From 9a6f3d54e94d31f7be2b8ccfceeb8b835a89cddc Mon Sep 17 00:00:00 2001
From: Yogeshwar Srikrishnan
Date: Wed, 1 Jun 2011 17:29:01 -0500
Subject: Changes on auth basic middleware component to return roles.Also changes on the application to return roles not tied to a tenant.

---
examples/echo/echo/server.py | 4 ++++
keystone/auth_protocols/auth_token.py | 11 ++++++++++-
keystone/logic/service.py | 6 +++++-
3 files changed, 19 insertions(+), 2 deletions(-)
mode change 100644 => 100755 keystone/logic/service.py

diff --git a/examples/echo/echo/server.py b/examples/echo/echo/server.py
index 8c24aa8f..69919a88 100644
--- a/examples/echo/echo/server.py
+++ b/examples/echo/echo/server.py
@@ -31,6 +31,7 @@ POSSIBLE_TOPDIR = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
 if os.path.exists(os.path.join(POSSIBLE_TOPDIR, 'echo', '__init__.py')):
 # also use the local keystone
 KEYSTONE_TOPDIR = os.path.normpath(os.path.join(POSSIBLE_TOPDIR,
+ os.pardir,
 os.pardir))
 if os.path.exists(os.path.join(KEYSTONE_TOPDIR,
 'keystone',
@@ -75,6 +76,9 @@ class EchoApp(object):
 print ' Tenant :', self.envr['HTTP_X_TENANT']
 if 'HTTP_X_GROUP' in self.envr:
 print ' Group :', self.envr['HTTP_X_GROUP']
+ if 'HTTP_X_ROLES' in self.envr:
+ print ' Roles :', self.envr['HTTP_X_ROLES']
+
 accept = self.envr.get("HTTP_ACCEPT", "application/json")
 if accept == "application/xml":
diff --git a/keystone/auth_protocols/auth_token.py b/keystone/auth_protocols/auth_token.py
index 1484bf58..e690b335 100644
--- a/keystone/auth_protocols/auth_token.py
+++ b/keystone/auth_protocols/auth_token.py
@@ -167,6 +167,8 @@ class AuthProtocol(object):
 self._decorate_request('X_USER', claims['user'])
 if 'group' in claims:
 self._decorate_request('X_GROUP', claims['group'])
+ if 'roles' in claims:
+ self._decorate_request('X_ROLES', claims['roles'])
 self.expanded = True
 #Send request downstream
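Review bot: `claims['roles']` is a list (it is built as one in the later hunk of this file), unlike the scalar values passed for X_USER and X_GROUP on the surrounding lines, so unless `_decorate_request` (not visible here) serializes it, downstream services will see either a Python repr such as `['Admin', 'Member']` or a type error rather than a defined wire format; serialize it explicitly, e.g. `self._decorate_request('X_ROLES', ','.join(claims['roles']))`, and document the separator next to the call. The `if 'roles' in claims:` guard also means the header is simply not set when a token carries no roles, so a client-supplied X-Roles header would reach the backend untouched unless the middleware strips inbound X-* headers elsewhere — worth confirming. The enclosing method starts outside the hunk.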
@@ -263,8 +265,15 @@ class AuthProtocol(object):
 token_info = json.loads(data)
 #TODO(Ziad): make this more robust
 #first_group = token_info['auth']['user']['groups']['group'][0]
+ roles =[]
+ role_refs =token_info["auth"]["user"]["roleRefs"]
+ for role_ref in role_refs:
+ roles.append(role_ref["roleId"])
+
 verified_claims = {'user': token_info['auth']['user']['username'],
- 'tenant': token_info['auth']['user']['tenantId']}
+ 'tenant': token_info['auth']['user']['tenantId'], 'roles':roles}
+
+ # TODO(Ziad): removed groups for now
 # ,'group': '%s/%s' % (first_group['id'],
 # first_group['tenantId'])}
diff --git a/keystone/logic/service.py b/keystone/logic/service.py
old mode 100644
new mode 100755
index 926fa4b6..e028705e
--- a/keystone/logic/service.py
+++ b/keystone/logic/service.py
@@ -129,7 +129,7 @@ class IdentityService(object):
 ## GET Tenants with Pagination ##
 def get_tenants(self, admin_token, marker, limit, url):
- self.__validate_token(admin_token)
+ (token, user) = self.__validate_token(admin_token, False)
 ts = []
 dtenants = db_api.tenant_get_page(marker, limit)
@@ -848,6 +848,10 @@ class IdentityService(object):
 for droleRef in droleRefs:
 ts.append(roles.RoleRef(droleRef.id, droleRef.role_id,
 droleRef.tenant_id))
+ droleRefs = db_api.role_ref_get_all_global_roles(duser.id)
+ for droleRef in droleRefs:
+ ts.append(roles.RoleRef(droleRef.id, droleRef.role_id,
+ droleRef.tenant_id))
 user = auth.User(duser.id, duser.tenant_id, None,
 roles.RoleRefs(ts, []))
 return auth.ValidateData(token, user)
-- cgit
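Review bot: The new `token_info["auth"]["user"]["roleRefs"]` lookup and the `role_ref["roleId"]` indexing are unguarded, so a validate response without a `roleRefs` key, or a ref lacking `roleId`, raises KeyError inside the middleware for an otherwise valid token — directly under a TODO that already asks for this parsing to be made more robust; use `role_refs = token_info["auth"]["user"].get("roleRefs") or []` and fail closed (reject the request) on a malformed ref rather than propagate the exception. Flattening each ref to its bare `roleId` also discards `tenantId`, so if roleRefs can include roles granted on a tenant other than the token's — and the service.py hunk in this commit now appends global roles to the same list — a backend serving a request for tenant A cannot tell "Admin on tenant B" from a global Admin; either keep the scope in the value, e.g. `roles.append('%s/%s' % (role_ref["roleId"], role_ref.get("tenantId")))` as the commented-out group format did, or only emit refs whose `tenantId` is None or equals `token_info['auth']['user']['tenantId']`. The enclosing method starts and continues outside the hunk.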
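Review bot: Passing `False` as a new second argument to `self.__validate_token` looks like it relaxes the check that the bare `self.__validate_token(admin_token)` call performed; if that flag is an admin requirement (the method's signature is outside the hunk, so confirm), `get_tenants` — the paginated listing of every tenant — becomes callable with any valid token, an authorization change the commit message does not mention. Keep the original call unless unprivileged tenant enumeration is intended, and if it is, say so at the call site, e.g. `# deliberately accepts a non-admin token: any authenticated user may list tenants`, so the relaxed check is not mistaken for an accident later. `token` and `user` are bound but unused in the visible lines; the method body continues outside the hunk.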
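Review bot: The added block rebinds `droleRefs` and repeats the existing three-line `ts.append(roles.RoleRef(...))` loop verbatim; iterate the second source directly, `for droleRef in db_api.role_ref_get_all_global_roles(duser.id):`, or chain both sources into the one loop so the RoleRef construction lives in a single place. A comment on the new call would also help the middleware author who consumes this list, e.g. `# global roles are appended after tenant-scoped ones; consumers must not assume every RoleRef is bound to duser.tenant_id`, and if a role can be held both globally and on the tenant it is presumably emitted twice here (inferred, not visible). The enclosing method starts outside the hunk.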