
Merge "Introduce new header for system-scoped tokens"

Zuul 11 months ago
parent
commit
83d0612e03

+ 5
- 0
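--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -72,6 +72,11 @@ HTTP_X_IDENTITY_STATUS, HTTP_X_SERVICE_IDENTITY_STATUS
     presented. This allows the underlying service to determine if a
     denial should use ``401 Unauthenticated`` or ``403 Forbidden``.
 
+HTTP_OPENSTACK_SYSTEM_SCOPE
+    A string relaying system information about the token's scope. This
+    attribute is only present if the token is system-scoped. The string ``all``
+    means the token is scoped to the entire deployment system.
+
 HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
     Identity service managed unique identifier, string. Only present if
     this is a domain-scoped token.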

+ 9
- 0
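--- a/keystonemiddleware/auth_token/_request.py
+++ b/keystonemiddleware/auth_token/_request.py
@@ -62,6 +62,13 @@ def _is_admin_project(auth_ref):
     return 'True' if auth_ref.is_admin_project else 'False'
 
 
+def _get_system_scope(auth_ref):
+    """Return the scope information of a system scoped token."""
+    if auth_ref.system_scoped:
+        if auth_ref.system.get('all'):
+            return 'all'
+
+
 # NOTE(jamielennox): this should probably be moved into its own file, but at
 # the moment there's no real logic here so just keep it locally.
 class _AuthTokenResponse(webob.Response):
@@ -95,6 +102,7 @@ class _AuthTokenRequest(webob.Request):
     _SERVICE_STATUS_HEADER = 'X-Service-Identity-Status'
 
     _ADMIN_PROJECT_HEADER = 'X-Is-Admin-Project'
+    _SYSTEM_SCOPE_HEADER = 'OpenStack-System-Scope'
 
     _SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
     _TOKEN_AUTH = 'keystone.token_auth'
@@ -154,6 +162,7 @@ class _AuthTokenRequest(webob.Request):
     def _set_auth_headers(self, auth_ref, prefix):
         names = ','.join(auth_ref.role_names)
         self.headers[self._ROLES_TEMPLATE % prefix] = names
+        self.headers[self._SYSTEM_SCOPE_HEADER] = _get_system_scope(auth_ref)
 
         for header_tmplt, attr in self._HEADER_TEMPLATE.items():
             self.headers[header_tmplt % prefix] = getattr(auth_ref, attr)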
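Review bot: `OpenStack-System-Scope` is written inside `_set_auth_headers` without using `prefix`, unlike the roles header on the line above it (`self._ROLES_TEMPLATE % prefix`), so every call to this method writes the same header name. If the method is also invoked for a service token (the callers are outside this hunk, but the module docs list paired `HTTP_X_SERVICE_*` variables), the service token's scope would replace the user token's, and a downstream policy check could attribute system scope to the wrong identity. Consider moving `self.headers[self._SYSTEM_SCOPE_HEADER] = _get_system_scope(auth_ref)` to the user-token-only path, and confirm the new header is among those stripped from incoming requests so a client-supplied value cannot survive when no token is validated. `_get_system_scope` also falls off the end for non-system tokens; an explicit `return None` would make that intended result visible.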

+ 15
- 0
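--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -1871,6 +1871,21 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
                                       with_catalog=False)
         self.assertLastPath('/v3/auth/tokens')
 
+    def test_valid_system_scoped_token_request(self):
+        delta_expected_env = {
+            'HTTP_OPENSTACK_SYSTEM_SCOPE': 'all',
+            'HTTP_X_PROJECT_ID': None,
+            'HTTP_X_PROJECT_NAME': None,
+            'HTTP_X_PROJECT_DOMAIN_ID': None,
+            'HTTP_X_PROJECT_DOMAIN_NAME': None,
+            'HTTP_X_TENANT_ID': None,
+            'HTTP_X_TENANT_NAME': None,
+            'HTTP_X_TENANT': None
+        }
+        self.set_middleware(expected_env=delta_expected_env)
+        self.assert_valid_request_200(self.examples.v3_SYSTEM_SCOPED_TOKEN)
+        self.assertLastPath('/v3/auth/tokens')
+
     def test_domain_scoped_uuid_request(self):
         # Modify items compared to default token for a domain scope
         delta_expected_env = {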
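Review bot: `test_valid_system_scoped_token_request` covers only the `{'all': True}` fixture, so the fall-through paths of `_get_system_scope` (a token that is not system-scoped, or a `system` dict without a truthy `all`) have no assertion. Since downstream services make authorization decisions on this variable, a companion case for a project-scoped token that expects `'HTTP_OPENSTACK_SYSTEM_SCOPE': None` would pin the negative behaviour, presumably following the `None` convention this test already uses for the project variables. A case that sends both a user token and a service token of differing scope would also be worth adding.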

+ 12
- 0
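--- a/keystonemiddleware/tests/unit/client_fixtures.py
+++ b/keystonemiddleware/tests/unit/client_fixtures.py
@@ -127,6 +127,7 @@ class Examples(fixtures.Fixture):
         self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792'
         self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2'
         self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2'
+        self.v3_SYSTEM_SCOPED_TOKEN = '9ca6e88364b6418a88ffc02e6a24afd8'
 
         self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124'
         self.UUID_SERVICE_TOKEN_BIND = '5e43439613d34a13a7e03b2762bd08ab'
@@ -380,6 +381,17 @@ class Examples(fixtures.Fixture):
                                 user_domain_name=DOMAIN_NAME)
         self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNSCOPED] = token
 
+        token = fixture.V3Token(user_id=USER_ID,
+                                user_name=USER_NAME,
+                                user_domain_id=DOMAIN_ID,
+                                user_domain_name=DOMAIN_NAME)
+        token.system = {'all': True}
+        token.add_role(id=ROLE_NAME1, name=ROLE_NAME1)
+        token.add_role(id=ROLE_NAME2, name=ROLE_NAME2)
+        svc = token.add_service(self.SERVICE_TYPE)
+        svc.add_endpoint('public', self.SERVICE_URL)
+        self.TOKEN_RESPONSES[self.v3_SYSTEM_SCOPED_TOKEN] = token
+
         token = fixture.V3Token(user_id=USER_ID,
                                 user_name=USER_NAME,
                                 user_domain_id=DOMAIN_ID,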

+ 7
- 0
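--- a/releasenotes/notes/bug-1766731-3b29192cfeb77964.yaml
+++ b/releasenotes/notes/bug-1766731-3b29192cfeb77964.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    [`bug 1766731 <https://bugs.launchpad.net/keystonemiddleware/+bug/1766731>`_]
+    Keystonemiddleware now supports system scoped tokens. When a system-scoped
+    token is parsed by auth_token middleware, it will set the
+    ``OpenStack-System-Scope`` header accordingly.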
