93
93
config_is_admin = conf.get('is_admin', "false").lower()
94
94
self.is_admin = swift_utils.config_true_value(config_is_admin)
95
cfg_synchosts = conf.get('allowed_sync_hosts', '127.0.0.1')
96
self.allowed_sync_hosts = [h.strip() for h in cfg_synchosts.split(',')
98
95
config_overrides = conf.get('allow_overrides', 't').lower()
99
96
self.allow_overrides = swift_utils.config_true_value(config_overrides)
143
140
"""Check reseller prefix."""
144
141
return account == self._get_account_for_tenant(tenant_id)
143
def _authorize_cross_tenant(self, user, tenant_id, tenant_name, roles):
144
""" Check cross-tenant ACLs
146
Match tenant_id:user, tenant_name:user, and *:user.
148
:param user: The user name from the identity token.
149
:param tenant_id: The tenant ID from the identity token.
150
:param tenant_name: The tenant name from the identity token.
151
:param roles: The given container ACL.
153
:returns: True if tenant_id:user, tenant_name:user, or *:user matches
154
the given ACL. False otherwise.
157
wildcard_tenant_match = '*:%s' % (user)
158
tenant_id_user_match = '%s:%s' % (tenant_id, user)
159
tenant_name_user_match = '%s:%s' % (tenant_name, user)
161
return (wildcard_tenant_match in roles
162
or tenant_id_user_match in roles
163
or tenant_name_user_match in roles)
146
165
def authorize(self, req):
147
166
env = req.environ
148
167
env_identity = env.get('keystone.identity', {})
149
168
tenant_id, tenant_name = env_identity.get('tenant')
169
user = env_identity.get('user', '')
170
referrers, roles = swift_acl.parse_acl(getattr(req, 'acl', None))
152
173
part = swift_utils.split_path(req.path, 1, 4, True)
164
185
req.environ['swift_owner'] = True
188
# cross-tenant authorization
189
if self._authorize_cross_tenant(user, tenant_id, tenant_name, roles):
190
log_msg = 'user %s:%s, %s:%s, or *:%s allowed in ACL authorizing'
191
self.logger.debug(log_msg % (tenant_name, user,
192
tenant_id, user, user))
167
195
# Check if a user tries to access an account that does not match their
169
197
if not self._reseller_check(account, tenant_id):
186
214
# If user is of the same name of the tenant then make owner of it.
187
user = env_identity.get('user', '')
188
215
if self.is_admin and user == tenant_name:
189
216
req.environ['swift_owner'] = True
192
referrers, roles = swift_acl.parse_acl(getattr(req, 'acl', None))
194
219
authorized = self._authorize_unconfirmed_identity(req, obj, referrers,
198
223
elif authorized is not None:
199
224
return self.denied_response(req)
201
# Allow ACL at individual user level (tenant:user format)
202
# For backward compatibility, check for ACL in tenant_id:user format
203
if ('%s:%s' % (tenant_name, user) in roles
204
or '%s:%s' % (tenant_id, user) in roles):
205
log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
206
self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
209
226
# Check if we have the role in the userroles and allow it
210
227
for user_role in user_roles:
211
228
if user_role in roles:
249
266
# Allow container sync.
250
267
if (req.environ.get('swift_sync_key')
251
and req.environ['swift_sync_key'] ==
252
req.headers.get('x-container-sync-key', None)
253
and 'x-timestamp' in req.headers
254
and (req.remote_addr in self.allowed_sync_hosts
255
or swift_utils.get_remote_client(req)
256
in self.allowed_sync_hosts)):
268
and (req.environ['swift_sync_key'] ==
269
req.headers.get('x-container-sync-key', None))
270
and 'x-timestamp' in req.headers):
257
271
log_msg = 'allowing proxy %s for container-sync' % req.remote_addr
258
272
self.logger.debug(log_msg)