diff --git a/doc/saio/swift/proxy-server.conf b/doc/saio/swift/proxy-server.conf
index 079f941031..c656e3aeab 100644
--- a/doc/saio/swift/proxy-server.conf
+++ b/doc/saio/swift/proxy-server.conf
@@ -53,8 +53,9 @@ use = egg:swift#tempurl
 use = egg:swift#tempauth
 user_admin_admin = admin .admin .reseller_admin
 user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
 user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin
 [filter:staticweb]
 use = egg:swift#staticweb
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index a7e813b643..7ad971fc5d 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -351,8 +351,9 @@ use = egg:swift#tempauth
 # Here are example entries, required for running the tests:
 user_admin_admin = admin .admin .reseller_admin
 user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
 user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin
 user_test5_tester5 = testing5 service
 # To enable Keystone authentication you need to have the auth token
diff --git a/test/functional/__init__.py b/test/functional/__init__.py
index 37cf9bce5a..02e30e5308 100644
--- a/test/functional/__init__.py
+++ b/test/functional/__init__.py
@@ -589,6 +589,10 @@ def in_process_setup(the_object_server=object_server):
 'password': 'testing',
 's3_access_key': 'test:tester',
 's3_secret_key': 'testing',
+ # Secondary user of the primary test account (needs admin access
+ # to the account) for s3api
+ 's3_access_key2': 'test:tester2',
+ 's3_secret_key2': 'testing2',
 # User on a second account (needs admin access to the account)
 'account2': 'test2',
 'username2': 'tester2',
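Review bot: The added `user_test_tester2 = testing2 .admin` line in etc/proxy-server.conf-sample grants account-admin rights on the `test` account with a password that is published in this sample, and the only explanation nearby is the existing comment that the entries are required for running the tests. A one-line comment above the entry would record why a second admin exists and where it belongs, for example `# tester2: second admin on the test account, used by the s3api functional tests; remove these entries outside test clusters`. The same entry is added to doc/saio/swift/proxy-server.conf, where the SAIO context already implies a development setup.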
@@ -596,8 +600,8 @@ def in_process_setup(the_object_server=object_server):
 # User on same account as first, but without admin access
 'username3': 'tester3',
 'password3': 'testing3',
- 's3_access_key2': 'test:tester3',
- 's3_secret_key2': 'testing3',
+ 's3_access_key3': 'test:tester3',
+ 's3_secret_key3': 'testing3',
 # Service user and prefix (emulates glance, cinder, etc. user)
 'account5': 'test5',
 'username5': 'tester5',
diff --git a/test/functional/s3api/test_acl.py b/test/functional/s3api/test_acl.py
index 33b01c6285..cc71410ead 100644
--- a/test/functional/s3api/test_acl.py
+++ b/test/functional/s3api/test_acl.py
@@ -35,14 +35,15 @@ class TestS3Acl(S3ApiBase):
 super(TestS3Acl, self).setUp()
 self.bucket = 'bucket'
 self.obj = 'object'
- if 's3_access_key2' not in tf.config or \
- 's3_secret_key2' not in tf.config:
+ if 's3_access_key3' not in tf.config or \
+ 's3_secret_key3' not in tf.config:
 raise tf.SkipTest(
- 'TestS3Acl requires s3_access_key2 and s3_secret_key2 setting')
+ 'TestS3Acl requires s3_access_key3 and s3_secret_key3 '
+ 'configured for reduced-access user')
 self.conn.make_request('PUT', self.bucket)
- access_key2 = tf.config['s3_access_key2']
- secret_key2 = tf.config['s3_secret_key2']
- self.conn2 = Connection(access_key2, secret_key2, access_key2)
+ access_key3 = tf.config['s3_access_key3']
+ secret_key3 = tf.config['s3_secret_key3']
+ self.conn3 = Connection(access_key3, secret_key3, access_key3)
 def test_acl(self):
 self.conn.make_request('PUT', self.bucket, self.obj)
@@ -103,7 +104,7 @@ class TestS3Acl(S3ApiBase):
 self.assertEqual(get_error_code(body), 'NoSuchBucket')
 status, headers, body = \
- self.conn2.make_request('PUT', self.bucket,
+ self.conn3.make_request('PUT', self.bucket,
 headers=req_headers, query='acl')
 self.assertEqual(get_error_code(body), 'AccessDenied')
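Review bot: The denied-access checks that now go through `self.conn3` assert only the S3 error code and never look at `status`, so a response carrying `AccessDenied` in the body with an unexpected HTTP status would still pass; this applies to the hunk at -103 here and to the ones at -118 and -135 in the same file. The test_bucket.py change in this commit pins both values, and the same line fits after each of these requests: `self.assertEqual(status, 403)`. In the -118 hunk the next visible line after the error-code assertion is the following test's `def`, so no status assertion follows there; the -103 and -135 hunks end at the assertion, so whether one follows is not visible.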
@@ -118,7 +119,7 @@ class TestS3Acl(S3ApiBase):
 self.assertEqual(get_error_code(body), 'NoSuchBucket')
 status, headers, body = \
- self.conn2.make_request('GET', self.bucket, query='acl')
+ self.conn3.make_request('GET', self.bucket, query='acl')
 self.assertEqual(get_error_code(body), 'AccessDenied')
 def test_get_object_acl_error(self):
@@ -135,7 +136,7 @@ class TestS3Acl(S3ApiBase):
 self.assertEqual(get_error_code(body), 'NoSuchKey')
 status, headers, body = \
- self.conn2.make_request('GET', self.bucket, self.obj, query='acl')
+ self.conn3.make_request('GET', self.bucket, self.obj, query='acl')
 self.assertEqual(get_error_code(body), 'AccessDenied')
diff --git a/test/functional/s3api/test_bucket.py b/test/functional/s3api/test_bucket.py
index 451dfbd47c..28083da5f7 100644
--- a/test/functional/s3api/test_bucket.py
+++ b/test/functional/s3api/test_bucket.py
@@ -151,11 +151,34 @@ class TestS3ApiBucket(S3ApiBase):
 self.conn.make_request('PUT', 'bucket')
 status, headers, body = self.conn.make_request('PUT', 'bucket')
+ self.assertEqual(status, 409)
+ self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+ if 's3_access_key2' not in tf.config or \
+ 's3_secret_key2' not in tf.config:
+ raise tf.SkipTest(
+ 'Cannot test for BucketAlreadyExists with second user; need '
+ 's3_access_key2 and s3_secret_key2 configured')
+ # Other users of the same account get the same error
+ conn2 = Connection(tf.config['s3_access_key2'],
+ tf.config['s3_secret_key2'],
+ tf.config['s3_access_key2'])
+ status, headers, body = conn2.make_request('PUT', 'bucket')
+ self.assertEqual(status, 409)
+ self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+ if 's3_access_key3' not in tf.config or \
+ 's3_secret_key3' not in tf.config:
+ raise tf.SkipTest('Cannot test for AccessDenied; need '
+ 's3_access_key3 and s3_secret_key3 configured')
 # If the user can't create buckets, they shouldn't even know
- # whether the bucket exists. For some reason, though, when s3_acl
- # is disabled, we translate 403 -> BucketAlreadyExists??
- self.assertIn(get_error_code(body),
- ('AccessDenied', 'BucketAlreadyExists'))
+ # whether the bucket exists.
+ conn3 = Connection(tf.config['s3_access_key3'],
+ tf.config['s3_secret_key3'],
+ tf.config['s3_access_key3'])
+ status, headers, body = conn3.make_request('PUT', 'bucket')
+ self.assertEqual(status, 403)
+ self.assertEqual(get_error_code(body), 'AccessDenied')
 def test_put_bucket_with_LocationConstraint(self):
 bucket = 'bucket'
diff --git a/test/sample.conf b/test/sample.conf
index 283e64192a..d33be75486 100644
--- a/test/sample.conf
+++ b/test/sample.conf
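Review bot: The two `raise tf.SkipTest(...)` calls in test_bucket.py sit in the middle of the test, after assertions have already run, and the first one also gates the unrelated third-user check: with `s3_access_key2` unset, the 403 / `AccessDenied` assertion for the unprivileged user never runs even when `s3_access_key3` is configured. A skip raised after passing assertions also reports the whole test as skipped, which hides that the owner's 409 check ran. Giving the second-user and third-user checks their own test methods, each starting with its own skip guard and its own bucket PUT, keeps the access-control check independent of the optional second admin. The enclosing test method starts above the hunk, so its name and any earlier setup are not visible here; the method names below are placeholders.

```python
    def test_put_bucket_error_key2(self):
        # … unchanged: s3_access_key2 / s3_secret_key2 skip guard …
        self.conn.make_request('PUT', 'bucket')
        # … unchanged: conn2 PUT and its 409 / BucketAlreadyExists assertions …

    def test_put_bucket_error_key3(self):
        # … unchanged: s3_access_key3 / s3_secret_key3 skip guard …
        self.conn.make_request('PUT', 'bucket')
        # … unchanged: conn3 PUT and its 403 / AccessDenied assertions …
```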
@@ -29,8 +29,12 @@ password2 = testing2
 username3 = tester3
 password3 = testing3
 # s3api requires the same account with the primary one and different users
-s3_access_key2 = test:tester3
-s3_secret_key2 = testing3
+# one swift owner:
+s3_access_key2 = test:tester2
+s3_secret_key2 = testing2
+# one unprivileged:
+s3_access_key3 = test:tester3
+s3_secret_key3 = testing3
 # Fourth user is required for keystone v3 specific tests.
 # Account must be in a non-default domain.
diff --git a/tools/playbooks/ceph-s3tests/ceph-s3.conf b/tools/playbooks/ceph-s3tests/ceph-s3.conf
index 7e66923a7a..3f9ebedb00 100644
--- a/tools/playbooks/ceph-s3tests/ceph-s3.conf
+++ b/tools/playbooks/ceph-s3tests/ceph-s3.conf
@@ -11,8 +11,8 @@ access_key = test:tester
 secret_key = testing
 [s3 alt]
-user_id = test:tester3
-display_name = test:tester3
-email = test:tester3
-access_key = test:tester3
-secret_key = testing3
+user_id = test:tester2
+display_name = test:tester2
+email = test:tester2
+access_key = test:tester2
+secret_key = testing2
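Review bot: `s3_access_key2` changes meaning in test/sample.conf from the unprivileged tester3 to an account admin (tester2), and the new comments `# one swift owner:` / `# one unprivileged:` do not say so. An existing test.conf that still points key2 at tester3 and has no key3 will make the ACL tests skip and, judging by the test_bucket.py change in this commit, make the second-user 409 check fail with a 403. I would spell the roles out, e.g. `# s3_access_key2: second user on the primary account WITH admin rights (was the unprivileged user before this change)` and `# s3_access_key3: user on the primary account WITHOUT admin rights; used for the AccessDenied checks`.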