From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
Also move autorization mechanism to controller to be able to distinguish
resource and collection configuration
If we use UrlSubNode to also handle the authorization configuration, we won't be
able to specify different configuration to collection and its resource
as Kimchi uses the same base URL to both.
Example:
@UrlSubNode("vms", True, ["POST", "PUT",
"DELETE"], 'guests')
It meant that all the methods listed were exclusive for admin users.
Which it is not correct, as a user assigned to a VM can also perform POST,
PUT and DELETE actions. So fix it by moving the authorization mechanism to
controller
Aline Manera (5):
authorization: Filter resources by users and groups
authorization: Restrict Collection access based on admin_methods
parameter
authorization: Restrict access to Resource instance
authorization: Update control files to set role_key and admin_methods
authorization: Remove authorization config from UrlSubNode
Crístian Viana (4):
Return some groups for every user in mockmodel
Move "fake_user" credentials to mockmodel
List "admin" as a valid system user in mockmodel
authorization: Update test cases based on last changes
src/kimchi/auth.py | 16 +----------
src/kimchi/control/base.py | 56 +++++++++++++++++++++++++++++++-----
src/kimchi/control/debugreports.py | 8 +++++-
src/kimchi/control/host.py | 26 +++++++++++++++--
src/kimchi/control/interfaces.py | 6 +++-
src/kimchi/control/networks.py | 6 +++-
src/kimchi/control/storagepools.py | 6 +++-
src/kimchi/control/storageservers.py | 8 +++++-
src/kimchi/control/templates.py | 6 +++-
src/kimchi/control/utils.py | 14 +++++----
src/kimchi/control/vms.py | 6 +++-
src/kimchi/exception.py | 4 +++
src/kimchi/i18n.py | 1 +
src/kimchi/mockmodel.py | 5 +++-
src/kimchi/server.py | 4 ---
tests/test_authorization.py | 30 +++++++++++++++++--
tests/test_rest.py | 19 ++++++------
tests/utils.py | 9 +++---
18 files changed, 172 insertions(+), 58 deletions(-)
--
1.9.3