Add admin_role option

* Allow a deployer to define the role that should give an authenticated
  user admin privileges. Defaults to 'admin'
* Fixes bug 956547

Change-Id: I018b9c438a12c527833ed8e2e6c377a93fde9130
This commit is contained in:
Brian Waldon 2012-03-15 16:36:43 -07:00
parent 8a533f9cfe
commit eff04c5612
5 changed files with 55 additions and 1 deletions


@ -157,6 +157,12 @@ configuration file, select the appropriate deployment flavor by adding a
[paste_deploy] [paste_deploy]
flavor = keystone flavor = keystone
.. note::
If your authentication service uses a role other than ``admin`` to identify
which users should be granted admin-level privileges, you must define it
in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
``glance-api.conf``.
Sharing Images With Others Sharing Images With Others
-------------------------- --------------------------


@ -30,6 +30,9 @@ backlog = 4096
# this value to the number of CPUs present on your machine. # this value to the number of CPUs present on your machine.
workers = 0 workers = 0
# Role used to identify an authenticated user as administrator
#admin_role = admin
# ================= Syslog Options ============================ # ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified # Send logs to syslog (/dev/log) instead of to file specified
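Review bot: The new comment above `#admin_role = admin` should say that the value is compared exactly, case-sensitively, against the roles carried in the X-Role header, because the default replaces a check that was previously hard-coded to `Admin`; a deployer whose identity service issues `Admin` must now set the option explicitly or lose admin access. Suggested wording: `# Role used to identify an authenticated user as administrator (exact, case-sensitive match against the X-Role header; formerly hard-coded to 'Admin'). Leave unset to use 'admin'; do not set it to an empty value.` The same comment is added to glance-registry.conf and should be kept identical.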


@ -40,6 +40,9 @@ api_limit_max = 1000
# default to `limit_param_default` # default to `limit_param_default`
limit_param_default = 25 limit_param_default = 25
# Role used to identify an authenticated user as administrator
#admin_role = admin
# ================= Syslog Options ============================ # ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified # Send logs to syslog (/dev/log) instead of to file specified
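Review bot: Since the documentation hunk in this commit tells deployers to define `admin_role` in both glance-registry.conf and glance-api.conf, the new comment here should make that coupling visible so the two files do not drift, e.g. `# Role used to identify an authenticated user as administrator (case-sensitive; must match the admin_role set in glance-api.conf)`. As in the api config, it would also help to warn that the value must not be left empty, because an empty role name can match the empty element that the middleware produces for a missing X-Role header.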


@ -56,6 +56,7 @@ class ContextMiddleware(wsgi.Middleware):
opts = [ opts = [
cfg.BoolOpt('owner_is_tenant', default=True), cfg.BoolOpt('owner_is_tenant', default=True),
cfg.StrOpt('admin_role', default='admin'),
] ]
def __init__(self, app, conf, **local_conf): def __init__(self, app, conf, **local_conf):
@ -106,7 +107,7 @@ class ContextMiddleware(wsgi.Middleware):
tenant = req.headers.get('X-Tenant') tenant = req.headers.get('X-Tenant')
roles = [r.strip() roles = [r.strip()
for r in req.headers.get('X-Role', '').split(',')] for r in req.headers.get('X-Role', '').split(',')]
is_admin = 'Admin' in roles is_admin = self.conf.admin_role in roles
else: else:
# 2. Indentity-Status not confirmed # 2. Indentity-Status not confirmed
# FIXME(sirp): not sure what the correct behavior in this case # FIXME(sirp): not sure what the correct behavior in this case
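Review bot: The new check `is_admin = self.conf.admin_role in roles` fails open if the option is configured as an empty string: `roles` is built from `req.headers.get('X-Role', '').split(',')`, so a request with no X-Role header (or an empty element such as `a,,b`) leaves `''` in the list, and `'' in roles` is then True for every confirmed user; presumably a blank `admin_role =` in the config yields exactly that value. Guarding the comparison, `is_admin = bool(self.conf.admin_role) and self.conf.admin_role in roles`, or rejecting an empty value when the option is read in `__init__`, closes that hole. Separately, the removed line matched the literal `'Admin'` while the new default is `'admin'` and the membership test is case-sensitive, so deployments whose identity service issues `Admin` silently lose admin privileges after this change unless they set `admin_role = Admin`; the commit message should call that out. `process_request` begins before this hunk and its `else` branch continues past it.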


@ -3055,3 +3055,44 @@ class TestImageSerializer(base.IsolatedUnitTest):
self.serializer.image_send_notification(17, 19, image_meta, req) self.serializer.image_send_notification(17, 19, image_meta, req)
self.assertTrue(called['notified']) self.assertTrue(called['notified'])
class TestContextMiddleware(base.IsolatedUnitTest):
def _build_request(self, roles=None):
req = webob.Request.blank('/')
req.headers['x-auth-token'] = 'token1'
req.headers['x-identity-status'] = 'Confirmed'
req.headers['x-user'] = 'user1'
req.headers['x-tenant'] = 'tenant1'
_roles = roles or ['role1', 'role2']
req.headers['x-role'] = ','.join(_roles)
return req
def _build_middleware(self, **extra_config):
for k, v in extra_config.items():
setattr(self.conf, k, v)
return context.ContextMiddleware(None, self.conf)
def test_header_parsing(self):
req = self._build_request()
self._build_middleware().process_request(req)
self.assertEqual(req.context.auth_tok, 'token1')
self.assertEqual(req.context.user, 'user1')
self.assertEqual(req.context.tenant, 'tenant1')
self.assertEqual(req.context.roles, ['role1', 'role2'])
def test_is_admin_flag(self):
# is_admin check should look for 'admin' role by default
req = self._build_request(roles=['admin', 'role2'])
self._build_middleware().process_request(req)
self.assertTrue(req.context.is_admin)
# without the 'admin' role, is_admin shoud be False
req = self._build_request()
self._build_middleware().process_request(req)
self.assertFalse(req.context.is_admin)
# if we change the admin_role attribute, we should be able to use it
req = self._build_request()
self._build_middleware(admin_role='role1').process_request(req)
self.assertTrue(req.context.is_admin)
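Review bot: test_is_admin_flag does not pin the case-sensitivity introduced by this change: the removed check matched `'Admin'` and the new default is `'admin'`, so a case such as `req = self._build_request(roles=['Admin']); self._build_middleware().process_request(req); self.assertFalse(req.context.is_admin)` would document that an `Admin` role is no longer privileged by default. A second missing case is `admin_role=''`, which with the request built without an X-Role header should still leave `is_admin` False rather than matching the empty element the middleware produces. `_build_middleware` applies overrides with setattr on `self.conf`, so the `admin_role='role1'` override appears to persist for any later test in the class unless the base class rebuilds the config per test; worth confirming or restoring the attribute in tearDown.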