| author | Michael Gundlach <michael.gundlach@rackspace.com> | 2010-09-23 17:06:23 -0400 |
|---|---|---|
| committer | Michael Gundlach <michael.gundlach@rackspace.com> | 2010-09-23 17:06:23 -0400 |
| commit | a70632890c610ece766bfd3c31eea4bc6eb4a316 (patch) | |
| tree | b74a23f101aeba06dd9653494568bdb508174c35 /nova/api | |
| parent | 4846b63a861ee7eafc642dc93f70fa8b85dfa625 (diff) | |
Apply vish's patch
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/ec2/__init__.py | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index b041787c2..f0aa57ee4 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -166,8 +166,8 @@ class Authorizer(wsgi.Middleware):
 'ModifyImageAttribute': ['projectmanager', 'sysadmin'],
 },
 'AdminController': {
- # All actions have the same permission: [] (the default)
- # admins will be allowed to run them
+ # All actions have the same permission: ['none'] (the default)
+ # superusers will be allowed to run them
 # all others will get HTTPUnauthorized.
 },
 }
@@ -177,8 +177,7 @@ class Authorizer(wsgi.Middleware):
 context = req.environ['ec2.context']
 controller_name = req.environ['ec2.controller'].__class__.__name__
 action = req.environ['ec2.action']
- allowed_roles = self.action_roles[controller_name].get(action, [])
- allowed_roles.extend(FLAGS.superuser_roles)
+ allowed_roles = self.action_roles[controller_name].get(action, ['none'])
 if self._matches_any_role(context, allowed_roles):
 return self.application
 else:
@@ -186,6 +185,8 @@ class Authorizer(wsgi.Middleware):
 def _matches_any_role(self, context, roles):
 """Return True if any role in roles is allowed in context."""
+ if context.user.is_superuser():
+ return True
 if 'all' in roles:
 return True
 if 'none' in roles: |
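Review bot: The new `allowed_roles` line still indexes `self.action_roles[controller_name]` directly, so a controller class with no entry in the table raises KeyError instead of reaching the `['none']` default. That presumably still fails closed, but as an unhandled error rather than the HTTPUnauthorized the other denial paths return. `allowed_roles = self.action_roles.get(controller_name, {}).get(action, ['none'])` would give unlisted controllers the same default-deny as unlisted actions. The enclosing method starts and ends outside the hunk.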
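Review bot: The added `is_superuser()` check in `_matches_any_role` runs before the `'none'` test, so an action mapped to `['none']` is no longer denied to every caller, and the docstring still describes only role matching. If the bypass is intended, state it where the next maintainer will read it: `"""Return True if the user is a superuser or any role in roles is allowed in context."""`. The check also assumes `context.user` is always populated by the time this middleware runs, which the hunk does not show. The rest of the method lies outside the hunk.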
