openstack/keystone
Code Issues Proposed changes

Merge "Allow connect to another tenant."

Browse Source
This commit is contained in:
Jenkins 2012-03-14 20:45:40 +00:00 committed by Gerrit Code Review
commit 9a2010bfe8
1 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
keystone/middleware/s3_token.py
View File

@ -66,8 +66,22 @@ class S3Token(object):
auth_header = req.headers['Authorization'] auth_header = req.headers['Authorization']
access, signature = auth_header.split(' ')[-1].rsplit(':', 1) access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
# NOTE(chmou): This is to handle the special case with nova
# when we have the option s3_affix_tenant. We will force it to
# connect to another account than the one
# authenticated. Before people start getting worried about
# security, I should point that we are connecting with
# username/token specified by the user but instead of
# connecting to its own account we will force it to go to an
# another account. In a normal scenario if that user don't
# have the reseller right it will just fail but since the
# reseller account can connect to every account it is allowed
# by the swift_auth middleware.
force_tenant = None
if ':' in access:
access, force_tenant = access.split(':')
# Authenticate the request. # Authenticate request.
creds = {'credentials': {'access': access, creds = {'credentials': {'access': access,
'token': token, 'token': token,
'signature': signature, 'signature': signature,
@ -100,8 +114,7 @@ class S3Token(object):
# NOTE(chmou): We still have the same problem we would need to # NOTE(chmou): We still have the same problem we would need to
# change token_auth to detect if we already # change token_auth to detect if we already
# identified and not doing a second query and just # identified and not doing a second query and just
# pass it through to swiftauth in this case. # pass it thru to swiftauth in this case.
# identity_info = json.loads(response)
output = resp.read() output = resp.read()
conn.close() conn.close()
identity_info = json.loads(output) identity_info = json.loads(output)
@ -115,8 +128,11 @@ class S3Token(object):
raise raise
req.headers['X-Auth-Token'] = token_id req.headers['X-Auth-Token'] = token_id
tenant_to_connect = force_tenant or tenant[0]
self.logger.debug('Connecting with tenant: %s' %
(tenant_to_connect))
environ['PATH_INFO'] = environ['PATH_INFO'].replace( environ['PATH_INFO'] = environ['PATH_INFO'].replace(
account, 'AUTH_%s' % tenant[0]) account, 'AUTH_%s' % tenant_to_connect)
return self.app(environ, start_response) return self.app(environ, start_response)