Authorization in Quantum (1)

Article URL: http://blog.csdn.net/spch2008/article/details/9698453


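Once authentication has finished, authorization takes place, that is, checking whether the user has permission to perform the requested operation. In practice, this step only wraps the information supplied by authentication; the actual check happens later, during the specific operation (for example get_port).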


In api-paste.ini:

[composite:quantumapi_v2_0]
use = call:quantum.auth:pipeline_factory
noauth = extensions quantumapiapp_v2_0
keystone = authtoken keystonecontext extensions quantumapiapp_v2_0

[filter:keystonecontext]
paste.filter_factory = quantum.auth:QuantumKeystoneContext.factory

The api-paste.ini configuration shows that authorization is handed to quantum.auth:QuantumKeystoneContext.factory, which creates a QuantumKeystoneContext object.

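@webob.dec.wsgify
def __call__(self, req):
    # Identity headers, with the older header names as fallbacks
    user_id = req.headers.get('X_USER_ID', req.headers.get('X_USER'))
    tenant_id = req.headers.get('X_TENANT_ID', req.headers.get('X_TENANT'))
    # X_ROLE is a comma-separated list of role names
    roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]

    # Build the request context from the authentication data
    ctx = context.Context(user_id, tenant_id, roles=roles)

    # Attach the context to the WSGI environment for downstream code
    req.environ['quantum.context'] = ctx

    return self.application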

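This extracts user_id, tenant_id and roles from the request headers, creates a Context object, and then stores that object on the request (req.environ['quantum.context']) for the authorization checks that follow.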
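
The filter above takes the identity headers as given, so it belongs after authtoken in every pipeline that uses it. As an added example (not code from the original post or from Quantum), the following check parses the api-paste.ini section shown earlier and reports any pipeline where keystonecontext is not preceded by authtoken; check_pipelines and BAD_INI are constructed for illustration, and the check assumes every key other than use in a composite section is a pipeline.

```python
import configparser

# The pipeline section quoted above, embedded so the check runs offline.
SAMPLE_INI = """
[composite:quantumapi_v2_0]
use = call:quantum.auth:pipeline_factory
noauth = extensions quantumapiapp_v2_0
keystone = authtoken keystonecontext extensions quantumapiapp_v2_0

[filter:keystonecontext]
paste.filter_factory = quantum.auth:QuantumKeystoneContext.factory
"""

# Constructed misconfiguration: the context filter runs with no authtoken
# filter in front of it.
BAD_INI = SAMPLE_INI.replace("authtoken keystonecontext", "keystonecontext")


def check_pipelines(ini_text, token_filter="authtoken",
                    context_filter="keystonecontext"):
    """Return a list of (section, pipeline_name, problem) findings."""
    parser = configparser.RawConfigParser()
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("composite:"):
            continue
        # Assumption: every key except "use" names a pipeline.
        for name, value in parser.items(section):
            if name == "use":
                continue  # factory reference, not a pipeline
            stages = value.split()
            if context_filter not in stages:
                continue  # e.g. the noauth pipeline builds no keystone context
            ctx_pos = stages.index(context_filter)
            if token_filter not in stages[:ctx_pos]:
                findings.append((section, name,
                                 "%s is not preceded by %s"
                                 % (context_filter, token_filter)))
    return findings


if __name__ == "__main__":
    for ini in (SAMPLE_INI, BAD_INI):
        print(check_pipelines(ini) or "pipeline order OK")
```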

class ContextBase(common_context.RequestContext):
    """Security context and request information.

    Represents the user taking a given action within the system.

    """

    def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no",
                 roles=None, timestamp=None, **kwargs):
        super(ContextBase, self).__init__(user=user_id, tenant=tenant_id,
                                          is_admin=is_admin)
        # Excerpt: the rest of the constructor, which initializes the
        # attributes read by to_dict() and session, is not shown here.

    def to_dict(self):
        # Flatten the context into a plain dictionary
        return {'user_id': self.user_id,
                'tenant_id': self.tenant_id,
                'project_id': self.project_id,
                'is_admin': self.is_admin,
                'read_deleted': self.read_deleted,
                'roles': self.roles,
                'timestamp': str(self.timestamp)}


class Context(ContextBase):
    @property
    def session(self):
        # Create the database session lazily, on first access
        if self._session is None:
            self._session = db_api.get_session()
        return self._session

Two methods are worth noting: session, which obtains a database connection, and to_dict, which converts the context's information into a dictionary.

With that, the preparation is complete; the authorization check itself is deferred to each individual operation.

