def modify_user_role(self,
context,
user,
role,
project=None,
operation='add',
**kwargs):
"""Add or remove a role for a user and project."""
if operation == 'add':
if project:
msg = _("Adding role %(role)s to user %(user)s"
" for project %(project)s") % locals()
LOG.audit(msg, context=context)
else:
msg = _("Adding sitewide role %(role)s to"
" user %(user)s") % locals()
LOG.audit(msg, context=context)
manager.AuthManager().add_role(user, role, project)
elif operation == 'remove':
if project:
msg = _("Removing role %(role)s from user %(user)s"
" for project %(project)s") % locals()
LOG.audit(msg, context=context)
else:
msg = _("Removing sitewide role %(role)s"
" from user %(user)s") % locals()
LOG.audit(msg, context=context)
manager.AuthManager().remove_role(user, role, project)
else:
raise exception.ApiError(_('operation must be add or remove'))
return True
def generate_x509_for_user(self, context, name, project=None, **kwargs):
"""Generates and returns an x509 certificate for a single user.
Is usually called from a client that will wrap this with
access and secret key info, and return a zip file.
"""
if project is None:
project = name
project = manager.AuthManager().get_project(project)
user = manager.AuthManager().get_user(name)
msg = _("Getting x509 for user: %(name)s"
" on project: %(project)s") % locals()
LOG.audit(msg, context=context)
return user_dict(user, base64.b64encode(project.get_credentials(user)))
def modify_project_member(self, context, user, project, operation,
**kwargs):
"""Add or remove a user from a project."""
if operation == 'add':
msg = _("Adding user %(user)s to project %(project)s") % locals()
LOG.audit(msg, context=context)
manager.AuthManager().add_to_project(user, project)
elif operation == 'remove':
msg = _("Removing user %(user)s from"
" project %(project)s") % locals()
LOG.audit(msg, context=context)
manager.AuthManager().remove_from_project(user, project)
else:
raise exception.ApiError(_('operation must be add or remove'))
return True
def describe_user_roles(self, context, user, project=None, **kwargs):
"""Returns a list of roles for the given user.
Omitting project will return any global roles that the user has.
Specifying project will return only project specific roles.
"""
roles = manager.AuthManager().get_user_roles(user, project=project)
return {'roles': [{'role': r} for r in roles]}
def deregister_user(self, context, name, **_kwargs):
"""Deletes a single user (NOT undoable.)
Should throw an exception if the user has instances,
volumes, or buckets remaining.
"""
LOG.audit(_("Deleting user: %s"), name, context=context)
manager.AuthManager().delete_user(name)
return True
def index(self, req):
user = req.environ.get('user')
return {
'projects': [
project_dict(u)
for u in auth_manager.AuthManager().get_projects(user=user)
]
}
def describe_projects(self, context, user=None, **kwargs):
"""Returns all projects - should be changed to deal with a list."""
return {
'projectSet': [
project_dict(u)
for u in manager.AuthManager().get_projects(user=user)
]
}
def response_status(self, user, methodName):
roles = manager.AuthManager().get_active_roles(user, self.project)
ctxt = context.RequestContext(user.id,
self.project.id,
is_admin=user.is_admin(),
roles=roles)
environ = self._env_for(ctxt, methodName)
req = webob.Request.blank('/', environ)
resp = req.get_response(self.mw)
return resp.status_int
def tearDown(self):
um = manager.AuthManager()
# Delete the test project
um.delete_project('testproj')
# Delete the test user
um.delete_user('testadmin')
um.delete_user('testpmsys')
um.delete_user('testnet')
um.delete_user('testsys')
super(AccessTestCase, self).tearDown()
def update(self, req, id, body):
context = req.environ['engine.context']
name = id
manager_user = body['project'].get('manager_user')
description = body['project'].get('description')
msg = _("Modify project: %(name)s managed by"
" %(manager_user)s") % locals()
LOG.audit(msg, context=context)
auth_manager.AuthManager().modify_project(name,
manager_user=manager_user,
description=description)
return exc.HTTPAccepted()
def register_project(self,
context,
name,
manager_user,
description=None,
member_users=None,
**kwargs):
"""Creates a new project"""
msg = _("Create project %(name)s managed by"
" %(manager_user)s") % locals()
LOG.audit(msg, context=context)
return project_dict(manager.AuthManager().create_project(
name, manager_user, description=None, member_users=None))
def create(self, req, body):
name = body['project'].get('name')
manager_user = body['project'].get('manager_user')
description = body['project'].get('description')
member_users = body['project'].get('member_users')
context = req.environ['engine.context']
msg = _("Create project %(name)s managed by"
" %(manager_user)s") % locals()
LOG.audit(msg, context=context)
project = project_dict(auth_manager.AuthManager().create_project(
name, manager_user, description=None, member_users=None))
return {'project': project}
def modify_project(self,
context,
name,
manager_user,
description=None,
**kwargs):
"""Modifies a project"""
msg = _("Modify project: %(name)s managed by"
" %(manager_user)s") % locals()
LOG.audit(msg, context=context)
manager.AuthManager().modify_project(name,
manager_user=manager_user,
description=description)
return True
def start_vpn(self, context, project):
instance = self._vpn_for(context, project)
if not instance:
# NOTE(vish) import delayed because of __init__.py
from engine.cloudpipe import pipelib
pipe = pipelib.CloudPipe()
proj = manager.AuthManager().get_project(project)
user_id = proj.project_manager_id
try:
pipe.launch_vpn_instance(project, user_id)
except db.NoMoreNetworks:
raise exception.ApiError("Unable to claim IP for VPN instance"
", ensure it isn't running, and try "
"again in a few minutes")
instance = self._vpn_for(context, project)
return {'instance_id': ec2utils.id_to_ec2_id(instance['id'])}
def __call__(self, req):
# Read request signature and access id.
try:
signature = req.params['Signature']
access = req.params['AWSAccessKeyId']
except KeyError:
raise webob.exc.HTTPBadRequest()
# Make a copy of args for authentication and signature verification.
auth_params = dict(req.params)
# Not part of authentication args
auth_params.pop('Signature')
# Authenticate the request.
authman = manager.AuthManager()
try:
(user, project) = authman.authenticate(
access,
signature,
auth_params,
req.method,
req.host,
req.path)
# Be explicit for what exceptions are 403, the rest bubble as 500
except (exception.NotFound, exception.NotAuthorized,
exception.InvalidSignature) as ex:
LOG.audit(_("Authentication Failure: %s"), unicode(ex))
raise webob.exc.HTTPForbidden()
# Authenticated!
remote_address = req.remote_addr
if FLAGS.use_forwarded_for:
remote_address = req.headers.get('X-Forwarded-For', remote_address)
roles = authman.get_active_roles(user, project)
ctxt = context.RequestContext(user_id=user.id,
project_id=project.id,
is_admin=user.is_admin(),
roles=roles,
remote_address=remote_address)
req.environ['engine.context'] = ctxt
uname = user.name
pname = project.name
msg = _('Authenticated Request For %(uname)s:%(pname)s)') % locals()
LOG.audit(msg, context=req.environ['engine.context'])
return self.application
def index(self, req):
if urlparse.parse_qs(req.environ['QUERY_STRING']).get(
'defaults', False):
return {
'quota_set_list': [
self._format_quota_set('__defaults__',
quota._get_default_quotas())
]
}
else:
context = req.environ['engine.context']
user = req.environ.get('user')
projects = auth_manager.AuthManager().get_projects(user=user)
quota_set_list = [
self._format_quota_set(
project.name,
quota.get_project_quotas(context, project.name))
for project in projects
]
return {'quota_set_list': quota_set_list}
def setUp(self):
super(AccessTestCase, self).setUp()
um = manager.AuthManager()
self.context = context.get_admin_context()
# Make test users
self.testadmin = um.create_user('testadmin')
self.testpmsys = um.create_user('testpmsys')
self.testnet = um.create_user('testnet')
self.testsys = um.create_user('testsys')
# Assign some rules
um.add_role('testadmin', 'cloudadmin')
um.add_role('testpmsys', 'sysadmin')
um.add_role('testnet', 'netadmin')
um.add_role('testsys', 'sysadmin')
# Make a test project
self.project = um.create_project('testproj', 'testpmsys',
'a test project',
['testpmsys', 'testnet', 'testsys'])
self.project.add_role(self.testnet, 'netadmin')
self.project.add_role(self.testsys, 'sysadmin')
#user is set in each test
def noopWSGIApp(environ, start_response):
start_response('200 OK', [])
return ['']
self.mw = ec2.Authorizer(noopWSGIApp)
self.mw.action_roles = {
'FakeControllerClass': {
'_allow_all': ['all'],
'_allow_none': [],
'_allow_project_manager': ['projectmanager'],
'_allow_sys_and_net': ['sysadmin', 'netadmin'],
'_allow_sysadmin': ['sysadmin']
}
}
def deregister_project(self, context, name):
"""Permanently deletes a project."""
LOG.audit(_("Delete project: %s"), name, context=context)
manager.AuthManager().delete_project(name)
return True
def delete(self, req, id):
context = req.environ['engine.context']
LOG.audit(_("Delete project: %s"), id, context=context)
auth_manager.AuthManager().delete_project(id)
return exc.HTTPAccepted()
def __init__(self):
self.manager = manager.AuthManager()
def describe_user(self, _context, name, **_kwargs):
"""Returns user data, including access and secret keys."""
return user_dict(manager.AuthManager().get_user(name))
def describe_users(self, _context, **_kwargs):
"""Returns all users - should be changed to deal with a list."""
return {
'userSet':
[user_dict(u) for u in manager.AuthManager().get_users()]
}
def show(self, req, id):
return project_dict(auth_manager.AuthManager().get_project(id))
def describe_vpns(self, context):
vpns = []
for project in manager.AuthManager().get_projects():
instance = self._vpn_for(context, project.id)
vpns.append(vpn_dict(project, instance))
return {'items': vpns}
def register_user(self, context, name, **_kwargs):
"""Creates a new user, and returns generated credentials."""
LOG.audit(_("Creating new user: %s"), name, context=context)
return user_dict(manager.AuthManager().create_user(name))
def describe_project_members(self, context, name, **kwargs):
project = manager.AuthManager().get_project(name)
result = {'members': [{'member': m} for m in project.member_ids]}
return result
def describe_roles(self, context, project_roles=True, **kwargs):
"""Returns a list of allowed roles."""
roles = manager.AuthManager().get_roles(project_roles)
return {'roles': [{'role': r} for r in roles]}
def describe_project(self, context, name, **kwargs):
"""Returns project data, including member ids."""
return project_dict(manager.AuthManager().get_project(name))
def setUp(self):
super(_AuthManagerBaseTestCase, self).setUp()
self.flags(auth_driver=self.auth_driver, connection_type='fake')
self.manager = manager.AuthManager(new=True)
self.manager.mc.cache = {}
def __init__(self):
self.compute_api = compute.API()
self.auth_manager = manager.AuthManager()
self.cloudpipe = pipelib.CloudPipe()
self.setup()
