[openstack-dev] [nova] how safe is it to change NoAuthMiddlewareBase?
Sean Dague
sean at dague.net
Thu Feb 26 11:27:30 UTC 2015
In trying to move the flavor manage negative tests out of Tempest and
into the Nova functional tree, I ran into one set of tests which are
permissions checking. Basically that a regular user isn't allowed to do
certain things.
In (nearly) all our tests we use auth_strategy=noauth which takes you to
NoAuthMiddlewareBase instead of to keystone. That path makes you an
admin regardless of what credentials you send in -
https://github.com/openstack/nova/blob/master/nova/api/openstack/auth.py#L56-L59
What I'd like to do is to change this so that if you specify
user_id='admin' then is_admin is set true, and it's not true otherwise.
That has a bunch of test fall out, because up until this point most of
the test users are things like 'fake', which would regress to non admin.
About 25% of the api samples tests fail in such a change, so they would
need to be fixed.
My bigger concern is while I assume this is a test only interface, it is
exposed as a config file option. Which means someone could be using it
for something real somewhere. Seems kind of nuts, but it's possible.
So the safe option would be to replicate this class and make a
pseudoauth or something with that behavior. Or a noauth2. And we can
deprecate out the old interface.
I'm happy to go either way, just want opinions before diving in.
-Sean
--
Sean Dague
http://dague.net
More information about the OpenStack-dev
mailing list