Remove metadata from token provider
The metadata stuff in the token provider was there as a v2-ism. This commit removes it from the token provider and leaves its bits in the v2.0 token controller. Change-Id: I4b37289c06df2012ed4473227df5c309440af162
parent
ee494cc703
commit
adb45134ab
@ -410,17 +410,13 @@ class Auth(controller.V3Controller):
|
||||
# make sure the list is unique
|
||||
method_names = list(set(method_names))
|
||||
expires_at = auth_context.get('expires_at')
|
||||
# NOTE(morganfainberg): define this here so it is clear what the
|
||||
# argument is during the issue_token provider call.
|
||||
metadata_ref = None
|
||||
|
||||
token_audit_id = auth_context.get('audit_id')
|
||||
|
||||
is_domain = auth_context.get('is_domain')
|
||||
(token_id, token_data) = self.token_provider_api.issue_token(
|
||||
auth_context['user_id'], method_names, expires_at, project_id,
|
||||
is_domain, domain_id, auth_context, trust, metadata_ref,
|
||||
include_catalog, parent_audit_id=token_audit_id)
|
||||
is_domain, domain_id, auth_context, trust, include_catalog,
|
||||
parent_audit_id=token_audit_id)
|
||||
|
||||
# NOTE(wanghong): We consume a trust use only when we are using
|
||||
# trusts and have successfully issued a token.
|
||||
|
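Review bot: Removing `metadata_ref` from the middle of issue_token's positional parameter list (here, and again in the Manager, Provider and BaseProvider signature hunks) changes the meaning of every positional call that is not updated in this commit: a stale caller's dict would land in `include_catalog` (truthy for any non-empty dict) and its `include_catalog` value in `parent_audit_id`, with no error. The issue_token call in this hunk still passes nine arguments positionally; spelling the trailing ones out by keyword, `is_domain=is_domain, domain_id=domain_id, auth_context=auth_context, trust=trust,` and `include_catalog=include_catalog, parent_audit_id=token_audit_id)`, would make any such mismatch fail loudly and read unambiguously after the reshuffle. The enclosing method of Auth starts and ends outside the hunk.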
@ -113,7 +113,7 @@ class Ec2ControllerCommon(object):
|
||||
def _authenticate(self, credentials=None, ec2credentials=None):
|
||||
"""Common code shared between the V2 and V3 authenticate methods.
|
||||
|
||||
:returns: user_ref, tenant_ref, metadata_ref, roles_ref, catalog_ref
|
||||
:returns: user_ref, tenant_ref, roles_ref, catalog_ref
|
||||
"""
|
||||
# FIXME(ja): validate that a service token was used!
|
||||
|
||||
@ -132,15 +132,6 @@ class Ec2ControllerCommon(object):
|
||||
# TODO(termie): this is copied from TokenController.authenticate
|
||||
tenant_ref = self.resource_api.get_project(creds_ref['tenant_id'])
|
||||
user_ref = self.identity_api.get_user(creds_ref['user_id'])
|
||||
metadata_ref = {}
|
||||
metadata_ref['roles'] = (
|
||||
self.assignment_api.get_roles_for_user_and_project(
|
||||
user_ref['id'], tenant_ref['id']))
|
||||
|
||||
trust_id = creds_ref.get('trust_id')
|
||||
if trust_id:
|
||||
metadata_ref['trust_id'] = trust_id
|
||||
metadata_ref['trustee_user_id'] = user_ref['id']
|
||||
|
||||
# Validate that the auth info is valid and nothing is disabled
|
||||
try:
|
||||
@ -154,7 +145,9 @@ class Ec2ControllerCommon(object):
|
||||
six.reraise(exception.Unauthorized, exception.Unauthorized(e),
|
||||
sys.exc_info()[2])
|
||||
|
||||
roles = metadata_ref.get('roles', [])
|
||||
roles = self.assignment_api.get_roles_for_user_and_project(
|
||||
user_ref['id'], tenant_ref['id']
|
||||
)
|
||||
if not roles:
|
||||
raise exception.Unauthorized(
|
||||
message=_('User not valid for tenant.'))
|
||||
@ -163,7 +156,7 @@ class Ec2ControllerCommon(object):
|
||||
catalog_ref = self.catalog_api.get_catalog(
|
||||
user_ref['id'], tenant_ref['id'])
|
||||
|
||||
return user_ref, tenant_ref, metadata_ref, roles_ref, catalog_ref
|
||||
return user_ref, tenant_ref, roles_ref, catalog_ref
|
||||
|
||||
def create_credential(self, request, user_id, tenant_id):
|
||||
"""Create a secret/access pair for use with ec2 style auth.
|
||||
@ -377,15 +370,14 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
def authenticate(self, context, credentials=None, ec2Credentials=None):
|
||||
(user_ref, project_ref, metadata_ref, roles_ref,
|
||||
catalog_ref) = self._authenticate(credentials=credentials,
|
||||
ec2credentials=ec2Credentials)
|
||||
(user_ref, project_ref, roles_ref, catalog_ref) = self._authenticate(
|
||||
credentials=credentials, ec2credentials=ec2Credentials
|
||||
)
|
||||
|
||||
method_names = ['ec2credential']
|
||||
|
||||
token_id, token_data = self.token_provider_api.issue_token(
|
||||
user_ref['id'], method_names, project_id=project_ref['id'],
|
||||
metadata_ref=metadata_ref)
|
||||
user_ref['id'], method_names, project_id=project_ref['id'])
|
||||
return render_token_data_response(token_id, token_data)
|
||||
|
||||
@controller.protected(callback=_check_credential_owner_and_user_id_match)
|
||||
|
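Review bot: The V3 `authenticate` no longer conveys a credential's trust to the token provider: `_authenticate` stops reading `creds_ref.get('trust_id')`, the `issue_token` call in this hunk passes no `trust`, and the BaseProvider hunk removes the fallback that resolved a trust from `metadata_ref['trust_id']`, so for a trust-backed EC2 credential the trustee check and trust handling in BaseProvider.issue_token are no longer reached unless something outside this diff covers it. If that is not intended, `_authenticate` should return the credential's trust id alongside its other refs and this method should pass `trust=` to `issue_token` when it is set (the provider previously resolved it with `self.trust_api.get_trust(trust_id)`; the controller's own handle to the trust API is not visible here). The same applies to the V2 token controller that the commit message says keeps the metadata bits: it is not in this diff, so confirm it now passes `trust=` explicitly, since the provider no longer reads it from metadata. The `_authenticate` method begins and ends outside its hunks.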
@ -236,7 +236,6 @@ class TokenDriverBase(object):
|
||||
id=token_id,
|
||||
user=user_ref,
|
||||
tenant=tenant_ref,
|
||||
metadata=metadata_ref
|
||||
}
|
||||
|
||||
:type data: dict
|
||||
|
@ -208,20 +208,11 @@ class Manager(manager.Manager):
|
||||
|
||||
def issue_token(self, user_id, method_names, expires_at=None,
|
||||
project_id=None, is_domain=False, domain_id=None,
|
||||
auth_context=None, trust=None, metadata_ref=None,
|
||||
include_catalog=True, parent_audit_id=None):
|
||||
auth_context=None, trust=None, include_catalog=True,
|
||||
parent_audit_id=None):
|
||||
token_id, token_data = self.driver.issue_token(
|
||||
user_id, method_names, expires_at, project_id, domain_id,
|
||||
auth_context, trust, metadata_ref, include_catalog,
|
||||
parent_audit_id)
|
||||
|
||||
if metadata_ref is None:
|
||||
metadata_ref = {}
|
||||
|
||||
if trust:
|
||||
metadata_ref.setdefault('trust_id', trust['id'])
|
||||
metadata_ref.setdefault('trustee_user_id',
|
||||
trust['trustee_user_id'])
|
||||
auth_context, trust, include_catalog, parent_audit_id)
|
||||
|
||||
data = dict(key=token_id,
|
||||
id=token_id,
|
||||
@ -229,7 +220,6 @@ class Manager(manager.Manager):
|
||||
user=token_data['token']['user'],
|
||||
tenant=token_data['token'].get('project'),
|
||||
is_domain=is_domain,
|
||||
metadata=metadata_ref,
|
||||
token_data=token_data,
|
||||
trust_id=trust['id'] if trust else None,
|
||||
token_version=self.V3)
|
||||
|
@ -51,8 +51,7 @@ class Provider(object):
|
||||
@abc.abstractmethod
|
||||
def issue_token(self, user_id, method_names, expires_at=None,
|
||||
project_id=None, domain_id=None, auth_context=None,
|
||||
trust=None, metadata_ref=None, include_catalog=True,
|
||||
parent_audit_id=None):
|
||||
trust=None, include_catalog=True, parent_audit_id=None):
|
||||
"""Issue a V3 Token.
|
||||
|
||||
:param user_id: identity of the user
|
||||
@ -69,8 +68,6 @@ class Provider(object):
|
||||
:type auth_context: dict
|
||||
:param trust: optional trust reference
|
||||
:type trust: dict
|
||||
:param metadata_ref: optional metadata reference
|
||||
:type metadata_ref: dict
|
||||
:param include_catalog: optional, include the catalog in token data
|
||||
:type include_catalog: boolean
|
||||
:param parent_audit_id: optional, the audit id of the parent token
|
||||
|
@ -618,7 +618,7 @@ class BaseProvider(base.Provider):
|
||||
|
||||
def issue_token(self, user_id, method_names, expires_at=None,
|
||||
project_id=None, domain_id=None, auth_context=None,
|
||||
trust=None, metadata_ref=None, include_catalog=True,
|
||||
trust=None, include_catalog=True,
|
||||
parent_audit_id=None):
|
||||
if auth_context and auth_context.get('bind'):
|
||||
# NOTE(lbragstad): Check if the token provider being used actually
|
||||
@ -628,11 +628,6 @@ class BaseProvider(base.Provider):
|
||||
'The configured token provider does not support bind '
|
||||
'authentication.'))
|
||||
|
||||
# for V2, trust is stashed in metadata_ref
|
||||
if (CONF.trust.enabled and not trust and metadata_ref and
|
||||
'trust_id' in metadata_ref):
|
||||
trust = self.trust_api.get_trust(metadata_ref['trust_id'])
|
||||
|
||||
if CONF.trust.enabled and trust:
|
||||
if user_id != trust['trustee_user_id']:
|
||||
raise exception.Forbidden(_('User is not a trustee.'))
|
||||
|