Add functional test for access control (RBAC) with Keystone

This patch adds test cases for PUT, DELETE, GET, HEAD, POST and OPTIONS requests to accounts, containers and objects using various combinations of users/projects, roles and/or service tokens. Change-Id: Iea8141ac74ad949a3ae7fa47fda3135d0f2612f6
2015-07-16 09:35:37 +09:00 · 2015-07-16 09:35:37 +09:00 · 09b188f03c
commit 09b188f03c
parent 6a473e3d7b
5 changed files with 1149 additions and 9 deletions
--- a/test/functional/init.py
+++ b/test/functional/init.py
@ -92,15 +92,16 @@ normalized_urls = None
 # If no config was read, we will fall back to old school env vars
 swift_test_auth_version = None
 swift_test_auth = os.environ.get('SWIFT_TEST_AUTH')
-swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '']
-swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '']
-swift_test_tenant = ['', '', '', '', '']
-swift_test_perm = ['', '', '', '', '']
-swift_test_domain = ['', '', '', '', '']
-swift_test_user_id = ['', '', '', '', '']
-swift_test_tenant_id = ['', '', '', '', '']
+swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '', '']
+swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '', '']
+swift_test_tenant = ['', '', '', '', '', '']
+swift_test_perm = ['', '', '', '', '', '']
+swift_test_domain = ['', '', '', '', '', '']
+swift_test_user_id = ['', '', '', '', '', '']
+swift_test_tenant_id = ['', '', '', '', '', '']

-skip, skip2, skip3, skip_service_tokens = False, False, False, False
+skip, skip2, skip3, skip_service_tokens, skip_if_no_reseller_admin = \
+    False, False, False, False, False

 orig_collate = ''
 insecure = False
@ -385,7 +386,11 @@ def in_process_setup(the_object_server=object_server):
        'service_prefix': 'SERVICE',
        # For tempauth middleware. Update reseller_prefix
        'reseller_prefix': 'AUTH, SERVICE',
-        'SERVICE_require_group': 'service'
+        'SERVICE_require_group': 'service',
+        # Reseller admin user (needs reseller_admin_role)
+        'account6': 'test6',
+        'username6': 'tester6',
+        'password6': 'testing6'
    })

    acc1lis = eventlet.listen(('localhost', 0))
@ -683,6 +688,10 @@ def setup_package():
                swift_test_user[4] = config['username5']
                swift_test_tenant[4] = config['account5']
                swift_test_key[4] = config['password5']
+            if 'username6' in config:
+                swift_test_user[5] = config['username6']
+                swift_test_tenant[5] = config['account6']
+                swift_test_key[5] = config['password6']

            for _ in range(5):
                swift_test_perm[_] = swift_test_tenant[_] + ':' \
@ -738,6 +747,16 @@ def setup_package():
                % policy_specified)
            raise Exception('Failed to find specified policy %s'
                            % policy_specified)
+
+    global skip_if_no_reseller_admin
+    skip_if_no_reseller_admin = not all([not skip, swift_test_user[5],
+                                         swift_test_key[5],
+                                         swift_test_tenant[5]])
+    if not skip and skip_if_no_reseller_admin:
+        print(
+            'SKIPPING FUNCTIONAL TESTS DUE TO NO CONFIG FOR RESELLER ADMIN',
+            file=sys.stderr)
+
    get_cluster_info()


--- a/test/functional/test_access_control.py
+++ b/test/functional/test_access_control.py
--- a/test/functional/test_object.py
+++ b/test/functional/test_object.py
@ -71,6 +71,20 @@ class TestObject(unittest2.TestCase):
        resp = retry(put, name, use_account=use_account)
        resp.read()
        self.assertEqual(resp.status, 201)
+
+        # With keystoneauth we need the accounts to have had the project
+        # domain id persisted as sysmeta prior to testing ACLs. This may
+        # not be the case if, for example, the account was created using
+        # a request with reseller_admin role, when project domain id may
+        # not have been known. So we ensure that the project domain id is
+        # in sysmeta by making a POST to the accounts using an admin role.
+        def post(url, token, parsed, conn):
+            conn.request('POST', parsed.path, '', {'X-Auth-Token': token})
+            return check_response(conn)
+        resp = retry(post, use_account=use_account)
+        resp.read()
+        self.assertEqual(resp.status, 204)
+
        return name

    def tearDown(self):
--- a/test/functional/tests.py
+++ b/test/functional/tests.py
@ -1108,6 +1108,15 @@ class TestFileEnv(object):

        cls.file_size = 128

+        # With keystoneauth we need the accounts to have had the project
+        # domain id persisted as sysmeta prior to testing ACLs. This may
+        # not be the case if, for example, the account was created using
+        # a request with reseller_admin role, when project domain id may
+        # not have been known. So we ensure that the project domain id is
+        # in sysmeta by making a POST to the accounts using an admin role.
+        cls.account.update_metadata()
+        cls.account2.update_metadata()
+

 class TestFileDev(Base):
    env = TestFileEnv
--- a/test/sample.conf
+++ b/test/sample.conf
@ -58,6 +58,12 @@ password3 = testing3
 # account contains an underscore.
 #service_prefix = SERVICE

+# Sixth user is required for access control tests.
+# Account must have a role for reseller_admin_role(keystoneauth).
+#account6 = test
+#username6 = tester6
+#password6 = testing6
+
 collate = C

 # Only necessary if a pre-existing server uses self-signed certificate