Add tests and doc entry for request.environ[reseller_request]
The recent account_quotas (https://review.openstack.org/23434) patch added a new setting request.environ[reseller_request]. This patch adds tests for tempauth and keystoneauth as well as an updated overview_auth.rst. Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
parent
5e427e5e3b
commit
157c3c91ee
1
AUTHORS
1
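--- a/AUTHORS
+++ b/AUTHORS
@@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
 Li Riqiang (lrqrun@gmail.com)
 Victor Rodionov (victor.rodionov@nexenta.com)
 Brent Roskos (broskos@internap.com)
+Christian Schwede (info@cschwede.de)
 Michael Shuler (mshuler@rackspace.com)
 Andrew Clay Shafer (acs@parvuscaptus.com)
 Scott Simpson (sasimpson@gmail.com)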
@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
|
|||||||
True, the proxy will return additional header information in some requests,
|
True, the proxy will return additional header information in some requests,
|
||||||
such as the X-Container-Sync-Key for a container GET or HEAD.
|
such as the X-Container-Sync-Key for a container GET or HEAD.
|
||||||
|
|
||||||
|
Users with the special group ``.reseller_admin`` can operate on any account.
|
||||||
|
For an example usage please see :mod:`swift.common.middleware.tempauth`.
|
||||||
|
If a request is coming from a reseller the auth system sets the request environ
|
||||||
|
reseller_request to True. This can be used by other middlewares.
|
||||||
|
|
||||||
TempAuth will now allow OPTIONS requests to go through without a token.
|
TempAuth will now allow OPTIONS requests to go through without a token.
|
||||||
|
|
||||||
The user starts a session by sending a ReST request to the auth system to
|
The user starts a session by sending a ReST request to the auth system to
|
||||||
@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
|
|||||||
other users on containers, see the documentation on ACL here
|
other users on containers, see the documentation on ACL here
|
||||||
:mod:`swift.common.middleware.acl`.
|
:mod:`swift.common.middleware.acl`.
|
||||||
|
|
||||||
|
Users with the Keystone role defined in ``reseller_admin_role``
|
||||||
|
(``ResellerAdmin`` by default) can operate on any account. The auth system
|
||||||
|
sets the request environ reseller_request to True if a request is coming
|
||||||
|
from an user with this role. This can be used by other middlewares.
|
||||||
|
|
||||||
--------------
|
--------------
|
||||||
Extending Auth
|
Extending Auth
|
||||||
--------------
|
--------------
|
||||||
|
@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
|
|||||||
resp = req.get_response(self._get_successful_middleware())
|
resp = req.get_response(self._get_successful_middleware())
|
||||||
self.assertEqual(resp.status_int, 200)
|
self.assertEqual(resp.status_int, 200)
|
||||||
|
|
||||||
|
def test_detect_reseller_request(self):
|
||||||
|
role = self.test_auth.reseller_admin_role
|
||||||
|
headers = self._get_identity_headers(role=role)
|
||||||
|
req = self._make_request('/v1/AUTH_acct/c', headers)
|
||||||
|
resp = req.get_response(self._get_successful_middleware())
|
||||||
|
self.assertTrue(req.environ.get('reseller_request'))
|
||||||
|
|
||||||
def test_confirmed_identity_is_not_authorized(self):
|
def test_confirmed_identity_is_not_authorized(self):
|
||||||
headers = self._get_identity_headers()
|
headers = self._get_identity_headers()
|
||||||
req = self._make_request('/v1/AUTH_acct/c', headers)
|
req = self._make_request('/v1/AUTH_acct/c', headers)
|
||||||
|
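Review bot: test_detect_reseller_request covers only the positive case, so it would still pass if the middleware set reseller_request for every authenticated identity. Since the flag tells other middlewares to treat the request as privileged, the case worth pinning is that an identity without reseller_admin_role leaves it unset. The tempauth test of the same name has the same gap. A companion test is sketched below; it assumes _get_identity_headers() called without a role yields a non-reseller identity, which should be confirmed against the helper (defined outside this hunk). In both tests `resp` is assigned but never read.

```python
    # … unchanged: test_detect_reseller_request …

    def test_regular_identity_is_not_reseller_request(self):
        headers = self._get_identity_headers()
        req = self._make_request('/v1/AUTH_acct/c', headers)
        req.get_response(self._get_successful_middleware())
        self.assertFalse(req.environ.get('reseller_request'))
```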
@ -16,6 +16,7 @@
|
|||||||
import unittest
|
import unittest
|
||||||
from contextlib import contextmanager
|
from contextlib import contextmanager
|
||||||
from base64 import b64encode
|
from base64 import b64encode
|
||||||
|
from time import time
|
||||||
|
|
||||||
from swift.common.middleware import tempauth as auth
|
from swift.common.middleware import tempauth as auth
|
||||||
from swift.common.swob import Request, Response
|
from swift.common.swob import Request, Response
|
||||||
@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
|
|||||||
req.acl = '.r:.example.com,.rlistings'
|
req.acl = '.r:.example.com,.rlistings'
|
||||||
self.assertEquals(self.test_auth.authorize(req), None)
|
self.assertEquals(self.test_auth.authorize(req), None)
|
||||||
|
|
||||||
|
def test_detect_reseller_request(self):
|
||||||
|
req = self._make_request('/v1/AUTH_admin',
|
||||||
|
headers={'X-Auth-Token': 'AUTH_t'})
|
||||||
|
cache_key = 'AUTH_/token/AUTH_t'
|
||||||
|
cache_entry = (time()+3600, '.reseller_admin')
|
||||||
|
req.environ['swift.cache'].set(cache_key, cache_entry)
|
||||||
|
resp = req.get_response(self.test_auth)
|
||||||
|
self.assertTrue(req.environ.get('reseller_request', False))
|
||||||
|
|
||||||
def test_account_put_permissions(self):
|
def test_account_put_permissions(self):
|
||||||
req = self._make_request('/v1/AUTH_new',
|
req = self._make_request('/v1/AUTH_new',
|
||||||
environ={'REQUEST_METHOD': 'PUT'})
|
environ={'REQUEST_METHOD': 'PUT'})
|
||||||
|
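Review bot: The cache key and cache entry in test_detect_reseller_request are bare literals, so the reader has to guess how they relate to the token in the request header. A short comment above them would help, for example `# token cache entry: key is <reseller_prefix>/token/<token>, value is (expiry, groups)`. That layout is inferred from the literals here and should be checked against tempauth before it is written down. The `, False` default in the final `assertTrue(req.environ.get('reseller_request', False))` is redundant, because a missing key already returns None and fails the assertion.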