First, trivial, implementation of authN+authZ
authorSalvatore Orlando <salvatore.orlando@eu.citrix.com>
Fri, 12 Aug 2011 11:12:36 +0000 (12:12 +0100)
committerSalvatore Orlando <salvatore.orlando@eu.citrix.com>
Fri, 12 Aug 2011 11:12:36 +0000 (12:12 +0100)
etc/quantum.conf
quantum/common/authentication.py [moved from quantum/common/auth_token.py with 99% similarity]
quantum/common/authorization.py

index 193ce8b396bde847265a13c8fcc213e819144dd9..1fd76257e477d219c27ba6831c80921233ab85a1 100644 (file)
@@ -16,8 +16,11 @@ use = egg:Paste#urlmap
 /: quantumversions
 /v0.1: quantumapi
 
-[filter:tokenauth]
-paste.filter_factory = quantum.common.auth_token:filter_factory
+[pipeline:quantumapi]
+pipeline = authN authZ quantumapiapp
+
+[filter:authN]
+paste.filter_factory = quantum.common.authentication:filter_factory
 auth_host = 127.0.0.1
 auth_port = 5001
 auth_protocol = http
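Review bot: The new `pipeline = authN authZ quantumapiapp` line encodes a security dependency the file never states: the authZ filter keys on a tenant header it expects authN to have populated, so reordering the filters or dropping `authN` would likely leave `authZ` comparing against a header value the client itself supplied. A comment above the pipeline line would make the contract explicit, e.g. `# authZ trusts the X_TENANT header set by authN; authN must run first`. The same section's context line `admin_password = secrete` keeps a service credential in plaintext in this file; that is pre-existing, but it is worth noting next to the pipeline definition that this file must not be world-readable.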
@@ -26,8 +29,8 @@ auth_protocol = http
 admin_user = admin
 admin_password = secrete
 
-[pipeline:quantumapi]
-pipeline = tokenauth quantumapiapp
+[filter:authZ]
+paste.filter_factory = quantum.common.authorization:filter_factory
 
 [app:quantumversions]
 paste.app_factory = quantum.api.versions:Versions.factory
similarity index 99%
rename from quantum/common/auth_token.py
rename to quantum/common/authentication.py
index c52dcec21862d589ddcbdb5fce39367c29be448a..cb86fd7876cfd6131a587ca1d93164a562c06895 100755 (executable)
@@ -66,7 +66,7 @@ from webob.exc import Request, Response
 from quantum.common.bufferedhttp import http_connect_raw as http_connect
 
 PROTOCOL_NAME = "Token Authentication"
-LOG = logging.getLogger('quantum.common.auth_token')
+LOG = logging.getLogger('quantum.common.authentication')
 
 class AuthProtocol(object):
     """Auth Middleware that handles authenticating client calls"""
index 30a90c42842e546fb6cca6c39f8218582458c978..f212d5bd05eb70dd231d6a0768489db7afd038e0 100644 (file)
 import logging
 
 from webob.exc import HTTPUnauthorized, HTTPForbidden
-from webob.exc import Request, Response
 
 LOG = logging.getLogger('quantum.common.authorization')
 
 class QuantumAuthorization(object):
     """ Authorizes an operation before it reaches the API WSGI app"""
 
+    def __init__(self, app, conf):
+        """ Common initialization code """
+        LOG.info("Starting the Authorization component")
+        self.conf = conf
+        self.app = app
+
+    
     def __call__(self, req, start_response):
         """ Handle incoming request. Authorize. And send downstream. """
         LOG.debug("entering QuantumAuthorization.__call__")
         self.start_response = start_response
+        LOG.debug("Self is:%s" %self)
+        LOG.debug("Req is:%s:" %req)
         self.req = req
 
         # Retrieves TENANT ID from headers as the request 
         # should already have been authenticated with Keystone
         self.headers = req.copy()
-        if not "X_TENANT" in self.headers:
+        LOG.debug("Looking for X_TENANT header")
+        LOG.debug("Headers:%s" %self.headers)
+        if not "HTTP_X_TENANT" in self.headers:
             # This is bad, very bad
-            self._reject()
-        
-        auth_tenant_id = self.headers['X_TENANT']
-        path = self.req.path
+            return self._reject()
+        LOG.debug("X_TENANT header found:%s", self.headers['HTTP_X_TENANT'])
+        LOG.debug("Looking for tenant_id in request URI")
+        auth_tenant_id = self.headers['HTTP_X_TENANT']
+        path = self.req['PATH_INFO']
         parts=path.split('/')
+        LOG.debug("Request parts:%s", parts)
         #TODO (salvatore-orlando): need bound checking here
         idx = parts.index('tenants') + 1
         req_tenant_id = parts[idx]
-        
+        LOG.debug("Tenant ID from request:%s", req_tenant_id)
         if auth_tenant_id != req_tenant_id:
             # This is bad, very bad
-            self._forbid()
+            return self._forbid()
         
-        # Okay, authorize it!
+        # Okay, authorize it - pass downstream
+        return self.app(self.req, self.start_response)
         
     def _reject(self):
         """Apparently the request has not been authenticated """
-        return HTTPUnauthorized()(self.env,
+        return HTTPUnauthorized()(self.req,
             self.start_response)
     
     
     def _forbid(self):
         """Cannot authorize. Operating on non-owned resources"""
-        return HTTPForbidden()(self.env,
+        return HTTPForbidden()(self.req,
             self.start_response)
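Review bot: `idx = parts.index('tenants') + 1` raises ValueError when the path has no `tenants` segment and `req_tenant_id = parts[idx]` raises IndexError when it is the last one, so a malformed URI escapes as an unhandled exception instead of a deliberate refusal; the TODO above it acknowledges this, and the lookup should fail closed as shown below. `LOG.debug("Headers:%s" %self.headers)` writes the entire WSGI environ to the log, which carries every request header, so any credential header forwarded by the authN filter would be logged with it; logging only the `HTTP_X_TENANT` value that is actually used is enough. Storing `req`, `start_response` and `headers` on `self` gives one shared middleware instance per-request state, so under a threaded server concurrent requests can overwrite each other's values before `_reject`/`_forbid` read them; passing them as arguments to those helpers avoids that. The check also trusts `HTTP_X_TENANT` as set by the preceding authN filter, which is not visible in this hunk, and a one-line comment stating that contract above the header lookup would help the next reader. Anything after `_forbid` is outside the shown hunk.
```python
        # … unchanged: header lookup and debug logging …
        parts = path.split('/')
        # Fail closed: a URI without a tenant segment cannot be authorized
        try:
            req_tenant_id = parts[parts.index('tenants') + 1]
        except (ValueError, IndexError):
            return self._forbid()
        # … unchanged: tenant comparison and downstream call …
```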