mirror of
https://github.com/ceph/ceph
synced 2024-12-24 12:24:19 +00:00
f0987e5151
This new cap allows users to run the admin api op `get user info` without the S3 keys and Swift keys in the response. Signed-off-by: Ali Maredia <amaredia@redhat.com>
980 lines
37 KiB
Python
980 lines
37 KiB
Python
"""
|
|
Run a series of rgw admin commands through the rest interface.
|
|
|
|
The test cases in this file have been annotated for inventory.
|
|
To extract the inventory (in csv format) use the command:
|
|
|
|
grep '^ *# TESTCASE' | sed 's/^ *# TESTCASE //'
|
|
|
|
"""
|
|
import logging
|
|
|
|
|
|
import boto.exception
|
|
import boto.s3.connection
|
|
import boto.s3.acl
|
|
|
|
import requests
|
|
import time
|
|
|
|
from boto.connection import AWSAuthConnection
|
|
from teuthology import misc as teuthology
|
|
from tasks.util.rgw import get_user_summary, get_user_successful_ops, rgwadmin
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
def rgwadmin_rest(connection, cmd, params=None, headers=None, raw=False):
|
|
"""
|
|
perform a rest command
|
|
"""
|
|
log.info('radosgw-admin-rest: %s %s' % (cmd, params))
|
|
put_cmds = ['create', 'link', 'add', 'set']
|
|
post_cmds = ['unlink', 'modify']
|
|
delete_cmds = ['trim', 'rm', 'process']
|
|
get_cmds = ['check', 'info', 'show', 'list', 'get', '']
|
|
|
|
bucket_sub_resources = ['object', 'policy', 'index']
|
|
user_sub_resources = ['subuser', 'key', 'caps', 'quota']
|
|
zone_sub_resources = ['pool', 'log', 'garbage']
|
|
|
|
def get_cmd_method_and_handler(cmd):
|
|
"""
|
|
Get the rest command and handler from information in cmd and
|
|
from the imported requests object.
|
|
"""
|
|
if cmd[1] in put_cmds:
|
|
return 'PUT', requests.put
|
|
elif cmd[1] in delete_cmds:
|
|
return 'DELETE', requests.delete
|
|
elif cmd[1] in post_cmds:
|
|
return 'POST', requests.post
|
|
elif cmd[1] in get_cmds:
|
|
return 'GET', requests.get
|
|
|
|
def get_resource(cmd):
|
|
"""
|
|
Get the name of the resource from information in cmd.
|
|
"""
|
|
if cmd[0] == 'bucket' or cmd[0] in bucket_sub_resources:
|
|
if cmd[0] == 'bucket':
|
|
return 'bucket', ''
|
|
else:
|
|
return 'bucket', cmd[0]
|
|
elif cmd[0] == 'user' or cmd[0] in user_sub_resources:
|
|
if cmd[0] == 'user':
|
|
return 'user', ''
|
|
else:
|
|
return 'user', cmd[0]
|
|
elif cmd[0] == 'usage':
|
|
return 'usage', ''
|
|
elif cmd[0] == 'info':
|
|
return 'info', ''
|
|
elif cmd[0] == 'ratelimit':
|
|
return 'ratelimit', ''
|
|
elif cmd[0] == 'zone' or cmd[0] in zone_sub_resources:
|
|
if cmd[0] == 'zone':
|
|
return 'zone', ''
|
|
else:
|
|
return 'zone', cmd[0]
|
|
|
|
def build_admin_request(conn, method, resource = '', headers=None, data='',
|
|
query_args=None, params=None):
|
|
"""
|
|
Build an administative request adapted from the build_request()
|
|
method of boto.connection
|
|
"""
|
|
|
|
path = conn.calling_format.build_path_base('admin', resource)
|
|
auth_path = conn.calling_format.build_auth_path('admin', resource)
|
|
host = conn.calling_format.build_host(conn.server_name(), 'admin')
|
|
if query_args:
|
|
path += '?' + query_args
|
|
boto.log.debug('path=%s' % path)
|
|
auth_path += '?' + query_args
|
|
boto.log.debug('auth_path=%s' % auth_path)
|
|
return AWSAuthConnection.build_base_http_request(conn, method, path,
|
|
auth_path, params, headers, data, host)
|
|
|
|
method, handler = get_cmd_method_and_handler(cmd)
|
|
resource, query_args = get_resource(cmd)
|
|
request = build_admin_request(connection, method, resource,
|
|
query_args=query_args, headers=headers)
|
|
|
|
url = '{protocol}://{host}{path}'.format(protocol=request.protocol,
|
|
host=request.host, path=request.path)
|
|
|
|
request.authorize(connection=connection)
|
|
result = handler(url, params=params, headers=request.headers)
|
|
|
|
if raw:
|
|
log.info(' text result: %s' % result.text)
|
|
return result.status_code, result.text
|
|
elif len(result.content) == 0:
|
|
# many admin requests return no body, so json() throws a JSONDecodeError
|
|
log.info(' empty result')
|
|
return result.status_code, None
|
|
else:
|
|
log.info(' json result: %s' % result.json())
|
|
return result.status_code, result.json()
|
|
|
|
def test_cap_user_info_without_keys_get_user_info_privileged_users(ctx, client, op, op_args, uid, display_name, access_key, secret_key, user_type):
|
|
user_caps = 'user-info-without-keys=read'
|
|
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'user', 'create',
|
|
'--uid', uid,
|
|
'--display-name', display_name,
|
|
'--access-key', access_key,
|
|
'--secret', secret_key,
|
|
'--caps', user_caps,
|
|
user_type
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
endpoint = ctx.rgw.role_endpoints.get(client)
|
|
|
|
privileged_user_conn = boto.s3.connection.S3Connection(
|
|
aws_access_key_id=access_key,
|
|
aws_secret_access_key=secret_key,
|
|
is_secure=True if endpoint.cert else False,
|
|
port=endpoint.port,
|
|
host=endpoint.hostname,
|
|
calling_format=boto.s3.connection.OrdinaryCallingFormat(),
|
|
)
|
|
|
|
(ret, out) = rgwadmin_rest(privileged_user_conn, op, op_args)
|
|
# show that even though the cap is set, since the user is privileged the user can still see keys
|
|
assert len(out['keys']) == 1
|
|
assert out['swift_keys'] == []
|
|
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'user', 'rm',
|
|
'--uid', uid,
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
def test_cap_user_info_without_keys_get_user_info(ctx, client, admin_conn, admin_user, op, op_args):
|
|
true_admin_uid = 'a_user'
|
|
true_admin_display_name = 'True Admin User'
|
|
true_admin_access_key = 'true_admin_akey'
|
|
true_admin_secret_key = 'true_admin_skey'
|
|
|
|
system_uid = 'system_user'
|
|
system_display_name = 'System User'
|
|
system_access_key = 'system_akey'
|
|
system_secret_key = 'system_skey'
|
|
|
|
test_cap_user_info_without_keys_get_user_info_privileged_users(ctx, client, op, op_args, system_uid, system_display_name, system_access_key, system_secret_key, '--system')
|
|
test_cap_user_info_without_keys_get_user_info_privileged_users(ctx, client, op, op_args, true_admin_uid, true_admin_display_name, true_admin_access_key, true_admin_secret_key, '--admin')
|
|
|
|
# TESTCASE 'info-existing','user','info','existing user','returns no keys with user-info-without-keys cap set to read'
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'user-info-without-keys=read'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, op, op_args)
|
|
assert 'keys' not in out
|
|
assert 'swift_keys' not in out
|
|
|
|
# TESTCASE 'info-existing','user','info','existing user','returns no keys with user-info-without-keys cap set to read'
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'user-info-without-keys=*'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, op, op_args)
|
|
assert 'keys' not in out
|
|
assert 'swift_keys' not in out
|
|
|
|
# TESTCASE 'info-existing','user','info','existing user','returns keys with user-info-without-keys cap set to read but cap users is set to read'
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'users=read, write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, op, op_args)
|
|
assert 'keys' in out
|
|
assert 'swift_keys' in out
|
|
|
|
# TESTCASE 'info-existing','user','info','existing user','returns 403 with user-info-without-keys cap set to write'
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'rm',
|
|
'--uid', admin_user,
|
|
'--caps', 'users=read, write; user-info-without-keys=*'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'user-info-without-keys=write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, op, op_args)
|
|
assert ret == 403
|
|
|
|
# remove cap user-info-without-keys permenantly for future testing
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'rm',
|
|
'--uid', admin_user,
|
|
'--caps', 'user-info-without-keys=write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
# reset cap users permenantly for future testing
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'users=read, write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
def test_cap_user_info_without_keys(ctx, client, admin_conn, admin_user, user1):
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'rm',
|
|
'--uid', admin_user,
|
|
'--caps', 'users=read, write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
op = ['user', 'info']
|
|
op_args = {'uid' : user1}
|
|
test_cap_user_info_without_keys_get_user_info(ctx, client, admin_conn, admin_user, op, op_args)
|
|
|
|
# add caps that were removed earlier in the function back in
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'caps', 'add',
|
|
'--uid', admin_user,
|
|
'--caps', 'users=read, write'
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
def task(ctx, config):
|
|
"""
|
|
Test radosgw-admin functionality through the RESTful interface
|
|
"""
|
|
assert config is None or isinstance(config, list) \
|
|
or isinstance(config, dict), \
|
|
"task s3tests only supports a list or dictionary for configuration"
|
|
all_clients = ['client.{id}'.format(id=id_)
|
|
for id_ in teuthology.all_roles_of_type(ctx.cluster, 'client')]
|
|
if config is None:
|
|
config = all_clients
|
|
if isinstance(config, list):
|
|
config = dict.fromkeys(config)
|
|
clients = config.keys()
|
|
|
|
# just use the first client...
|
|
client = next(iter(clients))
|
|
|
|
##
|
|
admin_user = 'ada'
|
|
admin_display_name = 'Ms. Admin User'
|
|
admin_access_key = 'MH1WC2XQ1S8UISFDZC8W'
|
|
admin_secret_key = 'dQyrTPA0s248YeN5bBv4ukvKU0kh54LWWywkrpoG'
|
|
admin_caps = 'users=read, write; usage=read, write; buckets=read, write; zone=read, write; info=read;ratelimit=read, write'
|
|
|
|
user1 = 'foo'
|
|
user2 = 'fud'
|
|
ratelimit_user = 'ratelimit_user'
|
|
subuser1 = 'foo:foo1'
|
|
subuser2 = 'foo:foo2'
|
|
display_name1 = 'Foo'
|
|
display_name2 = 'Fud'
|
|
email = 'foo@foo.com'
|
|
access_key = '9te6NH5mcdcq0Tc5i8i1'
|
|
secret_key = 'Ny4IOauQoL18Gp2zM7lC1vLmoawgqcYP/YGcWfXu'
|
|
access_key2 = 'p5YnriCv1nAtykxBrupQ'
|
|
secret_key2 = 'Q8Tk6Q/27hfbFSYdSkPtUqhqx1GgzvpXa4WARozh'
|
|
swift_secret1 = 'gpS2G9RREMrnbqlp29PP2D36kgPR1tm72n5fPYfL'
|
|
swift_secret2 = 'ri2VJQcKSYATOY6uaDUX7pxgkW+W1YmC6OCxPHwy'
|
|
|
|
bucket_name = 'myfoo'
|
|
|
|
# legend (test cases can be easily grep-ed out)
|
|
# TESTCASE 'testname','object','method','operation','assertion'
|
|
# TESTCASE 'create-admin-user','user','create','administrative user','succeeds'
|
|
(err, out) = rgwadmin(ctx, client, [
|
|
'user', 'create',
|
|
'--uid', admin_user,
|
|
'--display-name', admin_display_name,
|
|
'--access-key', admin_access_key,
|
|
'--secret', admin_secret_key,
|
|
'--max-buckets', '0',
|
|
'--caps', admin_caps
|
|
])
|
|
logging.error(out)
|
|
logging.error(err)
|
|
assert not err
|
|
|
|
assert hasattr(ctx, 'rgw'), 'radosgw-admin-rest must run after the rgw task'
|
|
endpoint = ctx.rgw.role_endpoints.get(client)
|
|
assert endpoint, 'no rgw endpoint for {}'.format(client)
|
|
|
|
admin_conn = boto.s3.connection.S3Connection(
|
|
aws_access_key_id=admin_access_key,
|
|
aws_secret_access_key=admin_secret_key,
|
|
is_secure=True if endpoint.cert else False,
|
|
port=endpoint.port,
|
|
host=endpoint.hostname,
|
|
calling_format=boto.s3.connection.OrdinaryCallingFormat(),
|
|
)
|
|
|
|
# TESTCASE 'info-nosuch','user','info','non-existent user','fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {"uid": user1})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'create-ok','user','create','w/all valid info','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['user', 'create'],
|
|
{'uid' : user1,
|
|
'display-name' : display_name1,
|
|
'email' : email,
|
|
'access-key' : access_key,
|
|
'secret-key' : secret_key,
|
|
'max-buckets' : '4'
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'list-no-user','user','list','list user keys','user list object'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'list'], {'list' : '', 'max-entries' : 0})
|
|
assert ret == 200
|
|
assert out['count'] == 0
|
|
assert out['truncated'] == True
|
|
assert len(out['keys']) == 0
|
|
assert len(out['marker']) > 0
|
|
|
|
# TESTCASE 'list-user-without-marker','user','list','list user keys','user list object'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'list'], {'list' : '', 'max-entries' : 1})
|
|
assert ret == 200
|
|
assert out['count'] == 1
|
|
assert out['truncated'] == True
|
|
assert len(out['keys']) == 1
|
|
assert len(out['marker']) > 0
|
|
marker = out['marker']
|
|
|
|
# TESTCASE 'list-user-with-marker','user','list','list user keys','user list object'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'list'], {'list' : '', 'max-entries' : 1, 'marker': marker})
|
|
assert ret == 200
|
|
assert out['count'] == 1
|
|
assert out['truncated'] == False
|
|
assert len(out['keys']) == 1
|
|
|
|
# TESTCASE 'info-existing','user','info','existing user','returns correct info'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
|
|
assert out['user_id'] == user1
|
|
assert out['email'] == email
|
|
assert out['display_name'] == display_name1
|
|
assert len(out['keys']) == 1
|
|
assert out['keys'][0]['access_key'] == access_key
|
|
assert out['keys'][0]['secret_key'] == secret_key
|
|
assert not out['suspended']
|
|
assert out['tenant'] == ''
|
|
assert out['max_buckets'] == 4
|
|
assert out['caps'] == []
|
|
assert out['op_mask'] == 'read, write, delete'
|
|
assert out['default_placement'] == ''
|
|
assert out['default_storage_class'] == ''
|
|
assert out['placement_tags'] == []
|
|
assert not out['bucket_quota']['enabled']
|
|
assert not out['bucket_quota']['check_on_raw']
|
|
assert out['bucket_quota']['max_size'] == -1
|
|
assert out['bucket_quota']['max_size_kb'] == 0
|
|
assert out['bucket_quota']['max_objects'] == -1
|
|
assert not out['user_quota']['enabled']
|
|
assert not out['user_quota']['check_on_raw']
|
|
assert out['user_quota']['max_size'] == -1
|
|
assert out['user_quota']['max_size_kb'] == 0
|
|
assert out['user_quota']['max_objects'] == -1
|
|
assert out['temp_url_keys'] == []
|
|
assert out['type'] == 'rgw'
|
|
assert out['mfa_ids'] == []
|
|
# TESTCASE 'info-existing','user','info','existing user query with wrong uid but correct access key','returns correct info'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'access-key' : access_key, 'uid': 'uid_not_exist'})
|
|
|
|
assert out['user_id'] == user1
|
|
assert out['email'] == email
|
|
assert out['display_name'] == display_name1
|
|
assert len(out['keys']) == 1
|
|
assert out['keys'][0]['access_key'] == access_key
|
|
assert out['keys'][0]['secret_key'] == secret_key
|
|
assert not out['suspended']
|
|
assert out['tenant'] == ''
|
|
assert out['max_buckets'] == 4
|
|
assert out['caps'] == []
|
|
assert out['op_mask'] == "read, write, delete"
|
|
assert out['default_placement'] == ''
|
|
assert out['default_storage_class'] == ''
|
|
assert out['placement_tags'] == []
|
|
assert not out['bucket_quota']['enabled']
|
|
assert not out['bucket_quota']['check_on_raw']
|
|
assert out ['bucket_quota']['max_size'] == -1
|
|
assert out ['bucket_quota']['max_size_kb'] == 0
|
|
assert out ['bucket_quota']['max_objects'] == -1
|
|
assert not out['user_quota']['enabled']
|
|
assert not out['user_quota']['check_on_raw']
|
|
assert out['user_quota']['max_size'] == -1
|
|
assert out['user_quota']['max_size_kb'] == 0
|
|
assert out['user_quota']['max_objects'] == -1
|
|
assert out['temp_url_keys'] == []
|
|
assert out['type'] == 'rgw'
|
|
assert out['mfa_ids'] == []
|
|
|
|
# TESTCASES for cap user-info-without-keys
|
|
test_cap_user_info_without_keys(ctx, client, admin_conn, admin_user, user1)
|
|
|
|
# TESTCASE 'suspend-ok','user','suspend','active user','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'modify'], {'uid' : user1, 'suspended' : True})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'suspend-suspended','user','suspend','suspended user','succeeds w/advisory'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert out['suspended']
|
|
assert out['email'] == email
|
|
|
|
# TESTCASE 're-enable','user','enable','suspended user','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'modify'], {'uid' : user1, 'suspended' : 'false'})
|
|
assert not err
|
|
|
|
# TESTCASE 'info-re-enabled','user','info','re-enabled user','no longer suspended'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert not out['suspended']
|
|
|
|
# TESTCASE 'add-keys','key','create','w/valid info','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['key', 'create'],
|
|
{'uid' : user1,
|
|
'access-key' : access_key2,
|
|
'secret-key' : secret_key2
|
|
})
|
|
|
|
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'info-new-key','user','info','after key addition','returns all keys'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out['keys']) == 2
|
|
assert out['keys'][0]['access_key'] == access_key2 or out['keys'][1]['access_key'] == access_key2
|
|
assert out['keys'][0]['secret_key'] == secret_key2 or out['keys'][1]['secret_key'] == secret_key2
|
|
|
|
# TESTCASE 'rm-key','key','rm','newly added key','succeeds, key is removed'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['key', 'rm'],
|
|
{'uid' : user1,
|
|
'access-key' : access_key2
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
|
|
assert len(out['keys']) == 1
|
|
assert out['keys'][0]['access_key'] == access_key
|
|
assert out['keys'][0]['secret_key'] == secret_key
|
|
|
|
# TESTCASE 'add-swift-key','key','create','swift key','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['subuser', 'create'],
|
|
{'subuser' : subuser1,
|
|
'secret-key' : swift_secret1,
|
|
'key-type' : 'swift'
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'info-swift-key','user','info','after key addition','returns all keys'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out['swift_keys']) == 1
|
|
assert out['swift_keys'][0]['user'] == subuser1
|
|
assert out['swift_keys'][0]['secret_key'] == swift_secret1
|
|
|
|
# TESTCASE 'add-swift-subuser','key','create','swift sub-user key','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['subuser', 'create'],
|
|
{'subuser' : subuser2,
|
|
'secret-key' : swift_secret2,
|
|
'key-type' : 'swift'
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'info-swift-subuser','user','info','after key addition','returns all sub-users/keys'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out['swift_keys']) == 2
|
|
assert out['swift_keys'][0]['user'] == subuser2 or out['swift_keys'][1]['user'] == subuser2
|
|
assert out['swift_keys'][0]['secret_key'] == swift_secret2 or out['swift_keys'][1]['secret_key'] == swift_secret2
|
|
|
|
# TESTCASE 'rm-swift-key1','key','rm','subuser','succeeds, one key is removed'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['key', 'rm'],
|
|
{'subuser' : subuser1,
|
|
'key-type' :'swift'
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert len(out['swift_keys']) == 1
|
|
|
|
# TESTCASE 'rm-subuser','subuser','rm','subuser','success, subuser is removed'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['subuser', 'rm'],
|
|
{'subuser' : subuser1
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert len(out['subusers']) == 1
|
|
|
|
# TESTCASE 'rm-subuser-with-keys','subuser','rm','subuser','succeeds, second subser and key is removed'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['subuser', 'rm'],
|
|
{'subuser' : subuser2,
|
|
'key-type' : 'swift',
|
|
'{purge-keys' :True
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert len(out['swift_keys']) == 0
|
|
assert len(out['subusers']) == 0
|
|
|
|
# TESTCASE 'bucket-stats','bucket','info','no session/buckets','succeeds, empty list'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out) == 0
|
|
|
|
# connect to rgw
|
|
connection = boto.s3.connection.S3Connection(
|
|
aws_access_key_id=access_key,
|
|
aws_secret_access_key=secret_key,
|
|
is_secure=True if endpoint.cert else False,
|
|
port=endpoint.port,
|
|
host=endpoint.hostname,
|
|
calling_format=boto.s3.connection.OrdinaryCallingFormat(),
|
|
)
|
|
|
|
# TESTCASE 'bucket-stats2','bucket','stats','no buckets','succeeds, empty list'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'uid' : user1, 'stats' : True})
|
|
assert ret == 200
|
|
assert len(out) == 0
|
|
|
|
# create a first bucket
|
|
bucket = connection.create_bucket(bucket_name)
|
|
|
|
# TESTCASE 'bucket-list','bucket','list','one bucket','succeeds, expected list'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out) == 1
|
|
assert out[0] == bucket_name
|
|
|
|
# TESTCASE 'bucket-stats3','bucket','stats','new empty bucket','succeeds, empty list'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['bucket', 'info'], {'bucket' : bucket_name, 'stats' : True})
|
|
|
|
assert ret == 200
|
|
assert out['owner'] == user1
|
|
assert out['tenant'] == ''
|
|
bucket_id = out['id']
|
|
|
|
# TESTCASE 'bucket-stats4','bucket','stats','new empty bucket','succeeds, expected bucket ID'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'uid' : user1, 'stats' : True})
|
|
assert ret == 200
|
|
assert len(out) == 1
|
|
assert out[0]['id'] == bucket_id # does it return the same ID twice in a row?
|
|
|
|
# use some space
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string('one')
|
|
|
|
# TESTCASE 'bucket-stats5','bucket','stats','after creating key','succeeds, lists one non-empty object'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'bucket' : bucket_name, 'stats' : True})
|
|
assert ret == 200
|
|
assert out['id'] == bucket_id
|
|
assert out['usage']['rgw.main']['num_objects'] == 1
|
|
assert out['usage']['rgw.main']['size_kb'] > 0
|
|
|
|
# TESTCASE 'bucket-stats6', 'bucket', 'stats', 'non-existent bucket', 'fails, 'bucket not found error'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'bucket' : 'doesnotexist'})
|
|
assert ret == 404
|
|
assert out['Code'] == 'NoSuchBucket'
|
|
|
|
# reclaim it
|
|
key.delete()
|
|
|
|
# TESTCASE 'bucket unlink', 'bucket', 'unlink', 'unlink bucket from user', 'fails', 'access denied error'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'unlink'], {'uid' : user1, 'bucket' : bucket_name})
|
|
|
|
assert ret == 200
|
|
|
|
# create a second user to link the bucket to
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['user', 'create'],
|
|
{'uid' : user2,
|
|
'display-name' : display_name2,
|
|
'access-key' : access_key2,
|
|
'secret-key' : secret_key2,
|
|
'max-buckets' : '1',
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
# try creating an object with the first user before the bucket is relinked
|
|
denied = False
|
|
key = boto.s3.key.Key(bucket)
|
|
|
|
try:
|
|
key.set_contents_from_string('two')
|
|
except boto.exception.S3ResponseError:
|
|
denied = True
|
|
|
|
assert not denied
|
|
|
|
# delete the object
|
|
key.delete()
|
|
|
|
# link the bucket to another user
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['bucket', 'link'],
|
|
{'uid' : user2,
|
|
'bucket' : bucket_name,
|
|
'bucket-id' : bucket_id,
|
|
})
|
|
|
|
assert ret == 200
|
|
|
|
# try creating an object with the first user which should cause an error
|
|
key = boto.s3.key.Key(bucket)
|
|
|
|
try:
|
|
key.set_contents_from_string('three')
|
|
except boto.exception.S3ResponseError:
|
|
denied = True
|
|
|
|
assert denied
|
|
|
|
# relink the bucket to the first user and delete the second user
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['bucket', 'link'],
|
|
{'uid' : user1,
|
|
'bucket' : bucket_name,
|
|
'bucket-id' : bucket_id,
|
|
})
|
|
assert ret == 200
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'rm'], {'uid' : user2})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'object-rm', 'object', 'rm', 'remove object', 'succeeds, object is removed'
|
|
|
|
# upload an object
|
|
object_name = 'four'
|
|
key = boto.s3.key.Key(bucket, object_name)
|
|
key.set_contents_from_string(object_name)
|
|
|
|
# now delete it
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['object', 'rm'], {'bucket' : bucket_name, 'object' : object_name})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'bucket-stats6','bucket','stats','after deleting key','succeeds, lists one no objects'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'info'], {'bucket' : bucket_name, 'stats' : True})
|
|
assert ret == 200
|
|
assert out['id'] == bucket_id
|
|
assert out['usage']['rgw.main']['num_objects'] == 0
|
|
|
|
# create a bucket for deletion stats
|
|
useless_bucket = connection.create_bucket('useless-bucket')
|
|
useless_key = useless_bucket.new_key('useless_key')
|
|
useless_key.set_contents_from_string('useless string')
|
|
|
|
# delete it
|
|
useless_key.delete()
|
|
useless_bucket.delete()
|
|
|
|
# wait for the statistics to flush
|
|
time.sleep(60)
|
|
|
|
# need to wait for all usage data to get flushed, should take up to 30 seconds
|
|
timestamp = time.time()
|
|
while time.time() - timestamp <= (20 * 60): # wait up to 20 minutes
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'show'], {'categories' : 'delete_obj'}) # last operation we did is delete obj, wait for it to flush
|
|
|
|
if get_user_successful_ops(out, user1) > 0:
|
|
break
|
|
time.sleep(1)
|
|
|
|
assert time.time() - timestamp <= (20 * 60)
|
|
|
|
# TESTCASE 'usage-show' 'usage' 'show' 'all usage' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'show'])
|
|
assert ret == 200
|
|
assert len(out['entries']) > 0
|
|
assert len(out['summary']) > 0
|
|
user_summary = get_user_summary(out, user1)
|
|
total = user_summary['total']
|
|
assert total['successful_ops'] > 0
|
|
|
|
# TESTCASE 'usage-show2' 'usage' 'show' 'user usage' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'show'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out['entries']) > 0
|
|
assert len(out['summary']) > 0
|
|
user_summary = out['summary'][0]
|
|
for entry in user_summary['categories']:
|
|
assert entry['successful_ops'] > 0
|
|
assert user_summary['user'] == user1
|
|
|
|
# TESTCASE 'usage-show3' 'usage' 'show' 'user usage categories' 'succeeds'
|
|
test_categories = ['create_bucket', 'put_obj', 'delete_obj', 'delete_bucket']
|
|
for cat in test_categories:
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'show'], {'uid' : user1, 'categories' : cat})
|
|
assert ret == 200
|
|
assert len(out['summary']) > 0
|
|
user_summary = out['summary'][0]
|
|
assert user_summary['user'] == user1
|
|
assert len(user_summary['categories']) == 1
|
|
entry = user_summary['categories'][0]
|
|
assert entry['category'] == cat
|
|
assert entry['successful_ops'] > 0
|
|
|
|
# TESTCASE 'usage-trim' 'usage' 'trim' 'user usage' 'succeeds, usage removed'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'trim'], {'uid' : user1})
|
|
assert ret == 200
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['usage', 'show'], {'uid' : user1})
|
|
assert ret == 200
|
|
assert len(out['entries']) == 0
|
|
assert len(out['summary']) == 0
|
|
|
|
# TESTCASE 'user-suspend2','user','suspend','existing user','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'modify'], {'uid' : user1, 'suspended' : True})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'user-suspend3','user','suspend','suspended user','cannot write objects'
|
|
try:
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string('five')
|
|
except boto.exception.S3ResponseError as e:
|
|
assert e.status == 403
|
|
|
|
# TESTCASE 'user-renable2','user','enable','suspended user','succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'modify'], {'uid' : user1, 'suspended' : 'false'})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'user-renable3','user','enable','reenabled user','can write objects'
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string('six')
|
|
|
|
# TESTCASE 'garbage-list', 'garbage', 'list', 'get list of objects ready for garbage collection'
|
|
|
|
# create an object large enough to be split into multiple parts
|
|
test_string = 'foo'*10000000
|
|
|
|
big_key = boto.s3.key.Key(bucket)
|
|
big_key.set_contents_from_string(test_string)
|
|
|
|
# now delete the head
|
|
big_key.delete()
|
|
|
|
# TESTCASE 'rm-user-buckets','user','rm','existing user','fails, still has buckets'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'rm'], {'uid' : user1})
|
|
assert ret == 409
|
|
|
|
# delete should fail because ``key`` still exists
|
|
try:
|
|
bucket.delete()
|
|
except boto.exception.S3ResponseError as e:
|
|
assert e.status == 409
|
|
|
|
key.delete()
|
|
bucket.delete()
|
|
|
|
# TESTCASE 'policy', 'bucket', 'policy', 'get bucket policy', 'returns S3 policy'
|
|
bucket = connection.create_bucket(bucket_name)
|
|
|
|
# create an object
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string('seven')
|
|
|
|
# should be private already but guarantee it
|
|
key.set_acl('private')
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['policy', 'show'], {'bucket' : bucket.name, 'object' : key.key})
|
|
assert ret == 200
|
|
assert len(out['acl']['grant_map']) == 1
|
|
|
|
# add another grantee by making the object public read
|
|
key.set_acl('public-read')
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['policy', 'show'], {'bucket' : bucket.name, 'object' : key.key})
|
|
assert ret == 200
|
|
assert len(out['acl']['grant_map']) == 2
|
|
|
|
# TESTCASE 'rm-bucket', 'bucket', 'rm', 'bucket with objects', 'succeeds'
|
|
bucket = connection.create_bucket(bucket_name)
|
|
key_name = ['eight', 'nine', 'ten', 'eleven']
|
|
for i in range(4):
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string(key_name[i])
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['bucket', 'rm'], {'bucket' : bucket_name, 'purge-objects' : True})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'caps-add', 'caps', 'add', 'add user cap', 'succeeds'
|
|
caps = 'usage=read'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['caps', 'add'], {'uid' : user1, 'user-caps' : caps})
|
|
assert ret == 200
|
|
assert out[0]['perm'] == 'read'
|
|
|
|
# TESTCASE 'caps-rm', 'caps', 'rm', 'remove existing cap from user', 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['caps', 'rm'], {'uid' : user1, 'user-caps' : caps})
|
|
assert ret == 200
|
|
assert not out
|
|
|
|
# TESTCASE 'rm-user','user','rm','existing user','fails, still has buckets'
|
|
bucket = connection.create_bucket(bucket_name)
|
|
key = boto.s3.key.Key(bucket)
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'rm'], {'uid' : user1})
|
|
assert ret == 409
|
|
|
|
# TESTCASE 'rm-user2', 'user', 'rm', user with data', 'succeeds'
|
|
bucket = connection.create_bucket(bucket_name)
|
|
key = boto.s3.key.Key(bucket)
|
|
key.set_contents_from_string('twelve')
|
|
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'rm'], {'uid' : user1, 'purge-data' : True})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'rm-user3','user','info','deleted user','fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['user', 'info'], {'uid' : user1})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'info' 'display info' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['info', ''])
|
|
assert ret == 200
|
|
info = out['info']
|
|
backends = info['storage_backends']
|
|
name = backends[0]['name']
|
|
fsid = backends[0]['cluster_id']
|
|
# name is always "rados" at time of writing, but zipper would allow
|
|
# other backends, at some point
|
|
assert len(name) > 0
|
|
# fsid is a uuid, but I'm not going to try to parse it
|
|
assert len(fsid) > 0
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'info' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn,
|
|
['user', 'create'],
|
|
{'uid' : ratelimit_user,
|
|
'display-name' : display_name1,
|
|
'email' : email,
|
|
'access-key' : access_key,
|
|
'secret-key' : secret_key,
|
|
'max-buckets' : '1000'
|
|
})
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'user', 'uid' : ratelimit_user})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'info' 'not existing user' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'user', 'uid' : ratelimit_user + 'string'})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'info' 'uid not specified' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'user'})
|
|
assert ret == 400
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'info' 'succeeds'
|
|
ratelimit_bucket = 'ratelimitbucket'
|
|
connection.create_bucket(ratelimit_bucket)
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'bucket', 'bucket' : ratelimit_bucket})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'info' 'not existing bucket' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'bucket', 'bucket' : ratelimit_bucket + 'string'})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'info' 'bucket not specified' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'bucket'})
|
|
assert ret == 400
|
|
|
|
# TESTCASE 'ratelimit' 'global' 'info' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'global' : 'true'})
|
|
assert ret == 200
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'modify' 'not existing user' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'user', 'uid' : ratelimit_user + 'string', 'enabled' : 'true'})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'modify' 'uid not specified' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'user'})
|
|
assert ret == 400
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'modify' 'not existing bucket' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'bucket', 'bucket' : ratelimit_bucket + 'string', 'enabled' : 'true'})
|
|
assert ret == 404
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'modify' 'bucket not specified' 'fails'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'bucket', 'enabled' : 'true'})
|
|
assert ret == 400
|
|
|
|
# TESTCASE 'ratelimit' 'user' 'modifiy' 'enabled' 'max-read-bytes = 2' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'user', 'uid' : ratelimit_user, 'enabled' : 'true', 'max-read-bytes' : '2'})
|
|
assert ret == 200
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'user', 'uid' : ratelimit_user})
|
|
assert ret == 200
|
|
user_ratelimit = out['user_ratelimit']
|
|
assert user_ratelimit['enabled'] == True
|
|
assert user_ratelimit['max_read_bytes'] == 2
|
|
|
|
# TESTCASE 'ratelimit' 'bucket' 'modifiy' 'enabled' 'max-write-bytes = 2' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'bucket', 'bucket' : ratelimit_bucket, 'enabled' : 'true', 'max-write-bytes' : '2'})
|
|
assert ret == 200
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'info'], {'ratelimit-scope' : 'bucket', 'bucket' : ratelimit_bucket})
|
|
assert ret == 200
|
|
bucket_ratelimit = out['bucket_ratelimit']
|
|
assert bucket_ratelimit['enabled'] == True
|
|
assert bucket_ratelimit['max_write_bytes'] == 2
|
|
|
|
# TESTCASE 'ratelimit' 'global' 'modify' 'anonymous' 'enabled' 'succeeds'
|
|
(ret, out) = rgwadmin_rest(admin_conn, ['ratelimit', 'modify'], {'ratelimit-scope' : 'bucket', 'global': 'true', 'enabled' : 'true'})
|
|
assert ret == 200
|