Use oslo.context features

In an effort to standardize policy and authentication values
oslo.context has new features such as from_environ which constructs a
standard oslo.context object from the environment variables created by
auth_token middleware, and to_policy_values which emits a standard
credentials target for writing common policy files across services.

Use these standard functions when dealing with contexts and policy in
glance.

Closes-Bug: #1602081
Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489
Jamie Lennox 2016-05-04 17:10:40 +10:00
parent 02fd711d7d
commit ca501cba92
3 changed files with 24 additions and 26 deletions


@ -102,14 +102,6 @@ class ContextMiddleware(BaseContextMiddleware):
return glance.context.RequestContext(**kwargs)
def _get_authenticated_context(self, req):
# NOTE(bcwaldon): X-Roles is a csv string, but we need to parse
# it into a list to be useful
roles_header = req.headers.get('X-Roles', '')
roles = [r.strip().lower() for r in roles_header.split(',')]
# NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token
deprecated_token = req.headers.get('X-Storage-Token')
service_catalog = None
if req.headers.get('X-Service-Catalog') is not None:
try:
@ -127,18 +119,25 @@ class ContextMiddleware(BaseContextMiddleware):
return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)
kwargs = {
'user': req.headers.get('X-User-Id'),
'tenant': req.headers.get('X-Tenant-Id'),
'roles': roles,
'is_admin': CONF.admin_role.strip().lower() in roles,
'auth_token': req.headers.get('X-Auth-Token', deprecated_token),
'owner_is_tenant': CONF.owner_is_tenant,
'service_catalog': service_catalog,
'policy_enforcer': self.policy_enforcer,
'request_id': request_id,
}
return glance.context.RequestContext(**kwargs)
ctxt = glance.context.RequestContext.from_environ(req.environ,
**kwargs)
# FIXME(jamielennox): glance has traditionally lowercased its roles.
# This was related to bug #1010519 where at least the admin role was
# case insensitive. This seems to no longer be the case and should be
# fixed.
ctxt.roles = [r.lower() for r in ctxt.roles]
if CONF.admin_role.strip().lower() in ctxt.roles:
ctxt.is_admin = True
return ctxt
class UnauthenticatedContextMiddleware(BaseContextMiddleware):
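Review bot: The admin flag is only ever set, never cleared, by the new lines `if CONF.admin_role.strip().lower() in ctxt.roles:` / `ctxt.is_admin = True`, whereas the removed `'is_admin': CONF.admin_role.strip().lower() in roles` always produced a definite boolean. Whether `from_environ` or the remaining `kwargs` can already carry an `is_admin` value is not visible in this hunk, but writing `ctxt.is_admin = CONF.admin_role.strip().lower() in ctxt.roles` keeps the previous contract that admin status derives solely from the role comparison and cannot be inherited from whatever constructed the context. The FIXME above it should also say that the lowercasing is what keeps the admin-role comparison case-insensitive, so nobody removes the loop without changing the comparison too. `_get_authenticated_context` begins in the previous hunk and its remaining header handling is outside this one.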


@ -60,12 +60,8 @@ class Enforcer(policy.Enforcer):
:raises: `glance.common.exception.Forbidden`
:returns: A non-False value if access is allowed.
"""
credentials = {
'roles': context.roles,
'user': context.user,
'tenant': context.tenant,
}
return super(Enforcer, self).enforce(action, target, credentials,
return super(Enforcer, self).enforce(action, target,
context.to_policy_values(),
do_raise=True,
exc=exception.Forbidden,
action=action)
@ -78,12 +74,9 @@ class Enforcer(policy.Enforcer):
:param target: Dictionary representing the object of the action.
:returns: A non-False value if access is allowed.
"""
credentials = {
'roles': context.roles,
'user': context.user,
'tenant': context.tenant,
}
return super(Enforcer, self).enforce(action, target, credentials)
return super(Enforcer, self).enforce(action,
target,
context.to_policy_values())
def check_is_admin(self, context):
"""Check if the given context is associated with an admin role,
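Review bot: Both `enforce` and `check` now pass `context.to_policy_values()` to oslo.policy without documenting what that credentials dict contains, which is exactly what policy-file authors need to know when writing rules. The `:param context:` entries, which sit above these hunks, should state that credentials are the standard oslo.context policy values, with glance's `user` and `tenant` keys retained (see the `to_policy_values` override in glance/context.py in this commit) so existing rules keyed on those names still resolve. The same point applies to both hunks in this file; each method's signature and docstring start outside its hunk.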


@ -43,6 +43,12 @@ class RequestContext(context.RequestContext):
})
return d
def to_policy_values(self):
pdict = super(RequestContext, self).to_policy_values()
pdict['user'] = self.user
pdict['tenant'] = self.tenant
return pdict
@classmethod
def from_dict(cls, values):
return cls(**values)
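Review bot: `to_policy_values` has no docstring, and the reason for adding `user` and `tenant` on top of the base dict is not recorded, so a later cleanup could drop them as redundant and silently break any policy rule keyed on those names. Suggested docstring: `"""Return oslo.context's policy values plus glance's 'user' and 'tenant' keys, kept so existing policy rules keep resolving."""`. A one-line comment on the two assignments, `# legacy keys referenced by existing policy files`, would serve the same purpose if the docstring is kept shorter.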