124 lines
No EOL
2.3 KiB
Markdown
124 lines
No EOL
2.3 KiB
Markdown
# Access control checker
|
|
|
|
This repo contains `prepare-*` and `check-*` scripts to verify migration of eACL
|
|
policies.
|
|
|
|
`prepare-*` scripts must be invoked before update to create some buckets and
|
|
containers with variety of policies.
|
|
|
|
`check-*` scripts must be invoked after
|
|
update to verify that expected access control behavior is intact.
|
|
|
|
`*-aws` scripts invoke AWS CLI to check S3 gateway behaviour.
|
|
|
|
`*-ffs` scripts invoke FrostFS CLI to check storage behaviour.
|
|
|
|
## Prerequisites
|
|
|
|
Make sure you have `aws` and `frostfs-cli` commands available.
|
|
|
|
Make sure S3 gateway is running with `kludge.acl_enabled: true` setting to
|
|
create buckets with extended ACLs.
|
|
|
|
To run these scripts create `env` file `cp env.example env`
|
|
|
|
### FILE
|
|
Path for a file with the size of a simple object.
|
|
|
|
```
|
|
FILE=./data/cat.jpg
|
|
```
|
|
|
|
### COMPLEXFILE
|
|
Path for a file with the size of a complex object that should be split during
|
|
put operation.
|
|
|
|
```
|
|
COMPLEXFILE=./data/70m
|
|
```
|
|
|
|
### S3ENDPOINT
|
|
S3 Gateway endpoint.
|
|
|
|
```
|
|
S3ENDPOINT=http://localhost:8084
|
|
```
|
|
|
|
### S3PROF
|
|
Profile name with AWS credentials for content owner
|
|
|
|
```
|
|
$ aws configure --profile main
|
|
|
|
S3PROF=main
|
|
```
|
|
|
|
### S3PROFEXT
|
|
|
|
Profile name with AWS credentials for other user without specific permissions.
|
|
|
|
```
|
|
$ aws configure --profile ext
|
|
|
|
S3PROFEXT=ext
|
|
```
|
|
|
|
### S3PREFIX
|
|
Bucket prefix for all created containers. Modify between consecutive runs.
|
|
|
|
```
|
|
S3PREFIX=av01
|
|
```
|
|
|
|
### S3KEY
|
|
Object name stored in buckets.
|
|
|
|
```
|
|
S3KEY=some/object
|
|
```
|
|
|
|
### FFSCONF
|
|
Path to FrostFS CLI config file with content owner credentials
|
|
|
|
```
|
|
FFSCONF=./data/ffs-cli.yaml
|
|
```
|
|
|
|
### FFSCONFEXT
|
|
Path to FrostFS CLI config file with other user without specific permissions.
|
|
|
|
```
|
|
FFSCONFEXT=./data/ffs-cli-ext.yaml
|
|
```
|
|
|
|
### PLACEMENT
|
|
Policy for FrostFS containers
|
|
|
|
```
|
|
PLACEMENT="REP 1"
|
|
```
|
|
|
|
### CHECKFILE
|
|
Path to file with state between `prepare-ffs.sh` and `chech-ffs.sh` runs.
|
|
|
|
```
|
|
CHECKFILE=checkfile.txt
|
|
```
|
|
|
|
## Run
|
|
|
|
After configuring `env` file, run `prepare-*` scripts in any order. Make sure
|
|
to save logs as they can be useful for debugging.
|
|
|
|
```
|
|
$ ./prepare-aws.sh | tee prepare-aws.log
|
|
$ ./prepare-ffs.sh | tee prepare-aws.log
|
|
```
|
|
|
|
Then run check scripts after update.
|
|
```
|
|
$ ./check-ffs.sh | tee check-ffs.log
|
|
$ ./check-aws.sh | tee check-aws.log
|
|
```
|
|
|
|
In case of any failures, scripts return non-zero exit code. |