1:10 p.m.
Reviewed-by: Daniel Barboza <danielhb(a)linux.vnet.ibm.com>
On 02/10/2014 12:32 AM, Leonardo Garcia wrote:
From: Leonardo Garcia <lagarcia(a)br.ibm.com>
kimchiauth tool used to only check if the user was authenticated or not.
Now it also checks whether the REST API being accessed is only allowed
to users with sudo rights.
The necessity to have sudo rights to access a REST API can be easily
configured through the UrlSubNode decorator. Similar to the support
previously implemented for user authentication in UrlSubNode, an
additional boolean parameter was added to UrlSubNode to indicate whether
the user needs sudo rights in order to access the corresponding REST
API.
Signed-off-by: Leonardo Garcia <lagarcia(a)br.ibm.com>
---
src/kimchi/auth.py | 10 +++++++---
src/kimchi/control/utils.py | 4 +++-
src/kimchi/server.py | 2 ++
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index 3ffe4b1..b3d1edf 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -190,12 +190,16 @@ def logout():
cherrypy.lib.sessions.expire()
-def kimchiauth(*args, **kwargs):
+def kimchiauth(needs_admin=False):
debug("Entering kimchiauth...")
- if check_auth_session():
+ if check_auth_session() and \
+ (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
+ debug(str(cherrypy.session[USER_SUDO]))
return
- if check_auth_httpba():
+ if check_auth_httpba() and \
+ (not needs_admin or (cherrypy.session[USER_SUDO] == needs_admin)):
+ debug(str(cherrypy.session[USER_SUDO]))
return
if not from_browser():
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index 9c6878b..4567af7 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -107,13 +107,15 @@ def validate_params(params, instance, action):
class UrlSubNode(object):
- def __init__(self, name, auth=False):
+ def __init__(self, name, auth=False, needs_admin=False):
self.name = name
self.auth = auth
+ self.needs_admin = needs_admin
def __call__(self, fun):
fun._url_sub_node_name = {"name": self.name}
fun.url_auth = self.auth
+ fun.needs_admin = self.needs_admin
return fun
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index 1e131b4..469db68 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -191,6 +191,8 @@ class Server(object):
for ident, node in sub_nodes.items():
if node.url_auth:
self.configObj["/%s" % ident] =
{'tools.kimchiauth.on': True}
+ if node.needs_admin:
+ self.configObj["/%s" %
ident]['tools.kimchiauth.needs_admin'] = True
self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
config=self.configObj)