openstack/swift
Code Issues Proposed changes

Merge "Add debug level logs for TempAuth.authorize."

Browse Source
This commit is contained in:
Jenkins
2013-02-27 02:05:36 +00:00
committed by Gerrit Code Review
parent 1dc38b4672 c52a992793
commit d3232d4fc5
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
swift/common/middleware/tempauth.py
View File

@@ -245,38 +245,65 @@ class TempAuth(object):
except ValueError: except ValueError:
self.logger.increment('errors') self.logger.increment('errors')
return HTTPNotFound(request=req) return HTTPNotFound(request=req)
if not account or not account.startswith(self.reseller_prefix): if not account or not account.startswith(self.reseller_prefix):
self.logger.debug("Account name: %s doesn't start with "
"reseller_prefix: %s."
% (account, self.reseller_prefix))
return self.denied_response(req) return self.denied_response(req)
user_groups = (req.remote_user or '').split(',') user_groups = (req.remote_user or '').split(',')
account_user = user_groups[1] if len(user_groups) > 1 else None
if '.reseller_admin' in user_groups and \ if '.reseller_admin' in user_groups and \
account != self.reseller_prefix and \ account != self.reseller_prefix and \
account[len(self.reseller_prefix)] != '.': account[len(self.reseller_prefix)] != '.':
req.environ['swift_owner'] = True req.environ['swift_owner'] = True
self.logger.debug("User %s has reseller admin authorizing."
% account_user)
return None return None
if account in user_groups and \ if account in user_groups and \
(req.method not in ('DELETE', 'PUT') or container): (req.method not in ('DELETE', 'PUT') or container):
# If the user is admin for the account and is not trying to do an # If the user is admin for the account and is not trying to do an
# account DELETE or PUT... # account DELETE or PUT...
req.environ['swift_owner'] = True req.environ['swift_owner'] = True
self.logger.debug("User %s has admin authorizing."
% account_user)
return None return None
if (req.environ.get('swift_sync_key') if (req.environ.get('swift_sync_key')
and (req.environ['swift_sync_key'] == and (req.environ['swift_sync_key'] ==
req.headers.get('x-container-sync-key', None)) req.headers.get('x-container-sync-key', None))
and 'x-timestamp' in req.headers): and 'x-timestamp' in req.headers):
self.logger.debug("Allow request with container sync-key: %s."
% req.environ['swift_sync_key'])
return None return None
if req.method == 'OPTIONS': if req.method == 'OPTIONS':
#allow OPTIONS requests to proceed as normal #allow OPTIONS requests to proceed as normal
self.logger.debug("Allow OPTIONS request.")
return None return None
referrers, groups = parse_acl(getattr(req, 'acl', None)) referrers, groups = parse_acl(getattr(req, 'acl', None))
if referrer_allowed(req.referer, referrers): if referrer_allowed(req.referer, referrers):
if obj or '.rlistings' in groups: if obj or '.rlistings' in groups:
self.logger.debug("Allow authorizing %s via referer ACL."
% req.referer)
return None return None
self.logger.debug("Disallow authorizing %s via referer ACL."
% req.referer)
return self.denied_response(req) return self.denied_response(req)
if not req.remote_user: if not req.remote_user:
return self.denied_response(req) return self.denied_response(req)
for user_group in user_groups: for user_group in user_groups:
if user_group in groups: if user_group in groups:
self.logger.debug("User %s allowed in ACL: %s authorizing."
% (account_user, user_group))
return None return None
return self.denied_response(req) return self.denied_response(req)
def denied_response(self, req): def denied_response(self, req):