From: Zane Bitter
Date: Mon, 22 Oct 2012 09:20:07 +0000 (+0200)
Subject: Pass the correct tenant for the service user
X-Git-Tag: 2014.1~1285
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=3bc725b5bd1ec82cc5e307d08803836d83a9e143;p=openstack-build%2Fheat-build.git
Pass the correct tenant for the service user
Previously, the service user (which authenticates tokens passes to the engine by the APIs) was paired with the tenant of the end user to do authentication, which worked only when they were in the same tenant. This should not be the case, since the service user should only have an admin role in the "service" tenant. Fixes #269
Change-Id: I99b764fc489429dd6d081485bd89d5dde737c124
Signed-off-by: Zane Bitter
---
diff --git a/heat/common/auth_token.py b/heat/common/auth_token.py
index 7d8bbb60..e7b4d645 100644
--- a/heat/common/auth_token.py
+++ b/heat/common/auth_token.py
@@ -437,6 +437,7 @@ class AuthProtocol(object):
 'X-Role': roles,
 'X-Admin-User': self.admin_user,
 'X-Admin-Pass': self.admin_password,
+ 'X-Admin-Tenant-Name': self.admin_tenant_name,
 'X-Auth-Url': self.conf['auth_uri'],
 }
diff --git a/heat/common/context.py b/heat/common/context.py
index 2da85999..efe46f1a 100644
--- a/heat/common/context.py
+++ b/heat/common/context.py
@@ -34,7 +34,8 @@ class RequestContext(object):
 def __init__(self, auth_token=None, username=None, password=None, aws_creds=None, aws_auth_uri=None,
- service_user=None, service_password=None, tenant=None,
+ service_user=None, service_password=None,
+ service_tenant=None, tenant=None,
 tenant_id=None, auth_url=None, roles=None, is_admin=False, read_only=False, show_deleted=False, owner_is_tenant=True, overwrite=True, **kwargs):
@@ -53,6 +54,7 @@ class RequestContext(object):
 self.aws_auth_uri = aws_auth_uri
 self.service_user = service_user
 self.service_password = service_password
+ self.service_tenant = service_tenant
 self.tenant = tenant
 self.tenant_id = tenant_id
 self.auth_url = auth_url
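Review bot: In the `heat/common/auth_token.py` hunk, `X-Admin-Tenant-Name` joins `X-Admin-User` and `X-Admin-Pass` as a header that `ContextMiddleware` later reads back as part of the service credential, but nothing in the hunk shows that a client-supplied header of the same name is discarded before this dict is applied. If the middleware keeps a list of headers it strips from incoming requests (not visible here), `'X-Admin-Tenant-Name'` should be added to it in the same commit. A comment above the dict, e.g. `# X-Admin-* carry the service credentials and must never be accepted from the client`, would make that requirement explicit. The enclosing method starts and ends outside the hunk.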
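Review bot: In the `RequestContext.__init__` hunk of `heat/common/context.py`, `service_tenant` is inserted ahead of `tenant` in the positional order, so a caller that passes `tenant` or any later argument positionally would now bind it one slot early without an error. Placing the new parameter after `overwrite=True`, just before `**kwargs`, avoids that. If every caller is known to use keywords, a docstring line such as `"""All arguments are expected to be passed by keyword."""` is enough. The function body continues outside the hunk.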
@@ -75,6 +77,7 @@ class RequestContext(object):
 'aws_auth_uri': self.aws_auth_uri,
 'service_user': self.service_user,
 'service_password': self.service_password,
+ 'service_tenant': self.service_tenant,
 'tenant': self.tenant,
 'tenant_id': self.tenant_id,
 'auth_url': self.auth_url,
@@ -175,7 +178,8 @@ class ContextMiddleware(wsgi.Middleware):
 token = headers.get('X-Auth-Token')
 service_user = headers.get('X-Admin-User')
 service_password = headers.get('X-Admin-Pass')
- tenant = headers.get('X-Tenant')
+ service_tenant = headers.get('X-Admin-Tenant-Name')
+ tenant = headers.get('X-Tenant-Name')
 tenant_id = headers.get('X-Tenant-Id')
 auth_url = headers.get('X-Auth-Url')
 roles = headers.get('X-Roles')
@@ -190,6 +194,7 @@ class ContextMiddleware(wsgi.Middleware):
 password=password,
 service_user=service_user,
 service_password=service_password,
+ service_tenant=service_tenant,
 auth_url=auth_url,
 roles=roles,
 is_admin=True)
diff --git a/heat/engine/resources.py b/heat/engine/resources.py
index a305bab3..b4a61b02 100644
--- a/heat/engine/resources.py
+++ b/heat/engine/resources.py
@@ -222,20 +222,21 @@ class Resource(object):
 con = self.context
 args = {
- 'tenant_name': con.tenant,
- 'tenant_id': con.tenant_id,
 'auth_url': con.auth_url,
 }
 if con.password is not None:
 args['username'] = con.username
 args['password'] = con.password
+ args['tenant_name'] = con.tenant
+ args['tenant_id'] = con.tenant_id
 elif con.auth_token is not None:
 args['username'] = con.service_user
 args['password'] = con.service_password
+ args['tenant_name'] = con.service_tenant
 args['token'] = con.auth_token
 else:
- logger.error("Keystone connectio failed, no password or " +
+ logger.error("Keystone connection failed, no password or " +
 "auth_token!")
 return None
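Review bot: The `to_dict()` hunk in `heat/common/context.py` has no comment saying that the returned dict now holds the complete service credential (`service_user`, `service_password`, `service_tenant`), which matters to any code that logs or stores it. I would add `# NOTE: contains the service credentials; redact before logging` above the `'service_user'` entry. The method starts and ends outside the hunk.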
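Review bot: The `ContextMiddleware` hunk also switches the end-user tenant from `X-Tenant` to `X-Tenant-Name`, which the commit description does not mention, and a request that carries only `X-Tenant` now yields `tenant = None` without any log line. If the older header can still arrive, `tenant = headers.get('X-Tenant-Name') or headers.get('X-Tenant')` keeps it working; otherwise the rename deserves a sentence in the description. The enclosing method starts and ends outside the hunk.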
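Review bot: In the `@@ -222,20 +222,21 @@` hunk of `heat/engine/resources.py`, the token branch now sets `args['tenant_name'] = con.service_tenant` without checking it, and that value is `None` whenever the `X-Admin-Tenant-Name` header was absent when the context was built. Before this change the branch always carried the end user's tenant, so a missing service tenant is a new failure mode that is passed on in `args` and presumably surfaces later with a less clear error than the existing "no password or auth_token" message. A guard at the top of the branch, `if con.service_tenant is None:` followed by `logger.error("Keystone connection failed, no service tenant!")` and `return None`, keeps the failure in one place. The same applies to `args['project_id'] = con.service_tenant` in the `@@ -261,6 +262,7 @@` hunk; both functions extend beyond their hunks.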
@@ -261,6 +262,7 @@ class Resource(object):
 elif con.auth_token is not None:
 args['username'] = con.service_user
 args['api_key'] = con.service_password
+ args['project_id'] = con.service_tenant
 args['proxy_token'] = con.auth_token
 args['proxy_tenant_id'] = con.tenant_id
 else: