Do not fetch content of container/object to retrieve S3 ACLs

Bucket ACLs: The contents of the container are unnecessarily listed. Object ACLs: The content of the object is unnecessarily fetched. Additionally, because the data is skipped, a 499 error is returned on a subrequest. Change-Id: I1e6ccc8ec4a54375b5817498c4ac7f995656a794
7 months ago · b8d7c3dcb8
3 changed files with 14 additions and 3 deletions
--- a/swift/common/middleware/s3api/acl_handlers.py
+++ b/swift/common/middleware/s3api/acl_handlers.py
@ -248,6 +248,9 @@ class S3AclHandler(BaseAclHandler):
    """
    S3AclHandler: Handler for S3AclController
    """
+    def HEAD(self, app):
+        self._handle_acl(app, 'HEAD', permission='READ_ACP')
+
    def GET(self, app):
        self._handle_acl(app, 'HEAD', permission='READ_ACP')

--- a/swift/common/middleware/s3api/controllers/s3_acl.py
+++ b/swift/common/middleware/s3api/controllers/s3_acl.py
@ -37,7 +37,7 @@ class S3AclController(Controller):
        """
        Handles GET Bucket acl and GET Object acl.
        """
-        resp = req.get_response(self.app)
+        resp = req.get_response(self.app, method='HEAD')

        acl = resp.object_acl if req.is_object_request else resp.bucket_acl

--- a/test/unit/common/middleware/s3api/test_acl.py
+++ b/test/unit/common/middleware/s3api/test_acl.py
@ -46,13 +46,17 @@ class TestS3ApiAcl(S3ApiTestCase):
        name = elem.find('./AccessControlList/Grant/Grantee/ID').text
        self.assertEqual(name, owner)

+    @s3acl
    def test_bucket_acl_GET(self):
        req = Request.blank('/bucket?acl',
                            environ={'REQUEST_METHOD': 'GET'},
                            headers={'Authorization': 'AWS test:tester:hmac',
                                     'Date': self.get_date_header()})
        status, headers, body = self.call_s3api(req)
-        self._check_acl('test:tester', body)
+        if not self.s3api.conf.s3_acl:
+            self._check_acl('test:tester', body)
+        self.assertSetEqual(set((('HEAD', '/v1/AUTH_test/bucket'),)),
+                            set(self.swift.calls))

    def test_bucket_acl_PUT(self):
        elem = Element('AccessControlPolicy')
@ -167,13 +171,17 @@ class TestS3ApiAcl(S3ApiTestCase):
        self._test_put_no_body(use_transfer_encoding=True)
        self._test_put_no_body(use_transfer_encoding=True, string_to_md5=b'zz')

+    @s3acl
    def test_object_acl_GET(self):
        req = Request.blank('/bucket/object?acl',
                            environ={'REQUEST_METHOD': 'GET'},
                            headers={'Authorization': 'AWS test:tester:hmac',
                                     'Date': self.get_date_header()})
        status, headers, body = self.call_s3api(req)
-        self._check_acl('test:tester', body)
+        if not self.s3api.conf.s3_acl:
+            self._check_acl('test:tester', body)
+        self.assertSetEqual(set((('HEAD', '/v1/AUTH_test/bucket/object'),)),
+                            set(self.swift.calls))

    def test_invalid_xml(self):
        req = Request.blank('/bucket?acl',