[Kimchi-devel] [PATCH 5/9] authorization: Remove authorization config from UrlSubNode

alinefm at linux.vnet.ibm.com alinefm at linux.vnet.ibm.com
Wed Jul 23 20:39:16 UTC 2014


From: Aline Manera <alinefm at linux.vnet.ibm.com>

UrlSubNode is used to automatically load the application configuration
and set kimchiauth tool when needed.

If we use it to also handle the authorization configuration, we won't be
able to specify different configuration to collection and its resource
as Kimchi uses the same base URL to both.

Example:
@UrlSubNode("vms", True, ["POST", "PUT", "DELETE"], 'guests')
It meant that all the methods listed were exclusive to admin users,
which is not correct, as a user assigned to a VM can also perform POST,
PUT and DELETE actions.

To be able to distinguish the configuration for resource and collection, the
authorization mechanism was moved to the controller.

Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
---
 src/kimchi/auth.py                   | 16 +---------------
 src/kimchi/control/debugreports.py   |  2 +-
 src/kimchi/control/host.py           |  2 +-
 src/kimchi/control/interfaces.py     |  2 +-
 src/kimchi/control/networks.py       |  2 +-
 src/kimchi/control/storagepools.py   |  2 +-
 src/kimchi/control/storageservers.py |  2 +-
 src/kimchi/control/templates.py      |  2 +-
 src/kimchi/control/utils.py          |  6 +-----
 src/kimchi/control/vms.py            |  2 +-
 src/kimchi/server.py                 |  4 ----
 11 files changed, 10 insertions(+), 32 deletions(-)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index aabcb6c..93a47b3 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -243,27 +243,13 @@ def logout():
     cherrypy.lib.sessions.close()
 
 
-def has_permission(admin_methods, tab):
-    cherrypy.session.acquire_lock()
-    role = cherrypy.session.get(USER_ROLES, {}).get(tab, 'user')
-    cherrypy.session.release_lock()
-
-    return not admin_methods or \
-        cherrypy.request.method not in admin_methods or \
-        (cherrypy.request.method in admin_methods and role == "admin")
-
-
-def kimchiauth(admin_methods=None, tab=None):
+def kimchiauth():
     debug("Entering kimchiauth...")
     session_missing = cherrypy.session.missing
     if check_auth_session():
-        if not has_permission(admin_methods, tab):
-            raise cherrypy.HTTPError(403)
         return
 
     if check_auth_httpba():
-        if not has_permission(admin_methods, tab):
-            raise cherrypy.HTTPError(403)
         return
 
     # not a REST full request, redirect login page directly
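Review bot: With the `has_permission()` calls removed, `kimchiauth()` returns as soon as `check_auth_session()` or `check_auth_httpba()` succeeds, so nothing visible in this patch still answers 403 to a non-admin user. The eight controller decorators (debugreports, host, interfaces, networks, storagepools, storageservers, templates, vms) lose their admin-only method lists in the same patch, and the controller-side check the description refers to is not part of it; presumably it lands elsewhere in the series. Unless that enforcement is already in the tree before this patch applies, role checks are fail-open at this point of the history, so I would fold the controller enforcement into this commit or order it first. A one-line docstring such as `"""Authenticate the request only; role checks are enforced by the controllers."""` on `kimchiauth()` would stop later readers from assuming this tool still authorizes. The function body continues past the end of the hunk.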
diff --git a/src/kimchi/control/debugreports.py b/src/kimchi/control/debugreports.py
index a561b99..debc2eb 100644
--- a/src/kimchi/control/debugreports.py
+++ b/src/kimchi/control/debugreports.py
@@ -22,7 +22,7 @@
 from kimchi.control.utils import UrlSubNode
 
 
- at UrlSubNode('debugreports', True, ['GET', 'PUT', 'POST', 'DELETE'], 'host')
+ at UrlSubNode('debugreports', True)
 class DebugReports(AsyncCollection):
     def __init__(self, model):
         super(DebugReports, self).__init__(model)
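Review bot: The bare positional `True` in the new decorator no longer has the admin list next to it to hint at its meaning, and it is now the only access-control marker left on the class. Passing it by keyword, `@UrlSubNode('debugreports', auth=True)`, makes it obvious at the class definition that the endpoint requires an authenticated request and nothing more. The same applies to the decorators changed in host.py, interfaces.py, networks.py, storagepools.py, storageservers.py, templates.py and vms.py. The class body continues outside the hunk.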
diff --git a/src/kimchi/control/host.py b/src/kimchi/control/host.py
index 1b55a29..172f4fe 100644
--- a/src/kimchi/control/host.py
+++ b/src/kimchi/control/host.py
@@ -25,7 +25,7 @@
 from kimchi.template import render
 
 
- at UrlSubNode('host', True, ['GET', 'PUT', 'POST', 'DELETE'], 'host')
+ at UrlSubNode('host', True)
 class Host(Resource):
     def __init__(self, model, id=None):
         super(Host, self).__init__(model, id)
diff --git a/src/kimchi/control/interfaces.py b/src/kimchi/control/interfaces.py
index 944cae6..317cc6f 100644
--- a/src/kimchi/control/interfaces.py
+++ b/src/kimchi/control/interfaces.py
@@ -21,7 +21,7 @@
 from kimchi.control.utils import UrlSubNode
 
 
- at UrlSubNode('interfaces', True, ['GET'], 'network')
+ at UrlSubNode('interfaces', True)
 class Interfaces(Collection):
     def __init__(self, model):
         super(Interfaces, self).__init__(model)
diff --git a/src/kimchi/control/networks.py b/src/kimchi/control/networks.py
index f7696e7..760295c 100644
--- a/src/kimchi/control/networks.py
+++ b/src/kimchi/control/networks.py
@@ -21,7 +21,7 @@
 from kimchi.control.utils import UrlSubNode
 
 
- at UrlSubNode('networks', True, ['PUT', 'POST', 'DELETE'], 'network')
+ at UrlSubNode('networks', True)
 class Networks(Collection):
     def __init__(self, model):
         super(Networks, self).__init__(model)
diff --git a/src/kimchi/control/storagepools.py b/src/kimchi/control/storagepools.py
index 9e57992..c023505 100644
--- a/src/kimchi/control/storagepools.py
+++ b/src/kimchi/control/storagepools.py
@@ -28,7 +28,7 @@
 from kimchi.control.utils import UrlSubNode
 
 
- at UrlSubNode('storagepools', True, ['PUT', 'POST', 'DELETE'], 'storage')
+ at UrlSubNode('storagepools', True)
 class StoragePools(Collection):
     def __init__(self, model):
         super(StoragePools, self).__init__(model)
diff --git a/src/kimchi/control/storageservers.py b/src/kimchi/control/storageservers.py
index e86f920..4b70c39 100644
--- a/src/kimchi/control/storageservers.py
+++ b/src/kimchi/control/storageservers.py
@@ -22,7 +22,7 @@
 from kimchi.control.utils import get_class_name, model_fn, UrlSubNode
 
 
- at UrlSubNode('storageservers', True, ['GET'], 'storage')
+ at UrlSubNode('storageservers', True)
 class StorageServers(Collection):
     def __init__(self, model):
         super(StorageServers, self).__init__(model)
diff --git a/src/kimchi/control/templates.py b/src/kimchi/control/templates.py
index 167e19e..020902d 100644
--- a/src/kimchi/control/templates.py
+++ b/src/kimchi/control/templates.py
@@ -21,7 +21,7 @@
 from kimchi.control.utils import UrlSubNode
 
 
- at UrlSubNode('templates', True, ['GET', 'PUT', 'POST', 'DELETE'], 'templates')
+ at UrlSubNode('templates', True)
 class Templates(Collection):
     def __init__(self, model):
         super(Templates, self).__init__(model)
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index aa5f452..c39dbd8 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -113,21 +113,17 @@ def validate_params(params, instance, action):
 
 class UrlSubNode(object):
 
-    def __init__(self, name, auth=False, admin_methods=None, tab=None):
+    def __init__(self, name, auth=False):
         """
         admin_methods must be None, or a list containing zero or more of the
         string values ['GET', 'POST', 'PUT', 'DELETE']
         """
         self.name = name
         self.auth = auth
-        self.tab = tab
-        self.admin_methods = admin_methods
 
     def __call__(self, fun):
         fun._url_sub_node_name = {"name": self.name}
         fun.url_auth = self.auth
-        fun.tab = self.tab
-        fun.admin_methods = self.admin_methods
         return fun
 
 
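Review bot: The `__init__` docstring kept as context here still describes `admin_methods`, which this hunk removes from the signature, so it now documents a parameter that does not exist. Replace it with text for the two remaining arguments, for example `"""name: URL sub-node name; auth: True if the node requires an authenticated request."""`. It is worth stating there that the decorator carries no role information any more, since `__call__` now copies only `_url_sub_node_name` and `url_auth` onto the class.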
diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
index c36d72a..28ad775 100644
--- a/src/kimchi/control/vms.py
+++ b/src/kimchi/control/vms.py
@@ -22,7 +22,7 @@
 from kimchi.control.vm import sub_nodes
 
 
- at UrlSubNode('vms', True, ['POST', 'PUT', 'DELETE'], 'guests')
+ at UrlSubNode('vms', True)
 class VMs(Collection):
     def __init__(self, model):
         super(VMs, self).__init__(model)
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index b0e9474..3f49f6c 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -129,10 +129,6 @@ def __init__(self, options):
                 cfg = self.configObj
                 ident = "/%s" % ident
                 cfg[ident] = {'tools.kimchiauth.on': True}
-                if node.admin_methods:
-                    cfg[ident]['tools.kimchiauth.tab'] = node.tab
-                    cfg[ident][
-                        'tools.kimchiauth.admin_methods'] = node.admin_methods
 
         self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
                                        config=self.configObj)
-- 
1.9.3



