fix: anonymous user may list resources

pkg/apis/identity/assignments.go

@@ -62,3 +62,7 @@ func (ra *SRoleAssignment) GetRoles() []string {
 func (ra *SRoleAssignment) GetLoginIp() string {
 	return ""
 }
+
+func (ra *SRoleAssignment) GetTokenString() string {
+	return "faketoken"
+}

pkg/baremetal/service/service.go

@@ -65,10 +65,11 @@ func (s *BaremetalService) StartService() {
 
 	fsdriver.Init(nil)
 	app := app_common.InitApp(&o.Options.BaseOptions, false)
-	handler.InitHandlers(app)
 
 	common_options.StartOptionManager(&o.Options, o.Options.ConfigSyncPeriodSeconds, api.SERVICE_TYPE, api.SERVICE_VERSION, o.OnOptionsChange)
 
+	handler.InitHandlers(app)
+
 	s.startAgent(app)
 
 	cron := cronman.InitCronJobManager(false, o.Options.CronJobWorkerCount)

pkg/compute/service/service.go

@@ -70,13 +70,14 @@ func StartService() {
 	}
 
 	app := app_common.InitApp(baseOpts, true)
-	InitHandlers(app)
 
 	db.EnsureAppInitSyncDB(app, dbOpts, models.InitDB)
 	defer cloudcommon.CloseDB()
 
 	common_options.StartOptionManager(opts, opts.ConfigSyncPeriodSeconds, api.SERVICE_TYPE, api.SERVICE_VERSION, options.OnOptionsChange)
 
+	InitHandlers(app)
+
 	options.InitNameSyncResources()
 
 	err := setInfluxdbRetentionPolicy()

pkg/keystone/service/service.go

@@ -68,14 +68,15 @@ func StartService() {
 	*/
 
 	app := app_common.InitApp(&opts.BaseOptions, true)
-	InitHandlers(app)
 
 	db.EnsureAppInitSyncDB(app, &opts.DBOptions, models.InitDB)
 
 	app_common.InitBaseAuth(&opts.BaseOptions)
 
 	common_options.StartOptionManagerWithSessionDriver(opts, opts.ConfigSyncPeriodSeconds, api.SERVICE_TYPE, "", options.OnOptionsChange, models.NewServiceConfigSession())
 
+	InitHandlers(app)
+
 	if !opts.IsSlaveNode {
 		cron := cronman.InitCronJobManager(true, opts.CronJobWorkerCount)
 

pkg/mcclient/auth/middleware.go

@@ -50,7 +50,7 @@ func AuthenticateWithDelayDecision(f appsrv.FilterHandler, delayDecision bool) a
 		tokenStr := r.Header.Get(api.AUTH_TOKEN_HEADER)
 		var token mcclient.TokenCredential
 		if len(tokenStr) == 0 {
-			log.Errorf("no auth_token found!")
+			log.Errorf("no auth_token found! delayDecision=%v", delayDecision)
 			if !delayDecision {
 				httperrors.UnauthorizedError(w, "Unauthorized")
 				return

pkg/util/rbacutils/rbac.go

@@ -583,6 +583,7 @@ type IRbacIdentity interface {
 	GetProjectName() string
 	GetRoles() []string
 	GetLoginIp() string
+	GetTokenString() string
 }
 
 func (policy *SRbacPolicy) IsSystemWidePolicy() bool {
@@ -636,7 +637,7 @@ func (policy *SRbacPolicy) Match(userCred IRbacIdentity) (bool, int) {
 	if !policy.Auth && len(policy.Roles) == 0 && len(policy.Projects) == 0 && len(policy.Ips) == 0 {
 		return true, 1
 	}
-	if userCred == nil {
+	if userCred == nil || len(userCred.GetTokenString()) == 0 {
 		return false, 0
 	}
 	weight := 0
@@ -691,6 +692,10 @@ func (id sSimpleRbacIdentity) GetLoginIp() string {
 	return ""
 }
 
+func (id sSimpleRbacIdentity) GetTokenString() string {
+	return "faketoken"
+}
+
 func NewRbacIdentity(domainId, projectName string, roleNames []string) IRbacIdentity {
 	return sSimpleRbacIdentity{
 		domainId:    domainId,

pkg/util/rbacutils/rbac_test.go

@@ -296,6 +296,7 @@ type sRbacIdentity struct {
 	Project  string
 	Roles    []string
 	Ip       string
+	Token    string
 }
 
 func (ri *sRbacIdentity) GetProjectDomainId() string {
@@ -314,6 +315,10 @@ func (ri *sRbacIdentity) GetLoginIp() string {
 	return ri.Ip
 }
 
+func (ri *sRbacIdentity) GetTokenString() string {
+	return ri.Token
+}
+
 func TestSRbacPolicyMatch(t *testing.T) {
 	prefix, _ := netutils.NewIPV4Prefix("10.168.22.0/24")
 	cases := []struct {
@@ -337,6 +342,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			},
 			&sRbacIdentity{
 				Project: "system",
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -346,6 +352,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			},
 			&sRbacIdentity{
 				Project: "demo",
+				Token:   "faketoken",
 			},
 			false,
 		},
@@ -357,6 +364,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			&sRbacIdentity{
 				Project: "system",
 				Roles:   []string{"admin"},
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -368,6 +376,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			&sRbacIdentity{
 				Project: "system",
 				Roles:   []string{"admin", "_member_"},
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -379,6 +388,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			&sRbacIdentity{
 				Project: "system",
 				Roles:   []string{"_member_"},
+				Token:   "faketoken",
 			},
 			false,
 		},
@@ -407,6 +417,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 				Project: "system",
 				Roles:   []string{"admin"},
 				Ip:      "10.0.0.23",
+				Token:   "faketoken",
 			},
 			false,
 		},
@@ -420,6 +431,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 				Project: "system",
 				Roles:   []string{"admin"},
 				Ip:      "10.168.22.23",
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -433,6 +445,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 				Project: "system",
 				Roles:   []string{"_member_"},
 				Ip:      "10.168.22.23",
+				Token:   "faketoken",
 			},
 			false,
 		},
@@ -445,6 +458,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 				Project: "system",
 				Roles:   []string{"_member_", "admin"},
 				Ip:      "10.168.22.23",
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -458,6 +472,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 				Project: "system",
 				Roles:   []string{"_member_", "projectowner"},
 				Ip:      "10.168.22.23",
+				Token:   "faketoken",
 			},
 			true,
 		},
@@ -470,6 +485,7 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			&sRbacIdentity{
 				Project: "ldapproj",
 				Roles:   []string{"domain_admin"},
+				Token:   "faketoken",
 			},
 			true,
 		},