Add admin_role option
* Allow a deployer to define the role that should give an authenticated user admin privileges. Defaults to 'admin' * Fixes bug 956547 Change-Id: I018b9c438a12c527833ed8e2e6c377a93fde9130
This commit is contained in:
parent
8a533f9cfe
commit
eff04c5612
@ -157,6 +157,12 @@ configuration file, select the appropriate deployment flavor by adding a
|
|||||||
[paste_deploy]
|
[paste_deploy]
|
||||||
flavor = keystone
|
flavor = keystone
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
If your authentication service uses a role other than ``admin`` to identify
|
||||||
|
which users should be granted admin-level privileges, you must define it
|
||||||
|
in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
|
||||||
|
``glance-api.conf``.
|
||||||
|
|
||||||
Sharing Images With Others
|
Sharing Images With Others
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|
||||||
|
@ -30,6 +30,9 @@ backlog = 4096
|
|||||||
# this value to the number of CPUs present on your machine.
|
# this value to the number of CPUs present on your machine.
|
||||||
workers = 0
|
workers = 0
|
||||||
|
|
||||||
|
# Role used to identify an authenticated user as administrator
|
||||||
|
#admin_role = admin
|
||||||
|
|
||||||
# ================= Syslog Options ============================
|
# ================= Syslog Options ============================
|
||||||
|
|
||||||
# Send logs to syslog (/dev/log) instead of to file specified
|
# Send logs to syslog (/dev/log) instead of to file specified
|
||||||
|
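Review bot: The new comment above `#admin_role = admin` does not say how the value is matched, yet the middleware checks it by exact, case-sensitive membership in the X-Role list, and the spelling it previously looked for was `Admin`; a deployment whose identity service still issues that spelling silently loses admin access after this change unless it sets the option. Suggest extending the comment to `# Role used to identify an authenticated user as administrator.` followed by `# Compared exactly (case-sensitive) against the roles in the X-Role header.` The glance-registry.conf hunk needs the same wording.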
@ -40,6 +40,9 @@ api_limit_max = 1000
|
|||||||
# default to `limit_param_default`
|
# default to `limit_param_default`
|
||||||
limit_param_default = 25
|
limit_param_default = 25
|
||||||
|
|
||||||
|
# Role used to identify an authenticated user as administrator
|
||||||
|
#admin_role = admin
|
||||||
|
|
||||||
# ================= Syslog Options ============================
|
# ================= Syslog Options ============================
|
||||||
|
|
||||||
# Send logs to syslog (/dev/log) instead of to file specified
|
# Send logs to syslog (/dev/log) instead of to file specified
|
||||||
|
@ -56,6 +56,7 @@ class ContextMiddleware(wsgi.Middleware):
|
|||||||
|
|
||||||
opts = [
|
opts = [
|
||||||
cfg.BoolOpt('owner_is_tenant', default=True),
|
cfg.BoolOpt('owner_is_tenant', default=True),
|
||||||
|
cfg.StrOpt('admin_role', default='admin'),
|
||||||
]
|
]
|
||||||
|
|
||||||
def __init__(self, app, conf, **local_conf):
|
def __init__(self, app, conf, **local_conf):
|
||||||
@ -106,7 +107,7 @@ class ContextMiddleware(wsgi.Middleware):
|
|||||||
tenant = req.headers.get('X-Tenant')
|
tenant = req.headers.get('X-Tenant')
|
||||||
roles = [r.strip()
|
roles = [r.strip()
|
||||||
for r in req.headers.get('X-Role', '').split(',')]
|
for r in req.headers.get('X-Role', '').split(',')]
|
||||||
is_admin = 'Admin' in roles
|
is_admin = self.conf.admin_role in roles
|
||||||
else:
|
else:
|
||||||
# 2. Indentity-Status not confirmed
|
# 2. Indentity-Status not confirmed
|
||||||
# FIXME(sirp): not sure what the correct behavior in this case
|
# FIXME(sirp): not sure what the correct behavior in this case
|
||||||
|
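Review bot: An empty `admin_role` grants admin to every request that carries no X-Role header, because `req.headers.get('X-Role', '').split(',')` yields `['']` and `'' in ['']` is true; the option is a plain StrOpt with no validation, so a deployer who leaves the value blank gets the opposite of a lock-down. Guard the lookup: `is_admin = bool(self.conf.admin_role) and self.conf.admin_role in roles`, or drop empty entries when `roles` is built. The default also moves from the previously hard-coded `Admin` to `admin` under an exact, case-sensitive comparison, which deserves a comment next to the StrOpt in the first hunk so operators know to set it explicitly. process_request starts and ends outside the hunk.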
@ -3055,3 +3055,44 @@ class TestImageSerializer(base.IsolatedUnitTest):
|
|||||||
self.serializer.image_send_notification(17, 19, image_meta, req)
|
self.serializer.image_send_notification(17, 19, image_meta, req)
|
||||||
|
|
||||||
self.assertTrue(called['notified'])
|
self.assertTrue(called['notified'])
|
||||||
|
|
||||||
|
|
||||||
|
class TestContextMiddleware(base.IsolatedUnitTest):
|
||||||
|
def _build_request(self, roles=None):
|
||||||
|
req = webob.Request.blank('/')
|
||||||
|
req.headers['x-auth-token'] = 'token1'
|
||||||
|
req.headers['x-identity-status'] = 'Confirmed'
|
||||||
|
req.headers['x-user'] = 'user1'
|
||||||
|
req.headers['x-tenant'] = 'tenant1'
|
||||||
|
_roles = roles or ['role1', 'role2']
|
||||||
|
req.headers['x-role'] = ','.join(_roles)
|
||||||
|
return req
|
||||||
|
|
||||||
|
def _build_middleware(self, **extra_config):
|
||||||
|
for k, v in extra_config.items():
|
||||||
|
setattr(self.conf, k, v)
|
||||||
|
return context.ContextMiddleware(None, self.conf)
|
||||||
|
|
||||||
|
def test_header_parsing(self):
|
||||||
|
req = self._build_request()
|
||||||
|
self._build_middleware().process_request(req)
|
||||||
|
self.assertEqual(req.context.auth_tok, 'token1')
|
||||||
|
self.assertEqual(req.context.user, 'user1')
|
||||||
|
self.assertEqual(req.context.tenant, 'tenant1')
|
||||||
|
self.assertEqual(req.context.roles, ['role1', 'role2'])
|
||||||
|
|
||||||
|
def test_is_admin_flag(self):
|
||||||
|
# is_admin check should look for 'admin' role by default
|
||||||
|
req = self._build_request(roles=['admin', 'role2'])
|
||||||
|
self._build_middleware().process_request(req)
|
||||||
|
self.assertTrue(req.context.is_admin)
|
||||||
|
|
||||||
|
# without the 'admin' role, is_admin shoud be False
|
||||||
|
req = self._build_request()
|
||||||
|
self._build_middleware().process_request(req)
|
||||||
|
self.assertFalse(req.context.is_admin)
|
||||||
|
|
||||||
|
# if we change the admin_role attribute, we should be able to use it
|
||||||
|
req = self._build_request()
|
||||||
|
self._build_middleware(admin_role='role1').process_request(req)
|
||||||
|
self.assertTrue(req.context.is_admin)
|
||||||
|
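Review bot: test_is_admin_flag never exercises a request without roles, which is the path where the admin_role match is most fragile (an absent or empty X-Role header becomes `['']` after the split in the middleware); add a case that sets `req.headers['x-role'] = ''` directly, since `_build_request` substitutes defaults for an empty list, and asserts `req.context.is_admin` is False both with the default and with `admin_role=''`. `_build_middleware` mutates `self.conf` via setattr without restoring it, so `admin_role='role1'` persists for any later assertion in the same test and, if IsolatedUnitTest does not reset conf, possibly across tests; resetting the attributes in tearDown or restoring them after the call would make the cases independent. Minor: the comment reads `shoud` — `# without the 'admin' role, is_admin should be False`.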