Access control checker
This repo contains prepare-* and check-* scripts to verify migration of eACL policies.
prepare-* scripts must be invoked before the update to create some buckets and containers with a variety of policies.
check-* scripts must be invoked after the update to verify that the expected access control behavior is intact.
*-aws scripts invoke AWS CLI to check S3 gateway behaviour.
*-ffs scripts invoke FrostFS CLI to check storage behaviour.
Prerequisites
Make sure you have the aws and frostfs-cli commands available.
Make sure the S3 gateway is running with the kludge.acl_enabled: true setting to create buckets with extended ACLs.
To run these scripts, create an env file:
$ cp env.example env
FILE
Path for a file with the size of a simple object.
FILE=./data/cat.jpg
COMPLEXFILE
Path for a file with the size of a complex object that should be split during put operation.
COMPLEXFILE=./data/70m
S3ENDPOINT
S3 Gateway endpoint.
S3ENDPOINT=http://localhost:8084
S3PROF
Profile name with AWS credentials for the content owner.
$ aws configure --profile main
S3PROF=main
S3PROFEXT
Profile name with AWS credentials for another user without specific permissions.
$ aws configure --profile ext
S3PROFEXT=ext
S3PREFIX
Bucket prefix for all created containers. Modify between consecutive runs.
S3PREFIX=av01
S3KEY
Object name stored in buckets.
S3KEY=some/object
FFSCONF
Path to the FrostFS CLI config file with content owner credentials.
FFSCONF=./data/ffs-cli.yaml
FFSCONFEXT
Path to the FrostFS CLI config file for another user without specific permissions.
FFSCONFEXT=./data/ffs-cli-ext.yaml
PLACEMENT
Placement policy for FrostFS containers.
PLACEMENT="REP 1"
CHECKFILE
Path to the file with state kept between prepare-ffs.sh and check-ffs.sh runs.
CHECKFILE=checkfile.txt
Run
After configuring the env file, run prepare-* scripts in any order. Make sure to save logs as they can be useful for debugging.
$ ./prepare-aws.sh | tee prepare-aws.log
$ ./prepare-ffs.sh | tee prepare-ffs.log
Then run the check scripts after the update.
$ ./check-ffs.sh | tee check-ffs.log
$ ./check-aws.sh | tee check-aws.log
In case of any failures, the scripts return a non-zero exit code.
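When a script is piped into tee as above, the shell reports tee's exit status, so a failed access control check can still look like success to a caller or CI job. The wrapper below is an added example, not part of this repo; run_logged and run_all are hypothetical helper names, and it assumes only a POSIX shell with mktemp and tee.

```shell
#!/bin/sh
# Added example (not from the repo): keep the log AND the script's own
# exit status, which a plain "script | tee log" pipeline discards.

# run_logged LOGFILE CMD [ARGS...]
# Runs CMD, copies stdout+stderr to LOGFILE and the terminal,
# and returns CMD's exit status instead of tee's.
run_logged() {
    rl_log=$1; shift
    rl_file=$(mktemp) || return 1
    {
        st=0
        "$@" 2>&1 || st=$?          # capture status without tripping set -e
        echo "$st" > "$rl_file"     # hand it out of the pipeline subshell
    } | tee "$rl_log"
    rl_status=$(cat "$rl_file" 2>/dev/null)
    rm -f "$rl_file"
    return "${rl_status:-1}"        # no recorded status counts as failure
}

# run_all CMD...
# Runs every check even if an earlier one fails, writes <name>.log for
# each, and returns 1 if any check reported a failure.
run_all() {
    ra_failed=0
    for ra_cmd in "$@"; do
        ra_name=$(basename "$ra_cmd" .sh)
        ra_rc=0
        run_logged "$ra_name.log" "$ra_cmd" || ra_rc=$?
        if [ "$ra_rc" -eq 0 ]; then
            echo "PASS $ra_name"
        else
            echo "FAIL $ra_name (exit $ra_rc, see $ra_name.log)"
            ra_failed=1
        fi
    done
    return "$ra_failed"
}

# Usage after the update (script names as in this README):
#   run_all ./check-ffs.sh ./check-aws.sh || echo "access control regression"
```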