TrueCloudLab/frostfs-testcases
25
0
Fork 21
Code Issues 2 Pull requests 2 Releases Activity Actions

[#303] add morph and local deny ape tests

Browse source
This commit is contained in:
Ekaterina Chernitsyna 2024-10-10 17:03:59 +03:00
parent b439a0badd
commit 975c564e6c
1 changed files with 371 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

371
pytest_tests/testsuites/ape/test_ape.py
View file

@ -75,6 +75,101 @@ def remove_rule_ape_in_system(cluster: Cluster) -> None:
parallel(local_overrides_on_node, cluster.cluster_nodes)
def pre_create_container_object_cli(
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
shell: Shell,
cluster: Cluster,
):
test_file = generate_file(simple_object_size.value)
with reporter.step("Create a container on the first node"):
cid = (
frostfs_cli.container.create(
rpc_endpoint=cluster.storage_nodes[0].get_rpc_endpoint(),
policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK",
name="dcl1",
await_mode=True,
basic_acl="0",
)
.stdout.split(" ")[1]
.strip()
.split("\n")[0]
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
rule=f"allow Object.Put *",
)
with reporter.step("Put objects in container on the first node"):
oid = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
)
return cid, oid
def pre_create_container_object_adm(
default_user: User,
remote_frostfs_adm_first_node: FrostfsAdm,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
shell: Shell,
cluster: Cluster,
):
test_file = generate_file(simple_object_size.value)
with reporter.step("Create a container on the first node"):
cid = (
frostfs_cli.container.create(
rpc_endpoint=cluster.storage_nodes[0].get_rpc_endpoint(),
policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK",
name="dcl1",
await_mode=True,
basic_acl="0",
)
.stdout.split(" ")[1]
.strip()
.split("\n")[0]
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_adm_first_node.morph.add_rule(
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
rule=f"allow Object.Put *",
)
with reporter.step("Put objects in container on the first node"):
oid_1 = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint())
oid_2 = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_adm_first_node.morph.remove_rule(
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
)
return cid, (oid_1, oid_2)
@pytest.mark.ape
@pytest.mark.ape_morph_rule
class TestApeMorphRuleChain(ClusterTestBase):
@ -1280,3 +1375,279 @@ class TestApeLocalOverride(ClusterTestBase):
with reporter.step("Check delete object in container on the first node, expected allow"):
with expect_not_raises():
delete_object(default_user.wallet, cid, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
@allure.title("LocalOverride: Allow to GetObject in root tenant")
def test_local_override_allow_to_get_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowGetObject",
rule=f"allow Object.Get *",
)
with reporter.step("Check get object in container on the first node, expected allow"):
with expect_not_raises():
get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check get object in container on the second node, epxected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.GET_OBJECT)):
get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowGetObject",
)
@allure.title("LocalOverride: Allow to PutObject in root tenant")
def test_local_override_allow_to_put_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
test_file = generate_file(simple_object_size.value)
with reporter.step("Create a container on the first node"):
cid = (
frostfs_cli.container.create(
rpc_endpoint=self.cluster.storage_nodes[0].get_rpc_endpoint(),
policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK",
name="dcl1",
await_mode=True,
basic_acl="0",
)
.stdout.split(" ")[1]
.strip()
.split("\n")[0]
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
rule=f"allow Object.Put *",
)
with reporter.step("Check put object in container on the first node, expected allow"):
with expect_not_raises():
put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check get object in container on the second node, epxected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.PUT_OBJECT)):
put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowPutObject",
)
@allure.title("LocalOverride: Allow to HeadObject in root tenant")
def test_local_override_allow_to_head_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowHeadObject",
rule=f"allow Object.Head *",
)
with reporter.step("Check head object in container on the first node, expected allow"):
with expect_not_raises():
head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check head object in container on the second node, expected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HEAD_OBJECT)):
head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowHeadObject",
)
@allure.title("LocalOverride: Allow to SearchObject in root tenant")
def test_local_override_allow_to_search_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowSearchObject",
rule=f"allow Object.Search *",
)
with reporter.step("Check search object in container on the first node, expected allow"):
with expect_not_raises():
search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check search object from container on the second node, expected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.SEARCH_OBJECT)):
search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowSearchObject",
)
@allure.title("LocalOverride: Allow to RangeObject in root tenant")
def test_local_override_allow_to_range_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowRangeObject",
rule=f"allow Object.Range *",
)
with reporter.step("Check get range object in container on the first node, expected allow"):
with expect_not_raises():
get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check range object in container on the second node. expected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.RANGE_OBJECT)):
get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowRangeObject",
)
@allure.title("LocalOverride: Allow to HashObject in root tenant")
def test_local_override_allow_to_hash_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowHashObject",
rule=f"allow Object.Hash *",
)
with reporter.step("Check get range hash object in container on the first node, expected allow"):
with expect_not_raises():
get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Check get range hash object in container on the second node, expected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HASH_OBJECT)):
get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowHashObject",
)
@allure.title("LocalOverride: Allow to DeleteObject in root tenant")
def test_local_override_allow_to_delete_object_root(
self,
default_user: User,
remote_frostfs_cli_first_node: FrostfsCli,
frostfs_cli: FrostfsCli,
simple_object_size: ObjectSize,
):
cid, oid = pre_create_container(
default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
)
with reporter.step("Create a namespace rule for the first node"):
remote_frostfs_cli_first_node.control.add_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowDeleteObject",
rule=f"allow Object.Head Object.Delete *",
)
with reporter.step("Check delete object from container on the second node, expected access denied error"):
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HEAD_OBJECT)):
delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
with reporter.step("Check delete object in container on the first node, expected allow"):
with expect_not_raises():
delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
with reporter.step("Delete a rule"):
remote_frostfs_cli_first_node.control.remove_rule(
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
target_type="container",
target_name=f"{cid}",
chain_id="allowDeleteObject",
)