From a70632890c610ece766bfd3c31eea4bc6eb4a316 Mon Sep 17 00:00:00 2001
From: Michael Gundlach <michael.gundlach@rackspace.com>
Date: Thu, 23 Sep 2010 17:06:23 -0400
Subject: Apply vish's patch

---
 nova/api/ec2/__init__.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'nova/api')

diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index b041787c2..f0aa57ee4 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -166,8 +166,8 @@ class Authorizer(wsgi.Middleware):
                 'ModifyImageAttribute': ['projectmanager', 'sysadmin'],
             },
             'AdminController': {
-                # All actions have the same permission: [] (the default)
-                # admins will be allowed to run them
+                # All actions have the same permission: ['none'] (the default)
+                # superusers will be allowed to run them
                 # all others will get HTTPUnauthorized.
             },
         }
@@ -177,8 +177,7 @@ class Authorizer(wsgi.Middleware):
         context = req.environ['ec2.context']
         controller_name = req.environ['ec2.controller'].__class__.__name__
         action = req.environ['ec2.action']
-        allowed_roles = self.action_roles[controller_name].get(action, [])
-        allowed_roles.extend(FLAGS.superuser_roles)
+        allowed_roles = self.action_roles[controller_name].get(action, ['none'])
         if self._matches_any_role(context, allowed_roles):
             return self.application
         else:
@@ -186,6 +185,8 @@ class Authorizer(wsgi.Middleware):
 
     def _matches_any_role(self, context, roles):
         """Return True if any role in roles is allowed in context."""
+        if context.user.is_superuser():
+            return True
         if 'all' in roles:
             return True
         if 'none' in roles:
-- 
cgit