[Kimchi-devel] [PATCH 4/5] Enhance UrlSubNode decorator and kimchiauth tool to check for sudo rights

Daniel H Barboza danielhb at linux.vnet.ibm.com
Mon Feb 10 12:10:06 UTC 2014


Reviewed-by: Daniel Barboza <danielhb at linux.vnet.ibm.com>

On 02/10/2014 12:32 AM, Leonardo Garcia wrote:
> From: Leonardo Garcia <lagarcia at br.ibm.com>
>
> kimchiauth tool used to only check if the user was authenticated or not.
> Now it also checks whether the REST API being accessed is only allowed
> to users with sudo rights.
>
> The necessity to have sudo rights to access a REST API can be easily
> configured through the UrlSubNode decorator. Similar to the support
> previously implemented for user authentication in UrlSubNode, an
> additional boolean parameter was added to UrlSubNode to indicate whether
> the user needs sudo rights in order to access the corresponding REST
> API.
>
> Signed-off-by: Leonardo Garcia <lagarcia at br.ibm.com>
> ---
>   src/kimchi/auth.py          | 10 +++++++---
>   src/kimchi/control/utils.py |  4 +++-
>   src/kimchi/server.py        |  2 ++
>   3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index 3ffe4b1..b3d1edf 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -190,12 +190,16 @@ def logout():
>       cherrypy.lib.sessions.expire()
>
>
> -def kimchiauth(*args, **kwargs):
> +def kimchiauth(needs_admin=False):
>       debug("Entering kimchiauth...")
> -    if check_auth_session():
> +    if check_auth_session() and \
> +       (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
> +        debug(str(cherrypy.session[USER_SUDO]))
>           return
>
> -    if check_auth_httpba():
> +    if check_auth_httpba() and \
> +       (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
> +        debug(str(cherrypy.session[USER_SUDO]))
>           return
>
>       if not from_browser():
> diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
> index 9c6878b..4567af7 100644
> --- a/src/kimchi/control/utils.py
> +++ b/src/kimchi/control/utils.py
> @@ -107,13 +107,15 @@ def validate_params(params, instance, action):
>
>
>   class UrlSubNode(object):
> -    def __init__(self, name, auth=False):
> +    def __init__(self, name, auth=False, needs_admin=False):
>           self.name = name
>           self.auth = auth
> +        self.needs_admin = needs_admin
>
>       def __call__(self, fun):
>           fun._url_sub_node_name = {"name": self.name}
>           fun.url_auth = self.auth
> +        fun.needs_admin = self.needs_admin
>           return fun
>
>
> diff --git a/src/kimchi/server.py b/src/kimchi/server.py
> index 1e131b4..469db68 100644
> --- a/src/kimchi/server.py
> +++ b/src/kimchi/server.py
> @@ -191,6 +191,8 @@ class Server(object):
>           for ident, node in sub_nodes.items():
>               if node.url_auth:
>                   self.configObj["/%s" % ident] = {'tools.kimchiauth.on': True}
> +                if node.needs_admin:
> +                    self.configObj["/%s" % ident]['tools.kimchiauth.needs_admin']  = True
>
>           self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
>                                          config=self.configObj)




More information about the Kimchi-devel mailing list