On 02/10/2014 05:23 PM, Aline Manera wrote:
On 02/10/2014 05:19 PM, Aline Manera wrote:
> On 02/10/2014 12:32 AM, Leonardo Garcia wrote:
>> From: Leonardo Garcia <lagarcia(a)br.ibm.com>
>>
>> kimchiauth tool used to only check if the user was authenticated or
>> not.
>> Now it also checks whether the REST API being accessed is only allowed
>> to users with sudo rights.
>>
>> The necessity to have sudo rights to access a REST API can be easily
>> configured through the UrlSubNode decorator. Similar to the support
>> previously implemented for user authentication in UrlSubNode, an
>> additional boolean parameter was added to UrlSubNode to indicate
>> whether
>> the user needs sudo rights in order to access the corresponding REST
>> API.
>>
>> Signed-off-by: Leonardo Garcia <lagarcia(a)br.ibm.com>
>> ---
>> src/kimchi/auth.py | 10 +++++++---
>> src/kimchi/control/utils.py | 4 +++-
>> src/kimchi/server.py | 2 ++
>> 3 files changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
>> index 3ffe4b1..b3d1edf 100644
>> --- a/src/kimchi/auth.py
>> +++ b/src/kimchi/auth.py
>> @@ -190,12 +190,16 @@ def logout():
>> cherrypy.lib.sessions.expire()
>>
>>
>> -def kimchiauth(*args, **kwargs):
>> +def kimchiauth(needs_admin=False):
>> debug("Entering kimchiauth...")
>> - if check_auth_session():
>> + if check_auth_session() and \
>> + (not needs_admin or (cherrypy.session[USER_SUDO] ==
>> needs_admin)):
>> + debug(str(cherrypy.session[USER_SUDO]))
>> return
>>
>> - if check_auth_httpba():
>> + if check_auth_httpba() and \
>> + (not needs_admin or (cherrypy.session[USER_SUDO] ==
>> needs_admin)):
>> + debug(str(cherrypy.session[USER_SUDO]))
>> return
>>
>> if not from_browser():
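Review bot: When `check_auth_session()` succeeds but `cherrypy.session[USER_SUDO]` is not set, the new compound condition at the two `if` statements falls through to the unauthenticated path (`if not from_browser():`, whose body lies outside the hunk), so an authenticated non-admin is treated like an anonymous caller instead of being refused with a 403; the authentication and authorization steps should be separated so the second failure mode gets its own response. The direct `cherrypy.session[USER_SUDO]` index also presumably raises KeyError on a session that was never populated with that key (e.g. on the HTTP basic-auth path, if `check_auth_httpba()` does not store it — not visible here), so `session.get(USER_SUDO, False)` is safer. The two `debug(str(cherrypy.session[USER_SUDO]))` lines only print a boolean and can go. Rewriting the top of the function along these lines:
```python
def kimchiauth(needs_admin=False):
    debug("Entering kimchiauth...")
    if check_auth_session() or check_auth_httpba():
        # Authenticated; now check authorization for admin-only sub-nodes.
        if needs_admin and not cherrypy.session.get(USER_SUDO, False):
            raise cherrypy.HTTPError(403, "Administrator privileges required")
        return
    # … unchanged: unauthenticated handling (from_browser() branch) …
```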
>> diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
>> index 9c6878b..4567af7 100644
>> --- a/src/kimchi/control/utils.py
>> +++ b/src/kimchi/control/utils.py
>> @@ -107,13 +107,15 @@ def validate_params(params, instance, action):
>>
>>
>> class UrlSubNode(object):
>> - def __init__(self, name, auth=False):
>> + def __init__(self, name, auth=False, needs_admin=False):
>
> We also need to have a list of which methods are exclusive for admin
> For example, any kind of user can do GET operations, but POST, PUT
> and DELETE are only available for admin
>
> def __init__(self, name, auth=False, needs_admin=False,
> admin_methods=[])
> fun.admin_methods = admin_methods
>
> And in kimchiauth()
>
> method = cherrypy.request.method.upper()
> if method in [admin_methods]:
> # needs sudo
>
Or, instead of passing admin_methods, we could assume in kimchiauth() that only the GET
method does not require admin access.
Yes, this is a better approach, definitely.
I'll include this check in v2.
Best regards,
Leonardo Garcia
>
>> self.name = name
>> self.auth = auth
>> + self.needs_admin = needs_admin
>>
>> def __call__(self, fun):
>> fun._url_sub_node_name = {"name": self.name}
>> fun.url_auth = self.auth
>> + fun.needs_admin = self.needs_admin
>> return fun
>>
>>
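Review bot: `UrlSubNode.__init__` now accepts `needs_admin=True` together with the default `auth=False`, but the server.py hunk copies `needs_admin` into the CherryPy config only inside `if node.url_auth:`, so a sub-node declared that way would be mounted with no admin check and no error. The constructor should reject or resolve the combination, e.g. `if needs_admin and not auth: raise ValueError("needs_admin requires auth=True")`, or alternatively set `self.auth = auth or needs_admin` so the admin flag implies authentication. The new attribute also deserves a class docstring stating that `needs_admin` restricts the sub-node to users holding sudo rights, since the name alone does not say which notion of "admin" is meant. The class body continues outside the hunk.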
>> diff --git a/src/kimchi/server.py b/src/kimchi/server.py
>> index 1e131b4..469db68 100644
>> --- a/src/kimchi/server.py
>> +++ b/src/kimchi/server.py
>> @@ -191,6 +191,8 @@ class Server(object):
>> for ident, node in sub_nodes.items():
>> if node.url_auth:
>> self.configObj["/%s" % ident] =
>> {'tools.kimchiauth.on': True}
>> + if node.needs_admin:
>> + self.configObj["/%s" %
>> ident]['tools.kimchiauth.needs_admin'] = True
>>
>> self.app = cherrypy.tree.mount(KimchiRoot(model_instance,
>> dev_env),
>> config=self.configObj)
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>