authorPrashanth Pai <ppai@redhat.com>2013-11-22 12:13:09 +0530
committerLuis Pabon <lpabon@redhat.com>2013-12-05 09:15:40 -0800
commitfc9124caf45949dfcc0732536c6825c12d74582a (patch)
treead9871cda75a8c5f08e4a06d88a38836b674c8c5 /gluster
parent0eb79aad3658ca519143029f219c9efe3591e724 (diff)
gswauth: Fix 403 being returned instead of 401
- 401 (Unauthorized) is to be returned when the user credentials are wrong, whereas 403 (Forbidden) is to be returned when the user credentials are correct but the user does not have the privileges to carry out the operation. - Also, the error messages displayed when using the swauth-* command line utilities have been updated. Change-Id: I485786896ad14d3263f4325d1857cacc93adab96 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6336 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com>
Diffstat (limited to 'gluster')
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-add-account10
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-add-user10
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-cleanup-tokens2
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-delete-account15
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-delete-user12
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-list9
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-prep7
-rwxr-xr-xgluster/swift/common/middleware/gswauth/bin/swauth-set-account-service9
-rw-r--r--gluster/swift/common/middleware/gswauth/swauth/middleware.py28
9 files changed, 84 insertions, 18 deletions
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-add-account b/gluster/swift/common/middleware/gswauth/bin/swauth-add-account
index 88f8010..92b6b73 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-add-account
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-add-account
@@ -66,4 +66,12 @@ if __name__ == '__main__':
ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('Account creation failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('Account creation failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('Account creation failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ else:
+ exit('Account creation failed: %s %s' %
+ (resp.status, resp.reason))
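Review bot: The new 403 message on the `exit('Account creation failed: %s %s: Insufficient priveleges'` line misspells "privileges", and the same user-facing string is repeated in swauth-add-user, swauth-delete-account, swauth-delete-user, swauth-list and swauth-set-account-service; operators tend to grep tool output, so it is worth fixing in all six before it ships. The three branches differ only in a suffix, so a lookup avoids repeating the format string: `detail = {401: ': Invalid user/key provided', 403: ': Insufficient privileges'}.get(resp.status, '')` followed by `exit('Account creation failed: %s %s%s' % (resp.status, resp.reason, detail))`. The enclosing `if __name__ == '__main__':` block starts outside the hunk.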
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-add-user b/gluster/swift/common/middleware/gswauth/bin/swauth-add-user
index 81eeac7..7336297 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-add-user
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-add-user
@@ -96,4 +96,12 @@ if __name__ == '__main__':
ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('User creation failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('User creation failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('User creation failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ else:
+ exit('User creation failed: %s %s' %
+ (resp.status, resp.reason))
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-cleanup-tokens b/gluster/swift/common/middleware/gswauth/bin/swauth-cleanup-tokens
index 54bed9d..21f99ba 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-cleanup-tokens
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-cleanup-tokens
@@ -107,6 +107,8 @@ if __name__ == '__main__':
if e.http_status == 404:
exit('Container %s not found. swauth-prep needs to be '
'rerun' % (container))
+ elif e.http_status == 401:
+ exit('Cleanup tokens failed: 401 Unauthorized: Invalid user/key provided')
else:
exit('Object listing on container %s failed with status '
'code %d' % (container, e.http_status))
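Review bot: The added 401 branch hard-codes the status text in `exit('Cleanup tokens failed: 401 Unauthorized: Invalid user/key provided')`, while the sibling branches format `e.http_status` into the message; if `e` is swiftclient's ClientException it also carries `http_reason`, so `exit('Cleanup tokens failed: %s %s: Invalid user/key provided' % (e.http_status, e.http_reason))` keeps the output consistent with the other tools in this commit. The try/except this belongs to starts outside the hunk.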
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-delete-account b/gluster/swift/common/middleware/gswauth/bin/swauth-delete-account
index 224e3b3..3ada02c 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-delete-account
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-delete-account
@@ -57,4 +57,17 @@ if __name__ == '__main__':
ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('Account deletion failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('Delete account failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('Delete account failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ elif resp.status == 404:
+ exit('Delete account failed: %s %s: Account %s does not exist' %
+ (resp.status, resp.reason, account))
+ elif resp.status == 409:
+ exit('Delete account failed: %s %s: Account %s contains active users. '
+ 'Delete all users first.' % (resp.status, resp.reason, account))
+ else:
+ exit('Delete account failed: %s %s' % (resp.status, resp.reason))
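Review bot: The 404 and 409 branches translate a bare status code into a specific cause (`Account %s does not exist`, `contains active users`), which assumes the auth endpoint returns those codes only for those conditions; the hunk cannot confirm that, and swauth-cleanup-tokens in this same commit treats a 404 as "swauth-prep needs to be rerun", so a 404 here may also have other causes. Either confirm the middleware's contract for these two codes or soften the wording, e.g. `'Delete account failed: %s %s: Account %s not found (does it exist, and has swauth-prep been run?)'`. The `account` name echoed in the message is bound outside the hunk.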
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-delete-user b/gluster/swift/common/middleware/gswauth/bin/swauth-delete-user
index 3991d9a..d87d02b 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-delete-user
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-delete-user
@@ -57,4 +57,14 @@ if __name__ == '__main__':
ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('User deletion failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('Delete user failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('Delete user failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ elif resp.status == 404:
+ exit('Delete user failed: %s %s: User %s does not exist' %
+ (resp.status, resp.reason, user))
+ else:
+ exit('Delete user failed: %s %s' % (resp.status, resp.reason))
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-list b/gluster/swift/common/middleware/gswauth/bin/swauth-list
index 7ad0974..4a8c546 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-list
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-list
@@ -82,7 +82,14 @@ If the [user] is '.groups', the active groups for the account will be listed.
resp = conn.getresponse()
body = resp.read()
if resp.status // 100 != 2:
- exit('List failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('List failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('List failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ else:
+ exit('List failed: %s %s' % (resp.status, resp.reason))
if options.plain_text:
info = json.loads(body)
for group in info[['accounts', 'users', 'groups'][len(args)]]:
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-prep b/gluster/swift/common/middleware/gswauth/bin/swauth-prep
index bf2384f..f520426 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-prep
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-prep
@@ -56,4 +56,9 @@ if __name__ == '__main__':
ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('Auth subsystem prep failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('gswauth preparation failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ else:
+ exit('gswauth preparation failed: %s %s' %
+ (resp.status, resp.reason))
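Review bot: The 401 branch asserts `Invalid user/key provided`, but with this commit's middleware change the prep handler answers `HTTPUnauthorized` for any caller that is not the super admin, so a reseller admin presenting a valid key is told their key is wrong. Unless the server can distinguish the two cases, the message should not claim it: `exit('gswauth preparation failed: %s %s: Invalid user/key provided, or not the super admin' % (resp.status, resp.reason))`. Note also that the prefix changed from `Auth subsystem prep failed` to `gswauth preparation failed`; anything matching the old text would presumably break. The enclosing `if __name__ == '__main__':` block starts outside the hunk.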
diff --git a/gluster/swift/common/middleware/gswauth/bin/swauth-set-account-service b/gluster/swift/common/middleware/gswauth/bin/swauth-set-account-service
index b0bed38..41a33d2 100755
--- a/gluster/swift/common/middleware/gswauth/bin/swauth-set-account-service
+++ b/gluster/swift/common/middleware/gswauth/bin/swauth-set-account-service
@@ -70,4 +70,11 @@ Example: %prog -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_018
conn.send(body)
resp = conn.getresponse()
if resp.status // 100 != 2:
- exit('Service set failed: %s %s' % (resp.status, resp.reason))
+ if resp.status == 401:
+ exit('Service set failed: %s %s: Invalid user/key provided' %
+ (resp.status, resp.reason))
+ elif resp.status == 403:
+ exit('Service set failed: %s %s: Insufficient priveleges' %
+ (resp.status, resp.reason))
+ else:
+ exit('Service set failed: %s %s' % (resp.status, resp.reason))
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 996228d..c791423 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -419,7 +419,9 @@ class Swauth(object):
Returns a standard WSGI response callable with the status of 403 or 401
depending on whether the REMOTE_USER is set or not.
"""
- if req.remote_user:
+ if not hasattr(req, 'credentials_valid'):
+ req.credentials_valid = None
+ if req.remote_user or req.credentials_valid:
return HTTPForbidden(request=req)
else:
return HTTPUnauthorized(request=req)
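Review bot: The docstring just above still says the status depends only on whether REMOTE_USER is set, but the new `if req.remote_user or req.credentials_valid:` also returns 403 when an earlier `is_reseller_admin`/`is_account_admin` call verified the admin key; update it to something like `Returns 403 when REMOTE_USER is set or an earlier is_*_admin check verified the admin credentials (req.credentials_valid), 401 otherwise.` The flag is stored as an attribute on the Request object rather than in `req.environ`, so it is only visible on this particular Request instance; if any caller builds a fresh Request from the same environ before calling denied_response, the `hasattr` default of None silently falls back to 401 — worth confirming, or storing it in environ instead. denied_response's signature is outside the hunk.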
@@ -534,7 +536,7 @@ class Swauth(object):
:returns: swob.Response, 204 on success
"""
if not self.is_super_admin(req):
- return HTTPForbidden(request=req)
+ return HTTPUnauthorized(request=req)
path = quote('/v1/%s/.account_id' % self.auth_account)
resp = self.make_pre_authed_request(
req.environ, 'PUT', path).get_response(self.app)
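Review bot: Returning `HTTPUnauthorized` whenever `is_super_admin` fails contradicts the rule the commit message sets out: a reseller admin presenting a valid key but lacking super-admin rights gets 401, and swauth-prep then reports "Invalid user/key provided". The same pattern appears at the reseller_admin branch of the `@@ -990` hunk, where an account admin with valid credentials creating a reseller-admin user is also answered 401. Since `is_super_admin` compares only the super-admin key, the code as written cannot tell the two cases apart; if that is accepted, a comment on the changed line such as `# 401 even for a valid non-super key: is_super_admin cannot distinguish the two` keeps the limitation visible to the next reader. The enclosing handler continues past the hunk.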
@@ -568,7 +570,7 @@ class Swauth(object):
explained above.
"""
if not self.is_reseller_admin(req):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
listing = []
marker = ''
while True:
@@ -613,7 +615,7 @@ class Swauth(object):
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
resp = self.make_pre_authed_request(
req.environ, 'GET', path).get_response(self.app)
@@ -685,7 +687,7 @@ class Swauth(object):
dict as described above
"""
if not self.is_reseller_admin(req):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
account = req.path_info_pop()
if req.path_info != '/.services' or not account or account[0] == '.':
return HTTPBadRequest(request=req)
@@ -731,7 +733,7 @@ class Swauth(object):
:returns: swob.Response, 2xx on success.
"""
if not self.is_reseller_admin(req):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
account = req.path_info_pop()
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
@@ -798,7 +800,7 @@ class Swauth(object):
:returns: swob.Response, 2xx on success.
"""
if not self.is_reseller_admin(req):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
account = req.path_info_pop()
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
@@ -905,7 +907,7 @@ class Swauth(object):
(user[0] == '.' and user != '.groups'):
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
if user == '.groups':
# TODO: This could be very slow for accounts with a really large
# number of users. Speed could be improved by concurrently
@@ -990,9 +992,9 @@ class Swauth(object):
return HTTPBadRequest(request=req)
if reseller_admin:
if not self.is_super_admin(req):
- return HTTPForbidden(request=req)
+ return HTTPUnauthorized(request=req)
elif not self.is_account_admin(req, account):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = self.make_pre_authed_request(
@@ -1040,7 +1042,7 @@ class Swauth(object):
user[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
- return HTTPForbidden(request=req)
+ return self.denied_response(req)
# Delete the user's existing token, if any.
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = self.make_pre_authed_request(
@@ -1423,6 +1425,7 @@ class Swauth(object):
to retrieve the admin_detail itself.
:param returns: True if .reseller_admin.
"""
+ req.credentials_valid = False
if self.is_super_admin(req):
return True
if not admin_detail:
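Review bot: `req.credentials_valid = False` adds a side effect on the request that the docstring ending just above does not mention, yet `denied_response` now depends on it; the same applies to `is_account_admin` in the `@@ -1441` hunk. Add to both docstrings a line such as `Side effect: sets req.credentials_valid to True once the supplied admin key has been verified, False otherwise; denied_response reads it to choose 403 over 401.` Setting the flag first also means a super-admin caller leaves it False, which is harmless only because the early `return True` means denied_response is never reached on that path — worth a short comment. The function body continues past the hunk.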
@@ -1430,6 +1433,7 @@ class Swauth(object):
if not self.credentials_match(admin_detail,
req.headers.get('x-auth-admin-key')):
return False
+ req.credentials_valid = True
return '.reseller_admin' in (g['name'] for g in admin_detail['groups'])
def is_account_admin(self, req, account):
@@ -1441,6 +1445,7 @@ class Swauth(object):
:param account: The account to check for .admin against.
:param returns: True if .admin.
"""
+ req.credentials_valid = False
if self.is_super_admin(req):
return True
admin_detail = self.get_admin_detail(req)
@@ -1450,6 +1455,7 @@ class Swauth(object):
if not self.credentials_match(admin_detail,
req.headers.get('x-auth-admin-key')):
return False
+ req.credentials_valid = True
return admin_detail and admin_detail['account'] == account and \
'.admin' in (g['name'] for g in admin_detail['groups'])
return False