Create region with payload authentication

Change-Id: I237d1df49082801e24e4cc55b22074aed5809f19
2019-05-23 13:11:33 -07:00 · 2019-05-23 13:11:33 -07:00 · cda08c8d59
parent 265761babd
commit cda08c8d59
1 changed files with 26 additions and 4 deletions
--- a/orm/services/region_manager/rms/utils/authentication.py
+++ b/orm/services/region_manager/rms/utils/authentication.py
@ -1,3 +1,4 @@
+import json
 import logging

 from orm.common.client.keystone.keystone_utils import tokens
@ -23,14 +24,19 @@ def authorize(request, action, skip_auth=False):
    if not _is_authorization_enabled(conf) or skip_auth:
        return

-    auth_region = request.headers.get('X-Auth-Region')
+    use_payload_url =\
+        action == 'region:create' or action == 'region:update'
+    keystone_ep = None
    try:
-        keystone_ep = get_keystone_ep(auth_region)
+        if use_payload_url:
+            keystone_ep = _get_request_keystone_ep(request)
+        if not keystone_ep:
+            auth_region = request.headers.get('X-Auth-Region')
+            keystone_ep = get_keystone_ep(auth_region)
    except Exception:
        # Failed to find Keystone EP - we'll set it to None instead of failing
        # because the rule might be to let everyone pass
        keystone_ep = None
-
    policy.authorize(action, request, conf, keystone_ep=keystone_ep)


@ -48,6 +54,22 @@ def get_token_conf(app_conf):
    user_domain_name = app_conf.authentication.user_domain_name
    project_domain_name = app_conf.authentication.project_domain_name
    conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
-                            keystone_version, user_domain_name, project_domain_name)
+                            keystone_version, user_domain_name,
+                            project_domain_name)

    return conf
+
+
+def _get_request_keystone_ep(request):
+    keystone_ep = None
+    try:
+        request_body = request.body if request.body else {}
+        endpoints = json.loads(request_body).get('endpoints')
+        endpoint_url = [endpoint.get('publicURL')
+                        for endpoint in endpoints
+                        if endpoint.get('type') == 'identity']
+        keystone_ep = endpoint_url[0] if endpoint_url else None
+    except Exception:
+        keystone_ep = None
+
+    return keystone_ep