heat engine : Allow instance users to view their own details
authorSteven Hardy <shardy@redhat.com>
Tue, 23 Oct 2012 20:59:38 +0000 (21:59 +0100)
committerSteven Hardy <shardy@redhat.com>
Thu, 25 Oct 2012 10:51:55 +0000 (11:51 +0100)
So that cfn-hup can read instance metadata via the DescribeStackResource
API call, we need non-admin "instance users" to be allowed to read their
own AccessKey resource details (since it can-be/is referenced in the
instance resource metadata).  The change in this patch should allow non-admin
users to read *only their own* secret AccessKey, and leave existing admin-user
visibility of the AccessKey resources unchanged.

Change-Id: Ic26d614d8e30104fbb354a67d3376b5d995ae8cc
Signed-off-by: Steven Hardy <shardy@redhat.com>
heat/engine/user.py
heat/tests/test_user.py

index 880060b5b05e56f54c8e08344465ba078384bae5..3890373a0a251fa1d3ed8ce2779285d306deeef1 100644 (file)
@@ -154,19 +154,25 @@ class AccessKey(Resource):
         Return the user's access key, fetching it from keystone if necessary
         '''
         if self._secret is None:
-            user = self._user_from_name(self.properties['UserName'])
-            if user is None:
-                logger.warn('could not find user %s' %
-                            self.properties['UserName'])
-            else:
-                try:
-                    cred = self.keystone().ec2.get(user.id, self.instance_id)
-                    self._secret = cred.secret
-                    self.instance_id_set(cred.access)
-                except Exception as ex:
-                    logger.warn('could not get secret for %s Error:%s' %
-                                (self.properties['UserName'],
-                                 str(ex)))
+            try:
+                # Here we use the user_id of the user context of the request
+                # We need to avoid using _user_from_name, because users.list
+                # needs keystone admin role, and we want to allow an instance
+                # user to retrieve data about itself:
+                # - Users without admin role cannot create or delete, but they
+                #   can see their own secret key (but nobody elses)
+                # - Users with admin role can create/delete and view the
+                #   private keys of all users in their tenant
+                # This will allow "instance users" to retrieve resource
+                # metadata but not manipulate user resources in any other way
+                user_id = self.keystone().auth_user_id
+                cred = self.keystone().ec2.get(user_id, self.instance_id)
+                self._secret = cred.secret
+                self.instance_id_set(cred.access)
+            except Exception as ex:
+                logger.warn('could not get secret for %s Error:%s' %
+                            (self.properties['UserName'],
+                             str(ex)))
 
         return self._secret or '000-000-000'
 
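Review bot: The warning in the `except` branch still names only `self.properties['UserName']`, although the lookup now uses the request context's `auth_user_id`, so a refused read by a different caller is logged under the key owner's name and the actual requester is lost. Initialise `user_id = None` before the `try` and include it in the message, e.g. `'could not get secret for %s (requester %s) Error:%s' % (self.properties['UserName'], user_id, str(ex))`. The new comment also says admin users can view the private keys of all users in their tenant, yet `ec2.get` always receives the caller's own id rather than the key owner's. Whether keystone returns another user's credential for that pair is not visible here and should be confirmed, because any failure falls through to the `'000-000-000'` placeholder. The method's signature and the start of its docstring are outside the hunk.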
index 7e0f46099e6ebb154c21452e11cc82df167f21b3..d6afe44463c81ef62bae10467897e6af5714e2c7 100644 (file)
@@ -165,7 +165,7 @@ class UserTest(unittest.TestCase):
 
         # fetch secret key
         user.AccessKey.keystone().AndReturn(self.fc)
-        self.fc.users.list(tenant_id='test_tenant').AndReturn([fake_user])
+        self.fc.auth_user_id = '1'
         user.AccessKey.keystone().AndReturn(self.fc)
         self.fc.ec2.get('1',
                 '03a4967889d94a9c8f707d267c127a3d').AndReturn(fake_cred)
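Review bot: The updated expectations only cover a caller whose `auth_user_id` (`'1'`) is the id that `ec2.get` is recorded with, so the property this commit is about, that a non-admin cannot read anyone else's secret, has no test. A second case that sets a different `auth_user_id`, records `self.fc.ec2.get(...)` with `.AndRaise(Exception(...))`, and asserts that the returned secret is `'000-000-000'` would pin the denial path. The test method begins and ends outside the hunk.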