x/swiftonhpss
Code Issues Proposed changes

fix issue with swauth-clean-token returning 403 errors

Browse Source 
The issue was due to missing a necessary change that was made when changing
the auth account name from .auth to metadata volume.

the auth account has a group of the same name, so the .auth account
also had a .auth group, so we needed to change that too to the
metadata volume (e.g., gsmetadata)

Change-Id: Iaa3b7a1b2628f5b863807932e863593be0011a82
Signed-off-by: Thiago da Silva <thiago@redhat.com>
Reviewed-on: http://review.gluster.org/6416
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
This commit is contained in:
Thiago da Silva 2013-12-03 18:06:21 -05:00 committed by Luis Pabon
parent b36fe03702
commit 2d818c06b8
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
gluster/swift/common/middleware/gswauth/swauth/middleware.py
View File

@ -386,7 +386,7 @@ class Swauth(object):
user_groups = (req.remote_user or '').split(',') user_groups = (req.remote_user or '').split(',')
if '.reseller_admin' in user_groups and \ if '.reseller_admin' in user_groups and \
account != self.reseller_prefix and \ account != self.reseller_prefix and \
account[len(self.reseller_prefix):] != 'gsmetadata': account[len(self.reseller_prefix):] != self.metadata_volume:
req.environ['swift_owner'] = True req.environ['swift_owner'] = True
return None return None
if account in user_groups and \ if account in user_groups and \
@ -1357,7 +1357,8 @@ class Swauth(object):
memcache_client.set( memcache_client.set(
memcache_key, memcache_key,
(self.itoken_expires, (self.itoken_expires,
'.auth,.reseller_admin,%s.auth' % self.reseller_prefix), '%s,.reseller_admin,%s' % (self.metadata_volume,
self.auth_account)),
timeout=self.token_life) timeout=self.token_life)
return self.itoken return self.itoken

8
test/unit/common/middleware/gswauth/swauth/test_middleware.py
View File

@ -805,6 +805,7 @@ class TestAuth(unittest.TestCase):
self.assertEquals(self.test_auth.app.calls, 2) self.assertEquals(self.test_auth.app.calls, 2)
def test_get_token_for_auth_acct_success(self): def test_get_token_for_auth_acct_success(self):
fmc = FakeMemcache()
local_auth = \ local_auth = \
auth.filter_factory({ auth.filter_factory({
'super_admin_key': 'supertest', 'super_admin_key': 'supertest',
@ -814,7 +815,7 @@ class TestAuth(unittest.TestCase):
resp = Request.blank( resp = Request.blank(
'/auth/v1.0', '/auth/v1.0',
environ={'REQUEST_METHOD': 'GET', environ={'REQUEST_METHOD': 'GET',
'swift.cache': FakeMemcache()}, 'swift.cache': fmc},
headers={'X-Auth-User': 'act:.super_admin', headers={'X-Auth-User': 'act:.super_admin',
'X-Auth-Key': 'supertest'}).get_response(local_auth) 'X-Auth-Key': 'supertest'}).get_response(local_auth)
self.assertEquals(resp.status_int, 200) self.assertEquals(resp.status_int, 200)
@ -822,6 +823,9 @@ class TestAuth(unittest.TestCase):
self.assertTrue(itk.startswith('AUTH_itk'), itk) self.assertTrue(itk.startswith('AUTH_itk'), itk)
self.assertEquals(resp.headers.get('x-storage-url'), self.assertEquals(resp.headers.get('x-storage-url'),
'http://127.0.0.1:8080/v1/AUTH_gsmd') 'http://127.0.0.1:8080/v1/AUTH_gsmd')
expires, groups = fmc.get('AUTH_/auth/%s' % itk)
self.assertEquals(groups,
'gsmd,.reseller_admin,AUTH_gsmd')
def test_get_token_for_auth_acct_fail_passwd(self): def test_get_token_for_auth_acct_fail_passwd(self):
local_auth = \ local_auth = \
@ -3870,7 +3874,7 @@ class TestAuth(unittest.TestCase):
self.assert_(expires > time(), expires) self.assert_(expires > time(), expires)
self.assertEquals( self.assertEquals(
groups, groups,
'.auth,.reseller_admin,AUTH_.auth') 'gsmetadata,.reseller_admin,AUTH_gsmetadata')
def test_get_admin_detail_fail_no_colon(self): def test_get_admin_detail_fail_no_colon(self):
self.test_auth.app = FakeApp(iter([])) self.test_auth.app = FakeApp(iter([]))