author | Dolph Mathews <dolph.mathews@gmail.com> | 2013-03-20 20:21:45 -0500 |
---|---|---|
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2013-03-20 23:42:16 -0500 |
commit | 601d993fb1ca16d2fedf721de5fdb70a6b55a0a8 (patch) | |
tree | 599c5d7c878968701eee6005cbb48534c5336e89 /keystone/auth | |
parent | aa58233bd8ba174e07076444b0dc5fdb67f5a5e6 (diff) | |
Allow trusts to be optional
Change-Id: I76ab6ddac70cccece46bc36d7592d840599c893b
Diffstat (limited to 'keystone/auth')
-rw-r--r-- | keystone/auth/controllers.py | 8 | ||||
-rw-r--r-- | keystone/auth/token_factory.py | 10 |
2 files changed, 9 insertions, 9 deletions
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index ba70735c..66ff6230 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -183,6 +183,8 @@ class AuthInfo(object):
 domain_ref = self._lookup_domain(self.auth['scope']['domain'])
 self._scope_data = (domain_ref['id'], None, None)
 elif 'trust' in self.auth['scope']:
+ if not CONF.trust.enabled:
+ raise exception.Forbidden('Trusts are disabled.')
 trust_ref = self._lookup_trust(self.auth['scope']['trust'])
 #TODO ayoung when trusts support domain, Fill in domain data here
 if 'project_id' in trust_ref:
@@ -287,10 +289,8 @@ class Auth(controller.V3Controller):
 context, auth_context, auth_info)
 return token_factory.render_token_data_response( token_id, token_data, created=True)
- except (exception.Unauthorized,
- exception.AuthMethodNotSupported,
- exception.AdditionalAuthRequired) as e:
- raise e
+ except exception.SecurityError:
+ raise
 except Exception as e:
 LOG.exception(e)
 raise exception.Unauthorized(e)
diff --git a/keystone/auth/token_factory.py b/keystone/auth/token_factory.py
index 3d4d38b2..c16d88dd 100644
--- a/keystone/auth/token_factory.py
+++ b/keystone/auth/token_factory.py
@@ -107,7 +107,7 @@ class TokenDataHelper(object):
 trust):
 user_ref = self.identity_api.get_user(self.context, user_id)
- if trust:
+ if CONF.trust.enabled and trust:
 trustor_user_ref = (self.identity_api.get_user(self.context, trust['trustor_user_id']))
 if not trustor_user_ref['enabled']:
@@ -129,7 +129,7 @@ class TokenDataHelper(object):
 def _populate_roles(self, token_data, user_id, domain_id, project_id, trust):
- if trust:
+ if CONF.trust.enabled and trust:
 token_user_id = trust['trustor_user_id']
 token_project_id = trust['project_id']
 #trusts do not support domains yet
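Review bot: The narrowed `except exception.SecurityError: raise` in the `Auth` controller hunk only preserves the previous behaviour if `AuthMethodNotSupported` and `AdditionalAuthRequired` derive from `SecurityError`. The exception hierarchy is not visible in this diff, and if they do not, both now fall into the generic handler and come back as `Unauthorized`. The generic handler directly below, `raise exception.Unauthorized(e)`, passes the caught exception in as the message, so text from an unexpected internal error may be returned to an unauthenticated caller. Since `LOG.exception(e)` already records it, `raise exception.Unauthorized()` would keep that detail server-side. The enclosing method starts outside the hunk.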
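Review bot: Guarding with `if CONF.trust.enabled and trust:` in the first token_factory.py hunk means a supplied trust is silently ignored when trusts are disabled, so token construction continues down the non-trust path instead of failing. The same guard is repeated in `_populate_roles` (two places), in `_populate_service_catalog`, and in the last hunk, where it also skips the `trustee_user_id` comparison that raises `Forbidden`. The new check in `AuthInfo` rejects trust-scoped requests up front, but whether every caller of `TokenDataHelper` passes through it cannot be seen from this diff. Failing closed once at the entry point, e.g. `if trust and not CONF.trust.enabled: raise exception.Forbidden('Trusts are disabled.')`, would let the five `if trust:` tests stay as they were. The method bodies continue outside the hunks.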
@@ -144,7 +144,7 @@ class TokenDataHelper(object):
 token_domain_id, token_project_id)
 filtered_roles = []
- if trust:
+ if CONF.trust.enabled and trust:
 for trust_role in trust['roles']:
 match_roles = [x for x in roles if x['id'] == trust_role['id']]
@@ -160,7 +160,7 @@ class TokenDataHelper(object):
 def _populate_service_catalog(self, token_data, user_id, domain_id, project_id, trust):
- if trust:
+ if CONF.trust.enabled and trust:
 user_id = trust['trustor_user_id']
 if project_id or domain_id:
 try:
@@ -186,7 +186,7 @@ class TokenDataHelper(object):
 trust=None):
 token_data = {'methods': method_names, 'extras': extras}
- if trust:
+ if CONF.trust.enabled and trust:
 if user_id != trust['trustee_user_id']:
 raise exception.Forbidden()
|