Add roles to context

We use oslo.policy to check the policy. Oslo.policy needs roles held for the given token scope [1]. So we should add roles to context. [1]http://docs.openstack.org/developer/oslo.policy/ api/oslo_policy.html#generic-checks Change-Id: I95afbf57f185ca1db9c68781c2fcd78cbafc1e17 Closes-Bug: #1489832
2015-08-21 07:18:06 +08:00 · 2015-08-21 07:18:06 +08:00 · 86ed292e52
parent 52b0e32db0
commit 86ed292e52
4 changed files with 13 additions and 5 deletions
--- a/magnum/api/hooks.py
+++ b/magnum/api/hooks.py
@ -43,6 +43,8 @@ class ContextHook(hooks.PecanHook):
    X-Auth-Token:
        Used for context.auth_token.

+    X-Roles:
+        Used for context.roles.
    """

    def before(self, state):
@ -54,6 +56,7 @@ class ContextHook(hooks.PecanHook):
        domain_id = headers.get('X-User-Domain-Id')
        domain_name = headers.get('X-User-Domain-Name')
        auth_token = headers.get('X-Auth-Token')
+        roles = headers.get('X-Roles', '').split(',')
        auth_token_info = state.request.environ.get('keystone.token_info')

        auth_url = headers.get('X-Auth-Url')
@ -70,7 +73,8 @@ class ContextHook(hooks.PecanHook):
            project_name=project,
            project_id=project_id,
            domain_id=domain_id,
-            domain_name=domain_name)
+            domain_name=domain_name,
+            roles=roles)


 class RPCHook(hooks.PecanHook):
--- a/magnum/common/context.py
+++ b/magnum/common/context.py
@ -19,10 +19,10 @@ class RequestContext(context.RequestContext):

    def __init__(self, auth_token=None, auth_url=None, domain_id=None,
                 domain_name=None, user_name=None, user_id=None,
-                 project_name=None, project_id=None, is_admin=False,
-                 is_public_api=False, read_only=False, show_deleted=False,
-                 request_id=None, trust_id=None, auth_token_info=None,
-                 all_tenants=False, **kwargs):
+                 project_name=None, project_id=None, roles=None,
+                 is_admin=False, is_public_api=False, read_only=False,
+                 show_deleted=False, request_id=None, trust_id=None,
+                 auth_token_info=None, all_tenants=False, **kwargs):
        """Stores several additional request parameters:

        :param domain_id: The ID of the domain.
@ -38,6 +38,7 @@ class RequestContext(context.RequestContext):
        self.project_id = project_id
        self.domain_id = domain_id
        self.domain_name = domain_name
+        self.roles = roles
        self.auth_url = auth_url
        self.auth_token_info = auth_token_info
        self.trust_id = trust_id
--- a/magnum/tests/fakes.py
+++ b/magnum/tests/fakes.py
@ -22,6 +22,7 @@ fakeAuthTokenHeaders = {'X-User-Id': u'773a902f022949619b5c2f32cd89d419',
                        'X-Auth-Token': u'5588aebbcdc24e17a061595f80574376',
                        'X-Forwarded-For': u'10.10.10.10, 11.11.11.11',
                        'X-Service-Catalog': u'{test: 12345}',
+                        'X-Roles': 'role1,role2',
                        'X-Auth-Url': 'fake_auth_url',
                        'X-Identity-Status': 'Confirmed',
                        'X-User-Domain-Name': 'domain',
--- a/magnum/tests/unit/api/test_hooks.py
+++ b/magnum/tests/unit/api/test_hooks.py
@ -47,6 +47,8 @@ class TestContextHook(base.BaseTestCase):
                         fakes.fakeAuthTokenHeaders['X-User-Name'])
        self.assertEqual(ctx.user_id,
                         fakes.fakeAuthTokenHeaders['X-User-Id'])
+        self.assertEqual(','.join(ctx.roles),
+                         fakes.fakeAuthTokenHeaders['X-Roles'])
        self.assertEqual(ctx.auth_url,
                         fakes.fakeAuthTokenHeaders['X-Auth-Url'])
        self.assertEqual(ctx.domain_name,