Last active: August 29, 2015 14:03
# Excerpts from the Swift keystoneauth middleware (the class methods are
# shown first, then the lines from the authorize path that call them).

# Getting account based on tenant id
    def _get_account_for_tenant(self, tenant_id):
        # account name is the reseller prefix (e.g. AUTH_) followed by the tenant id
        return '%s%s' % (self.reseller_prefix, tenant_id)

    def _reseller_check(self, account, tenant_id):
        """Check reseller prefix."""
        return account == self._get_account_for_tenant(tenant_id)

# authorizing account
        if not self._reseller_check(account, tenant_id):
            # the account in the request path does not belong to the token's tenant
            log_msg = 'tenant mismatch: %s != %s'
            self.logger.debug(log_msg, account, tenant_id)
            return self.denied_response(req)
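Added illustration, not code from the gist or from Swift itself: a toy proxy that applies the reseller check above and then the account auto-creation on a container PUT that notmyname describes in the conversation below. The class and function names, the in-memory account table and the 204 answer for a read of a missing account are assumptions.

```python
from typing import Dict, Optional, Set, Tuple

RESELLER_PREFIX = 'AUTH_'  # the reseller prefix used in the snippet above

def get_account_for_tenant(tenant_id: str) -> str:
    """Account name derived from a token: reseller_prefix + tenant_id."""
    return '%s%s' % (RESELLER_PREFIX, tenant_id)

def reseller_check(account: str, tenant_id: str) -> bool:
    """The check from the snippet: path account must match the token's tenant."""
    return account == get_account_for_tenant(tenant_id)

def split_path(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Split /v1/<account>[/<container>[/<object>]] into (account, container)."""
    parts = path.strip('/').split('/', 3)
    if len(parts) < 2 or parts[0] != 'v1' or not parts[1]:
        return None, None
    return parts[1], (parts[2] if len(parts) > 2 else None)

class ToyProxy:
    """Hypothetical stand-in for proxy + keystoneauth; accounts live in a dict."""
    def __init__(self, account_autocreate: bool = True):
        self.account_autocreate = account_autocreate
        self.accounts: Dict[str, Set[str]] = {}  # account -> containers

    def handle(self, method: str, path: str, tenant_id: Optional[str]) -> int:
        """Return the HTTP status the toy proxy would answer with."""
        account, container = split_path(path)
        if account is None:
            return 404
        if tenant_id is None:          # no identity on the request
            return 401
        if not reseller_check(account, tenant_id):
            return 403                 # denied_response: tenant mismatch
        if account not in self.accounts:
            if method == 'PUT' and container and self.account_autocreate:
                self.accounts[account] = set()   # container PUT auto-creates the account
            elif method in ('GET', 'HEAD'):
                return 204                        # missing account reads as empty
            else:
                return 404
        if method == 'PUT' and container:
            self.accounts[account].add(container)
            return 201
        return 200
```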
<Kbee> notmyname, creiht, Q - when are accounts or account objects created? I don't see an API for it, but I see in code that PUT is annotated @public
<notmyname> Kbee: so there's a couple of different ways, but let me tell you about the common way
<notmyname> Kbee: if swift sees a request to PUT a container in an account, and the token given is valid for that operation, and the account doesn't exist, then swift will automatically create the account
<notmyname> Kbee: if the token is valid and the account doesn't exist and it's a read operation for the account, swift will short-circuit and return a default empty response
<notmyname> Kbee: there is a config value (default to off) that must be turned on before PUT/DELETE to an account will be accepted. so the other way is that you have a separate proxy server with that turned on and firewalled off to only accept connections e.g. from trusted sources like your provisioning system
<notmyname> Kbee: (ok, I said I would just tell you one way, but that ^^ is the other way. now you know everything)
<Kbee> notmyname, hmmm.. I tried this using keystone.. Suppose you auth using keystone and try to create a container using an account name different from (AUTH_<tenant_id>), it throws 404.. so is it keystone middleware which does not allow access to an account other than tenant_id?
<notmyname> Kbee: that sounds reasonable (but I'm not a keystone expert)
<notmyname> Kbee: reasonable == doesn't surprise me
<Kbee> notmyname, :) .. got it ..
<Kbee> notmyname, I dug into keystoneauth middleware.. and yes.. they check whether account matches tenant_id -> https://gist.github.com/keshavab/0d48163467d5ff0a2f54
<Kbee> notmyname, thanks
<notmyname> Kbee: np