openstack/swift
Code Issues Proposed changes
ce6c850258
swift/test/unit/proxy/controllers/test_account.py

381 lines
15 KiB
Python
Raw Normal View History

Change OpenStack LLC to Foundation Change-Id: I7c3df47c31759dbeb3105f8883e2688ada848d58 Closes-bug: #1214176
2013-09-20 01:00:54 +08:00
# Copyright (c) 2010-2012 OpenStack Foundation
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import mock
import unittest
Privileged acct ACL header, new ACL syntax, TempAuth impl. * Introduce a new privileged account header: X-Account-Access-Control * Introduce JSON-based version 2 ACL syntax -- see below for discussion * Implement account ACL authorization in TempAuth X-Account-Access-Control Header ------------------------------- Accounts now have a new privileged header to represent ACLs or any other form of account-level access control. The value of the header is an opaque string to be interpreted by the auth system, but it must be a JSON-encoded dictionary. A reference implementation is given in TempAuth, with the knowledge that historically other auth systems often use TempAuth as a starting point. The reference implementation describes three levels of account access: "admin", "read-write", and "read-only". Adding new access control features in a future patch (e.g. "write-only" account access) will automatically be forward- and backward-compatible, due to the JSON dictionary header format. The privileged X-Account-Access-Control header may only be read or written by a user with "swift_owner" status, traditionally the account owner but now also any user on the "admin" ACL. Access Levels: Read-only access is intended to indicate to the auth system that this list of identities can read everything (except privileged headers) in the account. Specifically, a user with read-only account access can get a list of containers in the account, list the contents of any container, retrieve any object, and see the (non-privileged) headers of the account, any container, or any object. Read-write access is intended to indicate to the auth system that this list of identities can read or write (or create) any container. A user with read-write account access can create new containers, set any unprivileged container headers, overwrite objects, delete containers, etc. A read-write user can NOT set account headers (or perform any PUT/POST/DELETE requests on the account). Admin access is intended to indicate to the auth system that this list of identities has "swift_owner" privileges. A user with admin account access can do anything the account owner can, including setting account headers and any privileged headers -- and thus changing the value of X-Account-Access-Control and thereby granting read-only, read-write, or admin access to other users. The auth system is responsible for making decisions based on this header, if it chooses to support its use. Therefore the above access level descriptions are necessarily advisory only for other auth systems. When setting the value of the header, callers are urged to use the new format_acl() method, described below. New ACL Format -------------- The account ACLs introduce a new format for ACLs, rather than reusing the existing format from X-Container-Read/X-Container-Write. There are several reasons for this: * Container ACL format does not support Unicode * Container ACLs have a different structure than account ACLs + account ACLs have no concept of referrers or rlistings + accounts have additional "admin" access level + account access levels are structured as admin > rw > ro, which seems more appropriate for how people access accounts, rather than reusing container ACLs' orthogonal read and write access In addition, the container ACL syntax is a bit arbitrary and highly custom, so instead of parsing additional custom syntax, I'd rather propose a next version and introduce a means for migration. The V2 ACL syntax has the following benefits: * JSON is a well-known standard syntax with parsers in all languages * no artificial value restrictions (you can grant access to a user named ".rlistings" if you want) * forward and backward compatibility: you may have extraneous keys, but your attempt to parse the header won't raise an exception I've introduced hooks in parse_acl and format_acl which currently default to the old V1 syntax but tolerate the V2 syntax and can easily be flipped to default to V2. I'm not changing the default or adding code to rewrite V1 ACLs to V2, because this patch has suffered a lot of scope creep already, but this seems like a sensible milestone in the migration. TempAuth Account ACL Implementation ----------------------------------- As stated above, core Swift is responsible for privileging the X-Account-Access-Control header (making it only accessible to swift_owners), for translating it to -sysmeta-* headers to trigger persistence by the account server, and for including the header in the responses to requests by privileged users. Core Swift puts no expectation on the *content* of this header. Auth systems (including TempAuth) are responsible for defining the content of the header and taking action based on it. In addition to the changes described above, this patch defines a format to be used by TempAuth for these headers in the common.middleware.acl module, in the methods format_v2_acl() and parse_v2_acl(). This patch also teaches TempAuth to take action based on the header contents. TempAuth now sets swift_owner=True if the user is on the Admin ACL, authorizes GET/HEAD/OPTIONS requests if the user is on any ACL, authorizes PUT/POST/DELETE requests if the user is on the admin or read-write ACL, etc. Note that the action of setting swift_owner=True triggers core Swift to add or strip the privileged headers from the responses. Core Swift (not the auth system) is responsible for that. DocImpact: Documentation for the new ACL usage and format appears in summary form in doc/source/overview_auth.rst, and in more detail in swift/common/middleware/tempauth.py in the TempAuth class docstring. I leave it to the Swift doc team to determine whether more is needed. Change-Id: I836a99eaaa6bb0e92dc03e1ca46a474522e6e826
2013-11-13 20:55:14 +00:00
from swift.common.swob import Request, Response
from swift.common.middleware.acl import format_acl
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
from swift.proxy import server as proxy_server
from swift.proxy.controllers.base import headers_to_account_info
Rework use of constraints to ease testing Prior to this patch both mainline code and testing modules imported and used constraints directly into their own namespace, or relied on the namespace of other modules that were not the constraints module. This meant that if a unit test wanted to change a constraint for its operation, it had to know how that module was using the constraint, instead of referencing the constraint module itself. This patch unifies the use of constraints so that all constraints are referenced via the constraints module. In turn, this allows a test to leverage the re-loadable nature of the constraints in the constraints module. It addition, a number of functional tests where using the default values for constraints, instead of the configured value discovered in a test.conf or in an existing swift.conf. This patch removes those direct references in favor of the load_constraint() method from the test/functional/tests.py module. Change-Id: Ia5313d653c667dd9ca800786de59b59334c34eaa
2014-04-02 16:16:21 -04:00
from swift.common import constraints
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
from test.unit import fake_http_connect, FakeRing, FakeMemcache
Add Storage Policy support to Object Server Objects now have a storage policy index associated with them as well; this is determined by their filesystem path. Like before, objects in policy 0 are in /srv/node/$disk/objects; this provides compatibility on upgrade. (Recall that policy 0 is given to all existing data when a cluster is upgraded.) Objects in policy 1 are in /srv/node/$disk/objects-1, objects in policy 2 are in /srv/node/$disk/objects-2, and so on. * 'quarantined' dir already created 'objects' subdir so now there will also be objects-N created at the same level This commit does not address replicators, auditors, or updaters except where method signatures changed. They'll still work if your cluster has only one storage policy, though. DocImpact Implements: blueprint storage-policies Change-Id: I459f3ed97df516cb0c9294477c28729c30f48e09
2014-05-27 01:17:13 -07:00
from swift.common.storage_policy import StoragePolicy
Generic means for persisting system metadata. Middleware or core features may need to store metadata against accounts or containers. This patch adds a generic mechanism for system metadata to be persisted in backend databases, without polluting the user metadata namespace, by using the reserved header namespace x-<server_type>-sysmeta-*. Modifications are firstly that backend servers persist system metadata headers alongside user metadata and other system state. For accounts and containers, system metadata in PUT and POST requests is treated in a similar way to user metadata. System metadata is not yet supported for object requests. Secondly, changes in the proxy controllers ensure that headers in the system metadata namespace will pass through in requests to backend servers. Thirdly, system metadata returned from backend servers in GET or HEAD responses is added to the cached info dict, which middleware can access. Finally, a gatekeeper middleware module is provided which filters all system metadata headers from requests and responses by removing headers with names starting x-account-sysmeta-, x-container-sysmeta-. The gatekeeper also removes headers starting x-object-sysmeta- in anticipation of future support for system metadata being set for objects. This prevents clients from writing or reading system metadata. The required_filters list in swift/proxy/server.py is modified to include the gatekeeper middleware so that if the gatekeeper has not been configured in the pipeline then it will be automatically inserted close to the start of the pipeline. blueprint cluster-federation Change-Id: I80b8b14243cc59505f8c584920f8f527646b5f45
2013-12-03 22:02:39 +00:00
from swift.common.request_helpers import get_sys_meta_prefix
Privileged acct ACL header, new ACL syntax, TempAuth impl. * Introduce a new privileged account header: X-Account-Access-Control * Introduce JSON-based version 2 ACL syntax -- see below for discussion * Implement account ACL authorization in TempAuth X-Account-Access-Control Header ------------------------------- Accounts now have a new privileged header to represent ACLs or any other form of account-level access control. The value of the header is an opaque string to be interpreted by the auth system, but it must be a JSON-encoded dictionary. A reference implementation is given in TempAuth, with the knowledge that historically other auth systems often use TempAuth as a starting point. The reference implementation describes three levels of account access: "admin", "read-write", and "read-only". Adding new access control features in a future patch (e.g. "write-only" account access) will automatically be forward- and backward-compatible, due to the JSON dictionary header format. The privileged X-Account-Access-Control header may only be read or written by a user with "swift_owner" status, traditionally the account owner but now also any user on the "admin" ACL. Access Levels: Read-only access is intended to indicate to the auth system that this list of identities can read everything (except privileged headers) in the account. Specifically, a user with read-only account access can get a list of containers in the account, list the contents of any container, retrieve any object, and see the (non-privileged) headers of the account, any container, or any object. Read-write access is intended to indicate to the auth system that this list of identities can read or write (or create) any container. A user with read-write account access can create new containers, set any unprivileged container headers, overwrite objects, delete containers, etc. A read-write user can NOT set account headers (or perform any PUT/POST/DELETE requests on the account). Admin access is intended to indicate to the auth system that this list of identities has "swift_owner" privileges. A user with admin account access can do anything the account owner can, including setting account headers and any privileged headers -- and thus changing the value of X-Account-Access-Control and thereby granting read-only, read-write, or admin access to other users. The auth system is responsible for making decisions based on this header, if it chooses to support its use. Therefore the above access level descriptions are necessarily advisory only for other auth systems. When setting the value of the header, callers are urged to use the new format_acl() method, described below. New ACL Format -------------- The account ACLs introduce a new format for ACLs, rather than reusing the existing format from X-Container-Read/X-Container-Write. There are several reasons for this: * Container ACL format does not support Unicode * Container ACLs have a different structure than account ACLs + account ACLs have no concept of referrers or rlistings + accounts have additional "admin" access level + account access levels are structured as admin > rw > ro, which seems more appropriate for how people access accounts, rather than reusing container ACLs' orthogonal read and write access In addition, the container ACL syntax is a bit arbitrary and highly custom, so instead of parsing additional custom syntax, I'd rather propose a next version and introduce a means for migration. The V2 ACL syntax has the following benefits: * JSON is a well-known standard syntax with parsers in all languages * no artificial value restrictions (you can grant access to a user named ".rlistings" if you want) * forward and backward compatibility: you may have extraneous keys, but your attempt to parse the header won't raise an exception I've introduced hooks in parse_acl and format_acl which currently default to the old V1 syntax but tolerate the V2 syntax and can easily be flipped to default to V2. I'm not changing the default or adding code to rewrite V1 ACLs to V2, because this patch has suffered a lot of scope creep already, but this seems like a sensible milestone in the migration. TempAuth Account ACL Implementation ----------------------------------- As stated above, core Swift is responsible for privileging the X-Account-Access-Control header (making it only accessible to swift_owners), for translating it to -sysmeta-* headers to trigger persistence by the account server, and for including the header in the responses to requests by privileged users. Core Swift puts no expectation on the *content* of this header. Auth systems (including TempAuth) are responsible for defining the content of the header and taking action based on it. In addition to the changes described above, this patch defines a format to be used by TempAuth for these headers in the common.middleware.acl module, in the methods format_v2_acl() and parse_v2_acl(). This patch also teaches TempAuth to take action based on the header contents. TempAuth now sets swift_owner=True if the user is on the Admin ACL, authorizes GET/HEAD/OPTIONS requests if the user is on any ACL, authorizes PUT/POST/DELETE requests if the user is on the admin or read-write ACL, etc. Note that the action of setting swift_owner=True triggers core Swift to add or strip the privileged headers from the responses. Core Swift (not the auth system) is responsible for that. DocImpact: Documentation for the new ACL usage and format appears in summary form in doc/source/overview_auth.rst, and in more detail in swift/common/middleware/tempauth.py in the TempAuth class docstring. I leave it to the Swift doc team to determine whether more is needed. Change-Id: I836a99eaaa6bb0e92dc03e1ca46a474522e6e826
2013-11-13 20:55:14 +00:00
import swift.proxy.controllers.base
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
Add Storage Policy support to Object Server Objects now have a storage policy index associated with them as well; this is determined by their filesystem path. Like before, objects in policy 0 are in /srv/node/$disk/objects; this provides compatibility on upgrade. (Recall that policy 0 is given to all existing data when a cluster is upgraded.) Objects in policy 1 are in /srv/node/$disk/objects-1, objects in policy 2 are in /srv/node/$disk/objects-2, and so on. * 'quarantined' dir already created 'objects' subdir so now there will also be objects-N created at the same level This commit does not address replicators, auditors, or updaters except where method signatures changed. They'll still work if your cluster has only one storage policy, though. DocImpact Implements: blueprint storage-policies Change-Id: I459f3ed97df516cb0c9294477c28729c30f48e09
2014-05-27 01:17:13 -07:00
from test.unit import patch_policies
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
Add Storage Policy support to Object Server Objects now have a storage policy index associated with them as well; this is determined by their filesystem path. Like before, objects in policy 0 are in /srv/node/$disk/objects; this provides compatibility on upgrade. (Recall that policy 0 is given to all existing data when a cluster is upgraded.) Objects in policy 1 are in /srv/node/$disk/objects-1, objects in policy 2 are in /srv/node/$disk/objects-2, and so on. * 'quarantined' dir already created 'objects' subdir so now there will also be objects-N created at the same level This commit does not address replicators, auditors, or updaters except where method signatures changed. They'll still work if your cluster has only one storage policy, though. DocImpact Implements: blueprint storage-policies Change-Id: I459f3ed97df516cb0c9294477c28729c30f48e09
2014-05-27 01:17:13 -07:00
@patch_policies([StoragePolicy(0, 'zero', True, object_ring=FakeRing())])
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
class TestAccountController(unittest.TestCase):
def setUp(self):
Add Storage Policy support to Object Server Objects now have a storage policy index associated with them as well; this is determined by their filesystem path. Like before, objects in policy 0 are in /srv/node/$disk/objects; this provides compatibility on upgrade. (Recall that policy 0 is given to all existing data when a cluster is upgraded.) Objects in policy 1 are in /srv/node/$disk/objects-1, objects in policy 2 are in /srv/node/$disk/objects-2, and so on. * 'quarantined' dir already created 'objects' subdir so now there will also be objects-N created at the same level This commit does not address replicators, auditors, or updaters except where method signatures changed. They'll still work if your cluster has only one storage policy, though. DocImpact Implements: blueprint storage-policies Change-Id: I459f3ed97df516cb0c9294477c28729c30f48e09
2014-05-27 01:17:13 -07:00
self.app = proxy_server.Application(
None, FakeMemcache(),
account_ring=FakeRing(), container_ring=FakeRing())
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
Add unit tests for checking responses in AccountController This patch provides unit tests to check responses for various situation in three/four replicas env. Change-Id: I1af48728b28da9780a2a78f3110e1c7487047ff8
2016-01-22 05:19:06 +00:00
def _make_callback_func(self, context):
def callback(ipaddr, port, device, partition, method, path,
headers=None, query_string=None, ssl=False):
context['method'] = method
context['path'] = path
context['headers'] = headers or {}
return callback
def _assert_responses(self, method, test_cases):
if method in ('PUT', 'DELETE'):
self.app.allow_account_management = True
controller = proxy_server.AccountController(self.app, 'AUTH_bob')
for responses, expected in test_cases:
with mock.patch(
'swift.proxy.controllers.base.http_connect',
fake_http_connect(*responses)):
req = Request.blank('/v1/AUTH_bob')
resp = getattr(controller, method)(req)
self.assertEqual(expected,
resp.status_int,
'Expected %s but got %s. Failed case: %s' %
(expected, resp.status_int, str(responses)))
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
def test_account_info_in_response_env(self):
controller = proxy_server.AccountController(self.app, 'AUTH_bob')
with mock.patch('swift.proxy.controllers.base.http_connect',
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
fake_http_connect(200, body='')):
Stop mutating PATH_INFO in proxy server The proxy server was calling swob.Request.path_info_pop() prior to instantiating a controller so that req.path_info was just /a/c/o (sans /v1). The version got moved over into SCRIPT_NAME. This lead to some unfortunate behavior when trying to re-use a request from middleware. Something like this: # Imagine we're a WSGIContext object here. # # To start, SCRIPT_NAME = '' and PATH_INFO='/v1/a/c/o' resp_iter = self._app_call(env, start_response) # Now SCRIPT_NAME='/v1' and PATH_INFO ='/a/c/o' if something_special in self._response_headers: env['REQUEST_METHOD'] = 'GET' env.pop('HTTP_RANGE', None) # 404 SURPRISE! The proxy calls path_info_pop() again, # and now SCRIPT_NAME='/v1/a' and PATH_INFO='/c/o', so this # gets treated as a container request. Yikes. resp_iter = self._app_call(env, start_response) Now we just leave SCRIPT_NAME and PATH_INFO alone. To make life easy for everyone who does want just /a/c/o, I defined swob.Request.swift_entity_path, which just strips off the /v1. Note that there's still one call to path_info_pop() in tempauth, but that's only for requests going to /auth, so it won't affect Swift API requests. It might be a good idea to remove that one later, but let's do one thing at a time. Change-Id: I87557a11c01f3f3889b610578cda6ba7d3933e7a
2013-12-03 22:18:46 -08:00
req = Request.blank('/v1/AUTH_bob', {'PATH_INFO': '/v1/AUTH_bob'})
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
resp = controller.HEAD(req)
self.assertEqual(2, resp.status_int // 100)
self.assertTrue('swift.account/AUTH_bob' in resp.environ)
self.assertEqual(headers_to_account_info(resp.headers),
resp.environ['swift.account/AUTH_bob'])
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
def test_swift_owner(self):
owner_headers = {
'x-account-meta-temp-url-key': 'value',
'x-account-meta-temp-url-key-2': 'value'}
controller = proxy_server.AccountController(self.app, 'a')
Stop mutating PATH_INFO in proxy server The proxy server was calling swob.Request.path_info_pop() prior to instantiating a controller so that req.path_info was just /a/c/o (sans /v1). The version got moved over into SCRIPT_NAME. This lead to some unfortunate behavior when trying to re-use a request from middleware. Something like this: # Imagine we're a WSGIContext object here. # # To start, SCRIPT_NAME = '' and PATH_INFO='/v1/a/c/o' resp_iter = self._app_call(env, start_response) # Now SCRIPT_NAME='/v1' and PATH_INFO ='/a/c/o' if something_special in self._response_headers: env['REQUEST_METHOD'] = 'GET' env.pop('HTTP_RANGE', None) # 404 SURPRISE! The proxy calls path_info_pop() again, # and now SCRIPT_NAME='/v1/a' and PATH_INFO='/c/o', so this # gets treated as a container request. Yikes. resp_iter = self._app_call(env, start_response) Now we just leave SCRIPT_NAME and PATH_INFO alone. To make life easy for everyone who does want just /a/c/o, I defined swob.Request.swift_entity_path, which just strips off the /v1. Note that there's still one call to path_info_pop() in tempauth, but that's only for requests going to /auth, so it won't affect Swift API requests. It might be a good idea to remove that one later, but let's do one thing at a time. Change-Id: I87557a11c01f3f3889b610578cda6ba7d3933e7a
2013-12-03 22:18:46 -08:00
req = Request.blank('/v1/a')
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
with mock.patch('swift.proxy.controllers.base.http_connect',
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
fake_http_connect(200, headers=owner_headers)):
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
resp = controller.HEAD(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(2, resp.status_int // 100)
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
for key in owner_headers:
self.assertTrue(key not in resp.headers)
Stop mutating PATH_INFO in proxy server The proxy server was calling swob.Request.path_info_pop() prior to instantiating a controller so that req.path_info was just /a/c/o (sans /v1). The version got moved over into SCRIPT_NAME. This lead to some unfortunate behavior when trying to re-use a request from middleware. Something like this: # Imagine we're a WSGIContext object here. # # To start, SCRIPT_NAME = '' and PATH_INFO='/v1/a/c/o' resp_iter = self._app_call(env, start_response) # Now SCRIPT_NAME='/v1' and PATH_INFO ='/a/c/o' if something_special in self._response_headers: env['REQUEST_METHOD'] = 'GET' env.pop('HTTP_RANGE', None) # 404 SURPRISE! The proxy calls path_info_pop() again, # and now SCRIPT_NAME='/v1/a' and PATH_INFO='/c/o', so this # gets treated as a container request. Yikes. resp_iter = self._app_call(env, start_response) Now we just leave SCRIPT_NAME and PATH_INFO alone. To make life easy for everyone who does want just /a/c/o, I defined swob.Request.swift_entity_path, which just strips off the /v1. Note that there's still one call to path_info_pop() in tempauth, but that's only for requests going to /auth, so it won't affect Swift API requests. It might be a good idea to remove that one later, but let's do one thing at a time. Change-Id: I87557a11c01f3f3889b610578cda6ba7d3933e7a
2013-12-03 22:18:46 -08:00
req = Request.blank('/v1/a', environ={'swift_owner': True})
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
with mock.patch('swift.proxy.controllers.base.http_connect',
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
fake_http_connect(200, headers=owner_headers)):
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
resp = controller.HEAD(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(2, resp.status_int // 100)
Implements configurable swift_owner_headers These are headers that will be stripped unless the WSGI environment contains a true value for 'swift_owner'. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities. DocImpact Change-Id: I972772fbbd235414e00130ca663428e8750cabca
2013-06-27 14:11:25 +00:00
for key in owner_headers:
self.assertTrue(key in resp.headers)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
def test_get_deleted_account(self):
resp_headers = {
'x-account-status': 'deleted',
}
controller = proxy_server.AccountController(self.app, 'a')
Stop mutating PATH_INFO in proxy server The proxy server was calling swob.Request.path_info_pop() prior to instantiating a controller so that req.path_info was just /a/c/o (sans /v1). The version got moved over into SCRIPT_NAME. This lead to some unfortunate behavior when trying to re-use a request from middleware. Something like this: # Imagine we're a WSGIContext object here. # # To start, SCRIPT_NAME = '' and PATH_INFO='/v1/a/c/o' resp_iter = self._app_call(env, start_response) # Now SCRIPT_NAME='/v1' and PATH_INFO ='/a/c/o' if something_special in self._response_headers: env['REQUEST_METHOD'] = 'GET' env.pop('HTTP_RANGE', None) # 404 SURPRISE! The proxy calls path_info_pop() again, # and now SCRIPT_NAME='/v1/a' and PATH_INFO='/c/o', so this # gets treated as a container request. Yikes. resp_iter = self._app_call(env, start_response) Now we just leave SCRIPT_NAME and PATH_INFO alone. To make life easy for everyone who does want just /a/c/o, I defined swob.Request.swift_entity_path, which just strips off the /v1. Note that there's still one call to path_info_pop() in tempauth, but that's only for requests going to /auth, so it won't affect Swift API requests. It might be a good idea to remove that one later, but let's do one thing at a time. Change-Id: I87557a11c01f3f3889b610578cda6ba7d3933e7a
2013-12-03 22:18:46 -08:00
req = Request.blank('/v1/a')
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(404, headers=resp_headers)):
resp = controller.HEAD(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(410, resp.status_int)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
def test_long_acct_names(self):
Rework use of constraints to ease testing Prior to this patch both mainline code and testing modules imported and used constraints directly into their own namespace, or relied on the namespace of other modules that were not the constraints module. This meant that if a unit test wanted to change a constraint for its operation, it had to know how that module was using the constraint, instead of referencing the constraint module itself. This patch unifies the use of constraints so that all constraints are referenced via the constraints module. In turn, this allows a test to leverage the re-loadable nature of the constraints in the constraints module. It addition, a number of functional tests where using the default values for constraints, instead of the configured value discovered in a test.conf or in an existing swift.conf. This patch removes those direct references in favor of the load_constraint() method from the test/functional/tests.py module. Change-Id: Ia5313d653c667dd9ca800786de59b59334c34eaa
2014-04-02 16:16:21 -04:00
long_acct_name = '%sLongAccountName' % (
'Very' * (constraints.MAX_ACCOUNT_NAME_LENGTH // 4))
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
controller = proxy_server.AccountController(self.app, long_acct_name)
Stop mutating PATH_INFO in proxy server The proxy server was calling swob.Request.path_info_pop() prior to instantiating a controller so that req.path_info was just /a/c/o (sans /v1). The version got moved over into SCRIPT_NAME. This lead to some unfortunate behavior when trying to re-use a request from middleware. Something like this: # Imagine we're a WSGIContext object here. # # To start, SCRIPT_NAME = '' and PATH_INFO='/v1/a/c/o' resp_iter = self._app_call(env, start_response) # Now SCRIPT_NAME='/v1' and PATH_INFO ='/a/c/o' if something_special in self._response_headers: env['REQUEST_METHOD'] = 'GET' env.pop('HTTP_RANGE', None) # 404 SURPRISE! The proxy calls path_info_pop() again, # and now SCRIPT_NAME='/v1/a' and PATH_INFO='/c/o', so this # gets treated as a container request. Yikes. resp_iter = self._app_call(env, start_response) Now we just leave SCRIPT_NAME and PATH_INFO alone. To make life easy for everyone who does want just /a/c/o, I defined swob.Request.swift_entity_path, which just strips off the /v1. Note that there's still one call to path_info_pop() in tempauth, but that's only for requests going to /auth, so it won't affect Swift API requests. It might be a good idea to remove that one later, but let's do one thing at a time. Change-Id: I87557a11c01f3f3889b610578cda6ba7d3933e7a
2013-12-03 22:18:46 -08:00
req = Request.blank('/v1/%s' % long_acct_name)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(200)):
resp = controller.HEAD(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(400, resp.status_int)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(200)):
resp = controller.GET(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(400, resp.status_int)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(200)):
resp = controller.POST(req)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3 in the following dir: test/unit/proxy/* Change-Id: Ie2c7e73e1096233a10ee7fbf6f88386fa4d469d6
2015-08-06 10:01:17 -05:00
self.assertEqual(400, resp.status_int)
HEAD on account returns 410 if account was deleted and not yet reaped * updated CONTRIBUTING.md * improved unit tests * 100% coverage for proxy acct controller tests * invoke fake_http_connect correctly Change-Id: I0826c5a1c52efdd5ae95f7fde8024f2bff0751ba
2013-10-28 17:28:57 -07:00
Generic means for persisting system metadata. Middleware or core features may need to store metadata against accounts or containers. This patch adds a generic mechanism for system metadata to be persisted in backend databases, without polluting the user metadata namespace, by using the reserved header namespace x-<server_type>-sysmeta-*. Modifications are firstly that backend servers persist system metadata headers alongside user metadata and other system state. For accounts and containers, system metadata in PUT and POST requests is treated in a similar way to user metadata. System metadata is not yet supported for object requests. Secondly, changes in the proxy controllers ensure that headers in the system metadata namespace will pass through in requests to backend servers. Thirdly, system metadata returned from backend servers in GET or HEAD responses is added to the cached info dict, which middleware can access. Finally, a gatekeeper middleware module is provided which filters all system metadata headers from requests and responses by removing headers with names starting x-account-sysmeta-, x-container-sysmeta-. The gatekeeper also removes headers starting x-object-sysmeta- in anticipation of future support for system metadata being set for objects. This prevents clients from writing or reading system metadata. The required_filters list in swift/proxy/server.py is modified to include the gatekeeper middleware so that if the gatekeeper has not been configured in the pipeline then it will be automatically inserted close to the start of the pipeline. blueprint cluster-federation Change-Id: I80b8b14243cc59505f8c584920f8f527646b5f45
2013-12-03 22:02:39 +00:00
def test_sys_meta_headers_PUT(self):
# check that headers in sys meta namespace make it through
# the proxy controller
sys_meta_key = '%stest' % get_sys_meta_prefix('account')
sys_meta_key = sys_meta_key.title()
user_meta_key = 'X-Account-Meta-Test'
# allow PUTs to account...
self.app.allow_account_management = True
controller = proxy_server.AccountController(self.app, 'a')
context = {}
callback = self._make_callback_func(context)
hdrs_in = {sys_meta_key: 'foo',
user_meta_key: 'bar',
'x-timestamp': '1.0'}
req = Request.blank('/v1/a', headers=hdrs_in)
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(200, 200, give_connect=callback)):
controller.PUT(req)
self.assertEqual(context['method'], 'PUT')
self.assertTrue(sys_meta_key in context['headers'])
self.assertEqual(context['headers'][sys_meta_key], 'foo')
self.assertTrue(user_meta_key in context['headers'])
self.assertEqual(context['headers'][user_meta_key], 'bar')
self.assertNotEqual(context['headers']['x-timestamp'], '1.0')
def test_sys_meta_headers_POST(self):
# check that headers in sys meta namespace make it through
# the proxy controller
sys_meta_key = '%stest' % get_sys_meta_prefix('account')
sys_meta_key = sys_meta_key.title()
user_meta_key = 'X-Account-Meta-Test'
controller = proxy_server.AccountController(self.app, 'a')
context = {}
callback = self._make_callback_func(context)
hdrs_in = {sys_meta_key: 'foo',
user_meta_key: 'bar',
'x-timestamp': '1.0'}
req = Request.blank('/v1/a', headers=hdrs_in)
with mock.patch('swift.proxy.controllers.base.http_connect',
fake_http_connect(200, 200, give_connect=callback)):
controller.POST(req)
self.assertEqual(context['method'], 'POST')
self.assertTrue(sys_meta_key in context['headers'])
self.assertEqual(context['headers'][sys_meta_key], 'foo')
self.assertTrue(user_meta_key in context['headers'])
self.assertEqual(context['headers'][user_meta_key], 'bar')
self.assertNotEqual(context['headers']['x-timestamp'], '1.0')
Privileged acct ACL header, new ACL syntax, TempAuth impl. * Introduce a new privileged account header: X-Account-Access-Control * Introduce JSON-based version 2 ACL syntax -- see below for discussion * Implement account ACL authorization in TempAuth X-Account-Access-Control Header ------------------------------- Accounts now have a new privileged header to represent ACLs or any other form of account-level access control. The value of the header is an opaque string to be interpreted by the auth system, but it must be a JSON-encoded dictionary. A reference implementation is given in TempAuth, with the knowledge that historically other auth systems often use TempAuth as a starting point. The reference implementation describes three levels of account access: "admin", "read-write", and "read-only". Adding new access control features in a future patch (e.g. "write-only" account access) will automatically be forward- and backward-compatible, due to the JSON dictionary header format. The privileged X-Account-Access-Control header may only be read or written by a user with "swift_owner" status, traditionally the account owner but now also any user on the "admin" ACL. Access Levels: Read-only access is intended to indicate to the auth system that this list of identities can read everything (except privileged headers) in the account. Specifically, a user with read-only account access can get a list of containers in the account, list the contents of any container, retrieve any object, and see the (non-privileged) headers of the account, any container, or any object. Read-write access is intended to indicate to the auth system that this list of identities can read or write (or create) any container. A user with read-write account access can create new containers, set any unprivileged container headers, overwrite objects, delete containers, etc. A read-write user can NOT set account headers (or perform any PUT/POST/DELETE requests on the account). Admin access is intended to indicate to the auth system that this list of identities has "swift_owner" privileges. A user with admin account access can do anything the account owner can, including setting account headers and any privileged headers -- and thus changing the value of X-Account-Access-Control and thereby granting read-only, read-write, or admin access to other users. The auth system is responsible for making decisions based on this header, if it chooses to support its use. Therefore the above access level descriptions are necessarily advisory only for other auth systems. When setting the value of the header, callers are urged to use the new format_acl() method, described below. New ACL Format -------------- The account ACLs introduce a new format for ACLs, rather than reusing the existing format from X-Container-Read/X-Container-Write. There are several reasons for this: * Container ACL format does not support Unicode * Container ACLs have a different structure than account ACLs + account ACLs have no concept of referrers or rlistings + accounts have additional "admin" access level + account access levels are structured as admin > rw > ro, which seems more appropriate for how people access accounts, rather than reusing container ACLs' orthogonal read and write access In addition, the container ACL syntax is a bit arbitrary and highly custom, so instead of parsing additional custom syntax, I'd rather propose a next version and introduce a means for migration. The V2 ACL syntax has the following benefits: * JSON is a well-known standard syntax with parsers in all languages * no artificial value restrictions (you can grant access to a user named ".rlistings" if you want) * forward and backward compatibility: you may have extraneous keys, but your attempt to parse the header won't raise an exception I've introduced hooks in parse_acl and format_acl which currently default to the old V1 syntax but tolerate the V2 syntax and can easily be flipped to default to V2. I'm not changing the default or adding code to rewrite V1 ACLs to V2, because this patch has suffered a lot of scope creep already, but this seems like a sensible milestone in the migration. TempAuth Account ACL Implementation ----------------------------------- As stated above, core Swift is responsible for privileging the X-Account-Access-Control header (making it only accessible to swift_owners), for translating it to -sysmeta-* headers to trigger persistence by the account server, and for including the header in the responses to requests by privileged users. Core Swift puts no expectation on the *content* of this header. Auth systems (including TempAuth) are responsible for defining the content of the header and taking action based on it. In addition to the changes described above, this patch defines a format to be used by TempAuth for these headers in the common.middleware.acl module, in the methods format_v2_acl() and parse_v2_acl(). This patch also teaches TempAuth to take action based on the header contents. TempAuth now sets swift_owner=True if the user is on the Admin ACL, authorizes GET/HEAD/OPTIONS requests if the user is on any ACL, authorizes PUT/POST/DELETE requests if the user is on the admin or read-write ACL, etc. Note that the action of setting swift_owner=True triggers core Swift to add or strip the privileged headers from the responses. Core Swift (not the auth system) is responsible for that. DocImpact: Documentation for the new ACL usage and format appears in summary form in doc/source/overview_auth.rst, and in more detail in swift/common/middleware/tempauth.py in the TempAuth class docstring. I leave it to the Swift doc team to determine whether more is needed. Change-Id: I836a99eaaa6bb0e92dc03e1ca46a474522e6e826
2013-11-13 20:55:14 +00:00
def _make_user_and_sys_acl_headers_data(self):
acl = {
'admin': ['AUTH_alice', 'AUTH_bob'],
'read-write': ['AUTH_carol'],
'read-only': [],
}
user_prefix = 'x-account-' # external, user-facing
user_headers = {(user_prefix + 'access-control'): format_acl(
version=2, acl_dict=acl)}
sys_prefix = get_sys_meta_prefix('account') # internal, system-facing
sys_headers = {(sys_prefix + 'core-access-control'): format_acl(
version=2, acl_dict=acl)}
return user_headers, sys_headers
def test_account_acl_headers_translated_for_GET_HEAD(self):
# Verify that a GET/HEAD which receives X-Account-Sysmeta-Acl-* headers
# from the account server will remap those headers to X-Account-Acl-*
hdrs_ext, hdrs_int = self._make_user_and_sys_acl_headers_data()
controller = proxy_server.AccountController(self.app, 'acct')
for verb in ('GET', 'HEAD'):
req = Request.blank('/v1/acct', environ={'swift_owner': True})
controller.GETorHEAD_base = lambda *_: Response(
headers=hdrs_int, environ={
'PATH_INFO': '/acct',
'REQUEST_METHOD': verb,
})
method = getattr(controller, verb)
resp = method(req)
for header, value in hdrs_ext.items():
if value:
self.assertEqual(resp.headers.get(header), value)
else:
# blank ACLs should result in no header
unit tests: Replace "self.assert_" by "self.assertTrue" The assert_() method is deprecated and can be safely replaced by assertTrue(). This patch makes sure that running the tests does not create undesired warnings. Change-Id: I0602ba39ef93263386644ee68088d5f65fcb4a71
2015-07-21 19:23:00 +05:30
self.assertTrue(header not in resp.headers)
Privileged acct ACL header, new ACL syntax, TempAuth impl. * Introduce a new privileged account header: X-Account-Access-Control * Introduce JSON-based version 2 ACL syntax -- see below for discussion * Implement account ACL authorization in TempAuth X-Account-Access-Control Header ------------------------------- Accounts now have a new privileged header to represent ACLs or any other form of account-level access control. The value of the header is an opaque string to be interpreted by the auth system, but it must be a JSON-encoded dictionary. A reference implementation is given in TempAuth, with the knowledge that historically other auth systems often use TempAuth as a starting point. The reference implementation describes three levels of account access: "admin", "read-write", and "read-only". Adding new access control features in a future patch (e.g. "write-only" account access) will automatically be forward- and backward-compatible, due to the JSON dictionary header format. The privileged X-Account-Access-Control header may only be read or written by a user with "swift_owner" status, traditionally the account owner but now also any user on the "admin" ACL. Access Levels: Read-only access is intended to indicate to the auth system that this list of identities can read everything (except privileged headers) in the account. Specifically, a user with read-only account access can get a list of containers in the account, list the contents of any container, retrieve any object, and see the (non-privileged) headers of the account, any container, or any object. Read-write access is intended to indicate to the auth system that this list of identities can read or write (or create) any container. A user with read-write account access can create new containers, set any unprivileged container headers, overwrite objects, delete containers, etc. A read-write user can NOT set account headers (or perform any PUT/POST/DELETE requests on the account). Admin access is intended to indicate to the auth system that this list of identities has "swift_owner" privileges. A user with admin account access can do anything the account owner can, including setting account headers and any privileged headers -- and thus changing the value of X-Account-Access-Control and thereby granting read-only, read-write, or admin access to other users. The auth system is responsible for making decisions based on this header, if it chooses to support its use. Therefore the above access level descriptions are necessarily advisory only for other auth systems. When setting the value of the header, callers are urged to use the new format_acl() method, described below. New ACL Format -------------- The account ACLs introduce a new format for ACLs, rather than reusing the existing format from X-Container-Read/X-Container-Write. There are several reasons for this: * Container ACL format does not support Unicode * Container ACLs have a different structure than account ACLs + account ACLs have no concept of referrers or rlistings + accounts have additional "admin" access level + account access levels are structured as admin > rw > ro, which seems more appropriate for how people access accounts, rather than reusing container ACLs' orthogonal read and write access In addition, the container ACL syntax is a bit arbitrary and highly custom, so instead of parsing additional custom syntax, I'd rather propose a next version and introduce a means for migration. The V2 ACL syntax has the following benefits: * JSON is a well-known standard syntax with parsers in all languages * no artificial value restrictions (you can grant access to a user named ".rlistings" if you want) * forward and backward compatibility: you may have extraneous keys, but your attempt to parse the header won't raise an exception I've introduced hooks in parse_acl and format_acl which currently default to the old V1 syntax but tolerate the V2 syntax and can easily be flipped to default to V2. I'm not changing the default or adding code to rewrite V1 ACLs to V2, because this patch has suffered a lot of scope creep already, but this seems like a sensible milestone in the migration. TempAuth Account ACL Implementation ----------------------------------- As stated above, core Swift is responsible for privileging the X-Account-Access-Control header (making it only accessible to swift_owners), for translating it to -sysmeta-* headers to trigger persistence by the account server, and for including the header in the responses to requests by privileged users. Core Swift puts no expectation on the *content* of this header. Auth systems (including TempAuth) are responsible for defining the content of the header and taking action based on it. In addition to the changes described above, this patch defines a format to be used by TempAuth for these headers in the common.middleware.acl module, in the methods format_v2_acl() and parse_v2_acl(). This patch also teaches TempAuth to take action based on the header contents. TempAuth now sets swift_owner=True if the user is on the Admin ACL, authorizes GET/HEAD/OPTIONS requests if the user is on any ACL, authorizes PUT/POST/DELETE requests if the user is on the admin or read-write ACL, etc. Note that the action of setting swift_owner=True triggers core Swift to add or strip the privileged headers from the responses. Core Swift (not the auth system) is responsible for that. DocImpact: Documentation for the new ACL usage and format appears in summary form in doc/source/overview_auth.rst, and in more detail in swift/common/middleware/tempauth.py in the TempAuth class docstring. I leave it to the Swift doc team to determine whether more is needed. Change-Id: I836a99eaaa6bb0e92dc03e1ca46a474522e6e826
2013-11-13 20:55:14 +00:00
def test_add_acls_impossible_cases(self):
# For test coverage: verify that defensive coding does defend, in cases
# that shouldn't arise naturally
# add_acls should do nothing if REQUEST_METHOD isn't HEAD/GET/PUT/POST
resp = Response()
controller = proxy_server.AccountController(self.app, 'a')
resp.environ['PATH_INFO'] = '/a'
resp.environ['REQUEST_METHOD'] = 'OPTIONS'
controller.add_acls_from_sys_metadata(resp)
self.assertEqual(1, len(resp.headers)) # we always get Content-Type
self.assertEqual(2, len(resp.environ))
def test_memcache_key_impossible_cases(self):
# For test coverage: verify that defensive coding does defend, in cases
# that shouldn't arise naturally
self.assertRaises(
ValueError,
lambda: swift.proxy.controllers.base.get_container_memcache_key(
'/a', None))
def test_stripping_swift_admin_headers(self):
# Verify that a GET/HEAD which receives privileged headers from the
# account server will strip those headers for non-swift_owners
headers = {
'x-account-meta-harmless': 'hi mom',
'x-account-meta-temp-url-key': 's3kr1t',
}
controller = proxy_server.AccountController(self.app, 'acct')
for verb in ('GET', 'HEAD'):
for env in ({'swift_owner': True}, {'swift_owner': False}):
req = Request.blank('/v1/acct', environ=env)
controller.GETorHEAD_base = lambda *_: Response(
headers=headers, environ={
'PATH_INFO': '/acct',
'REQUEST_METHOD': verb,
})
method = getattr(controller, verb)
resp = method(req)
self.assertEqual(resp.headers.get('x-account-meta-harmless'),
'hi mom')
privileged_header_present = (
'x-account-meta-temp-url-key' in resp.headers)
self.assertEqual(privileged_header_present, env['swift_owner'])
Add unit tests for checking responses in AccountController This patch provides unit tests to check responses for various situation in three/four replicas env. Change-Id: I1af48728b28da9780a2a78f3110e1c7487047ff8
2016-01-22 05:19:06 +00:00
def test_response_code_for_PUT(self):
PUT_TEST_CASES = [
Use 201 insted of 200 in PUT test case There are some unit test cases which assumes 200 as the response of PUT request, but 200 is never returned in PUT. This patch replaces 200 in PUT by 201, and adapt unit test cases to real case. Change-Id: I35fc7a4fe7fcc5558a9e6c6371105793c2710f3e
2016-02-22 16:10:09 +09:00
((201, 201, 201), 201),
((201, 201, 404), 201),
((201, 201, 503), 201),
((201, 404, 404), 404),
((201, 404, 503), 503),
((201, 503, 503), 503),
Add unit tests for checking responses in AccountController This patch provides unit tests to check responses for various situation in three/four replicas env. Change-Id: I1af48728b28da9780a2a78f3110e1c7487047ff8
2016-01-22 05:19:06 +00:00
((404, 404, 404), 404),
((404, 404, 503), 404),
((404, 503, 503), 503),
((503, 503, 503), 503)
]
self._assert_responses('PUT', PUT_TEST_CASES)
def test_response_code_for_DELETE(self):
DELETE_TEST_CASES = [
((204, 204, 204), 204),
((204, 204, 404), 204),
((204, 204, 503), 204),
((204, 404, 404), 404),
((204, 404, 503), 503),
((204, 503, 503), 503),
((404, 404, 404), 404),
((404, 404, 503), 404),
((404, 503, 503), 503),
((503, 503, 503), 503)
]
self._assert_responses('DELETE', DELETE_TEST_CASES)
def test_response_code_for_POST(self):
POST_TEST_CASES = [
((204, 204, 204), 204),
((204, 204, 404), 204),
((204, 204, 503), 204),
((204, 404, 404), 404),
((204, 404, 503), 503),
((204, 503, 503), 503),
((404, 404, 404), 404),
((404, 404, 503), 404),
((404, 503, 503), 503),
((503, 503, 503), 503)
]
self._assert_responses('POST', POST_TEST_CASES)
@patch_policies(
[StoragePolicy(0, 'zero', True, object_ring=FakeRing(replicas=4))])
class TestAccountController4Replicas(TestAccountController):
def setUp(self):
self.app = proxy_server.Application(
None,
FakeMemcache(),
account_ring=FakeRing(replicas=4),
container_ring=FakeRing(replicas=4))
def test_response_code_for_PUT(self):
PUT_TEST_CASES = [
Use 201 insted of 200 in PUT test case There are some unit test cases which assumes 200 as the response of PUT request, but 200 is never returned in PUT. This patch replaces 200 in PUT by 201, and adapt unit test cases to real case. Change-Id: I35fc7a4fe7fcc5558a9e6c6371105793c2710f3e
2016-02-22 16:10:09 +09:00
((201, 201, 201, 201), 201),
((201, 201, 201, 404), 201),
((201, 201, 201, 503), 201),
((201, 201, 404, 404), 503),
((201, 201, 404, 503), 503),
((201, 201, 503, 503), 503),
((201, 404, 404, 404), 404),
((201, 404, 404, 503), 503),
((201, 404, 503, 503), 503),
((201, 503, 503, 503), 503),
Add unit tests for checking responses in AccountController This patch provides unit tests to check responses for various situation in three/four replicas env. Change-Id: I1af48728b28da9780a2a78f3110e1c7487047ff8
2016-01-22 05:19:06 +00:00
((404, 404, 404, 404), 404),
((404, 404, 404, 503), 404),
((404, 404, 503, 503), 503),
((404, 503, 503, 503), 503),
((503, 503, 503, 503), 503)
]
self._assert_responses('PUT', PUT_TEST_CASES)
def test_response_code_for_DELETE(self):
DELETE_TEST_CASES = [
((204, 204, 204, 204), 204),
((204, 204, 204, 404), 204),
((204, 204, 204, 503), 204),
((204, 204, 404, 404), 503),
((204, 204, 404, 503), 503),
((204, 204, 503, 503), 503),
((204, 404, 404, 404), 404),
((204, 404, 404, 503), 503),
((204, 404, 503, 503), 503),
((204, 503, 503, 503), 503),
((404, 404, 404, 404), 404),
((404, 404, 404, 503), 404),
((404, 404, 503, 503), 503),
((404, 503, 503, 503), 503),
((503, 503, 503, 503), 503)
]
self._assert_responses('DELETE', DELETE_TEST_CASES)
def test_response_code_for_POST(self):
POST_TEST_CASES = [
((204, 204, 204, 204), 204),
((204, 204, 204, 404), 204),
((204, 204, 204, 503), 204),
((204, 204, 404, 404), 503),
((204, 204, 404, 503), 503),
((204, 204, 503, 503), 503),
((204, 404, 404, 404), 404),
((204, 404, 404, 503), 503),
((204, 404, 503, 503), 503),
((204, 503, 503, 503), 503),
((404, 404, 404, 404), 404),
((404, 404, 404, 503), 404),
((404, 404, 503, 503), 503),
((404, 503, 503, 503), 503),
((503, 503, 503, 503), 503)
]
self._assert_responses('POST', POST_TEST_CASES)
get_info - removes duplicate code (Take 3) Consolidate the different ways in which info of account/container is gathered, cached, used, updated, etc. This refactoring increases code reuse and is a basis for later addition of account ACLs. Changing the get_info users is left for future. This staged approach ensures the behaviour is unchanged. Change-Id: I67b58030d3f9e3bc86bcd7ece0f1dc693c4e08c3 Fixes: Bug #1162199
2013-03-30 15:55:29 +03:00
if __name__ == '__main__':
unittest.main()
Copy Permalink