test-helper/acl-migrate/README.md

# Access control checker 

This repo contains `prepare-*` and `check-*` scripts to verify migration of eACL
policies. 

`prepare-*` scripts must be invoked before update to create some buckets and
containers with variety of policies. 

`check-*` scripts must be invoked after
update to verify that expected access control behavior is intact.

`*-aws` scripts invoke AWS CLI to check S3 gateway behaviour.

`*-ffs` scripts invoke FrostFS CLI to check storage behaviour.

## Prerequisites

Make sure you have `aws` and `frostfs-cli` commands available.

Make sure S3 gateway is running with `kludge.acl_enabled: true` setting to
create buckets with extended ACLs.

To run these scripts create `env` file `cp env.example env`

### FILE
Path for a file with the size of a simple object.

```
FILE=./data/cat.jpg
```

### COMPLEXFILE
Path for a file with the size of a complex object that should be split during
put operation.

```
COMPLEXFILE=./data/70m
```

### S3ENDPOINT
S3 Gateway endpoint.

```
S3ENDPOINT=http://localhost:8084
```

### S3PROF
Profile name with AWS credentials for content owner

```
$ aws configure --profile main

S3PROF=main
```

### S3PROFEXT

Profile name with AWS credentials for other user without specific permissions.

```
$ aws configure --profile ext

S3PROFEXT=ext
```

### S3PREFIX
Bucket prefix for all created containers. Modify between consecutive runs. 

```
S3PREFIX=av01
```

### S3KEY
Object name stored in buckets.

```
S3KEY=some/object
```

### FFSCONF
Path to FrostFS CLI config file with content owner credentials

```
FFSCONF=./data/ffs-cli.yaml
```

### FFSCONFEXT
Path to FrostFS CLI config file with other user without specific permissions.

```
FFSCONFEXT=./data/ffs-cli-ext.yaml
```

### PLACEMENT
Policy for FrostFS containers

```
PLACEMENT="REP 1"
```

### CHECKFILE
Path to file with state between `prepare-ffs.sh` and `chech-ffs.sh` runs.

```
CHECKFILE=checkfile.txt
```

## Run

After configuring `env` file, run `prepare-*` scripts in any order. Make sure
to save logs as they can be useful for debugging.

```
$ ./prepare-aws.sh | tee prepare-aws.log
$ ./prepare-ffs.sh | tee prepare-aws.log
```

Then run check scripts after update. 
```
$ ./check-ffs.sh | tee check-ffs.log
$ ./check-aws.sh | tee check-aws.log
```

In case of any failures, scripts return non-zero exit code.
Initial commit 2024-07-16 17:47:56 +00:00			`# Access control checker`

			This repo contains `prepare-` and `check-` scripts to verify migration of eACL
			`policies.`

			`prepare-*` scripts must be invoked before update to create some buckets and
			`containers with variety of policies.`

			`check-*` scripts must be invoked after
			`update to verify that expected access control behavior is intact.`

			`*-aws` scripts invoke AWS CLI to check S3 gateway behaviour.

			`*-ffs` scripts invoke FrostFS CLI to check storage behaviour.

			`## Prerequisites`

			Make sure you have `aws` and `frostfs-cli` commands available.

Add a note on s3 gateway running setting 2024-07-16 18:05:25 +00:00			Make sure S3 gateway is running with `kludge.acl_enabled: true` setting to
			`create buckets with extended ACLs.`

Initial commit 2024-07-16 17:47:56 +00:00			To run these scripts create `env` file `cp env.example env`

			`### FILE`
			`Path for a file with the size of a simple object.`

			```
			`FILE=./data/cat.jpg`
			```

			`### COMPLEXFILE`
			`Path for a file with the size of a complex object that should be split during`
			`put operation.`

			```
			`COMPLEXFILE=./data/70m`
			```

			`### S3ENDPOINT`
			`S3 Gateway endpoint.`

			```
			`S3ENDPOINT=http://localhost:8084`
			```

			`### S3PROF`
			`Profile name with AWS credentials for content owner`

			```
			`$ aws configure --profile main`

			`S3PROF=main`
			```

			`### S3PROFEXT`

			`Profile name with AWS credentials for other user without specific permissions.`

			```
			`$ aws configure --profile ext`

			`S3PROFEXT=ext`
			```

			`### S3PREFIX`
			`Bucket prefix for all created containers. Modify between consecutive runs.`

			```
			`S3PREFIX=av01`
			```

			`### S3KEY`
			`Object name stored in buckets.`

			```
			`S3KEY=some/object`
			```

			`### FFSCONF`
			`Path to FrostFS CLI config file with content owner credentials`

			```
			`FFSCONF=./data/ffs-cli.yaml`
			```

			`### FFSCONFEXT`
			`Path to FrostFS CLI config file with other user without specific permissions.`

			```
			`FFSCONFEXT=./data/ffs-cli-ext.yaml`
			```

			`### PLACEMENT`
			`Policy for FrostFS containers`

			```
			`PLACEMENT="REP 1"`
			```

			`### CHECKFILE`
			Path to file with state between `prepare-ffs.sh` and `chech-ffs.sh` runs.

			```
			`CHECKFILE=checkfile.txt`
			```

			`## Run`

			After configuring `env` file, run `prepare-*` scripts in any order. Make sure
			`to save logs as they can be useful for debugging.`

			```
			`$ ./prepare-aws.sh \| tee prepare-aws.log`
			`$ ./prepare-ffs.sh \| tee prepare-aws.log`
			```

			`Then run check scripts after update.`
			```
			`$ ./check-ffs.sh \| tee check-ffs.log`
			`$ ./check-aws.sh \| tee check-aws.log`
			```

			`In case of any failures, scripts return non-zero exit code.`