diff --git a/bin/reddwarf-server b/bin/reddwarf-server index 82f14af381..ac55ee5e94 100755 --- a/bin/reddwarf-server +++ b/bin/reddwarf-server @@ -16,8 +16,6 @@ # License for the specific language governing permissions and limitations # under the License. -#TODO(jkoelker) Convert this to an entry_point - import gettext import optparse import os @@ -35,12 +33,9 @@ possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), if os.path.exists(os.path.join(possible_topdir, 'reddwarf', '__init__.py')): sys.path.insert(0, possible_topdir) -#from melange import ipv4 -#from melange import mac from reddwarf import version from reddwarf.common import config from reddwarf.common import wsgi -#from melange.db import db_api def create_options(parser): @@ -65,7 +60,6 @@ if __name__ == '__main__': (options, args) = config.parse_options(oparser) try: conf, app = config.Config.load_paste_app('reddwarf', options, args) - # db_api.configure_db(conf, ipv4.plugin(), mac.plugin()) server = wsgi.Server() server.start(app, options.get('port', conf['bind_port']), conf['bind_host']) diff --git a/etc/reddwarf/reddwarf.conf.sample b/etc/reddwarf/reddwarf.conf.sample index 481565870b..020afe3e5b 100644 --- a/etc/reddwarf/reddwarf.conf.sample +++ b/etc/reddwarf/reddwarf.conf.sample 
@@ -14,9 +14,9 @@ bind_port = 8779 # SQLAlchemy connection string for the reference implementation # registry server. Any valid SQLAlchemy connection string is fine. # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine -#sql_connection = sqlite:///melange_test.sqlite -# sql_connection = mysql://root:root@localhost/melange -#sql_connection = postgresql://melange:melange@localhost/melange +sql_connection = sqlite:///reddwarf_test.sqlite +# sql_connection = mysql://root:root@localhost/reddwarf +#sql_connection = postgresql://reddwarf:reddwarf@localhost/reddwarf # Period in seconds after which SQLAlchemy should reestablish its connection # to the database. @@ -28,7 +28,7 @@ bind_port = 8779 sql_idle_timeout = 3600 #DB Api Implementation -#db_api_implementation = "reddwarf.db.sqlalchemy.api" +db_api_implementation = "reddwarf.db.sqlalchemy.api" # Path to the extensions api_extensions_path = reddwarf/extensions @@ -52,7 +52,7 @@ use = call:reddwarf.common.wsgi:versioned_urlmap paste.app_factory = reddwarf.versions:app_factory [pipeline:reddwarfapi] -pipeline = reddwarfapp +pipeline = tokenauth authorization reddwarfapp #pipeline = debug extensions reddwarfapp #[filter:extensions] @@ -62,14 +62,16 @@ pipeline = reddwarfapp paste.filter_factory = keystone.middleware.auth_token:filter_factory service_protocol = http service_host = 127.0.0.1 -service_port = 808 +service_port = 5000 auth_host = 127.0.0.1 -auth_port = 5001 +auth_port = 35357 auth_protocol = http +auth_uri = http://127.0.0.1:5000/ admin_token = be19c524ddc92109a224 -#[filter:authorization] -#paste.filter_factory = reddwarf.common.auth:AuthorizationMiddleware.factory + +[filter:authorization] +paste.filter_factory = reddwarf.common.auth:AuthorizationMiddleware.factory [app:reddwarfapp] paste.app_factory = reddwarf.database.service:app_factory diff --git a/reddwarf/__init__.py b/reddwarf/__init__.py index 3e2e36066c..5a275247dd 100644 --- a/reddwarf/__init__.py 
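Review bot: The `authorization` filter added to this pipeline takes its role and tenant from the `X_ROLE` and `X_TENANT` request headers, so it is only safe when `tokenauth` runs directly in front of it and overwrites whatever the client sent; the retained alternative `#pipeline = debug extensions reddwarfapp` drops both filters and leaves the API unauthenticated. A comment next to the pipeline line would keep an operator from reordering or dropping `tokenauth`, e.g. `# tokenauth MUST precede authorization: it supplies the X_ROLE/X_TENANT headers that authorization trusts`. Whether keystone's auth_token also strips client-supplied copies of those headers is not visible here and should be confirmed before relying on it.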
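Review bot: `admin_token = be19c524ddc92109a224` is a realistic-looking secret in a shipped sample, and with `auth_protocol = http` and `auth_uri = http://127.0.0.1:5000/` that service token, plus every user token `tokenauth` validates, travels to keystone in clear text. Replace the value with an obvious placeholder such as `admin_token = CHANGE_ME` and add a comment above it, `# admin_token grants full keystone admin rights: keep this file unreadable to other users and set auth_protocol = https when keystone is not on this host`. The `[filter:tokenauth]` section header sits above this hunk, so the section may hold further keys not shown here.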
+++ b/reddwarf/__init__.py @@ -1,7 +1,6 @@ # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. +# Copyright 2011 OpenStack LLC. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -15,7 +14,6 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. - """ :mod:`reddwarf` -- Cloud PaaS Database Platform =================================== @@ -25,8 +23,3 @@ :synopsis: Platform-As-A-Service Database Cloud .. moduleauthor:: Michael Basnight """ - -import gettext - - -gettext.install("reddwarf", unicode=1) diff --git a/reddwarf/common/auth.py b/reddwarf/common/auth.py new file mode 100644 index 0000000000..c070ab7766 --- /dev/null +++ b/reddwarf/common/auth.py 
@@ -0,0 +1,70 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2011 OpenStack LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import httplib2 +import logging +import re +import webob.exc +import wsgi + + +LOG = logging.getLogger("reddwarf.common.auth") + + +class AuthorizationMiddleware(wsgi.Middleware): + + def __init__(self, application, auth_providers, **local_config): + self.auth_providers = auth_providers + LOG.debug("Auth middleware providers: %s" % auth_providers) + super(AuthorizationMiddleware, self).__init__(application, + **local_config) + + def process_request(self, request): + roles = request.headers.get('X_ROLE', '').split(',') + LOG.debug("Processing auth request with roles: %s" % roles) + tenant_id = request.headers.get('X_TENANT', None) + LOG.debug("Processing auth request with tenant_id: %s" % tenant_id) + for provider in self.auth_providers: + provider.authorize(request, tenant_id, roles) + + @classmethod + def factory(cls, global_config, **local_config): + def _factory(app): + LOG.debug("Created auth middleware with config: %s" % local_config) + return cls(app, [TenantBasedAuth()], + **local_config) + return _factory + + +class TenantBasedAuth(object): + + # The paths differ from melange, so the regex must differ as well, reddwarf starts with a tenant_id + tenant_scoped_url = re.compile("/(?P.*?)/.*") + + def authorize(self, request, tenant_id, roles): + if 'admin' in [role.lower() for role in roles]: + 
LOG.debug("Authorized admin request: %s" % request) + return True + match_for_tenant = self.tenant_scoped_url.match(request.path_info) + if (match_for_tenant and + tenant_id == match_for_tenant.group('tenant_id')): + LOG.debug("Authorized tenant '%(tenant_id)s' request: " + "%(request)s" % locals()) + return True + raise webob.exc.HTTPForbidden(_("User with tenant id %s cannot " + "access this resource") % tenant_id) + diff --git a/reddwarf/openstack/__init__.py b/reddwarf/openstack/__init__.py index 0519dd3ece..d65c689a83 100644 --- a/reddwarf/openstack/__init__.py +++ b/reddwarf/openstack/__init__.py @@ -1 +1,16 @@ -__author__ = 'mbasnight' +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2011 OpenStack LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. diff --git a/reddwarf/openstack/common/__init__.py b/reddwarf/openstack/common/__init__.py index 0519dd3ece..d65c689a83 100644 --- a/reddwarf/openstack/common/__init__.py +++ b/reddwarf/openstack/common/__init__.py 
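Review bot: Both success branches of `TenantBasedAuth.authorize` log the whole request object (`LOG.debug("Authorized admin request: %s" % request)` and `"%(request)s" % locals()`); webob renders a `Request` as the full HTTP message, headers included, so the `X-Auth-Token` that `tokenauth` just validated lands in the debug log on every authorized call, and the excerpt below logs only method and path instead. Separately, `_` is neither imported nor defined in this module while the same commit removes `gettext.install("reddwarf", unicode=1)` from `reddwarf/__init__.py`, so unless something else installs `_` as a builtin first (bin/reddwarf-server still imports gettext, but no install call is in view) the deny path raises NameError and the client gets a 500 instead of the intended 403; importing gettext in this module, or keeping the install call somewhere guaranteed to run first, closes that. The admin check trusts `X_ROLE` exactly as delivered, so this filter must never be deployed without `tokenauth` ahead of it, and `role.strip()` before lowering avoids a spurious deny on a value like `"member, admin"`; `import httplib2` is unused and can go. As rendered on this page the pattern reads `(?P.*?)`, which would not compile, presumably `(?P<tenant_id>.*?)` in the actual file.
```python
    def authorize(self, request, tenant_id, roles):
        # Log method and path only: str(request) would include every
        # header, i.e. the X-Auth-Token that tokenauth just validated.
        if 'admin' in [role.strip().lower() for role in roles]:
            LOG.debug("Authorized admin request: %s %s" %
                      (request.method, request.path_info))
            return True
        match_for_tenant = self.tenant_scoped_url.match(request.path_info)
        if (match_for_tenant and
            tenant_id == match_for_tenant.group('tenant_id')):
            LOG.debug("Authorized tenant '%s' request: %s %s" %
                      (tenant_id, request.method, request.path_info))
            return True
        # … unchanged: HTTPForbidden raise …
```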
@@ -1 +1,16 @@ -__author__ = 'mbasnight' +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2011 OpenStack LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License.