diff --git a/doc/source/contributor/apiv2.rst b/doc/source/contributor/apiv2.rst
index d72d3c9bea..2568bba8c9 100644
--- a/doc/source/contributor/apiv2.rst
+++ b/doc/source/contributor/apiv2.rst
@@ -61,9 +61,10 @@ Communicating with the v2 API
 -----------------------------
 The v2 API makes at least one major change from the previous versions,
-removing the OpenStack project identifier from the URL. Instead of
-adding this UUID to the URL, it is now required to be included as a
-header named ``OpenStack-Project-ID``.
+removing the OpenStack project identifier from the URL. Now users of
+the API do not provide their project ID explictly; instead we fully
+trust keystonemiddeware to provide it in the WSGI environment based
+on the given user token.
 For example, in previous versions of the API, a call to get the list of clusters for project "12345678-1234-1234-1234-123456789ABC" would have
@@ -72,19 +73,16 @@ been made as follows::
 GET /v1.1/12345678-1234-1234-1234-123456789ABC/clusters
 X-Auth-Token: {valid auth token}
-This call would now be made to the following URL, while including the
-project identifier in a header named ``OpenStack-Project-ID``::
+This call would now be made to the following URL::
 GET /v2/clusters
 X-Auth-Token: {valid auth token}
- OpenStack-Project-ID: 12345678-1234-1234-1234-123456789ABC
 Using a tool like `HTTPie `_, the same request could be made like this::
 $ httpie http://{sahara service ip:port}/v2/clusters \
- X-Auth-Token:{valid auth token} \
- OpenStack-Project-ID:12345678-1234-1234-1234-123456789ABC
+ X-Auth-Token:{valid auth token}
 Following the implementation progress
 -------------------------------------
diff --git a/sahara/api/middleware/auth_valid.py b/sahara/api/middleware/auth_valid.py
index 59a3842744..4db3071c63 100644
--- a/sahara/api/middleware/auth_valid.py
+++ b/sahara/api/middleware/auth_valid.py
@@ -67,16 +67,16 @@ class AuthValidatorV2(base.Middleware):
 @webob.dec.wsgify
 def __call__(self, req):
- """Ensures that the requested and token tenants match
+ """Ensures valid path and tenant
 Handle incoming requests by checking tenant info from the headers and url ({tenant_id} url attribute), if using v1 or v1.1
- APIs. If using the v2 API, this function will check the token
- tenant and the requested tenant in the headers.
+ APIs. If using the v2 API, this function just makes sure that
+ keystonemiddleware has populated the WSGI environment.
 Pass request downstream on success.
 Reject request if tenant_id from headers is not equal to the
- tenant_id from url or v2 project header.
+ tenant_id from url in the case of v1.
 """
 path = req.environ['PATH_INFO']
 if path != '/':
@@ -88,7 +88,6 @@ class AuthValidatorV2(base.Middleware):
 try:
 if path.startswith('/v2'):
 version, rest = strutils.split_path(path, 2, 2, True)
- requested_tenant = req.headers.get('OpenStack-Project-ID')
 else:
 version, requested_tenant, rest = strutils.split_path(
 path, 3, 3, True)
@@ -96,8 +95,9 @@ class AuthValidatorV2(base.Middleware):
 LOG.warning("Incorrect path: {path}".format(path=path))
 raise ex.HTTPNotFound(_("Incorrect path"))
- if token_tenant != requested_tenant:
- LOG.debug("Unauthorized: token tenant != requested tenant")
- raise ex.HTTPUnauthorized(
- _('Token tenant != requested tenant'))
+ if path.startswith('/v1'):
+ if token_tenant != requested_tenant:
+ LOG.debug("Unauthorized: token tenant != requested tenant")
+ raise ex.HTTPUnauthorized(
+ _('Token tenant != requested tenant'))
 return self.application
diff --git a/sahara/tests/unit/api/middleware/test_auth_valid.py b/sahara/tests/unit/api/middleware/test_auth_valid.py
index 551ddfcf94..7de55e12a9 100644
--- a/sahara/tests/unit/api/middleware/test_auth_valid.py
+++ b/sahara/tests/unit/api/middleware/test_auth_valid.py
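Review bot: The new docstring states that for v2 this function "just makes sure that keystonemiddleware has populated the WSGI environment", but no such check appears on the v2 branch in any of the three hunks; the only v2-specific code left is the path split, and whatever presence check exists on `token_tenant` lives outside the hunk, where that value is read. The docstring should describe what the visible code actually requires rather than a validation a reader may assume exists, e.g. `If using the v2 API, only the tenant id keystonemiddleware placed in the WSGI environment is relied on; no URL or header tenant is compared.` The body of `__call__` continues past this hunk.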
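Review bot: The tenant comparison is now gated on `path.startswith('/v1')`, while the `else` branch of the version split in the preceding hunk still extracts a `requested_tenant` from any path that does not start with `/v2`, so a three-segment path under any other prefix now skips the comparison that used to apply to it. Unless the router is known to reject every such prefix before this middleware runs, the guard should mirror the split instead of naming one version: `if not path.startswith('/v2'):` preserves the old behaviour for everything the `else` branch parses. With the v2 assignment removed, `requested_tenant` is also unbound on the v2 path and only this guard keeps that from becoming a `NameError`; initialising it to `None` before the `try` would make that explicit. `__call__` starts outside the hunk, and the line that reads `token_tenant` from the environment is not shown here.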
@@ -77,19 +77,17 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
 def test_auth_ok(self):
 req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
 method="GET",
- environ={"HTTP_X_TENANT_ID": "tid"},
- headers={"OpenStack-Project-ID": "tid"})
+ environ={"HTTP_X_TENANT_ID": "tid"})
 res = req.get_response(self.app)
 self.assertEqual(200, res.status_code)
 def test_auth_ok_without_path(self):
 req = webob.Request.blank("/", accept="text/plain", method="GET",
- environ={"HTTP_X_TENANT_ID": "tid"},
- headers={"OpenStack-Project-ID": "tid"})
+ environ={"HTTP_X_TENANT_ID": "tid"})
 res = req.get_response(self.app)
 self.assertEqual(200, res.status_code)
- def test_auth_without_header(self):
+ def test_auth_without_environ(self):
 req = webob.Request.blank("/v2/tid/clusters", accept="text/plain",
 method="GET")
 res = req.get_response(self.app)
@@ -100,11 +98,3 @@ class AuthValidatorV2Test(test_base.SaharaTestCase):
 environ={"HTTP_X_TENANT_ID": "tid"})
 res = req.get_response(self.app)
 self.assertEqual(404, res.status_code)
-
- def test_auth_different_tenant(self):
- req = webob.Request.blank("/v2/tid1/clusters", accept="text/plain",
- method="GET",
- environ={"HTTP_X_TENANT_ID": "tid2"},
- headers={"OpenStack-Project-ID": "tid"})
- res = req.get_response(self.app)
- self.assertEqual(401, res.status_code)
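Review bot: Deleting `test_auth_different_tenant` in the second hunk leaves the test class with no case that exercises the 401 path at all: the comparison the middleware keeps for `/v1` paths is now untested, and the remaining tests only cover a matching tenant, a bare `/` and a missing environ. A v1-style request whose URL tenant differs from the environ tenant should be added so the retained check has coverage, assuming `self.app` wraps the `AuthValidatorV2` middleware as the other tests imply; `test_auth_without_environ` keeps its assertion outside the hunk, so its expected status is not visible here.
```python
    def test_auth_different_tenant_v1(self):
        # URL tenant "tid1" must not be accepted with environ tenant "tid2".
        req = webob.Request.blank("/v1.1/tid1/clusters", accept="text/plain",
                                  method="GET",
                                  environ={"HTTP_X_TENANT_ID": "tid2"})
        res = req.get_response(self.app)
        self.assertEqual(401, res.status_code)
```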