Authorization. Initially it should support Openstack Keystone as a
backend through a plugin model where more backends can be added and a
RBAC model to manage permissions on operations.
+ This class must be threading safe
"""
periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
# Note: it is faster to rewrite the value than to check if it is already there or not
if self.config["authentication"]["backend"] == "internal":
return
-
+
operations = []
with open(self.resources_to_operations_file, "r") as stream:
resources_to_operations_yaml = yaml.load(stream)
if self.config["authentication"]["backend"] != "internal" and \
role_with_operations["role"] != "anonymous":
- keystone_id = self.backend.create_role(role_with_operations["role"])
+ keystone_id = [role for role in self.backend.get_role_list()
+ if role["name"] == role_with_operations["role"]]
+ if keystone_id:
+ keystone_id = keystone_id[0]
+ else:
+ keystone_id = self.backend.create_role(role_with_operations["role"])
operation_to_roles_item["_id"] = keystone_id["_id"]
self.db.create("roles_operations", operation_to_roles_item)
now = time()
session = self.tokens_cache.get(token_id)
if session and session["expires"] < now:
- del self.tokens_cache[token_id]
+ # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
+ self.tokens_cache.pop(token_id, None)
session = None
if session:
return session
if self.config["global"].get("test.user_not_authorized"):
return {"id": "fake-token-id-for-test",
"project_id": self.config["global"].get("test.project_not_authorized", "admin"),
- "username": self.config["global"]["test.user_not_authorized"]}
+ "username": self.config["global"]["test.user_not_authorized"], "admin": True}
else:
raise