Add another user for s3api func tests

Previously we'd use two users, one admin and one unprivileged.

Ceph's s3-tests, however, assume that both users should have access to
create buckets. Further, there are different errors that may be returned
depending on whether you are the *bucket* owner or not when using
s3_acl. So now we've got:

  test:tester1  (admin)
  test:tester2  (also admin)
  test:tester3  (unprivileged)

Change-Id: I0b67c53de3bcadc2c656d86131fca5f2c3114f14
This commit is contained in:
Tim Burke 2018-09-13 11:38:01 -06:00 committed by Kota Tsuyuzaki
parent 80001aa096
commit 5a8cfd6e06
7 changed files with 58 additions and 24 deletions

View File

@ -53,8 +53,9 @@ use = egg:swift#tempurl
use = egg:swift#tempauth use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin user_test_tester2 = testing2 .admin
user_test_tester3 = testing3 user_test_tester3 = testing3
user_test2_tester2 = testing2 .admin
[filter:staticweb] [filter:staticweb]
use = egg:swift#staticweb use = egg:swift#staticweb

View File

@ -351,8 +351,9 @@ use = egg:swift#tempauth
# Here are example entries, required for running the tests: # Here are example entries, required for running the tests:
user_admin_admin = admin .admin .reseller_admin user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin user_test_tester2 = testing2 .admin
user_test_tester3 = testing3 user_test_tester3 = testing3
user_test2_tester2 = testing2 .admin
user_test5_tester5 = testing5 service user_test5_tester5 = testing5 service
# To enable Keystone authentication you need to have the auth token # To enable Keystone authentication you need to have the auth token

View File

@ -589,6 +589,10 @@ def in_process_setup(the_object_server=object_server):
'password': 'testing', 'password': 'testing',
's3_access_key': 'test:tester', 's3_access_key': 'test:tester',
's3_secret_key': 'testing', 's3_secret_key': 'testing',
# Secondary user of the primary test account (needs admin access
# to the account) for s3api
's3_access_key2': 'test:tester2',
's3_secret_key2': 'testing2',
# User on a second account (needs admin access to the account) # User on a second account (needs admin access to the account)
'account2': 'test2', 'account2': 'test2',
'username2': 'tester2', 'username2': 'tester2',
@ -596,8 +600,8 @@ def in_process_setup(the_object_server=object_server):
# User on same account as first, but without admin access # User on same account as first, but without admin access
'username3': 'tester3', 'username3': 'tester3',
'password3': 'testing3', 'password3': 'testing3',
's3_access_key2': 'test:tester3', 's3_access_key3': 'test:tester3',
's3_secret_key2': 'testing3', 's3_secret_key3': 'testing3',
# Service user and prefix (emulates glance, cinder, etc. user) # Service user and prefix (emulates glance, cinder, etc. user)
'account5': 'test5', 'account5': 'test5',
'username5': 'tester5', 'username5': 'tester5',

View File

@ -35,14 +35,15 @@ class TestS3Acl(S3ApiBase):
super(TestS3Acl, self).setUp() super(TestS3Acl, self).setUp()
self.bucket = 'bucket' self.bucket = 'bucket'
self.obj = 'object' self.obj = 'object'
if 's3_access_key2' not in tf.config or \ if 's3_access_key3' not in tf.config or \
's3_secret_key2' not in tf.config: 's3_secret_key3' not in tf.config:
raise tf.SkipTest( raise tf.SkipTest(
'TestS3Acl requires s3_access_key2 and s3_secret_key2 setting') 'TestS3Acl requires s3_access_key3 and s3_secret_key3 '
'configured for reduced-access user')
self.conn.make_request('PUT', self.bucket) self.conn.make_request('PUT', self.bucket)
access_key2 = tf.config['s3_access_key2'] access_key3 = tf.config['s3_access_key3']
secret_key2 = tf.config['s3_secret_key2'] secret_key3 = tf.config['s3_secret_key3']
self.conn2 = Connection(access_key2, secret_key2, access_key2) self.conn3 = Connection(access_key3, secret_key3, access_key3)
def test_acl(self): def test_acl(self):
self.conn.make_request('PUT', self.bucket, self.obj) self.conn.make_request('PUT', self.bucket, self.obj)
@ -103,7 +104,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchBucket') self.assertEqual(get_error_code(body), 'NoSuchBucket')
status, headers, body = \ status, headers, body = \
self.conn2.make_request('PUT', self.bucket, self.conn3.make_request('PUT', self.bucket,
headers=req_headers, query='acl') headers=req_headers, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied') self.assertEqual(get_error_code(body), 'AccessDenied')
@ -118,7 +119,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchBucket') self.assertEqual(get_error_code(body), 'NoSuchBucket')
status, headers, body = \ status, headers, body = \
self.conn2.make_request('GET', self.bucket, query='acl') self.conn3.make_request('GET', self.bucket, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied') self.assertEqual(get_error_code(body), 'AccessDenied')
def test_get_object_acl_error(self): def test_get_object_acl_error(self):
@ -135,7 +136,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchKey') self.assertEqual(get_error_code(body), 'NoSuchKey')
status, headers, body = \ status, headers, body = \
self.conn2.make_request('GET', self.bucket, self.obj, query='acl') self.conn3.make_request('GET', self.bucket, self.obj, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied') self.assertEqual(get_error_code(body), 'AccessDenied')

View File

@ -151,11 +151,34 @@ class TestS3ApiBucket(S3ApiBase):
self.conn.make_request('PUT', 'bucket') self.conn.make_request('PUT', 'bucket')
status, headers, body = self.conn.make_request('PUT', 'bucket') status, headers, body = self.conn.make_request('PUT', 'bucket')
self.assertEqual(status, 409)
self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
if 's3_access_key2' not in tf.config or \
's3_secret_key2' not in tf.config:
raise tf.SkipTest(
'Cannot test for BucketAlreadyExists with second user; need '
's3_access_key2 and s3_secret_key2 configured')
# Other users of the same account get the same error
conn2 = Connection(tf.config['s3_access_key2'],
tf.config['s3_secret_key2'],
tf.config['s3_access_key2'])
status, headers, body = conn2.make_request('PUT', 'bucket')
self.assertEqual(status, 409)
self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
if 's3_access_key3' not in tf.config or \
's3_secret_key3' not in tf.config:
raise tf.SkipTest('Cannot test for AccessDenied; need '
's3_access_key3 and s3_secret_key3 configured')
# If the user can't create buckets, they shouldn't even know # If the user can't create buckets, they shouldn't even know
# whether the bucket exists. For some reason, though, when s3_acl # whether the bucket exists.
# is disabled, we translate 403 -> BucketAlreadyExists?? conn3 = Connection(tf.config['s3_access_key3'],
self.assertIn(get_error_code(body), tf.config['s3_secret_key3'],
('AccessDenied', 'BucketAlreadyExists')) tf.config['s3_access_key3'])
status, headers, body = conn3.make_request('PUT', 'bucket')
self.assertEqual(status, 403)
self.assertEqual(get_error_code(body), 'AccessDenied')
def test_put_bucket_with_LocationConstraint(self): def test_put_bucket_with_LocationConstraint(self):
bucket = 'bucket' bucket = 'bucket'

View File

@ -29,8 +29,12 @@ password2 = testing2
username3 = tester3 username3 = tester3
password3 = testing3 password3 = testing3
# s3api requires the same account with the primary one and different users # s3api requires the same account with the primary one and different users
s3_access_key2 = test:tester3 # one swift owner:
s3_secret_key2 = testing3 s3_access_key2 = test:tester2
s3_secret_key2 = testing2
# one unprivileged:
s3_access_key3 = test:tester3
s3_secret_key3 = testing3
# Fourth user is required for keystone v3 specific tests. # Fourth user is required for keystone v3 specific tests.
# Account must be in a non-default domain. # Account must be in a non-default domain.

View File

@ -11,8 +11,8 @@ access_key = test:tester
secret_key = testing secret_key = testing
[s3 alt] [s3 alt]
user_id = test:tester3 user_id = test:tester2
display_name = test:tester3 display_name = test:tester2
email = test:tester3 email = test:tester2
access_key = test:tester3 access_key = test:tester2
secret_key = testing3 secret_key = testing2