From 6cbe54cea2ae4279850d53c49843dfde8f67adb3 Mon Sep 17 00:00:00 2001 From: Thiago da Silva Date: Tue, 3 Dec 2013 18:06:21 -0500 Subject: fix issue with swauth-clean-token returning 403 errors The issue was due to missing a necessary change that was made when changing the auth account name from .auth to metadata volume. the auth account has a group of the same name, so the .auth account also had a .auth group, so we needed to change that too to the metadata volume (e.g., gsmetadata) Change-Id: Iaa3b7a1b2628f5b863807932e863593be0011a82 Signed-off-by: Thiago da Silva Reviewed-on: http://review.gluster.org/6416 Reviewed-by: Luis Pabon Tested-by: Luis Pabon Reviewed-on: http://review.gluster.org/6465 --- gluster/swift/common/middleware/gswauth/swauth/middleware.py | 5 +++-- test/unit/common/middleware/gswauth/swauth/test_middleware.py | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index c791423..648203e 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -386,7 +386,7 @@ class Swauth(object):
 user_groups = (req.remote_user or '').split(',')
 if '.reseller_admin' in user_groups and \
 account != self.reseller_prefix and \
- account[len(self.reseller_prefix):] != 'gsmetadata':
+ account[len(self.reseller_prefix):] != self.metadata_volume:
 req.environ['swift_owner'] = True
 return None
 if account in user_groups and \
@@ -1359,7 +1359,8 @@ class Swauth(object):
 memcache_client.set(
 memcache_key,
 (self.itoken_expires,
- '.auth,.reseller_admin,%s.auth' % self.reseller_prefix),
+ '%s,.reseller_admin,%s' % (self.metadata_volume,
+ self.auth_account)),
 timeout=self.token_life)
 return self.itoken

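Review bot: The changed condition `account[len(self.reseller_prefix):] != self.metadata_volume` slices off a prefix-length run of characters without checking that `account` actually begins with the reseller prefix, while the second hunk of this file already names the same account as `self.auth_account`. If `self.auth_account` is the reseller prefix plus the metadata volume, as the test expectation `AUTH_gsmd` suggests, `account != self.auth_account:` states the exclusion directly and keeps this `swift_owner` decision in step with the token's group list. A short comment such as `# reseller admins are never made owner of the auth (metadata) account here` would also help, since this branch grants ownership. The enclosing method starts and ends outside the hunk.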
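Review bot: The internal token's group list now begins with `self.metadata_volume` rather than the dot-prefixed `.auth`, and it is stored as a comma-joined string that the first hunk reads back with `split(',')`. The volume name appears to be configurable (the tests expect both `gsmd` and `gsmetadata`), so a value containing a comma, or one equal to an ordinary account or group name, would change which groups this token carries. It is worth confirming outside this diff that the name is validated when the configuration is loaded and that account creation rejects it. A comment above the tuple, e.g. `# groups: <metadata volume>,.reseller_admin,<auth account>`, would record the expected format. The enclosing method starts outside the hunk.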
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
index 00e6453..f01c34f 100644
--- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py
+++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
@@ -805,6 +805,7 @@ class TestAuth(unittest.TestCase):
 self.assertEquals(self.test_auth.app.calls, 2)

 def test_get_token_for_auth_acct_success(self):
+ fmc = FakeMemcache()
 local_auth = \
 auth.filter_factory({
 'super_admin_key': 'supertest',
@@ -814,7 +815,7 @@ class TestAuth(unittest.TestCase):
 resp = Request.blank(
 '/auth/v1.0',
 environ={'REQUEST_METHOD': 'GET',
- 'swift.cache': FakeMemcache()},
+ 'swift.cache': fmc},
 headers={'X-Auth-User': 'act:.super_admin',
 'X-Auth-Key': 'supertest'}).get_response(local_auth)
 self.assertEquals(resp.status_int, 200)
@@ -822,6 +823,9 @@ class TestAuth(unittest.TestCase):
 self.assertTrue(itk.startswith('AUTH_itk'), itk)
 self.assertEquals(resp.headers.get('x-storage-url'),
 'http://127.0.0.1:8080/v1/AUTH_gsmd')
+ expires, groups = fmc.get('AUTH_/auth/%s' % itk)
+ self.assertEquals(groups,
+ 'gsmd,.reseller_admin,AUTH_gsmd')

 def test_get_token_for_auth_acct_fail_passwd(self):
 local_auth = \
@@ -3870,7 +3874,7 @@ class TestAuth(unittest.TestCase):
 self.assert_(expires > time(), expires)
 self.assertEquals(
 groups,
- '.auth,.reseller_admin,AUTH_.auth')
+ 'gsmetadata,.reseller_admin,AUTH_gsmetadata')

 def test_get_admin_detail_fail_no_colon(self):
 self.test_auth.app = FakeApp(iter([]))
-- cgit
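Review bot: In the lines added to test_get_token_for_auth_acct_success, `expires` is unpacked but never checked, and a missing cache entry would surface as an unpacking TypeError from `fmc.get(...)` rather than as an assertion failure. Adding `self.assert_(expires > time(), expires)`, as the test in the last hunk of this file does, would cover the token lifetime as well. None of the visible test hunks exercises the changed reseller-admin check in middleware.py with a non-default metadata volume. A case asserting that a `.reseller_admin` request against `AUTH_gsmd` does not get `swift_owner` from that branch would pin the authorization change.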