Flag to define which operations are exposed in the OpenStack API, disabling all others.

3 files changed, 70 insertions, 0 deletions

diff --git a/Authors b/Authors
index a1703b279..c9bf3b67c 100644
--- a/Authors
+++ b/Authors
@@ -21,6 +21,7 @@ Monty Taylor <mordred@inaugust.com>
 Paul Voccio <paul@openstack.org>
 Rick Clark <rick@openstack.org>
 Ryan Lucio <rlucio@internap.com>
+Sandy Walsh <sandy.walsh@rackspace.com>
 Soren Hansen <soren.hansen@rackspace.com>
 Todd Willey <todd@ansolabs.com>
 Trey Morris <trey.morris@rackspace.com>
diff --git a/nova/api/openstack/__init__.py b/nova/api/openstack/__init__.py
index 4ca108c4e..c9efe5222 100644
--- a/nova/api/openstack/__init__.py
+++ b/nova/api/openstack/__init__.py
@@ -48,6 +48,10 @@ flags.DEFINE_string('nova_api_auth',
     'nova.api.openstack.auth.BasicApiAuthManager',
     'The auth mechanism to use for the OpenStack API implemenation')
 
+flags.DEFINE_bool('allow_admin_api',
+    False,
+    'When True, this API service will accept admin operations.')
+
 
 class API(wsgi.Middleware):
     """WSGI entry point for all OpenStack API requests."""
@@ -183,6 +187,10 @@ class APIRouter(wsgi.Router):
         mapper.resource("sharedipgroup", "sharedipgroups",
                         controller=sharedipgroups.Controller())
 
+        if FLAGS.allow_admin_api:
+            logging.debug("Including admin operations in API.")
+            # TODO: Place routes for admin operations here.
+
         super(APIRouter, self).__init__(mapper)
 
 
diff --git a/nova/tests/api/openstack/test_adminapi.py b/nova/tests/api/openstack/test_adminapi.py
new file mode 100644
index 000000000..1b2e1654d
--- /dev/null
+++ b/nova/tests/api/openstack/test_adminapi.py
@@ -0,0 +1,61 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 OpenStack LLC.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import unittest
+
+import stubout
+import webob
+
+import nova.api
+from nova import flags
+from nova.tests.api.openstack import fakes
+
+FLAGS = flags.FLAGS
+
+
+class AdminAPITest(unittest.TestCase):
+    def setUp(self):
+        self.stubs = stubout.StubOutForTesting()
+        fakes.FakeAuthManager.auth_data = {}
+        fakes.FakeAuthDatabase.data = {}
+        fakes.stub_out_networking(self.stubs)
+        fakes.stub_out_rate_limiting(self.stubs)
+        fakes.stub_out_auth(self.stubs)
+        self.allow_admin = FLAGS.allow_admin_api
+
+    def tearDown(self):
+        self.stubs.UnsetAll()
+        FLAGS.allow_admin_api = self.allow_admin
+
+    def test_admin_enabled(self):
+        FLAGS.allow_admin_api = True
+        # We should still be able to access public operations.
+        req = webob.Request.blank('/v1.0/flavors')
+        res = req.get_response(nova.api.API('os'))
+        self.assertEqual(res.status_int, 200)
+        # TODO: Confirm admin operations are available.
+
+    def test_admin_disabled(self):
+        FLAGS.allow_admin_api = False
+        # We should still be able to access public operations.
+        req = webob.Request.blank('/v1.0/flavors')
+        res = req.get_response(nova.api.API('os'))
+        self.assertEqual(res.status_int, 200)
+        # TODO: Confirm admin operations are unavailable.
+
+if __name__ == '__main__':
+    unittest.main()