Pass the correct tenant for the service user
authorZane Bitter <zbitter@redhat.com>
Mon, 22 Oct 2012 09:20:07 +0000 (11:20 +0200)
committerZane Bitter <zbitter@redhat.com>
Mon, 22 Oct 2012 10:25:27 +0000 (12:25 +0200)
Previously, the service user (which authenticates tokens passed to the
engine by the APIs) was paired with the tenant of the end user to do
authentication, which worked only when they were in the same tenant. This
should not be the case, since the service user should only have an admin
role in the "service" tenant.

Fixes #269

Change-Id: I99b764fc489429dd6d081485bd89d5dde737c124
Signed-off-by: Zane Bitter <zbitter@redhat.com>
heat/common/auth_token.py
heat/common/context.py
heat/engine/resources.py

index 7d8bbb60759d6b05ab60b702c2645218433c362c..e7b4d6450230de16f2d10f8414bacbbe698ba20a 100644 (file)
@@ -437,6 +437,7 @@ class AuthProtocol(object):
             'X-Role': roles,
             'X-Admin-User': self.admin_user,
             'X-Admin-Pass': self.admin_password,
+            'X-Admin-Tenant-Name': self.admin_tenant_name,
             'X-Auth-Url': self.conf['auth_uri'],
         }
 
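Review bot: The added header on line 26 reads `self.admin_tenant_name`, which none of the three files in this diff defines; presumably AuthProtocol.__init__ already populates it from configuration alongside `admin_user` and `admin_password`, but that cannot be confirmed from this hunk, and if it is not set the header dict would raise AttributeError at request time. A comment where the attribute is assigned, or here, would make the dependency explicit: `# admin_tenant_name: tenant the service user holds its admin role in; forwarded to the engine`. Note also that this header travels with `X-Admin-Pass`, so it is subject to the same handling as the service credential. The enclosing method starts before the hunk.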
index 2da8599935d6d2d4b854707c0e56f27c0e9c8870..efe46f1ad46e0e94698dade1c40538b8a28fb675 100644 (file)
@@ -34,7 +34,8 @@ class RequestContext(object):
 
     def __init__(self, auth_token=None, username=None, password=None,
                  aws_creds=None, aws_auth_uri=None,
-                 service_user=None, service_password=None, tenant=None,
+                 service_user=None, service_password=None,
+                 service_tenant=None, tenant=None,
                  tenant_id=None, auth_url=None, roles=None, is_admin=False,
                  read_only=False, show_deleted=False,
                  owner_is_tenant=True, overwrite=True, **kwargs):
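Review bot: The new `service_tenant` keyword on line 37 is undocumented, and the distinction it draws from `tenant` is exactly what this commit exists to fix, so a comment at the signature would stop the two being conflated again: `# service_tenant: tenant in which the service user holds its admin role (not the end user's tenant, which is ``tenant``)`. RequestContext.__init__'s body continues outside the hunk.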
@@ -53,6 +54,7 @@ class RequestContext(object):
         self.aws_auth_uri = aws_auth_uri
         self.service_user = service_user
         self.service_password = service_password
+        self.service_tenant = service_tenant
         self.tenant = tenant
         self.tenant_id = tenant_id
         self.auth_url = auth_url
@@ -75,6 +77,7 @@ class RequestContext(object):
                 'aws_auth_uri': self.aws_auth_uri,
                 'service_user': self.service_user,
                 'service_password': self.service_password,
+                'service_tenant': self.service_tenant,
                 'tenant': self.tenant,
                 'tenant_id': self.tenant_id,
                 'auth_url': self.auth_url,
@@ -175,7 +178,8 @@ class ContextMiddleware(wsgi.Middleware):
             token = headers.get('X-Auth-Token')
             service_user = headers.get('X-Admin-User')
             service_password = headers.get('X-Admin-Pass')
-            tenant = headers.get('X-Tenant')
+            service_tenant = headers.get('X-Admin-Tenant-Name')
+            tenant = headers.get('X-Tenant-Name')
             tenant_id = headers.get('X-Tenant-Id')
             auth_url = headers.get('X-Auth-Url')
             roles = headers.get('X-Roles')
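Review bot: `X-Admin-Tenant-Name` is taken straight from the request headers on line 62, exactly like `X-Admin-User` and `X-Admin-Pass` above it, and the next hunk shows these values feeding a context built with `is_admin=True`. That is only safe if the auth filter in front of this middleware is the sole writer of the `X-Admin-*` headers and client-supplied copies cannot reach it; the hunk does not show that, so the assumption should be stated where the headers are read: `# X-Admin-* headers are populated by AuthProtocol; this middleware must never be reachable with client-supplied values for them`. Separately, the switch from `X-Tenant` to `X-Tenant-Name` on line 63 is not mentioned in the description — presumably it matches the header the auth filter actually emits — and deserves a mention. The enclosing method starts before and continues after the hunk.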
@@ -190,6 +194,7 @@ class ContextMiddleware(wsgi.Middleware):
                                         password=password,
                                         service_user=service_user,
                                         service_password=service_password,
+                                        service_tenant=service_tenant,
                                         auth_url=auth_url, roles=roles,
                                         is_admin=True)
 
index a305bab3467b52630ad6a0f54b63e60dad76a59f..b4a61b029e6edc4290e4696891b92f0d02628174 100644 (file)
@@ -222,20 +222,21 @@ class Resource(object):
 
         con = self.context
         args = {
-            'tenant_name': con.tenant,
-            'tenant_id': con.tenant_id,
             'auth_url': con.auth_url,
         }
 
         if con.password is not None:
             args['username'] = con.username
             args['password'] = con.password
+            args['tenant_name'] = con.tenant
+            args['tenant_id'] = con.tenant_id
         elif con.auth_token is not None:
             args['username'] = con.service_user
             args['password'] = con.service_password
+            args['tenant_name'] = con.service_tenant
             args['token'] = con.auth_token
         else:
-            logger.error("Keystone connectio failed, no password or " +
+            logger.error("Keystone connection failed, no password or " +
                          "auth_token!")
             return None
 
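Review bot: In the token branch, line 93 now passes `con.service_tenant` as `tenant_name`, but nothing checks that it was set; if the header on the engine side is absent (an API running the older auth filter, for instance) the value is `None` and the call proceeds with no tenant rather than hitting the error path on line 97. A guard before building the client would surface the misconfiguration: `if con.service_tenant is None: logger.error("No service tenant in context; cannot authenticate service user")` followed by `return None`. The same value is used as `project_id` in the nova hunk below, which would benefit from the same check. As a minor point of style, the `+` on lines 97–98 is unnecessary — adjacent string literals concatenate implicitly.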
@@ -261,6 +262,7 @@ class Resource(object):
         elif con.auth_token is not None:
             args['username'] = con.service_user
             args['api_key'] = con.service_password
+            args['project_id'] = con.service_tenant
             args['proxy_token'] = con.auth_token
             args['proxy_tenant_id'] = con.tenant_id
         else: