This adds a method in glance.context that will give us a
keystoneauth1 client, authorized with the user's token, suitable for
calling directly to other services.
Related to blueprint distributed-image-import
Change-Id: I71ed8c80939b4cfab6a081c2f8cde63299fc7893
The oslo.policy's Enforcer() object will transpose authorization
information from oslo.context RequestContext objects if you pass one
to enforce()[0].
This commit simplifies the enforcement code in glance by letting
oslo.policy handle the translation instead of glance. This allows us to
remove the to_policy_values() method maintained in glance since it's no
longer used.
[0] 775641a5fc
Related: blueprint secure-rbac
Change-Id: Ie7f9a9201361c56e0f0a289ef93443b9e277357c
This adds an elevated() method to glance.context.RequestContext similar
to what Nova and other projects use. When doing something as admin on
behalf of a user, this results in a whole context, including information
about the user and the request, but with is_admin==True.
Change-Id: I5499946425b1c32476c57241b4b14b601daa841f
RequestContext.tenant and user fields are deprecated in favor
of project_id and user_id respectively.
This change modifies the glance.context.RequestContext constructor
to transition usage of tenant/user to project_id/user_id until
all tests are moved over to the new attributes. Runtime usage of
the old fields is updated.
To prevent new code from using the deprecated fields, a warnings
filter is added which will make tests fail if they hit code using
the old fields.
Co-Authored-By: Abhishek Kekane <akekane@redhat.com>
Change-Id: I351380840308a24769ece93abc6d1a9a6d6aa06f
Various RequestContext values have been renamed and the old names
deprecated. This results in a large amount of DeprecationWarning
messages in the logs.
This updates glance.context.RequestContext to use the new names.
Change-Id: Id34637542051cfdc532eebdfbf95edd8a58467da
In an effort to standardize policy and authentication values
oslo.context has new features such as from_environ which constructs a
standard oslo.context object from the environment variables created by
auth_token middleware and to_policy_values which emits a standard
credentials target for writing common policy files across services.
Use these standard functions when dealing with contexts and policy in
glance.
Closes-Bug: #1602081
Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489
Starting from version 2.2.0 oslo context has an out-of-the-box 'roles'
attribute that can store user roles. So Glance doesn't need to implement
a custom attribute for roles in Request Context anymore.
Change-Id: I39804ebc5f91ce6ad5bfb9c52b324d4cc8a8b115
The RequestContext class from oslo-incubator uses 'auth_token'.
Glance's RequestContext uses 'auth_tok' -- which is inconsistent.
glance_store currently uses the oslo 'auth_token'.
We should not assume a 1-1 mapping from the glance_store to glance,
nor should we have glance_store support both 'auth_token' and
'auth_tok'. Therefore Glance should be updated to use 'auth_token'.
This change was generated automatically with:
$ for file in `find glance -name '*\.py' -exec grep -wl auth_tok "{}" \;` ; \
do sed --in-place 's/\<auth_tok\>/auth_token/g' $file ; done
In addition, the set_auth_token function was removed. This had been used
by Nova to work around the auth_tok <-> auth_token inconsistency, but
was removed in mid-2012 as part of the move to python-glanceclient so
is no longer needed.
In conjunction with other changes this fixes image upload when
using the multi-tenant Swift store.
Change-Id: Ic8a5f44088990fd8f6290a5622b823f59ef365fc
Partial-bug: #1385213
The user_identity is generated from user, tenant, domain,
user_domain and project_domain.
The new domain-related values default to None.
Closes-Bug: #1283080
Change-Id: I5e43142afba3492ecf05b65ba24ee70f158f88de
Each project should directly use the standard uuid module.
uuidutils will be deprecated/removed in this cycle.
This patch replaces every uuidutils.generate_uuid() with
str(uuid.uuid4()) and uuidutils.is_uuid_like()
with utils.is_uuid_like().
Change-Id: I43642d4f1e137c14134b3d544e367b504b9851ac
Closes-Bug: #1253497
Fixes bug 1152716
If the context roles do not match the configured admin_role,
fall back to determining if admin via the "context_is_admin"
RBAC policy rule (for consistency with the approach used by
the other projects).
Note this requires that the "context_is_admin" rule *must*
be set in the policy.json if the out-of-the-box default rule
is used (as this default is so open, the net effect of omitting
the "context_is_admin" rule is for every request to acquire
admin status).
Change-Id: Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
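The fallback described in the commit message above, as an added example that is not Glance or oslo.policy code: a simplified model of rule lookup showing how an open default rule grants admin status when "context_is_admin" is absent, plus a check that flags that combination. The empty-string default, the two modelled rule forms and the sample policies are constructed assumptions.

```python
# Simplified stand-in for policy.json rule lookup; NOT oslo.policy or Glance code.
# Only two rule forms are modelled: "" (always allow) and "role:<name>".

def check(rule_text, roles):
    """Evaluate one rule string against the caller's roles."""
    if rule_text == "":
        return True
    if rule_text.startswith("role:"):
        return rule_text[len("role:"):] in roles
    raise ValueError("rule form not modelled: %r" % rule_text)


def enforce(rules, name, roles):
    """Look up a rule by name, falling back to "default" when it is absent."""
    rule_text = rules.get(name, rules.get("default"))
    if rule_text is None:
        return False  # no rule and no default: deny
    return check(rule_text, roles)


def is_admin(rules, roles, admin_role="admin"):
    """Admin decision as the commit message describes it:
    the configured admin_role first, then the context_is_admin rule."""
    if admin_role in roles:
        return True
    return enforce(rules, "context_is_admin", roles)


def admin_rule_missing_with_open_default(rules):
    """Deployment check: flags the combination the commit message warns about."""
    return "context_is_admin" not in rules and rules.get("default") == ""


# Constructed sample policies.
WITHOUT_RULE = {"default": ""}
WITH_RULE = {"default": "", "context_is_admin": "role:admin"}

if __name__ == "__main__":
    for label, rules in (("without rule", WITHOUT_RULE), ("with rule", WITH_RULE)):
        print(label, "| member is admin:", is_admin(rules, ["member"]),
              "| flagged:", admin_rule_missing_with_open_default(rules))
```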
* Update to oslo-incubator commit b17b268a269c4989d76267db5c2d49d4c20bd51d.
* Update usage of 'deferred_version_string' to 'cached_version_string'
* Add context values 'user' and 'tenant' for context-logging
* Remove prefixes that resolve to '%prog' in --version CLI output
Change-Id: I24d9a24ad1a6e9379008ea719c9cbd22899111f9
Updates the ContextMiddleware so that it stores the service_catalog
which is set via Keystone's auth_token middleware.
The motivation for this change is that we'll need access to the
'object-store' endpoint in order to implement swift tenant specific
storage.
Partially implements blueprint: swift-tenant-specific-storage
Change-Id: I0389e135f6683a353ae915b543d70f6ac1246b2c
* Generate a uuid in RequestContext.request_id on init
* Present request_id in an 'x-openstack-request-id' header using
process_response in the ContextMiddlewares
* Related to bp glance-request-tracking
Change-Id: Idd9b86661322250b6167a1ee23e5baae91066ff6
* Move RequestContext class to glance.context
* Move context middlewares to glance.api.middleware
* Update tests to reflect move
* Update paste configs
Related to bp glance-request-tracking
Change-Id: I289b546ec28c973a3022be779ce378ae2febb340