author | Lin Hua Cheng <lin-hua.cheng@hp.com> | 2012-05-21 22:46:38 -0700 |
---|---|---|
committer | Lin Hua Cheng <lin-hua.cheng@hp.com> | 2012-05-22 22:16:59 -0700 |
commit | 30654a65eac7166b0bd0567ef1d3cabb43031fd3 (patch) | |
tree | eb458b729eda9ca3ac6a69de42d0dc23f950b4a4 /keystone/middleware | |
parent | 33d107aa1d3e1aa2c188f9df7338a1e7d97a4ed2 (diff) | |
Add ACL check using <tenant_id>:<user> format.
Fixes bug 999998.
Swift auth middleware uses a new format for expressing
a container ACL for a user: <tenant_name>:<user>. This
fix adds support for checking the ACL using the old format
of <tenant_id>:<user>.
Change-Id: I44985b191afb174605c35041741056ae1e78fa77
Diffstat (limited to 'keystone/middleware')
-rw-r--r-- | keystone/middleware/swift_auth.py | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index 19f8cab9..19ef6ab9 100644
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -196,9 +196,11 @@ class SwiftAuth(object):
 return self.denied_response(req)
 # Allow ACL at individual user level (tenant:user format)
- if '%s:%s' % (tenant_name, user) in roles:
- log_msg = 'user %s:%s allowed in ACL authorizing'
- self.logger.debug(log_msg % (tenant_name, user))
+ # For backward compatibility, check for ACL in tenant_id:user format
+ if ('%s:%s' % (tenant_name, user) in roles
+ or '%s:%s' % (tenant_id, user) in roles):
+ log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
+ self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
 return
 # Check if we have the role in the userroles and allow it |
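Review bot: The widened condition `'%s:%s' % (tenant_name, user) in roles or '%s:%s' % (tenant_id, user) in roles` tests two different identifiers against the same set of ACL strings, so an entry meant as `<tenant_id>:<user>` would also authorize a same-named user in any tenant whose name equals that id. Whether tenant names can ever collide with tenant ids is not visible in this hunk, so it should be confirmed and the assumption stated in the comment above the check. The new debug message also prints both forms regardless of which one matched, so the log cannot show whether access came from the name entry or the legacy id entry. Building both strings once and logging only the one found in `roles` keeps the backward-compatible path auditable. The enclosing method starts and ends outside the hunk.

```python
        # … unchanged: the two comment lines above the check …
        acl_by_name = '%s:%s' % (tenant_name, user)
        acl_by_id = '%s:%s' % (tenant_id, user)  # legacy format
        for acl_entry in (acl_by_name, acl_by_id):
            if acl_entry in roles:
                log_msg = 'user %s allowed in ACL authorizing'
                self.logger.debug(log_msg % acl_entry)
                return
```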