Add another user for s3api func tests

Previously we'd use two users, one admin and one unprivileged. Ceph's s3-tests, however, assume that both users should have access to create buckets. Further, there are different errors that may be returned depending on whether you are the *bucket* owner or not when using s3_acl. So now we've got: test:tester1 (admin) test:tester2 (also admin) test:tester3 (unprivileged) Change-Id: I0b67c53de3bcadc2c656d86131fca5f2c3114f14
2018-09-13 11:38:01 -06:00 · 2018-09-13 11:38:01 -06:00 · 5a8cfd6e06
commit 5a8cfd6e06
parent 80001aa096
7 changed files with 58 additions and 24 deletions
--- a/doc/saio/swift/proxy-server.conf
+++ b/doc/saio/swift/proxy-server.conf
@ -53,8 +53,9 @@ use = egg:swift#tempurl
 use = egg:swift#tempauth
 user_admin_admin = admin .admin .reseller_admin
 user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
 user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin

 [filter:staticweb]
 use = egg:swift#staticweb
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -351,8 +351,9 @@ use = egg:swift#tempauth
 # Here are example entries, required for running the tests:
 user_admin_admin = admin .admin .reseller_admin
 user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
 user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin
 user_test5_tester5 = testing5 service

 # To enable Keystone authentication you need to have the auth token
--- a/test/functional/init.py
+++ b/test/functional/init.py
@ -589,6 +589,10 @@ def in_process_setup(the_object_server=object_server):
        'password': 'testing',
        's3_access_key': 'test:tester',
        's3_secret_key': 'testing',
+        # Secondary user of the primary test account (needs admin access
+        # to the account) for s3api
+        's3_access_key2': 'test:tester2',
+        's3_secret_key2': 'testing2',
        # User on a second account (needs admin access to the account)
        'account2': 'test2',
        'username2': 'tester2',
@ -596,8 +600,8 @@ def in_process_setup(the_object_server=object_server):
        # User on same account as first, but without admin access
        'username3': 'tester3',
        'password3': 'testing3',
-        's3_access_key2': 'test:tester3',
-        's3_secret_key2': 'testing3',
+        's3_access_key3': 'test:tester3',
+        's3_secret_key3': 'testing3',
        # Service user and prefix (emulates glance, cinder, etc. user)
        'account5': 'test5',
        'username5': 'tester5',
--- a/test/functional/s3api/test_acl.py
+++ b/test/functional/s3api/test_acl.py
@ -35,14 +35,15 @@ class TestS3Acl(S3ApiBase):
        super(TestS3Acl, self).setUp()
        self.bucket = 'bucket'
        self.obj = 'object'
-        if 's3_access_key2' not in tf.config or \
-                's3_secret_key2' not in tf.config:
+        if 's3_access_key3' not in tf.config or \
+                's3_secret_key3' not in tf.config:
            raise tf.SkipTest(
-                'TestS3Acl requires s3_access_key2 and s3_secret_key2 setting')
+                'TestS3Acl requires s3_access_key3 and s3_secret_key3 '
+                'configured for reduced-access user')
        self.conn.make_request('PUT', self.bucket)
-        access_key2 = tf.config['s3_access_key2']
-        secret_key2 = tf.config['s3_secret_key2']
-        self.conn2 = Connection(access_key2, secret_key2, access_key2)
+        access_key3 = tf.config['s3_access_key3']
+        secret_key3 = tf.config['s3_secret_key3']
+        self.conn3 = Connection(access_key3, secret_key3, access_key3)

    def test_acl(self):
        self.conn.make_request('PUT', self.bucket, self.obj)
@ -103,7 +104,7 @@ class TestS3Acl(S3ApiBase):
        self.assertEqual(get_error_code(body), 'NoSuchBucket')

        status, headers, body = \
-            self.conn2.make_request('PUT', self.bucket,
+            self.conn3.make_request('PUT', self.bucket,
                                    headers=req_headers, query='acl')
        self.assertEqual(get_error_code(body), 'AccessDenied')

@ -118,7 +119,7 @@ class TestS3Acl(S3ApiBase):
        self.assertEqual(get_error_code(body), 'NoSuchBucket')

        status, headers, body = \
-            self.conn2.make_request('GET', self.bucket, query='acl')
+            self.conn3.make_request('GET', self.bucket, query='acl')
        self.assertEqual(get_error_code(body), 'AccessDenied')

    def test_get_object_acl_error(self):
@ -135,7 +136,7 @@ class TestS3Acl(S3ApiBase):
        self.assertEqual(get_error_code(body), 'NoSuchKey')

        status, headers, body = \
-            self.conn2.make_request('GET', self.bucket, self.obj, query='acl')
+            self.conn3.make_request('GET', self.bucket, self.obj, query='acl')
        self.assertEqual(get_error_code(body), 'AccessDenied')


--- a/test/functional/s3api/test_bucket.py
+++ b/test/functional/s3api/test_bucket.py
@ -151,11 +151,34 @@ class TestS3ApiBucket(S3ApiBase):

        self.conn.make_request('PUT', 'bucket')
        status, headers, body = self.conn.make_request('PUT', 'bucket')
+        self.assertEqual(status, 409)
+        self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+        if 's3_access_key2' not in tf.config or \
+                's3_secret_key2' not in tf.config:
+            raise tf.SkipTest(
+                'Cannot test for BucketAlreadyExists with second user; need '
+                's3_access_key2 and s3_secret_key2 configured')
+        # Other users of the same account get the same error
+        conn2 = Connection(tf.config['s3_access_key2'],
+                           tf.config['s3_secret_key2'],
+                           tf.config['s3_access_key2'])
+        status, headers, body = conn2.make_request('PUT', 'bucket')
+        self.assertEqual(status, 409)
+        self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+        if 's3_access_key3' not in tf.config or \
+                's3_secret_key3' not in tf.config:
+            raise tf.SkipTest('Cannot test for AccessDenied; need '
+                              's3_access_key3 and s3_secret_key3 configured')
        # If the user can't create buckets, they shouldn't even know
-        # whether the bucket exists. For some reason, though, when s3_acl
-        # is disabled, we translate 403 -> BucketAlreadyExists??
-        self.assertIn(get_error_code(body),
-                      ('AccessDenied', 'BucketAlreadyExists'))
+        # whether the bucket exists.
+        conn3 = Connection(tf.config['s3_access_key3'],
+                           tf.config['s3_secret_key3'],
+                           tf.config['s3_access_key3'])
+        status, headers, body = conn3.make_request('PUT', 'bucket')
+        self.assertEqual(status, 403)
+        self.assertEqual(get_error_code(body), 'AccessDenied')

    def test_put_bucket_with_LocationConstraint(self):
        bucket = 'bucket'
--- a/test/sample.conf
+++ b/test/sample.conf
@ -29,8 +29,12 @@ password2 = testing2
 username3 = tester3
 password3 = testing3
 # s3api requires the same account with the primary one and different users
-s3_access_key2 = test:tester3
-s3_secret_key2 = testing3
+# one swift owner:
+s3_access_key2 = test:tester2
+s3_secret_key2 = testing2
+# one unprivileged:
+s3_access_key3 = test:tester3
+s3_secret_key3 = testing3

 # Fourth user is required for keystone v3 specific tests.
 # Account must be in a non-default domain.
--- a/tools/playbooks/ceph-s3tests/ceph-s3.conf
+++ b/tools/playbooks/ceph-s3tests/ceph-s3.conf
@ -11,8 +11,8 @@ access_key = test:tester
 secret_key = testing

 [s3 alt]
-user_id = test:tester3
-display_name = test:tester3
-email = test:tester3
-access_key = test:tester3
-secret_key = testing3
+user_id = test:tester2
+display_name = test:tester2
+email = test:tester2
+access_key = test:tester2
+secret_key = testing2