Pass the correct tenant for the service user

Previously, the service user (which authenticates tokens passed to the
engine by the APIs) was paired with the tenant of the end user to do
authentication, which worked only when they were in the same tenant. This
should not be the case, since the service user should only have an admin
role in the "service" tenant.

Fixes #269

Change-Id: I99b764fc489429dd6d081485bd89d5dde737c124
Signed-off-by: Zane Bitter <zbitter@redhat.com>
Zane Bitter 2012-10-22 11:20:07 +02:00
parent d75075cf35
commit 3bc725b5bd
3 changed files with 13 additions and 5 deletions


@ -437,6 +437,7 @@ class AuthProtocol(object):
'X-Role': roles,
'X-Admin-User': self.admin_user,
'X-Admin-Pass': self.admin_password,
'X-Admin-Tenant-Name': self.admin_tenant_name,
'X-Auth-Url': self.conf['auth_uri'],
}
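Review bot: The new `'X-Admin-Tenant-Name'` entry is set from `self.admin_tenant_name`, but nothing in this hunk shows the same header being discarded when it arrives on the incoming request, so confirm that the middleware's list of stripped client headers covers it along with `X-Admin-User` and `X-Admin-Pass`. The context middleware changed in this same commit reads all three with `headers.get(...)` and treats them as the service credentials, so a client-supplied value must never reach it. A comment above the three entries, such as `# Service credentials for the engine; never accept these headers from the client request`, would record the requirement. The enclosing method starts and ends outside the hunk, so the stripping may already exist where it cannot be seen here.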


@ -34,7 +34,8 @@ class RequestContext(object):
def __init__(self, auth_token=None, username=None, password=None,
aws_creds=None, aws_auth_uri=None,
service_user=None, service_password=None, tenant=None,
service_user=None, service_password=None,
service_tenant=None, tenant=None,
tenant_id=None, auth_url=None, roles=None, is_admin=False,
read_only=False, show_deleted=False,
owner_is_tenant=True, overwrite=True, **kwargs):
@ -53,6 +54,7 @@ class RequestContext(object):
self.aws_auth_uri = aws_auth_uri
self.service_user = service_user
self.service_password = service_password
self.service_tenant = service_tenant
self.tenant = tenant
self.tenant_id = tenant_id
self.auth_url = auth_url
@ -75,6 +77,7 @@ class RequestContext(object):
'aws_auth_uri': self.aws_auth_uri,
'service_user': self.service_user,
'service_password': self.service_password,
'service_tenant': self.service_tenant,
'tenant': self.tenant,
'tenant_id': self.tenant_id,
'auth_url': self.auth_url,
@ -175,7 +178,8 @@ class ContextMiddleware(wsgi.Middleware):
token = headers.get('X-Auth-Token')
service_user = headers.get('X-Admin-User')
service_password = headers.get('X-Admin-Pass')
tenant = headers.get('X-Tenant')
service_tenant = headers.get('X-Admin-Tenant-Name')
tenant = headers.get('X-Tenant-Name')
tenant_id = headers.get('X-Tenant-Id')
auth_url = headers.get('X-Auth-Url')
roles = headers.get('X-Roles')
@ -190,6 +194,7 @@ class ContextMiddleware(wsgi.Middleware):
password=password,
service_user=service_user,
service_password=service_password,
service_tenant=service_tenant,
auth_url=auth_url, roles=roles,
is_admin=True)
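Review bot: `service_tenant = headers.get('X-Admin-Tenant-Name')` silently yields `None` when the header is absent, for example behind an auth middleware that has not been updated to send it, and the context is still built with `is_admin=True`. The same applies to `tenant`, which now reads only `X-Tenant-Name` with no fallback to the `X-Tenant` key used before. A guard before the context is constructed, such as `if token and not all((service_user, service_password, service_tenant)):` followed by rejecting the request, would turn a misconfigured pipeline into a clear failure instead of a later Keystone error. The method body starts and ends outside these hunks, so an existing check may not be visible here.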


@ -222,20 +222,21 @@ class Resource(object):
con = self.context
args = {
'tenant_name': con.tenant,
'tenant_id': con.tenant_id,
'auth_url': con.auth_url,
}
if con.password is not None:
args['username'] = con.username
args['password'] = con.password
args['tenant_name'] = con.tenant
args['tenant_id'] = con.tenant_id
elif con.auth_token is not None:
args['username'] = con.service_user
args['password'] = con.service_password
args['tenant_name'] = con.service_tenant
args['token'] = con.auth_token
else:
logger.error("Keystone connectio failed, no password or " +
logger.error("Keystone connection failed, no password or " +
"auth_token!")
return None
@ -261,6 +262,7 @@ class Resource(object):
elif con.auth_token is not None:
args['username'] = con.service_user
args['api_key'] = con.service_password
args['project_id'] = con.service_tenant
args['proxy_token'] = con.auth_token
args['proxy_tenant_id'] = con.tenant_id
else:
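Review bot: The token branches now combine two different tenants without a comment saying so: `args['tenant_name'] = con.service_tenant` in the first hunk and `args['project_id'] = con.service_tenant` in the second belong to the service user, while `proxy_tenant_id` still carries the end user's `con.tenant_id`. A comment on each branch, such as `# Service credentials are scoped to the service tenant, never to the end user's tenant`, would keep a later edit from pairing them with the end user's tenant again. The comment could also note that `con.service_tenant` may be `None` when the context was built without it, since nothing in these hunks checks it before the client arguments are assembled. Both methods start and end outside the hunks shown.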