auth problems

asked 2013-03-13 07:51:07 -0500

in keystoneauth.py

267 def _authorize_unconfirmed_identity(self, req, obj, referrers, roles): 268 """" 269 Perform authorization for access that does not require a 270 confirmed identity. 271 272 :returns: A boolean if authorization is granted or denied. None if 273 a determination could not be made. 274 """ 275 # Allow container sync. 276 if (req.environ.get('swift_sync_key') 277 and (req.environ['swift_sync_key'] == 278 req.headers.get('x-container-sync-key', None)) 279 and 'x-timestamp' in req.headers): 280 log_msg = 'allowing proxy %s for container-sync' % req.remote_addr 281 self.logger.debug(log_msg) 282 return True 283 284 # Check if referrer is allowed. 285 if swift_acl.referrer_allowed(req.referer, referrers): 286 if obj or '.rlistings' in roles: 287 log_msg = 'authorizing %s via referer ACL' % req.referrer 288 self.logger.debug(log_msg) 289 return True 290 return False

My question is in line 290, why return False here but not let this run follow authorizing check? This request may be allowed by other condition. This is a case here: https://bugs.launchpad.net/swift/+bug/1082973 (https://bugs.launchpad.net/swift/+bug...)

same codes in tempauth, so what's the design idea here?

edit retag flag offensive close merge delete

5 answers

Sort by ยป oldest newest most voted
0

answered 2013-03-31 02:40:37 -0500

You're right. I checked codes again. That bug is not related about this.

Thanks clayg

edit flag offensive delete link more
0

answered 2013-06-24 17:12:04 -0500

Thanks clayg, that solved my question.

edit flag offensive delete link more
0

answered 2013-03-28 08:46:45 -0500

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

edit flag offensive delete link more
0

answered 2013-03-28 09:03:43 -0500

I still need an answer

edit flag offensive delete link more
0

answered 2013-03-28 17:48:19 -0500

clay-gerrard gravatar image

That particular snippet looks to just be a two phase check.

I'm reading it as simply asking 1) is the referrer allowed AND 2a) it's an object OR 2b) it's a listing enabled container

If you returned True at 290 you'd allows listings of containers that didn't specify .rlisting?

I think the code is valid. I also think bug # 1082973 is valid, but possibly unrelated...

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2013-03-13 07:51:07 -0500

Seen: 52 times

Last updated: Jun 24 '13