Add roles to context
Roles are an important part of the user context. They typically don't need to be serialized for RPC but they are needed for policy. Include roles onto the context object and make sure it is loaded from the auth_token middleware environment. Related-Bug: #1537653 Change-Id: Ia575ba803a0fb70f39146bd75d381ed19414bd23
This commit is contained in:
Jamie Lennox
Ronald Bradford
parent
ce60425d58
commit
f383bd2973
|
|
@ -53,7 +53,7 @@ class RequestContext(object):
|
||||||
def __init__(self, auth_token=None, user=None, tenant=None, domain=None,
|
def __init__(self, auth_token=None, user=None, tenant=None, domain=None,
|
||||||
user_domain=None, project_domain=None, is_admin=False,
|
user_domain=None, project_domain=None, is_admin=False,
|
||||||
read_only=False, show_deleted=False, request_id=None,
|
read_only=False, show_deleted=False, request_id=None,
|
||||||
resource_uuid=None, overwrite=True):
|
resource_uuid=None, overwrite=True, roles=None):
|
||||||
"""Initialize the RequestContext
|
"""Initialize the RequestContext
|
||||||
|
|
||||||
:param overwrite: Set to False to ensure that the greenthread local
|
:param overwrite: Set to False to ensure that the greenthread local
|
||||||
|
|
@ -69,6 +69,7 @@ class RequestContext(object):
|
||||||
self.read_only = read_only
|
self.read_only = read_only
|
||||||
self.show_deleted = show_deleted
|
self.show_deleted = show_deleted
|
||||||
self.resource_uuid = resource_uuid
|
self.resource_uuid = resource_uuid
|
||||||
|
self.roles = roles or []
|
||||||
if not request_id:
|
if not request_id:
|
||||||
request_id = generate_request_id()
|
request_id = generate_request_id()
|
||||||
self.request_id = request_id
|
self.request_id = request_id
|
||||||
|
|
@ -99,6 +100,7 @@ class RequestContext(object):
|
||||||
'auth_token': self.auth_token,
|
'auth_token': self.auth_token,
|
||||||
'request_id': self.request_id,
|
'request_id': self.request_id,
|
||||||
'resource_uuid': self.resource_uuid,
|
'resource_uuid': self.resource_uuid,
|
||||||
|
'roles': self.roles,
|
||||||
'user_identity': user_idt}
|
'user_identity': user_idt}
|
||||||
|
|
||||||
def get_logging_values(self):
|
def get_logging_values(self):
|
||||||
|
|
@ -143,6 +145,9 @@ class RequestContext(object):
|
||||||
kwargs.setdefault('project_domain',
|
kwargs.setdefault('project_domain',
|
||||||
environ.get('HTTP_X_PROJECT_DOMAIN_ID'))
|
environ.get('HTTP_X_PROJECT_DOMAIN_ID'))
|
||||||
|
|
||||||
|
roles = environ.get('HTTP_X_ROLES')
|
||||||
|
kwargs.setdefault('roles', roles.split(',') if roles else [])
|
||||||
|
|
||||||
return cls(**kwargs)
|
return cls(**kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -135,12 +135,14 @@ class ContextTest(test_base.BaseTestCase):
|
||||||
project_id = uuid.uuid4().hex
|
project_id = uuid.uuid4().hex
|
||||||
user_domain_id = uuid.uuid4().hex
|
user_domain_id = uuid.uuid4().hex
|
||||||
project_domain_id = uuid.uuid4().hex
|
project_domain_id = uuid.uuid4().hex
|
||||||
|
roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex]
|
||||||
|
|
||||||
environ = {'HTTP_X_AUTH_TOKEN': auth_token,
|
environ = {'HTTP_X_AUTH_TOKEN': auth_token,
|
||||||
'HTTP_X_USER_ID': user_id,
|
'HTTP_X_USER_ID': user_id,
|
||||||
'HTTP_X_PROJECT_ID': project_id,
|
'HTTP_X_PROJECT_ID': project_id,
|
||||||
'HTTP_X_USER_DOMAIN_ID': user_domain_id,
|
'HTTP_X_USER_DOMAIN_ID': user_domain_id,
|
||||||
'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id}
|
'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id,
|
||||||
|
'HTTP_X_ROLES': ','.join(roles)}
|
||||||
|
|
||||||
ctx = context.RequestContext.from_environ(environ)
|
ctx = context.RequestContext.from_environ(environ)
|
||||||
|
|
||||||
|
|
@ -149,6 +151,14 @@ class ContextTest(test_base.BaseTestCase):
|
||||||
self.assertEqual(project_id, ctx.tenant)
|
self.assertEqual(project_id, ctx.tenant)
|
||||||
self.assertEqual(user_domain_id, ctx.user_domain)
|
self.assertEqual(user_domain_id, ctx.user_domain)
|
||||||
self.assertEqual(project_domain_id, ctx.project_domain)
|
self.assertEqual(project_domain_id, ctx.project_domain)
|
||||||
|
self.assertEqual(roles, ctx.roles)
|
||||||
|
|
||||||
|
def test_from_environ_no_roles(self):
|
||||||
|
ctx = context.RequestContext.from_environ(environ={})
|
||||||
|
self.assertEqual([], ctx.roles)
|
||||||
|
|
||||||
|
ctx = context.RequestContext.from_environ(environ={'HTTP_X_ROLES': ''})
|
||||||
|
self.assertEqual([], ctx.roles)
|
||||||
|
|
||||||
def test_from_function_and_args(self):
|
def test_from_function_and_args(self):
|
||||||
ctx = context.RequestContext(user="user1")
|
ctx = context.RequestContext(user="user1")
|
||||||
|
|
@ -214,6 +224,7 @@ class ContextTest(test_base.BaseTestCase):
|
||||||
self.assertIn('request_id', d)
|
self.assertIn('request_id', d)
|
||||||
self.assertIn('resource_uuid', d)
|
self.assertIn('resource_uuid', d)
|
||||||
self.assertIn('user_identity', d)
|
self.assertIn('user_identity', d)
|
||||||
|
self.assertIn('roles', d)
|
||||||
|
|
||||||
self.assertEqual(auth_token, d['auth_token'])
|
self.assertEqual(auth_token, d['auth_token'])
|
||||||
self.assertEqual(tenant, d['tenant'])
|
self.assertEqual(tenant, d['tenant'])
|
||||||
|
|
@ -228,6 +239,7 @@ class ContextTest(test_base.BaseTestCase):
|
||||||
user_identity = "%s %s %s %s %s" % (user, tenant, domain,
|
user_identity = "%s %s %s %s %s" % (user, tenant, domain,
|
||||||
user_domain, project_domain)
|
user_domain, project_domain)
|
||||||
self.assertEqual(user_identity, d['user_identity'])
|
self.assertEqual(user_identity, d['user_identity'])
|
||||||
|
self.assertEqual([], d['roles'])
|
||||||
|
|
||||||
def test_get_logging_values(self):
|
def test_get_logging_values(self):
|
||||||
auth_token = "token1"
|
auth_token = "token1"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue