Fixes for Tuskar API Keystone authentication

Rather than duplicating the instructions as suggested in the bug, I added a link to the Keystone service configuration page instead. It offers a much more comprehensive explanation of the steps than we should. In verifying those instructions, I had to fix code in Tuskar to get the authentication working. The original code was copied from Ironic, however, their needs are slightly different as they have the notion of public APIs. They use the AdminAuthHook to facilitate admin and public access. Furthermore, the code Tuskar did have would crash when attempting to call to_dict() on the context, which is specifically implemented in Ironic. Change-Id: I13c249ea02c5c74fb378faf41ada0efb55ddf162 Closes-Bug: #1284133
2014-04-02 14:13:47 -04:00 · 2014-04-02 14:13:47 -04:00 · 5a9b3f19b4
commit 5a9b3f19b4
parent 4d502e890c
3 changed files with 18 additions and 28 deletions
--- a/doc/source/INSTALL.rst
+++ b/doc/source/INSTALL.rst
@ -35,7 +35,8 @@ Now create your virtualenv::
    $ cd <your_src_dir>/tuskar
    $ tox -e py27

-Note: if ``pip install`` fails due to an outdated setuptools, you can try to update it first::
+.. note::
+  If ``pip install`` fails due to an outdated setuptools, you can try to update it first::

    $ sudo pip install --upgrade setuptools

@ -49,7 +50,7 @@ Copy the sample configuration file:

    $ cp etc/tuskar/tuskar.conf.sample etc/tuskar/tuskar.conf

-Edit the config file and uncomment the `heat_keystone` section at the bottom:
+Edit the config file and uncomment the ``heat_keystone`` section at the bottom:

 ::

@ -61,9 +62,10 @@ Edit the config file and uncomment the `heat_keystone` section at the bottom:
    auth_url = http://localhost:35357/v2.0
    insecure = True

-Note: replace these values with credentials for our undercloud OpenStack. If
-you're using `Devstack <http://devstack.org/>`_, the username and password are
-printed out when `stack.sh` finishes its job.
+.. note::
+  Replace these values with credentials for our undercloud OpenStack. If
+  you're using `Devstack <http://devstack.org/>`_, the username and password are
+  printed out when ``stack.sh`` finishes its job.

 You will need a local checkout of the tripleo-heat-templates. Uncomment the
 configuration entry that is defined for this purpose: tht_local_dir should point
@ -107,6 +109,14 @@ worked by running::

 This command should return JSON for four Overcloud Roles.

+Keystone Configuration
+^^^^^^^^^^^^^^^^^^^^^^
+
+By default, Tuskar is configured to skip authentication for REST API calls.
+Keystone authentication can be enabled by making the appropriate changes to
+the ``tuskar.conf`` file as described here:
+http://docs.openstack.org/developer/keystone/configuringservices.html
+
 Running Tuskar API
 ------------------

--- a/tuskar/api/acl.py
+++ b/tuskar/api/acl.py
@ -20,10 +20,6 @@

 from keystoneclient.middleware import auth_token
 from oslo.config import cfg
-from pecan import hooks
-from webob import exc
-
-from tuskar.common import policy


 OPT_GROUP_NAME = 'keystone_authtoken'
@ -32,25 +28,12 @@ OPT_GROUP_NAME = 'keystone_authtoken'
 def register_opts(conf):
    """Register keystoneclient middleware options
    """
-    conf.register_opts(auth_token.opts,
-                       group=OPT_GROUP_NAME)
+    conf.register_opts(auth_token.opts, group=OPT_GROUP_NAME)
    auth_token.CONF = conf


-register_opts(cfg.CONF)
-
-
 def install(app, conf):
    """Install ACL check on application."""
+    register_opts(cfg.CONF)
    return auth_token.AuthProtocol(app,
                                   conf=dict(conf.get(OPT_GROUP_NAME)))
-
-
-class AdminAuthHook(hooks.PecanHook):
-    """Verify that the user has admin rights
-    """
-
-    def before(self, state):
-        headers = state.request.headers
-        if not policy.check_is_admin(headers.get('X-Roles', "").split(",")):
-            raise exc.HTTPUnauthorized()
--- a/tuskar/api/app.py
+++ b/tuskar/api/app.py
@ -49,12 +49,9 @@ def setup_app(pecan_config=None, extra_hooks=None):
    if not pecan_config:
        pecan_config = get_pecan_config()

-    if pecan_config.app.enable_acl:
-        app_hooks.append(acl.AdminAuthHook())
-
    pecan.configuration.set_config(dict(pecan_config), overwrite=True)

-# TODO(deva): add middleware.ParsableErrorMiddleware from Ceilometer
+    # TODO(deva): add middleware.ParsableErrorMiddleware from Ceilometer
    app = pecan.make_app(
        pecan_config.app.root,
        custom_renderers=dict(wsmejson=renderers.JSONRenderer),