Use oslo.context features
In an effort to standardize policy and authentication values, oslo.context has new features such as from_environ, which constructs a standard oslo.context object from the environment variables created by auth_token middleware, and to_policy_values, which emits a standard credentials target for writing common policy files across services. Use these standard functions when dealing with contexts and policy in glance.

Closes-Bug: #1602081
Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489
parent
02fd711d7d
commit
ca501cba92
@ -102,14 +102,6 @@ class ContextMiddleware(BaseContextMiddleware):
|
|||||||
return glance.context.RequestContext(**kwargs)
|
return glance.context.RequestContext(**kwargs)
|
||||||
|
|
||||||
def _get_authenticated_context(self, req):
|
def _get_authenticated_context(self, req):
|
||||||
# NOTE(bcwaldon): X-Roles is a csv string, but we need to parse
|
|
||||||
# it into a list to be useful
|
|
||||||
roles_header = req.headers.get('X-Roles', '')
|
|
||||||
roles = [r.strip().lower() for r in roles_header.split(',')]
|
|
||||||
|
|
||||||
# NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token
|
|
||||||
deprecated_token = req.headers.get('X-Storage-Token')
|
|
||||||
|
|
||||||
service_catalog = None
|
service_catalog = None
|
||||||
if req.headers.get('X-Service-Catalog') is not None:
|
if req.headers.get('X-Service-Catalog') is not None:
|
||||||
try:
|
try:
|
||||||
@ -127,18 +119,25 @@ class ContextMiddleware(BaseContextMiddleware):
|
|||||||
return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)
|
return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)
|
||||||
|
|
||||||
kwargs = {
|
kwargs = {
|
||||||
'user': req.headers.get('X-User-Id'),
|
|
||||||
'tenant': req.headers.get('X-Tenant-Id'),
|
|
||||||
'roles': roles,
|
|
||||||
'is_admin': CONF.admin_role.strip().lower() in roles,
|
|
||||||
'auth_token': req.headers.get('X-Auth-Token', deprecated_token),
|
|
||||||
'owner_is_tenant': CONF.owner_is_tenant,
|
'owner_is_tenant': CONF.owner_is_tenant,
|
||||||
'service_catalog': service_catalog,
|
'service_catalog': service_catalog,
|
||||||
'policy_enforcer': self.policy_enforcer,
|
'policy_enforcer': self.policy_enforcer,
|
||||||
'request_id': request_id,
|
'request_id': request_id,
|
||||||
}
|
}
|
||||||
|
|
||||||
return glance.context.RequestContext(**kwargs)
|
ctxt = glance.context.RequestContext.from_environ(req.environ,
|
||||||
|
**kwargs)
|
||||||
|
|
||||||
|
# FIXME(jamielennox): glance has traditionally lowercased its roles.
|
||||||
|
# This was related to bug #1010519 where at least the admin role was
|
||||||
|
# case insensitive. This seems to no longer be the case and should be
|
||||||
|
# fixed.
|
||||||
|
ctxt.roles = [r.lower() for r in ctxt.roles]
|
||||||
|
|
||||||
|
if CONF.admin_role.strip().lower() in ctxt.roles:
|
||||||
|
ctxt.is_admin = True
|
||||||
|
|
||||||
|
return ctxt
|
||||||
|
|
||||||
|
|
||||||
class UnauthenticatedContextMiddleware(BaseContextMiddleware):
|
class UnauthenticatedContextMiddleware(BaseContextMiddleware):
|
||||||
|
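Review bot: The fallback to the deprecated `X-Storage-Token` header disappears with the removed lines (the `deprecated_token` lookup and the `'auth_token': req.headers.get('X-Auth-Token', deprecated_token)` entry), so a client that still sends only the legacy header now gets whatever `from_environ` reads for `auth_token` from the environment, presumably only `X-Auth-Token`. If that is intended it deserves a release note and a one-cycle deprecation warning; if not, pass `auth_token=req.headers.get('X-Auth-Token', req.headers.get('X-Storage-Token'))` in `kwargs`, which should take precedence over the environment if `from_environ` honours explicit keyword overrides as its `**kwargs` signature suggests. The old code also `.strip()`ed each role before lowercasing, while the new `ctxt.roles = [r.lower() for r in ctxt.roles]` only lowercases, which is safe only if `from_environ` already strips the comma-separated values; worth confirming, since a role such as `' admin'` would otherwise never match `CONF.admin_role` and the FIXME above it already flags this normalisation as suspect. The service-catalog parsing in `_get_authenticated_context` lies between the two hunks and is not shown.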
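--- a/glance/common/policy.py
+++ b/glance/common/policy.py
@@ -60,12 +60,8 @@ class Enforcer(policy.Enforcer):
         :raises: `glance.common.exception.Forbidden`
         :returns: A non-False value if access is allowed.
         """
-        credentials = {
-            'roles': context.roles,
-            'user': context.user,
-            'tenant': context.tenant,
-        }
-        return super(Enforcer, self).enforce(action, target, credentials,
+        return super(Enforcer, self).enforce(action, target,
+                                             context.to_policy_values(),
                                              do_raise=True,
                                              exc=exception.Forbidden,
                                              action=action)
@@ -78,12 +74,9 @@ class Enforcer(policy.Enforcer):
         :param target: Dictionary representing the object of the action.
         :returns: A non-False value if access is allowed.
         """
-        credentials = {
-            'roles': context.roles,
-            'user': context.user,
-            'tenant': context.tenant,
-        }
-        return super(Enforcer, self).enforce(action, target, credentials)
+        return super(Enforcer, self).enforce(action,
+                                             target,
+                                             context.to_policy_values())
 
     def check_is_admin(self, context):
         """Check if the given context is associated with an admin role,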
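Review bot: Both `enforce` overrides now hand `context.to_policy_values()` to oslo.policy, but neither docstring says so, and the `:param context:` line above each hunk presumably still describes a bare Glance context. I would add to each docstring `:param context: Glance RequestContext; its ``to_policy_values()`` output is the credentials dict the policy rules are evaluated against.` so that a caller passing a plain dict or a foreign context object is told why it fails. The removed code exposed exactly `roles`, `user` and `tenant` to the policy engine, whereas the credentials are now whatever oslo.context emits plus Glance's additions, so operators' custom policy.json rules should be reviewed against the new key set. Both methods start above their hunks.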
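--- a/glance/context.py
+++ b/glance/context.py
@@ -43,6 +43,12 @@ class RequestContext(context.RequestContext):
         })
         return d
 
+    def to_policy_values(self):
+        pdict = super(RequestContext, self).to_policy_values()
+        pdict['user'] = self.user
+        pdict['tenant'] = self.tenant
+        return pdict
+
     @classmethod
     def from_dict(cls, values):
         return cls(**values)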
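Review bot: `to_policy_values` has no docstring, and the reason for re-adding `user` and `tenant` on top of the parent's dict is not obvious to a reader who only sees this hunk. I would add `"""Return the credentials dict used by policy enforcement. Glance's policy rules still reference the legacy ``user`` and ``tenant`` keys, so they are added alongside whatever oslo.context provides."""`. It is also worth a one-line comment that for an unscoped or service request `self.tenant` may be `None`, so a rule such as `tenant:%(owner)s` would be compared against `None`; that is unchanged from the removed per-call dicts, but this method is now the single place credentials are built, which makes it the right place to say so.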