def test_update_invalid_acl(self):
"""JIRA ID: DAOS-3711
Test Description: Test that container update command performs as
expected with invalid values within ACL file.
:avocado: tags=all,pr,security,container_acl,cont_update_invalid_acl
"""
invalid_file_content = self.params.get("invalid_acl_file_content",
"/run/*")
path_to_file = os.path.join(self.tmp, self.acl_filename)
# Disable raising an exception if the daos command fails
self.daos_cmd.exit_status_exception = False
test_errs = []
for content in invalid_file_content:
create_acl_file(path_to_file, content)
# Run update command
self.daos_cmd.container_update_acl(self.pool.uuid,
self.pool.svc_ranks[0],
self.container.uuid,
path_to_file)
test_errs.extend(self.error_handling(self.daos_cmd.result,
"-1003"))
# Check that the acl file was unchanged
self.acl_file_diff(self.cont_acl)
if test_errs:
self.fail("container update-acl command expected to fail: \
{}".format("\n".join(test_errs)))
def test_overwrite_valid_acl_file(self):
"""
JIRA ID: DAOS-3708
Test Description: Test that container overwrite command performs as
expected with valid ACL file provided.
:avocado: tags=all,daily_regression,security,container_acl
:avocado: tags=cont_overwrite_acl_file
"""
valid_file_acl = self.params.get("valid_acl_file", "/run/*")
path_to_file = os.path.join(self.tmp, self.acl_filename)
# Disable raising an exception if the daos command fails
self.daos_cmd.exit_status_exception = False
# Run overwrite command, test will fail if command fails.
for content in valid_file_acl:
create_acl_file(path_to_file, content)
self.daos_cmd.container_overwrite_acl(self.pool.uuid,
self.container.uuid,
path_to_file)
# Check that the acl file was unchanged
self.acl_file_diff(content)
def test_no_user_permissions(self):
"""
JIRA ID: DAOS-3708
Test Description: Test that container overwrite command fails with
no permission -1001 when user doesn't have the right permissions.
:avocado: tags=all,pr,security,container_acl,cont_overwrite_acl_noperms
"""
acl_filename = "test_acl_file.txt"
valid_file_content = self.params.get("valid_acl_file", "/run/*")
path_to_file = os.path.join(self.tmp, acl_filename)
# Let's give access to the pool to the root user
self.get_dmg_command().pool_update_acl(self.pool.uuid,
entry="A::EVERYONE@:rw")
# The root user shouldn't have access to deleting container ACL entries
self.daos_cmd.sudo = True
# Disable raising an exception if the daos command fails
self.daos_cmd.exit_status_exception = False
# Let's check that we can't run as root (or other user) and overwrite
# entries if no permissions are set for that user.
test_errs = []
for content in valid_file_content:
create_acl_file(path_to_file, content)
self.daos_cmd.container_overwrite_acl(self.pool.uuid,
self.pool.svc_ranks[0],
self.container.uuid,
path_to_file)
test_errs.extend(self.error_handling(self.daos_cmd.result,
"-1001"))
# Check that the acl was unchanged.
post_test_acls = self.get_container_acl_list(
self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid)
if not self.compare_acl_lists(self.cont_acl, post_test_acls):
self.fail("Previous ACL:\n{} Post command ACL:{}".format(
self.cont_acl, post_test_acls))
if test_errs:
self.fail("container overwrite-acl command expected to fail: \
{}".format("\n".join(test_errs)))
def test_no_user_permissions(self):
"""
JIRA ID: DAOS-3711
Test Description: Test that container update command fails with
no permission -1001 when user doesn't have the right permissions.
:avocado: tags=all,daily_regression,security,container_acl
:avocado: tags=cont_update_acl_noperms
"""
valid_file_content = self.params.get("valid_acl_file", "/run/*")
path_to_file = os.path.join(self.tmp, self.acl_filename)
# Let's give access to the pool to the root user
self.get_dmg_command().pool_update_acl(self.pool.uuid,
entry="A::EVERYONE@:rw")
# The root user shouldn't have access to updating container ACL entries
self.daos_cmd.sudo = True
# Disable raising an exception if the daos command fails
self.daos_cmd.exit_status_exception = False
# Let's check that we can't run as root (or other user) and update
# entries if no permissions are set for that user.
test_errs = []
for content in valid_file_content:
create_acl_file(path_to_file, content)
self.daos_cmd.container_update_acl(self.pool.uuid,
self.container.uuid,
path_to_file)
test_errs.extend(self.error_handling(self.daos_cmd.result,
"-1001"))
# Check that the acl file was unchanged
self.acl_file_diff(self.cont_acl)
if test_errs:
self.fail("container update-acl command expected to fail: \
{}".format("\n".join(test_errs)))
def test_update_acl_file(self):
"""
JIRA ID: DAOS-3711
Test Description: Test that container update command performs as
expected when adding an ACL file that contains principals that are
currently in the ACL.
:avocado: tags=all,pr,security,container_acl,cont_update_acl
"""
path_to_file = os.path.join(self.tmp, self.acl_filename)
# Create acl file to use for update
ace_to_add = ["A:G:my_great_test@:rw", "A::my_new_principal@:rwTao"]
create_acl_file(path_to_file, self.cont_acl + ace_to_add)
# Run update command
self.daos_cmd.container_update_acl(self.pool.uuid,
self.pool.svc_ranks[0],
self.container.uuid,
acl_file=path_to_file)
# Verify that the entry added did not affect any other entry
self.acl_file_diff(self.cont_acl + ace_to_add)
# Let's add a file with existing principals and verify overridden values
ace_to_add_2 = ["A:G:my_great_test@:rwd", "A::my_new_principal@:rw"]
create_acl_file(path_to_file, ace_to_add_2)
# Run update command
self.daos_cmd.container_update_acl(self.pool.uuid,
self.pool.svc_ranks[0],
self.container.uuid,
acl_file=path_to_file)
# Verify that the ACL file is now composed of the updated ACEs
self.acl_file_diff(self.cont_acl + ace_to_add_2)
# Lastly, let's add a file that contains only new principals
ace_to_add_3 = ["A:G:new_new_principal@:rwd", "A::last_one@:rw"]
create_acl_file(path_to_file, ace_to_add_3)
# Run update command
self.daos_cmd.container_update_acl(self.pool.uuid,
self.pool.svc_ranks[0],
self.container.uuid,
acl_file=path_to_file)
# Verify that the ACL file is now composed of the updated ACEs
self.acl_file_diff(self.cont_acl + ace_to_add_2 + ace_to_add_3)
def verify_pool_acl_prim_sec_groups(self, pool_acl_list, acl_file, uuid,
svc):
"""Verify daos pool acl access.
Verify access with primary and secondary groups access permission.
Args:
pool_acl_list (list): pool acl entry list.
acl_file (str): acl file to be used.
uuid (str): daos pool uuid.
svc (int): daos pool svc.
Return:
None.
"""
sec_group = self.params.get("secondary_group_name", "/run/pool_acl/*")
sec_group_perm = self.params.get("sg_permission", "/run/pool_acl/*")
sec_group_rw = self.params.get("sg_read_write", "/run/pool_acl/*")
user_gid = os.getegid()
current_group = grp.getgrgid(user_gid)[0]
primary_grp_perm = self.params.get(
"pg_permission", "/run/pool_acl/primary_secondary_group_test/*")[0]
sec_group = self.params.get(
"secondary_group_name",
"/run/pool_acl/primary_secondary_group_test/*")
sec_group_perm = self.params.get(
"sg_permission", "/run/pool_acl/primary_secondary_group_test/*")
sec_group_rw = self.params.get(
"sg_read_write", "/run/pool_acl/primary_secondary_group_test/*")
l_group = grp.getgrgid(os.getegid())[0]
for group in sec_group:
secTestBase.add_del_user(self.hostlist_clients, "groupadd", group)
cmd = "usermod -G " + ",".join(sec_group)
self.log.info(" (8-1)verify_pool_acl_prim_sec_groups, cmd= %s", cmd)
secTestBase.add_del_user(self.hostlist_clients, cmd, l_group)
self.log.info(
" (8-2)Before update sec_group permission, pool_acl_list= %s",
pool_acl_list)
for group, permission in zip(sec_group, sec_group_perm):
if permission == "none":
permission = ""
n_acl = secTestBase.acl_entry("group", group, permission,
PERMISSIONS)
pool_acl_list.append(n_acl)
self.log.info(
" (8-3)After update sec_group permission, pool_acl_list= %s",
pool_acl_list)
self.log.info(" pool acl_file= %s", acl_file)
secTestBase.create_acl_file(acl_file, pool_acl_list)
# modify primary-group permission for secondary-group test
grp_entry = secTestBase.acl_entry("group", current_group,
primary_grp_perm, PERMISSIONS)
new_grp_entry = secTestBase.acl_entry("group", current_group, "",
PERMISSIONS)
self.modify_acl_file_entry(acl_file, grp_entry, new_grp_entry)
# dmg pool overwrite-acl --pool <uuid> --acl-file <file>
result = self.dmg.pool_overwrite_acl(uuid, acl_file)
self.log.info(" (8-4)dmg= %s", self.dmg)
self.log.info(" (8-5)dmg.run() result=\n %s", result)
# Verify pool read operation
# daos pool query --pool <uuid>
self.log.info(" (8-6)Verify pool read by: daos pool query --pool")
exp_read = sec_group_rw[0]
self.verify_pool_readwrite(svc, uuid, "read", expect=exp_read)
# Verify pool write operation
# daos container create --pool <uuid>
self.log.info(
" (8-7)Verify pool write by: daos container create pool")
exp_write = sec_group_rw[1]
self.verify_pool_readwrite(svc, uuid, "write", expect=exp_write)
for group in sec_group:
secTestBase.add_del_user(self.hostlist_clients, "groupdel", group)
def test_container_user_acl(self):
"""
Description:
DAOS-4838: Verify container user security with ACL.
DAOS-4390: Test daos_cont_set_owner
DAOS-4839: Verify container group user with ACL.
DAOS-4840: Verify container user and group access with
ACL grant/remove modification.
DAOS-4841: Verify container ACL works when servers
not sync with client compute hosts.
Test container 5 users enforcement order:
(defined on test.yaml)
OWNER: container owner assigned with the permissions.
user: container user assigned with the permissions.
user-group: container user-group assigned with the permissions.
GROUP: container group assigned with the permissions.
EVERYONE: everyone assigned with the permissions.
Test container user acl permissions:
w - set_container_attribute or data
r - get_container_attribute or data
T - set_container_property
t - get_container_property
a - get_container_acl_list
A - update_container_acl
o - set_container_owner
d - destroy_container
Steps:
(1)Setup
(2)Create pool and container with acl
(3)Verify container permissions rw, rw-attribute
(4)Verify container permissions tT, rw-property
(5)Verify container permissions aA, rw-acl
(6)Verify container permission o, set-owner
(7)Verify container permission d, delete
(8)Cleanup
:avocado: tags=all,full_regression,security,container_acl,
:avocado: tags=cont_user_sec,cont_group_sec,cont_sec
"""
#(1)Setup
self.log.info("(1)==>Setup container user acl test.")
cont_permission, expect_read, expect_write = self.params.get(
"perm_expect", "/run/container_acl/permissions/*")
new_test_user = self.params.get("new_user", "/run/container_acl/*")
new_test_group = self.params.get("new_group", "/run/container_acl/*")
attribute_name, attribute_value = self.params.get(
"attribute", "/run/container_acl/*")
property_name, property_value = self.params.get(
"property", "/run/container_acl/*")
secTestBase.add_del_user(
self.hostlist_clients, "useradd", new_test_user)
secTestBase.add_del_user(
self.hostlist_clients, "groupadd", new_test_group)
acl_file_name = os.path.join(
self.tmp, self.params.get(
"acl_file_name", "/run/container_acl/*", "cont_test_acl.txt"))
test_user = self.params.get(
"testuser", "/run/container_acl/daos_user/*")
test_user_type = secTestBase.get_user_type(test_user)
base_acl_entries = self.get_base_acl_entries(test_user)
if test_user == "user":
test_user = self.current_user
if test_user == "group":
test_user = self.current_group
self.log.info(
"==>(1.1)Start testing container acl on user: %s", test_user)
#(2)Create pool and container with acl
self.log.info("(2)==>Create a pool and a container with acl\n"
" base_acl_entries= %s\n", base_acl_entries)
self.pool_uuid = self.create_pool_with_dmg()
secTestBase.create_acl_file(acl_file_name, base_acl_entries)
self.container_uuid = self.create_container_with_daos(
self.pool, None, acl_file_name)
#(3)Verify container permissions rw, rw-attribute
permission_type = "attribute"
self.log.info("(3)==>Verify container permission %s", permission_type)
self.update_container_acl(
secTestBase.acl_entry(test_user_type, test_user, "rw"))
self.verify_cont_rw_attribute(
"write", "pass", attribute_name, attribute_value)
self.setup_container_acl_and_permission(
test_user_type, test_user, permission_type, cont_permission)
self.log.info(
"(3.1)Verify container_attribute: write, expect: %s", expect_write)
self.verify_cont_rw_attribute(
"write", expect_write, attribute_name, attribute_value)
self.log.info(
"(3.2)Verify container_attribute: read, expect: %s", expect_read)
self.verify_cont_rw_attribute("read", expect_read, attribute_name)
#(4)Verify container permissions tT rw-property
permission_type = "property"
self.log.info("(4)==>Verify container permission tT, rw-property")
self.log.info(
"(4.1)Update container-acl %s, %s, permission_type: %s with %s",
test_user_type, test_user, permission_type, cont_permission)
self.setup_container_acl_and_permission(
test_user_type, test_user, permission_type, cont_permission)
self.log.info(
"(4.2)Verify container_attribute: read, expect: %s", expect_read)
self.verify_cont_rw_property("read", expect_read)
self.log.info(
"(4.3)Verify container_attribute: write, expect: %s", expect_write)
self.verify_cont_rw_property(
"write", expect_write, property_name, property_value)
self.log.info(
"(4.4)Verify container_attribute: read, expect: %s", expect_read)
self.verify_cont_rw_property("read", expect_read)
#(5)Verify container permissions aA, rw-acl
permission_type = "acl"
self.log.info("(5)==>Verify container permission aA, rw-acl ")
self.log.info(
"(5.1)Update container-acl %s, %s, permission_type: %s with %s",
test_user_type, test_user, permission_type, cont_permission)
expect = "pass" #User who created the container has full acl access.
self.setup_container_acl_and_permission(
test_user_type, test_user, permission_type, cont_permission)
self.log.info("(5.2)Verify container_acl: write, expect: %s", expect)
self.verify_cont_rw_acl(
"write", expect, secTestBase.acl_entry(
test_user_type, test_user, cont_permission))
self.log.info("(5.3)Verify container_acl: read, expect: %s", expect)
self.verify_cont_rw_acl("read", expect)
#(6)Verify container permission o, set-owner
self.log.info("(6)==>Verify container permission o, set-owner")
permission_type = "ownership"
expect = "deny"
if "w" in cont_permission:
expect = "pass"
self.log.info(
"(6.1)Update container-set ownership %s, %s, permission_type:"
" %s with %s", test_user_type, test_user, permission_type,
cont_permission)
self.setup_container_acl_and_permission(
test_user_type, test_user, permission_type, cont_permission)
self.log.info("(6.2)Verify container_ownership: write, expect: %s",
expect)
self.verify_cont_set_owner(
expect, new_test_user+"@", new_test_group+"@")
#Verify container permission A acl-write after set container
# to a different owner.
if cont_permission == "w":
permission_type = "acl"
expect = "deny"
self.log.info("(6.3)Verify container_acl write after changed "
"ownership: expect: %s", expect)
self.verify_cont_rw_acl("write", expect,
secTestBase.acl_entry(
test_user_type, test_user,
cont_permission))
#(7)Verify container permission d, delete
self.log.info("(7)==>Verify cont-delete on container and pool"
" with/without d permission.")
permission_type = "delete"
c_permission = "rwaAtTod"
p_permission = "rctd"
expect = "pass"
if "r" not in cont_permission: #remove d from cont_permission
c_permission = "rwaAtTo"
if "w" not in cont_permission: #remove d from pool_permission
p_permission = "rct"
if cont_permission == "":
expect = "deny"
self.update_container_acl(secTestBase.acl_entry(test_user_type,
test_user,
c_permission))
self.update_pool_acl_entry(self.pool_uuid,
"update",
secTestBase.acl_entry("user",
"OWNER",
p_permission))
self.verify_cont_delete(expect)
#(8)Cleanup
secTestBase.add_del_user(
self.hostlist_clients, "userdel", new_test_user)
secTestBase.add_del_user(
self.hostlist_clients, "groupdel", new_test_group)
