authorLance Bragstad <lbragstad@gmail.com>2018-04-24 22:10:37 +0000
committerLance Bragstad <lbragstad@gmail.com>2018-05-02 19:15:16 +0000
commit245c91f2e3d499498e5f0edd30c23504cda9d111 (patch)
tree5e2eaeddf95b75dda6debf1160c831f18251c68a
parent686f7a5b0b13a7ef4c7ce6721e6c9e601816ad45 (diff)
Introduce new header for system-scoped tokens
Keystonemiddleware attempts to parse user/service tokens and populate request headers for other services to consume. This information is important for services looking to build oslo.context objects from request environments. Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812 Closes-Bug: 1766731
Notes
Notes (review): Code-Review+1: Morgan Fainberg <morgan.fainberg@gmail.com> Code-Review+2: ayoung <ayoung@redhat.com> Code-Review+1: Jamie Lennox <jamielennox@gmail.com> Code-Review+2: Gage Hugo <gagehugo@gmail.com> Code-Review+1: Harry Rybacki <hrybacki@redhat.com> Workflow+1: Morgan Fainberg <morgan.fainberg@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 09 May 2018 16:21:55 +0000 Reviewed-on: https://review.openstack.org/564072 Project: openstack/keystonemiddleware Branch: refs/heads/master
-rw-r--r--keystonemiddleware/auth_token/__init__.py5
-rw-r--r--keystonemiddleware/auth_token/_request.py9
-rw-r--r--keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py15
-rw-r--r--keystonemiddleware/tests/unit/client_fixtures.py12
-rw-r--r--releasenotes/notes/bug-1766731-3b29192cfeb77964.yaml7
5 files changed, 48 insertions, 0 deletions
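--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -72,6 +72,11 @@ HTTP_X_IDENTITY_STATUS, HTTP_X_SERVICE_IDENTITY_STATUS
     presented. This allows the underlying service to determine if a
     denial should use ``401 Unauthenticated`` or ``403 Forbidden``.
 
+HTTP_OPENSTACK_SYSTEM_SCOPE
+    A string relaying system information about the token's scope. This
+    attribute is only present if the token is system-scoped. The string ``all``
+    means the token is scoped to the entire deployment system.
+
 HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
     Identity service managed unique identifier, string. Only present if
     this is a domain-scoped token.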
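--- a/keystonemiddleware/auth_token/_request.py
+++ b/keystonemiddleware/auth_token/_request.py
@@ -62,6 +62,13 @@ def _is_admin_project(auth_ref):
     return 'True' if auth_ref.is_admin_project else 'False'
 
 
+def _get_system_scope(auth_ref):
+    """Return the scope information of a system scoped token."""
+    if auth_ref.system_scoped:
+        if auth_ref.system.get('all'):
+            return 'all'
+
+
 # NOTE(jamielennox): this should probably be moved into its own file, but at
 # the moment there's no real logic here so just keep it locally.
 class _AuthTokenResponse(webob.Response):
@@ -95,6 +102,7 @@ class _AuthTokenRequest(webob.Request):
     _SERVICE_STATUS_HEADER = 'X-Service-Identity-Status'
 
     _ADMIN_PROJECT_HEADER = 'X-Is-Admin-Project'
+    _SYSTEM_SCOPE_HEADER = 'OpenStack-System-Scope'
 
     _SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
     _TOKEN_AUTH = 'keystone.token_auth'
@@ -154,6 +162,7 @@ class _AuthTokenRequest(webob.Request):
     def _set_auth_headers(self, auth_ref, prefix):
         names = ','.join(auth_ref.role_names)
         self.headers[self._ROLES_TEMPLATE % prefix] = names
+        self.headers[self._SYSTEM_SCOPE_HEADER] = _get_system_scope(auth_ref)
 
         for header_tmplt, attr in self._HEADER_TEMPLATE.items():
             self.headers[header_tmplt % prefix] = getattr(auth_ref, attr)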
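Review bot: The new line in `_set_auth_headers` writes `OpenStack-System-Scope` without `prefix`, unlike `self._ROLES_TEMPLATE % prefix` just above it, so if this method runs once per token for the user and the service prefixes (the `X-Service-…` header family elsewhere on this page suggests it does) the second call overwrites the first, and a non-system-scoped service token would reset the user's value to `None`. Assigning the header only on the user-token pass, or otherwise not letting the service pass clobber it, would keep the value tied to the token the docstring describes; `_set_auth_headers` continues past the end of the hunk. Wherever the middleware strips client-supplied identity headers before the token is validated (not shown here), `_SYSTEM_SCOPE_HEADER` should be added to that list so an inbound value cannot survive on requests where `_set_auth_headers` never runs. In `_get_system_scope`, closing with an explicit `return None` would make the fall-through result for non-system-scoped tokens read as intended rather than accidental.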
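--- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
@@ -1871,6 +1871,21 @@ class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
                                    with_catalog=False)
         self.assertLastPath('/v3/auth/tokens')
 
+    def test_valid_system_scoped_token_request(self):
+        delta_expected_env = {
+            'HTTP_OPENSTACK_SYSTEM_SCOPE': 'all',
+            'HTTP_X_PROJECT_ID': None,
+            'HTTP_X_PROJECT_NAME': None,
+            'HTTP_X_PROJECT_DOMAIN_ID': None,
+            'HTTP_X_PROJECT_DOMAIN_NAME': None,
+            'HTTP_X_TENANT_ID': None,
+            'HTTP_X_TENANT_NAME': None,
+            'HTTP_X_TENANT': None
+        }
+        self.set_middleware(expected_env=delta_expected_env)
+        self.assert_valid_request_200(self.examples.v3_SYSTEM_SCOPED_TOKEN)
+        self.assertLastPath('/v3/auth/tokens')
+
     def test_domain_scoped_uuid_request(self):
         # Modify items compared to default token for a domain scope
         delta_expected_env = {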
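Review bot: `test_valid_system_scoped_token_request` pins only the positive case; nothing on the page asserts that a project- or domain-scoped token leaves `HTTP_OPENSTACK_SYSTEM_SCOPE` unset (`None`), which is the property the `__init__.py` docstring promises ("only present if the token is system-scoped"). Adding `'HTTP_OPENSTACK_SYSTEM_SCOPE': None` to the default expected environment, or at least to the `delta_expected_env` of `test_domain_scoped_uuid_request` that starts at the bottom of this hunk, would lock that in and would also surface any later overwrite of the user's value by a service-token pass. The methods before and after the new test start and end outside the hunk.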
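--- a/keystonemiddleware/tests/unit/client_fixtures.py
+++ b/keystonemiddleware/tests/unit/client_fixtures.py
@@ -127,6 +127,7 @@ class Examples(fixtures.Fixture):
         self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792'
         self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2'
         self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2'
+        self.v3_SYSTEM_SCOPED_TOKEN = '9ca6e88364b6418a88ffc02e6a24afd8'
 
         self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124'
         self.UUID_SERVICE_TOKEN_BIND = '5e43439613d34a13a7e03b2762bd08ab'
@@ -383,6 +384,17 @@ class Examples(fixtures.Fixture):
         token = fixture.V3Token(user_id=USER_ID,
                                 user_name=USER_NAME,
                                 user_domain_id=DOMAIN_ID,
+                                user_domain_name=DOMAIN_NAME)
+        token.system = {'all': True}
+        token.add_role(id=ROLE_NAME1, name=ROLE_NAME1)
+        token.add_role(id=ROLE_NAME2, name=ROLE_NAME2)
+        svc = token.add_service(self.SERVICE_TYPE)
+        svc.add_endpoint('public', self.SERVICE_URL)
+        self.TOKEN_RESPONSES[self.v3_SYSTEM_SCOPED_TOKEN] = token
+
+        token = fixture.V3Token(user_id=USER_ID,
+                                user_name=USER_NAME,
+                                user_domain_id=DOMAIN_ID,
                                 user_domain_name=DOMAIN_NAME,
                                 domain_id=DOMAIN_ID,
                                 domain_name=DOMAIN_NAME)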
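--- /dev/null
+++ b/releasenotes/notes/bug-1766731-3b29192cfeb77964.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    [`bug 1766731 <https://bugs.launchpad.net/keystonemiddleware/+bug/1766731>`_]
+    Keystonemiddleware now supports system scoped tokens. When a system-scoped
+    token is parsed by auth_token middleware, it will set the
+    ``OpenStack-System-Scope`` header accordingly.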