Merge "[APIv2]Nix custom OpenStack-Project-ID header"

doc/source/contributor/apiv2.rst

@@ -61,9 +61,10 @@ Communicating with the v2 API
 -----------------------------
 
 The v2 API makes at least one major change from the previous versions,
-removing the OpenStack project identifier from the URL. Instead of
-adding this UUID to the URL, it is now required to be included as a
-header named ``OpenStack-Project-ID``.
+removing the OpenStack project identifier from the URL. Now users of
+the API do not provide their project ID explictly; instead we fully
+trust keystonemiddeware to provide it in the WSGI environment based
+on the given user token.
 
 For example, in previous versions of the API, a call to get the list of
 clusters for project "12345678-1234-1234-1234-123456789ABC" would have
@@ -72,19 +73,16 @@ been made as follows::
     GET /v1.1/12345678-1234-1234-1234-123456789ABC/clusters
     X-Auth-Token: {valid auth token}
 
-This call would now be made to the following URL, while including the
-project identifier in a header named ``OpenStack-Project-ID``::
+This call would now be made to the following URL::
 
     GET /v2/clusters
     X-Auth-Token: {valid auth token}
-    OpenStack-Project-ID: 12345678-1234-1234-1234-123456789ABC
 
 Using a tool like `HTTPie <https://httpie.org/>`_, the
 same request could be made like this::
 
     $ httpie http://{sahara service ip:port}/v2/clusters \
-      X-Auth-Token:{valid auth token} \
-      OpenStack-Project-ID:12345678-1234-1234-1234-123456789ABC
+      X-Auth-Token:{valid auth token}
 
 Following the implementation progress
 -------------------------------------

sahara/api/middleware/auth_valid.py

@@ -67,16 +67,16 @@ class AuthValidatorV2(base.Middleware):
 
     @webob.dec.wsgify
     def __call__(self, req):
-        """Ensures that the requested and token tenants match
+        """Ensures valid path and tenant
 
         Handle incoming requests by checking tenant info from the
         headers and url ({tenant_id} url attribute), if using v1 or v1.1
-        APIs. If using the v2 API, this function will check the token
-        tenant and the requested tenant in the headers.
+        APIs. If using the v2 API, this function just makes sure that
+        keystonemiddleware has populated the WSGI environment.
 
         Pass request downstream on success.
         Reject request if tenant_id from headers is not equal to the
-        tenant_id from url or v2 project header.
+        tenant_id from url in the case of v1.
         """
         path = req.environ['PATH_INFO']
         if path != '/':
@@ -88,7 +88,6 @@ class AuthValidatorV2(base.Middleware):
             try:
                 if path.startswith('/v2'):
                     version, rest = strutils.split_path(path, 2, 2, True)
-                    requested_tenant = req.headers.get('OpenStack-Project-ID')
                 else:
                     version, requested_tenant, rest = strutils.split_path(
                         path, 3, 3, True)
@@ -96,8 +95,9 @@ class AuthValidatorV2(base.Middleware):
                 LOG.warning("Incorrect path: {path}".format(path=path))
                 raise ex.HTTPNotFound(_("Incorrect path"))
 
-            if token_tenant != requested_tenant:
-                LOG.debug("Unauthorized: token tenant != requested tenant")
-                raise ex.HTTPUnauthorized(
-                    _('Token tenant != requested tenant'))
+            if path.startswith('/v1'):
+                if token_tenant != requested_tenant:
+                    LOG.debug("Unauthorized: token tenant != requested tenant")
+                    raise ex.HTTPUnauthorized(
+                        _('Token tenant != requested tenant'))
         return self.application

sahara/tests/unit/api/middleware/test_auth_valid.py

@@ -77,19 +77,17 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
     def test_auth_ok(self):
         req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
                                   method="GET",
-                                  environ={"HTTP_X_TENANT_ID": "tid"},
-                                  headers={"OpenStack-Project-ID": "tid"})
+                                  environ={"HTTP_X_TENANT_ID": "tid"})
         res = req.get_response(self.app)
         self.assertEqual(200, res.status_code)
 
     def test_auth_ok_without_path(self):
         req = webob.Request.blank("/", accept="text/plain", method="GET",
-                                  environ={"HTTP_X_TENANT_ID": "tid"},
-                                  headers={"OpenStack-Project-ID": "tid"})
+                                  environ={"HTTP_X_TENANT_ID": "tid"})
         res = req.get_response(self.app)
         self.assertEqual(200, res.status_code)
 
-    def test_auth_without_header(self):
+    def test_auth_without_environ(self):
         req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
                                   method="GET")
         res = req.get_response(self.app)
@@ -100,11 +98,3 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
                                   environ={"HTTP_X_TENANT_ID": "tid"})
         res = req.get_response(self.app)
         self.assertEqual(404, res.status_code)
-
-    def test_auth_different_tenant(self):
-        req = webob.Request.blank("/v2/tid1/clusters", accept="text/plain",
-                                  method="GET",
-                                  environ={"HTTP_X_TENANT_ID": "tid2"},
-                                  headers={"OpenStack-Project-ID": "tid"})
-        res = req.get_response(self.app)
-        self.assertEqual(401, res.status_code)