From 8c2c9bec7eed9f1c8a1ce3135cd89385df4d6520 Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Tue, 17 Nov 2020 16:43:15 -0800
Subject: [PATCH] s3api: Clone ACLs when creating +segments container
Change-Id: I3d23d5ff4b3f76db15e84ed37b1cb8503eb58dd5
---
 .../s3api/controllers/multi_upload.py | 6 +-
 .../middleware/s3api/test_multi_upload.py | 69 ++++++++++++++++++-
 2 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/swift/common/middleware/s3api/controllers/multi_upload.py b/swift/common/middleware/s3api/controllers/multi_upload.py
index 3ab7e78016..823f80e964 100644
--- a/swift/common/middleware/s3api/controllers/multi_upload.py
+++ b/swift/common/middleware/s3api/controllers/multi_upload.py
@@ -425,10 +425,14 @@ class UploadsController(Controller):
 except NoSuchBucket:
 try:
 # multi-upload bucket doesn't exist, create one with
- # same storage policy as the primary bucket
+ # same storage policy and acls as the primary bucket
 info = req.get_container_info(self.app)
 policy_name = POLICIES[info['storage_policy']].name
 hdrs = {'X-Storage-Policy': policy_name}
+ if info.get('read_acl'):
+ hdrs['X-Container-Read'] = info['read_acl']
+ if info.get('write_acl'):
+ hdrs['X-Container-Write'] = info['write_acl']
 seg_req.get_response(self.app, 'PUT', seg_container, '',
 headers=hdrs)
 except (BucketAlreadyExists, BucketAlreadyOwnedByYou):
diff --git a/test/unit/common/middleware/s3api/test_multi_upload.py b/test/unit/common/middleware/s3api/test_multi_upload.py
index 3a0dc4c1eb..2e08c7ab38 100644
--- a/test/unit/common/middleware/s3api/test_multi_upload.py
+++ b/test/unit/common/middleware/s3api/test_multi_upload.py
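Review bot: The ACL copy in swift/common/middleware/s3api/controllers/multi_upload.py happens only on the `except NoSuchBucket` path that creates the +segments container, so it is a one-time snapshot. Nothing in this hunk re-applies `X-Container-Read`/`X-Container-Write` when the segments container already exists or when the primary bucket's ACLs change later, which can leave the two containers with different access rules. The values come from `req.get_container_info(self.app)`, which the new tests feed from memcache, so a stale cached entry would presumably be cloned as-is. At minimum I would extend the comment to say so, e.g. `# NOTE: ACLs are copied once, at creation; later ACL changes on the primary bucket are not mirrored to the segments container`. The enclosing method starts and ends outside the hunk.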
@@ -573,7 +573,9 @@ class TestS3ApiMultiUpload(S3ApiTestCase):
 'multi_upload.unique_id', lambda: 'X')
 def _test_object_multipart_upload_initiate(self, headers, cache=None,
 bucket_exists=True,
- expected_policy=None):
+ expected_policy=None,
+ expected_read_acl=None,
+ expected_write_acl=None):
 headers.update({
 'Authorization': 'AWS test:tester:hmac',
 'Date': self.get_date_header(),
@@ -604,6 +606,20 @@ class TestS3ApiMultiUpload(S3ApiTestCase):
 _, _, req_headers = self.swift.calls_with_headers[-2]
 self.assertEqual(req_headers.get('X-Storage-Policy'),
 expected_policy)
+
+ if expected_read_acl:
+ _, _, req_headers = self.swift.calls_with_headers[-2]
+ self.assertEqual(req_headers.get('X-Container-Read'),
+ expected_read_acl)
+ else:
+ self.assertNotIn('X-Container-Read', req_headers)
+
+ if expected_write_acl:
+ _, _, req_headers = self.swift.calls_with_headers[-2]
+ self.assertEqual(req_headers.get('X-Container-Write'),
+ expected_write_acl)
+ else:
+ self.assertNotIn('X-Container-Write', req_headers)
 self.swift.clear_calls()
 def test_object_multipart_upload_initiate_with_segment_bucket(self):
@@ -640,7 +656,7 @@ class TestS3ApiMultiUpload(S3ApiTestCase):
 @patch_policies([
 StoragePolicy(0, 'gold', is_default=True),
 StoragePolicy(1, 'silver')])
- def test_object_mpu_initiate_without_segment_bucket_same_container(self):
+ def test_object_mpu_initiate_without_segment_bucket_same_policy(self):
 self.swift.register('PUT', '/v1/AUTH_test/bucket+segments',
 swob.HTTPCreated,
 {'X-Storage-Policy': 'silver'}, None)
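Review bot: In the `@@ -604,6 +606,20 @@` hunk the two `else:` branches call `self.assertNotIn(..., req_headers)` without rebinding `req_headers`, so the negative check runs against whatever request headers were bound last, earlier in the helper. If that earlier binding is conditional or refers to the object PUT rather than the container PUT (not visible here, and indentation is lost in this rendering), the test can pass while an ACL header is actually sent on the +segments PUT. Binding once before both checks with `_, _, req_headers = self.swift.calls_with_headers[-2]`, and dropping the two copies inside the `if` branches, makes the positive and negative assertions look at the same container-creation request. The helper's body extends outside the hunk.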
@@ -664,6 +680,55 @@ class TestS3ApiMultiUpload(S3ApiTestCase):
 bucket_exists=False,
 expected_policy='silver')
+ def test_object_mpu_initiate_without_segment_bucket_same_acls(self):
+ self.swift.register('PUT', '/v1/AUTH_test/bucket+segments',
+ swob.HTTPCreated, {}, None)
+ fake_memcache = FakeMemcache()
+ fake_memcache.store[get_cache_key(
+ 'AUTH_test', 'bucket')] = {'status': 204,
+ 'read_acl': 'alice,bob',
+ 'write_acl': 'bob,charles'}
+ fake_memcache.store[get_cache_key(
+ 'AUTH_test', 'bucket+segments')] = {'status': 404}
+ self.s3api.conf.derived_container_policy_use_default = False
+ self._test_object_multipart_upload_initiate(
+ {}, fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='alice,bob', expected_write_acl='bob,charles')
+ self._test_object_multipart_upload_initiate(
+ {'Etag': 'blahblahblah'}, fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='alice,bob', expected_write_acl='bob,charles')
+ self._test_object_multipart_upload_initiate(
+ {'Content-MD5': base64.b64encode(b'blahblahblahblah').strip()},
+ fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='alice,bob', expected_write_acl='bob,charles')
+
+ def test_object_mpu_initiate_without_segment_bucket_make_public(self):
+ self.swift.register('PUT', '/v1/AUTH_test/bucket+segments',
+ swob.HTTPCreated, {}, None)
+ fake_memcache = FakeMemcache()
+ fake_memcache.store[get_cache_key(
+ 'AUTH_test', 'bucket')] = {'status': 204,
+ 'read_acl': '.r:*,.rlistings'}
+ fake_memcache.store[get_cache_key(
+ 'AUTH_test', 'bucket+segments')] = {'status': 404}
+ self.s3api.conf.derived_container_policy_use_default = False
+ self._test_object_multipart_upload_initiate(
+ {}, fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='.r:*,.rlistings')
+ self._test_object_multipart_upload_initiate(
+ {'Etag': 'blahblahblah'}, fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='.r:*,.rlistings')
+ self._test_object_multipart_upload_initiate(
+ {'Content-MD5': 
base64.b64encode(b'blahblahblahblah').strip()},
+ fake_memcache,
+ bucket_exists=False,
+ expected_read_acl='.r:*,.rlistings')
+
 @patch('swift.common.middleware.s3api.controllers.multi_upload.'
 'unique_id', lambda: 'X')
 def _test_object_multipart_upload_initiate_s3acl(
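Review bot: `test_object_mpu_initiate_without_segment_bucket_make_public` pins that a primary-bucket ACL of `.r:*,.rlistings` is copied verbatim onto `bucket+segments`, which makes the segments container publicly listable as well as readable. Reading a completed upload needs read access to the segments, but listing that container would also reveal parts of uploads that have not been completed, so it is worth deciding whether `.rlistings` should be carried over. If it is intended, say so in the test, e.g. `# .rlistings is cloned on purpose; the segments container becomes publicly listable`. There is also no case here for a bucket with only `write_acl` set.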