Pass the correct tenant for the service user
Previously, the service user (which authenticates tokens passed to the engine by the APIs) was paired with the tenant of the end user to do authentication, which worked only when they were in the same tenant. This should not be the case, since the service user should only have an admin role in the "service" tenant. Fixes #269 Change-Id: I99b764fc489429dd6d081485bd89d5dde737c124 Signed-off-by: Zane Bitter <zbitter@redhat.com>
parent
d75075cf35
commit
3bc725b5bd
|
@ -437,6 +437,7 @@ class AuthProtocol(object):
|
|||
'X-Role': roles,
|
||||
'X-Admin-User': self.admin_user,
|
||||
'X-Admin-Pass': self.admin_password,
|
||||
'X-Admin-Tenant-Name': self.admin_tenant_name,
|
||||
'X-Auth-Url': self.conf['auth_uri'],
|
||||
}
|
||||
|
||||
|
|
|
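Review bot: The new `'X-Admin-Tenant-Name': self.admin_tenant_name,` line has no comment explaining why the service user's tenant, and not the end user's, must travel with the `X-Admin-User`/`X-Admin-Pass` pair; the commit message explains it, the code does not, and a later reader could easily collapse it back to the request tenant. A comment above the dict such as `# Service-user credentials forwarded to the engine; the tenant is the service tenant, not the end user's (#269)` would preserve the intent. If `admin_tenant_name` can be left unset in the config, the header would carry None here, so it is worth confirming the option is mandatory; the enclosing method starts and ends outside the hunk.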
@ -34,7 +34,8 @@ class RequestContext(object):
|
|||
|
||||
def __init__(self, auth_token=None, username=None, password=None,
|
||||
aws_creds=None, aws_auth_uri=None,
|
||||
service_user=None, service_password=None, tenant=None,
|
||||
service_user=None, service_password=None,
|
||||
service_tenant=None, tenant=None,
|
||||
tenant_id=None, auth_url=None, roles=None, is_admin=False,
|
||||
read_only=False, show_deleted=False,
|
||||
owner_is_tenant=True, overwrite=True, **kwargs):
|
||||
|
@ -53,6 +54,7 @@ class RequestContext(object):
|
|||
self.aws_auth_uri = aws_auth_uri
|
||||
self.service_user = service_user
|
||||
self.service_password = service_password
|
||||
self.service_tenant = service_tenant
|
||||
self.tenant = tenant
|
||||
self.tenant_id = tenant_id
|
||||
self.auth_url = auth_url
|
||||
|
@ -75,6 +77,7 @@ class RequestContext(object):
|
|||
'aws_auth_uri': self.aws_auth_uri,
|
||||
'service_user': self.service_user,
|
||||
'service_password': self.service_password,
|
||||
'service_tenant': self.service_tenant,
|
||||
'tenant': self.tenant,
|
||||
'tenant_id': self.tenant_id,
|
||||
'auth_url': self.auth_url,
|
||||
|
@ -175,7 +178,8 @@ class ContextMiddleware(wsgi.Middleware):
|
|||
token = headers.get('X-Auth-Token')
|
||||
service_user = headers.get('X-Admin-User')
|
||||
service_password = headers.get('X-Admin-Pass')
|
||||
tenant = headers.get('X-Tenant')
|
||||
service_tenant = headers.get('X-Admin-Tenant-Name')
|
||||
tenant = headers.get('X-Tenant-Name')
|
||||
tenant_id = headers.get('X-Tenant-Id')
|
||||
auth_url = headers.get('X-Auth-Url')
|
||||
roles = headers.get('X-Roles')
|
||||
|
@ -190,6 +194,7 @@ class ContextMiddleware(wsgi.Middleware):
|
|||
password=password,
|
||||
service_user=service_user,
|
||||
service_password=service_password,
|
||||
service_tenant=service_tenant,
|
||||
auth_url=auth_url, roles=roles,
|
||||
is_admin=True)
|
||||
|
||||
|
|
|
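Review bot: Inserting `service_tenant=None` ahead of `tenant=None` in `RequestContext.__init__` (the first hunk of this section) shifts the position of `tenant`, `tenant_id`, `auth_url`, `roles` and every parameter after them, so any caller that passes those positionally now silently binds its tenant to `service_tenant`. The construction in `ContextMiddleware` below uses keywords, but other constructors (a `from_dict`-style call, tests) are not visible here. Placing the new parameter after the last existing positional one keeps the old order intact: `service_user=None, service_password=None, tenant=None,` stays as it was and `service_tenant=None,` goes immediately before `owner_is_tenant=True, overwrite=True, **kwargs):`. The `X-Tenant` to `X-Tenant-Name` rename in the `ContextMiddleware` hunk is also not mentioned in the commit message and deserves a line there, since it changes which header the context's tenant is taken from.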
@ -222,20 +222,21 @@ class Resource(object):
|
|||
|
||||
con = self.context
|
||||
args = {
|
||||
'tenant_name': con.tenant,
|
||||
'tenant_id': con.tenant_id,
|
||||
'auth_url': con.auth_url,
|
||||
}
|
||||
|
||||
if con.password is not None:
|
||||
args['username'] = con.username
|
||||
args['password'] = con.password
|
||||
args['tenant_name'] = con.tenant
|
||||
args['tenant_id'] = con.tenant_id
|
||||
elif con.auth_token is not None:
|
||||
args['username'] = con.service_user
|
||||
args['password'] = con.service_password
|
||||
args['tenant_name'] = con.service_tenant
|
||||
args['token'] = con.auth_token
|
||||
else:
|
||||
logger.error("Keystone connectio failed, no password or " +
|
||||
logger.error("Keystone connection failed, no password or " +
|
||||
"auth_token!")
|
||||
return None
|
||||
|
||||
|
@ -261,6 +262,7 @@ class Resource(object):
|
|||
elif con.auth_token is not None:
|
||||
args['username'] = con.service_user
|
||||
args['api_key'] = con.service_password
|
||||
args['project_id'] = con.service_tenant
|
||||
args['proxy_token'] = con.auth_token
|
||||
args['proxy_tenant_id'] = con.tenant_id
|
||||
else:
|
||||
|
|
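Review bot: In the `auth_token` branch, `args['tenant_name'] = con.service_tenant` passes the value straight from the `X-Admin-Tenant-Name` header with no check that it was set; when the header is missing the Keystone client is built with `tenant_name=None` and the failure surfaces later inside the client rather than here, whereas the `else` branch logs and returns None. A guard at the top of the branch would keep the two failure modes consistent: `if con.service_tenant is None:` / `logger.error("Keystone connection failed, no service tenant!")` / `return None`. The same applies to `args['project_id'] = con.service_tenant` in the second hunk of this section. Whether the client then authenticates with the service password or with the proxied user token depends on the client library's precedence, which is not visible here and is worth a one-line comment on the branch; the enclosing functions start and end outside both hunks.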