Implement proper ACL checks and suid permission

[pkit]

Placeholder, not finished yet.

Tests needed still:

Anonymous (api/1.0):

• simple denial case
• if we reference two containers, 1 has setuid, 1 does not (api container has, other doesn't, and vice versa) <--- should be denied
• if setuid and read, should be allowed
• setuid on api container, and setuid and no acl on another container, check if we can write to other container (that is, create objects there)
• if job has read permissions and no setuid, anonymous should not work in this case (authorized users would be allowed, though-- because other user will be billed instead of the owner-- and we can't bill anonymous users, sadly =P )

[pkit]

Needs the following:

• tests for anonymous access
• tests for "/open" for zapp (has one)
• tests for "/api"
• tests for "/open" an object with specific "content_type"

[larsbutler]

@pkit Can you give me some ideas about how to set up the tests for /api and /open? I've been trying for several hours and can't make any sense of it.

[larsbutler]

For example, I can't figure out how--with the test utils and fixtures--to set up a zapp to handle requests for /open/account/container/foo.zapp, or set the suid, or anything. I'm lost.

[larsbutler]

According to the spec for this feature, the suid stuff should only apply to api/1.0 and open/1.0 features. However, the tests so far implemented on this branch test suid features of everything BUT the REST features.

Why is that? Do we need to update the spec?

[pkit]

Added example with API/1.0 call, fixed a bug regarding anonymous access to API endpoint.

[larsbutler]

See https://github.com/zerovm/zerocloud/pull/172 for a rebased version of this branch.