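def __call__(self, env, start_response):
        """WSGI entry point: normalise the domain headers, then gate access.

        Resolves the request's domain ID from the first non-empty header of
        HTTP_X_DOMAIN_ID, HTTP_X_PROJECT_DOMAIN_ID and HTTP_X_USER_DOMAIN_ID
        and writes the result back to ``env['HTTP_X_DOMAIN_ID']``.  When
        ``self.auth_svc.mt_rbac`` is set the request is handed straight to
        the wrapped app; otherwise only callers whose HTTP_X_ROLE header
        contains ``admin`` (case-insensitive) are let through and everyone
        else receives a 403.

        NOTE(review): every HTTP_X_* value is read from the WSGI environ
        as-is.  That is only safe if the auth middleware earlier in the
        pipeline overwrites or strips client-supplied copies of these
        headers -- confirm the pipeline order.

        :param env: WSGI environ dict; HTTP_X_DOMAIN_ID (and possibly
            HTTP_X_DOMAIN_NAME) are rewritten in place.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 403 body as bytes.
        """
        domain_id = (env.get('HTTP_X_DOMAIN_ID') or
                     env.get('HTTP_X_PROJECT_DOMAIN_ID') or
                     env.get('HTTP_X_USER_DOMAIN_ID'))
        # No domain ID (aka Keystone v2) or the configured default domain ID:
        # fall back to the Contrail default-domain ID (dashes removed) and name.
        if not domain_id or domain_id == self.auth_svc.default_domain_id:
            env['HTTP_X_DOMAIN_ID'] =\
                self.server_mgr.default_domain['uuid'].replace('-', '')
            env['HTTP_X_DOMAIN_NAME'] =\
                self.server_mgr.default_domain['fq_name'][-1]
        else:
            # Always publish HTTP_X_DOMAIN_ID: it is the header used in the
            # Contrail RBAC code, and in certain setups the Keystone auth
            # middleware only sets HTTP_X_PROJECT_DOMAIN_ID and/or
            # HTTP_X_USER_DOMAIN_ID.
            env['HTTP_X_DOMAIN_ID'] = domain_id

        get_context().set_proc_time('POST_KEYSTONE_REQ')

        set_auth_context(env)
        # With RBAC enabled the legacy admin-only multi-tenancy gate is skipped.
        if self.auth_svc.mt_rbac:
            return self.app(env, start_response)

        # Legacy multi-tenancy: only the admin role is allowed.  Entries are
        # compared without stripping whitespace, so ' admin' does not match;
        # a malformed header therefore fails closed.
        roles = []
        if 'HTTP_X_ROLE' in env:
            roles = env['HTTP_X_ROLE'].split(',')
        if 'admin' not in [x.lower() for x in roles]:
            start_response('403 Permission Denied',
                           [('Content-type', 'text/plain')])
            # WSGI expects an iterable of byte strings.  A bare bytes object
            # iterates as integers on Python 3, so wrap the body in a list.
            return ['403 Permission Denied'.encode("latin-1")]

        return self.app(env, start_response)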
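    def __call__(self, env, start_response):
        """WSGI entry point: normalise the domain headers, then gate access.

        Resolves the domain ID from the first non-empty header of
        HTTP_X_DOMAIN_ID, HTTP_X_PROJECT_DOMAIN_ID and HTTP_X_USER_DOMAIN_ID
        and stores it in ``env['HTTP_X_DOMAIN_ID']``.  When
        ``self.conf['auth_svc']._mt_rbac`` is set the request goes straight
        to the wrapped app; otherwise only callers whose HTTP_X_ROLE header
        contains ``admin`` (case-insensitive) pass and the rest get a 403.

        NOTE(review): the HTTP_X_* identity headers are trusted as found in
        the environ.  This presumes the auth middleware in front of this one
        replaces any client-supplied values -- confirm the pipeline order.

        :param env: WSGI environ dict; domain headers are rewritten in place.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 403 body as bytes.
        """
        domain_id = (env.get('HTTP_X_DOMAIN_ID')
                     or env.get('HTTP_X_PROJECT_DOMAIN_ID')
                     or env.get('HTTP_X_USER_DOMAIN_ID'))
        # No domain ID (aka Keystone v2) or the configured default domain ID:
        # fall back to the Contrail default-domain ID (dashes removed) and name.
        if not domain_id or domain_id == self.conf['default_domain_id']:
            env['HTTP_X_DOMAIN_ID'] =\
                self.server_mgr.default_domain['uuid'].replace('-', '')
            env['HTTP_X_DOMAIN_NAME'] =\
                self.server_mgr.default_domain['fq_name'][-1]
        else:
            # The ID may have come only from the project/user domain headers.
            # Publish it under HTTP_X_DOMAIN_ID as well, so that code which
            # reads only that header (presumably the RBAC checks -- verify)
            # does not see a request without a domain.
            env['HTTP_X_DOMAIN_ID'] = domain_id

        get_context().set_proc_time('POST_KEYSTONE_REQ')

        set_auth_context(env)
        # With RBAC enabled the legacy admin-only multi-tenancy gate is skipped.
        if self.conf['auth_svc']._mt_rbac:
            return self.app(env, start_response)

        # Legacy multi-tenancy: only the admin role is allowed.  Role entries
        # are not whitespace-stripped, so a malformed header fails closed.
        roles = []
        if 'HTTP_X_ROLE' in env:
            roles = env['HTTP_X_ROLE'].split(',')
        if 'admin' not in [x.lower() for x in roles]:
            start_response('403 Permission Denied',
                           [('Content-type', 'text/plain')])
            # WSGI expects an iterable of byte strings.  A bare bytes object
            # iterates as integers on Python 3, so wrap the body in a list.
            return ['403 Permission Denied'.encode("latin-1")]

        return self.app(env, start_response)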
    def __call__(self, env, start_response):
        """WSGI entry point applying the legacy admin-only access gate.

        Records the 'POST_KEYSTONE_REQ' processing time, sets the auth
        context from ``env``, and then either forwards the request to the
        wrapped app or answers with a 403.  The request is forwarded when
        ``self.conf['auth_svc']._mt_rbac`` is set, or when the HTTP_X_ROLE
        header lists ``admin`` (case-insensitive).

        NOTE(review): HTTP_X_ROLE is trusted as found in the environ; this
        presumes the auth middleware in front of this one replaces any
        client-supplied value -- confirm the pipeline order.

        :param env: WSGI environ dict.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 403 body.
        """
        get_context().set_proc_time('POST_KEYSTONE_REQ')
        set_auth_context(env)

        rbac_enabled = self.conf['auth_svc']._mt_rbac
        if not rbac_enabled:
            # Old admin-based multi-tenancy: admin role or nothing.  Entries
            # are matched without whitespace stripping, so the check fails
            # closed on a malformed header.
            if 'HTTP_X_ROLE' in env:
                granted = env['HTTP_X_ROLE'].split(',')
            else:
                granted = []
            lowered = [role.lower() for role in granted]
            if 'admin' not in lowered:
                start_response('403 Permission Denied',
                               [('Content-type', 'text/plain')])
                # NOTE(review): the body is a native str; a Python 3 WSGI
                # server needs bytes here -- confirm the target interpreter.
                return ['403 Permission Denied']

        return self.app(env, start_response)
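    def __call__(self, env, start_response):
        """WSGI entry point: resolve the request's domain, then gate access.

        The domain ID and name are each taken from the first non-empty
        header of the HTTP_X_DOMAIN_*, HTTP_X_PROJECT_DOMAIN_* and
        HTTP_X_USER_DOMAIN_* families (the name defaults to
        'default-domain').  When the ID is missing or does not match
        ``_UUID_WITHOUT_DASH_REGEX`` it is looked up by name in the DB.  Both
        values are written back to ``env``.  When
        ``self.conf['auth_svc']._mt_rbac`` is set the request goes straight
        to the wrapped app; otherwise only callers whose HTTP_X_ROLE header
        contains ``admin`` (case-insensitive) pass and the rest get a 403.

        NOTE(review): the HTTP_X_* identity headers are trusted as found in
        the environ.  This presumes the auth middleware in front of this one
        replaces any client-supplied values -- confirm the pipeline order.

        :param env: WSGI environ dict; HTTP_X_DOMAIN_ID and
            HTTP_X_DOMAIN_NAME are rewritten in place.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 403 body as bytes.
        """
        domain_id = (env.get('HTTP_X_DOMAIN_ID') or
                     env.get('HTTP_X_PROJECT_DOMAIN_ID') or
                     env.get('HTTP_X_USER_DOMAIN_ID'))
        domain_name = (env.get('HTTP_X_DOMAIN_NAME') or
                       env.get('HTTP_X_PROJECT_DOMAIN_NAME') or
                       env.get('HTTP_X_USER_DOMAIN_NAME') or
                       'default-domain')
        if domain_name and (not domain_id or not
                            _UUID_WITHOUT_DASH_REGEX.match(domain_id)):
            # Both spellings of the 'default' domain name are mapped to
            # 'default-domain' before the lookup.
            if domain_name in ['default', 'Default']:
                domain_name = 'default-domain'
            try:
                domain_id = self.server_mgr._db_conn.fq_name_to_uuid(
                    'domain', [domain_name])
                domain_id = domain_id.replace('-', '')
            except NoIdError:
                # TODO(ethuleau): We allow the request even if the domain is
                # not synced to Contrail. This can lead to issues for
                # RBAC/perms validation.
                # Security caveat: on this path domain_id keeps whatever the
                # headers supplied -- possibly None or a string that is not a
                # dash-less UUID -- and that value is what gets published in
                # HTTP_X_DOMAIN_ID below.  Downstream permission checks must
                # not treat it as a verified domain.
                pass
        env['HTTP_X_DOMAIN_ID'] = domain_id
        env['HTTP_X_DOMAIN_NAME'] = domain_name

        get_context().set_proc_time('POST_KEYSTONE_REQ')

        set_auth_context(env)
        # With RBAC enabled the legacy admin-only multi-tenancy gate is skipped.
        if self.conf['auth_svc']._mt_rbac:
            return self.app(env, start_response)

        # Legacy multi-tenancy: only the admin role is allowed.  Role entries
        # are not whitespace-stripped, so a malformed header fails closed.
        roles = []
        if 'HTTP_X_ROLE' in env:
            roles = env['HTTP_X_ROLE'].split(',')
        if 'admin' not in [x.lower() for x in roles]:
            start_response('403 Permission Denied',
                           [('Content-type', 'text/plain')])
            # WSGI expects an iterable of byte strings.  A bare bytes object
            # iterates as integers on Python 3, so wrap the body in a list.
            return ['403 Permission Denied'.encode("latin-1")]

        return self.app(env, start_response)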
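    def __call__(self, env, start_response):
        """WSGI entry point: resolve the request's domain, then gate access.

        If HTTP_X_DOMAIN_ID is absent, empty or does not match
        ``UUID_REGEX``, the ID is taken from the project/user domain headers
        or, failing that, looked up in the DB by domain name (default
        'default-domain').  An unknown domain name ends the request with a
        404.  The resolved ID (dashes removed) and name are written back to
        ``env``.  When ``self.conf['auth_svc']._mt_rbac`` is set the request
        goes straight to the wrapped app; otherwise only callers whose
        HTTP_X_ROLE header contains ``admin`` (case-insensitive) pass and the
        rest get a 403.

        NOTE(review): the HTTP_X_* identity headers are trusted as found in
        the environ.  This presumes the auth middleware in front of this one
        replaces any client-supplied values -- confirm the pipeline order.

        :param env: WSGI environ dict; HTTP_X_DOMAIN_ID and
            HTTP_X_DOMAIN_NAME may be rewritten in place.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 404 or 403 body.
        """
        if ('HTTP_X_DOMAIN_ID' not in env or not env['HTTP_X_DOMAIN_ID'] or
                not UUID_REGEX.match(env['HTTP_X_DOMAIN_ID'])):
            domain_id = (env.get('HTTP_X_PROJECT_DOMAIN_ID') or
                         env.get('HTTP_X_USER_DOMAIN_ID'))
            domain_name = (env.get('HTTP_X_DOMAIN_NAME') or
                           env.get('HTTP_X_PROJECT_DOMAIN_NAME') or
                           env.get('HTTP_X_USER_DOMAIN_NAME') or
                           'default-domain')
            if not domain_id or not UUID_REGEX.match(domain_id):
                # Both spellings of the 'default' domain name are mapped to
                # 'default-domain' before the lookup.
                if domain_name in ['default', 'Default']:
                    domain_name = 'default-domain'
                try:
                    domain_id = self.server_mgr._db_conn.fq_name_to_uuid(
                        'domain', [domain_name])
                except NoIdError:
                    start_response('404 Not Found',
                                   [('Content-type', 'text/plain')])
                    # Return the body inside a list, like the 403 path below:
                    # a bare string is iterated character by character by the
                    # WSGI server.  domain_name comes from request headers and
                    # is echoed back; the text/plain content type keeps it
                    # from being rendered as markup.
                    return ["Cannot identifying Domain '%s'" % domain_name]
            env['HTTP_X_DOMAIN_ID'] = domain_id.replace('-', '')
            env['HTTP_X_DOMAIN_NAME'] = domain_name

        get_context().set_proc_time('POST_KEYSTONE_REQ')

        set_auth_context(env)
        # With RBAC enabled the legacy admin-only multi-tenancy gate is skipped.
        if self.conf['auth_svc']._mt_rbac:
            return self.app(env, start_response)

        # Legacy multi-tenancy: only the admin role is allowed.  Role entries
        # are not whitespace-stripped, so a malformed header fails closed.
        roles = []
        if 'HTTP_X_ROLE' in env:
            roles = env['HTTP_X_ROLE'].split(',')
        if 'admin' not in [x.lower() for x in roles]:
            start_response('403 Permission Denied',
                           [('Content-type', 'text/plain')])
            # NOTE(review): both bodies are native str; a Python 3 WSGI
            # server needs bytes here -- confirm the target interpreter.
            return ['403 Permission Denied']

        return self.app(env, start_response)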
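    def __call__(self, env, start_response):
        """WSGI entry point: resolve the request's domain, then gate access.

        If HTTP_X_DOMAIN_ID is absent or empty, the ID is taken from the
        project/user domain headers or, failing that, looked up in the DB by
        domain name (default 'default-domain').  An unknown domain name ends
        the request with a 404.  The resolved ID (dashes removed) and name
        are written back to ``env``.  A non-empty HTTP_X_DOMAIN_ID is left
        untouched: its format is not validated here.  When
        ``self.conf['auth_svc']._mt_rbac`` is set the request goes straight
        to the wrapped app; otherwise only callers whose HTTP_X_ROLE header
        contains ``admin`` (case-insensitive) pass and the rest get a 403.

        NOTE(review): the HTTP_X_* identity headers are trusted as found in
        the environ.  This presumes the auth middleware in front of this one
        replaces any client-supplied values -- confirm the pipeline order.

        :param env: WSGI environ dict; HTTP_X_DOMAIN_ID and
            HTTP_X_DOMAIN_NAME may be rewritten in place.
        :param start_response: WSGI start_response callable.
        :returns: the wrapped app's response iterable, or a one-element
            list holding the 404 or 403 body as bytes.
        """
        if ('HTTP_X_DOMAIN_ID' not in env or not env['HTTP_X_DOMAIN_ID']):
            domain_id = (env.get('HTTP_X_PROJECT_DOMAIN_ID')
                         or env.get('HTTP_X_USER_DOMAIN_ID'))
            domain_name = (env.get('HTTP_X_DOMAIN_NAME')
                           or env.get('HTTP_X_PROJECT_DOMAIN_NAME')
                           or env.get('HTTP_X_USER_DOMAIN_NAME')
                           or 'default-domain')
            if not domain_id:
                # Both spellings of the 'default' domain name are mapped to
                # 'default-domain' before the lookup.
                if domain_name in ['default', 'Default']:
                    domain_name = 'default-domain'
                try:
                    domain_id = self.server_mgr._db_conn.fq_name_to_uuid(
                        'domain', [domain_name])
                except NoIdError:
                    start_response('404 Not Found',
                                   [('Content-type', 'text/plain')])
                    # domain_name comes from request headers and is echoed
                    # back; the text/plain content type keeps it from being
                    # rendered as markup.
                    msg = "Cannot identifying Domain '%s'" % domain_name
                    # WSGI expects an iterable of byte strings.  A bare bytes
                    # object iterates as integers on Python 3, so wrap it.
                    return [msg.encode("latin-1")]
            env['HTTP_X_DOMAIN_ID'] = domain_id.replace('-', '')
            env['HTTP_X_DOMAIN_NAME'] = domain_name

        get_context().set_proc_time('POST_KEYSTONE_REQ')

        set_auth_context(env)
        # With RBAC enabled the legacy admin-only multi-tenancy gate is skipped.
        if self.conf['auth_svc']._mt_rbac:
            return self.app(env, start_response)

        # Legacy multi-tenancy: only the admin role is allowed.  Role entries
        # are not whitespace-stripped, so a malformed header fails closed.
        roles = []
        if 'HTTP_X_ROLE' in env:
            roles = env['HTTP_X_ROLE'].split(',')
        if 'admin' not in [x.lower() for x in roles]:
            start_response('403 Permission Denied',
                           [('Content-type', 'text/plain')])
            # Same WSGI rule as the 404 path: a list of bytes, not bare bytes.
            return ['403 Permission Denied'.encode("latin-1")]

        return self.app(env, start_response)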