X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=blobdiff_plain;f=osm_nbi%2Fauth.py;h=36b6dc54236280532ad3fa3868086920b22459c1;hp=94eb1e9e74bc75b3d709420c4d0cd0e4a4c9f433;hb=9ebbf855f902fb7a9864427a364fb102ce792fc0;hpb=01b15d3166ea28266fb3d994d0615e4091c43c08
diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py
index 94eb1e9..36b6dc5 100644
--- a/osm_nbi/auth.py
+++ b/osm_nbi/auth.py
@@ -39,9 +39,9 @@
 from http import HTTPStatus
 from time import time
 from os import path
-from authconn import AuthException, AuthExceptionUnauthorized
-from authconn_keystone import AuthconnKeystone
-from authconn_internal import AuthconnInternal # Comment out for testing&debugging, uncomment when ready
+from osm_nbi.authconn import AuthException, AuthExceptionUnauthorized
+from osm_nbi.authconn_keystone import AuthconnKeystone
+from osm_nbi.authconn_internal import AuthconnInternal # Comment out for testing&debugging, uncomment when ready
 from osm_common import dbmongo
 from osm_common import dbmemory
 from osm_common.dbbase import DbException
@@ -257,11 +257,31 @@ class Authenticator:
 # Create admin project&user if required
 pid = self.create_admin_project()
-self.create_admin_user(pid)
+user_id = self.create_admin_user(pid)
-if self.config["authentication"]["backend"] == "keystone":
+# try to assign system_admin role to user admin if not any user has this role
+if not user_id:
 try:
-self.backend.assign_role_to_user("admin", "admin", "system_admin")
+users = self.backend.get_user_list()
+roles = self.backend.get_role_list({"name": "system_admin"})
+role_id = roles[0]["_id"]
+user_with_system_admin = False
+user_admin_id = None
+for user in users:
+if not user_admin_id:
+user_admin_id = user["_id"]
+if user["username"] == "admin":
+user_admin_id = user["_id"]
+for prm in user.get("project_role_mappings", ()):
+if prm["role"] == role_id:
+user_with_system_admin = True
+break
+if user_with_system_admin:
+break
+if not user_with_system_admin:
+self.backend.update_user({"_id": user_admin_id,
+"add_project_role_mappings": [{"project": pid, "role": role_id}]})
+self.logger.info("Added role system admin to user='{}' project=admin".format(user_admin_id))
 except Exception:
 pass
@@ -346,6 +366,12 @@ class Authenticator:
 if cherrypy.session.get('Authorization'):
 del cherrypy.session['Authorization']
 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
+elif self.config.get("user_not_authorized"):
+# TODO provide user_id, roles id (not name), project_id
+return {"id": "fake-token-id-for-test",
+"project_id": self.config.get("project_not_authorized", "admin"),
+"username": self.config["user_not_authorized"],
+"roles": ["system_admin"]}
 raise
 def new_token(self, token_info, indata, remote):
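Review bot: The fallback `if not user_admin_id: user_admin_id = user["_id"]` makes whichever user get_user_list() returns first the target of the system_admin grant when no user named "admin" is present, so an unrelated account can be elevated, and the surrounding `except Exception: pass` hides every failure of this bootstrap — including the IndexError from `roles[0]["_id"]` when no system_admin role exists — so an installation left with no system_admin at all looks identical to success. If the first-user fallback is deliberate for a backend whose bootstrap user is not called "admin", that deserves a comment; otherwise drop it, skip the update_user call with a warning when `user_admin_id` stays None, and log the exception instead of discarding it. The enclosing method starts and ends outside the hunk.
```python
                user_admin_id = None
                for user in users:
                    if user["username"] == "admin":
                        user_admin_id = user["_id"]
                    # … unchanged: scan of project_role_mappings for role_id …
                if not user_with_system_admin:
                    if user_admin_id is None:
                        self.logger.warning("No user 'admin' found; role system_admin not assigned")
                    else:
                        self.backend.update_user({"_id": user_admin_id,
                                                  "add_project_role_mappings": [{"project": pid, "role": role_id}]})
                        self.logger.info("Added role system admin to user='{}' project=admin".format(user_admin_id))
            except Exception as e:
                self.logger.error("Cannot assign role system_admin to user admin: {}".format(e))
```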
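Review bot: The new `elif self.config.get("user_not_authorized"):` branch returns a token carrying `"roles": ["system_admin"]` for a request that has already failed authentication, keyed only on the presence of a config entry, so a stray `user_not_authorized` setting in a deployed configuration turns every unauthenticated call into a full-privilege one. Gate the branch on an explicit test-mode flag in addition to the key, and emit a `self.logger.warning(...)` at startup whenever it is active so the state is visible in logs; the literal `"fake-token-id-for-test"` also deserves a named constant, and the TODO should state that the branch is test-only. The enclosing method begins before the hunk, and `new_token` at the hunk's end is cut off.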