Barbican should not do rbac on version api call
Closes-Bug: #1290445 Change-Id: Idcd52600542b017f54c25a75ec0ab37348eb109d
parent
caefb74bfd
commit
617addcbc7
@ -52,7 +52,6 @@ def create_main_app(global_config, **local_conf):
|
|||||||
queue.init(CONF)
|
queue.init(CONF)
|
||||||
|
|
||||||
# Resources
|
# Resources
|
||||||
versions = res.VersionResource()
|
|
||||||
secrets = res.SecretsResource(crypto_mgr)
|
secrets = res.SecretsResource(crypto_mgr)
|
||||||
secret = res.SecretResource(crypto_mgr)
|
secret = res.SecretResource(crypto_mgr)
|
||||||
orders = res.OrdersResource()
|
orders = res.OrdersResource()
|
||||||
@ -70,7 +69,6 @@ def create_main_app(global_config, **local_conf):
|
|||||||
if newrelic_loaded:
|
if newrelic_loaded:
|
||||||
wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app)
|
wsgi_app = newrelic.agent.WSGIApplicationWrapper(wsgi_app)
|
||||||
|
|
||||||
api.add_route('/', versions)
|
|
||||||
api.add_route('/v1/{keystone_id}/secrets', secrets)
|
api.add_route('/v1/{keystone_id}/secrets', secrets)
|
||||||
api.add_route('/v1/{keystone_id}/secrets/{secret_id}', secret)
|
api.add_route('/v1/{keystone_id}/secrets/{secret_id}', secret)
|
||||||
api.add_route('/v1/{keystone_id}/orders', orders)
|
api.add_route('/v1/{keystone_id}/orders', orders)
|
||||||
@ -95,3 +93,13 @@ def create_admin_app(global_config, **local_conf):
|
|||||||
api.add_route('/', versions)
|
api.add_route('/', versions)
|
||||||
|
|
||||||
return wsgi_app
|
return wsgi_app
|
||||||
|
|
||||||
|
|
||||||
|
def create_version_app(global_config, **local_conf):
|
||||||
|
config.parse_args()
|
||||||
|
|
||||||
|
versions = res.VersionResource()
|
||||||
|
wsgi_app = api = falcon.API()
|
||||||
|
api.add_route('/', versions)
|
||||||
|
|
||||||
|
return wsgi_app
|
||||||
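Review bot: `create_version_app` has no docstring or comment recording that it is the app served without keystone authentication, so nothing warns a later contributor that any route added to it is reachable without a token. The paste config in this commit places it behind `unauthenticated-context` only, which makes that property security-relevant rather than cosmetic. I would add a docstring such as `"""Build the WSGI app that serves only the version listing; it is mounted without authentication, so do not register routes that expose tenant data here."""`. The context lines of `create_admin_app` still register `'/'` with `versions`; whether the admin endpoint should get the same split is not visible in this section.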
|
@ -152,8 +152,13 @@ class WhenTestingVersionResource(BaseTestCase):
|
|||||||
self._invoke_on_get()
|
self._invoke_on_get()
|
||||||
self.setUp() # Need to re-setup
|
self.setUp() # Need to re-setup
|
||||||
|
|
||||||
def test_should_fail_get_version(self):
|
def test_should_pass_get_version_with_bad_roles(self):
|
||||||
self._assert_fail_rbac([None, 'bunkrolehere'], self._invoke_on_get)
|
self.req = self._generate_req(roles=[None, 'bunkrolehere'])
|
||||||
|
self._invoke_on_get()
|
||||||
|
|
||||||
|
def test_should_pass_get_version_with_no_roles(self):
|
||||||
|
self.req = self._generate_req()
|
||||||
|
self._invoke_on_get()
|
||||||
|
|
||||||
def test_should_pass_get_version_multiple_roles(self):
|
def test_should_pass_get_version_multiple_roles(self):
|
||||||
self.req = self._generate_req(roles=['admin', 'observer', 'creator',
|
self.req = self._generate_req(roles=['admin', 'observer', 'creator',
|
||||||
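Review bot: The new tests `test_should_pass_get_version_with_bad_roles` and `test_should_pass_get_version_with_no_roles` contain no assertion; they pass whenever `self._invoke_on_get()` does not raise. A regression that returned an error or empty body without raising would go unnoticed, and these two tests are the only place where the "no RBAC on version" behaviour is pinned. After the call, assert on what the handler produced, for example that the response body names `v1`. The helper that exposes the response lives outside this hunk, so the exact attribute needs confirming against `BaseTestCase`.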
|
@ -111,7 +111,7 @@ function configure_barbican {
|
|||||||
## Set up keystone
|
## Set up keystone
|
||||||
|
|
||||||
# Turn on the middleware
|
# Turn on the middleware
|
||||||
iniset $BARBICAN_PASTE_CONF 'pipeline:main' pipeline 'keystone_authtoken context apiapp'
|
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp'
|
||||||
|
|
||||||
# Set the keystone parameters
|
# Set the keystone parameters
|
||||||
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||||
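Review bot: The comment `# Turn on the middleware` no longer describes what the next line does, because only `pipeline:barbican_api` is switched to `keystone_authtoken` while the new `pipeline:barbican_version` stays on `unauthenticated-context`. That asymmetry is the purpose of the commit, but a reader of this script alone could take it for an omission and "fix" it. I would reword the comment to `# Turn on keystone auth for the /v1 API only; pipeline:barbican_version stays unauthenticated on purpose`. `configure_barbican` starts and ends outside the hunk.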
|
@ -1,7 +1,17 @@
|
|||||||
|
[composite:main]
|
||||||
|
use = egg:Paste#urlmap
|
||||||
|
/: barbican_version
|
||||||
|
/v1: barbican_api
|
||||||
|
|
||||||
|
# Use this pipeline for Barbican API - versions no authentication
|
||||||
|
[pipeline:barbican_version]
|
||||||
|
pipeline = unauthenticated-context versionapp
|
||||||
|
|
||||||
# Use this pipeline for Barbican API - DEFAULT no authentication
|
# Use this pipeline for Barbican API - DEFAULT no authentication
|
||||||
[pipeline:main]
|
[pipeline:barbican_api]
|
||||||
pipeline = unauthenticated-context apiapp
|
pipeline = unauthenticated-context apiapp
|
||||||
####pipeline = simple apiapp
|
####pipeline = simple apiapp
|
||||||
|
#pipeline = keystone_authtoken context apiapp
|
||||||
|
|
||||||
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
|
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
|
||||||
# to provide profiling information for the REST API processing.
|
# to provide profiling information for the REST API processing.
|
||||||
@ -15,6 +25,9 @@ pipeline = keystone_authtoken context apiapp
|
|||||||
[app:apiapp]
|
[app:apiapp]
|
||||||
paste.app_factory = barbican.api.app:create_main_app
|
paste.app_factory = barbican.api.app:create_main_app
|
||||||
|
|
||||||
|
[app:versionapp]
|
||||||
|
paste.app_factory = barbican.api.app:create_version_app
|
||||||
|
|
||||||
[filter:simple]
|
[filter:simple]
|
||||||
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
|
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
|
||||||
|
|
||||||
@ -36,7 +49,7 @@ admin_user = barbican
|
|||||||
admin_password = orange
|
admin_password = orange
|
||||||
auth_version = v2.0
|
auth_version = v2.0
|
||||||
#delay failing perhaps to log the unauthorized request in barbican ..
|
#delay failing perhaps to log the unauthorized request in barbican ..
|
||||||
#delay_auth_decision = true
|
#delay_auth_decision = true
|
||||||
|
|
||||||
[filter:profile]
|
[filter:profile]
|
||||||
use = egg:repoze.profile
|
use = egg:repoze.profile
|
||||||
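Review bot: `/v1: barbican_api` in the new `[composite:main]` mounts the API under a prefix, and Paste's urlmap moves a matched prefix from PATH_INFO to SCRIPT_NAME before calling the app. The context lines of `create_main_app` in this commit still register routes as `/v1/{keystone_id}/secrets`, so unless the router takes SCRIPT_NAME into account those routes may stop matching and requests under /v1 would return 404. A functional test through the composite would settle it. Separately, the default `[pipeline:barbican_api]` still uses `unauthenticated-context`, and the added `#pipeline = keystone_authtoken context apiapp` carries no explanation. A comment such as `# Deployments: use this pipeline instead of the one above so /v1 requires a keystone token` would state the intent.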
|
@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
"version:get": "rule:all_users",
|
"version:get": "@",
|
||||||
"secret:decrypt": "rule:all_but_audit",
|
"secret:decrypt": "rule:all_but_audit",
|
||||||
"secret:get": "rule:all_users",
|
"secret:get": "rule:all_users",
|
||||||
"secret:put": "rule:admin_or_creator",
|
"secret:put": "rule:admin_or_creator",
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
# How many seconds to wait for the API to be responding before giving up
|
# How many seconds to wait for the API to be responding before giving up
|
||||||
API_RESPONDING_TIMEOUT=20
|
API_RESPONDING_TIMEOUT=20
|
||||||
|
|
||||||
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'Authentication required' ; do sleep 1; done"; then
|
if ! timeout ${API_RESPONDING_TIMEOUT} sh -c "while ! curl -s http://127.0.0.1:9311/ 2>/dev/null | grep -q 'v1' ; do sleep 1; done"; then
|
||||||
echo "The Barbican (non-admin) API failed to respond within ${API_RESPONDING_TIMEOUT} seconds"
|
echo "The Barbican (non-admin) API failed to respond within ${API_RESPONDING_TIMEOUT} seconds"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
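Review bot: The readiness probe now accepts any response body containing `v1`, and because `curl -s` does not fail on HTTP error statuses, an error page that happens to contain that string would satisfy it; `curl -sf` would at least require a success status. The previous probe waited for 'Authentication required', which incidentally showed that the keystone filter was active, and nothing in the visible script checks that any more. If this script runs against a keystone-enabled deployment (not visible here), consider a second check that an unauthenticated request under /v1 is rejected.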
|
@ -8,6 +8,7 @@ kombu>=2.4.8
|
|||||||
netaddr>=0.7.6
|
netaddr>=0.7.6
|
||||||
oslo.config>=1.2.0
|
oslo.config>=1.2.0
|
||||||
PasteDeploy>=1.5.0
|
PasteDeploy>=1.5.0
|
||||||
|
Paste
|
||||||
pbr>=0.5.21,<1.0
|
pbr>=0.5.21,<1.0
|
||||||
pycrypto>=2.6
|
pycrypto>=2.6
|
||||||
pysqlite
|
pysqlite
|
||||||
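Review bot: `Paste` is added with no version specifier while the neighbouring entries (`PasteDeploy>=1.5.0`, `oslo.config>=1.2.0`) carry a lower bound, so an install can resolve to any release. The new `[composite:main]` relies on `egg:Paste#urlmap` to decide which requests bypass the authenticated pipeline, so the version in use matters. I would give it a minimum, written as `Paste>=<MIN_TESTED_VERSION>` with the version the gate actually ran against.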
|