Adding Storlets Get ACL feature
This patch introduces the storlets data security feature
described in [1].
The changes are centered around the following components:
1. The storlet middleware proxy handler. In this handler we
- Deal with the container ACL update
- Add the retry flow described in [1]
- Block requests having the internal referrer explained in [1]
2. The functional test for the API is placed in a new
'common' directory designated for tests that are not
storlet dependent
3. Being the first storlet API that adds a container
operation, there is a minor change in the parse_vaco
method.
4. To test the change we need a user that:
- has read access to the storlet container
- does not have access to arbitrary containers.
This involved the following changes:
- Have the installation scripts create a _member_user
in Keystone, giving the user access to the storlets
container
- Add to the test classes a method for getting a token
for that user
While at it, I have made the following 'cleanups':
1. replaced deprecated keystone cli usage with openstack cli,
which in turn needs to be changed to Ansible modules usage
2. moved unused roles to archive
3. some internal cleanups in .yml
[1] https://wiki.openstack.org/wiki/Storlets/DataSecuritySpec
Implements: blueprint get-with-storlet
Change-Id: I743cf2a551b69581b03469cdb63b533812c3de8a
committed by
Takashi Kajinami
parent
97e295b959
commit
7f6c8487b7
@@ -24,8 +24,8 @@ class TestCapabilities(StorletBaseFunctionalTest):
|
||||
|
||||
def test_get_capabilities(self):
|
||||
conn = swift_client.Connection(self.conf.auth_uri,
|
||||
self.conf.user,
|
||||
self.conf.password,
|
||||
self.conf.admin_user,
|
||||
self.conf.admin_password,
|
||||
insecure=True,
|
||||
tenant_name=self.conf.tenant_name,
|
||||
auth_version=self.conf.auth_version)
|
||||
|
||||
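Review bot: `insecure=True` stays hard-coded on the `swift_client.Connection` in `test_get_capabilities`, and with the switch to `self.conf.admin_user` / `self.conf.admin_password` the admin account's credentials now travel over a connection that skips TLS certificate verification. If that is acceptable because the functional tests only ever target a disposable cluster with a self-signed certificate, say so in a comment on that argument, for example `# insecure=True: test cluster uses a self-signed cert, never point this at a shared endpoint`. Otherwise the flag would be better read from the test configuration than fixed in the call. The body of the test continues past the end of the hunk.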
@@ -14,9 +14,11 @@ Limitations under the License.
|
||||
-------------------------------------------------------------------------'''
|
||||
|
||||
import threading
|
||||
from swiftclient import client as c
|
||||
from swiftclient import client as swift_client
|
||||
from swiftclient import ClientException
|
||||
from nose.plugins.attrib import attr
|
||||
from tests.functional.java import StorletJavaFunctionalTest
|
||||
from tools.utils import get_member_auth
|
||||
|
||||
|
||||
class myTestThread (threading.Thread):
|
||||
@@ -41,11 +43,20 @@ class TestTestStorlet(StorletJavaFunctionalTest):
|
||||
'myobjects',
|
||||
'')
|
||||
|
||||
c.put_object(self.url,
|
||||
self.token,
|
||||
self.container,
|
||||
'test_object',
|
||||
'some content')
|
||||
self.member_url, self.member_token = get_member_auth(self.conf)
|
||||
|
||||
swift_client.put_object(self.url,
|
||||
self.token,
|
||||
self.container,
|
||||
'test_object',
|
||||
'some content')
|
||||
|
||||
def tearDown(self):
|
||||
headers = {'X-Container-Read': ''}
|
||||
swift_client.post_container(self.url,
|
||||
self.token,
|
||||
'myobjects',
|
||||
headers)
|
||||
|
||||
def invokeTestStorlet(self, op, withlog=False):
|
||||
headers = {'X-Run-Storlet': self.storlet_name}
|
||||
@@ -56,17 +67,22 @@ class TestTestStorlet(StorletJavaFunctionalTest):
|
||||
params = 'op={0}¶m2=val2'.format(op)
|
||||
resp_dict = dict()
|
||||
try:
|
||||
resp_headers, gf = c.get_object(self.url, self.token, 'myobjects',
|
||||
'test_object', None, None, params,
|
||||
resp_dict, headers)
|
||||
resp_headers, gf = swift_client.get_object(self.url, self.token,
|
||||
'myobjects',
|
||||
'test_object',
|
||||
None, None, params,
|
||||
resp_dict, headers)
|
||||
get_text = gf
|
||||
get_response_status = resp_dict.get('status')
|
||||
|
||||
if withlog is True:
|
||||
resp_headers, gf = c.get_object(self.url, self.token,
|
||||
'storletlog', 'test.log',
|
||||
None, None, None, None,
|
||||
headers)
|
||||
resp_headers, gf = swift_client.get_object(self.url,
|
||||
self.token,
|
||||
'storletlog',
|
||||
'test.log',
|
||||
None, None,
|
||||
None, None,
|
||||
headers)
|
||||
self.assertEqual(resp_headers.get('status'), 200)
|
||||
gf.read()
|
||||
self.assertEqual(resp_headers.get('status') == 200)
|
||||
@@ -107,9 +123,47 @@ class TestTestStorlet(StorletJavaFunctionalTest):
|
||||
for t in mythreads:
|
||||
t.join()
|
||||
|
||||
@attr('slow')
|
||||
def test_parallel_print(self):
|
||||
self.invokeTestStorletinParallel()
|
||||
|
||||
def test_storlet_acl_get_fail(self):
|
||||
headers = {'X-Run-Storlet': self.storlet_name}
|
||||
headers.update(self.additional_headers)
|
||||
exc_pattern = '^.*403 Forbidden.*$'
|
||||
with self.assertRaisesRegexp(ClientException, exc_pattern):
|
||||
swift_client.get_object(self.member_url, self.member_token,
|
||||
'myobjects', 'test_object',
|
||||
headers=headers)
|
||||
|
||||
def test_storlet_acl_get_success(self):
|
||||
headers = {'X-Run-Storlet': self.storlet_name}
|
||||
headers.update(self.additional_headers)
|
||||
exc_pattern = '^.*403 Forbidden.*$'
|
||||
with self.assertRaisesRegexp(ClientException, exc_pattern):
|
||||
swift_client.get_object(self.member_url, self.member_token,
|
||||
'myobjects', 'test_object',
|
||||
headers=headers)
|
||||
|
||||
headers = {'X-Storlet-Container-Read': self.conf.member_user,
|
||||
'X-Storlet-Name': self.storlet_name}
|
||||
swift_client.post_container(self.url,
|
||||
self.token,
|
||||
'myobjects',
|
||||
headers)
|
||||
swift_client.head_container(self.url,
|
||||
self.token,
|
||||
'myobjects')
|
||||
headers = {'X-Run-Storlet': self.storlet_name}
|
||||
headers.update(self.additional_headers)
|
||||
resp_dict = dict()
|
||||
swift_client.get_object(self.member_url,
|
||||
self.member_token,
|
||||
'myobjects', 'test_object',
|
||||
response_dict=resp_dict,
|
||||
headers=headers)
|
||||
self.assertEqual(resp_dict['status'], 200)
|
||||
|
||||
|
||||
class TestTestStorletOnProxy(TestTestStorlet):
|
||||
def setUp(self):
|
||||
|
||||
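Review bot: `test_storlet_acl_get_success` checks only that the member user can read `test_object` through the storlet once `X-Storlet-Container-Read` is posted; it never checks that the same user is still refused a plain GET without `X-Run-Storlet`. Going by the commit description, the grant is presumably meant to apply only to requests that run the named storlet, so a regression that turned it into an ordinary container read ACL would still pass this test. After the 200 assertion, add `with self.assertRaisesRegexp(ClientException, exc_pattern):` around `swift_client.get_object(self.member_url, self.member_token, 'myobjects', 'test_object')`. The result of `swift_client.head_container` is also discarded, so nothing here asserts on the container's ACL headers after the update.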