diff --git a/pytest_tests/testsuites/ape/test_ape.py b/pytest_tests/testsuites/ape/test_ape.py index 474b6d2..c28cd6a 100644 --- a/pytest_tests/testsuites/ape/test_ape.py +++ b/pytest_tests/testsuites/ape/test_ape.py @@ -75,7 +75,7 @@ def remove_rule_ape_in_system(cluster: Cluster) -> None: parallel(local_overrides_on_node, cluster.cluster_nodes) -def pre_create_container_object_cli_object_cli( +def pre_create_container_object_cli( default_user: User, remote_frostfs_cli_first_node: FrostfsCli, frostfs_cli: FrostfsCli, @@ -138,7 +138,7 @@ def pre_create_container_object_adm( cid = ( frostfs_cli.container.create( rpc_endpoint=cluster.storage_nodes[0].get_rpc_endpoint(), - policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK", + policy="REP 4", name="dcl1", await_mode=True, basic_acl="0", @@ -158,7 +158,7 @@ def pre_create_container_object_adm( with reporter.step("Put objects in container on the first node"): oid_1 = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint()) - oid_2 = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint()) + oid_2 = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint(), copies_number=3) with reporter.step("Create a namespace rule for the first node"): remote_frostfs_adm_first_node.morph.remove_rule( @@ -757,6 +757,264 @@ class TestApeMorphRuleChain(ClusterTestBase): with expect_not_raises(): delete_object(default_user.wallet, cid, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + @allure.title("MorphRuleChain: Allow to GetObject in root tenant") + def test_morph_rule_chain_allow_to_get_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowGetObject", + rule=f"allow Object.Get *", + ) + + with reporter.step("Check get object from container on the first node, allow expected"): + with expect_not_raises(): + get_object(default_user.wallet, cid, oids[0], self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check get object from container on the second node, allow expected"): + with expect_not_raises(): + get_object(default_user.wallet, cid, oids[0], self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowGetObject", + ) + + @allure.title("MorphRuleChain: allow to PutObject in root tenant") + def test_morph_rule_chain_allow_to_put_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + + test_file = generate_file(simple_object_size.value) + + with reporter.step("Create a container on the first node"): + cid = ( + frostfs_cli.container.create( + rpc_endpoint=self.cluster.storage_nodes[0].get_rpc_endpoint(), + policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK", + name="dcl1", + await_mode=True, + basic_acl="0", + ) + .stdout.split(" ")[1] + .strip() + .split("\n")[0] + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + rule=f"allow Object.Put *", + ) + + with reporter.step("Check put object to container on the first node, allow expected"): + with expect_not_raises(): + put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check put object to container on the second node, allow expected"): + with expect_not_raises(): + put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowPutObject", + ) + + @allure.title("MorphRuleChain: Allow to HeadObject in root tenant") + def test_morph_rule_chain_allow_to_head_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowHeadObject", + rule=f"allow Object.Head *", + ) + + with reporter.step("Check head object from container on the first node, allow expected"): + with expect_not_raises(): + head_object(default_user.wallet, cid, oids[0], self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check head object from container on the second node, allow expected"): + with expect_not_raises(): + head_object(default_user.wallet, cid, oids[0], self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowHeadObject", + ) + + @allure.title("MorphRuleChain: Allow to SearchObject in root tenant") + def test_morph_rule_chain_allow_to_search_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowSearchObject", + rule=f"allow Object.Search *", + ) + + with reporter.step("Check search object from container on the first node, allow expected"): + with expect_not_raises(): + search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check search object from container on the second node, allow expected"): + with expect_not_raises(): + search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowSearchObject", + ) + + @allure.title("MorphRuleChain: Allow to RangehObject in root tenant") + def test_morph_rule_chain_allow_to_range_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowRangeObject", + rule=f"allow Object.Range *", + ) + + with reporter.step("Check range object from container on the first node, allow expected"): + with expect_not_raises(): + get_range(default_user.wallet, cid, oids[0], "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check range object from container on the second node, allow expected"): + with expect_not_raises(): + get_range(default_user.wallet, cid, oids[0], "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowRangeObject", + ) + + @allure.title("MorphRuleChain: Allow to Hash Object in root tenant") + def test_morph_rule_chain_allow_to_hash_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowHashObject", + rule=f"allow Object.Hash *", + ) + + with reporter.step("Check range hash object from container on the first node, allow expected"): + with expect_not_raises(): + get_range_hash(default_user.wallet, cid, oids[0], "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check range hash object from container on the second node, allow expected"): + with expect_not_raises(): + get_range_hash(default_user.wallet, cid, oids[0], "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowHashObject", + ) + + @allure.title("MorphRuleChain: Allow to Delete Object in root tenant") + def test_morph_rule_chain_allow_to_delete_object_root( + self, + default_user: User, + remote_frostfs_adm_first_node: FrostfsAdm, + frostfs_cli: FrostfsCli, + simple_object_size: ObjectSize, + ): + cid, oids = pre_create_container_object_adm( + default_user, remote_frostfs_adm_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster + ) + + with reporter.step("Create a namespace rule for the first node"): + remote_frostfs_adm_first_node.morph.add_rule( + target_type="container", + target_name=f"{cid}", + chain_id="allowDeleteObject", + rule=f"allow Object.Head Object.Delete *", + ) + + with reporter.step("Check delete object from container on the first node, allow expected"): + with expect_not_raises(): + delete_object(default_user.wallet, cid, oids[0], self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + with reporter.step("Check delete object from container on the second node, allow expected"): + with expect_not_raises(): + delete_object(default_user.wallet, cid, oids[1], self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + + with reporter.step("Delete a rule"): + remote_frostfs_adm_first_node.morph.remove_rule( + target_type="namespace", + target_name=f"kapusta", + chain_id="allowDeleteObject", + ) + @pytest.mark.ape @pytest.mark.ape_local