Merged with current trunk.

author: Yuriy Taraday <yorik.sar@gmail.com> 2011-05-05 07:04:34 +0400
committer: Yuriy Taraday <yorik.sar@gmail.com> 2011-05-05 07:04:34 +0400
commit: da286df51e00a9ee8a0450ee8afbce27712151a7 (patch)
tree: a7ea4ad57bd6f358b3927e6c6b4d3e8a29f2cddf /nova/auth
parent: 36aa631dfdea4d2041df3a60d1a294f6a80807b7 (diff)
parent: 114a55d0243f79db7ea1ef29830a9428dbf1aa33 (diff)
1 files changed, 49 insertions, 17 deletions
diff --git a/nova/auth/manager.py b/nova/auth/manager.py
index b719a0dbd..98d5f6eb6 100644
--- a/nova/auth/manager.py
+++ b/nova/auth/manager.py
@@ -223,6 +223,13 @@ class AuthManager(object):
         if driver or not getattr(self, 'driver', None):
             self.driver = utils.import_class(driver or FLAGS.auth_driver)
 
+        if FLAGS.memcached_servers:
+            import memcache
+        else:
+            from nova import fakememcache as memcache
+        self.mc = memcache.Client(FLAGS.memcached_servers,
+                                  debug=0)
+
     def authenticate(self, access, signature, params, verb='GET',
                      server_string='127.0.0.1:8773', path='/',
                      check_type='ec2', headers=None):
@@ -303,7 +310,8 @@ class AuthManager(object):
             LOG.debug('signature: %s', signature)
             if signature != expected_signature:
                 LOG.audit(_("Invalid signature for user %s"), user.name)
-                raise exception.NotAuthorized(_('Signature does not match'))
+                raise exception.InvalidSignature(signature=signature,
+                                                 user=user)
         elif check_type == 'ec2':
             # NOTE(vish): hmac can't handle unicode, so encode ensures that
             #             secret isn't unicode
@@ -314,7 +322,8 @@ class AuthManager(object):
             LOG.debug('signature: %s', signature)
             if signature != expected_signature:
                 LOG.audit(_("Invalid signature for user %s"), user.name)
-                raise exception.NotAuthorized(_('Signature does not match'))
+                raise exception.InvalidSignature(signature=signature,
+                                                 user=user)
         return (user, project)
 
     def get_access_key(self, user, project):
@@ -358,6 +367,27 @@ class AuthManager(object):
             if self.has_role(user, role):
                 return True
 
+    def _build_mc_key(self, user, role, project=None):
+        key_parts = ['rolecache', User.safe_id(user), str(role)]
+        if project:
+            key_parts.append(Project.safe_id(project))
+        return '-'.join(key_parts)
+
+    def _clear_mc_key(self, user, role, project=None):
+        # NOTE(anthony): it would be better to delete the key
+        self.mc.set(self._build_mc_key(user, role, project), None)
+
+    def _has_role(self, user, role, project=None):
+        mc_key = self._build_mc_key(user, role, project)
+        rslt = self.mc.get(mc_key)
+        if rslt is None:
+            with self.driver() as drv:
+                rslt = drv.has_role(user, role, project)
+                self.mc.set(mc_key, rslt)
+                return rslt
+        else:
+            return rslt
+
     def has_role(self, user, role, project=None):
         """Checks existence of role for user
 
@@ -381,24 +411,24 @@ class AuthManager(object):
         @rtype: bool
         @return: True if the user has the role.
         """
-        with self.driver() as drv:
-            if role == 'projectmanager':
-                if not project:
-                    raise exception.Error(_("Must specify project"))
-                return self.is_project_manager(user, project)
+        if role == 'projectmanager':
+            if not project:
+                raise exception.Error(_("Must specify project"))
+            return self.is_project_manager(user, project)
+
+        global_role = self._has_role(User.safe_id(user),
+                                     role,
+                                     None)
 
-            global_role = drv.has_role(User.safe_id(user),
-                                        role,
-                                        None)
-            if not global_role:
-                return global_role
+        if not global_role:
+            return global_role
 
-            if not project or role in FLAGS.global_roles:
-                return global_role
+        if not project or role in FLAGS.global_roles:
+            return global_role
 
-            return drv.has_role(User.safe_id(user),
-                                 role,
-                                 Project.safe_id(project))
+        return self._has_role(User.safe_id(user),
+                              role,
+                              Project.safe_id(project))
 
     def add_role(self, user, role, project=None):
         """Adds role for user
@@ -430,6 +460,7 @@ class AuthManager(object):
             LOG.audit(_("Adding sitewide role %(role)s to user %(uid)s")
                     % locals())
         with self.driver() as drv:
+            self._clear_mc_key(uid, role, pid)
             drv.add_role(uid, role, pid)
 
     def remove_role(self, user, role, project=None):
@@ -458,6 +489,7 @@ class AuthManager(object):
             LOG.audit(_("Removing sitewide role %(role)s"
                     " from user %(uid)s") % locals())
         with self.driver() as drv:
+            self._clear_mc_key(uid, role, pid)
             drv.remove_role(uid, role, pid)
 
     @staticmethod
author	Yuriy Taraday <yorik.sar@gmail.com>	2011-05-05 07:04:34 +0400
committer	Yuriy Taraday <yorik.sar@gmail.com>	2011-05-05 07:04:34 +0400
commit	da286df51e00a9ee8a0450ee8afbce27712151a7 (patch)
tree	a7ea4ad57bd6f358b3927e6c6b4d3e8a29f2cddf /nova/auth
parent	36aa631dfdea4d2041df3a60d1a294f6a80807b7 (diff)
parent	114a55d0243f79db7ea1ef29830a9428dbf1aa33 (diff)