@keshavab
Last active August 29, 2015 14:03
# Excerpt from Swift's keystoneauth middleware: the account name is derived
# from the Keystone tenant id, and a request is denied unless the account in
# the request path is exactly that derived account.

# Getting account based on tenant id
def _get_account_for_tenant(self, tenant_id):
    return '%s%s' % (self.reseller_prefix, tenant_id)

def _reseller_check(self, account, tenant_id):
    """Check reseller prefix."""
    return account == self._get_account_for_tenant(tenant_id)

# authorizing account
if not self._reseller_check(account, tenant_id):
    log_msg = 'tenant mismatch: %s != %s'
    self.logger.debug(log_msg, account, tenant_id)
    return self.denied_response(req)
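The same check, reworked below as a stand-alone Python example so it can be run against constructed requests. This is an added illustration, not Swift's own middleware: the `AUTH_` reseller prefix is Swift's default but is assumed here, `account_from_path` is a simplified stand-in for Swift's `split_path()` that only understands `/v1/<account>[/...]`, and `loose_reseller_check` is a hypothetical prefix-based variant included only to show why the middleware compares for exact equality rather than "starts with".

```python
"""Stand-alone illustration of the keystoneauth account/tenant check.

Added example, not Swift's code. Shows that the account in the request path
must be exactly reseller_prefix + tenant_id, and why a prefix match would be
too permissive.
"""
import logging

logger = logging.getLogger("reseller_check_demo")

# Swift's default reseller prefix; assumed here, deployments can change it.
RESELLER_PREFIX = "AUTH_"


def get_account_for_tenant(tenant_id, reseller_prefix=RESELLER_PREFIX):
    """Account name Swift derives for a Keystone tenant: prefix + tenant id."""
    return "%s%s" % (reseller_prefix, tenant_id)


def reseller_check(account, tenant_id, reseller_prefix=RESELLER_PREFIX):
    """Exact equality, as in the middleware snippet above."""
    return account == get_account_for_tenant(tenant_id, reseller_prefix)


def loose_reseller_check(account, tenant_id, reseller_prefix=RESELLER_PREFIX):
    """Hypothetical weaker check (NOT what Swift does): accepts any account that
    merely starts with the tenant's account name, e.g. AUTH_abc123 for tenant abc."""
    return account.startswith(get_account_for_tenant(tenant_id, reseller_prefix))


def account_from_path(path):
    """Extract the account segment from a Swift API path.

    Simplified stand-in for Swift's split_path(): handles '/v1/<account>[/...]'
    only and returns None for anything else.
    """
    parts = path.split("/", 3)
    if len(parts) < 3 or parts[1] != "v1" or not parts[2]:
        return None
    return parts[2]


def authorize(path, token_tenant_id):
    """Return (allowed, reason), mirroring the denial branch of the snippet."""
    account = account_from_path(path)
    if account is None:
        return False, "malformed path"
    if not reseller_check(account, token_tenant_id):
        # Same log line the middleware emits at debug level.
        logger.debug("tenant mismatch: %s != %s", account, token_tenant_id)
        return False, "tenant mismatch: %s != %s" % (account, token_tenant_id)
    return True, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed requests: a token for tenant 'abc123' presented against
    # several account names.
    for path in ("/v1/AUTH_abc123/photos",   # own account: allowed
                 "/v1/AUTH_xyz/photos",      # someone else's account: denied
                 "/v1/abc123/photos",        # missing reseller prefix: denied
                 "/v1"):                     # no account segment: denied
        print(path, "->", authorize(path, "abc123"))
    # Why exact equality matters: a tenant 'abc' must not reach AUTH_abc123.
    print("strict:", reseller_check("AUTH_abc123", "abc"))
    print("loose :", loose_reseller_check("AUTH_abc123", "abc"))
```

Running it shows only the request against the tenant's own account is allowed, and the last two lines show the strict check rejecting the `AUTH_abc123` / tenant `abc` pair that a prefix match would have let through.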
<Kbee> notmyname, creiht , Q - when are accounts or account objects created .. I don't see a api for it.. but i see in code that PUT is annotated @public
<notmyname> Kbee: so there's a couple of different ways, but let me tell you about the common way
<notmyname> Kbee: if swift sees a request to PUT a container in an account, and the token given is valid for that operation, and the account doesn't exist, then swift will automatically create the account
<notmyname> Kbee: if the token is valid and the account doesn't exist and it's a read operation for the account, swift will short-circuit and return a default empty response
<notmyname> Kbee: there is a config value (default to off) that must be turned on before PUT/DELETE to an account will be accepted. so the other way is that you have a separate proxy server with that turned on and firewalled off to only accept connections eg from trusted sources like your provisioning system
<notmyname> Kbee: (ok, I said I would just tell you one way, but that ^^ is the other way. now you know everything)
<Kbee> notmyname, hmmm.. I tried this using keystone.. Suppose you auth using keystone and try to create a container using an account name different from (AUTH_<tenant_id>), it throws 404.. so is it keystone middleware which does not allow access to an account other than tenant_id ?
<notmyname> Kbee: that sounds reasonable (but I'm not a keystone expert)
<notmyname> Kbee: reasonable == doesn't surprise me
<Kbee> notmyname, :) .. got it ..
<Kbee> notmyname, i dug into keystoneauth middleware.. and yes.. they check whether account matches tenant_id -> https://gist.github.com/keshavab/0d48163467d5ff0a2f54
<Kbee> notmyname, thanks
<notmyname> Kbee: np