| author | Todd Willey <xtoddx@gmail.com> | 2011-06-21 14:26:47 -0400 |
|---|---|---|
| committer | Todd Willey <xtoddx@gmail.com> | 2011-06-21 14:26:47 -0400 |
| commit | 722fcd8ebef3fe1268ace5c05e014f6a945abfab (patch) | |
| tree | d551e07a83652d01ea96164cdefb61b300ebc1e3 | |
| parent | c8de07620830c3d9f5bfb7c8d818a0440d1076c4 (diff) | |
| download | keystone-722fcd8ebef3fe1268ace5c05e014f6a945abfab.tar.gz keystone-722fcd8ebef3fe1268ace5c05e014f6a945abfab.tar.xz keystone-722fcd8ebef3fe1268ace5c05e014f6a945abfab.zip | |
Basic authorization for swift.
This first pass only makes sure you don't issue requests against other
accounts (regardless of publicity / acls).
TODO:
* configurable reseller prefix (AUTH_)
* groups (.reseller_admin)
* don't let users change account except when admin (containerless DELETE/PUT)
* check container ACLs for object access
* add user groups into REMOTE_USER (?)
* get rid of all the useless HTTP headers jammed into the request
| -rwxr-xr-x | keystone/auth_protocols/auth_token.py | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/keystone/auth_protocols/auth_token.py b/keystone/auth_protocols/auth_token.py
index 1734dd3c..107d688b 100755
--- a/keystone/auth_protocols/auth_token.py
+++ b/keystone/auth_protocols/auth_token.py
@@ -58,7 +58,7 @@
 import json
 import os
 from paste.deploy import loadapp
 from urlparse import urlparse
-from webob.exc import HTTPUnauthorized, HTTPUseProxy
+from webob.exc import HTTPUnauthorized, HTTPUseProxy, HTTPExpectationFailed
 from webob.exc import Request, Response
 from keystone.common.bufferedhttp import http_connect_raw as http_connect
@@ -157,6 +157,10 @@ class AuthProtocol(object):
 #Collect information about valid claims
 if valid:
 claims = self._expound_claims()
+
+ # Store authentication data
+ self.env['keystone.claims'] = claims
+ self.env['swift.authorize'] = self.authorize
 if claims:
 # TODO(Ziad): add additional details we may need,
 # like tenant and group info
@@ -174,11 +178,25 @@ class AuthProtocol(object):
 roles += ','
 roles += role
 self._decorate_request('X_ROLE', roles)
+
+ # NOTE(todd): unused
 self.expanded = True

 #Send request downstream
 return self._forward_request()

+ def authorize(self, req):
+ env = req.environ
+ tenant = env.get('keystone.claims', {}).get('tenant')
+ if not tenant:
+ return HTTPExpectationFailed('Unable to locate auth claim',
+ request=req)
+ if req.path.startswith('/v1/AUTH_%s' % tenant):
+ return None
+ return HTTPUnauthorized(request=req)
+
+
+ # NOTE(todd): unused
 def get_admin_auth_token(self, username, password, tenant):
 """
 This function gets an admin auth token to be used by this service to |
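Review bot: The account check in the new `authorize` method is a bare prefix match, so a tenant whose id is a prefix of another account's id (tenant `abc` requesting `/v1/AUTH_abcdef/...`) is treated as if it were its own account. The comparison should stop at a path-segment boundary: `account = '/v1/AUTH_%s' % tenant` and then `if req.path == account or req.path.startswith(account + '/'): return None`. The method also lacks a docstring; a one-liner such as `"""Swift authorize callback: return None to allow a request against the account named by the tenant in keystone.claims, otherwise a webob error response (417 when no claim is stored, 401 when the account differs)."""` would state the contract callers rely on. The enclosing class AuthProtocol starts outside the hunk, and whether `req.path` or `path_info` is the right attribute under a mounted SCRIPT_NAME cannot be told from this hunk.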
