# Copyright 2012 OpenStack Foundation # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from tempest.api.object_storage import base from tempest import config from tempest.lib.common.utils import data_utils from tempest.lib import decorators CONF = config.CONF class ObjectTestACLs(base.BaseObjectTest): """Test object ACLs""" credentials = [['operator', CONF.object_storage.operator_role], ['operator_alt', CONF.object_storage.operator_role]] def setUp(self): super(ObjectTestACLs, self).setUp() self.container_name = self.create_container() @classmethod def resource_cleanup(cls): cls.delete_containers() super(ObjectTestACLs, cls).resource_cleanup() @decorators.idempotent_id('a3270f3f-7640-4944-8448-c7ea783ea5b6') def test_read_object_with_rights(self): """Test reading object using authorized user""" # update X-Container-Read metadata ACL tenant_id = self.os_roles_operator_alt.credentials.tenant_id user_id = self.os_roles_operator_alt.credentials.user_id cont_headers = {'X-Container-Read': tenant_id + ':' + user_id} container_client = self.os_roles_operator.container_client resp_meta, _ = ( container_client.create_update_or_delete_container_metadata( self.container_name, create_update_metadata=cont_headers, create_update_metadata_prefix='')) self.assertHeaders(resp_meta, 'Container', 'POST') # create object object_name = data_utils.rand_name(name='Object') resp, _ = self.os_roles_operator.object_client.create_object( self.container_name, object_name, 'data') self.assertHeaders(resp, 'Object', 'PUT') # set alternative authentication data; cannot simply use the # other object client. self.os_roles_operator.object_client.auth_provider.set_alt_auth_data( request_part='headers', auth_data=self.os_roles_operator_alt.object_client.auth_provider. auth_data) resp, _ = self.os_roles_operator.object_client.get_object( self.container_name, object_name) self.assertHeaders(resp, 'Object', 'GET') @decorators.idempotent_id('aa58bfa5-40d9-4bc3-82b4-d07f4a9e392a') def test_write_object_with_rights(self): """Test writing object using authorized user""" # update X-Container-Write metadata ACL tenant_id = self.os_roles_operator_alt.credentials.tenant_id user_id = self.os_roles_operator_alt.credentials.user_id cont_headers = {'X-Container-Write': tenant_id + ':' + user_id} container_client = self.os_roles_operator.container_client resp_meta, _ = ( container_client.create_update_or_delete_container_metadata( self.container_name, create_update_metadata=cont_headers, create_update_metadata_prefix='')) self.assertHeaders(resp_meta, 'Container', 'POST') # set alternative authentication data; cannot simply use the # other object client. self.os_roles_operator.object_client.auth_provider.set_alt_auth_data( request_part='headers', auth_data=self.os_roles_operator_alt.object_client.auth_provider. auth_data) # Trying to write the object with rights object_name = data_utils.rand_name(name='Object') resp, _ = self.os_roles_operator.object_client.create_object( self.container_name, object_name, 'data', headers={}) self.assertHeaders(resp, 'Object', 'PUT')