Accept role list from either X-Roles or X-Role

Accept the list of roles from either the newer X-Roles header or the deprecated X-Role header. This is useful for interoperability with a software proxy in front of Nova API that performs token authentication and might use the older header. Change-Id: I47e33233edf596dd14d07b6be16b030fd6bc352d
2012-08-24 15:59:40 -05:00
parent 458ee2eac0
commit bc0ba55ae6
2 changed files with 74 additions and 2 deletions
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -77,8 +77,9 @@ class NovaKeystoneContext(wsgi.Middleware):
        if user_id is None:
            LOG.debug("Neither X_USER_ID nor X_USER found in request")
            return webob.exc.HTTPUnauthorized()
-        # get the roles
-        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
+
+        roles = self._get_roles(req)
+
        if 'X_TENANT_ID' in req.headers:
            # This is the new header since Keystone went to ID/Name
            project_id = req.headers['X_TENANT_ID']
@@ -117,3 +118,16 @@ class NovaKeystoneContext(wsgi.Middleware):

        req.environ['nova.context'] = ctx
        return self.application
+
+    def _get_roles(self, req):
+        """Get the list of roles"""
+
+        if 'X_ROLES' in req.headers:
+            roles = req.headers.get('X_ROLES', '')
+        else:
+            # Fallback to deprecated role header:
+            roles = req.headers.get('X_ROLE', '')
+            if roles:
+                LOG.warn(_("Sourcing roles from deprecated X-Role HTTP "
+                           "header"))
+        return [r.strip() for r in roles.split(',')]