Merge "[APIv2]Nix custom OpenStack-Project-ID header"
commit
bc2f5f03e2
|
@ -61,9 +61,10 @@ Communicating with the v2 API
|
|||
-----------------------------
|
||||
|
||||
The v2 API makes at least one major change from the previous versions,
|
||||
removing the OpenStack project identifier from the URL. Instead of
|
||||
adding this UUID to the URL, it is now required to be included as a
|
||||
header named ``OpenStack-Project-ID``.
|
||||
removing the OpenStack project identifier from the URL. Now users of
|
||||
the API do not provide their project ID explictly; instead we fully
|
||||
trust keystonemiddeware to provide it in the WSGI environment based
|
||||
on the given user token.
|
||||
|
||||
For example, in previous versions of the API, a call to get the list of
|
||||
clusters for project "12345678-1234-1234-1234-123456789ABC" would have
|
||||
|
@ -72,19 +73,16 @@ been made as follows::
|
|||
GET /v1.1/12345678-1234-1234-1234-123456789ABC/clusters
|
||||
X-Auth-Token: {valid auth token}
|
||||
|
||||
This call would now be made to the following URL, while including the
|
||||
project identifier in a header named ``OpenStack-Project-ID``::
|
||||
This call would now be made to the following URL::
|
||||
|
||||
GET /v2/clusters
|
||||
X-Auth-Token: {valid auth token}
|
||||
OpenStack-Project-ID: 12345678-1234-1234-1234-123456789ABC
|
||||
|
||||
Using a tool like `HTTPie <https://httpie.org/>`_, the
|
||||
same request could be made like this::
|
||||
|
||||
$ httpie http://{sahara service ip:port}/v2/clusters \
|
||||
X-Auth-Token:{valid auth token} \
|
||||
OpenStack-Project-ID:12345678-1234-1234-1234-123456789ABC
|
||||
X-Auth-Token:{valid auth token}
|
||||
|
||||
Following the implementation progress
|
||||
-------------------------------------
|
||||
|
|
|
@ -67,16 +67,16 @@ class AuthValidatorV2(base.Middleware):
|
|||
|
||||
@webob.dec.wsgify
|
||||
def __call__(self, req):
|
||||
"""Ensures that the requested and token tenants match
|
||||
"""Ensures valid path and tenant
|
||||
|
||||
Handle incoming requests by checking tenant info from the
|
||||
headers and url ({tenant_id} url attribute), if using v1 or v1.1
|
||||
APIs. If using the v2 API, this function will check the token
|
||||
tenant and the requested tenant in the headers.
|
||||
APIs. If using the v2 API, this function just makes sure that
|
||||
keystonemiddleware has populated the WSGI environment.
|
||||
|
||||
Pass request downstream on success.
|
||||
Reject request if tenant_id from headers is not equal to the
|
||||
tenant_id from url or v2 project header.
|
||||
tenant_id from url in the case of v1.
|
||||
"""
|
||||
path = req.environ['PATH_INFO']
|
||||
if path != '/':
|
||||
|
@ -88,7 +88,6 @@ class AuthValidatorV2(base.Middleware):
|
|||
try:
|
||||
if path.startswith('/v2'):
|
||||
version, rest = strutils.split_path(path, 2, 2, True)
|
||||
requested_tenant = req.headers.get('OpenStack-Project-ID')
|
||||
else:
|
||||
version, requested_tenant, rest = strutils.split_path(
|
||||
path, 3, 3, True)
|
||||
|
@ -96,8 +95,9 @@ class AuthValidatorV2(base.Middleware):
|
|||
LOG.warning("Incorrect path: {path}".format(path=path))
|
||||
raise ex.HTTPNotFound(_("Incorrect path"))
|
||||
|
||||
if token_tenant != requested_tenant:
|
||||
LOG.debug("Unauthorized: token tenant != requested tenant")
|
||||
raise ex.HTTPUnauthorized(
|
||||
_('Token tenant != requested tenant'))
|
||||
if path.startswith('/v1'):
|
||||
if token_tenant != requested_tenant:
|
||||
LOG.debug("Unauthorized: token tenant != requested tenant")
|
||||
raise ex.HTTPUnauthorized(
|
||||
_('Token tenant != requested tenant'))
|
||||
return self.application
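Review bot: The tenant comparison is now gated on `path.startswith('/v1')`, but the parsing `else` branch above still takes every path that does not start with `/v2`, so a three-segment path under any other prefix gets a `requested_tenant` parsed and is then passed downstream without the token/URL match that was unconditional before this change. Whether such a prefix is routable is not visible here, but the check should fail closed, for example `if not path.startswith('/v2'):`, so the two branches stay complementary. `startswith('/v2')` also accepts a first segment such as `/v2x`; comparing the parsed `version` value would be stricter. For v2 the only remaining tenant source is the environment that keystonemiddleware populates, so a comment stating that this middleware must run behind keystonemiddleware in the pipeline would help. The start of `__call__` and the `token_tenant` lookup lie outside this hunk.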
|
||||
|
|
|
@ -77,19 +77,17 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
|
|||
def test_auth_ok(self):
|
||||
req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
|
||||
method="GET",
|
||||
environ={"HTTP_X_TENANT_ID": "tid"},
|
||||
headers={"OpenStack-Project-ID": "tid"})
|
||||
environ={"HTTP_X_TENANT_ID": "tid"})
|
||||
res = req.get_response(self.app)
|
||||
self.assertEqual(200, res.status_code)
|
||||
|
||||
def test_auth_ok_without_path(self):
|
||||
req = webob.Request.blank("/", accept="text/plain", method="GET",
|
||||
environ={"HTTP_X_TENANT_ID": "tid"},
|
||||
headers={"OpenStack-Project-ID": "tid"})
|
||||
environ={"HTTP_X_TENANT_ID": "tid"})
|
||||
res = req.get_response(self.app)
|
||||
self.assertEqual(200, res.status_code)
|
||||
|
||||
def test_auth_without_header(self):
|
||||
def test_auth_without_environ(self):
|
||||
req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
|
||||
method="GET")
|
||||
res = req.get_response(self.app)
|
||||
|
@ -100,11 +98,3 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
|
|||
environ={"HTTP_X_TENANT_ID": "tid"})
|
||||
res = req.get_response(self.app)
|
||||
self.assertEqual(404, res.status_code)
|
||||
|
||||
def test_auth_different_tenant(self):
|
||||
req = webob.Request.blank("/v2/tid1/clusters", accept="text/plain",
|
||||
method="GET",
|
||||
environ={"HTTP_X_TENANT_ID": "tid2"},
|
||||
headers={"OpenStack-Project-ID": "tid"})
|
||||
res = req.get_response(self.app)
|
||||
self.assertEqual(401, res.status_code)
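Review bot: With `test_auth_different_tenant` removed, nothing visible in this class asserts that a tenant mismatch is still rejected on the URL-tenant path the middleware keeps checking, so a regression in that branch would go unnoticed unless a test outside this view covers it. A case such as `webob.Request.blank("/v1.1/tid1/clusters", accept="text/plain", method="GET", environ={"HTTP_X_TENANT_ID": "tid2"})` expecting 401 would pin it. The v2 cases in `test_auth_ok` and `test_auth_without_environ` still request `/v2/tid/clusters`, which carries a v1-style tenant segment; `/v2/clusters` would match the documented v2 URL. A v2 request that sends an `OpenStack-Project-ID` header different from the environment tenant and still gets 200 would document that the header is now ignored.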
|
||||
|
|