X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=blobdiff_plain;f=osm_nbi%2Fauth.py;h=bb65738cf4a3688b05540cbf246da173d44df1ad;hp=9171c9494beacaaf38408982a57e48bb80eaf3f2;hb=db04d1ed5d5da9cb1a31c56984663f90d1bf998a;hpb=c061f56a0218c562315f563b001a72fbdfa550c6 diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py index 9171c94..bb65738 100644 --- a/osm_nbi/auth.py +++ b/osm_nbi/auth.py @@ -55,6 +55,7 @@ class Authenticator: Authorization. Initially it should support Openstack Keystone as a backend through a plugin model where more backends can be added and a RBAC model to manage permissions on operations. + This class must be threading safe """ periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned @@ -155,7 +156,7 @@ class Authenticator: # Note: it is faster to rewrite the value than to check if it is already there or not if self.config["authentication"]["backend"] == "internal": return - + operations = [] with open(self.resources_to_operations_file, "r") as stream: resources_to_operations_yaml = yaml.load(stream) @@ -230,7 +231,12 @@ class Authenticator: if self.config["authentication"]["backend"] != "internal" and \ role_with_operations["role"] != "anonymous": - keystone_id = self.backend.create_role(role_with_operations["role"]) + keystone_id = [role for role in self.backend.get_role_list() + if role["name"] == role_with_operations["role"]] + if keystone_id: + keystone_id = keystone_id[0] + else: + keystone_id = self.backend.create_role(role_with_operations["role"]) operation_to_roles_item["_id"] = keystone_id["_id"] self.db.create("roles_operations", operation_to_roles_item) @@ -480,7 +486,8 @@ class Authenticator: now = time() session = self.tokens_cache.get(token_id) if session and session["expires"] < now: - del self.tokens_cache[token_id] + # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del + self.tokens_cache.pop(token_id, None) session = None if session: return session @@ -501,7 +508,7 @@ class Authenticator: if self.config["global"].get("test.user_not_authorized"): return {"id": "fake-token-id-for-test", "project_id": self.config["global"].get("test.project_not_authorized", "admin"), - "username": self.config["global"]["test.user_not_authorized"]} + "username": self.config["global"]["test.user_not_authorized"], "admin": True} else: raise