Add tests and doc entry for request.environ[reseller_request]
The recent account_quotas (https://review.openstack.org/23434) patch added a new setting request.environ[reseller_request]. This patch adds tests for tempauth and keystoneauth as well as an updated overview_auth.rst. Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
parent
5e427e5e3b
commit
157c3c91ee
1
AUTHORS
1
AUTHORS
@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
|
||||
Li Riqiang (lrqrun@gmail.com)
|
||||
Victor Rodionov (victor.rodionov@nexenta.com)
|
||||
Brent Roskos (broskos@internap.com)
|
||||
Christian Schwede (info@cschwede.de)
|
||||
Michael Shuler (mshuler@rackspace.com)
|
||||
Andrew Clay Shafer (acs@parvuscaptus.com)
|
||||
Scott Simpson (sasimpson@gmail.com)
|
||||
|
@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
|
||||
True, the proxy will return additional header information in some requests,
|
||||
such as the X-Container-Sync-Key for a container GET or HEAD.
|
||||
|
||||
Users with the special group ``.reseller_admin`` can operate on any account.
|
||||
For an example usage please see :mod:`swift.common.middleware.tempauth`.
|
||||
If a request is coming from a reseller the auth system sets the request environ
|
||||
reseller_request to True. This can be used by other middlewares.
|
||||
|
||||
TempAuth will now allow OPTIONS requests to go through without a token.
|
||||
|
||||
The user starts a session by sending a ReST request to the auth system to
|
||||
@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
|
||||
other users on containers, see the documentation on ACL here
|
||||
:mod:`swift.common.middleware.acl`.
|
||||
|
||||
Users with the Keystone role defined in ``reseller_admin_role``
|
||||
(``ResellerAdmin`` by default) can operate on any account. The auth system
|
||||
sets the request environ reseller_request to True if a request is coming
|
||||
from an user with this role. This can be used by other middlewares.
|
||||
|
||||
--------------
|
||||
Extending Auth
|
||||
--------------
|
||||
|
@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
|
||||
resp = req.get_response(self._get_successful_middleware())
|
||||
self.assertEqual(resp.status_int, 200)
|
||||
|
||||
def test_detect_reseller_request(self):
|
||||
role = self.test_auth.reseller_admin_role
|
||||
headers = self._get_identity_headers(role=role)
|
||||
req = self._make_request('/v1/AUTH_acct/c', headers)
|
||||
resp = req.get_response(self._get_successful_middleware())
|
||||
self.assertTrue(req.environ.get('reseller_request'))
|
||||
|
||||
def test_confirmed_identity_is_not_authorized(self):
|
||||
headers = self._get_identity_headers()
|
||||
req = self._make_request('/v1/AUTH_acct/c', headers)
|
||||
|
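Review bot: `test_detect_reseller_request` pins only the positive case: it asserts the flag for `reseller_admin_role`, but nothing checks that `reseller_request` stays unset for an ordinary identity. The documentation added in this commit says other middlewares may act on the flag, so a false positive is the failure that matters. I would add a companion test that builds headers with `self._get_identity_headers()` (no reseller role) and ends with `self.assertFalse(req.environ.get('reseller_request'))`. The tempauth test of the same name further down has the same gap and would need a token whose cached groups do not include `.reseller_admin`. The trailing lines of this section are context from `test_confirmed_identity_is_not_authorized`, whose body continues outside the hunk.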
@ -16,6 +16,7 @@
|
||||
import unittest
|
||||
from contextlib import contextmanager
|
||||
from base64 import b64encode
|
||||
from time import time
|
||||
|
||||
from swift.common.middleware import tempauth as auth
|
||||
from swift.common.swob import Request, Response
|
||||
@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
|
||||
req.acl = '.r:.example.com,.rlistings'
|
||||
self.assertEquals(self.test_auth.authorize(req), None)
|
||||
|
||||
def test_detect_reseller_request(self):
|
||||
req = self._make_request('/v1/AUTH_admin',
|
||||
headers={'X-Auth-Token': 'AUTH_t'})
|
||||
cache_key = 'AUTH_/token/AUTH_t'
|
||||
cache_entry = (time()+3600, '.reseller_admin')
|
||||
req.environ['swift.cache'].set(cache_key, cache_entry)
|
||||
resp = req.get_response(self.test_auth)
|
||||
self.assertTrue(req.environ.get('reseller_request', False))
|
||||
|
||||
def test_account_put_permissions(self):
|
||||
req = self._make_request('/v1/AUTH_new',
|
||||
environ={'REQUEST_METHOD': 'PUT'})
|
||||
|
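Review bot: In `test_detect_reseller_request` the response is bound to `resp` but never inspected, so the test cannot tell a request that was flagged and served from one that was flagged and then rejected. Either assert the status the fake app is expected to return for this request, or drop the binding and write `req.get_response(self.test_auth)`. The `False` default in `req.environ.get('reseller_request', False)` is redundant under `assertTrue`, and a short comment such as `# seed the token cache so AUTH_t resolves to the .reseller_admin group` would explain the hard-coded `cache_key`. The keystoneauth test of the same name has the same unused `resp`. The second hunk here ends inside `test_account_put_permissions`, which continues outside the hunk.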