Merge "Add ACL check using <tenant_id>:<user> format."

Jenkins 2012-05-29 21:38:26 +00:00 committed by Gerrit Code Review
commit b6dbb103e1
2 changed files with 10 additions and 4 deletions


@ -207,9 +207,11 @@ class SwiftAuth(object):
return self.denied_response(req)
# Allow ACL at individual user level (tenant:user format)
if '%s:%s' % (tenant_name, user) in roles:
log_msg = 'user %s:%s allowed in ACL authorizing'
self.logger.debug(log_msg % (tenant_name, user))
# For backward compatibility, check for ACL in tenant_id:user format
if ('%s:%s' % (tenant_name, user) in roles
or '%s:%s' % (tenant_id, user) in roles):
log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
return
# Check if we have the role in the userroles and allow it
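Review bot: The new condition `if ('%s:%s' % (tenant_name, user) in roles or '%s:%s' % (tenant_id, user) in roles):` matches tenant names and tenant ids against the same ACL strings, so an entry written as `<tenant_id>:<user>` is also satisfied by a tenant whose name equals that id, and the reverse. Whether the identity service rules out a tenant name colliding with another tenant's id is not visible on this page, so the assumption should be stated next to the check, e.g. `# NOTE: assumes a tenant name can never equal another tenant's id`. The debug message also prints both forms regardless of which one matched; logging only the key that was found in `roles` would make the authorization decision easier to audit. The enclosing method starts and ends outside the hunk.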


@ -235,11 +235,15 @@ class TestAuthorize(unittest.TestCase):
identity = self._get_identity(roles=[acl])
self._check_authenticate(identity=identity, acl=acl)
def test_authorize_succeeds_for_tenant_user_in_roles(self):
def test_authorize_succeeds_for_tenant_name_user_in_roles(self):
identity = self._get_identity()
acl = '%s:%s' % (identity['tenant'][1], identity['user'])
self._check_authenticate(identity=identity, acl=acl)
def test_authorize_succeeds_for_tenant_id_user_in_roles(self):
identity = self._get_identity()
acl = '%s:%s' % (identity['tenant'][0], identity['user'])
self._check_authenticate(identity=identity, acl=acl)
if __name__ == '__main__':
unittest.main()
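Review bot: The two tests shown here, `test_authorize_succeeds_for_tenant_name_user_in_roles` and `test_authorize_succeeds_for_tenant_id_user_in_roles`, cover only the accepting path of the widened ACL check. A companion test should build the ACL from a tenant id that differs from `identity['tenant'][0]` with the same user and assert that authorization is denied, so that later loosening of the match is caught; such a test may already exist outside the hunk. A short comment such as `# identity['tenant'] is (tenant_id, tenant_name)` would also explain the `[0]` and `[1]` indices, assuming that is the tuple layout.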