Basic authorization for swift.

This first pass only makes sure you don't issue requests against other
accounts (regardless of publicity / acls).

TODO:
 * configurable reseller prefix (AUTH_)
 * groups (.reseller_admin)
 * don't let users change account except when admin (containerless DELETE/PUT)
 * check container ACLs for object access
 * add user groups into REMOTE_USER (?)
 * get rid of all the useless HTTP headers jammed into the request
Todd Willey 2011-06-21 14:26:47 -04:00
parent c8de076208
commit 722fcd8ebe
1 changed files with 19 additions and 1 deletions


@ -58,7 +58,7 @@ import json
import os
from paste.deploy import loadapp
from urlparse import urlparse
from webob.exc import HTTPUnauthorized, HTTPUseProxy
from webob.exc import HTTPUnauthorized, HTTPUseProxy, HTTPExpectationFailed
from webob.exc import Request, Response
from keystone.common.bufferedhttp import http_connect_raw as http_connect
@ -157,6 +157,10 @@ class AuthProtocol(object):
#Collect information about valid claims
if valid:
claims = self._expound_claims()
# Store authentication data
self.env['keystone.claims'] = claims
self.env['swift.authorize'] = self.authorize
if claims:
# TODO(Ziad): add additional details we may need,
# like tenant and group info
@ -174,11 +178,25 @@ class AuthProtocol(object):
roles += ','
roles += role
self._decorate_request('X_ROLE', roles)
# NOTE(todd): unused
self.expanded = True
#Send request downstream
return self._forward_request()
def authorize(self, req):
env = req.environ
tenant = env.get('keystone.claims', {}).get('tenant')
if not tenant:
return HTTPExpectationFailed('Unable to locate auth claim',
request=req)
if req.path.startswith('/v1/AUTH_%s' % tenant):
return None
return HTTPUnauthorized(request=req)
# NOTE(todd): unused
def get_admin_auth_token(self, username, password, tenant):
"""
This function gets an admin auth token to be used by this service to
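Review bot: The account check in `authorize` is a bare prefix match, so `req.path.startswith('/v1/AUTH_%s' % tenant)` also accepts any account whose name merely begins with the caller's tenant (tenant `1` would pass for `/v1/AUTH_10/...`), which defeats the cross-account isolation this change is meant to provide. The comparison should stop at the path-segment boundary: `prefix = '/v1/AUTH_%s' % tenant`, then `if req.path == prefix or req.path.startswith(prefix + '/'):` before `return None`. Returning `HTTPExpectationFailed` (417) when the claim is absent is also an unusual choice for an authorization failure; a 401 is what clients and the existing `HTTPUnauthorized` branch already expect, and a comment on that line should at least say why 417 was chosen. The enclosing `AuthProtocol` class starts outside the hunk, and `get_admin_auth_token` continues past it.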