Admin users are able to access apps belonging to other tenants.
Users with an admin role (within a tenant) are able to list and manipulate apps belonging to other tenants. Users should be allowed access to apps that belong to the same tenant as the user. We need to introduce a global admin for use by customer service, devops and devs for troubleshooting end-user apps. This follows Heat's model of using a single tenant created specifically for accessing apps belonging to all tenants. Change-Id: I3524f47d051dd60fe3440b17f1574811f4cd1c65 Closes-bug: 1454838
parent
de32eb2db0
commit
3c4beeeb34
@ -14,8 +14,19 @@
import inspect
from oslo.config import cfg
from solum.openstack.common import context
AUTH_OPTS = [
cfg.StrOpt('solum_admin_tenant_id',
default='',
help='Tenant id of global admin'),
]
CONF = cfg.CONF
CONF.register_opts(AUTH_OPTS)
class RequestContext(context.RequestContext):
def __init__(self, auth_token=None, user=None, tenant=None, domain=None,
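Review bot: The help text on the new `solum_admin_tenant_id` option does not say what setting it does, and an operator needs to know that every request scoped to that tenant is treated as admin across all tenants before choosing a value. Suggest `help='Tenant id of the global admin tenant; any request scoped to this tenant is treated as admin for every tenant'`. The empty-string default is what makes the check in `__init__` a no-op when the option is unset, which is worth stating too, e.g. `# empty (the default) disables the global admin tenant` above the StrOpt.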
@ -36,6 +47,9 @@ class RequestContext(context.RequestContext):
self.auth_url = auth_url
self.trust_id = trust_id
self.auth_token_info = auth_token_info
global_admin_id = CONF.get('solum_admin_tenant_id')
if global_admin_id and global_admin_id == tenant:
self.is_admin = True
def to_dict(self):
data = super(RequestContext, self).to_dict()
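Review bot: Membership of the configured tenant is the only thing checked at `if global_admin_id and global_admin_id == tenant:` — the user's roles are not consulted, so any user scoped to the global-admin tenant, with any role, gets `is_admin` for every tenant. If `roles` is available in `__init__` (the signature starts outside this hunk), consider also requiring the admin role, e.g. `if global_admin_id and global_admin_id == tenant and roles and 'admin' in roles:`, and either way add a comment such as `# Requests scoped to the configured global-admin tenant act as admin across all tenants`. The truthiness guard on `global_admin_id` is what keeps an unset (empty) option from matching a tenant of '' or None, so it should stay. `__init__` begins outside this hunk.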
@ -75,15 +75,13 @@ def table_args():
def filter_by_project(context, query):
if context is not None:
is_admin = context.is_admin
if context.roles is not None:
is_admin |= 'admin' in context.roles
if not is_admin and context.tenant is not None:
try:
query = query.filter_by(project_id=context.tenant)
except sqla_exc.InvalidRequestError:
# No project_id column.
pass
if context.is_admin:
return query
try:
query = query.filter_by(project_id=context.tenant)
except sqla_exc.InvalidRequestError:
# No project_id column.
pass
return query
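Review bot: Dropping the `context.tenant is not None` guard changes what a non-admin context without a tenant sees: `query.filter_by(project_id=context.tenant)` with a None tenant is rendered by SQLAlchemy as `project_id IS NULL`, so such a context now gets only rows with no project instead of the unfiltered query it got before. That is the fail-closed direction and looks intended, but it should be stated, e.g. `# A non-admin context without a tenant only sees rows with no project_id` above the `try`. The unchanged `if context is not None:` guard still returns the query unfiltered when no context is passed at all, which bypasses the tenant scoping this commit tightens; if every caller that passes None is an internal one, a comment saying so would help, otherwise that path should also fail closed.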
@ -13,10 +13,14 @@
# under the License.
from solum.common import context
from solum.openstack.common.fixture import config
from solum.tests import base
class TestContext(base.BaseTestCase):
def setUp(self):
super(TestContext, self).setUp()
self.CONF = self.useFixture(config.Config())
def test_context_to_dict(self):
ctx = context.RequestContext('_token_', '_user_', '_tenant_',
@ -41,3 +45,53 @@ class TestContext(base.BaseTestCase):
self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')
def test_glabal_admin_true(self):
self.CONF.config(solum_admin_tenant_id='fake_tenant_id')
ctx = context.RequestContext('_token_', '_user_', 'fake_tenant_id',
'_domain_', '_user_domain_',
'_project_domain_', False, False,
'_request_id_', '_user_name_',
['admin', 'member'], 'fake_auth_url',
trust_id='fake_trust_id')
ctx_dict = ctx.to_dict()
self.assertEqual(ctx_dict['auth_token'], '_token_')
self.assertEqual(ctx_dict['user'], '_user_')
self.assertEqual(ctx_dict['tenant'], 'fake_tenant_id')
self.assertEqual(ctx_dict['domain'], '_domain_')
self.assertEqual(ctx_dict['user_domain'], '_user_domain_')
self.assertEqual(ctx_dict['project_domain'], '_project_domain_')
self.assertEqual(ctx_dict['is_admin'], True)
self.assertEqual(ctx_dict['read_only'], False)
self.assertEqual(ctx_dict['show_deleted'], False)
self.assertEqual(ctx_dict['auth_token'], '_token_')
self.assertEqual(ctx_dict['instance_uuid'], None)
self.assertEqual(ctx_dict['user_name'], '_user_name_')
self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')
def test_glabal_admin_false(self):
self.CONF.config(solum_admin_tenant_id='fake_tenant_id')
ctx = context.RequestContext('_token_', '_user_', '_tenant_id_',
'_domain_', '_user_domain_',
'_project_domain_', False, False,
'_request_id_', '_user_name_',
['admin', 'member'], 'fake_auth_url',
trust_id='fake_trust_id')
ctx_dict = ctx.to_dict()
self.assertEqual(ctx_dict['auth_token'], '_token_')
self.assertEqual(ctx_dict['user'], '_user_')
self.assertEqual(ctx_dict['tenant'], '_tenant_id_')
self.assertEqual(ctx_dict['domain'], '_domain_')
self.assertEqual(ctx_dict['user_domain'], '_user_domain_')
self.assertEqual(ctx_dict['project_domain'], '_project_domain_')
self.assertEqual(ctx_dict['is_admin'], False)
self.assertEqual(ctx_dict['read_only'], False)
self.assertEqual(ctx_dict['show_deleted'], False)
self.assertEqual(ctx_dict['auth_token'], '_token_')
self.assertEqual(ctx_dict['instance_uuid'], None)
self.assertEqual(ctx_dict['user_name'], '_user_name_')
self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')
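Review bot: Neither new test covers the default configuration: with `solum_admin_tenant_id` left at its empty default, a context whose tenant is `''` or `None` must not become admin, which is exactly the case the `if global_admin_id` guard in `RequestContext.__init__` exists for. A third test that omits the `self.CONF.config(...)` call, builds the context with tenant `''`, and asserts `ctx_dict['is_admin']` is False would pin that. The method names `test_glabal_admin_true` and `test_glabal_admin_false` misspell "global"; rename them to `test_global_admin_true` and `test_global_admin_false`. Both tests also repeat the full set of assertions from `test_context_to_dict` when only `tenant` and `is_admin` differ, so asserting just those two keys would make the intent of each test clearer.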