Adding a admin context check used for the management calls

2012-06-11 22:06:51 -05:00 · 2012-06-11 22:06:51 -05:00 · 93c3bd650e
commit 93c3bd650e
parent 739c8da233
4 changed files with 34 additions and 0 deletions
--- a/etc/reddwarf/reddwarf.conf.sample
+++ b/etc/reddwarf/reddwarf.conf.sample
@ -55,6 +55,9 @@ volume_time_out=30
 # Reddwarf DNS
 reddwarf_dns_support = False

+# Auth
+admin_roles = [admin]
+
 # ============ notifer queue kombu connection options ========================

 notifier_queue_hostname = localhost
--- a/reddwarf/common/auth.py
+++ b/reddwarf/common/auth.py
@ -21,6 +21,7 @@ import re
 import webob.exc
 import wsgi

+from reddwarf.common import exception

 LOG = logging.getLogger(__name__)

@ -69,3 +70,21 @@ class TenantBasedAuth(object):
            return True
        raise webob.exc.HTTPForbidden(_("User with tenant id %s cannot "
                                        "access this resource") % tenant_id)
+
+
+def admin_context(f):
+    """
+    Verify that the current context has administrative access,
+    or throw an exception. Reddwarf API functions typically take the form
+    function(self, req), or function(self, req, id).
+    """
+    def wrapper(*args, **kwargs):
+        try:
+            req = args[1]
+            context = req.environ.get('reddwarf.context')
+        except:
+            raise exception.ReddwarfError("Cannot load request context.")
+        if not context.is_admin:
+            raise exception.Forbidden("User does not have admin privileges.")
+        return f(*args, **kwargs)
+    return wrapper
--- a/reddwarf/common/exception.py
+++ b/reddwarf/common/exception.py
@ -144,3 +144,6 @@ class BadValue(ReddwarfError):
 class PollTimeOut(ReddwarfError):
    message = _("Polling request timed out.")

+
+class Forbidden(ReddwarfError):
+    message = _("User does not have admin privileges.")
--- a/reddwarf/common/wsgi.py
+++ b/reddwarf/common/wsgi.py
@ -26,6 +26,7 @@ import webob.dec
 import webob.exc

 from reddwarf.common import context as rd_context
+from reddwarf.common import config
 from reddwarf.common import exception
 from reddwarf.common import utils
 from reddwarf.openstack.common import wsgi as openstack_wsgi
@ -305,6 +306,7 @@ class Fault(webob.exc.HTTPException):
 class ContextMiddleware(openstack_wsgi.Middleware):

    def __init__(self, application):
+        self.admin_roles = config.Config.get('admin_roles', [])
        super(ContextMiddleware, self).__init__(application)

    def _extract_limits(self, params):
@ -315,10 +317,17 @@ class ContextMiddleware(openstack_wsgi.Middleware):
        tenant_id = request.headers.get('X-Tenant-Id', None)
        auth_tok = request.headers["X-Auth-Token"]
        user = request.headers.get('X-User', None)
+        roles = request.headers.get('X-Role', '').split(',')
+        is_admin = False
+        for role in roles:
+            if role.lower() in self.admin_roles:
+                is_admin = True
+                break
        limits = self._extract_limits(request.params)
        context = rd_context.ReddwarfContext(auth_tok=auth_tok,
                                             tenant=tenant_id,
                                             user=user,
+                                             is_admin=is_admin,
                                             limit=limits.get('limit'),
                                             marker=limits.get('marker'))
        request.environ[CONTEXT_KEY] = context