[Kimchi-devel] [PATCH 4/5] Enhance UrlSubNode decorator and kimchiauth tool to check for sudo rights
Leonardo Augusto Guimarães Garcia
lagarcia at linux.vnet.ibm.com
Tue Feb 11 03:17:51 UTC 2014
On 02/10/2014 05:23 PM, Aline Manera wrote:
> On 02/10/2014 05:19 PM, Aline Manera wrote:
>> On 02/10/2014 12:32 AM, Leonardo Garcia wrote:
>>> From: Leonardo Garcia <lagarcia at br.ibm.com>
>>>
>>> kimchiauth tool used to only check if the user was authenticated or
>>> not.
>>> Now it also checks whether the REST API being accessed is only allowed
>>> to users with sudo rights.
>>>
>>> The necessity to have sudo rights to access a REST API can be easily
>>> configured through the UrlSubNode decorator. Similar to the support
>>> previously implemented for user authentication in UrlSubNode, an
>>> additional boolean parameter was added to UrlSubNode to indicate
>>> whether
>>> the user needs sudo rights in order to access the corresponding REST
>>> API.
>>>
>>> Signed-off-by: Leonardo Garcia <lagarcia at br.ibm.com>
>>> ---
>>> src/kimchi/auth.py | 10 +++++++---
>>> src/kimchi/control/utils.py | 4 +++-
>>> src/kimchi/server.py | 2 ++
>>> 3 files changed, 12 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
>>> index 3ffe4b1..b3d1edf 100644
>>> --- a/src/kimchi/auth.py
>>> +++ b/src/kimchi/auth.py
>>> @@ -190,12 +190,16 @@ def logout():
>>> cherrypy.lib.sessions.expire()
>>>
>>>
>>> -def kimchiauth(*args, **kwargs):
>>> +def kimchiauth(needs_admin=False):
>>> debug("Entering kimchiauth...")
>>> - if check_auth_session():
>>> + if check_auth_session() and \
>>> + (not needs_admin or (cherrypy.session[USER_SUDO] ==
>>> needs_admin)):
>>> + debug(str(cherrypy.session[USER_SUDO]))
>>> return
>>>
>>> - if check_auth_httpba():
>>> + if check_auth_httpba() and \
>>> + (not needs_admin or (cherrypy.session[USER_SUDO] ==
>>> needs_admin)):
>>> + debug(str(cherrypy.session[USER_SUDO]))
>>> return
>>>
>>> if not from_browser():
>>> diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
>>> index 9c6878b..4567af7 100644
>>> --- a/src/kimchi/control/utils.py
>>> +++ b/src/kimchi/control/utils.py
>>> @@ -107,13 +107,15 @@ def validate_params(params, instance, action):
>>>
>>>
>>> class UrlSubNode(object):
>>> - def __init__(self, name, auth=False):
>>> + def __init__(self, name, auth=False, needs_admin=False):
>>
>> We also need to have a list of which methods are exclusive for admin
>> For example, any kind of user can do GET operations, but POST, PUT
>> and DELETE are only available for admin
>>
>> def __init__(self, name, auth=False, needs_admin=False,
>> admin_methods=[])
>> fun.admin_methods = admin_methods
>>
>> And in kimchiauth()
>>
>> method = cherrypy.request.method.upper()
>> if method in [admin_methods]:
>> # needs sudo
>>
>
> Or instead of pass admin_methods() we assume in kimchiauth() only GET
> method does not require admin access.
Yes, this is a better approach, definitely.
I'll include this check in v2.
Best regards,
Leonardo Garcia
>
>>
>>> self.name = name
>>> self.auth = auth
>>> + self.needs_admin = needs_admin
>>>
>>> def __call__(self, fun):
>>> fun._url_sub_node_name = {"name": self.name}
>>> fun.url_auth = self.auth
>>> + fun.needs_admin = self.needs_admin
>>> return fun
>>>
>>>
>>> diff --git a/src/kimchi/server.py b/src/kimchi/server.py
>>> index 1e131b4..469db68 100644
>>> --- a/src/kimchi/server.py
>>> +++ b/src/kimchi/server.py
>>> @@ -191,6 +191,8 @@ class Server(object):
>>> for ident, node in sub_nodes.items():
>>> if node.url_auth:
>>> self.configObj["/%s" % ident] =
>>> {'tools.kimchiauth.on': True}
>>> + if node.needs_admin:
>>> + self.configObj["/%s" %
>>> ident]['tools.kimchiauth.needs_admin'] = True
>>>
>>> self.app = cherrypy.tree.mount(KimchiRoot(model_instance,
>>> dev_env),
>>> config=self.configObj)
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>
More information about the Kimchi-devel
mailing list