Change s3 auth func

Signed-off-by: Dmitriy Zayakin <d.zayakin@yadro.com>
This commit is contained in:
Dmitriy Zayakin 2023-06-21 13:02:16 +03:00
parent c0f63e3783
commit fcde457bf4
2 changed files with 37 additions and 37 deletions

View file

@ -8,17 +8,20 @@ from typing import Optional
from dateutil.parser import parse from dateutil.parser import parse
from frostfs_testlib.cli import FrostfsAuthmate
from frostfs_testlib.reporter import get_reporter from frostfs_testlib.reporter import get_reporter
from frostfs_testlib.resources.cli import FROSTFS_AUTHMATE_EXEC from frostfs_testlib.resources.cli import FROSTFS_AUTHMATE_EXEC
from frostfs_testlib.resources.common import CREDENTIALS_CREATE_TIMEOUT from frostfs_testlib.resources.common import CREDENTIALS_CREATE_TIMEOUT
from frostfs_testlib.s3 import S3ClientWrapper, VersioningStatus from frostfs_testlib.s3 import S3ClientWrapper, VersioningStatus
from frostfs_testlib.shell import Shell from frostfs_testlib.shell import CommandOptions, InteractiveInput, Shell
from frostfs_testlib.shell.interfaces import SshCredentials
from frostfs_testlib.steps.cli.container import ( from frostfs_testlib.steps.cli.container import (
search_container_by_name, search_container_by_name,
search_nodes_with_container, search_nodes_with_container,
) )
from frostfs_testlib.storage.cluster import Cluster, ClusterNode from frostfs_testlib.storage.cluster import Cluster, ClusterNode
from frostfs_testlib.storage.dataclasses.frostfs_services import S3Gate from frostfs_testlib.storage.dataclasses.frostfs_services import S3Gate
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
from frostfs_testlib.utils.cli_utils import _run_with_passwd from frostfs_testlib.utils.cli_utils import _run_with_passwd
reporter = get_reporter() reporter = get_reporter()
@ -183,48 +186,45 @@ def assert_s3_acl(acl_grants: list, permitted_users: str):
@reporter.step_deco("Init S3 Credentials") @reporter.step_deco("Init S3 Credentials")
def init_s3_credentials( def init_s3_credentials(
wallet_path: str, wallet: WalletInfo,
shell: Shell,
cluster: Cluster, cluster: Cluster,
s3_bearer_rules_file: str, s3_bearer_rules_file: str,
policy: Optional[dict] = None, policy: Optional[dict] = None,
s3gates: Optional[list[S3Gate]] = None,
): ):
gate_public_keys = []
bucket = str(uuid.uuid4()) bucket = str(uuid.uuid4())
if not s3gates:
s3gate_node = cluster.services(S3Gate)[0] s3gates = [cluster.s3_gates[0]]
gate_public_key = s3gate_node.get_wallet_public_key() for s3gate in s3gates:
cmd = ( gate_public_keys.append(s3gate.get_wallet_public_key())
f"{FROSTFS_AUTHMATE_EXEC} --debug --with-log --timeout {CREDENTIALS_CREATE_TIMEOUT} " frostfs_authmate_exec: FrostfsAuthmate = FrostfsAuthmate(shell, FROSTFS_AUTHMATE_EXEC)
f"issue-secret --wallet {wallet_path} --gate-public-key={gate_public_key} " issue_secret_output = frostfs_authmate_exec.secret.issue(
f"--peer {cluster.default_rpc_endpoint} --container-friendly-name {bucket} " wallet=wallet.path,
f"--bearer-rules {s3_bearer_rules_file}" peer=cluster.default_rpc_endpoint,
bearer_rules=s3_bearer_rules_file,
gate_public_key=gate_public_keys,
wallet_password=wallet.password,
container_policy=policy,
container_friendly_name=bucket,
).stdout
aws_access_key_id = str(
re.search(r"access_key_id.*:\s.(?P<aws_access_key_id>\w*)", issue_secret_output).group(
"aws_access_key_id"
)
) )
if policy: aws_secret_access_key = str(
cmd += f" --container-policy {policy}'" re.search(
logger.info(f"Executing command: {cmd}") r"secret_access_key.*:\s.(?P<aws_secret_access_key>\w*)", issue_secret_output
).group("aws_secret_access_key")
try: )
output = _run_with_passwd(cmd) cid = str(
logger.info(f"Command completed with output: {output}") re.search(r"container_id.*:\s.(?P<container_id>\w*)", issue_secret_output).group(
"container_id"
# output contains some debug info and then several JSON structures, so we find each )
# JSON structure by curly brackets (naive approach, but works while JSON is not nested) )
# and then we take JSON containing secret_access_key return cid, aws_access_key_id, aws_secret_access_key
json_blocks = re.findall(r"\{.*?\}", output, re.DOTALL)
for json_block in json_blocks:
try:
parsed_json_block = json.loads(json_block)
if "secret_access_key" in parsed_json_block:
return (
parsed_json_block["container_id"],
parsed_json_block["access_key_id"],
parsed_json_block["secret_access_key"],
)
except json.JSONDecodeError:
raise AssertionError(f"Could not parse info from output\n{output}")
raise AssertionError(f"Could not find AWS credentials in output:\n{output}")
except Exception as exc:
raise RuntimeError(f"Failed to init s3 credentials because of error\n{exc}") from exc
@reporter.step_deco("Delete bucket with all objects") @reporter.step_deco("Delete bucket with all objects")