[#353] Extend testsuites for PATCH method
Expandable suites: - TestApeContainer - TestApeBearer - TestApeLocalOverrideAllow - TestApeLocalOverrideDeny - TestObjectApiWithoutUser - TestObjectApiWithBearerToken Signed-off-by: Kirill Sosnovskikh <k.sosnovskikh@yadro.com>
This commit is contained in:
parent
d466e1a721
commit
b4d27260ef
8 changed files with 656 additions and 181 deletions
|
@ -20,7 +20,10 @@ ALL_OBJECT_OPERATIONS = ape.ObjectOperations.get_all()
|
|||
|
||||
FULL_ACCESS = {op: True for op in ALL_OBJECT_OPERATIONS}
|
||||
NO_ACCESS = {op: False for op in ALL_OBJECT_OPERATIONS}
|
||||
RO_ACCESS = {op: True if op not in [ape.ObjectOperations.PUT, ape.ObjectOperations.DELETE] else False for op in ALL_OBJECT_OPERATIONS}
|
||||
RO_ACCESS = {
|
||||
op: True if op not in [ape.ObjectOperations.PUT, ape.ObjectOperations.DELETE, ape.ObjectOperations.PATCH] else False
|
||||
for op in ALL_OBJECT_OPERATIONS
|
||||
}
|
||||
|
||||
|
||||
def assert_access_to_container(
|
||||
|
|
|
@ -2,10 +2,12 @@ import allure
|
|||
import pytest
|
||||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli
|
||||
from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED
|
||||
from frostfs_testlib.steps.cli.object import put_object_to_random_node
|
||||
from frostfs_testlib.steps.node_management import drop_object
|
||||
from frostfs_testlib.storage.dataclasses import ape
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.utils import wallet_utils
|
||||
from frostfs_testlib.utils.failover_utils import wait_object_replication
|
||||
|
@ -33,9 +35,12 @@ def allowed_wallet(default_wallet: WalletInfo, other_wallet: WalletInfo, role: a
|
|||
@pytest.mark.nightly
|
||||
@pytest.mark.ape
|
||||
class TestApeContainer(ClusterTestBase):
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@pytest.mark.sanity
|
||||
@allure.title("Deny operations via APE by role (role={role}, obj_size={object_size})")
|
||||
@pytest.mark.parametrize("role", [ape.Role.OWNER, ape.Role.OTHERS], indirect=True)
|
||||
@pytest.mark.parametrize("objects", [4], indirect=True)
|
||||
def test_deny_operations_via_ape_by_role(
|
||||
self,
|
||||
denied_wallet: WalletInfo,
|
||||
|
@ -44,7 +49,7 @@ class TestApeContainer(ClusterTestBase):
|
|||
container: str,
|
||||
objects: list[str],
|
||||
role: ape.Role,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
rpc_endpoint: str,
|
||||
):
|
||||
with reporter.step(f"Deny all operations for {role} via APE"):
|
||||
|
@ -58,10 +63,10 @@ class TestApeContainer(ClusterTestBase):
|
|||
|
||||
with reporter.step(f"Assert denied role have no access to public container"):
|
||||
# access checks will try to remove object, so we use .pop() to ensure we have object before deletion
|
||||
assert_no_access_to_container(denied_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_no_access_to_container(denied_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step(f"Assert allowed role have full access to public container"):
|
||||
assert_full_access_to_container(allowed_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(allowed_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step(f"Remove deny rule from APE"):
|
||||
frostfs_cli.ape_manager.remove(rpc_endpoint, deny_rule.chain_id, target_name=container, target_type="container")
|
||||
|
@ -70,12 +75,15 @@ class TestApeContainer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step("Assert allowed role have full access to public container"):
|
||||
assert_full_access_to_container(allowed_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(allowed_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Assert denied role have full access to public container"):
|
||||
assert_full_access_to_container(denied_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(denied_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@allure.title("Deny operations for others via APE excluding single pubkey (obj_size={object_size})")
|
||||
@pytest.mark.parametrize("objects", [2], indirect=True)
|
||||
def test_deny_opeartions_excluding_pubkey(
|
||||
self,
|
||||
frostfs_cli: FrostfsCli,
|
||||
|
@ -85,7 +93,7 @@ class TestApeContainer(ClusterTestBase):
|
|||
container: str,
|
||||
objects: list[str],
|
||||
rpc_endpoint: str,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
):
|
||||
with reporter.step("Add deny APE rules for others except single wallet"):
|
||||
rule_conditions = [
|
||||
|
@ -103,13 +111,13 @@ class TestApeContainer(ClusterTestBase):
|
|||
|
||||
with reporter.step("Assert others have no access to public container"):
|
||||
# access checks will try to remove object, so we use .pop() to ensure we have object before deletion
|
||||
assert_no_access_to_container(other_wallet, container, objects[0], file_path, self.shell, self.cluster)
|
||||
assert_no_access_to_container(other_wallet, container, objects[0], test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Assert owner have full access to public container"):
|
||||
assert_full_access_to_container(default_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(default_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Assert allowed wallet have full access to public container"):
|
||||
assert_full_access_to_container(other_wallet_2, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(other_wallet_2, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
@allure.title("Replication works with APE deny rules on OWNER and OTHERS (obj_size={object_size})")
|
||||
@pytest.mark.parametrize(
|
||||
|
@ -123,10 +131,10 @@ class TestApeContainer(ClusterTestBase):
|
|||
frostfs_cli: FrostfsCli,
|
||||
container: str,
|
||||
rpc_endpoint: str,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
):
|
||||
with reporter.step("Put object to container"):
|
||||
oid = put_object_to_random_node(default_wallet, file_path, container, self.shell, self.cluster)
|
||||
oid = put_object_to_random_node(default_wallet, test_file, container, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Wait for object replication after upload"):
|
||||
wait_object_replication(container, oid, len(self.cluster.cluster_nodes), self.shell, self.cluster.storage_nodes)
|
||||
|
@ -151,10 +159,13 @@ class TestApeContainer(ClusterTestBase):
|
|||
with reporter.step("Wait for dropped object to be replicated"):
|
||||
wait_object_replication(container, oid, len(self.cluster.storage_nodes), self.shell, self.cluster.storage_nodes)
|
||||
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@allure.title("Deny operations via APE by role (role=ir, obj_size={object_size})")
|
||||
@pytest.mark.parametrize("container_request", [OWNER_ALLOW_ALL], indirect=True)
|
||||
@pytest.mark.parametrize("objects", [3], indirect=True)
|
||||
def test_deny_operations_via_ape_by_role_ir(
|
||||
self, frostfs_cli: FrostfsCli, ir_wallet: WalletInfo, container: str, objects: list[str], rpc_endpoint: str, file_path: TestFile
|
||||
self, frostfs_cli: FrostfsCli, ir_wallet: WalletInfo, container: str, objects: list[str], rpc_endpoint: str, test_file: TestFile
|
||||
):
|
||||
default_ir_access = {
|
||||
ape.ObjectOperations.PUT: False,
|
||||
|
@ -163,11 +174,12 @@ class TestApeContainer(ClusterTestBase):
|
|||
ape.ObjectOperations.GET_RANGE: True,
|
||||
ape.ObjectOperations.GET_RANGE_HASH: True,
|
||||
ape.ObjectOperations.SEARCH: True,
|
||||
ape.ObjectOperations.PATCH: False,
|
||||
ape.ObjectOperations.DELETE: False,
|
||||
}
|
||||
|
||||
with reporter.step("Assert IR wallet access in default state"):
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Add deny APE rule with deny all operations for IR role"):
|
||||
rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS, [ape.Condition.by_role(ape.Role.IR.value)])
|
||||
|
@ -177,7 +189,7 @@ class TestApeContainer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step("Assert IR wallet ignores APE rules"):
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Remove APE rule"):
|
||||
frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container")
|
||||
|
@ -186,10 +198,13 @@ class TestApeContainer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step("Assert IR wallet access is restored"):
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@allure.title("Deny operations via APE by role (role=container, obj_size={object_size})")
|
||||
@pytest.mark.parametrize("container_request", [OWNER_ALLOW_ALL], indirect=True)
|
||||
@pytest.mark.parametrize("objects", [3], indirect=True)
|
||||
def test_deny_operations_via_ape_by_role_container(
|
||||
self,
|
||||
frostfs_cli: FrostfsCli,
|
||||
|
@ -197,7 +212,7 @@ class TestApeContainer(ClusterTestBase):
|
|||
container: str,
|
||||
objects: list[str],
|
||||
rpc_endpoint: str,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
):
|
||||
access_matrix = {
|
||||
ape.ObjectOperations.PUT: True,
|
||||
|
@ -206,11 +221,12 @@ class TestApeContainer(ClusterTestBase):
|
|||
ape.ObjectOperations.GET_RANGE: True,
|
||||
ape.ObjectOperations.GET_RANGE_HASH: True,
|
||||
ape.ObjectOperations.SEARCH: True,
|
||||
ape.ObjectOperations.PATCH: True,
|
||||
ape.ObjectOperations.DELETE: True,
|
||||
}
|
||||
|
||||
with reporter.step("Assert CONTAINER wallet access in default state"):
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects[0], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS, ape.Condition.by_role(ape.Role.CONTAINER.value))
|
||||
|
||||
|
@ -221,7 +237,7 @@ class TestApeContainer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step("Assert CONTAINER wallet ignores APE rule"):
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects[1], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step("Remove APE rule"):
|
||||
frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container")
|
||||
|
@ -230,4 +246,152 @@ class TestApeContainer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step("Assert CONTAINER wallet access after rule was removed"):
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects[2], file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
# ^
|
||||
@allure.title("Deny PATCH operation via APE (object_size={object_size})")
|
||||
@pytest.mark.parametrize("objects", [1], indirect=True)
|
||||
def test_patch_object_with_deny_rule(
|
||||
self,
|
||||
frostfs_cli: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
grpc_client_with_other_wallet: GrpcClientWrapper,
|
||||
grpc_client_with_container_wallet: GrpcClientWrapper,
|
||||
grpc_client_with_ir_wallet: GrpcClientWrapper,
|
||||
container: str,
|
||||
objects: list[str],
|
||||
test_file: TestFile,
|
||||
):
|
||||
patch_params = {
|
||||
"cid": container,
|
||||
"oid": objects[0],
|
||||
"endpoint": self.cluster.default_rpc_endpoint,
|
||||
"ranges": ["300:200"],
|
||||
"payloads": [test_file],
|
||||
"new_attrs": "owner=true",
|
||||
"timeout": "200s",
|
||||
}
|
||||
|
||||
with reporter.step("Check that PATCH is available with owner wallet"):
|
||||
patched_oid = grpc_client.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with another wallet"):
|
||||
patch_params["ranges"] = ["100:50"]
|
||||
patch_params["new_attrs"] = "other=true"
|
||||
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with container wallet"):
|
||||
patch_params["ranges"] = ["600:0"]
|
||||
patch_params["new_attrs"] = "container=true"
|
||||
|
||||
patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with ir wallet"):
|
||||
patch_params["ranges"] = ["0:1000"]
|
||||
patch_params["new_attrs"] = "ir=true"
|
||||
|
||||
patched_oid = grpc_client_with_ir_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PATCH)
|
||||
with reporter.step("Add APE rule with deny PATCH operation"):
|
||||
frostfs_cli.ape_manager.add(
|
||||
self.cluster.default_rpc_endpoint,
|
||||
rule.chain_id,
|
||||
target_name=container,
|
||||
target_type="container",
|
||||
rule=rule.as_string(),
|
||||
)
|
||||
|
||||
with reporter.step("Wait for one block"):
|
||||
self.wait_for_blocks(1)
|
||||
|
||||
with reporter.step("Check that PATCH is not allowed with owner wallet"):
|
||||
patch_params["ranges"] = ["300:200"]
|
||||
patch_params["new_attrs"] = "owner_2=false"
|
||||
|
||||
with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED):
|
||||
grpc_client.object.patch(**patch_params)
|
||||
|
||||
with reporter.step("Check that PATCH is not allowed with another wallet"):
|
||||
patch_params["ranges"] = ["100:50"]
|
||||
patch_params["new_attrs"] = "other_2=false"
|
||||
|
||||
with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED):
|
||||
grpc_client_with_other_wallet.object.patch(**patch_params)
|
||||
|
||||
with reporter.step("Check that PATCH is allowed with container wallet as rule is ignored"):
|
||||
patch_params["ranges"] = ["600:0"]
|
||||
patch_params["new_attrs"] = "container_2=true"
|
||||
|
||||
patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is not allowed with ir waller"):
|
||||
patch_params["ranges"] = ["0:1000"]
|
||||
patch_params["new_attrs"] = "ir_2=true"
|
||||
|
||||
with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED):
|
||||
grpc_client_with_ir_wallet.object.patch(**patch_params)
|
||||
|
||||
with reporter.step("Remove APE rule"):
|
||||
frostfs_cli.ape_manager.remove(
|
||||
self.cluster.default_rpc_endpoint,
|
||||
rule.chain_id,
|
||||
target_name=container,
|
||||
target_type="container",
|
||||
)
|
||||
|
||||
with reporter.step("Wait for one block"):
|
||||
self.wait_for_blocks(1)
|
||||
|
||||
with reporter.step("Check that PATCH is available with owner wallet"):
|
||||
patch_params["ranges"] = ["300:200"]
|
||||
patch_params["new_attrs"] = "owner_3=true"
|
||||
|
||||
patched_oid = grpc_client.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with another wallet"):
|
||||
patch_params["ranges"] = ["100:50"]
|
||||
patch_params["new_attrs"] = "other_3=true"
|
||||
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with container wallet"):
|
||||
patch_params["ranges"] = ["600:0"]
|
||||
patch_params["new_attrs"] = "container_3=true"
|
||||
|
||||
patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
with reporter.step("Check that PATCH is available with ir wallet"):
|
||||
patch_params["ranges"] = ["0:1000"]
|
||||
patch_params["new_attrs"] = "ir_3=true"
|
||||
|
||||
patched_oid = grpc_client_with_ir_wallet.object.patch(**patch_params)
|
||||
assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one"
|
||||
patch_params["oid"] = patched_oid
|
||||
|
||||
attrs = {"owner", "other", "container", "ir", "container_2", "owner_3", "other_3", "container_3", "ir_3"}
|
||||
|
||||
with reporter.step("Ensure that all attributes match expected values"):
|
||||
object_info: dict = grpc_client.object.head(container, patch_params["oid"], self.cluster.default_rpc_endpoint)
|
||||
object_attrs: dict = object_info["header"]["attributes"]
|
||||
assert attrs <= {k for k in object_attrs.keys()}, f"Received attributes do not match expected ones: {object_attrs}"
|
||||
assert all(
|
||||
v == "true" for k, v in object_attrs.items() if k in attrs
|
||||
), f"Received attributes do not match expected ones: {object_attrs}"
|
||||
|
|
|
@ -2,8 +2,10 @@ import allure
|
|||
import pytest
|
||||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli
|
||||
from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED
|
||||
from frostfs_testlib.storage.dataclasses import ape
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.utils.file_utils import TestFile
|
||||
|
||||
|
@ -22,8 +24,11 @@ from ....helpers.container_access import (
|
|||
@pytest.mark.ape
|
||||
@pytest.mark.parametrize("user_tag", ["ApeBearer"], indirect=True) # provide dedicated user with no APE side-policies
|
||||
class TestApeBearer(ClusterTestBase):
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@allure.title("Operations with BearerToken (role={role}, obj_size={object_size})")
|
||||
@pytest.mark.parametrize("role", [ape.Role.OWNER, ape.Role.OTHERS], indirect=True)
|
||||
@pytest.mark.parametrize("objects", [4], indirect=True)
|
||||
def test_bearer_token_operations(
|
||||
self,
|
||||
container: str,
|
||||
|
@ -32,11 +37,11 @@ class TestApeBearer(ClusterTestBase):
|
|||
temp_directory: str,
|
||||
test_wallet: WalletInfo,
|
||||
role: ape.Role,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
rpc_endpoint: str,
|
||||
):
|
||||
with reporter.step(f"Check {role} has full access to container without bearer token"):
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step(f"Deny all operations for everyone via APE"):
|
||||
rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS)
|
||||
|
@ -55,10 +60,10 @@ class TestApeBearer(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step(f"Check {role} without token has no access to all operations with container"):
|
||||
assert_no_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_no_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
with reporter.step(f"Check {role} with token has access to all operations with container"):
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster, bearer)
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer)
|
||||
|
||||
with reporter.step(f"Remove deny rule from APE"):
|
||||
frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container")
|
||||
|
@ -67,9 +72,121 @@ class TestApeBearer(ClusterTestBase):
|
|||
self.wait_for_blocks()
|
||||
|
||||
with reporter.step(f"Check {role} without token has access to all operations with container"):
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
# ^
|
||||
@allure.title("Patch operation with BearerToken (object_size={object_size})")
|
||||
@pytest.mark.parametrize("objects", [1], indirect=True)
|
||||
def test_patch_object_with_bearer_token(
|
||||
self,
|
||||
frostfs_cli: FrostfsCli,
|
||||
grpc_client_with_other_wallet: GrpcClientWrapper,
|
||||
container: str,
|
||||
objects: list[str],
|
||||
test_file: TestFile,
|
||||
temp_directory: str,
|
||||
):
|
||||
oid = objects[0]
|
||||
|
||||
with reporter.step("Check if the patch is available with another wallet"):
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(
|
||||
container,
|
||||
oid,
|
||||
self.cluster.default_rpc_endpoint,
|
||||
ranges=["100:300"],
|
||||
payloads=[test_file],
|
||||
new_attrs="allow-patch=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid != oid, "OID of patched object must be different from original one"
|
||||
oid = patched_oid
|
||||
|
||||
rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PATCH)
|
||||
|
||||
with reporter.step("Deny PATCH operation for everyone via APE"):
|
||||
frostfs_cli.ape_manager.add(
|
||||
self.cluster.default_rpc_endpoint,
|
||||
rule.chain_id,
|
||||
target_name=container,
|
||||
target_type="container",
|
||||
rule=rule.as_string(),
|
||||
)
|
||||
|
||||
with reporter.step("Wait for one block"):
|
||||
self.wait_for_blocks(1)
|
||||
|
||||
with reporter.step("Check that patch is not allowed with another wallet"):
|
||||
with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED):
|
||||
grpc_client_with_other_wallet.object.patch(
|
||||
container,
|
||||
oid,
|
||||
self.cluster.default_rpc_endpoint,
|
||||
ranges=["100:300"],
|
||||
payloads=[test_file],
|
||||
new_attrs="deny-patch=true",
|
||||
timeout="200s",
|
||||
)
|
||||
|
||||
with reporter.step("Create bearer token with all operations allowed"):
|
||||
bearer = create_bearer_token(
|
||||
frostfs_cli,
|
||||
temp_directory,
|
||||
container,
|
||||
rule=ape.Rule(ape.Verb.ALLOW, ALL_OBJECT_OPERATIONS),
|
||||
endpoint=self.cluster.default_rpc_endpoint,
|
||||
)
|
||||
|
||||
with reporter.step("Check that patch is available with another wallet with BearerToken"):
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(
|
||||
container,
|
||||
oid,
|
||||
self.cluster.default_rpc_endpoint,
|
||||
bearer=bearer,
|
||||
ranges=["100:300"],
|
||||
payloads=[test_file],
|
||||
new_attrs="bearer-patch=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid != oid, "OID of patched object must be different from original one"
|
||||
oid = patched_oid
|
||||
|
||||
with reporter.step(f"Remove deny rule from APE"):
|
||||
frostfs_cli.ape_manager.remove(
|
||||
self.cluster.default_rpc_endpoint,
|
||||
rule.chain_id,
|
||||
target_name=container,
|
||||
target_type="container",
|
||||
)
|
||||
|
||||
with reporter.step("Wait for one block"):
|
||||
self.wait_for_blocks(1)
|
||||
|
||||
with reporter.step("Check if the patch is available with another wallet"):
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(
|
||||
container,
|
||||
oid,
|
||||
self.cluster.default_rpc_endpoint,
|
||||
bearer=bearer,
|
||||
ranges=["100:300"],
|
||||
payloads=[test_file],
|
||||
new_attrs="allow-patch-2=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid != oid, "OID of patched object must be different from original one"
|
||||
oid = patched_oid
|
||||
|
||||
attrs = {"allow-patch", "bearer-patch", "allow-patch-2"}
|
||||
|
||||
with reporter.step("Ensure that all attributes match expected values"):
|
||||
object_info: dict = grpc_client_with_other_wallet.object.head(container, oid, self.cluster.default_rpc_endpoint)
|
||||
object_attrs: dict = object_info["header"]["attributes"]
|
||||
assert attrs <= {k for k in object_attrs.keys()}, f"Received attributes do not match expected ones: {object_attrs}"
|
||||
assert all(
|
||||
v == "true" for k, v in object_attrs.items() if k in attrs
|
||||
), f"Received attributes do not match expected ones: {object_attrs}"
|
||||
|
||||
@allure.title("BearerToken for compound operations (obj_size={object_size})")
|
||||
@pytest.mark.parametrize("objects", [4], indirect=True)
|
||||
def test_bearer_token_compound_operations(
|
||||
self,
|
||||
frostfs_cli: FrostfsCli,
|
||||
|
@ -79,7 +196,7 @@ class TestApeBearer(ClusterTestBase):
|
|||
container: str,
|
||||
objects: list[str],
|
||||
rpc_endpoint: str,
|
||||
file_path: TestFile,
|
||||
test_file: TestFile,
|
||||
):
|
||||
"""
|
||||
Bearer Token COMPLETLY overrides chains set for the specific target.
|
||||
|
@ -151,7 +268,7 @@ class TestApeBearer(ClusterTestBase):
|
|||
ape.ObjectOperations.PUT,
|
||||
ape.ObjectOperations.HEAD,
|
||||
ape.ObjectOperations.GET_RANGE,
|
||||
# Delete also requires PUT (to make tobstone) and HEAD (to get simple objects header)
|
||||
# Delete also requires PUT (to make tombstone) and HEAD (to get simple objects header)
|
||||
ape.ObjectOperations.DELETE,
|
||||
],
|
||||
ape.Role.OTHERS: [
|
||||
|
@ -180,7 +297,7 @@ class TestApeBearer(ClusterTestBase):
|
|||
|
||||
for role, wallet in wallets_map.items():
|
||||
with reporter.step(f"Assert access to container without bearer token for {role}"):
|
||||
assert_access_to_container(access_map[role], wallet, container, objects.pop(), file_path, self.shell, self.cluster)
|
||||
assert_access_to_container(access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
||||
|
||||
bearer_tokens = {}
|
||||
for role in wallets_map.keys():
|
||||
|
@ -192,5 +309,5 @@ class TestApeBearer(ClusterTestBase):
|
|||
for role, wallet in wallets_map.items():
|
||||
with reporter.step(f"Assert access to container with bearer token for {role}"):
|
||||
assert_access_to_container(
|
||||
bt_access_map[role], wallet, container, objects.pop(), file_path, self.shell, self.cluster, bearer_tokens[role]
|
||||
bt_access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer_tokens[role]
|
||||
)
|
||||
|
|
|
@ -2,16 +2,18 @@ import json
|
|||
|
||||
import pytest
|
||||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli
|
||||
from frostfs_testlib.resources.cli import FROSTFS_CLI_EXEC
|
||||
from frostfs_testlib.shell import Shell
|
||||
from frostfs_testlib.steps.cli.container import search_nodes_with_container
|
||||
from frostfs_testlib.steps.cli.object import put_object_to_random_node
|
||||
from frostfs_testlib.storage.cluster import Cluster, ClusterNode
|
||||
from frostfs_testlib.storage.dataclasses import ape
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.storage.grpc_operations.client_wrappers import CliClientWrapper
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.parallel import parallel
|
||||
|
||||
OBJECT_COUNT = 5
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def ir_wallet(cluster: Cluster) -> WalletInfo:
|
||||
|
@ -40,13 +42,22 @@ def test_wallet(default_wallet: WalletInfo, other_wallet: WalletInfo, role: ape.
|
|||
return role_to_wallet_map[role]
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def objects(container: str, default_wallet: WalletInfo, client_shell: Shell, cluster: Cluster, file_path: str):
|
||||
@pytest.fixture(scope="function", params=[5])
|
||||
def objects(
|
||||
container: str,
|
||||
default_wallet: WalletInfo,
|
||||
client_shell: Shell,
|
||||
cluster: Cluster,
|
||||
test_file: str,
|
||||
request: pytest.FixtureRequest,
|
||||
):
|
||||
object_count = request.param
|
||||
|
||||
with reporter.step("Add test objects to container"):
|
||||
put_results = parallel(
|
||||
[put_object_to_random_node] * OBJECT_COUNT,
|
||||
[put_object_to_random_node] * object_count,
|
||||
wallet=default_wallet,
|
||||
path=file_path,
|
||||
path=test_file,
|
||||
cid=container,
|
||||
shell=client_shell,
|
||||
cluster=cluster,
|
||||
|
@ -70,3 +81,18 @@ def container_nodes(default_wallet: WalletInfo, container: str, client_shell: Sh
|
|||
@pytest.fixture
|
||||
def container_node_wallet(container_nodes: list[ClusterNode]) -> WalletInfo:
|
||||
return WalletInfo.from_node(container_nodes[0].storage_node)
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def grpc_client_with_container_wallet(client_shell: Shell, container_node_wallet: WalletInfo) -> GrpcClientWrapper:
|
||||
return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, container_node_wallet.config_path))
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def grpc_client_with_other_wallet(client_shell: Shell, other_wallet: WalletInfo) -> GrpcClientWrapper:
|
||||
return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, other_wallet.config_path))
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def grpc_client_with_ir_wallet(client_shell: Shell, ir_wallet: WalletInfo) -> GrpcClientWrapper:
|
||||
return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, ir_wallet.config_path))
|
||||
|
|
|
@ -3,12 +3,10 @@ import pytest
|
|||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli import FrostfsCli
|
||||
from frostfs_testlib.resources.error_patterns import NO_RULE_FOUND_OBJECT
|
||||
from frostfs_testlib.steps.cli.object import delete_object, get_object, get_range, get_range_hash, head_object, put_object, search_object
|
||||
from frostfs_testlib.storage.dataclasses.object_size import ObjectSize
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.testing.test_control import expect_not_raises
|
||||
from frostfs_testlib.utils.file_utils import generate_file
|
||||
from frostfs_testlib.utils.file_utils import TestFile
|
||||
|
||||
from ...helpers.container_request import ContainerRequest
|
||||
|
||||
|
@ -25,8 +23,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to GetObject in root tenant")
|
||||
def test_local_override_allow_to_get_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
|
@ -41,11 +39,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.get(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get object in container on the second node, epxected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
get_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.get(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -56,15 +54,14 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
)
|
||||
|
||||
@allure.title("LocalOverride: Allow to PutObject in root tenant")
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_allow_to_put_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -76,11 +73,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check put object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get object in container on the second node, epxected access denied error"):
|
||||
with reporter.step("Check put object in container on the second node, epxected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.put(test_file, container, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -93,8 +90,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to HeadObject in root tenant")
|
||||
def test_local_override_allow_to_head_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
|
@ -109,11 +106,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check head object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
head_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.head(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check head object in container on the second node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
head_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.head(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -126,8 +123,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to SearchObject in root tenant")
|
||||
def test_local_override_allow_to_search_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
):
|
||||
with reporter.step("Create local override on first node"):
|
||||
|
@ -141,11 +138,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check search object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check search object from container on the second node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -158,8 +155,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to RangeObject in root tenant")
|
||||
def test_local_override_allow_to_range_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
|
@ -174,11 +171,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get range object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.range(container, object_id, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check range object in container on the second node. expected access denied error"):
|
||||
with reporter.step("Check get range object in container on the second node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
get_range(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.range(container, object_id, "0:10", self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -191,8 +188,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to HashObject in root tenant")
|
||||
def test_local_override_allow_to_hash_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
|
@ -207,11 +204,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get range hash object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range_hash(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, object_id, range="0:10")
|
||||
|
||||
with reporter.step("Check get range hash object in container on the second node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
get_range_hash(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.hash(self.cluster.storage_nodes[1].get_rpc_endpoint(), container, object_id, range="0:10")
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -224,8 +221,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
@allure.title("LocalOverride: Allow to DeleteObject in root tenant")
|
||||
def test_local_override_allow_to_delete_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
|
@ -240,11 +237,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check delete object from container on the second node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
delete_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.delete(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check delete object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
delete_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.delete(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -253,3 +250,55 @@ class TestApeLocalOverrideAllow(ClusterTestBase):
|
|||
target_name=container,
|
||||
chain_id="allowDeleteObject",
|
||||
)
|
||||
|
||||
@allure.title("LocalOverride: Allow to PatchObject in root tenant")
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_allow_to_patch_object_root(
|
||||
self,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
object_id: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
target_type="container",
|
||||
target_name=container,
|
||||
chain_id="allowPatchObject",
|
||||
rule=f"allow Object.Patch *",
|
||||
)
|
||||
|
||||
with reporter.step("Check patch object in container on the second node, epxected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT):
|
||||
grpc_client.object.patch(
|
||||
container,
|
||||
object_id,
|
||||
self.cluster.storage_nodes[1].get_rpc_endpoint(),
|
||||
ranges=["500:300"],
|
||||
payloads=[test_file],
|
||||
new_attrs="patched=false",
|
||||
timeout="200s",
|
||||
)
|
||||
|
||||
with reporter.step("Check patch object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
patched_oid = grpc_client.object.patch(
|
||||
container,
|
||||
object_id,
|
||||
self.cluster.storage_nodes[0].get_rpc_endpoint(),
|
||||
ranges=["100:200"],
|
||||
payloads=[test_file],
|
||||
new_attrs="patched=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid != object_id, "OID of patched object must be different from original one"
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
target_type="container",
|
||||
target_name=container,
|
||||
chain_id="allowPatchObject",
|
||||
)
|
||||
|
|
|
@ -1,20 +1,15 @@
|
|||
import allure
|
||||
import pytest
|
||||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli import FrostfsCli
|
||||
from frostfs_testlib.reporter import get_reporter
|
||||
from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED, RULE_ACCESS_DENIED_OBJECT
|
||||
from frostfs_testlib.steps.cli.object import delete_object, get_object, get_range, get_range_hash, head_object, put_object, search_object
|
||||
from frostfs_testlib.storage.dataclasses.ape import Operations
|
||||
from frostfs_testlib.storage.dataclasses.object_size import ObjectSize
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.resources.error_patterns import RULE_ACCESS_DENIED_OBJECT
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.testing.test_control import expect_not_raises
|
||||
from frostfs_testlib.utils.file_utils import generate_file
|
||||
from frostfs_testlib.utils.file_utils import TestFile
|
||||
|
||||
from ...helpers.container_request import APE_EVERYONE_ALLOW_ALL, ContainerRequest
|
||||
|
||||
reporter = get_reporter()
|
||||
|
||||
REP2 = ContainerRequest("REP 2", ape_rules=APE_EVERYONE_ALLOW_ALL, short_name="REP2_allow_all_ape")
|
||||
|
||||
|
||||
|
@ -25,15 +20,14 @@ REP2 = ContainerRequest("REP 2", ape_rules=APE_EVERYONE_ALLOW_ALL, short_name="R
|
|||
class TestApeLocalOverrideDeny(ClusterTestBase):
|
||||
@allure.title("LocalOverride: Deny to GetObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_get_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -44,15 +38,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Put object in container on the first node"):
|
||||
oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.get(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.get(container, oid, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -64,19 +58,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.get(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to PutObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_put_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -87,14 +80,12 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Check put object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=OBJECT_ACCESS_DENIED):
|
||||
put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check put object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
put_object(
|
||||
default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint(), copies_number=3
|
||||
)
|
||||
grpc_client.object.put(test_file, container, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -106,19 +97,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to HeadObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_head_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -129,15 +119,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Put object in container on the first node"):
|
||||
oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check head object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.head(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check head object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.head(container, oid, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -149,14 +139,14 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check head object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.head(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to SearchObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
def test_local_override_deny_to_search_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
):
|
||||
with reporter.step("Create local override on first node"):
|
||||
|
@ -169,12 +159,12 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Check search object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.SEARCH_OBJECT)):
|
||||
search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check search object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -186,19 +176,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check search object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to RangeObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_range_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -209,15 +198,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Put object in container on the first node"):
|
||||
oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check range object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.RANGE_OBJECT)):
|
||||
get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get range object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -229,19 +218,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get range object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to HashObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_hash_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -252,15 +240,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Put object in container on the first node"):
|
||||
oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check get range hash object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.HASH_OBJECT)):
|
||||
get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, oid, range="0:10")
|
||||
|
||||
with reporter.step("Check get range hash object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.hash(self.cluster.storage_nodes[1].get_rpc_endpoint(), container, oid, range="0:10")
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -272,19 +260,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check get range hash object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, oid, range="0:10")
|
||||
|
||||
@allure.title("LocalOverride: Deny to DeleteObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_delete_object_root(
|
||||
self,
|
||||
default_wallet: WalletInfo,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
simple_object_size: ObjectSize,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
container: str,
|
||||
test_file: TestFile,
|
||||
):
|
||||
test_file = generate_file(simple_object_size.value)
|
||||
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
|
@ -295,30 +282,26 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
)
|
||||
|
||||
with reporter.step("Put objects in container on the first node"):
|
||||
oid_1 = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid_2 = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid_1 = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
oid_2 = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Search object in container on the first node"):
|
||||
search_object_in_container_1 = search_object(
|
||||
default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()
|
||||
)
|
||||
search_object_in_container_1 = grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
assert oid_1 in search_object_in_container_1, f"Object {oid_1} was not found"
|
||||
assert oid_2 in search_object_in_container_1, f"Object {oid_2} was not found"
|
||||
|
||||
with reporter.step("Search object from container on the second node"):
|
||||
search_object_in_container_2 = search_object(
|
||||
default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()
|
||||
)
|
||||
search_object_in_container_2 = grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
assert oid_1 in search_object_in_container_2, f"Object {oid_1} was not found"
|
||||
assert oid_2 in search_object_in_container_2, f"Object {oid_2} was not found"
|
||||
|
||||
with reporter.step("Check delete object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
delete_object(default_wallet, container, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.delete(container, oid_1, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Check delete object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
delete_object(default_wallet, container, oid_2, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
grpc_client.object.delete(container, oid_2, self.cluster.storage_nodes[1].get_rpc_endpoint())
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
|
@ -330,4 +313,70 @@ class TestApeLocalOverrideDeny(ClusterTestBase):
|
|||
|
||||
with reporter.step("Check delete object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
delete_object(default_wallet, container, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
grpc_client.object.delete(container, oid_1, self.cluster.storage_nodes[0].get_rpc_endpoint())
|
||||
|
||||
@allure.title("LocalOverride: Deny to PatchObject in root tenant")
|
||||
@pytest.mark.parametrize("container_request", [REP2], indirect=True)
|
||||
@pytest.mark.parametrize("object_size", ["simple"], indirect=True)
|
||||
def test_local_override_deny_to_patch_object_root(
|
||||
self,
|
||||
frostfs_cli_on_first_node: FrostfsCli,
|
||||
grpc_client: GrpcClientWrapper,
|
||||
test_file: TestFile,
|
||||
container: str,
|
||||
object_id: str,
|
||||
):
|
||||
with reporter.step("Create local override on first node"):
|
||||
frostfs_cli_on_first_node.control.add_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
target_type="container",
|
||||
target_name=container,
|
||||
chain_id="denyPatchObject",
|
||||
rule=f"deny Object.Patch /{container}/*",
|
||||
)
|
||||
|
||||
with reporter.step("Check patch object from container on the first node, expected access denied error"):
|
||||
with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT):
|
||||
grpc_client.object.patch(
|
||||
container,
|
||||
object_id,
|
||||
self.cluster.storage_nodes[0].get_rpc_endpoint(),
|
||||
ranges=["0:350"],
|
||||
payloads=[test_file],
|
||||
new_attrs="patched_by_first_node=false",
|
||||
timeout="200s",
|
||||
)
|
||||
|
||||
with reporter.step("Check patch object from container on the second node, expected allow"):
|
||||
with expect_not_raises():
|
||||
patched_oid_1 = grpc_client.object.patch(
|
||||
container,
|
||||
object_id,
|
||||
self.cluster.storage_nodes[1].get_rpc_endpoint(),
|
||||
ranges=["200:400"],
|
||||
payloads=[test_file],
|
||||
new_attrs="patched_by_second_node=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid_1 != object_id, "OID of patched object must be different from original one"
|
||||
|
||||
with reporter.step("Delete a rule"):
|
||||
frostfs_cli_on_first_node.control.remove_rule(
|
||||
endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
|
||||
target_type="container",
|
||||
target_name=container,
|
||||
chain_id="denyPatchObject",
|
||||
)
|
||||
|
||||
with reporter.step("Check patch object in container on the first node, expected allow"):
|
||||
with expect_not_raises():
|
||||
patched_oid_2 = grpc_client.object.patch(
|
||||
container,
|
||||
patched_oid_1,
|
||||
self.cluster.storage_nodes[0].get_rpc_endpoint(),
|
||||
ranges=["600:0"],
|
||||
payloads=[test_file],
|
||||
new_attrs="patched_by_first_node=true",
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid_1 != patched_oid_2, "OID of patched object must be different from original one"
|
||||
|
|
|
@ -2,6 +2,7 @@ import allure
|
|||
import pytest
|
||||
from frostfs_testlib import reporter
|
||||
from frostfs_testlib.cli import FrostfsCli
|
||||
from frostfs_testlib.resources.cli import FROSTFS_CLI_EXEC
|
||||
from frostfs_testlib.shell import Shell
|
||||
from frostfs_testlib.steps.cli.container import (
|
||||
REP_2_FOR_3_NODES_PLACEMENT_RULE,
|
||||
|
@ -15,6 +16,8 @@ from frostfs_testlib.storage.cluster import Cluster
|
|||
from frostfs_testlib.storage.dataclasses import ape
|
||||
from frostfs_testlib.storage.dataclasses.object_size import ObjectSize
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.storage.grpc_operations.client_wrappers import CliClientWrapper
|
||||
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.testing.test_control import expect_not_raises
|
||||
from pytest import FixtureRequest
|
||||
|
@ -46,6 +49,11 @@ def bearer_token(frostfs_cli: FrostfsCli, temp_directory: str, user_container: S
|
|||
return create_bearer_token(frostfs_cli, temp_directory, user_container.get_id(), rule, cluster.default_rpc_endpoint)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def grpc_client_with_other_wallet(client_shell: Shell, other_wallet: WalletInfo) -> GrpcClientWrapper:
|
||||
return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, other_wallet.config_path))
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def storage_objects(
|
||||
user_container: StorageContainer,
|
||||
|
@ -126,6 +134,8 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
|
|||
bearer_token,
|
||||
)
|
||||
|
||||
# TODO: Without PATCH operation,
|
||||
# since it requires specific permissions that do not apply when testing all operations at once
|
||||
@allure.title("Wildcard APE rule contains all permissions (obj_size={object_size})")
|
||||
def test_ape_wildcard_contains_all_rules(
|
||||
self,
|
||||
|
@ -134,5 +144,27 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
|
|||
bearer_token: str,
|
||||
):
|
||||
obj = storage_objects.pop()
|
||||
with reporter.step(f"Assert all operations available with object"):
|
||||
with reporter.step("Assert all operations available with object"):
|
||||
assert_full_access_to_container(other_wallet, obj.cid, obj.oid, obj.file_path, self.shell, self.cluster, bearer_token)
|
||||
|
||||
# ^
|
||||
@allure.title("Wildcard APE rule contains PATCH permission (obj_size={object_size})")
|
||||
def test_ape_wildcard_contains_patch_rule(
|
||||
self,
|
||||
grpc_client_with_other_wallet: GrpcClientWrapper,
|
||||
storage_objects: list[StorageObjectInfo],
|
||||
bearer_token: str,
|
||||
):
|
||||
obj = storage_objects.pop()
|
||||
with reporter.step("Verify patch is available"):
|
||||
patched_oid = grpc_client_with_other_wallet.object.patch(
|
||||
obj.cid,
|
||||
obj.oid,
|
||||
self.cluster.default_rpc_endpoint,
|
||||
ranges=["99:88"],
|
||||
payloads=[obj.file_path],
|
||||
new_attrs="test-attribute=100",
|
||||
bearer=bearer_token,
|
||||
timeout="200s",
|
||||
)
|
||||
assert patched_oid != obj.oid, "OID of patched object must be different from original one"
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import logging
|
||||
import re
|
||||
from typing import Literal
|
||||
|
||||
import allure
|
||||
import pytest
|
||||
|
@ -8,6 +9,7 @@ from frostfs_testlib.cli import FrostfsCli
|
|||
from frostfs_testlib.resources.cli import CLI_DEFAULT_TIMEOUT, FROSTFS_CLI_EXEC
|
||||
from frostfs_testlib.resources.error_patterns import OBJECT_IS_LOCKED
|
||||
from frostfs_testlib.shell import Shell
|
||||
from frostfs_testlib.shell.interfaces import CommandResult
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
||||
from frostfs_testlib.testing.test_control import expect_not_raises
|
||||
|
@ -16,20 +18,24 @@ from frostfs_testlib.utils.file_utils import TestFile, get_file_hash
|
|||
logger = logging.getLogger("NeoLogger")
|
||||
|
||||
|
||||
def parse_oid(response: CommandResult, response_type: Literal["tombstone", "patch"] = None) -> str:
|
||||
if response_type == "tombstone":
|
||||
id_str = response.stdout.split("\n")[1]
|
||||
oid = id_str.split(":")[1]
|
||||
return oid.strip()
|
||||
|
||||
if response_type == "patch":
|
||||
return response.stdout.split(":")[1].strip()
|
||||
|
||||
id_str = response.stdout.strip().split("\n")[-2]
|
||||
oid = id_str.split(":")[1]
|
||||
return oid.strip()
|
||||
|
||||
|
||||
@pytest.mark.nightly
|
||||
@pytest.mark.grpc_api
|
||||
@pytest.mark.grpc_without_user
|
||||
class TestObjectApiWithoutUser(ClusterTestBase):
|
||||
def _parse_oid(self, stdout: str) -> str:
|
||||
id_str = stdout.strip().split("\n")[-2]
|
||||
oid = id_str.split(":")[1]
|
||||
return oid.strip()
|
||||
|
||||
def _parse_tombstone_oid(self, stdout: str) -> str:
|
||||
id_str = stdout.split("\n")[1]
|
||||
tombstone = id_str.split(":")[1]
|
||||
return tombstone.strip()
|
||||
|
||||
@pytest.fixture(scope="class")
|
||||
def cli_without_wallet(self, client_shell: Shell) -> FrostfsCli:
|
||||
return FrostfsCli(client_shell, FROSTFS_CLI_EXEC)
|
||||
|
@ -86,7 +92,7 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
cli_without_wallet.container.search_node(rpc_endpoint, container, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT)
|
||||
|
||||
@allure.title("Put object into public container by native API with generate private key (obj_size={object_size})")
|
||||
def test_put_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_put_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object put` into container with public ACL and flag `--generate-key`.
|
||||
"""
|
||||
|
@ -96,13 +102,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("List objects with generate key"):
|
||||
result = cli_without_wallet.container.list_objects(rpc_endpoint, container, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT)
|
||||
|
@ -112,24 +118,24 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
assert oid in objects, objects
|
||||
|
||||
@allure.title("Get public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_get_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_get_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object get` for container with public ACL and flag `--generate-key`.
|
||||
"""
|
||||
|
||||
expected_hash = get_file_hash(file_path)
|
||||
expected_hash = get_file_hash(test_file)
|
||||
|
||||
with reporter.step("Put object with generate key"):
|
||||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Get object with generate key"):
|
||||
with expect_not_raises():
|
||||
|
@ -137,19 +143,19 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
rpc_endpoint,
|
||||
container,
|
||||
oid,
|
||||
file=file_path,
|
||||
file=test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
downloaded_hash = get_file_hash(file_path)
|
||||
downloaded_hash = get_file_hash(test_file)
|
||||
|
||||
with reporter.step("Validate downloaded file"):
|
||||
assert expected_hash == downloaded_hash
|
||||
|
||||
@allure.title("Head public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_head_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_head_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object head` for container with public ACL and flag `--generate-key`.
|
||||
"""
|
||||
|
@ -158,20 +164,20 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Head object with generate key"):
|
||||
with expect_not_raises():
|
||||
cli_without_wallet.object.head(rpc_endpoint, container, oid, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT)
|
||||
|
||||
@allure.title("Delete public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_delete_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_delete_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object delete` for container with public ACL and flag `--generate key`.
|
||||
"""
|
||||
|
@ -180,19 +186,19 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Delete object with generate key"):
|
||||
with expect_not_raises():
|
||||
result = cli_without_wallet.object.delete(rpc_endpoint, container, oid, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT)
|
||||
|
||||
oid = self._parse_tombstone_oid(result.stdout)
|
||||
oid = parse_oid(result, response_type="tombstone")
|
||||
|
||||
with reporter.step("Head object with generate key"):
|
||||
result = cli_without_wallet.object.head(
|
||||
|
@ -207,8 +213,37 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
object_type = re.search(r"(?<=type: )tombstone", result.stdout, re.IGNORECASE).group()
|
||||
assert object_type == "TOMBSTONE", object_type
|
||||
|
||||
@allure.title("Patch object in public container with generate private key (obj_size={object_size})")
|
||||
def test_patch_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
with reporter.step("Put object with generate key"):
|
||||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Patch object with generate key"):
|
||||
with expect_not_raises():
|
||||
result = cli_without_wallet.object.patch(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
oid,
|
||||
["0:500"],
|
||||
[test_file],
|
||||
generate_key=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
patched_oid = parse_oid(result, response_type="patch")
|
||||
assert oid != patched_oid, "Patched object must have new object id"
|
||||
|
||||
@allure.title("Lock public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_lock_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_lock_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object lock` for container with public ACL and flag `--generate-key`.
|
||||
Attempt to delete the locked object.
|
||||
|
@ -218,13 +253,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Lock object with generate key"):
|
||||
with expect_not_raises():
|
||||
|
@ -248,7 +283,7 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
)
|
||||
|
||||
@allure.title("Search public container objects by native API with generate private key (obj_size={object_size})")
|
||||
def test_search_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_search_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object search` for container with public ACL and flag `--generate-key`.
|
||||
"""
|
||||
|
@ -257,13 +292,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Object search with generate key"):
|
||||
with expect_not_raises():
|
||||
|
@ -274,7 +309,7 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
assert oid in object_ids
|
||||
|
||||
@allure.title("Get range of public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_range_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_range_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object range` for container with public ACL and `--generate-key`.
|
||||
"""
|
||||
|
@ -283,13 +318,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Get range of object with generate key"):
|
||||
with expect_not_raises():
|
||||
|
@ -298,13 +333,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
container,
|
||||
oid,
|
||||
"0:10",
|
||||
file=file_path,
|
||||
file=test_file,
|
||||
generate_key=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
@allure.title("Get hash of public container object by native API with generate private key (obj_size={object_size})")
|
||||
def test_hash_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_hash_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object hash` for container with public ACL and `--generate-key`.
|
||||
"""
|
||||
|
@ -313,13 +348,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
generate_key=True,
|
||||
no_progress=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Get range hash of object with generate key"):
|
||||
with expect_not_raises():
|
||||
|
@ -333,7 +368,7 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
)
|
||||
|
||||
@allure.title("Get public container object nodes by native API with generate private key (obj_size={object_size})")
|
||||
def test_nodes_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str):
|
||||
def test_nodes_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str):
|
||||
"""
|
||||
Validate `object nodes` for container with public ACL and `--generate-key`.
|
||||
"""
|
||||
|
@ -342,13 +377,13 @@ class TestObjectApiWithoutUser(ClusterTestBase):
|
|||
result = cli_without_wallet.object.put(
|
||||
rpc_endpoint,
|
||||
container,
|
||||
file_path,
|
||||
test_file,
|
||||
no_progress=True,
|
||||
generate_key=True,
|
||||
timeout=CLI_DEFAULT_TIMEOUT,
|
||||
)
|
||||
|
||||
oid = self._parse_oid(result.stdout)
|
||||
oid = parse_oid(result)
|
||||
|
||||
with reporter.step("Configure frostfs-cli for alive remote node"):
|
||||
alive_node = self.cluster.cluster_nodes[0]
|
||||
|
|
Loading…
Reference in a new issue