[Kimchi-devel] [PATCH 4/5] Enhance UrlSubNode decorator and kimchiauth tool to check for sudo rights
Aline Manera
alinefm at linux.vnet.ibm.com
Mon Feb 10 19:19:13 UTC 2014
On 02/10/2014 12:32 AM, Leonardo Garcia wrote:
> From: Leonardo Garcia <lagarcia at br.ibm.com>
>
> kimchiauth tool used to only check if the user was authenticated or not.
> Now it also checks whether the REST API being accessed is only allowed
> to users with sudo rights.
>
> The necessity to have sudo rights to access a REST API can be easily
> configured through the UrlSubNode decorator. Similar to the support
> previously implemented for user authentication in UrlSubNode, an
> additional boolean parameter was added to UrlSubNode to indicate whether
> the user needs sudo rights in order to access the corresponding REST
> API.
>
> Signed-off-by: Leonardo Garcia <lagarcia at br.ibm.com>
> ---
> src/kimchi/auth.py | 10 +++++++---
> src/kimchi/control/utils.py | 4 +++-
> src/kimchi/server.py | 2 ++
> 3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index 3ffe4b1..b3d1edf 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -190,12 +190,16 @@ def logout():
> cherrypy.lib.sessions.expire()
>
>
> -def kimchiauth(*args, **kwargs):
> +def kimchiauth(needs_admin=False):
> debug("Entering kimchiauth...")
> - if check_auth_session():
> + if check_auth_session() and \
> + (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
> + debug(str(cherrypy.session[USER_SUDO]))
> return
>
> - if check_auth_httpba():
> + if check_auth_httpba() and \
> + (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
> + debug(str(cherrypy.session[USER_SUDO]))
> return
>
> if not from_browser():
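Review bot: An authenticated user who lacks sudo rights falls through both new conditions on the `if check_auth_session() and \` and `if check_auth_httpba() and \` lines into the unauthenticated path that follows `if not from_browser():` (outside the hunk), so a privilege failure is reported as a missing login rather than as forbidden. In addition `cherrypy.session[USER_SUDO]` is indexed directly, which raises KeyError instead of denying access if the session was accepted without that key ever being set, and comparing it against `needs_admin` only works while both are plain booleans. Rather than repeating the condition in each branch, evaluate the admin requirement once after either check has accepted the request, read the flag with `cherrypy.session.get(USER_SUDO, False)`, and raise `cherrypy.HTTPError(403)` for an authenticated but unprivileged caller, as sketched below; this also stops a non-admin session from being retried through HTTP basic auth, which I believe is the intended result. Dropping `*args, **kwargs` from the signature also means that any other `tools.kimchiauth.*` config key cherrypy passes through as a keyword argument would now fail with TypeError, so keeping `**kwargs` is cheap insurance. kimchiauth's body continues outside the hunk.
```python
def kimchiauth(needs_admin=False, **kwargs):
    debug("Entering kimchiauth...")
    if check_auth_session() or check_auth_httpba():
        # USER_SUDO is only meaningful once a check has accepted the request;
        # a missing flag is treated as "not an administrator"
        if not needs_admin or cherrypy.session.get(USER_SUDO, False):
            return
        # authenticated but unprivileged: answer 403, not the 401 challenge below
        raise cherrypy.HTTPError(403, "Administrator privileges required")
    # … unchanged: browser / HTTP basic-auth challenge handling …
```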
> diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
> index 9c6878b..4567af7 100644
> --- a/src/kimchi/control/utils.py
> +++ b/src/kimchi/control/utils.py
> @@ -107,13 +107,15 @@ def validate_params(params, instance, action):
>
>
> class UrlSubNode(object):
> - def __init__(self, name, auth=False):
> + def __init__(self, name, auth=False, needs_admin=False):
We also need a list of which methods are exclusive to admin users.
For example, any kind of user can do GET operations, but POST, PUT and
DELETE are only available to admin users.
def __init__(self, name, auth=False, needs_admin=False, admin_methods=[])
fun.admin_methods = admin_methods
And in kimchiauth()
method = cherrypy.request.method.upper()
if method in [admin_methods]:
# needs sudo
> self.name = name
> self.auth = auth
> + self.needs_admin = needs_admin
>
> def __call__(self, fun):
> fun._url_sub_node_name = {"name": self.name}
> fun.url_auth = self.auth
> + fun.needs_admin = self.needs_admin
> return fun
>
>
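Review bot: `needs_admin=True` on its own protects nothing: in the server.py hunk the `tools.kimchiauth.needs_admin` key is only written inside `if node.url_auth:`, so a node decorated with `needs_admin=True` but the default `auth=False` is mounted without the kimchiauth tool at all and stays reachable anonymously. Requiring admin rights implies requiring authentication, so the decorator should enforce that in `__init__` with `self.auth = auth or needs_admin`, which also makes the server.py check correct without touching it. A one-line docstring on `__init__` stating that `needs_admin` implies `auth` would make that contract visible to users of the decorator. The class may continue past the end of the hunk.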
> diff --git a/src/kimchi/server.py b/src/kimchi/server.py
> index 1e131b4..469db68 100644
> --- a/src/kimchi/server.py
> +++ b/src/kimchi/server.py
> @@ -191,6 +191,8 @@ class Server(object):
> for ident, node in sub_nodes.items():
> if node.url_auth:
> self.configObj["/%s" % ident] = {'tools.kimchiauth.on': True}
> + if node.needs_admin:
> + self.configObj["/%s" % ident]['tools.kimchiauth.needs_admin'] = True
>
> self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
> config=self.configObj)