Go OpenStack Exchange

Merge lp://staging/~wallyworld/goose/public-containers into lp://staging/~gophers/goose/trunk

  1. public-containers
  2. Merge into trunk
Proposed by Ian Booth
Status: Merged
Merged at revision: 47
Proposed branch: lp://staging/~wallyworld/goose/public-containers
Merge into: lp://staging/~gophers/goose/trunk
Diff against target: 843 lines (+175/-183)
16 files modified
client/client.go (+0/-139)
client/live_test.go (+6/-2)
client/local_test.go (+11/-1)
http/client.go (+5/-5)
identity/legacy.go (+10/-3)
identity/legacy_test.go (+4/-2)
identity/userpass_test.go (+1/-1)
nova/live_test.go (+3/-3)
swift/live_test.go (+100/-6)
swift/local_test.go (+9/-3)
swift/swift.go (+13/-12)
testservices/identityservice/legacy.go (+2/-1)
testservices/identityservice/legacy_test.go (+2/-1)
testservices/identityservice/userpass.go (+1/-1)
testservices/swiftservice/service_http.go (+4/-1)
testservices/swiftservice/service_http_test.go (+4/-2)
To merge this branch: bzr merge lp://staging/~wallyworld/goose/public-containers
Reviewer Review Type Date Requested Status
The Go Language Gophers Pending
Review via email: mp+140821@code.staging.launchpad.net

Description of the change

Introduce container ACLs

The purpose of this branch is to support Swift container ACLs, allowing a public container to be set up to store the juju tools.
Containers which are public do not require authorisation tokens, and the setup workflow for accessing the container is different.
For a private container, the OpenStack client authenticates in order to not only get the authorisation token, but also the URLs
used to access the various service end points (incl swift). For public containers, we just want to be able to nominate the
swift URL directly. So the OpenStack client implementation has been split into authenticating and nonauthenticating variants.
Authenticating clients are initialised with user credentials as before. Unauthenticating clients are given a base URL.
The swift client doesn't care whether it is initialised with a public or authenticating connection to OpenStack; it works the same
either way, but operations which are forbidden by the ACL will return a 401.

When I ran the tests, some of the legacy authorisation test doubles didn't return any swift info so the tests broke. This has always been that way
so I'm not sure how the tests passed originally. I fixed everything so it's good now.

The next step in this work is to configure the OpenStack provider in juju-core to be able to use a public container from which it
gets the juju tools. This will mirror what the ec2 provider does.

https://codereview.appspot.com/6962052/

To post a comment you must log in.
Revision history for this message
Ian Booth (wallyworld) wrote :

Reviewers: mp+140821_code.launchpad.net,

Message:
Please take a look.

Description:
Introduce container ACLs

The purpose of this branch is to support Swift container ACLs, allowing
a public container to be set up to store the juju tools.
Containers which are public do not require authorisation tokens, and the
setup workflow for accessing the container is different.
For a private container, the OpenStack client authenticates in order to
not only get the authorisation token, but also the URLs
used to access the various service end points (incl swift). For public
containers, we just want to be able to nominate the
swift URL directly. So the OpenStack client implementation has been
split into authenticated and unauthenticated variants.
Authenticated clients are initialised with user credentials as before.
Unauthenticated clients are given a base URL and all
authentication operations are NOOPs. The swift client doesn't care
whether it is initialised with a public or authenticated
connection to OpenStack; it works the same either way, but operations
which are forbidden by the ACL will return a 401.

The next step in this work is to configure the OpenStack provider in
juju-core to be able to use a public container from which it
gets the juju tools. This will mirror what the ec2 provider does.

https://code.launchpad.net/~wallyworld/goose/public-containers/+merge/140821

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/6962052/

Affected files:
   A [revision details]
   M client/auth_client.go
   A client/client.go
   M http/client.go
   M nova/live_test.go
   M swift/live_test.go
   M swift/local_test.go
   M swift/swift.go
   M testservices/swiftservice/service_http.go
   M testservices/swiftservice/service_http_test.go

lp://staging/~wallyworld/goose/public-containers updated
48. By Ian Booth

Ensure we handle public urls with and without trailing slash

Revision history for this message
Martin Packman (gz) wrote :

Changes LGTM, I've got a couple of suggested tweaks (including
re-joining the revision history of client/client.go), but will make
those myself and propose/land.

https://codereview.appspot.com/6962052/diff/9001/client/local_test.go
File client/local_test.go (right):

https://codereview.appspot.com/6962052/diff/9001/client/local_test.go#newcode47
client/local_test.go:47: + s.Server.URL, //public
Rather than relying on the order here and trusting the comments remain
in sync with the code, I'd prefer using the named field idiom, which
self-documents and is checked by the compiler:
     AdminURL: s.server.URL,
     InternalURL: s.server.URL,
     PublicURL: s.server.URL,

https://codereview.appspot.com/6962052/diff/9001/identity/legacy_test.go
File identity/legacy_test.go (right):

https://codereview.appspot.com/6962052/diff/9001/identity/legacy_test.go#newcode27
identity/legacy_test.go:27: + map[string]string{"compute":
"http://management/url/compute", "object-store":
"http://management/url/object-store"})
When making up urls for testing, I like using http://test.invalid/...
which you can trust will raise an error on dns lookup if the test
accidentally tries to resolve it.

https://codereview.appspot.com/6962052/diff/9001/swift/live_test.go
File swift/live_test.go (right):

https://codereview.appspot.com/6962052/diff/9001/swift/live_test.go#newcode208
swift/live_test.go:208: s.swift.DeleteObject(s.containerName, files[i])
Reasonable use of Check above to ensure the DeleteObject calls should
always happen, test might be clearer with comment to that effect though.

https://codereview.appspot.com/6962052/diff/9001/swift/swift.go
File swift/swift.go (left):

https://codereview.appspot.com/6962052/diff/9001/swift/swift.go#oldcode33
swift/swift.go:33: // with some refactoring, but for now just make
everything public.
This comment wants updating/removing now I'd say.

https://codereview.appspot.com/6962052/

lp://staging/~wallyworld/goose/public-containers updated
49. By Ian Booth

Code review tweaks

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches