Add a check to see if a federation token is being used for v2 auth
If a user has a federation environment, and doesn't update nova to use v3 auth in auth_token, then they will automatically be using v2 auth, which causes a fairly useless error to bubble up. We should check if the user is using a federation token in v2 and provide a better error message. Change-Id: I9c490df8dd38e9fa1f393ebfa1296b64fb0c9527 Closes-Bug: #1419114
parent
8ba0c166e5
commit
2d119010e1
|
@ -1392,6 +1392,20 @@ class FederatedTokenTests(FederationTests):
|
|||
self.assertRaises(exception.Unauthorized,
|
||||
self._issue_unscoped_token)
|
||||
|
||||
def test_v2_auth_with_federation_token_fails(self):
|
||||
"""Test that using a federation token with v2 auth fails.
|
||||
|
||||
If an admin sets up a federated keystone environment, and a user
|
||||
incorrectly configures a service (like nova) only use v2 auth, the
|
||||
returned message should be informative.
|
||||
|
||||
"""
|
||||
r = self._issue_unscoped_token()
|
||||
token_id = r.headers.get('X-Subject-Token')
|
||||
self.assertRaises(exception.Unauthorized,
|
||||
self.token_provider_api.validate_v2_token,
|
||||
token_id=token_id)
|
||||
|
||||
def load_federation_sample_data(self):
|
||||
"""Inject additional data."""
|
||||
|
||||
|
|
|
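Review bot: The assertion at `self.assertRaises(exception.Unauthorized, self.token_provider_api.validate_v2_token, token_id=token_id)` only pins the exception type, while the docstring of `test_v2_auth_with_federation_token_fails` promises that the returned message is informative; nothing here fails if the generic Unauthorized text comes back instead. If the test base class's assertRaises returns the raised exception (testtools does), capture it and add `self.assertIn('OS-FEDERATION', str(e))`. Keystone's Unauthorized is, as far as I recall, a SecurityError whose detail is only surfaced when debug is enabled, so that message check may need debug turned on in the test config, which is itself worth documenting in the docstring. The call passes `token_id=` to the manager-level `token_provider_api`, whereas the provider hunk changes `BaseProvider.validate_v2_token(self, token_ref)`; presumably the manager resolves the id to a token_ref before delegating, but that is outside this diff.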
@ -494,6 +494,16 @@ class BaseProvider(provider.Provider):
|
|||
raise exception.Unauthorized()
|
||||
return token_ref
|
||||
|
||||
def _assert_is_not_federation_token(self, token_ref):
|
||||
"""Make sure we aren't using v2 auth on a federation token."""
|
||||
token_data = token_ref.get('token_data')
|
||||
if (token_data and self.get_token_version(token_data) ==
|
||||
token.provider.V3):
|
||||
if 'OS-FEDERATION' in token_data['token']['user']:
|
||||
msg = _('Attempting to use OS-FEDERATION token with V2 '
|
||||
'Identity Service, use V3 Authentication')
|
||||
raise exception.Unauthorized(msg)
|
||||
|
||||
def _assert_default_domain(self, token_ref):
|
||||
"""Make sure we are operating on default domain only."""
|
||||
if (token_ref.get('token_data') and
|
||||
|
@ -540,6 +550,7 @@ class BaseProvider(provider.Provider):
|
|||
|
||||
def validate_v2_token(self, token_ref):
|
||||
try:
|
||||
self._assert_is_not_federation_token(token_ref)
|
||||
self._assert_default_domain(token_ref)
|
||||
# FIXME(gyee): performance or correctness? Should we return the
|
||||
# cached token or reconstruct it? Obviously if we are going with
|
||||
|
|
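Review bot: In `_assert_is_not_federation_token` the two nested `if`s test one condition and `token_data['token']['user']` is indexed without a guard, so a v3 token_data whose `token` lacks `user` would surface as a KeyError (a 500) rather than Unauthorized; flattening to `if (token_data and self.get_token_version(token_data) == token.provider.V3 and 'OS-FEDERATION' in token_data['token'].get('user', {})):` keeps the intent and makes the rejection explicit. The guard is wired only into `validate_v2_token` (third hunk); it is worth confirming that every v2 path that accepts an existing token, such as token-based rescoping, goes through this method or an equivalent check, otherwise a federated unscoped token may still be usable via v2 without the clearer error. The `_('Attempting to use OS-FEDERATION token with V2 Identity Service, use V3 Authentication')` detail is presumably only shown in debug mode if Unauthorized derives from SecurityError, so the docstring could say "detail is reported only when debug is enabled". The body of `validate_v2_token`, including its except clause, continues outside the hunk.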