def test_mcg_namespace_lifecycle_crd(
self,
mcg_obj,
cld_mgr,
awscli_pod,
bucket_factory,
test_directory_setup,
bucketclass_dict,
):
"""
Test MCG namespace resource/bucket lifecycle using CRDs
1. Create namespace resources with CRDs
2. Create namespace bucket with CRDs
3. Set bucket policy on namespace bucket with a S3 user principal
4. Verify bucket policy.
5. Read/write directly on namespace resource target.
6. Edit the namespace bucket
7. Delete namespace resource and bucket
"""
data = "Sample string content to write to a S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
if (constants.RGW_PLATFORM in bucketclass_dict["namespace_policy_dict"]
["namespacestore_dict"]):
s3_creds = {
"access_key_id": cld_mgr.rgw_client.access_key,
"access_key": cld_mgr.rgw_client.secret_key,
"endpoint": cld_mgr.rgw_client.endpoint,
}
else:
s3_creds = {
"access_key_id": cld_mgr.aws_client.access_key,
"access_key": cld_mgr.aws_client.secret_key,
"endpoint": constants.MCG_NS_AWS_ENDPOINT,
"region": config.ENV_DATA["region"],
}
# Noobaa s3 account details
user_name = "noobaa-user" + str(uuid.uuid4().hex)
email = user_name + "@mail.com"
# Create the namespace resource and bucket
ns_bucket = bucket_factory(
amount=1,
interface=bucketclass_dict["interface"],
bucketclass=bucketclass_dict,
)[0]
aws_target_bucket = ns_bucket.bucketclass.namespacestores[0].uls_name
logger.info(f"Namespace bucket: {ns_bucket.name} created")
# Noobaa S3 account
user = NoobaaAccount(mcg_obj,
name=user_name,
email=email,
buckets=[ns_bucket.name])
logger.info(f"Noobaa account: {user.email_id} with S3 access created")
bucket_policy_generated = gen_bucket_policy(
user_list=[user.email_id],
actions_list=["DeleteObject"],
effect="Deny",
resources_list=[f'{ns_bucket.name}/{"*"}'],
)
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f"Creating bucket policy on bucket: {ns_bucket.name} with wildcard (*) Principal"
)
put_policy = put_bucket_policy(mcg_obj, ns_bucket.name, bucket_policy)
logger.info(f"Put bucket policy response from Admin: {put_policy}")
# Getting Policy
logger.info(f"Getting bucket policy on bucket: {ns_bucket.name}")
get_policy = get_bucket_policy(mcg_obj, ns_bucket.name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# MCG admin writes an object to bucket
logger.info(f"Writing object on bucket: {ns_bucket.name} by admin")
assert s3_put_object(mcg_obj, ns_bucket.name, object_key,
data), "Failed: PutObject"
# Verifying whether Get & Put object is allowed to S3 user
logger.info(f"Get object action on namespace bucket: {ns_bucket.name}"
f" with user: {user.email_id}")
assert s3_get_object(user, ns_bucket.name,
object_key), "Failed: GetObject"
logger.info(f"Put object action on namespace bucket: {ns_bucket.name}"
f" with user: {user.email_id}")
assert s3_put_object(user, ns_bucket.name, object_key,
data), "Failed: PutObject"
# Verifying whether Delete object action is denied
logger.info(f"Verifying whether user: {user.email_id} "
f"is denied to Delete object after updating policy")
try:
s3_delete_object(user, ns_bucket.name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error["Code"] == "AccessDenied":
logger.info("Delete object action has been denied access")
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code "
f"{response.error['Code']}")
else:
assert (
False
), "Delete object operation was granted access, when it should have denied"
logger.info(
"Setting up test files for upload, to the bucket/resources")
setup_base_objects(awscli_pod,
test_directory_setup.origin_dir,
amount=3)
# Upload files directly to NS resources
logger.info(
f"Uploading objects directly to ns resource target: {aws_target_bucket}"
)
sync_object_directory(
awscli_pod,
src=test_directory_setup.origin_dir,
target=f"s3://{aws_target_bucket}",
signed_request_creds=s3_creds,
)
# Read files directly from NS resources
logger.info(
f"Downloading objects directly from ns resource target: {aws_target_bucket}"
)
sync_object_directory(
awscli_pod,
src=f"s3://{aws_target_bucket}",
target=test_directory_setup.result_dir,
signed_request_creds=s3_creds,
)
# Edit namespace bucket
logger.info(f"Editing the namespace resource bucket: {ns_bucket.name}")
namespace_bucket_update(
mcg_obj,
bucket_name=ns_bucket.name,
read_resource=[aws_target_bucket],
write_resource=aws_target_bucket,
)
# Verify Download after editing bucket
logger.info(
f"Downloading objects directly from ns bucket target: {ns_bucket.name}"
)
sync_object_directory(
awscli_pod,
src=f"s3://{ns_bucket.name}",
target=test_directory_setup.result_dir,
s3_obj=mcg_obj,
)
# MCG namespace bucket delete
logger.info(
f"Deleting all objects on namespace resource bucket: {ns_bucket.name}"
)
rm_object_recursive(awscli_pod, ns_bucket.name, mcg_obj)
# Namespace resource delete
logger.info(f"Deleting the resource: {aws_target_bucket}")
mcg_obj.delete_ns_resource(ns_resource_name=aws_target_bucket)
def test_mcg_namespace_disruptions_crd(
self,
mcg_obj,
cld_mgr,
awscli_pod,
bucketclass_dict,
bucket_factory,
node_drain_teardown,
):
"""
Test MCG namespace disruption flow
1. Create NS resources with CRDs
2. Create NS bucket with CRDs
3. Upload to NS bucket
4. Delete noobaa related pods and verify integrity of objects
5. Create public access policy on NS bucket and verify Get op
6. Drain nodes containing noobaa pods and verify integrity of objects
7. Perform put operation to validate public access denial
7. Edit/verify and remove objects on NS bucket
"""
data = "Sample string content to write to a S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
awscli_node_name = awscli_pod.get()["spec"]["nodeName"]
aws_s3_creds = {
"access_key_id": cld_mgr.aws_client.access_key,
"access_key": cld_mgr.aws_client.secret_key,
"endpoint": constants.MCG_NS_AWS_ENDPOINT,
"region": config.ENV_DATA["region"],
}
# S3 account details
user_name = "nb-user" + str(uuid.uuid4().hex)
email = user_name + "@mail.com"
logger.info("Setting up test files for upload, to the bucket/resources")
setup_base_objects(awscli_pod, MCG_NS_ORIGINAL_DIR, MCG_NS_RESULT_DIR, amount=3)
# Create the namespace resource and verify health
ns_buc = bucket_factory(
amount=1,
interface=bucketclass_dict["interface"],
bucketclass=bucketclass_dict,
)[0]
ns_bucket = ns_buc.name
aws_target_bucket = ns_buc.bucketclass.namespacestores[0].uls_name
logger.info(f"Namespace bucket: {ns_bucket} created")
logger.info(f"Uploading objects to ns bucket: {ns_bucket}")
sync_object_directory(
awscli_pod,
src=MCG_NS_ORIGINAL_DIR,
target=f"s3://{ns_bucket}",
s3_obj=mcg_obj,
)
for pod_to_respin in self.labels_map:
logger.info(f"Re-spinning mcg resource: {self.labels_map[pod_to_respin]}")
pod_obj = pod.Pod(
**pod.get_pods_having_label(
label=self.labels_map[pod_to_respin],
namespace=defaults.ROOK_CLUSTER_NAMESPACE,
)[0]
)
pod_obj.delete(force=True)
assert pod_obj.ocp.wait_for_resource(
condition=constants.STATUS_RUNNING,
selector=self.labels_map[pod_to_respin],
resource_count=1,
timeout=300,
)
logger.info(
f"Downloading objects from ns bucket: {ns_bucket} "
f"after re-spinning: {self.labels_map[pod_to_respin]}"
)
sync_object_directory(
awscli_pod,
src=f"s3://{ns_bucket}",
target=MCG_NS_RESULT_DIR,
s3_obj=mcg_obj,
)
logger.info(
f"Verifying integrity of objects "
f"after re-spinning: {self.labels_map[pod_to_respin]}"
)
compare_directory(
awscli_pod, MCG_NS_ORIGINAL_DIR, MCG_NS_RESULT_DIR, amount=3
)
# S3 account
user = NoobaaAccount(mcg_obj, name=user_name, email=email, buckets=[ns_bucket])
logger.info(f"Noobaa account: {user.email_id} with S3 access created")
# Admin sets Public access policy(*)
bucket_policy_generated = gen_bucket_policy(
user_list=["*"],
actions_list=["GetObject"],
resources_list=[f'{ns_bucket}/{"*"}'],
)
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f"Creating bucket policy on bucket: {ns_bucket} with wildcard (*) Principal"
)
put_policy = put_bucket_policy(mcg_obj, ns_bucket, bucket_policy)
logger.info(f"Put bucket policy response from Admin: {put_policy}")
logger.info(f"Getting bucket policy on bucket: {ns_bucket}")
get_policy = get_bucket_policy(mcg_obj, ns_bucket)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# MCG admin writes an object to bucket
logger.info(f"Writing object on bucket: {ns_bucket} by admin")
assert s3_put_object(mcg_obj, ns_bucket, object_key, data), "Failed: PutObject"
# Verifying whether Get operation is allowed to any S3 user
logger.info(
f"Get object action on namespace bucket: {ns_bucket} "
f"with user: {user.email_id}"
)
assert s3_get_object(user, ns_bucket, object_key), "Failed: GetObject"
# Upload files to NS target
logger.info(
f"Uploading objects directly to ns resource target: {aws_target_bucket}"
)
sync_object_directory(
awscli_pod,
src=MCG_NS_ORIGINAL_DIR,
target=f"s3://{aws_target_bucket}",
signed_request_creds=aws_s3_creds,
)
for pod_to_drain in self.labels_map:
pod_obj = pod.Pod(
**pod.get_pods_having_label(
label=self.labels_map[pod_to_drain],
namespace=defaults.ROOK_CLUSTER_NAMESPACE,
)[0]
)
# Retrieve the node name on which the pod resides
node_name = pod_obj.get()["spec"]["nodeName"]
if awscli_node_name == node_name:
logger.info(
f"Skipping node drain since aws cli pod node: "
f"{awscli_node_name} is same as {pod_to_drain} "
f"pod node: {node_name}"
)
continue
# Drain the node
drain_nodes([node_name])
wait_for_nodes_status(
[node_name], status=constants.NODE_READY_SCHEDULING_DISABLED
)
schedule_nodes([node_name])
wait_for_nodes_status(timeout=300)
# Retrieve the new pod
pod_obj = pod.Pod(
**pod.get_pods_having_label(
label=self.labels_map[pod_to_drain],
namespace=defaults.ROOK_CLUSTER_NAMESPACE,
)[0]
)
wait_for_resource_state(pod_obj, constants.STATUS_RUNNING, timeout=120)
# Verify all storage pods are running
wait_for_storage_pods()
logger.info(
f"Downloading objects from ns bucket: {ns_bucket} "
f"after draining node: {node_name} with pod {pod_to_drain}"
)
sync_object_directory(
awscli_pod,
src=f"s3://{ns_bucket}",
target=MCG_NS_RESULT_DIR,
s3_obj=mcg_obj,
)
logger.info(
f"Verifying integrity of objects "
f"after draining node with pod: {pod_to_drain}"
)
compare_directory(
awscli_pod, MCG_NS_ORIGINAL_DIR, MCG_NS_RESULT_DIR, amount=3
)
logger.info(f"Editing the namespace resource bucket: {ns_bucket}")
namespace_bucket_update(
mcg_obj,
bucket_name=ns_bucket,
read_resource=[aws_target_bucket],
write_resource=aws_target_bucket,
)
logger.info(f"Verifying object download after edit on ns bucket: {ns_bucket}")
sync_object_directory(
awscli_pod,
src=f"s3://{ns_bucket}",
target=MCG_NS_RESULT_DIR,
s3_obj=mcg_obj,
)
# Verifying whether Put object action is denied
logger.info(
f"Verifying whether user: {user.email_id} has only public read access"
)
logger.info(f"Removing objects from ns bucket: {ns_bucket}")
rm_object_recursive(awscli_pod, target=ns_bucket, mcg_obj=mcg_obj)