fix bug 791. Adding input validation for ns-create. It was only for ns-instantiate
[osm/NBI.git] / osm_nbi / authconn_keystone.py
index 7f59270..9f5e02c 100644 (file)
@@ -23,21 +23,24 @@ AuthconnKeystone implements implements the connector for
 Openstack Keystone and leverages the RBAC model, to bring
 it for OSM.
 """
 Openstack Keystone and leverages the RBAC model, to bring
 it for OSM.
 """
-import time
+
 
 __author__ = "Eduardo Sousa <esousa@whitestack.com>"
 __date__ = "$27-jul-2018 23:59:59$"
 
 
 __author__ = "Eduardo Sousa <esousa@whitestack.com>"
 __date__ = "$27-jul-2018 23:59:59$"
 
-from authconn import Authconn, AuthException, AuthconnOperationException
+from authconn import Authconn, AuthException, AuthconnOperationException, AuthconnNotFoundException, \
+    AuthconnConflictException
 
 import logging
 import requests
 
 import logging
 import requests
+import time
 from keystoneauth1 import session
 from keystoneauth1.identity import v3
 from keystoneauth1.exceptions.base import ClientException
 from keystoneauth1.exceptions.http import Conflict
 from keystoneclient.v3 import client
 from http import HTTPStatus
 from keystoneauth1 import session
 from keystoneauth1.identity import v3
 from keystoneauth1.exceptions.base import ClientException
 from keystoneauth1.exceptions.http import Conflict
 from keystoneclient.v3 import client
 from http import HTTPStatus
+from validation import is_valid_uuid
 
 
 class AuthconnKeystone(Authconn):
 
 
 class AuthconnKeystone(Authconn):
@@ -75,75 +78,149 @@ class AuthconnKeystone(Authconn):
         self.sess = session.Session(auth=self.auth)
         self.keystone = client.Client(session=self.sess)
 
         self.sess = session.Session(auth=self.auth)
         self.keystone = client.Client(session=self.sess)
 
-    def authenticate_with_user_password(self, user, password):
+    def authenticate(self, user, password, project=None, token_info=None):
         """
         """
-        Authenticate a user using username and password.
+        Authenticate a user using username/password or token_info, plus project
+        :param user: user: name, id or None
+        :param password: password or None
+        :param project: name, id, or None. If None first found project will be used to get an scope token
+        :param token_info: previous token_info to obtain authorization
+        :return: the scoped token info or raises an exception. The token is a dictionary with:
+            _id:  token string id,
+            username: username,
+            project_id: scoped_token project_id,
+            project_name: scoped_token project_name,
+            expires: epoch time when it expires,
 
 
-        :param user: username
-        :param password: password
-        :return: an unscoped token that grants access to project list
         """
         try:
         """
         try:
-            user_id = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0].id
-            project_names = [project.name for project in self.keystone.projects.list(user=user_id)]
-
-            token = self.keystone.get_raw_token_from_identity_service(
+            username = None
+            user_id = None
+            project_id = None
+            project_name = None
+
+            if user:
+                if is_valid_uuid(user):
+                    user_id = user
+                else:
+                    username = user
+
+                # get an unscoped token firstly
+                unscoped_token = self.keystone.get_raw_token_from_identity_service(
+                    auth_url=self.auth_url,
+                    user_id=user_id,
+                    username=username,
+                    password=password,
+                    user_domain_name=self.user_domain_name,
+                    project_domain_name=self.project_domain_name)
+            elif token_info:
+                unscoped_token = self.keystone.tokens.validate(token=token_info.get("_id"))
+            else:
+                raise AuthException("Provide credentials: username/password or Authorization Bearer token",
+                                    http_code=HTTPStatus.UNAUTHORIZED)
+
+            if not project:
+                # get first project for the user
+                project_list = self.keystone.projects.list(user=unscoped_token["user"]["id"])
+                if not project_list:
+                    raise AuthException("The user {} has not any project and cannot be used for authentication".
+                                        format(user), http_code=HTTPStatus.UNAUTHORIZED)
+                project_id = project_list[0].id
+            else:
+                if is_valid_uuid(project):
+                    project_id = project
+                else:
+                    project_name = project
+
+            scoped_token = self.keystone.get_raw_token_from_identity_service(
                 auth_url=self.auth_url,
                 auth_url=self.auth_url,
-                username=user,
-                password=password,
+                project_name=project_name,
+                project_id=project_id,
                 user_domain_name=self.user_domain_name,
                 user_domain_name=self.user_domain_name,
-                project_domain_name=self.project_domain_name)
-
-            return token["auth_token"], project_names
-        except ClientException:
-            self.logger.exception("Error during user authentication using keystone. Method: basic")
-            raise AuthException("Error during user authentication using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
-
-    def authenticate_with_token(self, token, project=None):
-        """
-        Authenticate a user using a token. Can be used to revalidate the token
-        or to get a scoped token.
-
-        :param token: a valid token.
-        :param project: (optional) project for a scoped token.
-        :return: return a revalidated token, scoped if a project was passed or
-        the previous token was already scoped.
-        """
-        try:
-            token_info = self.keystone.tokens.validate(token=token)
-            projects = self.keystone.projects.list(user=token_info["user"]["id"])
-            project_names = [project.name for project in projects]
-
-            new_token = self.keystone.get_raw_token_from_identity_service(
-                auth_url=self.auth_url,
-                token=token,
-                project_name=project,
-                user_domain_name=self.user_domain_name,
-                project_domain_name=self.project_domain_name)
-
-            return new_token["auth_token"], project_names
-        except ClientException:
-            self.logger.exception("Error during user authentication using keystone. Method: bearer")
-            raise AuthException("Error during user authentication using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+                project_domain_name=self.project_domain_name,
+                token=unscoped_token["auth_token"])
+
+            auth_token = {
+                "_id": scoped_token.auth_token,
+                "id": scoped_token.auth_token,
+                "user_id": scoped_token.user_id,
+                "username": scoped_token.username,
+                "project_id": scoped_token.project_id,
+                "project_name": scoped_token.project_name,
+                "expires": scoped_token.expires.timestamp(),
+                "issued_at": scoped_token.issued.timestamp()
+            }
+
+            return auth_token
+        except ClientException as e:
+            # self.logger.exception("Error during user authentication using keystone. Method: basic: {}".format(e))
+            raise AuthException("Error during user authentication using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
+
+    # def authenticate_with_token(self, token, project=None):
+    #     """
+    #     Authenticate a user using a token. Can be used to revalidate the token
+    #     or to get a scoped token.
+    #
+    #     :param token: a valid token.
+    #     :param project: (optional) project for a scoped token.
+    #     :return: return a revalidated token, scoped if a project was passed or
+    #     the previous token was already scoped.
+    #     """
+    #     try:
+    #         token_info = self.keystone.tokens.validate(token=token)
+    #         projects = self.keystone.projects.list(user=token_info["user"]["id"])
+    #         project_names = [project.name for project in projects]
+    #
+    #         new_token = self.keystone.get_raw_token_from_identity_service(
+    #             auth_url=self.auth_url,
+    #             token=token,
+    #             project_name=project,
+    #             project_id=None,
+    #             user_domain_name=self.user_domain_name,
+    #             project_domain_name=self.project_domain_name)
+    #
+    #         return new_token["auth_token"], project_names
+    #     except ClientException as e:
+    #         # self.logger.exception("Error during user authentication using keystone. Method: bearer: {}".format(e))
+    #         raise AuthException("Error during user authentication using Keystone: {}".format(e),
+    #                             http_code=HTTPStatus.UNAUTHORIZED)
 
     def validate_token(self, token):
         """
         Check if the token is valid.
 
 
     def validate_token(self, token):
         """
         Check if the token is valid.
 
-        :param token: token to validate
-        :return: dictionary with information associated with the token. If the
-        token is not valid, returns None.
+        :param token: token id to be validated
+        :return: dictionary with information associated with the token:
+             "expires":
+             "_id": token_id,
+             "project_id": project_id,
+             "username": ,
+             "roles": list with dict containing {name, id}
+         If the token is not valid an exception is raised.
         """
         if not token:
             return
 
         try:
             token_info = self.keystone.tokens.validate(token=token)
         """
         if not token:
             return
 
         try:
             token_info = self.keystone.tokens.validate(token=token)
-
-            return token_info
-        except ClientException:
-            self.logger.exception("Error during token validation using keystone")
-            raise AuthException("Error during token validation using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+            ses = {
+                "_id": token_info["auth_token"],
+                "id": token_info["auth_token"],
+                "project_id": token_info["project"]["id"],
+                "project_name": token_info["project"]["name"],
+                "user_id": token_info["user"]["id"],
+                "username": token_info["user"]["name"],
+                "roles": token_info["roles"],
+                "expires": token_info.expires.timestamp(),
+                "issued_at": token_info.issued.timestamp()
+            }
+
+            return ses
+        except ClientException as e:
+            # self.logger.exception("Error during token validation using keystone: {}".format(e))
+            raise AuthException("Error during token validation using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def revoke_token(self, token):
         """
 
     def revoke_token(self, token):
         """
@@ -156,9 +233,10 @@ class AuthconnKeystone(Authconn):
             self.keystone.tokens.revoke_token(token=token)
 
             return True
             self.keystone.tokens.revoke_token(token=token)
 
             return True
-        except ClientException:
-            self.logger.exception("Error during token revocation using keystone")
-            raise AuthException("Error during token revocation using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+        except ClientException as e:
+            # self.logger.exception("Error during token revocation using keystone: {}".format(e))
+            raise AuthException("Error during token revocation using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def get_user_project_list(self, token):
         """
 
     def get_user_project_list(self, token):
         """
@@ -173,9 +251,10 @@ class AuthconnKeystone(Authconn):
             project_names = [project.name for project in projects]
 
             return project_names
             project_names = [project.name for project in projects]
 
             return project_names
-        except ClientException:
-            self.logger.exception("Error during user project listing using keystone")
-            raise AuthException("Error during user project listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+        except ClientException as e:
+            # self.logger.exception("Error during user project listing using keystone: {}".format(e))
+            raise AuthException("Error during user project listing using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def get_user_role_list(self, token):
         """
 
     def get_user_role_list(self, token):
         """
@@ -192,9 +271,10 @@ class AuthconnKeystone(Authconn):
             roles = [role.name for role in roles_info]
 
             return roles
             roles = [role.name for role in roles_info]
 
             return roles
-        except ClientException:
-            self.logger.exception("Error during user role listing using keystone")
-            raise AuthException("Error during user role listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+        except ClientException as e:
+            # self.logger.exception("Error during user role listing using keystone: {}".format(e))
+            raise AuthException("Error during user role listing using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def create_user(self, user, password):
         """
 
     def create_user(self, user, password):
         """
@@ -208,24 +288,35 @@ class AuthconnKeystone(Authconn):
         try:
             new_user = self.keystone.users.create(user, password=password, domain=self.user_domain_name)
             return {"username": new_user.name, "_id": new_user.id}
         try:
             new_user = self.keystone.users.create(user, password=password, domain=self.user_domain_name)
             return {"username": new_user.name, "_id": new_user.id}
-        except ClientException:
-            self.logger.exception("Error during user creation using keystone")
-            raise AuthconnOperationException("Error during user creation using Keystone")
+        except Conflict as e:
+            # self.logger.exception("Error during user creation using keystone: {}".format(e))
+            raise AuthconnOperationException(e, http_code=HTTPStatus.CONFLICT)
+        except ClientException as e:
+            # self.logger.exception("Error during user creation using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during user creation using Keystone: {}".format(e))
 
 
-    def change_password(self, user, new_password):
+    def update_user(self, user, new_name=None, new_password=None):
         """
         """
-        Change the user password.
+        Change the user name and/or password.
 
 
-        :param user: username.
+        :param user: username or user_id
+        :param new_name: new name
         :param new_password: new password.
         :param new_password: new password.
-        :raises AuthconnOperationException: if user password change failed.
+        :raises AuthconnOperationException: if change failed.
         """
         try:
         """
         try:
-            user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
-            self.keystone.users.update(user_obj, password=new_password)
-        except ClientException:
-            self.logger.exception("Error during user password update using keystone")
-            raise AuthconnOperationException("Error during user password update using Keystone")
+            if is_valid_uuid(user):
+                user_id = user
+            else:
+                user_obj_list = self.keystone.users.list(name=user)
+                if not user_obj_list:
+                    raise AuthconnNotFoundException("User '{}' not found".format(user))
+                user_id = user_obj_list[0].id
+
+            self.keystone.users.update(user_id, password=new_password, name=new_name)
+        except ClientException as e:
+            # self.logger.exception("Error during user password/name update using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during user password/name update using Keystone: {}".format(e))
 
     def delete_user(self, user_id):
         """
 
     def delete_user(self, user_id):
         """
@@ -235,40 +326,39 @@ class AuthconnKeystone(Authconn):
         :raises AuthconnOperationException: if user deletion failed.
         """
         try:
         :raises AuthconnOperationException: if user deletion failed.
         """
         try:
-            users = self.keystone.users.list()
-            user_obj = [user for user in users if user.id == user_id][0]
-            result, _ = self.keystone.users.delete(user_obj)
+            users = self.keystone.users.list()
+            user_obj = [user for user in users if user.id == user_id][0]
+            result, _ = self.keystone.users.delete(user_obj)
 
 
+            result, detail = self.keystone.users.delete(user_id)
             if result.status_code != 204:
             if result.status_code != 204:
-                raise ClientException("User was not deleted")
+                raise ClientException("error {} {}".format(result.status_code, detail))
 
             return True
 
             return True
-        except ClientException:
-            self.logger.exception("Error during user deletion using keystone")
-            raise AuthconnOperationException("Error during user deletion using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during user deletion using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during user deletion using Keystone: {}".format(e))
 
 
-    def get_user_list(self, filter_q={}):
+    def get_user_list(self, filter_q=None):
         """
         Get user list.
 
         """
         Get user list.
 
-        :param filter_q: dictionary to filter user list.
+        :param filter_q: dictionary to filter user list by name (username is also admited) and/or _id
         :return: returns a list of users.
         """
         try:
         :return: returns a list of users.
         """
         try:
-            users = self.keystone.users.list()
+            filter_name = None
+            if filter_q:
+                filter_name = filter_q.get("name") or filter_q.get("username")
+            users = self.keystone.users.list(name=filter_name)
             users = [{
                 "username": user.name,
                 "_id": user.id,
                 "id": user.id
             } for user in users if user.name != self.admin_username]
 
             users = [{
                 "username": user.name,
                 "_id": user.id,
                 "id": user.id
             } for user in users if user.name != self.admin_username]
 
-            allowed_fields = ["_id", "id", "username"]
-            for key in filter_q.keys():
-                if key not in allowed_fields:
-                    continue
-
-                users = [user for user in users 
-                         if filter_q[key] == user[key]]
+            if filter_q and filter_q.get("_id"):
+                users = [user for user in users if filter_q["_id"] == user["_id"]]
 
             for user in users:
                 projects = self.keystone.projects.list(user=user["_id"])
 
             for user in users:
                 projects = self.keystone.projects.list(user=user["_id"])
@@ -290,28 +380,36 @@ class AuthconnKeystone(Authconn):
                 user["projects"] = projects
 
             return users
                 user["projects"] = projects
 
             return users
-        except ClientException:
-            self.logger.exception("Error during user listing using keystone")
-            raise AuthconnOperationException("Error during user listing using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during user listing using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during user listing using Keystone: {}".format(e))
 
 
-    def get_role_list(self):
+    def get_role_list(self, filter_q=None):
         """
         Get role list.
 
         """
         Get role list.
 
+        :param filter_q: dictionary to filter role list by _id and/or name.
         :return: returns the list of roles.
         """
         try:
         :return: returns the list of roles.
         """
         try:
-            roles_list = self.keystone.roles.list()
+            filter_name = None
+            if filter_q:
+                filter_name = filter_q.get("name")
+            roles_list = self.keystone.roles.list(name=filter_name)
 
             roles = [{
                 "name": role.name,
                 "_id": role.id
             } for role in roles_list if role.name != "service"]
 
 
             roles = [{
                 "name": role.name,
                 "_id": role.id
             } for role in roles_list if role.name != "service"]
 
+            if filter_q and filter_q.get("_id"):
+                roles = [role for role in roles if filter_q["_id"] == role["_id"]]
+
             return roles
             return roles
-        except ClientException:
-            self.logger.exception("Error during user role listing using keystone")
-            raise AuthException("Error during user role listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+        except ClientException as e:
+            # self.logger.exception("Error during user role listing using keystone: {}".format(e))
+            raise AuthException("Error during user role listing using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def create_role(self, role):
         """
 
     def create_role(self, role):
         """
@@ -322,12 +420,12 @@ class AuthconnKeystone(Authconn):
         """
         try:
             result = self.keystone.roles.create(role)
         """
         try:
             result = self.keystone.roles.create(role)
-            return {"name": result.name, "_id": result.id}
+            return result.id
         except Conflict as ex:
         except Conflict as ex:
-            self.logger.info("Duplicate entry: %s", str(ex))
-        except ClientException:
-            self.logger.exception("Error during role creation using keystone")
-            raise AuthconnOperationException("Error during role creation using Keystone")
+            raise AuthconnConflictException(str(ex))
+        except ClientException as e:
+            # self.logger.exception("Error during role creation using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during role creation using Keystone: {}".format(e))
 
     def delete_role(self, role_id):
         """
 
     def delete_role(self, role_id):
         """
@@ -337,19 +435,37 @@ class AuthconnKeystone(Authconn):
         :raises AuthconnOperationException: if role deletion failed.
         """
         try:
         :raises AuthconnOperationException: if role deletion failed.
         """
         try:
-            roles = self.keystone.roles.list()
-            role_obj = [role for role in roles if role.id == role_id][0]
-            result, _ = self.keystone.roles.delete(role_obj)
+            result, detail = self.keystone.roles.delete(role_id)
 
             if result.status_code != 204:
 
             if result.status_code != 204:
-                raise ClientException("Role was not deleted")
+                raise ClientException("error {} {}".format(result.status_code, detail))
 
             return True
 
             return True
-        except ClientException:
-            self.logger.exception("Error during role deletion using keystone")
-            raise AuthconnOperationException("Error during role deletion using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during role deletion using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during role deletion using Keystone: {}".format(e))
 
 
-    def get_project_list(self, filter_q={}):
+    def update_role(self, role, new_name):
+        """
+        Change the name of a role
+        :param role: role  name or id to be changed
+        :param new_name: new name
+        :return: None
+        """
+        try:
+            if is_valid_uuid(role):
+                role_id = role
+            else:
+                role_obj_list = self.keystone.roles.list(name=role)
+                if not role_obj_list:
+                    raise AuthconnNotFoundException("Role '{}' not found".format(role))
+                role_id = role_obj_list[0].id
+            self.keystone.roles.update(role_id, name=new_name)
+        except ClientException as e:
+            # self.logger.exception("Error during role update using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during role updating using Keystone: {}".format(e))
+
+    def get_project_list(self, filter_q=None):
         """
         Get all the projects.
 
         """
         Get all the projects.
 
@@ -357,38 +473,40 @@ class AuthconnKeystone(Authconn):
         :return: list of projects
         """
         try:
         :return: list of projects
         """
         try:
-            projects = self.keystone.projects.list()
+            filter_name = None
+            if filter_q:
+                filter_name = filter_q.get("name")
+            projects = self.keystone.projects.list(name=filter_name)
+
             projects = [{
                 "name": project.name,
                 "_id": project.id
             projects = [{
                 "name": project.name,
                 "_id": project.id
-            } for project in projects if project.name != self.admin_project]
-
-            allowed_fields = ["_id", "name"]
-            for key in filter_q.keys():
-                if key not in allowed_fields:
-                    continue
+            } for project in projects]
 
 
+            if filter_q and filter_q.get("_id"):
                 projects = [project for project in projects
                 projects = [project for project in projects
-                            if filter_q[key] == project[key]]
+                            if filter_q["_id"] == project["_id"]]
 
             return projects
 
             return projects
-        except ClientException:
-            self.logger.exception("Error during user project listing using keystone")
-            raise AuthException("Error during user project listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
+        except ClientException as e:
+            # self.logger.exception("Error during user project listing using keystone: {}".format(e))
+            raise AuthException("Error during user project listing using Keystone: {}".format(e),
+                                http_code=HTTPStatus.UNAUTHORIZED)
 
     def create_project(self, project):
         """
         Create a project.
 
         :param project: project name.
 
     def create_project(self, project):
         """
         Create a project.
 
         :param project: project name.
+        :return: the internal id of the created project
         :raises AuthconnOperationException: if project creation failed.
         """
         try:
             result = self.keystone.projects.create(project, self.project_domain_name)
         :raises AuthconnOperationException: if project creation failed.
         """
         try:
             result = self.keystone.projects.create(project, self.project_domain_name)
-            return {"name": result.name, "_id": result.id}
-        except ClientException:
-            self.logger.exception("Error during project creation using keystone")
-            raise AuthconnOperationException("Error during project creation using Keystone")
+            return result.id
+        except ClientException as e:
+            # self.logger.exception("Error during project creation using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during project creation using Keystone: {}".format(e))
 
     def delete_project(self, project_id):
         """
 
     def delete_project(self, project_id):
         """
@@ -398,17 +516,31 @@ class AuthconnKeystone(Authconn):
         :raises AuthconnOperationException: if project deletion failed.
         """
         try:
         :raises AuthconnOperationException: if project deletion failed.
         """
         try:
-            projects = self.keystone.projects.list()
-            project_obj = [project for project in projects if project.id == project_id][0]
-            result, _ = self.keystone.projects.delete(project_obj)
+            projects = self.keystone.projects.list()
+            project_obj = [project for project in projects if project.id == project_id][0]
+            result, _ = self.keystone.projects.delete(project_obj)
 
 
+            result, detail = self.keystone.projects.delete(project_id)
             if result.status_code != 204:
             if result.status_code != 204:
-                raise ClientException("Project was not deleted")
+                raise ClientException("error {} {}".format(result.status_code, detail))
 
             return True
 
             return True
-        except ClientException:
-            self.logger.exception("Error during project deletion using keystone")
-            raise AuthconnOperationException("Error during project deletion using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during project deletion using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during project deletion using Keystone: {}".format(e))
+
+    def update_project(self, project_id, new_name):
+        """
+        Change the name of a project
+        :param project_id: project to be changed
+        :param new_name: new name
+        :return: None
+        """
+        try:
+            self.keystone.projects.update(project_id, name=new_name)
+        except ClientException as e:
+            # self.logger.exception("Error during project update using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during project deletion using Keystone: {}".format(e))
 
     def assign_role_to_user(self, user, project, role):
         """
 
     def assign_role_to_user(self, user, project, role):
         """
@@ -420,30 +552,73 @@ class AuthconnKeystone(Authconn):
         :raises AuthconnOperationException: if role assignment failed.
         """
         try:
         :raises AuthconnOperationException: if role assignment failed.
         """
         try:
-            user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
-            project_obj = list(filter(lambda x: x.name == project, self.keystone.projects.list()))[0]
-            role_obj = list(filter(lambda x: x.name == role, self.keystone.roles.list()))[0]
+            if is_valid_uuid(user):
+                user_obj = self.keystone.users.get(user)
+            else:
+                user_obj_list = self.keystone.users.list(name=user)
+                if not user_obj_list:
+                    raise AuthconnNotFoundException("User '{}' not found".format(user))
+                user_obj = user_obj_list[0]
+
+            if is_valid_uuid(project):
+                project_obj = self.keystone.projects.get(project)
+            else:
+                project_obj_list = self.keystone.projects.list(name=project)
+                if not project_obj_list:
+                    raise AuthconnNotFoundException("Project '{}' not found".format(project))
+                project_obj = project_obj_list[0]
+
+            if is_valid_uuid(role):
+                role_obj = self.keystone.roles.get(role)
+            else:
+                role_obj_list = self.keystone.roles.list(name=role)
+                if not role_obj_list:
+                    raise AuthconnNotFoundException("Role '{}' not found".format(role))
+                role_obj = role_obj_list[0]
 
             self.keystone.roles.grant(role_obj, user=user_obj, project=project_obj)
 
             self.keystone.roles.grant(role_obj, user=user_obj, project=project_obj)
-        except ClientException:
-            self.logger.exception("Error during user role assignment using keystone")
-            raise AuthconnOperationException("Error during user role assignment using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during user role assignment using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during role '{}' assignment to user '{}' and project '{}' using "
+                                             "Keystone: {}".format(role, user, project, e))
 
     def remove_role_from_user(self, user, project, role):
         """
         Remove a role from a user in a project.
 
         :param user: username.
 
     def remove_role_from_user(self, user, project, role):
         """
         Remove a role from a user in a project.
 
         :param user: username.
-        :param project: project name.
-        :param role: role name.
+        :param project: project name or id.
+        :param role: role name or id.
+
         :raises AuthconnOperationException: if role assignment revocation failed.
         """
         try:
         :raises AuthconnOperationException: if role assignment revocation failed.
         """
         try:
-            user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
-            project_obj = list(filter(lambda x: x.name == project, self.keystone.projects.list()))[0]
-            role_obj = list(filter(lambda x: x.name == role, self.keystone.roles.list()))[0]
+            if is_valid_uuid(user):
+                user_obj = self.keystone.users.get(user)
+            else:
+                user_obj_list = self.keystone.users.list(name=user)
+                if not user_obj_list:
+                    raise AuthconnNotFoundException("User '{}' not found".format(user))
+                user_obj = user_obj_list[0]
+
+            if is_valid_uuid(project):
+                project_obj = self.keystone.projects.get(project)
+            else:
+                project_obj_list = self.keystone.projects.list(name=project)
+                if not project_obj_list:
+                    raise AuthconnNotFoundException("Project '{}' not found".format(project))
+                project_obj = project_obj_list[0]
+
+            if is_valid_uuid(role):
+                role_obj = self.keystone.roles.get(role)
+            else:
+                role_obj_list = self.keystone.roles.list(name=role)
+                if not role_obj_list:
+                    raise AuthconnNotFoundException("Role '{}' not found".format(role))
+                role_obj = role_obj_list[0]
 
             self.keystone.roles.revoke(role_obj, user=user_obj, project=project_obj)
 
             self.keystone.roles.revoke(role_obj, user=user_obj, project=project_obj)
-        except ClientException:
-            self.logger.exception("Error during user role revocation using keystone")
-            raise AuthconnOperationException("Error during user role revocation using Keystone")
+        except ClientException as e:
+            # self.logger.exception("Error during user role revocation using keystone: {}".format(e))
+            raise AuthconnOperationException("Error during role '{}' revocation to user '{}' and project '{}' using "
+                                             "Keystone: {}".format(role, user, project, e))