Merge "xLO bug with auth tokens expiring during download."

This commit is contained in:
Jenkins 2014-06-12 20:19:04 +00:00 committed by Gerrit Code Review
commit 04c222d470
4 changed files with 30 additions and 12 deletions

View File

@ -75,7 +75,7 @@
# eventlet_debug = false # eventlet_debug = false
[pipeline:main] [pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl slo dlo ratelimit tempauth container-quotas account-quotas proxy-logging proxy-server pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server
[app:proxy-server] [app:proxy-server]
use = egg:swift#proxy use = egg:swift#proxy
@ -526,7 +526,7 @@ use = egg:swift#bulk
[filter:container-quotas] [filter:container-quotas]
use = egg:swift#container_quotas use = egg:swift#container_quotas
# Note: Put before both ratelimit and auth in the pipeline. # Note: Put after auth and staticweb in the pipeline.
[filter:slo] [filter:slo]
use = egg:swift#slo use = egg:swift#slo
# max_manifest_segments = 1000 # max_manifest_segments = 1000
@ -543,8 +543,7 @@ use = egg:swift#slo
# Time limit on GET requests (seconds) # Time limit on GET requests (seconds)
# max_get_time = 86400 # max_get_time = 86400
# Note: Put before both ratelimit and auth in the pipeline, but after # Note: Put after auth and staticweb in the pipeline.
# gatekeeper, catch_errors, and proxy_logging (the first instance).
# If you don't put it in the pipeline, it will be inserted for you. # If you don't put it in the pipeline, it will be inserted for you.
[filter:dlo] [filter:dlo]
use = egg:swift#dlo use = egg:swift#dlo

View File

@ -16,6 +16,7 @@ from swift.common import utils as swift_utils
from swift.common.middleware import acl as swift_acl from swift.common.middleware import acl as swift_acl
from swift.common.swob import HTTPNotFound, HTTPForbidden, HTTPUnauthorized from swift.common.swob import HTTPNotFound, HTTPForbidden, HTTPUnauthorized
from swift.common.utils import register_swift_info from swift.common.utils import register_swift_info
import functools
class KeystoneAuth(object): class KeystoneAuth(object):
@ -103,7 +104,9 @@ class KeystoneAuth(object):
self.logger.debug('Using identity: %r', identity) self.logger.debug('Using identity: %r', identity)
environ['keystone.identity'] = identity environ['keystone.identity'] = identity
environ['REMOTE_USER'] = identity.get('tenant') environ['REMOTE_USER'] = identity.get('tenant')
environ['swift.authorize'] = self.authorize env_identity = self._integral_keystone_identity(environ)
environ['swift.authorize'] = functools.partial(
self.authorize, env_identity)
user_roles = (r.lower() for r in identity.get('roles', [])) user_roles = (r.lower() for r in identity.get('roles', []))
if self.reseller_admin_role in user_roles: if self.reseller_admin_role in user_roles:
environ['reseller_request'] = True environ['reseller_request'] = True
@ -177,9 +180,7 @@ class KeystoneAuth(object):
return s return s
return None return None
def authorize(self, req): def authorize(self, env_identity, req):
env = req.environ
env_identity = self._integral_keystone_identity(env)
tenant_id, tenant_name = env_identity['tenant'] tenant_id, tenant_name = env_identity['tenant']
user_id, user_name = env_identity['user'] user_id, user_name = env_identity['user']
referrers, roles = swift_acl.parse_acl(getattr(req, 'acl', None)) referrers, roles = swift_acl.parse_acl(getattr(req, 'acl', None))

View File

@ -56,10 +56,11 @@ required_filters = [
{'name': 'catch_errors'}, {'name': 'catch_errors'},
{'name': 'gatekeeper', {'name': 'gatekeeper',
'after_fn': lambda pipe: (['catch_errors'] 'after_fn': lambda pipe: (['catch_errors']
if pipe.startswith("catch_errors") if pipe.startswith('catch_errors')
else [])}, else [])},
{'name': 'dlo', 'after_fn': lambda _junk: ['catch_errors', 'gatekeeper', {'name': 'dlo', 'after_fn': lambda _junk: [
'proxy_logging']}] 'staticweb', 'tempauth', 'keystoneauth',
'catch_errors', 'gatekeeper', 'proxy_logging']}]
class Application(object): class Application(object):

View File

@ -214,7 +214,9 @@ class TestAuthorize(unittest.TestCase):
default_env.update(env) default_env.update(env)
req = self._make_request(path, headers=headers, environ=default_env) req = self._make_request(path, headers=headers, environ=default_env)
req.acl = acl req.acl = acl
result = self.test_auth.authorize(req)
env_identity = self.test_auth._integral_keystone_identity(req.environ)
result = self.test_auth.authorize(env_identity, req)
# if we have requested an exception but nothing came back then # if we have requested an exception but nothing came back then
if exception and not result: if exception and not result:
@ -398,5 +400,20 @@ class TestAuthorize(unittest.TestCase):
env={'REQUEST_METHOD': 'DELETE'}) env={'REQUEST_METHOD': 'DELETE'})
self.assertEqual(bool(req.environ.get('swift_owner')), True) self.assertEqual(bool(req.environ.get('swift_owner')), True)
def test_identity_set_up_at_call(self):
def fake_start_response(*args, **kwargs):
pass
the_env = self._get_identity(
tenant_id='test', roles=['reselleradmin'])
self.test_auth(the_env, fake_start_response)
subreq = Request.blank(
'/v1/%s/c/o' % self.test_auth._get_account_for_tenant('test'))
subreq.environ.update(
self._get_identity(tenant_id='test', roles=['got_erased']))
authorize_resp = the_env['swift.authorize'](subreq)
self.assertEqual(authorize_resp, None)
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()