openstack/swift
Code Issues Proposed changes

Merge "Add functional test for access control (RBAC) with Keystone"

Browse Source
This commit is contained in:
Jenkins
2016-02-11 15:07:38 +00:00
committed by Gerrit Code Review
parent bf4c26d7ef 09b188f03c
commit a2405e99af
5 changed files with 1149 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
test/functional/__init__.py
View File

@@ -92,15 +92,16 @@ normalized_urls = None
# If no config was read, we will fall back to old school env vars # If no config was read, we will fall back to old school env vars
swift_test_auth_version = None swift_test_auth_version = None
swift_test_auth = os.environ.get('SWIFT_TEST_AUTH') swift_test_auth = os.environ.get('SWIFT_TEST_AUTH')
swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', ''] swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '', '']
swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', ''] swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '', '']
swift_test_tenant = ['', '', '', '', ''] swift_test_tenant = ['', '', '', '', '', '']
swift_test_perm = ['', '', '', '', ''] swift_test_perm = ['', '', '', '', '', '']
swift_test_domain = ['', '', '', '', ''] swift_test_domain = ['', '', '', '', '', '']
swift_test_user_id = ['', '', '', '', ''] swift_test_user_id = ['', '', '', '', '', '']
swift_test_tenant_id = ['', '', '', '', ''] swift_test_tenant_id = ['', '', '', '', '', '']
skip, skip2, skip3, skip_service_tokens = False, False, False, False skip, skip2, skip3, skip_service_tokens, skip_if_no_reseller_admin = \
False, False, False, False, False
orig_collate = '' orig_collate = ''
insecure = False insecure = False
@@ -385,7 +386,11 @@ def in_process_setup(the_object_server=object_server):
'service_prefix': 'SERVICE', 'service_prefix': 'SERVICE',
# For tempauth middleware. Update reseller_prefix # For tempauth middleware. Update reseller_prefix
'reseller_prefix': 'AUTH, SERVICE', 'reseller_prefix': 'AUTH, SERVICE',
'SERVICE_require_group': 'service' 'SERVICE_require_group': 'service',
# Reseller admin user (needs reseller_admin_role)
'account6': 'test6',
'username6': 'tester6',
'password6': 'testing6'
}) })
# If an env var explicitly specifies the proxy-server object_post_as_copy # If an env var explicitly specifies the proxy-server object_post_as_copy
@@ -692,6 +697,10 @@ def setup_package():
swift_test_user[4] = config['username5'] swift_test_user[4] = config['username5']
swift_test_tenant[4] = config['account5'] swift_test_tenant[4] = config['account5']
swift_test_key[4] = config['password5'] swift_test_key[4] = config['password5']
if 'username6' in config:
swift_test_user[5] = config['username6']
swift_test_tenant[5] = config['account6']
swift_test_key[5] = config['password6']
for _ in range(5): for _ in range(5):
swift_test_perm[_] = swift_test_tenant[_] + ':' \ swift_test_perm[_] = swift_test_tenant[_] + ':' \
@@ -747,6 +756,16 @@ def setup_package():
% policy_specified) % policy_specified)
raise Exception('Failed to find specified policy %s' raise Exception('Failed to find specified policy %s'
% policy_specified) % policy_specified)
global skip_if_no_reseller_admin
skip_if_no_reseller_admin = not all([not skip, swift_test_user[5],
swift_test_key[5],
swift_test_tenant[5]])
if not skip and skip_if_no_reseller_admin:
print(
'SKIPPING FUNCTIONAL TESTS DUE TO NO CONFIG FOR RESELLER ADMIN',
file=sys.stderr)
get_cluster_info() get_cluster_info()

1092
test/functional/test_access_control.py Normal file
View File

File diff suppressed because it is too large Load Diff

14
test/functional/test_object.py
View File

@@ -71,6 +71,20 @@ class TestObject(unittest2.TestCase):
resp = retry(put, name, use_account=use_account) resp = retry(put, name, use_account=use_account)
resp.read() resp.read()
self.assertEqual(resp.status, 201) self.assertEqual(resp.status, 201)
# With keystoneauth we need the accounts to have had the project
# domain id persisted as sysmeta prior to testing ACLs. This may
# not be the case if, for example, the account was created using
# a request with reseller_admin role, when project domain id may
# not have been known. So we ensure that the project domain id is
# in sysmeta by making a POST to the accounts using an admin role.
def post(url, token, parsed, conn):
conn.request('POST', parsed.path, '', {'X-Auth-Token': token})
return check_response(conn)
resp = retry(post, use_account=use_account)
resp.read()
self.assertEqual(resp.status, 204)
return name return name
def tearDown(self): def tearDown(self):

9
test/functional/tests.py
View File

@@ -1108,6 +1108,15 @@ class TestFileEnv(object):
cls.file_size = 128 cls.file_size = 128
# With keystoneauth we need the accounts to have had the project
# domain id persisted as sysmeta prior to testing ACLs. This may
# not be the case if, for example, the account was created using
# a request with reseller_admin role, when project domain id may
# not have been known. So we ensure that the project domain id is
# in sysmeta by making a POST to the accounts using an admin role.
cls.account.update_metadata()
cls.account2.update_metadata()
class TestFileDev(Base): class TestFileDev(Base):
env = TestFileEnv env = TestFileEnv

6
test/sample.conf
View File

@@ -58,6 +58,12 @@ password3 = testing3
# account contains an underscore. # account contains an underscore.
#service_prefix = SERVICE #service_prefix = SERVICE
# Sixth user is required for access control tests.
# Account must have a role for reseller_admin_role(keystoneauth).
#account6 = test
#username6 = tester6
#password6 = testing6
collate = C collate = C
# Only necessary if a pre-existing server uses self-signed certificate # Only necessary if a pre-existing server uses self-signed certificate