_user_group(self, group):
         if group is None:
@@ -1047,15 +1056,28 @@ def delete_user_group(self, group):
     def set_user_group(self, group, roles, description, ldap_ref):
         if group is None:
             return None, ['Group name is required']
-        if roles is None:
-            return None, ['roles are required']
 
         url = f'{self.hostname}/settings/rbac/groups/{group}'
-        params = {'roles': roles}
+
+        defaults, errors = self._get(url)
+        if errors and errors[0] == '"Unknown group."':
+            defaults = {}
+        elif errors:
+            return None, errors
+
+        params = {}
+        if roles is not None:
+            params['roles'] = roles
+        elif 'roles' in defaults:
+            params['roles'] = ",".join(self._format_role(r) for r in defaults['roles'])
         if description is not None:
             params['description'] = description
+        elif 'description' in defaults:
+            params['description'] = defaults['description']
         if ldap_ref is not None:
             params['ldap_group_ref'] = ldap_ref
+        elif 'ldap_group_ref' in defaults:
+            params['ldap_group_ref'] = defaults['ldap_group_ref']
 
         return self._put(url, params)
 

docs/generated/doc/couchbase-cli/couchbase-cli-user-manage.html

@@ -4,7 +4,7 @@
 <meta charset="UTF-8">
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<meta name="generator" content="Asciidoctor 2.0.9">
+<meta name="generator" content="Asciidoctor 2.0.10">
 <meta name="author" content="Couchbase">
 <title>couchbase-cli-user-manage(1)</title>
 <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
@@ -241,7 +241,7 @@
 pre.pygments .lineno{border-right:1px solid currentColor;opacity:.35;display:inline-block;margin-right:.75em}
 pre.pygments .lineno::before{content:"";margin-right:-.125em}
 .quoteblock{margin:0 1em 1.25em 1.5em;display:table}
-.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em}
+.quoteblock:not(.excerpt)>.title{margin-left:-1.5em;margin-bottom:.75em}
 .quoteblock blockquote,.quoteblock p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
 .quoteblock blockquote{margin:0;padding:0;border:0}
 .quoteblock blockquote::before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
@@ -258,7 +258,8 @@
 .quoteblock.abstract blockquote,.quoteblock.abstract p,.quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{line-height:1.6;word-spacing:0}
 .quoteblock.abstract{margin:0 1em 1.25em;display:block}
 .quoteblock.abstract>.title{margin:0 0 .375em;font-size:1.15em;text-align:center}
-.quoteblock.excerpt,.quoteblock .quoteblock{margin:0 0 1.25em;padding:0 0 .25em 1em;border-left:.25em solid #dddddf}
+.quoteblock.excerpt>blockquote,.quoteblock .quoteblock{padding:0 0 .25em 1em;border-left:.25em solid #dddddf}
+.quoteblock.excerpt,.quoteblock .quoteblock{margin-left:0}
 .quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{color:inherit;font-size:1.0625rem}
 .quoteblock.excerpt .attribution,.quoteblock .quoteblock .attribution{color:inherit;text-align:left;margin-right:0}
 table.tableblock{max-width:100%;border-collapse:separate}
@@ -452,8 +453,8 @@ <h2 id="_synopsis">SYNOPSIS</h2>
 <pre class="content"><em>couchbase-cli user-manage</em> [--cluster &lt;url&gt;] [--username &lt;user&gt;]
     [--password &lt;password&gt;] [--delete] [--list] [--my-roles] [--set]
     [--set-group] [--delete-group] [--list-groups] [--get-group]
-    [--edit-users-groups] [-- get] [--rbac-username &lt;username&gt;]
-    [--rbac-password &lt;password&gt;] [--rbac-name &lt;name&gt;] [--roles &lt;roles_list&gt;]
+    [-- get] [--rbac-username &lt;username&gt;] [--rbac-password &lt;password&gt;]
+    [--rbac-name &lt;name&gt;] [--roles &lt;roles_list&gt;]
     [--auth-domain &lt;domain&gt;] [--user-groups &lt;group&gt;]
     [--group-description &lt;text&gt;] [--ldap-ref &lt;ref&gt;]</pre>
 </div>
@@ -536,10 +537,6 @@ <h2 id="_options">OPTIONS</h2>
 <dd>
 <p>Gets the details of a group.</p>
 </dd>
-<dt class="hdlist1">--edit-users-groups</dt>
-<dd>
-<p>Updates the groups the given RBAC user is part of.</p>
-</dd>
 <dt class="hdlist1">--rbac-username &lt;username&gt;</dt>
 <dd>
 <p>Specifies the username of the RBAC user to modify. This option is used when
@@ -575,7 +572,7 @@ <h2 id="_options">OPTIONS</h2>
 <dt class="hdlist1">--user-groups &lt;groups&gt;</dt>
 <dd>
 <p>Specifies the groups the user should be added to. This is used when creating
-a user (--set) or when updating the users group (--edit-user-groups), and
+a user (--set) or when updating the users group, and
 should be specified as a comma separated list.</p>
 </dd>
 <dt class="hdlist1">--group-name &lt;group&gt;</dt>

docs/generated/man/man1/couchbase-cli-user-manage.1

@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: couchbase-cli-user-manage
 .\"    Author: Couchbase
-.\" Generator: Asciidoctor 2.0.9
-.\"      Date: 2019-06-19
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2019-07-03
 .\"    Manual: Couchbase CLI Manual
 .\"    Source: Couchbase CLI 1.0.0
 .\"  Language: English
 .\"
-.TH "COUCHBASE\-CLI\-USER\-MANAGE" "1" "2019-06-24" "Couchbase CLI 1.0.0" "Couchbase CLI Manual"
+.TH "COUCHBASE\-CLI\-USER\-MANAGE" "1" "2019-07-03" "Couchbase CLI 1.0.0" "Couchbase CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -36,8 +36,8 @@ couchbase\-cli\-user\-manage \- Manage RBAC users
 \fIcouchbase\-cli user\-manage\fP [\-\-cluster <url>] [\-\-username <user>]
     [\-\-password <password>] [\-\-delete] [\-\-list] [\-\-my\-roles] [\-\-set]
     [\-\-set\-group] [\-\-delete\-group] [\-\-list\-groups] [\-\-get\-group]
-    [\-\-edit\-users\-groups] [\-\- get] [\-\-rbac\-username <username>]
-    [\-\-rbac\-password <password>] [\-\-rbac\-name <name>] [\-\-roles <roles_list>]
+    [\-\- get] [\-\-rbac\-username <username>] [\-\-rbac\-password <password>]
+    [\-\-rbac\-name <name>] [\-\-roles <roles_list>]
     [\-\-auth\-domain <domain>] [\-\-user\-groups <group>]
     [\-\-group\-description <text>] [\-\-ldap\-ref <ref>]
 .fi
@@ -120,11 +120,6 @@ List all groups.
 Gets the details of a group.
 .RE
 .sp
-\-\-edit\-users\-groups
-.RS 4
-Updates the groups the given RBAC user is part of.
-.RE
-.sp
 \-\-rbac\-username <username>
 .RS 4
 Specifies the username of the RBAC user to modify. This option is used when
@@ -165,7 +160,7 @@ managed by an external source suchas LDAP.
 \-\-user\-groups <groups>
 .RS 4
 Specifies the groups the user should be added to. This is used when creating
-a user (\-\-set) or when updating the users group (\-\-edit\-user\-groups), and
+a user (\-\-set) or when updating the users group, and
 should be specified as a comma separated list.
 .RE
 .sp
@@ -565,4 +560,4 @@ password are not cached in their command line history.
 Part of the \fBcouchbase\-cli\fP(1) suite
 .SH "AUTHOR"
 .sp
-Couchbase
+Couchbase

docs/modules/cli/pages/cbcli/couchbase-cli-user-manage.adoc

@@ -14,8 +14,8 @@ Manage RBAC users
 _couchbase-cli user-manage_ [--cluster <url>] [--username <user>]
     [--password <password>] [--delete] [--list] [--my-roles] [--set]
     [--set-group] [--delete-group] [--list-groups] [--get-group]
-    [--edit-users-groups] [-- get] [--rbac-username <username>]
-    [--rbac-password <password>] [--rbac-name <name>] [--roles <roles_list>]
+    [-- get] [--rbac-username <username>] [--rbac-password <password>]
+    [--rbac-name <name>] [--roles <roles_list>]
     [--auth-domain <domain>] [--user-groups <group>]
     [--group-description <text>] [--ldap-ref <ref>]
 
@@ -59,9 +59,6 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
 --get-group::
   Gets the details of a group.
 
---edit-users-groups::
-  Updates the groups the given RBAC user is part of.
-
 --rbac-username <username>::
   Specifies the username of the RBAC user to modify. This option is used when
   deleting, creating, or updating an RBAC user profile.
@@ -91,7 +88,7 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
 
 --user-groups <groups>::
   Specifies the groups the user should be added to. This is used when creating
-  a user (--set) or when updating the users group (--edit-user-groups), and
+  a user (--set) or when updating the users group, and
   should be specified as a comma separated list.
 
 --group-name <group>::