diff --git a/nova/api/auth.py b/nova/api/auth.py
index f97e933c40cb..b515a71a0f1a 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -76,29 +76,10 @@ class NovaKeystoneContext(wsgi.Middleware):
 @webob.dec.wsgify(RequestClass=wsgi.Request)
 def __call__(self, req):
- user_id = req.headers.get('X_USER')
- user_id = req.headers.get('X_USER_ID', user_id)
- if user_id is None:
- LOG.debug("Neither X_USER_ID nor X_USER found in request")
- return webob.exc.HTTPUnauthorized()
-
- roles = self._get_roles(req)
-
- if 'X_TENANT_ID' in req.headers:
- # This is the new header since Keystone went to ID/Name
- project_id = req.headers['X_TENANT_ID']
- else:
- # This is for legacy compatibility
- project_id = req.headers['X_TENANT']
 project_name = req.headers.get('X_TENANT_NAME')
 user_name = req.headers.get('X_USER_NAME')
-
 req_id = req.environ.get(request_id.ENV_REQUEST_ID)
- # Get the auth token
- auth_token = req.headers.get('X_AUTH_TOKEN',
- req.headers.get('X_STORAGE_TOKEN'))
-
 # Build a context, including the auth_token...
 remote_address = req.remote_addr
 if CONF.use_forwarded_for:
@@ -117,22 +98,18 @@ class NovaKeystoneContext(wsgi.Middleware):
 # middleware in newer versions.
 user_auth_plugin = req.environ.get('keystone.token_auth')
- ctx = context.RequestContext(user_id,
- project_id,
- user_name=user_name,
- project_name=project_name,
- roles=roles,
- auth_token=auth_token,
- remote_address=remote_address,
- service_catalog=service_catalog,
- request_id=req_id,
- user_auth_plugin=user_auth_plugin)
+ ctx = context.RequestContext.from_environ(
+ req.environ,
+ user_name=user_name,
+ project_name=project_name,
+ user_auth_plugin=user_auth_plugin,
+ remote_address=remote_address,
+ service_catalog=service_catalog,
+ request_id=req_id)
+
+ if ctx.user_id is None:
+ LOG.debug("Neither X_USER_ID nor X_USER found in request")
+ return webob.exc.HTTPUnauthorized()
 req.environ['nova.context'] = ctx
 return self.application
-
- def _get_roles(self, req):
- """Get the list of roles."""
-
- roles = req.headers.get('X_ROLES', '')
- return [r.strip() for r in roles.split(',')]
diff --git a/nova/context.py b/nova/context.py
index 57c6658a1eea..60f2b3f4c4d2 100644
--- a/nova/context.py
+++ b/nova/context.py
@@ -197,6 +197,19 @@ class RequestContext(context.RequestContext):
 instance_lock_checked=values.get('instance_lock_checked', False),
 )
+ @classmethod
+ def from_environ(cls, environ, **kwargs):
+ ctx = super(RequestContext, cls).from_environ(environ, **kwargs)
+
+ # the base oslo.context sets its user param and tenant param but not
+ # our user_id and project_id param so fix those up.
+ if ctx.user and not ctx.user_id:
+ ctx.user_id = ctx.user
+ if ctx.tenant and not ctx.project_id:
+ ctx.project_id = ctx.tenant
+
+ return ctx
+
 def elevated(self, read_deleted=None):
 """Return a version of this context with admin flag set."""
 context = copy.copy(self)
diff --git a/nova/tests/unit/api/test_auth.py b/nova/tests/unit/api/test_auth.py
index f88cfae6c161..18b48d949450 100644
--- a/nova/tests/unit/api/test_auth.py
+++ b/nova/tests/unit/api/test_auth.py
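Review bot: In nova/api/auth.py the new 401 guard tests only `ctx.user_id`, so a request that carries a user but no project is no longer stopped at this middleware. The removed code read `req.headers['X_TENANT']` by index when `X_TENANT_ID` was absent, so that case failed before a context was built; on the new side `ctx.project_id` can apparently remain `None` and the context is still stored in `req.environ['nova.context']`. If a project-less context is not intended, extend the guard to `if ctx.user_id is None or ctx.project_id is None:`; otherwise a comment above the guard should say that unscoped requests are allowed through on purpose. The debug message also still names only `X_USER_ID`/`X_USER` although the lookup now happens inside `from_environ`. `__call__` begins outside this hunk.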
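Review bot: `from_environ` in nova/context.py has no docstring, and it is now the single place where caller identity enters a RequestContext, so its trust assumption should be written down. Suggested: `"""Build a context from a WSGI environ whose identity headers were set by the auth middleware."""`, followed by a sentence that the values are taken as-is and the method must not be called on an environ that has not passed authentication. The fix-up also relies on truthiness (`ctx.user and not ctx.user_id`), so an explicit `user_id` or `project_id` passed through `**kwargs` can presumably differ from the `ctx.user`/`ctx.tenant` taken from the environ without the two being reconciled; a one-line comment saying which of them wins would help.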
@@ -91,7 +91,7 @@ class TestKeystoneMiddlewareRoles(test.NoDBTestCase):
 if "knight" in context.roles and "bad" not in context.roles:
 return webob.Response(status="200 Role Match")
- elif context.roles == ['']:
+ elif not context.roles:
 return webob.Response(status="200 No Roles")
 else:
 raise webob.exc.HTTPBadRequest("unexpected role header")
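Review bot: `elif not context.roles:` is looser than the equality it replaces: it also passes for `None` or an empty string, so the test no longer pins what the middleware produces when no role header is sent. If the intended value is an empty list, assert that directly with `elif context.roles == []:`. The enclosing test function starts outside this hunk, and nothing visible here exercises a request that has a user but no project, a case the middleware change in this commit appears to let through.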