author | Jenkins <jenkins@review.openstack.org> | 2012-05-29 21:38:26 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2012-05-29 21:38:26 +0000 |
commit | b6dbb103e1c1779474c5d26f3acf47e704cc601c (patch) | |
tree | d04c03f27662ba9dda7261e36aa18792350a7feb | |
parent | 081c541603c439a0eaa4608eec9225d0626c075d (diff) | |
parent | 30654a65eac7166b0bd0567ef1d3cabb43031fd3 (diff) | |
Merge "Add ACL check using <tenant_id>:<user> format."
-rw-r--r-- | keystone/middleware/swift_auth.py | 8 | ||||
-rw-r--r-- | tests/test_swift_auth_middleware.py | 6 |
2 files changed, 10 insertions, 4 deletions
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index d4be9f1f..798094cd 100644
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -207,9 +207,11 @@ class SwiftAuth(object):
 return self.denied_response(req)
 # Allow ACL at individual user level (tenant:user format)
- if '%s:%s' % (tenant_name, user) in roles:
- log_msg = 'user %s:%s allowed in ACL authorizing'
- self.logger.debug(log_msg % (tenant_name, user))
+ # For backward compatibility, check for ACL in tenant_id:user format
+ if ('%s:%s' % (tenant_name, user) in roles
+ or '%s:%s' % (tenant_id, user) in roles):
+ log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
+ self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
 return
 # Check if we have the role in the userroles and allow it
diff --git a/tests/test_swift_auth_middleware.py b/tests/test_swift_auth_middleware.py
index afad9744..a5a0d674 100644
--- a/tests/test_swift_auth_middleware.py
+++ b/tests/test_swift_auth_middleware.py
@@ -235,11 +235,15 @@ class TestAuthorize(unittest.TestCase):
 identity = self._get_identity(roles=[acl])
 self._check_authenticate(identity=identity, acl=acl)
- def test_authorize_succeeds_for_tenant_user_in_roles(self):
+ def test_authorize_succeeds_for_tenant_name_user_in_roles(self):
 identity = self._get_identity()
 acl = '%s:%s' % (identity['tenant'][1], identity['user'])
 self._check_authenticate(identity=identity, acl=acl)
+ def test_authorize_succeeds_for_tenant_id_user_in_roles(self):
+ identity = self._get_identity()
+ acl = '%s:%s' % (identity['tenant'][0], identity['user'])
+ self._check_authenticate(identity=identity, acl=acl)
 if __name__ == '__main__':
 unittest.main() |
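Review bot: The widened condition in the SwiftAuth hunk puts `tenant_name:user` and `tenant_id:user` in one ACL namespace, so an entry written with an ID is also satisfied by a user in any tenant whose name happens to equal that string. Whether a tenant name can ever equal another tenant's ID depends on the identity backend, which is not visible here, so the assumption deserves a comment such as `# names and ids share the ACL namespace; a tenant name must never equal another tenant's id`. The debug message prints both forms and so does not record which one granted access; logging only the entry that matched, for example `matched = [e for e in (name_acl, id_acl) if e in roles]` then `self.logger.debug('user %s allowed in ACL authorizing' % matched[0])` (with `name_acl` and `id_acl` as illustrative locals), would make the grant auditable. The enclosing method starts and ends outside the hunk.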
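Review bot: Both tests in the TestAuthorize hunk cover only the accepting path, so nothing asserts that an ACL naming a different tenant's id with the same user is denied. A negative case built from `acl = '%s:%s' % ('other-' + identity['tenant'][0], identity['user'])` and asserting a denied response would pin the boundary of the new `tenant_id:user` match; the helper for asserting a denial is not visible in this hunk. The indices `identity['tenant'][0]` and `identity['tenant'][1]` rely on an (id, name) ordering that is presumably defined in `_get_identity`, and a short comment on each `acl =` line naming which field is used would make the two tests easier to tell apart.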