Access control checker

This repo contains prepare-* and check-* scripts to verify migration of eACL policies.

prepare-* scripts must be invoked before the update to create some buckets and containers with a variety of policies.

check-* scripts must be invoked after the update to verify that the expected access control behavior is intact.

*-aws scripts invoke AWS CLI to check S3 gateway behaviour.

*-ffs scripts invoke FrostFS CLI to check storage behaviour.

Prerequisites

Make sure you have the aws and frostfs-cli commands available.

Make sure the S3 gateway is running with the kludge.acl_enabled: true setting so that buckets can be created with extended ACLs.

To run these scripts, create an env file:

$ cp env.example env

FILE

Path for a file with the size of a simple object.

FILE=./data/cat.jpg

COMPLEXFILE

Path for a file with the size of a complex object that should be split during put operation.

COMPLEXFILE=./data/70m

S3ENDPOINT

S3 Gateway endpoint.

S3ENDPOINT=http://localhost:8084

S3PROF

Profile name with AWS credentials for the content owner.

$ aws configure --profile main

S3PROF=main

S3PROFEXT

Profile name with AWS credentials for another user without specific permissions.

$ aws configure --profile ext

S3PROFEXT=ext

S3PREFIX

Bucket prefix for all created containers. Modify between consecutive runs.

S3PREFIX=av01

S3KEY

Object name stored in buckets.

S3KEY=some/object

FFSCONF

Path to the FrostFS CLI config file with the content owner's credentials.

FFSCONF=./data/ffs-cli.yaml

FFSCONFEXT

Path to the FrostFS CLI config file with the credentials of another user without specific permissions.

FFSCONFEXT=./data/ffs-cli-ext.yaml

PLACEMENT

Placement policy for FrostFS containers.

PLACEMENT="REP 1"

CHECKFILE

Path to the file that holds state between the prepare-ffs.sh and check-ffs.sh runs.

CHECKFILE=checkfile.txt

Run

After configuring the env file, run the prepare-* scripts in any order. Make sure to save the logs, as they can be useful for debugging.

$ ./prepare-aws.sh | tee prepare-aws.log
$ ./prepare-ffs.sh | tee prepare-ffs.log

Then run the check scripts after the update.

$ ./check-ffs.sh | tee check-ffs.log
$ ./check-aws.sh | tee check-aws.log

In case of any failures, the scripts return a non-zero exit code.
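
When a script is piped into tee as shown above, the shell reports the exit status of tee, not of the script, so a failed access control check can go unnoticed by CI or a calling script. The wrapper below is an added example, not part of this repository; run_logged and run_all are hypothetical helper names. It keeps the log and still returns the status of the script itself.

```shell
#!/bin/sh
# Added example (not from the repository): log a script's output with tee
# while preserving the script's own exit status.

# run_logged LOGFILE COMMAND [ARGS...]
# Copies stdout and stderr of COMMAND to LOGFILE and returns COMMAND's status.
run_logged() {
    log=$1; shift
    status_file=$(mktemp) || return 2
    {
        rc=0
        "$@" 2>&1 || rc=$?          # capture the status before tee hides it
        echo "$rc" > "$status_file"
    } | tee "$log"
    rc=$(cat "$status_file")
    rm -f "$status_file"
    return "$rc"
}

# run_all SCRIPT...
# Runs every script (each logged to <name>.log) and does not stop at the
# first failure; returns 1 if any script failed, 0 otherwise.
run_all() {
    failed=0
    for script in "$@"; do
        name=$(basename "$script" .sh)
        if ! run_logged "$name.log" "$script"; then
            echo "FAILED: $script (see $name.log)" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage after the update:
#   run_all ./check-ffs.sh ./check-aws.sh || exit 1
```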