Admin users are able to access apps belonging to other tenants.

Users with an admin role (within a tenant) are able to list and
manipulate apps belonging to other tenants.

Users should be allowed access to apps that belong to the same
tenant as the user.

We need to introduce a global admin for use by customer service,
devops and devs for troubleshooting end user apps. This follows
Heats model of using a single tenant created specifically for
accessing apps belonging to all tenants.

Change-Id: I3524f47d051dd60fe3440b17f1574811f4cd1c65
Closes-bug: 1454838

solum/common/context.py

@@ -14,8 +14,19 @@
 
 import inspect
 
+from oslo.config import cfg
+
 from solum.openstack.common import context
 
+AUTH_OPTS = [
+    cfg.StrOpt('solum_admin_tenant_id',
+               default='',
+               help='Tenant id of global admin'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(AUTH_OPTS)
+
 
 class RequestContext(context.RequestContext):
     def __init__(self, auth_token=None, user=None, tenant=None, domain=None,
@@ -36,6 +47,9 @@ class RequestContext(context.RequestContext):
         self.auth_url = auth_url
         self.trust_id = trust_id
         self.auth_token_info = auth_token_info
+        global_admin_id = CONF.get('solum_admin_tenant_id')
+        if global_admin_id and global_admin_id == tenant:
+            self.is_admin = True
 
     def to_dict(self):
         data = super(RequestContext, self).to_dict()

solum/objects/sqlalchemy/models.py

@@ -75,15 +75,13 @@ def table_args():
 
 def filter_by_project(context, query):
     if context is not None:
-        is_admin = context.is_admin
-        if context.roles is not None:
-            is_admin |= 'admin' in context.roles
-        if not is_admin and context.tenant is not None:
-            try:
-                query = query.filter_by(project_id=context.tenant)
-            except sqla_exc.InvalidRequestError:
-                # No project_id column.
-                pass
+        if context.is_admin:
+            return query
+        try:
+            query = query.filter_by(project_id=context.tenant)
+        except sqla_exc.InvalidRequestError:
+            # No project_id column.
+            pass
     return query
 
 

solum/tests/common/test_context.py

@@ -13,10 +13,14 @@
 # under the License.
 
 from solum.common import context
+from solum.openstack.common.fixture import config
 from solum.tests import base
 
 
 class TestContext(base.BaseTestCase):
+    def setUp(self):
+        super(TestContext, self).setUp()
+        self.CONF = self.useFixture(config.Config())
 
     def test_context_to_dict(self):
         ctx = context.RequestContext('_token_', '_user_', '_tenant_',
@@ -41,3 +45,53 @@ class TestContext(base.BaseTestCase):
         self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
         self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
         self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')
+
+    def test_glabal_admin_true(self):
+        self.CONF.config(solum_admin_tenant_id='fake_tenant_id')
+        ctx = context.RequestContext('_token_', '_user_', 'fake_tenant_id',
+                                     '_domain_', '_user_domain_',
+                                     '_project_domain_', False, False,
+                                     '_request_id_', '_user_name_',
+                                     ['admin', 'member'], 'fake_auth_url',
+                                     trust_id='fake_trust_id')
+        ctx_dict = ctx.to_dict()
+        self.assertEqual(ctx_dict['auth_token'], '_token_')
+        self.assertEqual(ctx_dict['user'], '_user_')
+        self.assertEqual(ctx_dict['tenant'], 'fake_tenant_id')
+        self.assertEqual(ctx_dict['domain'], '_domain_')
+        self.assertEqual(ctx_dict['user_domain'], '_user_domain_')
+        self.assertEqual(ctx_dict['project_domain'], '_project_domain_')
+        self.assertEqual(ctx_dict['is_admin'], True)
+        self.assertEqual(ctx_dict['read_only'], False)
+        self.assertEqual(ctx_dict['show_deleted'], False)
+        self.assertEqual(ctx_dict['auth_token'], '_token_')
+        self.assertEqual(ctx_dict['instance_uuid'], None)
+        self.assertEqual(ctx_dict['user_name'], '_user_name_')
+        self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
+        self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
+        self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')
+
+    def test_glabal_admin_false(self):
+        self.CONF.config(solum_admin_tenant_id='fake_tenant_id')
+        ctx = context.RequestContext('_token_', '_user_', '_tenant_id_',
+                                     '_domain_', '_user_domain_',
+                                     '_project_domain_', False, False,
+                                     '_request_id_', '_user_name_',
+                                     ['admin', 'member'], 'fake_auth_url',
+                                     trust_id='fake_trust_id')
+        ctx_dict = ctx.to_dict()
+        self.assertEqual(ctx_dict['auth_token'], '_token_')
+        self.assertEqual(ctx_dict['user'], '_user_')
+        self.assertEqual(ctx_dict['tenant'], '_tenant_id_')
+        self.assertEqual(ctx_dict['domain'], '_domain_')
+        self.assertEqual(ctx_dict['user_domain'], '_user_domain_')
+        self.assertEqual(ctx_dict['project_domain'], '_project_domain_')
+        self.assertEqual(ctx_dict['is_admin'], False)
+        self.assertEqual(ctx_dict['read_only'], False)
+        self.assertEqual(ctx_dict['show_deleted'], False)
+        self.assertEqual(ctx_dict['auth_token'], '_token_')
+        self.assertEqual(ctx_dict['instance_uuid'], None)
+        self.assertEqual(ctx_dict['user_name'], '_user_name_')
+        self.assertEqual(ctx_dict['roles'], ['admin', 'member'])
+        self.assertEqual(ctx_dict['auth_url'], 'fake_auth_url')
+        self.assertEqual(ctx_dict['trust_id'], 'fake_trust_id')