OpenStack Compute (nova)

Merge lp:~anso/nova/authn_and_authz into lp:~hudson-openstack/nova/trunk

authn_and_authz
Merge into trunk

Proposed by termie on 2011-03-03

Status:	Work in progress
Proposed branch:	lp:~anso/nova/authn_and_authz
Merge into:	lp:~hudson-openstack/nova/trunk
Diff against target:	1525 lines (+880/-95) 15 files modified bin/nova-authn (+71/-0) bin/nova-authz (+54/-0) bin/nova-direct-api (+2/-1) bin/stack (+28/-5) etc/nova-api.conf (+6/-3) nova/api/authn.py (+208/-0) nova/api/authz.py (+223/-0) nova/api/direct.py (+6/-0) nova/api/ec2/__init__.py (+144/-51) nova/api/openstack/auth.py (+33/-19) nova/api/openstack/servers.py (+51/-14) nova/compute/api.py (+49/-0) nova/context.py (+3/-1) nova/flags.py (+1/-0) nova/tests/test_access.py (+1/-1)
To merge this branch:	bzr merge lp:~anso/nova/authn_and_authz
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Jay Pipes (community)		2011-03-03	Needs Information on 2011-03-07
Review via email: mp+52119@code.launchpad.net

Description of the change

A prototype / demo authn and authz system. Further discussion of the concepts here are in http://plansthis.com/auth

Revision history for this message

termie (termie) wrote on 2011-03-03:

This hasn't been rebased onto trunk yet, so there may be some spurious conflicts in the diff, we wanted the branch to remain intact while we work on it, we will resolve conflicts again before actually proposing for review. For the moment this is just to get launchpad to generate a bit of a diff so that people can look over the code more easily.

Revision history for this message

Jay Pipes (jaypipes) wrote on 2011-03-07:

Download full text (4.2 KiB)

Hi guys!

I'm not sure how much specifics I should get into here, since you say it's mostly for discussion, so please excuse me if I have gone into too much of a discussion of the implementation details!

1) Any reason bin/nova-authn and bin/nova-authz don't use paste.config like the other bin/ servers?

2) It seems that bin/nova-authz was not completed? Am I missing something? I don't think that this code:

129 +if __name__ == '__main__':
130 + utils.default_flagfile()
131 + flags.FLAGS(sys.argv)
132 + logging.setup()
133 + service.serve()
134 + service.wait()

will work...

3) In bin/stack:

165 +gflags.DEFINE_string('password', 'user1', 'Direct API password')

We've run into some problems in the unit tests where the user and key were both "user1" :) Could we avoid problems by making the password "pass1" or something like that?

194 + if not token and authenticate_before:
195 + token = do_authenticate()

do_authenticate() returns token, but it returns it like so:

182 + rv = do_request('authn', 'authenticate', params,
183 + host=FLAGS.authn_host,
184 + port=FLAGS.authn_port,
185 + authenticate_before=False)
186 + return rv['auth']['token']['id']

This will raise KeyError if the authentication doesn't work, correct? Probably best to trap for this in do_request(). That said, I believe a better solution would be to have the do_request() call in do_authenticate() trap for the 401 that *should* be returned if a user does not authenticate, no?

Have you guys taken a look at this blueprint: http://wiki.openstack.org/openstack-authn? Jorge and Khaled suggest using the X-Authorization header and mandating that the authentication service set the X-Identity-Status header. What were your thoughts on this?

5) In etc/nova-api.conf

226 +pipeline = logrequest authenticate authn adminrequest authorizer ec2executor

and:

245 +pipeline = faultwrap auth authn ratelimit osapiapp

Seems to be a be confusing having (authenticate and authn) or (auth and authn) in same pipeline...

6) About nova/api/authn.py

This file and its contents are difficult for me to understand. I have the following issues/questions about it:

287 +flags.DEFINE_string('authn_topic', 'authn', 'topic to listen for authn on')

Why are we adding more AMQP communication for authentication? Perhaps I'm just not understanding the various service/manager/driver/adapter abstractions going on here, but it seems odd to be delegating authentication requests to the message queue that another service is listening on?

304 +class AuthnManager(manager.Manager):
305 + """Manages token based authentication."""
306 + def __init__(self, auth_manager=None, *args, **kwargs):
307 + if not auth_manager:
308 + auth_manager = manager_auth.AuthManager()
309 + self.auth_manager = auth_manager
310 + super(AuthnManager, self).__init__(*args, **kwargs)

So, we have an AuthnManager that inherits from manager.Manager and yet has a self.auth_manager member that is a manager_auth.AuthManager? Yikes, that just got really confusing. Could we document this relationship in code comments? I'm having a really tough time understanding how all the managers relate to each other.

290 +_url = "http://127.0.0.1:9001"
291 +_cat...

Unmerged revisions

770. By Vish Ishaya on 2011-03-03: make authn work with os api
769. By Vish Ishaya on 2011-03-03: make ec2 api use authn
768. By Vish Ishaya on 2011-03-03: simplify deepmerge
767. By Vish Ishaya on 2011-03-03: move where 'account:' is added to owner
766. By Vish Ishaya on 2011-03-03: Change NotFound exceptions into NotAuthorized
765. By Vish Ishaya on 2011-03-03: Changed account to owner in authz because it is clearer. Added docstrings. Added get_acl method
764. By Vish Ishaya on 2011-03-03: add docstrings and fix wrappers to check against owner
763. By Vish Ishaya on 2011-03-02: pass roles as roles and avoid exception in wrapper
762. By Vish Ishaya on 2011-03-02: add decorator and decorate compute methods
761. By Vish Ishaya on 2011-03-02: Add docstrings and and allow set_acl

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adam Johnson

Anne Gentle

Anso Labs

Anthony Young

Brian Lamar

Brian Waldon

Chuck Short

Dan Mihai Dumitriu

Dave Walker

David Pravec

Diego Parrilla

Edgar Magana

Endre Karlson

Ilya Alekseyev

Isaku Yamahata

JJ Asghar

Jay Pipes

Jonathan Bryce

Kapil Thangavelu

Keisuke Tagami

Koji Iida

Krisztian Eyssen

Lorin Hochstein

Mark McLoughlin

Masanori Itoh

Milind Barve

Nachi Ueno

Paul Guth

Pedro Perez

Rajesh Battala

Ram Durairaj

Robert Middleswarth

Salvatore Orlando

Sateesh

Soren Hansen

Tomoya Masuko

Vish Ishaya

Vladimir Popovski

Youcef Laribi

adil mukarram

jawaid ekram

justinsb

jxta

makki

med makki maalej

sreekanth

termie

to status/vote changes:

Chris Behrens

 === added file 'bin/nova-authn'
 --- bin/nova-authn	1970-01-01 00:00:00 +0000
 +++ bin/nova-authn	2011-03-03 20:14:39 +0000
@@ -0,0 +1,71 @@
++#!/usr/bin/env python
++# pylint: disable-msg=C0103
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2010 United States Government as represented by the
++# Administrator of the National Aeronautics and Space Administration.
++# All Rights Reserved.
++#
++#    Licensed under the Apache License, Version 2.0 (the "License");
++#    you may not use this file except in compliance with the License.
++#    You may obtain a copy of the License at
++#
++#        http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS,
++#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++#    See the License for the specific language governing permissions and
++#    limitations under the License.
++
++"""Starter script for Nova Authentication."""
++
++import gettext
++import os
++import sys
++
++# If ../nova/__init__.py exists, add ../ to Python search path, so that
++# it will override what happens to be installed in /usr/(local/)lib/python...
++possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
++                                   os.pardir,
++                                   os.pardir))
++if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')):
++    sys.path.insert(0, possible_topdir)
++
++gettext.install('nova', unicode=1)
++
++from nova import context
++from nova import flags
++from nova import log as logging
++from nova import service
++from nova import utils
++from nova import wsgi
++from nova.api import direct
++from nova.api import authn
++
++
++FLAGS = flags.FLAGS
++flags.DEFINE_integer('authn_port', 9001, 'Direct Auth port')
++flags.DEFINE_string('authn_host', '0.0.0.0', 'Direct Auth host')
++flags.DEFINE_string('authn_manager', 'nova.api.authn.AuthnManager',
++                    'manager to use for authn')
++flags.DEFINE_flag(flags.HelpFlag())
++flags.DEFINE_flag(flags.HelpshortFlag())
++flags.DEFINE_flag(flags.HelpXMLFlag())
++
++
++if __name__ == '__main__':
++    utils.default_flagfile()
++    FLAGS(sys.argv)
++    logging.setup()
++
++    direct.register_service('authn', authn.API())
++    router = direct.Router()
++    with_req = direct.PostParamsMiddleware(router)
++    with_ctx = direct.EmptyContextMiddleware(with_req)
++
++    service.serve()
++    server = wsgi.Server()
++    server.start(with_ctx, FLAGS.authn_port, host=FLAGS.authn_host)
++    server.wait()
++    service.wait()
 === added file 'bin/nova-authz'
 --- bin/nova-authz	1970-01-01 00:00:00 +0000
 +++ bin/nova-authz	2011-03-03 20:14:39 +0000
@@ -0,0 +1,54 @@
++#!/usr/bin/env python
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2010 United States Government as represented by the
++# Administrator of the National Aeronautics and Space Administration.
++# All Rights Reserved.
++#
++#    Licensed under the Apache License, Version 2.0 (the "License"); you may
++#    not use this file except in compliance with the License. You may obtain
++#    a copy of the License at
++#
++#         http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++#    License for the specific language governing permissions and limitations
++#    under the License.
++
++"""Starter script for Nova Authz."""
++
++import eventlet
++eventlet.monkey_patch()
++
++import gettext
++import os
++import sys
++
++# If ../nova/__init__.py exists, add ../ to Python search path, so that
++# it will override what happens to be installed in /usr/(local/)lib/python...
++possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
++                                   os.pardir,
++                                   os.pardir))
++if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')):
++    sys.path.insert(0, possible_topdir)
++
++gettext.install('nova', unicode=1)
++
++from nova import flags
++from nova import log as logging
++from nova import service
++from nova import utils
++
++
++flags.DEFINE_string('authz_manager', 'nova.api.authz.AuthzManager',
++                    'manager to user for authz')
++
++
++if __name__ == '__main__':
++    utils.default_flagfile()
++    flags.FLAGS(sys.argv)
++    logging.setup()
++    service.serve()
++    service.wait()
 === modified file 'bin/nova-direct-api'
 --- bin/nova-direct-api	2011-02-23 23:26:52 +0000
 +++ bin/nova-direct-api	2011-03-03 20:14:39 +0000
@@ -39,6 +39,7 @@
  from nova import utils
  from nova import wsgi
  from nova.api import direct
++from nova.api import authn
  from nova.compute import api as compute_api
@@ -60,7 +61,7 @@
      router = direct.Router()
      with_json = direct.JsonParamsMiddleware(router)
      with_req = direct.PostParamsMiddleware(with_json)
--    with_auth = direct.DelegatedAuthMiddleware(with_req)
++    with_auth = authn.AuthnMiddleware(with_req)
      server = wsgi.Server()
      server.start(with_auth, FLAGS.direct_port, host=FLAGS.direct_host)
 === modified file 'bin/stack'
 --- bin/stack	2011-01-18 15:24:20 +0000
 +++ bin/stack	2011-03-03 20:14:39 +0000
@@ -45,7 +45,10 @@
  gflags.DEFINE_string('host', '127.0.0.1', 'Direct API host')
  gflags.DEFINE_integer('port', 8001, 'Direct API host')
  gflags.DEFINE_string('user', 'user1', 'Direct API username')
--gflags.DEFINE_string('project', 'proj1', 'Direct API project')
++gflags.DEFINE_string('password', 'user1', 'Direct API password')
++gflags.DEFINE_string('account', 'proj1', 'Direct API project')
++gflags.DEFINE_string('authn_host', '127.0.0.1', 'Authn Host')
++gflags.DEFINE_string('authn_port', '9001', 'Authn Port')
  USAGE = """usage: stack [options] <controller> <method> [arg1=value arg2=value]
@@ -95,15 +98,35 @@
      return '\n'.join(out)
--def do_request(controller, method, params=None):
++def do_authenticate():
++    params = {'user_id': FLAGS.user,
++              'account_id': FLAGS.account,
++              'password': FLAGS.password}
++
++    rv = do_request('authn', 'authenticate', params,
++                    host=FLAGS.authn_host,
++                    port=FLAGS.authn_port,
++                    authenticate_before=False)
++    return rv['auth']['token']['id']
++
++
++def do_request(controller, method, params=None, token=None, host=None,
++               port=None, authenticate_before=True):
++    host = host and host or FLAGS.host
++    port = port and port or FLAGS.port
++
++    if not token and authenticate_before:
++        token = do_authenticate()
++
      if params:
          data = urllib.urlencode(params)
      else:
          data = None
--    url = 'http://%s:%s/%s/%s' % (FLAGS.host, FLAGS.port, controller, method)
--    headers = {'X-OpenStack-User': FLAGS.user,
--               'X-OpenStack-Project': FLAGS.project}
++    url = 'http://%s:%s/%s/%s' % (host, port, controller, method)
++    headers = {}
++    if token:
++        headers['X-OpenStack-Token'] = token
      req = urllib2.Request(url, data, headers)
      try:
 === modified file 'etc/nova-api.conf'
 --- etc/nova-api.conf	2011-02-18 15:02:55 +0000
 +++ etc/nova-api.conf	2011-03-03 20:14:39 +0000
@@ -19,11 +19,11 @@
  /1.0: ec2metadata
  [pipeline:ec2cloud]
--pipeline = logrequest authenticate cloudrequest authorizer ec2executor
++pipeline = logrequest authenticate authn cloudrequest ec2executor
  #pipeline = logrequest ec2lockout authenticate cloudrequest authorizer ec2executor
  [pipeline:ec2admin]
--pipeline = logrequest authenticate adminrequest authorizer ec2executor
++pipeline = logrequest authenticate authn adminrequest authorizer ec2executor
  [pipeline:ec2metadata]
  pipeline = logrequest ec2md
@@ -40,6 +40,9 @@
  [filter:authenticate]
  paste.filter_factory = nova.api.ec2:Authenticate.factory
++[filter:authn]
++paste.filter_factory = nova.api.authn:AuthnMiddleware.factory
++
  [filter:cloudrequest]
  controller = nova.api.ec2.cloud.CloudController
  paste.filter_factory = nova.api.ec2:Requestify.factory
@@ -70,7 +73,7 @@
  /v1.0: openstackapi
  [pipeline:openstackapi]
--pipeline = faultwrap auth ratelimit osapiapp
++pipeline = faultwrap auth authn ratelimit osapiapp
  [filter:faultwrap]
  paste.filter_factory = nova.api.openstack:FaultWrapper.factory
 === added file 'nova/api/authn.py'
 --- nova/api/authn.py	1970-01-01 00:00:00 +0000
 +++ nova/api/authn.py	2011-03-03 20:14:39 +0000
@@ -0,0 +1,208 @@
++#!/usr/bin/env python
++
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2010 United States Government as represented by the
++# Administrator of the National Aeronautics and Space Administration.
++# All Rights Reserved.
++#
++#    Licensed under the Apache License, Version 2.0 (the "License");
++#    you may not use this file except in compliance with the License.
++#    You may obtain a copy of the License at
++#
++#        http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS,
++#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++#    See the License for the specific language governing permissions and
++#    limitations under the License.
++
++import uuid
++
++from nova import context
++from nova import exception
++from nova import flags
++from nova import log as logging
++from nova import manager
++from nova import rpc
++from nova import wsgi
++from nova.auth import manager as manager_auth
++
++
++FLAGS = flags.FLAGS
++flags.DEFINE_string('authn_topic', 'authn', 'topic to listen for authn on')
++LOG = logging.getLogger("nova.auth")
++
++_url = "http://127.0.0.1:9001"
++_catalog = {"nova": [{"region": "nova",
++                      "v1Default": "true",
++                      "publicUrl": _url,
++                      "privateUrl": _url}],
++            "swift": [{"region": "nova",
++                       "v1Default": "true",
++                       "publicUrl": _url,
++                       "privateUrl": _url}],
++            "cdn": [{"region": "nova",
++                     "v1Default": "true",
++                     "publicUrl": _url,
++                     "privateUrl": _url}]}
++
++class AuthnManager(manager.Manager):
++    """Manages token based authentication."""
++    def __init__(self, auth_manager=None, *args, **kwargs):
++        if not auth_manager:
++            auth_manager = manager_auth.AuthManager()
++        self.auth_manager = auth_manager
++        super(AuthnManager, self).__init__(*args, **kwargs)
++
++    def get_accounts(self, context, user_id, password):
++        """Retrieves a list of accounts for a given user_id, password"""
++        user = self.auth_manager.get_user(user_id)
++        if not user:
++            raise exception.NotAuthorized("invalid user")
++        if password != user.secret:
++            raise exception.NotAuthorized("invalid password")
++        projects = self.auth_manager.get_projects()
++        return {"accounts" : [project.id for project in projects]}
++
++
++    def authenticate(self, context, user_id, password, account_id):
++        """Athenticates a user and password.
++
++        :param context: the context of the request
++        :param user_id: the user to auth
++        :param password: the password to auth
++        :param account_id: the id of the account to use
++        :returns: dictionary containing token and service catalog
++
++        """
++        try:
++            user = self.auth_manager.get_user(user_id)
++        except exception.NotFound:
++            raise exception.NotAuthorized("invalid user")
++        # TODO(vish): clearly this shouldn't be plaintext matching
++        #             against secret, but rather using its own field
++        #             and a hash of the password.
++        if password != user.secret:
++            raise exception.NotAuthorized("invalid password")
++        try:
++            project = self.auth_manager.get_project(account_id)
++        except exception.NotFound:
++            raise exception.NotAuthorized("invalid account")
++        # NOTE(vish): the below doesn't seem to be necessary, because
++        #             authz will take care of it
++        #if not self.auth_manager.is_member(project, user):
++        #    raise exception.NotAuthorized("can't access account")
++        token = self._generate_token(context, user_id, account_id)
++        catalog = self._generate_catalog(context, user_id, account_id)
++        return {"auth": {"token" : token, "serviceCatalog": catalog}}
++
++    def validate_token(self, context, token):
++        """Validates token and returns a dictionary of metadata
++
++        :param context: the context of the request
++        :param token: the token identifier
++        :returns: dictionary containing user, account, groups
++        """
++        elevated = context.elevated()
++        token = self.db.auth_token_get(elevated, token)
++        # TODO(vish): actually validate the token we receive
++        user_id, _sep, account_id = token["user_id"].partition(":")
++        user = self.auth_manager.get_user(user_id)
++        project = self.auth_manager.get_project(account_id)
++        groups = []
++        groups.append("user:%s" % user_id)
++        # NOTE(vish): There is no need to actually use something like
++        #             roles for the auth system.  The roles are added
++        #             because this is the system nova currently uses.
++        #             It is provided primarily as an example to aid
++        #             understanding of the flexibility of the system.
++        if self.auth_manager.is_project_member(user, project):
++            groups.append("account:%s" % account_id)
++        # TODO(vish): The next two could easily be converted to actual
++        #             roles in the database instead of requiring
++        #             special treatment.
++        if self.auth_manager.is_project_manager(user, project):
++            groups.append("role:project_manager")
++        if self.auth_manager.is_admin(user):
++            groups.append("role:admin")
++
++        # NOTE(vish): This should be a union, but intersection is the
++        #             way the current nova implementation works.
++        global_roles = set(self.auth_manager.get_user_roles(user))
++        local_roles = set(self.auth_manager.get_user_roles(user, project))
++        roles = global_roles.intersection(local_roles)
++        groups = groups + ["role:%s" % role for role in roles]
++        # NOTE(vish): We should possibly pass these in group format
++        #             as in "user" : "user:%s" % user_id
++        return {"user" : user_id,
++                "account" : account_id,
++                "groups": groups}
++
++    def _generate_token(self, context, user_id, account_id):
++        # TODO(vish): This
++        tok = {"token_hash": uuid.uuid4().hex,
++               "user_id": "%s:%s" % (user_id, account_id)}
++        elevated = context.elevated()
++        tok_ref = self.db.auth_token_create(elevated, tok)
++        return {"id": tok_ref['token_hash'],
++                "expires":  "2011-11-01T03:32:15-05:00"}
++
++    def _generate_catalog(self, context, user_id, account_id):
++        global _catalog
++        catalog = {}
++        for service_name, endpoints in _catalog.iteritems():
++            out_endpoints = []
++            for endpoint in endpoints:
++                out_endpoint = dict(endpoint)
++                for url in ["publicUrl", "privateUrl"]:
++                    out = endpoint[url].replace("$account_id", account_id)
++                    out = endpoint[url].replace("$user_id", user_id)
++                    out_endpoint[url] = out
++                out_endpoints.append(out_endpoint)
++            catalog[service_name] = out_endpoints
++        return catalog
++
++
++class API(object):
++    def authenticate(self, context, user_id, password, account_id):
++        return rpc.call(context, FLAGS.authn_topic,
++                        {'method': 'authenticate',
++                         'args': {'user_id': user_id,
++                                  'password': password,
++                                  'account_id': account_id}})
++
++    def validate_token(self, context, token):
++        return rpc.call(context, FLAGS.authn_topic,
++                        {'method': 'validate_token',
++                         'args': {'token': token}})
++
++
++class AuthnMiddleware(wsgi.Middleware):
++    def process_request(self, request):
++        api = API()
++
++        token = request.headers.get('X-OpenStack-Token')
++        if not token:
++            token = request.headers.get('X-Auth-Token')
++        empty = context.RequestContext(None, None)
++        valid = api.validate_token(empty, token)
++        if not valid:
++            raise Exception('invalid token')
++        remote_address = request.remote_addr
++        if FLAGS.use_forwarded_for:
++            remote_address = request.headers.get('X-Forwarded-For',
++                                                 remote_address)
++        context_ref = context.RequestContext(valid['user'],
++                                             valid['account'],
++                                             groups=valid['groups'],
++                                             remote_address=remote_address)
++        request.environ['openstack.context'] = context_ref
++        # TODO(vish): the line below is compatibility for api.openstack,
++        #             which expects the context to be in nova.context
++        request.environ['nova.context'] = context_ref
++        uname = valid['user']
++        aname = valid['account']
++        msg = _('Authenticated Request For %(uname)s:%(aname)s)') % locals()
++        LOG.audit(msg, context=request.environ['openstack.context'])
 === added file 'nova/api/authz.py'
 --- nova/api/authz.py	1970-01-01 00:00:00 +0000
 +++ nova/api/authz.py	2011-03-03 20:14:39 +0000
@@ -0,0 +1,223 @@
++#!/usr/bin/env python
++
++# vim: tabstop=4 shiftwidth=4 softtabstop=4
++
++# Copyright 2010 United States Government as represented by the
++# Administrator of the National Aeronautics and Space Administration.
++# All Rights Reserved.
++#
++#    Licensed under the Apache License, Version 2.0 (the "License");
++#    you may not use this file except in compliance with the License.
++#    You may obtain a copy of the License at
++#
++#        http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS,
++#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++#    See the License for the specific language governing permissions and
++#    limitations under the License.
++
++from nova import exception
++from nova import flags
++from nova import rpc
++from nova import manager
++from nova import utils
++
++
++FLAGS = flags.FLAGS
++flags.DEFINE_string('authz_driver', 'nova.api.authz.TrivialAccountPolicy',
++                    'which driver to use to backend authz requests')
++
++
++def check_acl(context, action, owner, target=None):
++    """Helper method to call check_acl on authz"""
++    authorized = rpc.call(context,
++                          FLAGS.authz_topic,
++                          {"method": "check_acl",
++                           "args": {"action": action,
++                                    "owner": owner,
++                                    "groups": context.groups,
++                                    "target": target}})
++    if not authorized:
++        raise exception.NotAuthorized("Failed ACL")
++
++
++def authorize(fn):
++    """Decorator to auth action with no target."""
++    def wrapper(self, context, *args, **kwargs):
++        # NOTE(vish): Wrapping the account should be removed
++        #             once account is passed in "group" format
++        owner = "account:%s" % context.project_id
++        check_acl(context, fn.func_name, owner)
++        return fn(self, context, *args, **kwargs)
++    wrapper.func_name = fn.func_name
++    return wrapper
++
++
++class AuthzManager(manager.Manager):
++    """Manages Authorization to actions and target objects.
++
++    Proxies requests to a driver for implementation details.
++
++    """
++
++    def __init__(self, authz_driver=None, *args, **kwargs):
++        if not authz_driver:
++            authz_driver = FLAGS.authz_driver
++        self.driver = utils.import_object(authz_driver)
++        super(AuthzManager, self).__init__(*args, **kwargs)
++
++    def check_acl(self, context, action, owner, groups, target=None):
++        """Check acl for a given action, owner, groups.
++
++        The manager expects the client service to pass in a list of groups
++        to be authenticated against the particular action and target. These
++        driver is expected to return true if any of the groups passed in is
++        allowed to perform the action on the target.
++
++        The groups are expected to be retrieved by the service when it
++        authenticates the request. Context is passed in case a specific
++        implementation wants to pass additional data from the authn service.
++
++        :param context: the current context.
++        :param action: string representing action to check acls for
++        :param owner: the owner of the target.  If target is not specified,
++                      then the owner represents the account context in which
++                      the action is being performed.  For example, when
++                      creating an object, this will be the owner of the new
++                      object that is being created.
++        :param groups: a list of strings representing the groups that the
++                       actor is a part of.
++        :param target: a string representing a unique id of the object
++                       to check acls for.
++        :returns: True on successful check.
++
++        """
++        return self.driver.check_acl(context, action, owner, groups, target)
++
++    def get_acl(self, context, action, owner, target=None):
++        """Get the current acls for a given action and owner.
++
++        :param context: the current context.
++        :param action: string representing action to get acls for
++        :param owner: the owner to get acls for.
++        :param target: a string representing a unique id of the object
++                       to get acls for.  If this is None, the get
++                       will return acls for all objects that don't have
++                       specified rules.
++        :returns: True on successful override. Raises on Error
++
++        """
++        return self.driver.get_acl(context, action, owner, target)
++
++    def set_acl(self, context, action, owner, groups, target=None):
++        """Override the default acl for a given action, owner, group.
++
++        Note that overrides are not added to the existing roles.  If you
++        wish to add a permission, it is necessary to call get_acl first
++        to get the existing list of acls, append to it, and set_acl using
++        the list.
++
++        :param context: the current context.
++        :param action: string representing action to override acls for
++        :param owner: the owner to override acls for.  Global rules are set
++                      by policy, so this cannot be None
++        :param groups: a list of strings representing the groups that should
++                       be authorized to perform the action
++        :param target: a string representing a unique id of the object
++                       to override acls for.  If this is None, the override
++                       will apply to all objects that don't have specified
++                       rules.
++        :returns: True on successful override. Raises on Error
++
++        """
++        return self.driver.set_acl(context, action, owner, groups, target)
++
++
++class TrivialAccountPolicy(object):
++    """Ultra simple policy that just makes sure the owner is in group."""
++    def check_acl(self, context, action, owner, groups, target=None):
++        allowed = self.get_acl(context, action, owner, target)
++        return bool(set(allowed).intersection(set(groups)))
++
++    def get_acl(self, context, action, owner, target=None):
++        return owner
++
++    def set_acl(self, context, action, owner, groups, target=None):
++        raise NotImplemented()
++
++def _deepmerge(left, right):
++    """Utility function to deep merge two dictionaries."""
++    if isinstance(left, dict) and isinstance(right, dict):
++        rval = dict(left)
++        for k, v in right.iteritems():
++            result = _deepmerge(left.get(k), right.get(k))
++            if result:
++                rval[k] = result
++        return rval
++    return right or left
++
++class SimplePolicy(object):
++    """In memory policy engine that allows defaults and overrides."""
++    policy = {
++        "default": ["$owner"],
++        "set_acl": ["role:project_manager"],
++        "reboot": {"default": ["role:sysadmin"]},
++        "delete": {"default": ["role:sysadmin"]},
++    }
++
++    overrides = {
++        "account:baz": {
++            "get_all": {"default": ["role:sysadmin"]},
++            "reboot": {"1": ["user:foo"]},
++            "delete": {"default": [], "1": ["user:foo"]},
++        }
++    }
++
++    def check_acl(self, context, action, owner, groups, target=None):
++        """Checks for allowed groups using policy."""
++        allowed = self.get_acl(context, action, owner, target)
++        return bool(set(allowed).intersection(set(groups)))
++
++    def get_acl(self, context, action, owner, target=None):
++        allowed = self._get_groups_for_action(action, owner, target)
++        return [x.replace("$owner", owner) for x in allowed]
++
++    def set_acl(self, context, action, owner, groups, target=None):
++        if not target:
++            target = "default"
++        new_overrides = {owner: {action: {target: groups}}}
++        overrides = _deepmerge(self.overrides, new_overrides)
++        return True
++
++    def _get_groups_for_action(self, action, owner, target=None):
++        """Helper method to get all groups using policy and overrides.
++
++        First we do a deep merge with the default policy and any
++        overrides that have been set.  Then we attempt to find the most
++        specific set of groups for our particular owner, action, target
++        combination.  The following rules will apply (later rule wins):
++
++        * policy.default
++        * overrides.owner.default
++        * policy.action.default
++        * overrides.owner.action.default
++        * overrides.owner.action.target
++
++        Note that specifically, overriding the default acl for an owner
++        does will not change the acl for a specific action if it is
++        specified in policy.action.default
++
++        """
++        local_policy = _deepmerge(self.policy, self.overrides.get(owner))
++        groups = local_policy["default"]
++        if local_policy.get(action) is not None:
++            if local_policy[action].get("default") is not None:
++                groups = local_policy[action]["default"]
++            if target:
++                target = str(target)
++                if local_policy[action].get(target) is not None:
++                    groups = local_policy[action][target]
++        return groups
++
 === modified file 'nova/api/direct.py'
 --- nova/api/direct.py	2011-01-19 22:46:31 +0000
 +++ nova/api/direct.py	2011-03-03 20:14:39 +0000
@@ -72,6 +72,12 @@
          request.environ['openstack.context'] = context_ref
++class EmptyContextMiddleware(wsgi.Middleware):
++    def process_request(self, request):
++        context_ref = context.RequestContext(None, None)
++        request.environ['openstack.context'] = context_ref
++
++
  class JsonParamsMiddleware(wsgi.Middleware):
      def process_request(self, request):
          if 'json' not in request.params:
 === modified file 'nova/api/ec2/__init__.py'
 --- nova/api/ec2/__init__.py	2011-02-19 21:39:44 +0000
 +++ nova/api/ec2/__init__.py	2011-03-03 20:14:39 +0000
@@ -28,11 +28,13 @@
  from nova import exception
  from nova import flags
  from nova import log as logging
++from nova import rpc
  from nova import utils
  from nova import wsgi
  from nova.api.ec2 import apirequest
  from nova.api.ec2 import cloud
  from nova.auth import manager
++from nova.auth import signer
  FLAGS = flags.FLAGS
@@ -50,6 +52,20 @@
                    'Memcached servers or None for in process cache.')
++def _error(req, context, code, message):
++    LOG.error("%s: %s", code, message, context=context)
++    resp = webob.Response()
++    resp.status = 400
++    resp.headers['Content-Type'] = 'text/xml'
++    resp.body = str('<?xml version="1.0"?>\n'
++                     '<Response><Errors><Error><Code>%s</Code>'
++                     '<Message>%s</Message></Error></Errors>'
++                     '<RequestID>%s</RequestID></Response>' %
++                     (utils.utf8(code), utils.utf8(message),
++                     utils.utf8(context.request_id)))
++    return resp
++
++
  class RequestLogging(wsgi.Middleware):
      """Access-Log akin logging for all EC2 API requests."""
@@ -65,7 +81,7 @@
          if controller:
              controller = controller.__class__.__name__
          action = request.environ.get('ec2.action', None)
--        ctxt = request.environ.get('ec2.context', None)
++        ctxt = request.environ.get('openstack.context', None)
          delta = utils.utcnow() - start
          seconds = delta.seconds
          microseconds = delta.microseconds
@@ -139,7 +155,7 @@
  class Authenticate(wsgi.Middleware):
--    """Authenticate an EC2 request and add 'ec2.context' to WSGI environ."""
++    """Authenticate an EC2 request and to WSGI environ."""
      @webob.dec.wsgify
      def __call__(self, req):
@@ -157,32 +173,116 @@
          # Authenticate the request.
          try:
--            (user, project) = manager.AuthManager().authenticate(
--                    access,
--                    signature,
--                    auth_params,
--                    req.method,
--                    req.host,
--                    req.path)
++            (user, password, account) = self._validate_sig(access,
++                                                           signature,
++                                                           auth_params,
++                                                           req.method,
++                                                           req.host,
++                                                           req.path)
          # Be explicit for what exceptions are 403, the rest bubble as 500
          except (exception.NotFound, exception.NotAuthorized) as ex:
--            LOG.audit(_("Authentication Failure: %s"), unicode(ex))
--            raise webob.exc.HTTPForbidden()
++            LOG.info(_('SignatureDoesNotMatch raised: %s'), unicode(ex))
++            message = _('The request signature we calculated does not match '
++                        'the signature you provided. Check your AWS Secret '
++                        'Access Key and signing method. Consult the service '
++                        'documentation for details.')
++            # NOTE(vish): Clients don't seem to respond very well to 4xx errors
++            #             so we return a special error message.
++            ctxt = context.get_admin_context()
++            return _error(req, ctxt, 'SignatureDoesNotMatch', message)
--        # Authenticated!
--        remote_address = req.remote_addr
--        if FLAGS.use_forwarded_for:
--            remote_address = req.headers.get('X-Forwarded-For', remote_address)
--        ctxt = context.RequestContext(user=user,
--                                      project=project,
--                                      remote_address=remote_address)
--        req.environ['ec2.context'] = ctxt
--        uname = user.name
--        pname = project.name
--        msg = _('Authenticated Request For %(uname)s:%(pname)s)') % locals()
--        LOG.audit(msg, context=req.environ['ec2.context'])
++        # TODO(vish): An empty context should be created as the first
++        #             middleware and other information should be added
++        rv = rpc.call(context.get_admin_context(),
++                      FLAGS.authn_topic,
++                      {"method": "authenticate",
++                       "args": {"user_id": user,
++                                "password": password,
++                                "account_id": account}})
++        req.headers['X-OpenStack-Token'] = rv['auth']['token']['id']
          return self.application
++    def _validate_sig(self, access, signature, params, verb='GET',
++                      server_string='127.0.0.1:8773', path='/',
++                      check_type='ec2', headers=None):
++        """Authenticates AWS request using access key and signature
++
++        If the project is not specified, attempts to authenticate to
++        a project with the same name as the user. This way, older tools
++        that have no project knowledge will still work.
++
++        @type access: str
++        @param access: Access key for user in the form "access:project".
++
++        @type signature: str
++        @param signature: Signature of the request.
++
++        @type params: list of str
++        @param params: Web paramaters used for the signature.
++
++        @type verb: str
++        @param verb: Web request verb ('GET' or 'POST').
++
++        @type server_string: str
++        @param server_string: Web request server string.
++
++        @type path: str
++        @param path: Web request path.
++
++        @type check_type: str
++        @param check_type: Type of signature to check. 'ec2' for EC2, 's3' for
++                           S3. Any other value will cause signature not to be
++                           checked.
++
++        @type headers: list
++        @param headers: HTTP headers passed with the request (only needed for
++                        s3 signature checks)
++
++        @rtype: tuple (User, Project)
++        @return: User and project that the request represents.
++        """
++        # TODO(vish): check for valid timestamp
++        (access_key, _sep, project_id) = access.partition(':')
++
++        LOG.debug(_('Looking up user: %r'), access_key)
++        # TODO(vish): this should be making calls through authn
++        #             instead of making AuthManager calls directly
++        auth_manager = manager.AuthManager()
++        user = auth_manager.get_user_from_access_key(access_key)
++        LOG.debug('user: %r', user)
++        if user == None:
++            LOG.audit(_("Failed authorization for access key %s"), access_key)
++            raise exception.NotFound(_('No user found for access key %s')
++                                     % access_key)
++
++        # NOTE(vish): if we stop using project name as id we need better
++        #             logic to find a default project for user
++        if project_id == '':
++            LOG.debug(_("Using project id = user id (%s)"), user.id)
++            project_id = user.id
++
++        if check_type == 's3':
++            sign = signer.Signer(user.secret.encode())
++            expected_signature = sign.s3_authorization(headers, verb, path)
++            LOG.debug('user.secret: %s', user.secret)
++            LOG.debug('expected_signature: %s', expected_signature)
++            LOG.debug('signature: %s', signature)
++            if signature != expected_signature:
++                LOG.audit(_("Invalid signature for user %s"), user.name)
++                raise exception.NotAuthorized(_('Signature does not match'))
++        elif check_type == 'ec2':
++            # NOTE(vish): hmac can't handle unicode, so encode ensures that
++            #             secret isn't unicode
++            expected_signature = signer.Signer(user.secret.encode()).generate(
++                    params, verb, server_string, path)
++            LOG.debug('user.secret: %s', user.secret)
++            LOG.debug('expected_signature: %s', expected_signature)
++            LOG.debug('signature: %s', signature)
++            if signature != expected_signature:
++                LOG.audit(_("Invalid signature for user %s"), user.name)
++                raise exception.NotAuthorized(_('Signature does not match'))
++        return (user.id, user.secret, project_id)
++
  class Requestify(wsgi.Middleware):
@@ -271,7 +371,7 @@
      @webob.dec.wsgify
      def __call__(self, req):
--        context = req.environ['ec2.context']
++        context = req.environ['openstack.context']
          controller = req.environ['ec2.request'].controller.__class__.__name__
          action = req.environ['ec2.request'].action
          allowed_roles = self.action_roles[controller].get(action, ['none'])
@@ -298,50 +398,57 @@
      """Execute an EC2 API request.
--    Executes 'ec2.action' upon 'ec2.controller', passing 'ec2.context' and
--    'ec2.action_args' (all variables in WSGI environ.)  Returns an XML
++    Executes 'ec2.action' upon 'ec2.controller', passing 'openstack.context'
++    and 'ec2.action_args' (all variables in WSGI environ.)  Returns an XML
      response, or a 400 upon failure.
      """
      @webob.dec.wsgify
      def __call__(self, req):
--        context = req.environ['ec2.context']
++        context = req.environ['openstack.context']
          api_request = req.environ['ec2.request']
          result = None
          try:
              result = api_request.invoke(context)
++        except exception.NotAuthorized as ex:
++            LOG.info(_('NotAuthorized raised: %s'), unicode(ex),
++                          context=context)
++            message = _('You are not authorized for that action')
++            # NOTE(vish): Clients don't seem to respond very well to 4xx errors
++            #             so we return a NotAuthorized message.
++            return _error(req, context, type(ex).__name__, message)
          except exception.InstanceNotFound as ex:
              LOG.info(_('InstanceNotFound raised: %s'), unicode(ex),
                       context=context)
              ec2_id = cloud.id_to_ec2_id(ex.instance_id)
              message = _('Instance %s not found') % ec2_id
--            return self._error(req, context, type(ex).__name__, message)
++            return _error(req, context, type(ex).__name__, message)
          except exception.VolumeNotFound as ex:
              LOG.info(_('VolumeNotFound raised: %s'), unicode(ex),
                       context=context)
              ec2_id = cloud.id_to_ec2_id(ex.volume_id, 'vol-%08x')
              message = _('Volume %s not found') % ec2_id
--            return self._error(req, context, type(ex).__name__, message)
++            return _error(req, context, type(ex).__name__, message)
          except exception.NotFound as ex:
              LOG.info(_('NotFound raised: %s'), unicode(ex), context=context)
--            return self._error(req, context, type(ex).__name__, unicode(ex))
++            return _error(req, context, type(ex).__name__, unicode(ex))
          except exception.ApiError as ex:
              LOG.exception(_('ApiError raised: %s'), unicode(ex),
                            context=context)
              if ex.code:
--                return self._error(req, context, ex.code, unicode(ex))
++                return _error(req, context, ex.code, unicode(ex))
              else:
--                return self._error(req, context, type(ex).__name__,
++                return _error(req, context, type(ex).__name__,
                                     unicode(ex))
          except Exception as ex:
              extra = {'environment': req.environ}
              LOG.exception(_('Unexpected error raised: %s'), unicode(ex),
                            extra=extra, context=context)
--            return self._error(req,
--                               context,
--                               'UnknownError',
--                               _('An unknown error has occurred. '
--                               'Please try your request again.'))
++            return _error(req,
++                          context,
++                          'UnknownError',
++                          _('An unknown error has occurred. '
++                            'Please try your request again.'))
          else:
              resp = webob.Response()
              resp.status = 200
@@ -349,20 +456,6 @@
              resp.body = str(result)
              return resp
--    def _error(self, req, context, code, message):
--        LOG.error("%s: %s", code, message, context=context)
--        resp = webob.Response()
--        resp.status = 400
--        resp.headers['Content-Type'] = 'text/xml'
--        resp.body = str('<?xml version="1.0"?>\n'
--                         '<Response><Errors><Error><Code>%s</Code>'
--                         '<Message>%s</Message></Error></Errors>'
--                         '<RequestID>%s</RequestID></Response>' %
--                         (utils.utf8(code), utils.utf8(message),
--                         utils.utf8(context.request_id)))
--        return resp
--
--
  class Versions(wsgi.Application):
      @webob.dec.wsgify
 === modified file 'nova/api/openstack/auth.py'
 --- nova/api/openstack/auth.py	2011-03-18 02:09:46 +0000
 +++ nova/api/openstack/auth.py	2011-03-03 20:14:39 +0000
@@ -29,6 +29,7 @@
  from nova import exception
  from nova import flags
  from nova import manager
++from nova import rpc
  from nova import utils
  from nova import wsgi
  from nova.api.openstack import faults
@@ -51,13 +52,6 @@
          if not self.has_authentication(req):
              return self.authenticate(req)
--        user = self.get_user_by_authentication(req)
--
--        if not user:
--            return faults.Fault(webob.exc.HTTPUnauthorized())
--
--        project = self.auth.get_project(FLAGS.default_project)
--        req.environ['nova.context'] = context.RequestContext(user, project)
          return self.application
      def has_authentication(self, req):
@@ -79,19 +73,39 @@
          except KeyError:
              return faults.Fault(webob.exc.HTTPUnauthorized())
--        token, user = self._authorize_user(username, key, req)
--        if user and token:
--            res = webob.Response()
--            res.headers['X-Auth-Token'] = token.token_hash
--            res.headers['X-Server-Management-Url'] = \
--                token.server_management_url
--            res.headers['X-Storage-Url'] = token.storage_url
--            res.headers['X-CDN-Management-Url'] = token.cdn_management_url
--            res.content_type = 'text/plain'
--            res.status = '204'
--            return res
--        else:
++        # TODO(vish): An empty context should be created as the first
++        #             middleware and other information should be added
++        ctxt = context.get_admin_context()
++        # NOTE(vish): account not passed in yet, so just get accounts
++        #             and use the first one
++        try:
++            rv = rpc.call(ctxt,
++                          FLAGS.authn_topic,
++                          {"method": "get_accounts",
++                           "args": {"user_id": username,
++                                    "password": key}})
++            account = rv["accounts"][0]
++            rv = rpc.call(ctxt,
++                          FLAGS.authn_topic,
++                          {"method": "authenticate",
++                           "args": {"user_id": username,
++                                    "password": key,
++                                    "account_id": account}})
++        except exception.RemoteError:
              return faults.Fault(webob.exc.HTTPUnauthorized())
++        res = webob.Response()
++        res.headers['X-OpenStack-Token'] = rv['auth']['token']['id']
++        res.headers['X-Auth-Token'] = rv['auth']['token']['id']
++        res.headers['X-Server-Management-Url'] = \
++            req.url
++            # rv['auth']['serviceCatalog']['nova'][0]['publicUrl']
++        res.headers['X-Storage-Url'] = \
++            rv['auth']['serviceCatalog']['swift'][0]['publicUrl']
++        res.headers['X-CDN-Management-Url'] = \
++            rv['auth']['serviceCatalog']['cdn'][0]['publicUrl']
++        res.content_type = 'text/plain'
++        res.status = '204'
++        return res
      def authorize_token(self, token_hash):
          """ retrieves user information from the datastore given a token
 === modified file 'nova/api/openstack/servers.py'
 --- nova/api/openstack/servers.py	2011-03-01 16:53:19 +0000
 +++ nova/api/openstack/servers.py	2011-03-03 20:14:39 +0000
@@ -118,7 +118,10 @@
          entity_maker - either _translate_detail_keys or _translate_keys
          """
--        instance_list = self.compute_api.get_all(req.environ['nova.context'])
++        try:
++            instance_list = self.compute_api.get_all(req.environ['nova.context'])
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          limited_list = common.limited(instance_list, req)
          res = [entity_maker(inst)['server'] for inst in limited_list]
          return dict(servers=res)
@@ -130,6 +133,8 @@
              return _translate_detail_keys(instance)
          except exception.NotFound:
              return faults.Fault(exc.HTTPNotFound())
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
      def delete(self, req, id):
          """ Destroys a server """
@@ -137,6 +142,8 @@
              self.compute_api.delete(req.environ['nova.context'], id)
          except exception.NotFound:
              return faults.Fault(exc.HTTPNotFound())
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          return exc.HTTPAccepted()
      def create(self, req):
@@ -166,18 +173,21 @@
              for k, v in env['server']['metadata'].items():
                  metadata.append({'key': k, 'value': v})
--        instances = self.compute_api.create(
--            context,
--            instance_types.get_by_flavor_id(env['server']['flavorId']),
--            image_id,
--            kernel_id=kernel_id,
--            ramdisk_id=ramdisk_id,
--            display_name=env['server']['name'],
--            display_description=env['server']['name'],
--            key_name=key_pair['name'],
--            key_data=key_pair['public_key'],
--            metadata=metadata,
--            onset_files=env.get('onset_files', []))
++        try:
++            instances = self.compute_api.create(
++                context,
++                instance_types.get_by_flavor_id(env['server']['flavorId']),
++                image_id,
++                kernel_id=kernel_id,
++                ramdisk_id=ramdisk_id,
++                display_name=env['server']['name'],
++                display_description=env['server']['name'],
++                key_name=key_pair['name'],
++                key_data=key_pair['public_key'],
++                metadata=metadata,
++                onset_files=env.get('onset_files', []))
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          return _translate_keys(instances[0])
      def update(self, req, id):
@@ -192,6 +202,8 @@
              update_dict['admin_pass'] = inst_dict['server']['adminPass']
              try:
                  self.compute_api.set_admin_password(ctxt, id)
++            except exception.NotAuthorized:
++                return faults.Fault(exc.HTTPUnauthorized())
              except exception.TimeoutException, e:
                  return exc.HTTPRequestTimeout()
          if 'name' in inst_dict['server']:
@@ -200,6 +212,8 @@
              self.compute_api.update(ctxt, id, **update_dict)
          except exception.NotFound:
              return faults.Fault(exc.HTTPNotFound())
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          return exc.HTTPNoContent()
      def action(self, req, id):
@@ -215,6 +229,8 @@
              # TODO(gundlach): pass reboot_type, support soft reboot in
              # virt driver
              self.compute_api.reboot(req.environ['nova.context'], id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              return faults.Fault(exc.HTTPUnprocessableEntity())
          return exc.HTTPAccepted()
@@ -243,6 +259,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.unlock(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::unlock %s"), readable)
@@ -257,6 +275,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.get_lock(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::get_lock %s"), readable)
@@ -271,6 +291,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.reset_network(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::reset_network %s"), readable)
@@ -285,6 +307,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.inject_network_info(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::inject_network_info %s"), readable)
@@ -296,6 +320,8 @@
          ctxt = req.environ['nova.context']
          try:
              self.compute_api.pause(ctxt, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::pause %s"), readable)
@@ -307,6 +333,8 @@
          ctxt = req.environ['nova.context']
          try:
              self.compute_api.unpause(ctxt, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("Compute.api::unpause %s"), readable)
@@ -318,6 +346,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.suspend(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("compute.api::suspend %s"), readable)
@@ -329,6 +359,8 @@
          context = req.environ['nova.context']
          try:
              self.compute_api.resume(context, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          except:
              readable = traceback.format_exc()
              LOG.exception(_("compute.api::resume %s"), readable)
@@ -364,12 +396,17 @@
                  int(id))
          except exception.NotFound:
              return faults.Fault(exc.HTTPNotFound())
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
          return exc.HTTPAccepted()
      def diagnostics(self, req, id):
          """Permit Admins to retrieve server diagnostics."""
          ctxt = req.environ["nova.context"]
--        return self.compute_api.get_diagnostics(ctxt, id)
++        try:
++            return self.compute_api.get_diagnostics(ctxt, id)
++        except exception.NotAuthorized:
++            return faults.Fault(exc.HTTPUnauthorized())
      def actions(self, req, id):
          """Permit Admins to retrieve server actions."""
 === modified file 'nova/compute/api.py'
 --- nova/compute/api.py	2011-03-03 01:50:48 +0000
 +++ nova/compute/api.py	2011-03-03 20:14:39 +0000
@@ -35,6 +35,7 @@
  from nova import volume
  from nova.compute import instance_types
  from nova.db import base
++from nova.api import authz
  FLAGS = flags.FLAGS
  LOG = logging.getLogger('nova.compute.api')
@@ -44,6 +45,25 @@
      """Default function to generate a hostname given an instance reference."""
      return str(instance_id)
++def authorize_instance(fn):
++    """Decorator to auth action on an instance."""
++    def wrapper(self, context, *args, **kwargs):
++        # TODO(vish): We have to elevate when getting the owner, since
++        #             the action authorization system, needs to check
++        #             the owner of the instance.  This means that
++        #             some calls will be authorized but fail at the db
++        #             layer.  We should evaluate whether the db layer
++        #             auth is really necessary.
++        elevated = context.elevated()
++        instance_id = kwargs.get('instance_id')
++        instance_ref = self.db.instance_get(elevated, instance_id)
++        # TODO(vish): This wrapper should be removed once we are storing
++        #             opaque owner strings
++        owner = "account:%s" % instance_ref['project_id']
++        authz.authorize_acl(context, fn.func_name, owner, instance_id)
++        return fn(self, context, *args, **kwargs)
++    wrapper.func_name = fn.func_name
++    return wrapper
  class API(base.Base):
      """API for interacting with the compute manager."""
@@ -80,6 +100,7 @@
                          topic,
                          {"method": "get_network_topic", "args": {'fake': 1}})
++    @authz.authorize
      def create(self, context, instance_type,
                 image_id, kernel_id=None, ramdisk_id=None,
                 min_count=1, max_count=1,
@@ -299,6 +320,7 @@
                       {"method": "refresh_security_group_members",
                        "args": {"security_group_id": group_id}})
++    @authorize_instance
      def update(self, context, instance_id, **kwargs):
          """Updates the instance in the datastore.
@@ -314,6 +336,7 @@
          rv = self.db.instance_update(context, instance_id, kwargs)
          return dict(rv.iteritems())
++    @authorize_instance
      def delete(self, context, instance_id):
          LOG.debug(_("Going to try to terminate %s"), instance_id)
          try:
@@ -341,16 +364,21 @@
          else:
              self.db.instance_destroy(context, instance_id)
++    @authorize_instance
      def get(self, context, instance_id):
          """Get a single instance with the given ID."""
          rv = self.db.instance_get(context, instance_id)
          return dict(rv.iteritems())
++    @authz.authorize
      def get_all(self, context, project_id=None, reservation_id=None,
                  fixed_ip=None):
          """Get all instances, possibly filtered by one of the
          given parameters. If there is no filter and the context is
          an admin, it will retreive all instances in the system."""
++        # NOTE(vish): get_all not in the context of a project doesn't
++        #             work anymore, which is probably fine because
++        #             it doesn't scale at all anyway.
          if reservation_id is not None:
              return self.db.instance_get_all_by_reservation(context,
                                                               reservation_id)
@@ -404,6 +432,7 @@
          kwargs = {'method': method, 'args': params}
          return rpc.call(context, queue, kwargs)
++    @authorize_instance
      def snapshot(self, context, instance_id, name):
          """Snapshot the given instance.
@@ -416,18 +445,22 @@
                                     params=params)
          return image_meta
++    @authorize_instance
      def reboot(self, context, instance_id):
          """Reboot the given instance."""
          self._cast_compute_message('reboot_instance', context, instance_id)
++    @authorize_instance
      def pause(self, context, instance_id):
          """Pause the given instance."""
          self._cast_compute_message('pause_instance', context, instance_id)
++    @authorize_instance
      def unpause(self, context, instance_id):
          """Unpause the given instance."""
          self._cast_compute_message('unpause_instance', context, instance_id)
++    @authorize_instance
      def get_diagnostics(self, context, instance_id):
          """Retrieve diagnostics for the given instance."""
          return self._call_compute_message(
@@ -435,34 +468,42 @@
              context,
              instance_id)
++    @authorize_instance
      def get_actions(self, context, instance_id):
          """Retrieve actions for the given instance."""
          return self.db.instance_get_actions(context, instance_id)
++    @authorize_instance
      def suspend(self, context, instance_id):
          """suspend the instance with instance_id"""
          self._cast_compute_message('suspend_instance', context, instance_id)
++    @authorize_instance
      def resume(self, context, instance_id):
          """resume the instance with instance_id"""
          self._cast_compute_message('resume_instance', context, instance_id)
++    @authorize_instance
      def rescue(self, context, instance_id):
          """Rescue the given instance."""
          self._cast_compute_message('rescue_instance', context, instance_id)
++    @authorize_instance
      def unrescue(self, context, instance_id):
          """Unrescue the given instance."""
          self._cast_compute_message('unrescue_instance', context, instance_id)
++    @authorize_instance
      def set_admin_password(self, context, instance_id):
          """Set the root/admin password for the given instance."""
          self._cast_compute_message('set_admin_password', context, instance_id)
++    @authorize_instance
      def inject_file(self, context, instance_id):
          """Write a file to the given instance."""
          self._cast_compute_message('inject_file', context, instance_id)
++    @authorize_instance
      def get_ajax_console(self, context, instance_id):
          """Get a url to an AJAX Console"""
          instance = self.get(context, instance_id)
@@ -476,25 +517,30 @@
          return {'url': '%s/?token=%s' % (FLAGS.ajax_console_proxy_url,
                  output['token'])}
++    @authorize_instance
      def get_console_output(self, context, instance_id):
          """Get console output for an an instance"""
          return self._call_compute_message('get_console_output',
                                            context,
                                            instance_id)
++    @authorize_instance
      def lock(self, context, instance_id):
          """lock the instance with instance_id"""
          self._cast_compute_message('lock_instance', context, instance_id)
++    @authorize_instance
      def unlock(self, context, instance_id):
          """unlock the instance with instance_id"""
          self._cast_compute_message('unlock_instance', context, instance_id)
++    @authorize_instance
      def get_lock(self, context, instance_id):
          """return the boolean state of (instance with instance_id)'s lock"""
          instance = self.get(context, instance_id)
          return instance['locked']
++    @authorize_instance
      def reset_network(self, context, instance_id):
          """
          Reset networking on the instance.
@@ -502,6 +548,7 @@
          """
          self._cast_compute_message('reset_network', context, instance_id)
++    @authorize_instance
      def inject_network_info(self, context, instance_id):
          """
          Inject network info for the instance.
@@ -509,6 +556,7 @@
          """
          self._cast_compute_message('inject_network_info', context, instance_id)
++    @authorize_instance
      def attach_volume(self, context, instance_id, volume_id, device):
          if not re.match("^/dev/[a-z]d[a-z]+$", device):
              raise exception.ApiError(_("Invalid device specified: %s. "
@@ -536,6 +584,7 @@
                             "volume_id": volume_id}})
          return instance
++    @authorize_instance
      def associate_floating_ip(self, context, instance_id, address):
          instance = self.get(context, instance_id)
          self.network_api.associate_floating_ip(context, address,
 === modified file 'nova/context.py'
 --- nova/context.py	2011-01-31 00:04:52 +0000
 +++ nova/context.py	2011-03-03 20:14:39 +0000
@@ -29,7 +29,8 @@
  class RequestContext(object):
      def __init__(self, user, project, is_admin=None, read_deleted=False,
--                 remote_address=None, timestamp=None, request_id=None):
++                 remote_address=None, timestamp=None, request_id=None,
++                 groups=None):
          if hasattr(user, 'id'):
              self._user = user
              self.user_id = user.id
@@ -60,6 +61,7 @@
              chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-'
              request_id = ''.join([random.choice(chars) for x in xrange(20)])
          self.request_id = request_id
++        self.groups = groups and groups or []
      @property
      def user(self):
 === modified file 'nova/flags.py'
 --- nova/flags.py	2011-02-25 01:04:25 +0000
 +++ nova/flags.py	2011-03-03 20:14:39 +0000
@@ -266,6 +266,7 @@
  DEFINE_integer('s3_port', 3333, 's3 port')
  DEFINE_string('s3_host', '$my_ip', 's3 host (for infrastructure)')
  DEFINE_string('s3_dmz', '$my_ip', 's3 dmz ip (for instances)')
++DEFINE_string('authz_topic', 'authz', 'the topic authz nodes listen on')
  DEFINE_string('compute_topic', 'compute', 'the topic compute nodes listen on')
  DEFINE_string('console_topic', 'console',
                'the topic console proxy nodes listen on')
 === modified file 'nova/tests/test_access.py'
 --- nova/tests/test_access.py	2011-01-12 19:20:05 +0000
 +++ nova/tests/test_access.py	2011-03-03 20:14:39 +0000
@@ -41,7 +41,7 @@
  class AccessTestCase(test.TestCase):
      def _env_for(self, ctxt, action):
          env = {}
--        env['ec2.context'] = ctxt
++        env['openstack.context'] = ctxt
          env['ec2.request'] = FakeApiRequest(action)
          return env