
Ensures User is member of tenant in ec2 validation

It is possible that a user is no longer a member of a tenant when
they attempt to use an ec2 token. This checks to make sure that
the user still has at least one valid role in the tenant before
authenticating them. This should automatically work for the s3
version as well since it is a subclass.

Fixes bug 1064914

Change-Id: Ieb237bae936a7b00ce7ba4d4c59aec6c7a69ec21
1 parent 001f708 commit 9d68b40cb9ea818c48152e6c712ff41586ad9653 @vishvananda vishvananda committed Nov 13, 2012
Showing with 10 additions and 7 deletions.
  1. +10 −7 keystone/contrib/ec2/core.py
@@ -168,6 +168,16 @@ def authenticate(self, context, credentials=None, ec2Credentials=None):
context=context,
user_id=user_ref['id'],
tenant_id=tenant_ref['id'])
+
+ # TODO(termie): optimize this call at some point and put it into the
+ # the return for metadata
+ # fill out the roles in the metadata
+ roles = metadata_ref.get('roles', [])
+ if not roles:
+ raise exception.Unauthorized(message='User not valid for tenant.')
+ roles_ref = [self.identity_api.get_role(context, role_id)
+ for role_id in roles]
+
catalog_ref = self.catalog_api.get_catalog(
context=context,
user_id=user_ref['id'],
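Review bot: the new membership check only rejects the user when `metadata_ref.get('roles', [])` comes back empty, so it relies on the metadata lookup just above returning an empty role list (rather than raising or returning stale data) once the user has lost all roles in the tenant; the commit message asserts that this is the case, but no test is added with the change, so a unit test that strips a user's last role in the tenant and asserts that `authenticate` raises `exception.Unauthorized` would pin the behaviour down. Two smaller points: the moved comment still reads `# the return for metadata` after `put it into the`, a doubled "the" worth fixing while the lines are being touched, and the retained "fill out the roles in the metadata" comment no longer describes what the block does; a one-line comment stating that an empty role list means the user is not a member of the tenant would document the check better.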
@@ -180,13 +190,6 @@ def authenticate(self, context, credentials=None, ec2Credentials=None):
tenant=tenant_ref,
metadata=metadata_ref))
- # TODO(termie): optimize this call at some point and put it into the
- # the return for metadata
- # fill out the roles in the metadata
- roles_ref = []
- for role_id in metadata_ref.get('roles', []):
- roles_ref.append(self.identity_api.get_role(context, role_id))
-
# TODO(termie): make this a util function or something
# TODO(termie): i don't think the ec2 middleware currently expects a
# full return, but it contains a note saying that it
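Review bot: the deleted loop built `roles_ref` from exactly the same `metadata_ref.get('roles', [])` ids as the list comprehension added in the previous hunk, so the move does not change which roles are resolved; the one behavioural difference is ordering, since the `get_role` lookups now run before the call whose closing arguments (`tenant=tenant_ref,` / `metadata=metadata_ref))`) end this context, so a `get_role` failure on a stale role id now aborts authentication before that call rather than after it. That is the safer order for a membership check, but it should be stated in the commit message rather than left implicit.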
