Populate context roles when using stored context

Currently we leave the context roles empty when loading the stored
context, even though there are roles associated with e.g. the
trust-scoped token used when loading the stored context.  Loading the
auth ref and populating the roles from the token ensures any RBAC
performed on the context roles will work as expected.

Change-Id: I7d699bcf947940357a6eb6ae2d17027ec8d6bd04
Closes-Bug: #1529354
Steven Hardy 2016-01-05 22:41:05 +00:00 committed by huangtianhua
parent db52df4633
commit ce46629661
3 changed files with 21 additions and 1 deletions


@ -554,6 +554,10 @@ class KeystoneClientV3(object):
def auth_token(self): def auth_token(self):
return self.context.auth_plugin.get_token(self.session) return self.context.auth_plugin.get_token(self.session)
@property
def auth_ref(self):
return self.context.auth_plugin.get_access(self.session)
class KeystoneClient(object): class KeystoneClient(object):
"""Keystone Auth Client. """Keystone Auth Client.
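Review bot: The new `auth_ref` property has no docstring, and its cost is not obvious from the name: `get_access(self.session)` may trigger an authentication round trip to keystone when the plugin holds no valid cached access info (inferred from the auth plugin API, not visible on this page). I would add `"""Return the access info for the context's auth plugin; may authenticate against keystone."""`. The returned object presumably carries the token as well as the roles, so the docstring should also say it must not be logged. The enclosing class KeystoneClientV3 starts outside the hunk.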


@ -191,6 +191,8 @@ class Stack(collections.Mapping):
if use_stored_context: if use_stored_context:
self.context = self.stored_context() self.context = self.stored_context()
self.context.roles = self.context.clients.client(
'keystone').auth_ref.role_names
self.clients = self.context.clients self.clients = self.context.clients
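Review bot: The role lookup added right after `self.context = self.stored_context()` has no error handling, so a failure to obtain access info (for example a revoked trust, which I am inferring is possible here) would now raise while the Stack is being constructed rather than when a client is first used. It is worth deciding explicitly whether that should abort the load or leave `context.roles` empty, which fails closed for role checks, and logging whichever path is taken. A comment such as `# Roles are those delegated to the trust-scoped token, not the requester's own` would also tell readers which identity later RBAC checks evaluate. The enclosing method starts and ends outside the hunk.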


@ -94,7 +94,7 @@ class FakeKeystoneClient(object):
def __init__(self, username='test_username', password='password', def __init__(self, username='test_username', password='password',
user_id='1234', access='4567', secret='8901', user_id='1234', access='4567', secret='8901',
credential_id='abcdxyz', auth_token='abcd1234', credential_id='abcdxyz', auth_token='abcd1234',
context=None, stack_domain_id='4321'): context=None, stack_domain_id='4321', roles=None):
self.username = username self.username = username
self.password = password self.password = password
self.user_id = user_id self.user_id = user_id
@ -106,6 +106,7 @@ class FakeKeystoneClient(object):
self.context = context self.context = context
self.v3_endpoint = 'http://localhost:5000/v3' self.v3_endpoint = 'http://localhost:5000/v3'
self.stack_domain_id = stack_domain_id self.stack_domain_id = stack_domain_id
self.roles = roles or []
class FakeCred(object): class FakeCred(object):
id = self.credential_id id = self.credential_id
@ -191,6 +192,19 @@ class FakeKeystoneClient(object):
else: else:
return self.token return self.token
@property
def auth_ref(self):
return FakeAccessInfo(roles=self.roles)
class FakeAccessInfo(object):
def __init__(self, roles):
self.roles = roles
@property
def role_names(self):
return self.roles
class FakeEventSink(object): class FakeEventSink(object):
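Review bot: None of the three changed files shown here asserts that a stack loaded with `use_stored_context=True` ends up with the token's roles on `context.roles`, so the behaviour this commit fixes is not pinned by a test as far as this page shows. Because `roles=None` defaults to `[]` in `FakeKeystoneClient`, existing tests keep seeing empty roles and would still pass if the assignment in Stack were removed. A test that builds the fake with a non-empty `roles` list and checks the loaded stack's `context.roles` would cover it. `FakeAccessInfo` would also benefit from a one-line docstring, e.g. `"""Minimal stand-in for the keystone access info; only role_names is provided."""`.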