authorLin Hua Cheng <lin-hua.cheng@hp.com>2012-05-21 22:46:38 -0700
committerLin Hua Cheng <lin-hua.cheng@hp.com>2012-05-22 22:16:59 -0700
commit30654a65eac7166b0bd0567ef1d3cabb43031fd3 (patch)
treeeb458b729eda9ca3ac6a69de42d0dc23f950b4a4 /keystone/middleware
parent33d107aa1d3e1aa2c188f9df7338a1e7d97a4ed2 (diff)
Add ACL check using <tenant_id>:<user> format.
Fixes bug 999998. Swift auth middleware uses a new format for expressing a container ACL for a user: <tenant_name>:<user>. This fix adds support for checking ACLs using the old <tenant_id>:<user> format. Change-Id: I44985b191afb174605c35041741056ae1e78fa77
Diffstat (limited to 'keystone/middleware')
-rw-r--r--keystone/middleware/swift_auth.py8
1 files changed, 5 insertions, 3 deletions
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index 19f8cab9..19ef6ab9 100644
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -196,9 +196,11 @@ class SwiftAuth(object):
return self.denied_response(req)
# Allow ACL at individual user level (tenant:user format)
- if '%s:%s' % (tenant_name, user) in roles:
- log_msg = 'user %s:%s allowed in ACL authorizing'
- self.logger.debug(log_msg % (tenant_name, user))
+ # For backward compatibility, check for ACL in tenant_id:user format
+ if ('%s:%s' % (tenant_name, user) in roles
+ or '%s:%s' % (tenant_id, user) in roles):
+ log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
+ self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
return
# Check if we have the role in the userroles and allow it
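Review bot: The combined condition ending in `'%s:%s' % (tenant_id, user) in roles` puts tenant names and tenant ids into one ACL namespace. An entry written as `<tenant_id>:<user>` for one tenant would therefore also authorize a same-named user from a different tenant whose name equals that id string, and the reverse, if the identity backend permits such names; that is not visible here and should be confirmed. The debug message also prints both forms without saying which one matched, which makes an access decision harder to audit, so I would test the two forms separately and log only the entry that granted access. The enclosing method starts and ends outside the hunk, so where `tenant_id` is bound cannot be checked from these lines.

```python
        # For backward compatibility, check for ACL in tenant_id:user format
        for acl_user in ('%s:%s' % (tenant_name, user),
                         '%s:%s' % (tenant_id, user)):
            if acl_user in roles:
                log_msg = 'user %s allowed in ACL authorizing'
                self.logger.debug(log_msg % acl_user)
                return
        # ... unchanged: role check against the user's roles ...
```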