From: Steven Hardy
Date: Tue, 23 Oct 2012 20:59:38 +0000 (+0100)
Subject: heat engine : Allow instance users to view their own details
X-Git-Tag: 2014.1~1270
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=92c985191b907096b1cb2aa8c77efa9773596a35;p=openstack-build%2Fheat-build.git

heat engine : Allow instance users to view their own details

So that cfn-hup can read instance metadata via the DescribeStackResource API call, we need non-admin "instance users" to be allowed to read their own AccessKey resource details (since it can-be/is referenced in the instance resource metadata). The change in this patch should allow non-admin users to read *only their own* secret AccessKey, and leave existing admin-user visibility of the AccessKey resources unchanged.

Change-Id: Ic26d614d8e30104fbb354a67d3376b5d995ae8cc
Signed-off-by: Steven Hardy
---
diff --git a/heat/engine/user.py b/heat/engine/user.py
index 880060b5..3890373a 100644
--- a/heat/engine/user.py
+++ b/heat/engine/user.py
@@ -154,19 +154,25 @@ class AccessKey(Resource):
 Return the user's access key, fetching it from keystone if necessary
 '''
 if self._secret is None:
- user = self._user_from_name(self.properties['UserName'])
- if user is None:
- logger.warn('could not find user %s' %
- self.properties['UserName'])
- else:
- try:
- cred = self.keystone().ec2.get(user.id, self.instance_id)
- self._secret = cred.secret
- self.instance_id_set(cred.access)
- except Exception as ex:
- logger.warn('could not get secret for %s Error:%s' %
- (self.properties['UserName'],
- str(ex)))
+ try:
+ # Here we use the user_id of the user context of the request
+ # We need to avoid using _user_from_name, because users.list
+ # needs keystone admin role, and we want to allow an instance
+ # user to retrieve data about itself:
+ # - Users without admin role cannot create or delete, but they
+ # can see their own secret key (but nobody elses)
+ # - Users with admin role can create/delete and view the
+ # private keys of all users in their tenant
+ # This will allow "instance users" to retrieve resource
+ # metadata but not manipulate user resources in any other way
+ user_id = self.keystone().auth_user_id
+ cred = self.keystone().ec2.get(user_id, self.instance_id)
+ self._secret = cred.secret
+ self.instance_id_set(cred.access)
+ except Exception as ex:
+ logger.warn('could not get secret for %s Error:%s' %
+ (self.properties['UserName'],
+ str(ex)))
 return self._secret or '000-000-000'
diff --git a/heat/tests/test_user.py b/heat/tests/test_user.py
index 7e0f4609..d6afe444 100644
--- a/heat/tests/test_user.py
+++ b/heat/tests/test_user.py
@@ -165,7 +165,7 @@ class UserTest(unittest.TestCase):
 # fetch secret key
 user.AccessKey.keystone().AndReturn(self.fc)
- self.fc.users.list(tenant_id='test_tenant').AndReturn([fake_user])
+ self.fc.auth_user_id = '1'
 user.AccessKey.keystone().AndReturn(self.fc)
 self.fc.ec2.get('1', '03a4967889d94a9c8f707d267c127a3d').AndReturn(fake_cred)
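Review bot: The new `ec2.get(user_id, self.instance_id)` call is keyed by the caller's `auth_user_id` rather than by the user named in `self.properties['UserName']`, so Heat itself no longer checks that the requester and the AccessKey's owner are the same principal; both halves of the commit message's claim (admins still see every key in their tenant, non-admins only their own) now rest entirely on how keystone authorizes a GET for that user_id/credential pair, which nothing in the hunk verifies. A comment stating that dependency next to the call would help future readers, e.g. `# Authorization is delegated to keystone: for a non-admin caller ec2.get must refuse a credential not owned by user_id, otherwise the placeholder below is returned`. The accompanying test hunk in heat/tests/test_user.py only covers the matching case (`self.fc.auth_user_id = '1'` with `ec2.get('1', ...)`); a test where ec2.get raises for a mismatched user should assert that `'000-000-000'` is returned and that `self._secret` stays unset, since the broad `except Exception` otherwise makes a denied request and a keystone outage indistinguishable to the caller. The enclosing method starts outside the hunk.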