Add functional test for access control (RBAC) with Keystone
This patch adds test cases for PUT, DELETE, GET, HEAD, POST and OPTIONS requests to accounts, containers and objects using various combinations of users/projects, roles and/or service tokens. Change-Id: Iea8141ac74ad949a3ae7fa47fda3135d0f2612f6
parent
6a473e3d7b
commit
09b188f03c
@ -92,15 +92,16 @@ normalized_urls = None
|
||||
# If no config was read, we will fall back to old school env vars
|
||||
swift_test_auth_version = None
|
||||
swift_test_auth = os.environ.get('SWIFT_TEST_AUTH')
|
||||
swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '']
|
||||
swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '']
|
||||
swift_test_tenant = ['', '', '', '', '']
|
||||
swift_test_perm = ['', '', '', '', '']
|
||||
swift_test_domain = ['', '', '', '', '']
|
||||
swift_test_user_id = ['', '', '', '', '']
|
||||
swift_test_tenant_id = ['', '', '', '', '']
|
||||
swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '', '']
|
||||
swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '', '']
|
||||
swift_test_tenant = ['', '', '', '', '', '']
|
||||
swift_test_perm = ['', '', '', '', '', '']
|
||||
swift_test_domain = ['', '', '', '', '', '']
|
||||
swift_test_user_id = ['', '', '', '', '', '']
|
||||
swift_test_tenant_id = ['', '', '', '', '', '']
|
||||
|
||||
skip, skip2, skip3, skip_service_tokens = False, False, False, False
|
||||
skip, skip2, skip3, skip_service_tokens, skip_if_no_reseller_admin = \
|
||||
False, False, False, False, False
|
||||
|
||||
orig_collate = ''
|
||||
insecure = False
|
||||
@ -385,7 +386,11 @@ def in_process_setup(the_object_server=object_server):
|
||||
'service_prefix': 'SERVICE',
|
||||
# For tempauth middleware. Update reseller_prefix
|
||||
'reseller_prefix': 'AUTH, SERVICE',
|
||||
'SERVICE_require_group': 'service'
|
||||
'SERVICE_require_group': 'service',
|
||||
# Reseller admin user (needs reseller_admin_role)
|
||||
'account6': 'test6',
|
||||
'username6': 'tester6',
|
||||
'password6': 'testing6'
|
||||
})
|
||||
|
||||
acc1lis = eventlet.listen(('localhost', 0))
|
||||
@ -683,6 +688,10 @@ def setup_package():
|
||||
swift_test_user[4] = config['username5']
|
||||
swift_test_tenant[4] = config['account5']
|
||||
swift_test_key[4] = config['password5']
|
||||
if 'username6' in config:
|
||||
swift_test_user[5] = config['username6']
|
||||
swift_test_tenant[5] = config['account6']
|
||||
swift_test_key[5] = config['password6']
|
||||
|
||||
for _ in range(5):
|
||||
swift_test_perm[_] = swift_test_tenant[_] + ':' \
|
||||
@ -738,6 +747,16 @@ def setup_package():
|
||||
% policy_specified)
|
||||
raise Exception('Failed to find specified policy %s'
|
||||
% policy_specified)
|
||||
|
||||
global skip_if_no_reseller_admin
|
||||
skip_if_no_reseller_admin = not all([not skip, swift_test_user[5],
|
||||
swift_test_key[5],
|
||||
swift_test_tenant[5]])
|
||||
if not skip and skip_if_no_reseller_admin:
|
||||
print(
|
||||
'SKIPPING FUNCTIONAL TESTS DUE TO NO CONFIG FOR RESELLER ADMIN',
|
||||
file=sys.stderr)
|
||||
|
||||
get_cluster_info()
|
||||
|
||||
|
||||
|
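Review bot: In the setup_package hunk at -683 the context line `for _ in range(5):` still bounds the loop that builds `swift_test_perm`, so `swift_test_perm[5]` stays `''` for the new sixth user even when `username6` and `account6` are configured. Whether any access-control test reads that entry cannot be checked here because test_access_control.py is suppressed on this page, but an ACL built from it would name an empty grantee instead of the reseller admin. Suggest `for _ in range(len(swift_test_user)):` so the range follows the list length. In the -738 hunk the message `SKIPPING FUNCTIONAL TESTS DUE TO NO CONFIG FOR RESELLER ADMIN` reads as if the whole suite is skipped, while the flag it reports is `skip_if_no_reseller_admin`; wording it as `SKIPPING RESELLER ADMIN FUNCTIONAL TESTS ...` would make the lost RBAC coverage easier to spot in CI output. The loop body and setup_package itself extend beyond the hunks shown.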
1092
test/functional/test_access_control.py
Normal file
1092
test/functional/test_access_control.py
Normal file
File diff suppressed because it is too large
@ -71,6 +71,20 @@ class TestObject(unittest2.TestCase):
|
||||
resp = retry(put, name, use_account=use_account)
|
||||
resp.read()
|
||||
self.assertEqual(resp.status, 201)
|
||||
|
||||
# With keystoneauth we need the accounts to have had the project
|
||||
# domain id persisted as sysmeta prior to testing ACLs. This may
|
||||
# not be the case if, for example, the account was created using
|
||||
# a request with reseller_admin role, when project domain id may
|
||||
# not have been known. So we ensure that the project domain id is
|
||||
# in sysmeta by making a POST to the accounts using an admin role.
|
||||
def post(url, token, parsed, conn):
|
||||
conn.request('POST', parsed.path, '', {'X-Auth-Token': token})
|
||||
return check_response(conn)
|
||||
resp = retry(post, use_account=use_account)
|
||||
resp.read()
|
||||
self.assertEqual(resp.status, 204)
|
||||
|
||||
return name
|
||||
|
||||
def tearDown(self):
|
||||
|
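Review bot: The added comment says the POST is made "using an admin role", but the request goes through `retry(post, use_account=use_account)` and nothing in the hunk establishes which role that account's token carries. Since the ACL tests depend on the project domain id being in sysmeta, the comment should name the assumption, e.g. `# ... by making a POST to the account as its configured test user, which is assumed to hold an operator (admin) role rather than only reseller_admin.` The same comment block is repeated before `cls.account.update_metadata()` in the TestFileEnv hunk and would need the same wording. The enclosing method starts before this hunk.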
@ -1108,6 +1108,15 @@ class TestFileEnv(object):
|
||||
|
||||
cls.file_size = 128
|
||||
|
||||
# With keystoneauth we need the accounts to have had the project
|
||||
# domain id persisted as sysmeta prior to testing ACLs. This may
|
||||
# not be the case if, for example, the account was created using
|
||||
# a request with reseller_admin role, when project domain id may
|
||||
# not have been known. So we ensure that the project domain id is
|
||||
# in sysmeta by making a POST to the accounts using an admin role.
|
||||
cls.account.update_metadata()
|
||||
cls.account2.update_metadata()
|
||||
|
||||
|
||||
class TestFileDev(Base):
|
||||
env = TestFileEnv
|
||||
|
@ -58,6 +58,12 @@ password3 = testing3
|
||||
# account contains an underscore.
|
||||
#service_prefix = SERVICE
|
||||
|
||||
# Sixth user is required for access control tests.
|
||||
# Account must have a role for reseller_admin_role(keystoneauth).
|
||||
#account6 = test
|
||||
#username6 = tester6
|
||||
#password6 = testing6
|
||||
|
||||
collate = C
|
||||
|
||||
# Only necessary if a pre-existing server uses self-signed certificate
|
||||
|
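Review bot: The sample sets `#account6 = test`, while the in-process defaults added in in_process_setup use `'account6': 'test6'`, so the two configurations put the reseller admin user in differently named accounts. If reusing an existing account name is intended for Keystone setups, a comment line saying so would prevent it being read as a typo. The line `# Account must have a role for reseller_admin_role(keystoneauth).` would also be clearer as `# The user must hold the role named by reseller_admin_role (keystoneauth).`, since in Keystone a role is assigned to a user on a project.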