From 3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6 Mon Sep 17 00:00:00 2001
From: Joe Gordon
Date: Fri, 8 Mar 2013 15:34:25 -0800
Subject: Move auth_token middleware from admin user to an RBAC policy
Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed. The revocation_list and validate_token commands use an policy.json rule, to only allow these commands if you are in have the service role.
Rule used:
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
Added the policy wrapper on the validate functions.
Fixes bug 1153789
Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
---
keystone/common/controller.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'keystone/common/controller.py')
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index 39fb8128..daed966a 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -88,7 +88,7 @@ def flatten(d, parent_key=''):
 def protected(f):
 """Wraps API calls with role based access controls (RBAC)."""
 @functools.wraps(f)
- def wrapper(self, context, **kwargs):
+ def wrapper(self, context, *args, **kwargs):
 if 'is_admin' in context and context['is_admin']:
 LOG.warning(_('RBAC: Bypassing authorization'))
 else:
@@ -101,7 +101,7 @@ def protected(f):
 self.policy_api.enforce(context, creds, action, flatten(kwargs))
 LOG.debug(_('RBAC: Authorization granted'))
- return f(self, context, **kwargs)
+ return f(self, context, *args, **kwargs)
 return wrapper
-- cgit
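Review bot: The positional arguments the wrapper now accepts never reach the policy check: in the second hunk `self.policy_api.enforce(context, creds, action, flatten(kwargs))` still builds the target from `kwargs` only, while `f(self, context, *args, **kwargs)` forwards `*args` to the protected call. A role-only rule such as the `service_or_admin` rule quoted in the commit message is unaffected, but any rule that matches on a target attribute would be evaluated against an incomplete target whenever a caller passes that value positionally; whether that ends in a denial or a grant depends on how the policy engine treats a missing key, which is not visible here. Either keep the protected methods keyword-only at their call sites, or record the limitation above the enforce call, e.g. `# NOTE: only kwargs form the policy target; positional args are forwarded to f without being checked`. The middle of `wrapper` lies between the two hunks and is not shown, so how `creds` and `action` are derived could not be reviewed.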