Merge "Keystone middleware deprecated option is_admin removed"
This commit is contained in:
commit
7cc2c783a4
@ -333,11 +333,6 @@ This allows middleware higher in the WSGI pipeline to override auth
|
||||
processing, useful for middleware such as tempurl and formpost. If you know
|
||||
you're not going to use such middleware and you want a bit of extra security,
|
||||
you can set this to false.
|
||||
.IP \fBis_admin\fR
|
||||
[DEPRECATED] If is_admin is true, a user whose username is the same as the project name
|
||||
and who has any role on the project will have access rights elevated to be
|
||||
the same as if the user had an operator role. Note that the condition
|
||||
compares names rather than UUIDs. This option is deprecated.
|
||||
.IP \fBservice_roles\fR
|
||||
If the service_roles parameter is present, an X-Service-Token must be
|
||||
present in the request that when validated, grants at least one role listed
|
||||
|
@ -342,12 +342,6 @@ user_test5_tester5 = testing5 service
|
||||
# you can set this to false.
|
||||
# allow_overrides = true
|
||||
#
|
||||
# If is_admin is true, a user whose username is the same as the project name
|
||||
# and who has any role on the project will have access rights elevated to be
|
||||
# the same as if the user had an operator role. Note that the condition
|
||||
# compares names rather than UUIDs. This option is deprecated.
|
||||
# is_admin = false
|
||||
#
|
||||
# If the service_roles parameter is present, an X-Service-Token must be
|
||||
# present in the request that when validated, grants at least one role listed
|
||||
# in the parameter. The X-Service-Token may be scoped to any project.
|
||||
|
@ -75,12 +75,6 @@ class KeystoneAuth(object):
|
||||
id.. For example, if the project id is ``1234``, the path is
|
||||
``/v1/AUTH_1234``.
|
||||
|
||||
If the ``is_admin`` option is ``true``, a user whose username is the same
|
||||
as the project name and who has any role on the project will have access
|
||||
rights elevated to be the same as if the user had one of the
|
||||
``operator_roles``. Note that the condition compares names rather than
|
||||
UUIDs. This option is deprecated. It is ``false`` by default.
|
||||
|
||||
If you need to have a different reseller_prefix to be able to
|
||||
mix different auth servers you can configure the option
|
||||
``reseller_prefix`` in your keystoneauth entry like this::
|
||||
@ -188,7 +182,11 @@ class KeystoneAuth(object):
|
||||
self.reseller_admin_role = conf.get('reseller_admin_role',
|
||||
'ResellerAdmin').lower()
|
||||
config_is_admin = conf.get('is_admin', "false").lower()
|
||||
self.is_admin = swift_utils.config_true_value(config_is_admin)
|
||||
if swift_utils.config_true_value(config_is_admin):
|
||||
self.logger.warning("The 'is_admin' option for keystoneauth is no "
|
||||
"longer supported. Remove the 'is_admin' "
|
||||
"option from your keystoneauth config")
|
||||
|
||||
config_overrides = conf.get('allow_overrides', 't').lower()
|
||||
self.allow_overrides = swift_utils.config_true_value(config_overrides)
|
||||
self.default_domain_id = conf.get('default_domain_id', 'default')
|
||||
@ -484,14 +482,6 @@ class KeystoneAuth(object):
|
||||
req.environ['swift_owner'] = True
|
||||
return
|
||||
|
||||
# If user is of the same name of the tenant then make owner of it.
|
||||
if self.is_admin and user_name == tenant_name:
|
||||
self.logger.warning("the is_admin feature has been deprecated "
|
||||
"and will be removed in the future "
|
||||
"update your config file")
|
||||
req.environ['swift_owner'] = True
|
||||
return
|
||||
|
||||
if acl_authorized is not None:
|
||||
return self.denied_response(req)
|
||||
|
||||
|
@ -647,21 +647,16 @@ class TestAuthorize(BaseTestAuthorize):
|
||||
req = self._check_authenticate(identity=identity)
|
||||
self.assertTrue(req.environ.get('swift_owner'))
|
||||
|
||||
def _check_authorize_for_tenant_owner_match(self, exception=None):
|
||||
def test_authorize_fails_same_user_and_tenant(self):
|
||||
# Historically the is_admin option allowed access when user_name
|
||||
# matched tenant_name, but it is no longer supported. This test is a
|
||||
# sanity check that the option no longer works.
|
||||
self.test_auth.is_admin = True
|
||||
identity = self._get_identity(user_name='same_name',
|
||||
tenant_name='same_name')
|
||||
req = self._check_authenticate(identity=identity, exception=exception)
|
||||
expected = bool(exception is None)
|
||||
self.assertEqual(bool(req.environ.get('swift_owner')), expected)
|
||||
|
||||
def test_authorize_succeeds_as_owner_for_tenant_owner_match(self):
|
||||
self.test_auth.is_admin = True
|
||||
self._check_authorize_for_tenant_owner_match()
|
||||
|
||||
def test_authorize_fails_as_owner_for_tenant_owner_match(self):
|
||||
self.test_auth.is_admin = False
|
||||
self._check_authorize_for_tenant_owner_match(
|
||||
req = self._check_authenticate(identity=identity,
|
||||
exception=HTTP_FORBIDDEN)
|
||||
self.assertFalse(bool(req.environ.get('swift_owner')))
|
||||
|
||||
def test_authorize_succeeds_for_container_sync(self):
|
||||
env = {'swift_sync_key': 'foo', 'REMOTE_ADDR': '127.0.0.1'}
|
||||
|
Loading…
x
Reference in New Issue
Block a user