policy: Add note about keystone's expansion of roles
The 'HTTP_X_ROLES' header will include both the primary role of the user and the implied roles. Clarify this in the stub we're using to mock that out. Change-Id: I0ab16c3a4d997a0a1f86d75323beaa86979bafa3 Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
parent
6498534c3b
commit
6805790dda
|
@ -49,15 +49,22 @@ class NoAuthMiddleware(Middleware):
|
||||||
token = req.headers['X-Auth-Token']
|
token = req.headers['X-Auth-Token']
|
||||||
user_id, _sep, project_id = token.partition(':')
|
user_id, _sep, project_id = token.partition(':')
|
||||||
project_id = project_id or user_id
|
project_id = project_id or user_id
|
||||||
|
|
||||||
|
# Real keystone expands and flattens roles to include their implied
|
||||||
|
# roles, e.g. admin implies member and reader, so tests should include
|
||||||
|
# this flattened list also
|
||||||
if 'HTTP_X_ROLES' in req.environ.keys():
|
if 'HTTP_X_ROLES' in req.environ.keys():
|
||||||
roles = req.headers['X_ROLES'].split(',')
|
roles = req.headers['X_ROLES'].split(',')
|
||||||
elif user_id == 'admin':
|
elif user_id == 'admin':
|
||||||
roles = ['admin']
|
roles = ['admin']
|
||||||
else:
|
else:
|
||||||
roles = []
|
roles = []
|
||||||
|
|
||||||
req.headers['X_USER_ID'] = user_id
|
req.headers['X_USER_ID'] = user_id
|
||||||
|
|
||||||
if not req.headers.get('OPENSTACK_SYSTEM_SCOPE'):
|
if not req.headers.get('OPENSTACK_SYSTEM_SCOPE'):
|
||||||
req.headers['X_TENANT_ID'] = project_id
|
req.headers['X_TENANT_ID'] = project_id
|
||||||
|
|
||||||
req.headers['X_ROLES'] = ','.join(roles)
|
req.headers['X_ROLES'] = ','.join(roles)
|
||||||
return self.application
|
return self.application
|
||||||
|
|
||||||
|
|
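Review bot: The `elif user_id == 'admin':` fallback directly below the new comment still assigns `roles = ['admin']`, which is not the flattened list the comment says real keystone would send. A test that relies on this default exercises a role set keystone would never produce for an admin, so policy rules keyed on the implied roles could pass or fail here differently than in a real deployment. If the project's policies check those roles (not visible in this hunk), the stub should match the comment with `roles = ['admin', 'member', 'reader']`. Otherwise, extend the comment to say that only callers passing `X_ROLES` explicitly are expected to supply the expanded list. The enclosing method of `NoAuthMiddleware` starts above the hunk, so any earlier handling of the token is not covered by this note.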