authorTim Burke <tim.burke@gmail.com>2018-09-13 11:38:01 -0600
committerKota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp>2018-09-14 13:33:51 +0000
commit5a8cfd6e06d4ee7f47c5926c3859cbd6161c0d1a (patch)
treeee1de8e09f90023fc1c6a16e70d39bc4c0c93242
parent80001aa096a6a98102db5b4ce73b6c0f12e4ca6b (diff)
Add another user for s3api func tests
Previously we'd use two users, one admin and one unprivileged. Ceph's s3-tests, however, assume that both users should have access to create buckets. Further, there are different errors that may be returned depending on whether you are the *bucket* owner or not when using s3_acl. So now we've got: test:tester1 (admin) test:tester2 (also admin) test:tester3 (unprivileged) Change-Id: I0b67c53de3bcadc2c656d86131fca5f2c3114f14
-rw-r--r--doc/saio/swift/proxy-server.conf3
-rw-r--r--etc/proxy-server.conf-sample3
-rw-r--r--test/functional/__init__.py8
-rw-r--r--test/functional/s3api/test_acl.py19
-rw-r--r--test/functional/s3api/test_bucket.py31
-rw-r--r--test/sample.conf8
-rw-r--r--tools/playbooks/ceph-s3tests/ceph-s3.conf10
7 files changed, 58 insertions, 24 deletions
diff --git a/doc/saio/swift/proxy-server.conf b/doc/saio/swift/proxy-server.conf
index 079f94103..c656e3aea 100644
--- a/doc/saio/swift/proxy-server.conf
+++ b/doc/saio/swift/proxy-server.conf
@@ -53,8 +53,9 @@ use = egg:swift#tempurl
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin
[filter:staticweb]
use = egg:swift#staticweb
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index a7e813b64..7ad971fc5 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -351,8 +351,9 @@ use = egg:swift#tempauth
# Here are example entries, required for running the tests:
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
-user_test2_tester2 = testing2 .admin
+user_test_tester2 = testing2 .admin
user_test_tester3 = testing3
+user_test2_tester2 = testing2 .admin
user_test5_tester5 = testing5 service
# To enable Keystone authentication you need to have the auth token
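Review bot: The new `user_test_tester2` entry differs from `user_test2_tester2` by one character in the account name, and both carry the same key `testing2` and the `.admin` group, so the two lines are easy to confuse or to "deduplicate" by mistake. A short comment above the added line would make the intent explicit, for example `# test:tester2 is a second admin on the "test" account (s3api functional tests); test2:tester2 is the admin of a separate account`. The same pair of lines is added without explanation in doc/saio/swift/proxy-server.conf. Since these are well-known test keys granting admin rights, the existing "required for running the tests" comment could also say that the entries are meant for test setups only.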
diff --git a/test/functional/__init__.py b/test/functional/__init__.py
index 37cf9bce5..02e30e530 100644
--- a/test/functional/__init__.py
+++ b/test/functional/__init__.py
@@ -589,6 +589,10 @@ def in_process_setup(the_object_server=object_server):
'password': 'testing',
's3_access_key': 'test:tester',
's3_secret_key': 'testing',
+ # Secondary user of the primary test account (needs admin access
+ # to the account) for s3api
+ 's3_access_key2': 'test:tester2',
+ 's3_secret_key2': 'testing2',
# User on a second account (needs admin access to the account)
'account2': 'test2',
'username2': 'tester2',
@@ -596,8 +600,8 @@ def in_process_setup(the_object_server=object_server):
# User on same account as first, but without admin access
'username3': 'tester3',
'password3': 'testing3',
- 's3_access_key2': 'test:tester3',
- 's3_secret_key2': 'testing3',
+ 's3_access_key3': 'test:tester3',
+ 's3_secret_key3': 'testing3',
# Service user and prefix (emulates glance, cinder, etc. user)
'account5': 'test5',
'username5': 'tester5',
diff --git a/test/functional/s3api/test_acl.py b/test/functional/s3api/test_acl.py
index 33b01c628..cc71410ea 100644
--- a/test/functional/s3api/test_acl.py
+++ b/test/functional/s3api/test_acl.py
@@ -35,14 +35,15 @@ class TestS3Acl(S3ApiBase):
super(TestS3Acl, self).setUp()
self.bucket = 'bucket'
self.obj = 'object'
- if 's3_access_key2' not in tf.config or \
- 's3_secret_key2' not in tf.config:
+ if 's3_access_key3' not in tf.config or \
+ 's3_secret_key3' not in tf.config:
raise tf.SkipTest(
- 'TestS3Acl requires s3_access_key2 and s3_secret_key2 setting')
+ 'TestS3Acl requires s3_access_key3 and s3_secret_key3 '
+ 'configured for reduced-access user')
self.conn.make_request('PUT', self.bucket)
- access_key2 = tf.config['s3_access_key2']
- secret_key2 = tf.config['s3_secret_key2']
- self.conn2 = Connection(access_key2, secret_key2, access_key2)
+ access_key3 = tf.config['s3_access_key3']
+ secret_key3 = tf.config['s3_secret_key3']
+ self.conn3 = Connection(access_key3, secret_key3, access_key3)
def test_acl(self):
self.conn.make_request('PUT', self.bucket, self.obj)
@@ -103,7 +104,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchBucket')
status, headers, body = \
- self.conn2.make_request('PUT', self.bucket,
+ self.conn3.make_request('PUT', self.bucket,
headers=req_headers, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied')
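Review bot: The denial checks made through `self.conn3` assert only the error code in the body and, in the visible lines, never the HTTP status, here and in the two later hunks of this file that switch `conn2` to `conn3`. The test_bucket.py change in this same commit pins both, so for consistency each of these could add `self.assertEqual(status, 403)` before `self.assertEqual(get_error_code(body), 'AccessDenied')`. Without it, a response that carries an AccessDenied body under an unexpected status would still pass. The enclosing test methods start outside the hunks, so an earlier status assertion cannot be ruled out from here.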
@@ -118,7 +119,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchBucket')
status, headers, body = \
- self.conn2.make_request('GET', self.bucket, query='acl')
+ self.conn3.make_request('GET', self.bucket, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied')
def test_get_object_acl_error(self):
@@ -135,7 +136,7 @@ class TestS3Acl(S3ApiBase):
self.assertEqual(get_error_code(body), 'NoSuchKey')
status, headers, body = \
- self.conn2.make_request('GET', self.bucket, self.obj, query='acl')
+ self.conn3.make_request('GET', self.bucket, self.obj, query='acl')
self.assertEqual(get_error_code(body), 'AccessDenied')
diff --git a/test/functional/s3api/test_bucket.py b/test/functional/s3api/test_bucket.py
index 451dfbd47..28083da5f 100644
--- a/test/functional/s3api/test_bucket.py
+++ b/test/functional/s3api/test_bucket.py
@@ -151,11 +151,34 @@ class TestS3ApiBucket(S3ApiBase):
self.conn.make_request('PUT', 'bucket')
status, headers, body = self.conn.make_request('PUT', 'bucket')
+ self.assertEqual(status, 409)
+ self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+ if 's3_access_key2' not in tf.config or \
+ 's3_secret_key2' not in tf.config:
+ raise tf.SkipTest(
+ 'Cannot test for BucketAlreadyExists with second user; need '
+ 's3_access_key2 and s3_secret_key2 configured')
+ # Other users of the same account get the same error
+ conn2 = Connection(tf.config['s3_access_key2'],
+ tf.config['s3_secret_key2'],
+ tf.config['s3_access_key2'])
+ status, headers, body = conn2.make_request('PUT', 'bucket')
+ self.assertEqual(status, 409)
+ self.assertEqual(get_error_code(body), 'BucketAlreadyExists')
+
+ if 's3_access_key3' not in tf.config or \
+ 's3_secret_key3' not in tf.config:
+ raise tf.SkipTest('Cannot test for AccessDenied; need '
+ 's3_access_key3 and s3_secret_key3 configured')
# If the user can't create buckets, they shouldn't even know
- # whether the bucket exists. For some reason, though, when s3_acl
- # is disabled, we translate 403 -> BucketAlreadyExists??
- self.assertIn(get_error_code(body),
- ('AccessDenied', 'BucketAlreadyExists'))
+ # whether the bucket exists.
+ conn3 = Connection(tf.config['s3_access_key3'],
+ tf.config['s3_secret_key3'],
+ tf.config['s3_access_key3'])
+ status, headers, body = conn3.make_request('PUT', 'bucket')
+ self.assertEqual(status, 403)
+ self.assertEqual(get_error_code(body), 'AccessDenied')
def test_put_bucket_with_LocationConstraint(self):
bucket = 'bucket'
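Review bot: The AccessDenied check for the unprivileged user is reached only when `s3_access_key2` and `s3_secret_key2` are configured, because the first `raise tf.SkipTest` aborts the whole method before the `s3_access_key3` block. A config that defines only the third user therefore never exercises the 403 path. Raising SkipTest after the owner's 409 assertions have already run also reports the whole test as skipped. Moving the second-user and unprivileged-user checks into their own test methods, each starting with its skip guard and its own `self.conn.make_request('PUT', 'bucket')`, would keep the three cases independent. The enclosing test method starts outside the hunk.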
diff --git a/test/sample.conf b/test/sample.conf
index 283e64192..d33be7548 100644
--- a/test/sample.conf
+++ b/test/sample.conf
@@ -29,8 +29,12 @@ password2 = testing2
username3 = tester3
password3 = testing3
# s3api requires the same account with the primary one and different users
-s3_access_key2 = test:tester3
-s3_secret_key2 = testing3
+# one swift owner:
+s3_access_key2 = test:tester2
+s3_secret_key2 = testing2
+# one unprivileged:
+s3_access_key3 = test:tester3
+s3_secret_key3 = testing3
# Fourth user is required for keystone v3 specific tests.
# Account must be in a non-default domain.
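Review bot: `s3_access_key2` keeps its name but changes meaning, from the unprivileged `test:tester3` to the admin `test:tester2`, so a test.conf copied from the old sample still parses without complaint. With such a file TestS3Acl would skip, because `s3_access_key3` is missing, and the bucket test would presumably see AccessDenied where it now expects BucketAlreadyExists, so the access-control checks silently stop running. A comment on the new block would help people migrating, for example `# NOTE: s3_access_key2 used to be the unprivileged user; that user is now s3_access_key3`.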
diff --git a/tools/playbooks/ceph-s3tests/ceph-s3.conf b/tools/playbooks/ceph-s3tests/ceph-s3.conf
index 7e66923a7..3f9ebedb0 100644
--- a/tools/playbooks/ceph-s3tests/ceph-s3.conf
+++ b/tools/playbooks/ceph-s3tests/ceph-s3.conf
@@ -11,8 +11,8 @@ access_key = test:tester
secret_key = testing
[s3 alt]
-user_id = test:tester3
-display_name = test:tester3
-email = test:tester3
-access_key = test:tester3
-secret_key = testing3
+user_id = test:tester2
+display_name = test:tester2
+email = test:tester2
+access_key = test:tester2
+secret_key = testing2