Use oslo.context features
In an effort to standardize policy and authentication values oslo.context has new features such as from_environ which constructs a standard oslo.context object from the environment variables created by auth_token middleware and to_policy_values which emit a standard credentials target for writing common policy files across services. Use these standard functions when dealing with contexts and policy in glance. Closes-Bug: #1602081 Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489
This commit is contained in:
parent
02fd711d7d
commit
ca501cba92
@ -102,14 +102,6 @@ class ContextMiddleware(BaseContextMiddleware):
|
||||
return glance.context.RequestContext(**kwargs)
|
||||
|
||||
def _get_authenticated_context(self, req):
|
||||
# NOTE(bcwaldon): X-Roles is a csv string, but we need to parse
|
||||
# it into a list to be useful
|
||||
roles_header = req.headers.get('X-Roles', '')
|
||||
roles = [r.strip().lower() for r in roles_header.split(',')]
|
||||
|
||||
# NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token
|
||||
deprecated_token = req.headers.get('X-Storage-Token')
|
||||
|
||||
service_catalog = None
|
||||
if req.headers.get('X-Service-Catalog') is not None:
|
||||
try:
|
||||
@ -127,18 +119,25 @@ class ContextMiddleware(BaseContextMiddleware):
|
||||
return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)
|
||||
|
||||
kwargs = {
|
||||
'user': req.headers.get('X-User-Id'),
|
||||
'tenant': req.headers.get('X-Tenant-Id'),
|
||||
'roles': roles,
|
||||
'is_admin': CONF.admin_role.strip().lower() in roles,
|
||||
'auth_token': req.headers.get('X-Auth-Token', deprecated_token),
|
||||
'owner_is_tenant': CONF.owner_is_tenant,
|
||||
'service_catalog': service_catalog,
|
||||
'policy_enforcer': self.policy_enforcer,
|
||||
'request_id': request_id,
|
||||
}
|
||||
|
||||
return glance.context.RequestContext(**kwargs)
|
||||
ctxt = glance.context.RequestContext.from_environ(req.environ,
|
||||
**kwargs)
|
||||
|
||||
# FIXME(jamielennox): glance has traditionally lowercased its roles.
|
||||
# This was related to bug #1010519 where at least the admin role was
|
||||
# case insensitive. This seems to no longer be the case and should be
|
||||
# fixed.
|
||||
ctxt.roles = [r.lower() for r in ctxt.roles]
|
||||
|
||||
if CONF.admin_role.strip().lower() in ctxt.roles:
|
||||
ctxt.is_admin = True
|
||||
|
||||
return ctxt
|
||||
|
||||
|
||||
class UnauthenticatedContextMiddleware(BaseContextMiddleware):
|
||||
|
@ -60,12 +60,8 @@ class Enforcer(policy.Enforcer):
|
||||
:raises: `glance.common.exception.Forbidden`
|
||||
:returns: A non-False value if access is allowed.
|
||||
"""
|
||||
credentials = {
|
||||
'roles': context.roles,
|
||||
'user': context.user,
|
||||
'tenant': context.tenant,
|
||||
}
|
||||
return super(Enforcer, self).enforce(action, target, credentials,
|
||||
return super(Enforcer, self).enforce(action, target,
|
||||
context.to_policy_values(),
|
||||
do_raise=True,
|
||||
exc=exception.Forbidden,
|
||||
action=action)
|
||||
@ -78,12 +74,9 @@ class Enforcer(policy.Enforcer):
|
||||
:param target: Dictionary representing the object of the action.
|
||||
:returns: A non-False value if access is allowed.
|
||||
"""
|
||||
credentials = {
|
||||
'roles': context.roles,
|
||||
'user': context.user,
|
||||
'tenant': context.tenant,
|
||||
}
|
||||
return super(Enforcer, self).enforce(action, target, credentials)
|
||||
return super(Enforcer, self).enforce(action,
|
||||
target,
|
||||
context.to_policy_values())
|
||||
|
||||
def check_is_admin(self, context):
|
||||
"""Check if the given context is associated with an admin role,
|
||||
|
@ -43,6 +43,12 @@ class RequestContext(context.RequestContext):
|
||||
})
|
||||
return d
|
||||
|
||||
def to_policy_values(self):
|
||||
pdict = super(RequestContext, self).to_policy_values()
|
||||
pdict['user'] = self.user
|
||||
pdict['tenant'] = self.tenant
|
||||
return pdict
|
||||
|
||||
@classmethod
|
||||
def from_dict(cls, values):
|
||||
return cls(**values)
|
||||
|
Loading…
x
Reference in New Issue
Block a user