Add another user for s3api func tests
Previously we'd use two users, one admin and one unprivileged. Ceph's s3-tests, however, assume that both users should have access to create buckets. Further, there are different errors that may be returned depending on whether you are the *bucket* owner or not when using s3_acl. So now we've got: test:tester1 (admin) test:tester2 (also admin) test:tester3 (unprivileged) Change-Id: I0b67c53de3bcadc2c656d86131fca5f2c3114f14
parent
80001aa096
commit
5a8cfd6e06
@ -53,8 +53,9 @@ use = egg:swift#tempurl
|
|||||||
use = egg:swift#tempauth
|
use = egg:swift#tempauth
|
||||||
user_admin_admin = admin .admin .reseller_admin
|
user_admin_admin = admin .admin .reseller_admin
|
||||||
user_test_tester = testing .admin
|
user_test_tester = testing .admin
|
||||||
user_test2_tester2 = testing2 .admin
|
user_test_tester2 = testing2 .admin
|
||||||
user_test_tester3 = testing3
|
user_test_tester3 = testing3
|
||||||
|
user_test2_tester2 = testing2 .admin
|
||||||
|
|
||||||
[filter:staticweb]
|
[filter:staticweb]
|
||||||
use = egg:swift#staticweb
|
use = egg:swift#staticweb
|
||||||
|
@ -351,8 +351,9 @@ use = egg:swift#tempauth
|
|||||||
# Here are example entries, required for running the tests:
|
# Here are example entries, required for running the tests:
|
||||||
user_admin_admin = admin .admin .reseller_admin
|
user_admin_admin = admin .admin .reseller_admin
|
||||||
user_test_tester = testing .admin
|
user_test_tester = testing .admin
|
||||||
user_test2_tester2 = testing2 .admin
|
user_test_tester2 = testing2 .admin
|
||||||
user_test_tester3 = testing3
|
user_test_tester3 = testing3
|
||||||
|
user_test2_tester2 = testing2 .admin
|
||||||
user_test5_tester5 = testing5 service
|
user_test5_tester5 = testing5 service
|
||||||
|
|
||||||
# To enable Keystone authentication you need to have the auth token
|
# To enable Keystone authentication you need to have the auth token
|
||||||
|
@ -589,6 +589,10 @@ def in_process_setup(the_object_server=object_server):
|
|||||||
'password': 'testing',
|
'password': 'testing',
|
||||||
's3_access_key': 'test:tester',
|
's3_access_key': 'test:tester',
|
||||||
's3_secret_key': 'testing',
|
's3_secret_key': 'testing',
|
||||||
|
# Secondary user of the primary test account (needs admin access
|
||||||
|
# to the account) for s3api
|
||||||
|
's3_access_key2': 'test:tester2',
|
||||||
|
's3_secret_key2': 'testing2',
|
||||||
# User on a second account (needs admin access to the account)
|
# User on a second account (needs admin access to the account)
|
||||||
'account2': 'test2',
|
'account2': 'test2',
|
||||||
'username2': 'tester2',
|
'username2': 'tester2',
|
||||||
@ -596,8 +600,8 @@ def in_process_setup(the_object_server=object_server):
|
|||||||
# User on same account as first, but without admin access
|
# User on same account as first, but without admin access
|
||||||
'username3': 'tester3',
|
'username3': 'tester3',
|
||||||
'password3': 'testing3',
|
'password3': 'testing3',
|
||||||
's3_access_key2': 'test:tester3',
|
's3_access_key3': 'test:tester3',
|
||||||
's3_secret_key2': 'testing3',
|
's3_secret_key3': 'testing3',
|
||||||
# Service user and prefix (emulates glance, cinder, etc. user)
|
# Service user and prefix (emulates glance, cinder, etc. user)
|
||||||
'account5': 'test5',
|
'account5': 'test5',
|
||||||
'username5': 'tester5',
|
'username5': 'tester5',
|
||||||
|
@ -35,14 +35,15 @@ class TestS3Acl(S3ApiBase):
|
|||||||
super(TestS3Acl, self).setUp()
|
super(TestS3Acl, self).setUp()
|
||||||
self.bucket = 'bucket'
|
self.bucket = 'bucket'
|
||||||
self.obj = 'object'
|
self.obj = 'object'
|
||||||
if 's3_access_key2' not in tf.config or \
|
if 's3_access_key3' not in tf.config or \
|
||||||
's3_secret_key2' not in tf.config:
|
's3_secret_key3' not in tf.config:
|
||||||
raise tf.SkipTest(
|
raise tf.SkipTest(
|
||||||
'TestS3Acl requires s3_access_key2 and s3_secret_key2 setting')
|
'TestS3Acl requires s3_access_key3 and s3_secret_key3 '
|
||||||
|
'configured for reduced-access user')
|
||||||
self.conn.make_request('PUT', self.bucket)
|
self.conn.make_request('PUT', self.bucket)
|
||||||
access_key2 = tf.config['s3_access_key2']
|
access_key3 = tf.config['s3_access_key3']
|
||||||
secret_key2 = tf.config['s3_secret_key2']
|
secret_key3 = tf.config['s3_secret_key3']
|
||||||
self.conn2 = Connection(access_key2, secret_key2, access_key2)
|
self.conn3 = Connection(access_key3, secret_key3, access_key3)
|
||||||
|
|
||||||
def test_acl(self):
|
def test_acl(self):
|
||||||
self.conn.make_request('PUT', self.bucket, self.obj)
|
self.conn.make_request('PUT', self.bucket, self.obj)
|
||||||
@ -103,7 +104,7 @@ class TestS3Acl(S3ApiBase):
|
|||||||
self.assertEqual(get_error_code(body), 'NoSuchBucket')
|
self.assertEqual(get_error_code(body), 'NoSuchBucket')
|
||||||
|
|
||||||
status, headers, body = \
|
status, headers, body = \
|
||||||
self.conn2.make_request('PUT', self.bucket,
|
self.conn3.make_request('PUT', self.bucket,
|
||||||
headers=req_headers, query='acl')
|
headers=req_headers, query='acl')
|
||||||
self.assertEqual(get_error_code(body), 'AccessDenied')
|
self.assertEqual(get_error_code(body), 'AccessDenied')
|
||||||
|
|
||||||
@ -118,7 +119,7 @@ class TestS3Acl(S3ApiBase):
|
|||||||
self.assertEqual(get_error_code(body), 'NoSuchBucket')
|
self.assertEqual(get_error_code(body), 'NoSuchBucket')
|
||||||
|
|
||||||
status, headers, body = \
|
status, headers, body = \
|
||||||
self.conn2.make_request('GET', self.bucket, query='acl')
|
self.conn3.make_request('GET', self.bucket, query='acl')
|
||||||
self.assertEqual(get_error_code(body), 'AccessDenied')
|
self.assertEqual(get_error_code(body), 'AccessDenied')
|
||||||
|
|
||||||
def test_get_object_acl_error(self):
|
def test_get_object_acl_error(self):
|
||||||
@ -135,7 +136,7 @@ class TestS3Acl(S3ApiBase):
|
|||||||
self.assertEqual(get_error_code(body), 'NoSuchKey')
|
self.assertEqual(get_error_code(body), 'NoSuchKey')
|
||||||
|
|
||||||
status, headers, body = \
|
status, headers, body = \
|
||||||
self.conn2.make_request('GET', self.bucket, self.obj, query='acl')
|
self.conn3.make_request('GET', self.bucket, self.obj, query='acl')
|
||||||
self.assertEqual(get_error_code(body), 'AccessDenied')
|
self.assertEqual(get_error_code(body), 'AccessDenied')
|
||||||
|
|
||||||
|
|
||||||
|
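Review bot: The reduced-access checks made through `self.conn3` assert only the error code and never the HTTP status, although `status` is unpacked on every call. For the three `AccessDenied` cases visible here (PUT bucket acl, GET bucket acl, GET object acl) I would add `self.assertEqual(status, 403)` before the `get_error_code` assertion, which is what the bucket test in this same commit already does for its `conn3` request. Without it, a response carrying an AccessDenied body under an unexpected status would still pass. The test methods start and end outside these hunks, so this is based on the visible lines only.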
@ -151,11 +151,34 @@ class TestS3ApiBucket(S3ApiBase):
|
|||||||
|
|
||||||
self.conn.make_request('PUT', 'bucket')
|
self.conn.make_request('PUT', 'bucket')
|
||||||
status, headers, body = self.conn.make_request('PUT', 'bucket')
|
status, headers, body = self.conn.make_request('PUT', 'bucket')
|
||||||
|
self.assertEqual(status, 409)
|
||||||
|
self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
|
||||||
|
|
||||||
|
if 's3_access_key2' not in tf.config or \
|
||||||
|
's3_secret_key2' not in tf.config:
|
||||||
|
raise tf.SkipTest(
|
||||||
|
'Cannot test for BucketAlreadyExists with second user; need '
|
||||||
|
's3_access_key2 and s3_secret_key2 configured')
|
||||||
|
# Other users of the same account get the same error
|
||||||
|
conn2 = Connection(tf.config['s3_access_key2'],
|
||||||
|
tf.config['s3_secret_key2'],
|
||||||
|
tf.config['s3_access_key2'])
|
||||||
|
status, headers, body = conn2.make_request('PUT', 'bucket')
|
||||||
|
self.assertEqual(status, 409)
|
||||||
|
self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
|
||||||
|
|
||||||
|
if 's3_access_key3' not in tf.config or \
|
||||||
|
's3_secret_key3' not in tf.config:
|
||||||
|
raise tf.SkipTest('Cannot test for AccessDenied; need '
|
||||||
|
's3_access_key3 and s3_secret_key3 configured')
|
||||||
# If the user can't create buckets, they shouldn't even know
|
# If the user can't create buckets, they shouldn't even know
|
||||||
# whether the bucket exists. For some reason, though, when s3_acl
|
# whether the bucket exists.
|
||||||
# is disabled, we translate 403 -> BucketAlreadyExists??
|
conn3 = Connection(tf.config['s3_access_key3'],
|
||||||
self.assertIn(get_error_code(body),
|
tf.config['s3_secret_key3'],
|
||||||
('AccessDenied', 'BucketAlreadyExists'))
|
tf.config['s3_access_key3'])
|
||||||
|
status, headers, body = conn3.make_request('PUT', 'bucket')
|
||||||
|
self.assertEqual(status, 403)
|
||||||
|
self.assertEqual(get_error_code(body), 'AccessDenied')
|
||||||
|
|
||||||
def test_put_bucket_with_LocationConstraint(self):
|
def test_put_bucket_with_LocationConstraint(self):
|
||||||
bucket = 'bucket'
|
bucket = 'bucket'
|
||||||
|
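Review bot: The unprivileged-user check at the end of this test is only reached when `s3_access_key2` and `s3_secret_key2` are configured, because the earlier `raise tf.SkipTest(...)` for the second user aborts the method before the `conn3` block. A run that has only the third user configured therefore never verifies that the reduced-access user gets 403 `AccessDenied`, and the whole test is reported as skipped even though the first-user assertions already ran. I would move the `conn2` and `conn3` checks into separate test methods, each with its own skip guard and its own initial `self.conn.make_request('PUT', 'bucket')`, so the access-control assertion does not depend on an unrelated setting. The enclosing method begins above the hunk.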
@ -29,8 +29,12 @@ password2 = testing2
|
|||||||
username3 = tester3
|
username3 = tester3
|
||||||
password3 = testing3
|
password3 = testing3
|
||||||
# s3api requires the same account with the primary one and different users
|
# s3api requires the same account with the primary one and different users
|
||||||
s3_access_key2 = test:tester3
|
# one swift owner:
|
||||||
s3_secret_key2 = testing3
|
s3_access_key2 = test:tester2
|
||||||
|
s3_secret_key2 = testing2
|
||||||
|
# one unprivileged:
|
||||||
|
s3_access_key3 = test:tester3
|
||||||
|
s3_secret_key3 = testing3
|
||||||
|
|
||||||
# Fourth user is required for keystone v3 specific tests.
|
# Fourth user is required for keystone v3 specific tests.
|
||||||
# Account must be in a non-default domain.
|
# Account must be in a non-default domain.
|
||||||
|
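Review bot: `s3_access_key2` changes meaning here, from the unprivileged user to a second admin on the primary account, and nothing in the sample warns people who already have a test config. With an old config (`s3_access_key2 = test:tester3` and no `s3_access_key3`), TestS3Acl as changed in this commit skips itself, so the reduced-access ACL tests silently stop running. The new second-user bucket check would presumably see 403 where it expects 409. I would add a comment above the new keys such as `# NOTE: s3_access_key2 used to be the unprivileged user; that role is now s3_access_key3`.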
@ -11,8 +11,8 @@ access_key = test:tester
|
|||||||
secret_key = testing
|
secret_key = testing
|
||||||
|
|
||||||
[s3 alt]
|
[s3 alt]
|
||||||
user_id = test:tester3
|
user_id = test:tester2
|
||||||
display_name = test:tester3
|
display_name = test:tester2
|
||||||
email = test:tester3
|
email = test:tester2
|
||||||
access_key = test:tester3
|
access_key = test:tester2
|
||||||
secret_key = testing3
|
secret_key = testing2
|
||||||
|