Add tests and doc entry for request.environ[reseller_request]

The recent account_quotas (https://review.openstack.org/23434)
patch added a new setting request.environ[reseller_request].
This patch adds tests for tempauth and keystoneauth as well as
an updated overview_auth.rst.

Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
This commit is contained in:
Christian Schwede 2013-03-08 19:33:27 +01:00
parent 5e427e5e3b
commit 157c3c91ee
4 changed files with 28 additions and 0 deletions

View File

@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
Li Riqiang (lrqrun@gmail.com)
Victor Rodionov (victor.rodionov@nexenta.com)
Brent Roskos (broskos@internap.com)
Christian Schwede (info@cschwede.de)
Michael Shuler (mshuler@rackspace.com)
Andrew Clay Shafer (acs@parvuscaptus.com)
Scott Simpson (sasimpson@gmail.com)

View File

@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
True, the proxy will return additional header information in some requests,
such as the X-Container-Sync-Key for a container GET or HEAD.
Users with the special group ``.reseller_admin`` can operate on any account.
For an example usage please see :mod:`swift.common.middleware.tempauth`.
If a request is coming from a reseller the auth system sets the request environ
reseller_request to True. This can be used by other middlewares.
TempAuth will now allow OPTIONS requests to go through without a token.
The user starts a session by sending a ReST request to the auth system to
@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
other users on containers, see the documentation on ACL here
:mod:`swift.common.middleware.acl`.
Users with the Keystone role defined in ``reseller_admin_role``
(``ResellerAdmin`` by default) can operate on any account. The auth system
sets the request environ reseller_request to True if a request is coming
from an user with this role. This can be used by other middlewares.
--------------
Extending Auth
--------------

View File

@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
resp = req.get_response(self._get_successful_middleware())
self.assertEqual(resp.status_int, 200)
def test_detect_reseller_request(self):
role = self.test_auth.reseller_admin_role
headers = self._get_identity_headers(role=role)
req = self._make_request('/v1/AUTH_acct/c', headers)
resp = req.get_response(self._get_successful_middleware())
self.assertTrue(req.environ.get('reseller_request'))
def test_confirmed_identity_is_not_authorized(self):
headers = self._get_identity_headers()
req = self._make_request('/v1/AUTH_acct/c', headers)

View File

@ -16,6 +16,7 @@
import unittest
from contextlib import contextmanager
from base64 import b64encode
from time import time
from swift.common.middleware import tempauth as auth
from swift.common.swob import Request, Response
@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
req.acl = '.r:.example.com,.rlistings'
self.assertEquals(self.test_auth.authorize(req), None)
def test_detect_reseller_request(self):
req = self._make_request('/v1/AUTH_admin',
headers={'X-Auth-Token': 'AUTH_t'})
cache_key = 'AUTH_/token/AUTH_t'
cache_entry = (time()+3600, '.reseller_admin')
req.environ['swift.cache'].set(cache_key, cache_entry)
resp = req.get_response(self.test_auth)
self.assertTrue(req.environ.get('reseller_request', False))
def test_account_put_permissions(self):
req = self._make_request('/v1/AUTH_new',
environ={'REQUEST_METHOD': 'PUT'})