def modify_user_role(self, context, user, role, project=None, operation='add', **kwargs): """Add or remove a role for a user and project.""" if operation == 'add': if project: msg = _("Adding role %(role)s to user %(user)s" " for project %(project)s") % locals() LOG.audit(msg, context=context) else: msg = _("Adding sitewide role %(role)s to" " user %(user)s") % locals() LOG.audit(msg, context=context) manager.AuthManager().add_role(user, role, project) elif operation == 'remove': if project: msg = _("Removing role %(role)s from user %(user)s" " for project %(project)s") % locals() LOG.audit(msg, context=context) else: msg = _("Removing sitewide role %(role)s" " from user %(user)s") % locals() LOG.audit(msg, context=context) manager.AuthManager().remove_role(user, role, project) else: raise exception.ApiError(_('operation must be add or remove')) return True
def generate_x509_for_user(self, context, name, project=None, **kwargs): """Generates and returns an x509 certificate for a single user. Is usually called from a client that will wrap this with access and secret key info, and return a zip file. """ if project is None: project = name project = manager.AuthManager().get_project(project) user = manager.AuthManager().get_user(name) msg = _("Getting x509 for user: %(name)s" " on project: %(project)s") % locals() LOG.audit(msg, context=context) return user_dict(user, base64.b64encode(project.get_credentials(user)))
def modify_project_member(self, context, user, project, operation, **kwargs): """Add or remove a user from a project.""" if operation == 'add': msg = _("Adding user %(user)s to project %(project)s") % locals() LOG.audit(msg, context=context) manager.AuthManager().add_to_project(user, project) elif operation == 'remove': msg = _("Removing user %(user)s from" " project %(project)s") % locals() LOG.audit(msg, context=context) manager.AuthManager().remove_from_project(user, project) else: raise exception.ApiError(_('operation must be add or remove')) return True
def describe_user_roles(self, context, user, project=None, **kwargs): """Returns a list of roles for the given user. Omitting project will return any global roles that the user has. Specifying project will return only project specific roles. """ roles = manager.AuthManager().get_user_roles(user, project=project) return {'roles': [{'role': r} for r in roles]}
def deregister_user(self, context, name, **_kwargs): """Deletes a single user (NOT undoable.) Should throw an exception if the user has instances, volumes, or buckets remaining. """ LOG.audit(_("Deleting user: %s"), name, context=context) manager.AuthManager().delete_user(name) return True
def index(self, req): user = req.environ.get('user') return { 'projects': [ project_dict(u) for u in auth_manager.AuthManager().get_projects(user=user) ] }
def describe_projects(self, context, user=None, **kwargs): """Returns all projects - should be changed to deal with a list.""" return { 'projectSet': [ project_dict(u) for u in manager.AuthManager().get_projects(user=user) ] }
def response_status(self, user, methodName): roles = manager.AuthManager().get_active_roles(user, self.project) ctxt = context.RequestContext(user.id, self.project.id, is_admin=user.is_admin(), roles=roles) environ = self._env_for(ctxt, methodName) req = webob.Request.blank('/', environ) resp = req.get_response(self.mw) return resp.status_int
def tearDown(self): um = manager.AuthManager() # Delete the test project um.delete_project('testproj') # Delete the test user um.delete_user('testadmin') um.delete_user('testpmsys') um.delete_user('testnet') um.delete_user('testsys') super(AccessTestCase, self).tearDown()
def update(self, req, id, body): context = req.environ['engine.context'] name = id manager_user = body['project'].get('manager_user') description = body['project'].get('description') msg = _("Modify project: %(name)s managed by" " %(manager_user)s") % locals() LOG.audit(msg, context=context) auth_manager.AuthManager().modify_project(name, manager_user=manager_user, description=description) return exc.HTTPAccepted()
def register_project(self, context, name, manager_user, description=None, member_users=None, **kwargs): """Creates a new project""" msg = _("Create project %(name)s managed by" " %(manager_user)s") % locals() LOG.audit(msg, context=context) return project_dict(manager.AuthManager().create_project( name, manager_user, description=None, member_users=None))
def create(self, req, body): name = body['project'].get('name') manager_user = body['project'].get('manager_user') description = body['project'].get('description') member_users = body['project'].get('member_users') context = req.environ['engine.context'] msg = _("Create project %(name)s managed by" " %(manager_user)s") % locals() LOG.audit(msg, context=context) project = project_dict(auth_manager.AuthManager().create_project( name, manager_user, description=None, member_users=None)) return {'project': project}
def modify_project(self, context, name, manager_user, description=None, **kwargs): """Modifies a project""" msg = _("Modify project: %(name)s managed by" " %(manager_user)s") % locals() LOG.audit(msg, context=context) manager.AuthManager().modify_project(name, manager_user=manager_user, description=description) return True
def start_vpn(self, context, project): instance = self._vpn_for(context, project) if not instance: # NOTE(vish) import delayed because of __init__.py from engine.cloudpipe import pipelib pipe = pipelib.CloudPipe() proj = manager.AuthManager().get_project(project) user_id = proj.project_manager_id try: pipe.launch_vpn_instance(project, user_id) except db.NoMoreNetworks: raise exception.ApiError("Unable to claim IP for VPN instance" ", ensure it isn't running, and try " "again in a few minutes") instance = self._vpn_for(context, project) return {'instance_id': ec2utils.id_to_ec2_id(instance['id'])}
def __call__(self, req): # Read request signature and access id. try: signature = req.params['Signature'] access = req.params['AWSAccessKeyId'] except KeyError: raise webob.exc.HTTPBadRequest() # Make a copy of args for authentication and signature verification. auth_params = dict(req.params) # Not part of authentication args auth_params.pop('Signature') # Authenticate the request. authman = manager.AuthManager() try: (user, project) = authman.authenticate( access, signature, auth_params, req.method, req.host, req.path) # Be explicit for what exceptions are 403, the rest bubble as 500 except (exception.NotFound, exception.NotAuthorized, exception.InvalidSignature) as ex: LOG.audit(_("Authentication Failure: %s"), unicode(ex)) raise webob.exc.HTTPForbidden() # Authenticated! remote_address = req.remote_addr if FLAGS.use_forwarded_for: remote_address = req.headers.get('X-Forwarded-For', remote_address) roles = authman.get_active_roles(user, project) ctxt = context.RequestContext(user_id=user.id, project_id=project.id, is_admin=user.is_admin(), roles=roles, remote_address=remote_address) req.environ['engine.context'] = ctxt uname = user.name pname = project.name msg = _('Authenticated Request For %(uname)s:%(pname)s)') % locals() LOG.audit(msg, context=req.environ['engine.context']) return self.application
def index(self, req): if urlparse.parse_qs(req.environ['QUERY_STRING']).get( 'defaults', False): return { 'quota_set_list': [ self._format_quota_set('__defaults__', quota._get_default_quotas()) ] } else: context = req.environ['engine.context'] user = req.environ.get('user') projects = auth_manager.AuthManager().get_projects(user=user) quota_set_list = [ self._format_quota_set( project.name, quota.get_project_quotas(context, project.name)) for project in projects ] return {'quota_set_list': quota_set_list}
def setUp(self): super(AccessTestCase, self).setUp() um = manager.AuthManager() self.context = context.get_admin_context() # Make test users self.testadmin = um.create_user('testadmin') self.testpmsys = um.create_user('testpmsys') self.testnet = um.create_user('testnet') self.testsys = um.create_user('testsys') # Assign some rules um.add_role('testadmin', 'cloudadmin') um.add_role('testpmsys', 'sysadmin') um.add_role('testnet', 'netadmin') um.add_role('testsys', 'sysadmin') # Make a test project self.project = um.create_project('testproj', 'testpmsys', 'a test project', ['testpmsys', 'testnet', 'testsys']) self.project.add_role(self.testnet, 'netadmin') self.project.add_role(self.testsys, 'sysadmin') #user is set in each test def noopWSGIApp(environ, start_response): start_response('200 OK', []) return [''] self.mw = ec2.Authorizer(noopWSGIApp) self.mw.action_roles = { 'FakeControllerClass': { '_allow_all': ['all'], '_allow_none': [], '_allow_project_manager': ['projectmanager'], '_allow_sys_and_net': ['sysadmin', 'netadmin'], '_allow_sysadmin': ['sysadmin'] } }
def deregister_project(self, context, name): """Permanently deletes a project.""" LOG.audit(_("Delete project: %s"), name, context=context) manager.AuthManager().delete_project(name) return True
def delete(self, req, id): context = req.environ['engine.context'] LOG.audit(_("Delete project: %s"), id, context=context) auth_manager.AuthManager().delete_project(id) return exc.HTTPAccepted()
def __init__(self): self.manager = manager.AuthManager()
def describe_user(self, _context, name, **_kwargs): """Returns user data, including access and secret keys.""" return user_dict(manager.AuthManager().get_user(name))
def describe_users(self, _context, **_kwargs): """Returns all users - should be changed to deal with a list.""" return { 'userSet': [user_dict(u) for u in manager.AuthManager().get_users()] }
def show(self, req, id): return project_dict(auth_manager.AuthManager().get_project(id))
def describe_vpns(self, context): vpns = [] for project in manager.AuthManager().get_projects(): instance = self._vpn_for(context, project.id) vpns.append(vpn_dict(project, instance)) return {'items': vpns}
def register_user(self, context, name, **_kwargs): """Creates a new user, and returns generated credentials.""" LOG.audit(_("Creating new user: %s"), name, context=context) return user_dict(manager.AuthManager().create_user(name))
def describe_project_members(self, context, name, **kwargs): project = manager.AuthManager().get_project(name) result = {'members': [{'member': m} for m in project.member_ids]} return result
def describe_roles(self, context, project_roles=True, **kwargs): """Returns a list of allowed roles.""" roles = manager.AuthManager().get_roles(project_roles) return {'roles': [{'role': r} for r in roles]}
def describe_project(self, context, name, **kwargs): """Returns project data, including member ids.""" return project_dict(manager.AuthManager().get_project(name))
def setUp(self): super(_AuthManagerBaseTestCase, self).setUp() self.flags(auth_driver=self.auth_driver, connection_type='fake') self.manager = manager.AuthManager(new=True) self.manager.mc.cache = {}
def __init__(self): self.compute_api = compute.API() self.auth_manager = manager.AuthManager() self.cloudpipe = pipelib.CloudPipe() self.setup()