Ensures User is member of tenant in ec2 validation
It is possible that a user is no longer a member of a tenant when
they attempt to use an ec2 token. This checks to make sure that
the user still has at least one valid role in the tenant before
authenticating them. This should automatically work for the s3
version as well since it is a subclass.

Fixes bug 1064914

Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
vishvananda authored and yolandacanonical committed Nov 22, 2012
1 parent ddb4019 commit 8735009
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions keystone/contrib/ec2/core.py
Expand Up @@ -161,9 +161,19 @@ def authenticate(self, context, credentials=None,
context=context,
user_id=creds_ref['user_id'])
metadata_ref = self.identity_api.get_metadata(
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])

# TODO(termie): optimize this call at some point and put it into the
# the return for metadata
# fill out the roles in the metadata
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.identity_api.get_role(context, role_id)
for role_id in roles]

catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
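Review bot: The new guard at `roles = metadata_ref.get('roles', [])` assumes `get_metadata` always returns a dict; if it can return None or raise for a user who has no record in the tenant, that case surfaces as a different error instead of `Unauthorized`. Consider `roles = (metadata_ref or {}).get('roles', [])`, or catch the lookup failure and raise the same `Unauthorized`. The commit changes only core.py, so a test that strips the user's roles in the tenant and then presents the ec2 credential (and repeats it through the s3 subclass the commit message mentions) would pin the behaviour. Minor: the relocated TODO still reads "the the" and now sits above the membership check rather than directly above the role lookup it describes.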
Expand All @@ -176,13 +186,6 @@ def authenticate(self, context, credentials=None,
tenant=tenant_ref,
metadata=metadata_ref))

# TODO(termie): optimize this call at some point and put it into the
# the return for metadata
# fill out the roles in the metadata
roles_ref = []
for role_id in metadata_ref.get('roles', []):
roles_ref.append(self.identity_api.get_role(context, role_id))

# TODO(termie): make this a util function or something
# TODO(termie): i don't think the ec2 middleware currently expects a
# full return, but it contains a note saying that it
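Review bot: Nothing at this removal site, which follows the call ending in `metadata=metadata_ref))`, records that the role lookup was moved ahead of that call on purpose, so a later refactor could move it back and again let a role-less user get past that call before the lookup runs. A one-line comment at the new location stating that the membership check must precede it would protect the ordering. Also confirm the code below still reads `roles_ref` as built in the earlier hunk and does not rebuild it.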