# Access control checker

This repo contains `prepare-*` and `check-*` scripts to verify migration of eACL policies.

`prepare-*` scripts must be invoked before the update to create buckets and containers with a variety of policies.

`check-*` scripts must be invoked after the update to verify that the expected access control behavior is intact.

`*-aws` scripts invoke AWS CLI to check S3 gateway behaviour.

`*-ffs` scripts invoke FrostFS CLI to check storage behaviour.

## Prerequisites

Make sure you have the `aws` and `frostfs-cli` commands available.

Make sure the S3 gateway is running with the `kludge.acl_enabled: true` setting so that buckets can be created with extended ACLs.

To run these scripts, create an `env` file:

```
$ cp env.example env
```

### FILE

Path to a file with the size of a simple object.

```
FILE=./data/cat.jpg
```

### COMPLEXFILE

Path to a file with the size of a complex object that should be split during the put operation.

```
COMPLEXFILE=./data/70m
```

### S3ENDPOINT

S3 Gateway endpoint.

```
S3ENDPOINT=http://localhost:8084
```

### S3PROF

Profile name with AWS credentials for the content owner.

```
$ aws configure --profile main
S3PROF=main
```

### S3PROFEXT

Profile name with AWS credentials for another user without specific permissions.

```
$ aws configure --profile ext
S3PROFEXT=ext
```

### S3PREFIX

Bucket prefix for all created containers. Modify between consecutive runs.

```
S3PREFIX=av01
```

### S3KEY

Object name stored in buckets.

```
S3KEY=some/object
```

### FFSCONF

Path to the FrostFS CLI config file with content owner credentials.

```
FFSCONF=./data/ffs-cli.yaml
```

### FFSCONFEXT

Path to the FrostFS CLI config file for another user without specific permissions.

```
FFSCONFEXT=./data/ffs-cli-ext.yaml
```

### PLACEMENT

Placement policy for FrostFS containers.

```
PLACEMENT="REP 1"
```

### CHECKFILE

Path to the file that holds state between `prepare-ffs.sh` and `check-ffs.sh` runs.

```
CHECKFILE=checkfile.txt
```

## Run

After configuring the `env` file, run the `prepare-*` scripts in any order.
Make sure to save the logs, as they can be useful for debugging.

```
$ ./prepare-aws.sh | tee prepare-aws.log
$ ./prepare-ffs.sh | tee prepare-ffs.log
```

Then run the check scripts after the update.

```
$ ./check-ffs.sh | tee check-ffs.log
$ ./check-aws.sh | tee check-aws.log
```

In case of any failures, the scripts return a non-zero exit code.
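
A pipeline such as `./check-ffs.sh | tee check-ffs.log` reports the exit status of `tee` unless the shell has `pipefail` set, so a failed access control check can look like success to a calling script or CI job. The following POSIX sh wrapper is an added example, not part of this repo: it keeps the log and returns the script's own exit code. The names `run_logged`, `run_stage`, `LOGDIR` and `SCRIPTDIR` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the repo.

# run_logged LOGFILE COMMAND [ARGS...]
# Mirror COMMAND's stdout and stderr to the terminal and to LOGFILE, then
# exit with COMMAND's own status. A named pipe replaces `cmd | tee`, so no
# pipeline is involved and tee's status cannot hide a failure.
# The body is a subshell, so its variables do not leak into the caller.
run_logged() (
    log=$1
    shift
    dir=$(mktemp -d) || exit 1
    fifo=$dir/out
    mkfifo "$fifo" || { rm -rf "$dir"; exit 1; }
    tee "$log" <"$fifo" &        # reader: copies the stream into the log
    tee_pid=$!
    "$@" >"$fifo" 2>&1           # writer: the script under test
    status=$?
    wait "$tee_pid"              # let tee flush before cleaning up
    rm -rf "$dir"
    exit "$status"
)

# run_stage NAME...
# Run SCRIPTDIR/NAME.sh for every NAME, logging to LOGDIR/NAME.log (both
# default to the current directory). Every script runs even if an earlier
# one failed; the return value is the number of failed scripts.
run_stage() {
    failed=0
    for name in "$@"; do
        if ! run_logged "${LOGDIR:-.}/$name.log" "${SCRIPTDIR:-.}/$name.sh"; then
            echo "FAILED: $name.sh (see $name.log)" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Before the update:  run_stage prepare-aws prepare-ffs
# After the update:   run_stage check-ffs check-aws || exit 1
```
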