Accept role list from either X-Roles or X-Role

Accept the list of roles from either the newer X-Roles header or the
deprecated X-Role header.

This is useful for interoperability with a software proxy in front
of Nova API that performs token authentication and might use the
older header.

Change-Id: I47e33233edf596dd14d07b6be16b030fd6bc352d

1 files changed, 16 insertions, 2 deletions

diff --git a/nova/api/auth.py b/nova/api/auth.py
index 8bc3c9d94..be99f7041 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -77,8 +77,9 @@ class NovaKeystoneContext(wsgi.Middleware):
         if user_id is None:
             LOG.debug("Neither X_USER_ID nor X_USER found in request")
             return webob.exc.HTTPUnauthorized()
-        # get the roles
-        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
+
+        roles = self._get_roles(req)
+
         if 'X_TENANT_ID' in req.headers:
             # This is the new header since Keystone went to ID/Name
             project_id = req.headers['X_TENANT_ID']
@@ -117,3 +118,16 @@ class NovaKeystoneContext(wsgi.Middleware):
 
         req.environ['nova.context'] = ctx
         return self.application
+
+    def _get_roles(self, req):
+        """Get the list of roles"""
+
+        if 'X_ROLES' in req.headers:
+            roles = req.headers.get('X_ROLES', '')
+        else:
+            # Fallback to deprecated role header:
+            roles = req.headers.get('X_ROLE', '')
+            if roles:
+                LOG.warn(_("Sourcing roles from deprecated X-Role HTTP "
+                           "header"))
+        return [r.strip() for r in roles.split(',')]