diff --git a/keystonelight/backends/policy.py b/keystonelight/backends/policy.py index 780cf0aa00..d6bb78374d 100644 --- a/keystonelight/backends/policy.py +++ b/keystonelight/backends/policy.py @@ -1,4 +1,4 @@ - +import logging class TrivialTrue(object): def __init__(self, options): @@ -21,3 +21,4 @@ class SimpleMatch(object): check = credentials.get(key) if check == match: return True + diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py index 807a10bc58..85f947faf6 100644 --- a/keystonelight/keystone_compat.py +++ b/keystonelight/keystone_compat.py @@ -2,6 +2,7 @@ # this is the web service frontend that emulates keystone import logging +import uuid import routes @@ -34,6 +35,10 @@ class KeystoneRouter(wsgi.Router): controller=self.keystone_controller, action='tenants_for_token', conditions=dict(method=['GET'])) + mapper.connect('/tenants', + controller=self.keystone_controller, + action='create_tenant', + conditions=dict(method=['POST'])) super(KeystoneRouter, self).__init__(mapper) @@ -156,12 +161,14 @@ class KeystoneController(service.BaseApplication): """ # TODO(termie): this stuff should probably be moved to middleware if not context['is_admin']: - user_token_ref = self.token_api.get_token(context['token_id']) + user_token_ref = self.token_api.get_token( + context=context, token_id=context['token_id']) creds = user_token_ref['extras'].copy() creds['user_id'] = user_token_ref['user'].get('id') creds['tenant_id'] = user_token_ref['tenant'].get('id') # Accept either is_admin or the admin role - assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'), + assert self.policy_api.can_haz(context, + ('is_admin:1', 'roles:admin'), creds) token_ref = self.token_api.get_token(context=context, 
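Review bot: The admin check in this handler is still enforced with `assert self.policy_api.can_haz(context, ('is_admin:1', 'roles:admin'), creds)`, and the same statement is copied into the new `create_tenant` in the next hunk. Python removes `assert` statements when run with `-O`, so under that flag the policy call is never made and any caller whose token resolves is treated as authorized. A denial also surfaces as a bare AssertionError rather than an authorization error. Use an explicit test instead, `if not self.policy_api.can_haz(context, ('is_admin:1', 'roles:admin'), creds):` followed by a raise of the project's unauthorized exception (its name is not visible in this diff), and consider moving the duplicated block into one private helper. The enclosing method starts and ends outside the hunk.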
@@ -191,6 +198,28 @@ class KeystoneController(service.BaseApplication): tenant_id=tenant_id)) return self._format_tenants_for_token(tenant_refs) + def create_tenant(self, context, **kw): + # TODO(termie): this stuff should probably be moved to middleware + if not context['is_admin']: + user_token_ref = self.token_api.get_token( + context=context, token_id=context['token_id']) + creds = user_token_ref['extras'].copy() + creds['user_id'] = user_token_ref['user'].get('id') + creds['tenant_id'] = user_token_ref['tenant'].get('id') + # Accept either is_admin or the admin role + assert self.policy_api.can_haz(context, + ('is_admin:1', 'roles:admin'), + creds) + tenant_ref = kw.get('tenant') + tenant_id = (tenant_ref.get('id') + and tenant_ref.get('id') + or uuid.uuid4().hex) + tenant_ref['id'] = tenant_id + + tenant = self.identity_api.create_tenant( + context, tenant_id=tenant_id, data=tenant_ref) + return {'tenant': tenant} + def _format_token(self, token_ref): user_ref = token_ref['user'] extras_ref = token_ref['extras'] diff --git a/tests/test_keystoneclient_compat.py b/tests/test_keystoneclient_compat.py index 9ad01b1770..1c64ddb3d6 100644 --- a/tests/test_keystoneclient_compat.py +++ b/tests/test_keystoneclient_compat.py @@ -61,6 +61,7 @@ class MasterCompatTestCase(CompatTestCase): self.extras_bar_foo = self.identity_backend.create_extras( self.user_foo['id'], self.tenant_bar['id'], dict(roles=[], + is_admin='1', roles_links=[])) # def test_authenticate(self):
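Review bot: `create_tenant` uses the request body without validating it: `tenant_ref = kw.get('tenant')` is None when the POST carries no `tenant` object, so `tenant_ref.get('id')` raises AttributeError instead of returning a client error. The handler also accepts a caller-supplied `id` unchanged. Whether `identity_api.create_tenant` rejects an id that already exists is not visible here, so confirm it cannot overwrite an existing tenant, or look one up first. Suggested guard before the id lookup: `if not isinstance(tenant_ref, dict): raise <project's bad-request exception>`, and the id expression is clearer as `tenant_id = tenant_ref.get('id') or uuid.uuid4().hex`. A short docstring saying the call is admin-only and generates an id when none is supplied would also help.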
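Review bot: Setting `is_admin='1'` on the shared `extras_bar_foo` fixture gives admin rights to every test that uses this user/tenant pair, so nothing in the visible hunk exercises the denial path of the admin check. Consider keeping this fixture unprivileged and adding a separate admin extras record, plus a test that a non-admin token is refused on `POST /tenants`. The rest of the test class is outside this hunk, so such a test may already exist elsewhere.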