Merge "Keystone middleware deprecated option is_admin removed"

2016-03-18 10:51:46 +00:00 · 2016-03-18 10:51:46 +00:00 · 7cc2c783a4
commit 7cc2c783a4
parent 1637fa2f8f 335d58611d
4 changed files with 13 additions and 39 deletions
--- a/doc/manpages/proxy-server.conf.5
+++ b/doc/manpages/proxy-server.conf.5
@ -333,11 +333,6 @@ This allows middleware higher in the WSGI pipeline to override auth
 processing, useful for middleware such as tempurl and formpost. If you know
 you're not going to use such middleware and you want a bit of extra security,
 you can set this to false.
-.IP \fBis_admin\fR
-[DEPRECATED] If is_admin is true, a user whose username is the same as the project name
-and who has any role on the project will have access rights elevated to be
-the same as if the user had an operator role. Note that the condition
-compares names rather than UUIDs. This option is deprecated.
 .IP \fBservice_roles\fR
 If the service_roles parameter is present, an X-Service-Token must be
 present in the request that when validated, grants at least one role listed
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -342,12 +342,6 @@ user_test5_tester5 = testing5 service
 # you can set this to false.
 # allow_overrides = true
 #
-# If is_admin is true, a user whose username is the same as the project name
-# and who has any role on the project will have access rights elevated to be
-# the same as if the user had an operator role. Note that the condition
-# compares names rather than UUIDs. This option is deprecated.
-# is_admin = false
-#
 # If the service_roles parameter is present, an X-Service-Token must be
 # present in the request that when validated, grants at least one role listed
 # in the parameter. The X-Service-Token may be scoped to any project.
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@ -75,12 +75,6 @@ class KeystoneAuth(object):
    id.. For example, if the project id is ``1234``, the path is
    ``/v1/AUTH_1234``.

-    If the ``is_admin`` option is ``true``, a user whose username is the same
-    as the project name and who has any role on the project will have access
-    rights elevated to be the same as if the user had one of the
-    ``operator_roles``. Note that the condition compares names rather than
-    UUIDs. This option is deprecated. It is ``false`` by default.
-
    If you need to have a different reseller_prefix to be able to
    mix different auth servers you can configure the option
    ``reseller_prefix`` in your keystoneauth entry like this::
@ -188,7 +182,11 @@ class KeystoneAuth(object):
        self.reseller_admin_role = conf.get('reseller_admin_role',
                                            'ResellerAdmin').lower()
        config_is_admin = conf.get('is_admin', "false").lower()
-        self.is_admin = swift_utils.config_true_value(config_is_admin)
+        if swift_utils.config_true_value(config_is_admin):
+            self.logger.warning("The 'is_admin' option for keystoneauth is no "
+                                "longer supported. Remove the 'is_admin' "
+                                "option from your keystoneauth config")
+
        config_overrides = conf.get('allow_overrides', 't').lower()
        self.allow_overrides = swift_utils.config_true_value(config_overrides)
        self.default_domain_id = conf.get('default_domain_id', 'default')
@ -484,14 +482,6 @@ class KeystoneAuth(object):
            req.environ['swift_owner'] = True
            return

-        # If user is of the same name of the tenant then make owner of it.
-        if self.is_admin and user_name == tenant_name:
-            self.logger.warning("the is_admin feature has been deprecated "
-                                "and will be removed in the future "
-                                "update your config file")
-            req.environ['swift_owner'] = True
-            return
-
        if acl_authorized is not None:
            return self.denied_response(req)

--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@ -647,21 +647,16 @@ class TestAuthorize(BaseTestAuthorize):
        req = self._check_authenticate(identity=identity)
        self.assertTrue(req.environ.get('swift_owner'))

-    def _check_authorize_for_tenant_owner_match(self, exception=None):
+    def test_authorize_fails_same_user_and_tenant(self):
+        # Historically the is_admin option allowed access when user_name
+        # matched tenant_name, but it is no longer supported. This test is a
+        # sanity check that the option no longer works.
+        self.test_auth.is_admin = True
        identity = self._get_identity(user_name='same_name',
                                      tenant_name='same_name')
-        req = self._check_authenticate(identity=identity, exception=exception)
-        expected = bool(exception is None)
-        self.assertEqual(bool(req.environ.get('swift_owner')), expected)
-
-    def test_authorize_succeeds_as_owner_for_tenant_owner_match(self):
-        self.test_auth.is_admin = True
-        self._check_authorize_for_tenant_owner_match()
-
-    def test_authorize_fails_as_owner_for_tenant_owner_match(self):
-        self.test_auth.is_admin = False
-        self._check_authorize_for_tenant_owner_match(
-            exception=HTTP_FORBIDDEN)
+        req = self._check_authenticate(identity=identity,
+                                       exception=HTTP_FORBIDDEN)
+        self.assertFalse(bool(req.environ.get('swift_owner')))

    def test_authorize_succeeds_for_container_sync(self):
        env = {'swift_sync_key': 'foo', 'REMOTE_ADDR': '127.0.0.1'}