diff options
| author | Devin Carlen <devin.carlen@gmail.com> | 2010-10-01 15:08:19 +0000 |
|---|---|---|
| committer | Tarmac <> | 2010-10-01 15:08:19 +0000 |
| commit | 4d13a8554459638387d772a23fffe6aaaab3348d (patch) | |
| tree | f8299aef65d76d3e003fe0c42d94c9df66eb5ee9 /nova/api | |
| parent | c9cb22f87561fad4ba57865d8a614ca024393f13 (diff) | |
| parent | 4b3d4eb51a5d927a8eecdca550e04fc699443d21 (diff) | |
Refactor sqlalchemy api to perform contextual authorization.
All database calls now examine the context object for information about what kind of user is accessing the data. If an administrator is accessing, full privileges are granted. If a normal user is accessing, then checks are made to ensure that the user does indeed have the rights to the data.
Also refactored NovaBase and removed several methods since they would have to be changed when we move away from sqlalchemy models and begin using sqlalchemy table definitions.
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/context.py (renamed from nova/api/ec2/context.py) | 13 | ||||
| -rw-r--r-- | nova/api/ec2/__init__.py | 8 |
2 files changed, 17 insertions, 4 deletions
diff --git a/nova/api/ec2/context.py b/nova/api/context.py index c53ba98d9..b66cfe468 100644 --- a/nova/api/ec2/context.py +++ b/nova/api/context.py @@ -31,3 +31,16 @@ class APIRequestContext(object): [random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-') for x in xrange(20)] ) + if user: + self.is_admin = user.is_admin() + else: + self.is_admin = False + self.read_deleted = False + + +def get_admin_context(user=None, read_deleted=False): + context_ref = APIRequestContext(user=user, project=None) + context_ref.is_admin = True + context_ref.read_deleted = read_deleted + return context_ref + diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py index 7a958f841..6b538a7f1 100644 --- a/nova/api/ec2/__init__.py +++ b/nova/api/ec2/__init__.py @@ -27,8 +27,8 @@ import webob.exc from nova import exception from nova import flags from nova import wsgi +from nova.api import context from nova.api.ec2 import apirequest -from nova.api.ec2 import context from nova.api.ec2 import admin from nova.api.ec2 import cloud from nova.auth import manager @@ -193,15 +193,15 @@ class Authorizer(wsgi.Middleware): return True if 'none' in roles: return False - return any(context.project.has_role(context.user.id, role) + return any(context.project.has_role(context.user.id, role) for role in roles) - + class Executor(wsgi.Application): """Execute an EC2 API request. - Executes 'ec2.action' upon 'ec2.controller', passing 'ec2.context' and + Executes 'ec2.action' upon 'ec2.controller', passing 'ec2.context' and 'ec2.action_args' (all variables in WSGI environ.) Returns an XML response, or a 400 upon failure. """ |