From ca501cba92960d0d9cffc346ebd47d39fbce32e8 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Wed, 4 May 2016 17:10:40 +1000 Subject: [PATCH] Use oslo.context features In an effort to standardize policy and authentication values oslo.context has new features such as from_environ which constructs a standard oslo.context object from the environment variables created by auth_token middleware and to_policy_values which emit a standard credentials target for writing common policy files across services. Use these standard functions when dealing with contexts and policy in glance. Closes-Bug: #1602081 Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489 --- glance/api/middleware/context.py | 27 +++++++++++++-------------- glance/api/policy.py | 17 +++++------------ glance/context.py | 6 ++++++ 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/glance/api/middleware/context.py b/glance/api/middleware/context.py index 5033b5d845..d3ffd567e4 100644 --- a/glance/api/middleware/context.py +++ b/glance/api/middleware/context.py @@ -102,14 +102,6 @@ class ContextMiddleware(BaseContextMiddleware): return glance.context.RequestContext(**kwargs) def _get_authenticated_context(self, req): - # NOTE(bcwaldon): X-Roles is a csv string, but we need to parse - # it into a list to be useful - roles_header = req.headers.get('X-Roles', '') - roles = [r.strip().lower() for r in roles_header.split(',')] - - # NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token - deprecated_token = req.headers.get('X-Storage-Token') - service_catalog = None if req.headers.get('X-Service-Catalog') is not None: try: @@ -127,18 +119,25 @@ class ContextMiddleware(BaseContextMiddleware): return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg) kwargs = { - 'user': req.headers.get('X-User-Id'), - 'tenant': req.headers.get('X-Tenant-Id'), - 'roles': roles, - 'is_admin': CONF.admin_role.strip().lower() in roles, - 'auth_token': req.headers.get('X-Auth-Token', deprecated_token), 'owner_is_tenant': CONF.owner_is_tenant, 'service_catalog': service_catalog, 'policy_enforcer': self.policy_enforcer, 'request_id': request_id, } - return glance.context.RequestContext(**kwargs) + ctxt = glance.context.RequestContext.from_environ(req.environ, + **kwargs) + + # FIXME(jamielennox): glance has traditionally lowercased its roles. + # This was related to bug #1010519 where at least the admin role was + # case insensitive. This seems to no longer be the case and should be + # fixed. + ctxt.roles = [r.lower() for r in ctxt.roles] + + if CONF.admin_role.strip().lower() in ctxt.roles: + ctxt.is_admin = True + + return ctxt class UnauthenticatedContextMiddleware(BaseContextMiddleware): diff --git a/glance/api/policy.py b/glance/api/policy.py index 96f99c72ac..8583b65bf2 100644 --- a/glance/api/policy.py +++ b/glance/api/policy.py @@ -60,12 +60,8 @@ class Enforcer(policy.Enforcer): :raises: `glance.common.exception.Forbidden` :returns: A non-False value if access is allowed. """ - credentials = { - 'roles': context.roles, - 'user': context.user, - 'tenant': context.tenant, - } - return super(Enforcer, self).enforce(action, target, credentials, + return super(Enforcer, self).enforce(action, target, + context.to_policy_values(), do_raise=True, exc=exception.Forbidden, action=action) @@ -78,12 +74,9 @@ class Enforcer(policy.Enforcer): :param target: Dictionary representing the object of the action. :returns: A non-False value if access is allowed. """ - credentials = { - 'roles': context.roles, - 'user': context.user, - 'tenant': context.tenant, - } - return super(Enforcer, self).enforce(action, target, credentials) + return super(Enforcer, self).enforce(action, + target, + context.to_policy_values()) def check_is_admin(self, context): """Check if the given context is associated with an admin role, diff --git a/glance/context.py b/glance/context.py index 88a445be8c..d38e02e532 100644 --- a/glance/context.py +++ b/glance/context.py @@ -43,6 +43,12 @@ class RequestContext(context.RequestContext): }) return d + def to_policy_values(self): + pdict = super(RequestContext, self).to_policy_values() + pdict['user'] = self.user + pdict['tenant'] = self.tenant + return pdict + @classmethod def from_dict(cls, values): return cls(**values)