Keystone let's users remove role assignments that reference non-existent
users and groups. This is nice when keystone backs to an identity store
like LDAP and users or groups are removed.

Previously, openstackclient would validate the user and group existed in
keystone before sending the request to delete the role assignment. This
commit updates the code to bypass that validation so that users can use
IDs to forcibly cleanup role assignments.

Change-Id: I102b41677736bbe37a82abaa3c5b3e1faf2475d5
Story: 2006635
Task: 36848

The patch https://review.opendev.org/#/c/673389/ introduced a regression
by changing the osc-lib interface.

Two conflicting attempts to fix the regression were launched:

1) Reverting the patch.

2) The patch https://review.opendev.org/683119 changes the exception
   from the generic CommandError back to a specific Forbidden exception.

   The patch https://review.opendev.org/683118 catches this exception
   and passes on, i.e. re-implements the same behavior as before.

The first idea was implemented, the initial patch reverted. The second
idea was partially implemented. The change in python-openstackclient
(683118) was merged. The change in osc-lib was approved but failed to
merge because the initial change had been reverted.

Now we have again a situation where the exception produced in osc-lib
does not match the exception expected by the caller.

It is unclear if the osc-lib interface will ever get a rebased version
of https://review.opendev.org/683119 merged, so the safest way to
address the issue is to also catch the exception that used to be
thrown before the inital change and is again thrown after the inital
change has been reverted.

Change-Id: I2ea2def607ec5be112e42d53a1e660fef0cdd69c

When we use "--property" parameter, client get lists these the
value is string type, but the type of the value 'is_domain'
should be boolean, so we should judge it and parse it.
The patch parse string to boolean for value 'is_domain'.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>

Change-Id: I37c9eb854524bde3a1530bfe2e3a03810fb1a676
Task: 30039
Story: 2005246

This patch adds the --immutable and --no-immutable option to the
role, project and domain CLI.

Related-Patch: https://review.opendev.org/#/c/712182/

Change-Id: I9c3bdd741f28bf558267fb217818d947597ce13e

User options [1] can be set by making POST and PATCH
request for /v3/users API calls but cannot by openstack
CLI because of no user options defined in create and update
user CLI [2]. This patch adds the user options [1] in
create user and update user CLI.

[1] https://docs.openstack.org/keystone/latest/admin/resource-options.html#multi-factor-auth-rules
[2] https://docs.openstack.org/api-ref/identity/v3/#create-user

Change-Id: I4e41bae2e8cfbe92d52b14d856991bedcd44164f

Access rules are access rules, not application credentials.

Change-Id: I74d05f11ec186283e5a86d92dcbfe4eb24130eee

This commit introduces the --access-rules option for 'application
credential create' as well as new 'access rule' commands for listing,
showing, and deleting access rules.

bp whitelist-extension-for-app-creds

Change-Id: I04834b2874ec2a70da456a380b5bef03a392effa

1. As mentioned in [1], we should avoid using six.iteritems to achieve
   iterators. We can use dict.items instead, as it will return iterators
   in PY3 as well. And dict.items/keys will more readable.

2. In py2, the performance about list should be negligible,
   see the link [2].

[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I4b9edb326444264c0f6c4ad281acaac356a07e85
Implements: blueprint replace-iteritems-with-items