Do not fetch content of container/object to retrieve S3 ACLs

Bucket ACLs:
The contents of the container are unnecessarily listed.

Object ACLs:
The content of the object is unnecessarily fetched.
Additionally, because the data is skipped, a 499 error is returned on a subrequest.

Change-Id: I1e6ccc8ec4a54375b5817498c4ac7f995656a794
Aymeric Ducroquetz 2021-10-25 15:31:55 +02:00
parent 32da73f5c9
commit b8d7c3dcb8
3 changed files with 14 additions and 3 deletions


@ -248,6 +248,9 @@ class S3AclHandler(BaseAclHandler):
""" """
S3AclHandler: Handler for S3AclController S3AclHandler: Handler for S3AclController
""" """
def HEAD(self, app):
self._handle_acl(app, 'HEAD', permission='READ_ACP')
def GET(self, app): def GET(self, app):
self._handle_acl(app, 'HEAD', permission='READ_ACP') self._handle_acl(app, 'HEAD', permission='READ_ACP')
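Review bot: The new `HEAD` method on `S3AclHandler` is a verbatim copy of `GET`, and neither method says why an ACL read is authorised through a HEAD subrequest with `permission='READ_ACP'`. Because these two methods are where the READ_ACP check for ACL reads is visible, I would add a one-line docstring to each, for example `"""Authorise an ACL read: require READ_ACP, using a HEAD subrequest so no body is fetched."""`. That makes it harder for a later cleanup to drop one of them as redundant and change which permission is applied. The class continues outside the hunk, so how `_handle_acl` uses the `permission` argument is not visible here.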


@ -37,7 +37,7 @@ class S3AclController(Controller):
""" """
Handles GET Bucket acl and GET Object acl. Handles GET Bucket acl and GET Object acl.
""" """
resp = req.get_response(self.app) resp = req.get_response(self.app, method='HEAD')
acl = resp.object_acl if req.is_object_request else resp.bucket_acl acl = resp.object_acl if req.is_object_request else resp.bucket_acl
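Review bot: The `method='HEAD'` override on `req.get_response(self.app, method='HEAD')` has no comment, and it presumably changes which ACL-handler method authorises this read, from the handler's `GET` to its `HEAD`. A comment above the call would record that dependency, for example `# HEAD is sufficient: the ACL is taken from resp.bucket_acl / resp.object_acl, and the ACL handler's HEAD must enforce READ_ACP`. The enclosing method starts above the hunk, so how the override reaches the handler cannot be confirmed from these lines.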


@ -46,13 +46,17 @@ class TestS3ApiAcl(S3ApiTestCase):
name = elem.find('./AccessControlList/Grant/Grantee/ID').text name = elem.find('./AccessControlList/Grant/Grantee/ID').text
self.assertEqual(name, owner) self.assertEqual(name, owner)
@s3acl
def test_bucket_acl_GET(self): def test_bucket_acl_GET(self):
req = Request.blank('/bucket?acl', req = Request.blank('/bucket?acl',
environ={'REQUEST_METHOD': 'GET'}, environ={'REQUEST_METHOD': 'GET'},
headers={'Authorization': 'AWS test:tester:hmac', headers={'Authorization': 'AWS test:tester:hmac',
'Date': self.get_date_header()}) 'Date': self.get_date_header()})
status, headers, body = self.call_s3api(req) status, headers, body = self.call_s3api(req)
self._check_acl('test:tester', body) if not self.s3api.conf.s3_acl:
self._check_acl('test:tester', body)
self.assertSetEqual(set((('HEAD', '/v1/AUTH_test/bucket'),)),
set(self.swift.calls))
def test_bucket_acl_PUT(self): def test_bucket_acl_PUT(self):
elem = Element('AccessControlPolicy') elem = Element('AccessControlPolicy')
@ -167,13 +171,17 @@ class TestS3ApiAcl(S3ApiTestCase):
self._test_put_no_body(use_transfer_encoding=True) self._test_put_no_body(use_transfer_encoding=True)
self._test_put_no_body(use_transfer_encoding=True, string_to_md5=b'zz') self._test_put_no_body(use_transfer_encoding=True, string_to_md5=b'zz')
@s3acl
def test_object_acl_GET(self): def test_object_acl_GET(self):
req = Request.blank('/bucket/object?acl', req = Request.blank('/bucket/object?acl',
environ={'REQUEST_METHOD': 'GET'}, environ={'REQUEST_METHOD': 'GET'},
headers={'Authorization': 'AWS test:tester:hmac', headers={'Authorization': 'AWS test:tester:hmac',
'Date': self.get_date_header()}) 'Date': self.get_date_header()})
status, headers, body = self.call_s3api(req) status, headers, body = self.call_s3api(req)
self._check_acl('test:tester', body) if not self.s3api.conf.s3_acl:
self._check_acl('test:tester', body)
self.assertSetEqual(set((('HEAD', '/v1/AUTH_test/bucket/object'),)),
set(self.swift.calls))
def test_invalid_xml(self): def test_invalid_xml(self):
req = Request.blank('/bucket?acl', req = Request.blank('/bucket?acl',
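Review bot: `test_bucket_acl_GET` never asserts the response status, and when `self.s3api.conf.s3_acl` is set it also skips `_check_acl`, so in that mode the test checks only which backend calls were made. A denied or failed ACL read would still pass there. Adding `self.assertEqual(status.split()[0], '200')` after `call_s3api` would pin the authorisation outcome in both modes, assuming `status` is the usual status line; `test_object_acl_GET` in the second hunk has the same gap. Comparing `set(self.swift.calls)` also hides a repeated HEAD, so a list comparison such as `self.assertEqual([('HEAD', '/v1/AUTH_test/bucket')], self.swift.calls)` would be stricter if the fake records every call in order. `test_invalid_xml` at the end of the hunk continues outside it.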