
Populate context roles when using stored context

Currently we leave the context roles empty when loading the stored
context, even though there are roles associated with, e.g., the
trust-scoped token obtained when the stored context is loaded.  Loading
the auth ref and populating the roles from the token ensures any RBAC
performed on the context roles will work as expected.

Change-Id: I7d699bcf947940357a6eb6ae2d17027ec8d6bd04
Closes-Bug: #1529354
(cherry picked from commit ce46629661)
tags/5.0.2
Steven Hardy Rabi Mishra 4 years ago
parent
commit
65fe32d3ac
4 changed files with 34 additions and 2 deletions
  1. +4
    -0
      heat/common/heat_keystoneclient.py
  2. +2
    -0
      heat/engine/stack.py
  3. +1
    -1
      heat/tests/engine/tools.py
  4. +27
    -1
      heat/tests/fakes.py

+ 4
- 0
heat/common/heat_keystoneclient.py

@@ -555,6 +555,10 @@ class KeystoneClientV3(object):
def auth_token(self):
return self.context.auth_plugin.get_token(self.session)

@property
def auth_ref(self):
return self.context.auth_plugin.get_access(self.session)


class KeystoneClient(object):
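Review bot: The new `auth_ref` property has no docstring, and it is not a plain attribute read. It calls `get_access(self.session)` on the context's auth plugin, which on keystone identity plugins presumably returns cached access info or authenticates to obtain it, so reading the property may issue a token request and can raise on an auth failure. A one-line docstring would make that visible to callers, for example `"""Return the access info (token data, including roles) for the context's auth plugin; may authenticate against keystone."""`. The enclosing class KeystoneClientV3 starts outside the hunk.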



+ 2
- 0
heat/engine/stack.py

@@ -188,6 +188,8 @@ class Stack(collections.Mapping):

if use_stored_context:
self.context = self.stored_context()
self.context.roles = self.context.clients.client(
'keystone').auth_ref.role_names

self.clients = self.context.clients
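Review bot: The role lookup added under `if use_stored_context:` is unguarded, so every stack load that uses the stored context now depends on obtaining access info from keystone. If the stored trust has been deleted or keystone is unreachable, the exception propagates from this assignment. That fails closed, which is the right direction for RBAC, but it should be deliberate and documented. I would add a comment above the assignment such as `# Roles come from the stored (e.g. trust-scoped) token, not the caller's request; this needs a keystone token fetch and raises if the trust is no longer valid.` The enclosing function starts and ends outside the hunk, so whether callers already handle that failure cannot be confirmed from here.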



+ 1
- 1
heat/tests/engine/tools.py

@@ -170,7 +170,7 @@ def setup_keystone_mocks(mocks, stack):
fkc = test_fakes.FakeKeystoneClient()

mocks.StubOutWithMock(keystone.KeystoneClientPlugin, '_create')
keystone.KeystoneClientPlugin._create().AndReturn(fkc)
keystone.KeystoneClientPlugin._create().MultipleTimes().AndReturn(fkc)


def setup_mock_for_image_constraint(mocks, imageId_input,
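Review bot: Assuming the `MultipleTimes()` line is the new side of this one-line change, the stub now accepts any number of `KeystoneClientPlugin._create()` calls, so `setup_keystone_mocks` no longer pins how often the keystone client is built. That is probably needed now that loading a stack with the stored context also reaches the client for `auth_ref`, but the reason is not recorded and an accidental extra client creation would pass silently. A short comment would help, for example `# _create() is also hit when the stack populates context roles from auth_ref`. The body of `setup_keystone_mocks` starts outside the hunk.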


+ 27
- 1
heat/tests/fakes.py

@@ -99,7 +99,7 @@ class FakeKeystoneClient(object):
def __init__(self, username='test_username', password='password',
user_id='1234', access='4567', secret='8901',
credential_id='abcdxyz', auth_token='abcd1234',
context=None):
context=None, stack_domain_id='4321', roles=None):
self.username = username
self.password = password
self.user_id = user_id
@@ -110,6 +110,8 @@ class FakeKeystoneClient(object):
self.token = auth_token
self.context = context
self.v3_endpoint = 'http://localhost:5000/v3'
self.stack_domain_id = stack_domain_id
self.roles = roles or []

class FakeCred(object):
id = self.credential_id
@@ -194,3 +196,27 @@ class FakeKeystoneClient(object):
return self.context.auth_plugin.get_token(self.session)
else:
return self.token

@property
def auth_ref(self):
return FakeAccessInfo(roles=self.roles)


class FakeAccessInfo(object):
def __init__(self, roles):
self.roles = roles

@property
def role_names(self):
return self.roles


class FakeEventSink(object):

def __init__(self, evt):
self.events = []
self.evt = evt

def consume(self, stack, event):
self.events.append(event)
self.evt.send(None)
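Review bot: `FakeKeystoneClient` defaults `roles` to an empty list and none of the four changed files passes a non-empty value, so the behaviour this commit fixes is not asserted by any test on this page. With the default, `FakeAccessInfo.role_names` returns `[]`, which is indistinguishable from the pre-fix state of empty context roles. A regression test should build the fake with constructed sample roles, e.g. `FakeKeystoneClient(roles=['sample_role'])`, load the stack with `use_stored_context=True`, and check that `stack.context.roles` equals that list. The `stack_domain_id` parameter and the `FakeEventSink` class added in the same section are not mentioned in the commit description; a line there saying they came along with the cherry-pick would keep the record accurate.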
