test-helper/acl-migrate/README.md

# Access control checker
This repo contains `prepare-*` and `check-*` scripts to verify migration of eACL
policies.
`prepare-*` scripts must be invoked before the update to create buckets and
containers with a variety of policies.
`check-*` scripts must be invoked after the update to verify that the expected
access control behavior is intact.
`*-aws` scripts invoke AWS CLI to check S3 gateway behaviour.
`*-ffs` scripts invoke FrostFS CLI to check storage behaviour.
## Prerequisites
Make sure you have `aws` and `frostfs-cli` commands available.
Make sure the S3 gateway is running with the `kludge.acl_enabled: true` setting
so that buckets can be created with extended ACLs.
To run these scripts, create an `env` file from the example
(`cp env.example env`) and set the variables described below.
### FILE
Path for a file with the size of a simple object.
```
FILE=./data/cat.jpg
```
### COMPLEXFILE
Path for a file with the size of a complex object that should be split during
put operation.
```
COMPLEXFILE=./data/70m
```
### S3ENDPOINT
S3 Gateway endpoint.
```
S3ENDPOINT=http://localhost:8084
```
### S3PROF
Profile name with AWS credentials for the content owner.
```
$ aws configure --profile main
S3PROF=main
```
### S3PROFEXT
Profile name with AWS credentials for other user without specific permissions.
```
$ aws configure --profile ext
S3PROFEXT=ext
```
### S3PREFIX
Bucket prefix for all created containers. Modify between consecutive runs.
```
S3PREFIX=av01
```
### S3KEY
Object name stored in buckets.
```
S3KEY=some/object
```
### FFSCONF
Path to the FrostFS CLI config file with the content owner's credentials.
```
FFSCONF=./data/ffs-cli.yaml
```
### FFSCONFEXT
Path to the FrostFS CLI config file for another user without specific permissions.
```
FFSCONFEXT=./data/ffs-cli-ext.yaml
```
### PLACEMENT
Placement policy for FrostFS containers.
```
PLACEMENT="REP 1"
```
### CHECKFILE
Path to the file that carries state between `prepare-ffs.sh` and `check-ffs.sh` runs.
```
CHECKFILE=checkfile.txt
```
## Run
After configuring the `env` file, run the `prepare-*` scripts in any order. Make
sure to save the logs, as they can be useful for debugging.
```
$ ./prepare-aws.sh | tee prepare-aws.log
$ ./prepare-ffs.sh | tee prepare-ffs.log
```
Then run the `check-*` scripts after the update.
```
$ ./check-ffs.sh | tee check-ffs.log
$ ./check-aws.sh | tee check-aws.log
```
In case of any failures, the scripts return a non-zero exit code.
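
When a script is piped through `tee`, the shell reports `tee`'s exit status rather than the script's, so an access control failure can go unnoticed in automation. The wrapper below is an added example, not part of this repo, that keeps both the log and the script's exit code; `run_logged` and `run_stage` are hypothetical helper names, and it assumes the `prepare-*`/`check-*` scripts are executable in the given directory.

```shell
#!/bin/sh
# Added example (not from this repo): save logs without losing exit codes.
# POSIX sh only, so it does not depend on bash's `set -o pipefail`.

# run_logged LOG CMD [ARGS...]
# Runs CMD, copies its stdout and stderr to LOG via tee, and returns
# CMD's own exit status instead of tee's.
run_logged() {
    _log=$1; shift
    _st=$(mktemp) || return 1
    # The left side of the pipe runs in a subshell, so the status is
    # handed back through a temporary file.
    { "$@" 2>&1; echo "$?" > "$_st"; } | tee "$_log"
    _rc=$(cat "$_st")
    rm -f "$_st"
    return "${_rc:-1}"
}

# run_stage DIR STAGE
# STAGE is "prepare" or "check". Runs DIR/STAGE-ffs.sh and DIR/STAGE-aws.sh,
# writes STAGE-ffs.log and STAGE-aws.log, and returns 1 if either failed.
run_stage() {
    _dir=$1; _stage=$2; _failed=0
    for _name in ffs aws; do
        if run_logged "${_stage}-${_name}.log" "${_dir}/${_stage}-${_name}.sh"; then
            echo "PASS ${_stage}-${_name}"
        else
            echo "FAIL ${_stage}-${_name} (see ${_stage}-${_name}.log)" >&2
            _failed=1
        fi
    done
    return "$_failed"
}

# Usage: sh run-stage.sh prepare   (before the update)
#        sh run-stage.sh check     (after the update)
if [ "${1:-}" = "prepare" ] || [ "${1:-}" = "check" ]; then
    run_stage . "$1"
fi
```

Both scripts of a stage always run, so one failing gateway check does not hide the result of the other.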