From 335d58611d0daf87783e565b521974b456f5c636 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Nov=C3=BD?=
Date: Tue, 15 Dec 2015 22:42:18 +0100
Subject: [PATCH] Keystone middleware deprecated option is_admin removed
It has been deprecated from Swift 1.8.0 (Grizzly)
Change-Id: Id6bc10c3e84262c0a9e6160a76af03c0ad363e9c
---
doc/manpages/proxy-server.conf.5 | 5 -----
etc/proxy-server.conf-sample | 6 ------
swift/common/middleware/keystoneauth.py | 20 +++++-------------
.../common/middleware/test_keystoneauth.py | 21 +++++++------------
4 files changed, 13 insertions(+), 39 deletions(-)
diff --git a/doc/manpages/proxy-server.conf.5 b/doc/manpages/proxy-server.conf.5
index 24e41aef84..07539ff7b2 100644
--- a/doc/manpages/proxy-server.conf.5
+++ b/doc/manpages/proxy-server.conf.5
@@ -330,11 +330,6 @@ This allows middleware higher in the WSGI pipeline to override auth processing, useful for middleware such as tempurl and formpost. If you know you're not going to use such middleware and you want a bit of extra security,
you can set this to false.
-.IP \fBis_admin\fR
-[DEPRECATED] If is_admin is true, a user whose username is the same as the project name
-and who has any role on the project will have access rights elevated to be
-the same as if the user had an operator role. Note that the condition
-compares names rather than UUIDs. This option is deprecated.
.IP \fBservice_roles\fR
If the service_roles parameter is present, an X-Service-Token must be
present in the request that when validated, grants at least one role listed
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 59c5cc02aa..0e7de10daa 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -337,12 +337,6 @@ user_test5_tester5 = testing5 service
# you can set this to false.
# allow_overrides = true
#
-# If is_admin is true, a user whose username is the same as the project name
-# and who has any role on the project will have access rights elevated to be
-# the same as if the user had an operator role. Note that the condition
-# compares names rather than UUIDs. This option is deprecated.
-# is_admin = false
-#
# If the service_roles parameter is present, an X-Service-Token must be
# present in the request that when validated, grants at least one role listed
# in the parameter. The X-Service-Token may be scoped to any project.
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py
index a00701c39b..651aeacfbb 100644
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@@ -75,12 +75,6 @@ class KeystoneAuth(object):
id.. For example, if the project id is ``1234``, the path is ``/v1/AUTH_1234``.
- If the ``is_admin`` option is ``true``, a user whose username is the same
- as the project name and who has any role on the project will have access
- rights elevated to be the same as if the user had one of the
- ``operator_roles``. Note that the condition compares names rather than
- UUIDs. This option is deprecated. It is ``false`` by default.
-
If you need to have a different reseller_prefix to be able to mix different auth servers you can configure the option ``reseller_prefix`` in your keystoneauth entry like this::
@@ -188,7 +182,11 @@ def __init__(self, app, conf):
self.reseller_admin_role = conf.get('reseller_admin_role', 'ResellerAdmin').lower()
config_is_admin = conf.get('is_admin', "false").lower()
- self.is_admin = swift_utils.config_true_value(config_is_admin)
+ if swift_utils.config_true_value(config_is_admin):
+ self.logger.warning("The 'is_admin' option for keystoneauth is no "
+ "longer supported. Remove the 'is_admin' "
+ "option from your keystoneauth config")
+
config_overrides = conf.get('allow_overrides', 't').lower()
self.allow_overrides = swift_utils.config_true_value(config_overrides)
self.default_domain_id = conf.get('default_domain_id', 'default')
@@ -484,14 +482,6 @@ def authorize(self, env_identity, req):
req.environ['swift_owner'] = True
return
- # If user is of the same name of the tenant then make owner of it.
- if self.is_admin and user_name == tenant_name:
- self.logger.warning("the is_admin feature has been deprecated "
- "and will be removed in the future "
- "update your config file")
- req.environ['swift_owner'] = True
- return
-
if acl_authorized is not None:
return self.denied_response(req)
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
index a81565119d..81b27fad12 100644
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
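Review bot: The warning in the new `if swift_utils.config_true_value(config_is_admin):` branch fires only when the stale option is set to a true value, so a config that still carries `is_admin = false` gets no notice even though the message asks the operator to remove the option. Since nothing reads the option any more (the `self.is_admin` assignment is dropped here and the branch that consumed it is deleted in the `authorize` hunk below), testing for presence is simpler and matches the message: `if 'is_admin' in conf:` in place of the `config_is_admin = conf.get(...)` lookup and the `config_true_value` test. Removing the attribute is the fail-closed direction — a user merely named like the project no longer gains owner rights through this path — but any code that still assigns or reads `is_admin` on the middleware (the updated unit test does) now touches an attribute nothing consumes. `__init__` continues past the end of this hunk.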
@@ -647,21 +647,16 @@ def test_authorize_succeeds_as_owner_for_insensitive_operator_role(self):
req = self._check_authenticate(identity=identity)
self.assertTrue(req.environ.get('swift_owner'))
- def _check_authorize_for_tenant_owner_match(self, exception=None):
+ def test_authorize_fails_same_user_and_tenant(self):
+ # Historically the is_admin option allowed access when user_name
+ # matched tenant_name, but it is no longer supported. This test is a
+ # sanity check that the option no longer works.
+ self.test_auth.is_admin = True
identity = self._get_identity(user_name='same_name', tenant_name='same_name')
- req = self._check_authenticate(identity=identity, exception=exception)
- expected = bool(exception is None)
- self.assertEqual(bool(req.environ.get('swift_owner')), expected)
-
- def test_authorize_succeeds_as_owner_for_tenant_owner_match(self):
- self.test_auth.is_admin = True
- self._check_authorize_for_tenant_owner_match()
-
- def test_authorize_fails_as_owner_for_tenant_owner_match(self):
- self.test_auth.is_admin = False
- self._check_authorize_for_tenant_owner_match(
- exception=HTTP_FORBIDDEN)
+ req = self._check_authenticate(identity=identity,
+ exception=HTTP_FORBIDDEN)
+ self.assertFalse(bool(req.environ.get('swift_owner')))
def test_authorize_succeeds_for_container_sync(self):
env = {'swift_sync_key': 'foo', 'REMOTE_ADDR': '127.0.0.1'}
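Review bot: `self.test_auth.is_admin = True` in the new `test_authorize_fails_same_user_and_tenant` sets an attribute the middleware no longer defines or reads (the `self.is_admin` assignment is removed in the keystoneauth.py hunk), so the line is inert and the test passes identically without it; it also never exercises the new warning path in `__init__`. A test that actually pins the removal would build the middleware with `is_admin` set to `true` in its conf and assert both that the same-named user is still forbidden and that the warning is logged — how `self.test_auth` is constructed is outside this hunk, so the exact setup line is not visible here. If the assignment is kept, the comment should say why it is there, e.g. `# is_admin is no longer read by the middleware; set it anyway to prove it has no effect`.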