def cleanup_user_group(self, num_user, num_group): """Remove the daos acl user and group on host. Args: num_user (int): number of user to be cleaned. num_group (int): number of group name to be cleaned. """ user_prefix = self.params.get("user_prefix", "/run/pool_acl/*") for uid in range(num_user): username = user_prefix + "_tester_" + str(uid + 1) secTestBase.add_del_user(self.hostlist_clients, "userdel", username) for gid in range(num_group): groupname = user_prefix + "_testGrp_" + str(gid + 1) secTestBase.add_del_user(self.hostlist_clients, "groupdel", groupname)
def create_pool_acl(self, num_user, num_group, current_user_acl, acl_file): """Create pool get-acl file. Create the pool acl file with specified number of users and groups with random permission. Args: num_user (int): number of users to be created. num_group (int): number of groups to be created. current_user_acl (list): acl entries on current user to be created. acl_file (str): acl file to be created. Return: list: acl permission list on the acl_file. """ user_prefix = self.params.get("user_prefix", "/run/pool_acl/*") user_list = [] group_list = [] for uid in range(num_user): username = user_prefix + "_tester_" + str(uid + 1) new_user = "******" + username + "@:" + PERMISSIONS[uid % 4] secTestBase.add_del_user(self.hostlist_clients, "useradd", username) user_list.append(new_user) for gid in range(num_group): groupname = user_prefix + "_testGrp_" + str(gid + 1) new_group = "A:G:" + groupname + "@:" + PERMISSIONS[(gid + 2) % 4] secTestBase.add_del_user(self.hostlist_clients, "groupadd", groupname) group_list.append(new_group) permission_list = group_list + user_list + current_user_acl random.shuffle(permission_list) with open(acl_file, "w") as test_file: test_file.write("\n".join(permission_list)) return permission_list
def verify_pool_acl_prim_sec_groups(self, pool_acl_list, acl_file, uuid, svc): """Verify daos pool acl access. Verify access with primary and secondary groups access permission. Args: pool_acl_list (list): pool acl entry list. acl_file (str): acl file to be used. uuid (str): daos pool uuid. svc (int): daos pool svc. Return: None. """ sec_group = self.params.get("secondary_group_name", "/run/pool_acl/*") sec_group_perm = self.params.get("sg_permission", "/run/pool_acl/*") sec_group_rw = self.params.get("sg_read_write", "/run/pool_acl/*") user_gid = os.getegid() current_group = grp.getgrgid(user_gid)[0] primary_grp_perm = self.params.get( "pg_permission", "/run/pool_acl/primary_secondary_group_test/*")[0] sec_group = self.params.get( "secondary_group_name", "/run/pool_acl/primary_secondary_group_test/*") sec_group_perm = self.params.get( "sg_permission", "/run/pool_acl/primary_secondary_group_test/*") sec_group_rw = self.params.get( "sg_read_write", "/run/pool_acl/primary_secondary_group_test/*") l_group = grp.getgrgid(os.getegid())[0] for group in sec_group: secTestBase.add_del_user(self.hostlist_clients, "groupadd", group) cmd = "usermod -G " + ",".join(sec_group) self.log.info(" (8-1)verify_pool_acl_prim_sec_groups, cmd= %s", cmd) secTestBase.add_del_user(self.hostlist_clients, cmd, l_group) self.log.info( " (8-2)Before update sec_group permission, pool_acl_list= %s", pool_acl_list) for group, permission in zip(sec_group, sec_group_perm): if permission == "none": permission = "" n_acl = secTestBase.acl_entry("group", group, permission, PERMISSIONS) pool_acl_list.append(n_acl) self.log.info( " (8-3)After update sec_group permission, pool_acl_list= %s", pool_acl_list) self.log.info(" pool acl_file= %s", acl_file) secTestBase.create_acl_file(acl_file, pool_acl_list) # modify primary-group permission for secondary-group test grp_entry = secTestBase.acl_entry("group", current_group, primary_grp_perm, PERMISSIONS) new_grp_entry = secTestBase.acl_entry("group", current_group, "", PERMISSIONS) self.modify_acl_file_entry(acl_file, grp_entry, new_grp_entry) # dmg pool overwrite-acl --pool <uuid> --acl-file <file> result = self.dmg.pool_overwrite_acl(uuid, acl_file) self.log.info(" (8-4)dmg= %s", self.dmg) self.log.info(" (8-5)dmg.run() result=\n %s", result) # Verify pool read operation # daos pool query --pool <uuid> self.log.info(" (8-6)Verify pool read by: daos pool query --pool") exp_read = sec_group_rw[0] self.verify_pool_readwrite(svc, uuid, "read", expect=exp_read) # Verify pool write operation # daos container create --pool <uuid> self.log.info( " (8-7)Verify pool write by: daos container create pool") exp_write = sec_group_rw[1] self.verify_pool_readwrite(svc, uuid, "write", expect=exp_write) for group in sec_group: secTestBase.add_del_user(self.hostlist_clients, "groupdel", group)
def test_io_sys_admin(self): """ Test Description: Performs tests to generate large data sets over various middleware, perform various system admin operations, datamover operations. :avocado: tags=all,deployment,full_regression :avocado: tags=hw,large :avocado: tags=datamover,ior,mdtest :avocado: tags=iosysadmin """ # local param new_test_user = self.params.get("new_user", "/run/container_acl/*") new_test_group = self.params.get("new_group", "/run/container_acl/*") dmg = self.get_dmg_command() daos = self.get_daos_command() secTestBase.add_del_user(self.hostlist_clients, "useradd", new_test_user) secTestBase.add_del_user(self.hostlist_clients, "groupadd", new_test_group) for idx in range(1, 4): self.add_pool_qty(1, namespace="/run/pool_{}/".format(idx), create=False) PoolTestBase.check_pool_creation(self, 60) self.pool[-1].connect() for cont_idx in range(1, 4): self.add_container_qty( 1, self.pool[-1], namespace="/run/container_{}/".format(cont_idx)) daos.container_set_owner(self.pool[-1].uuid, self.container[-1].uuid, new_test_user, new_test_group) daos.container_list(self.pool[-1].uuid) self.destroy_containers(self.container) self.container = None self.destroy_pools(self.pool) self.pool = None # dmg storage scan dmg.storage_scan() dmg.system_query() dmg.system_leader_query() # write large data sets self.run_file_count() # create snapshot self.container[-1].create_snap() # overwrite the last ior file self.ior_cmd.signature.update('456') self.run_ior_with_pool(create_pool=False, create_cont=False) nvme_free_space_before_snap_destroy = self.get_free_space()[1] # delete snapshot self.container[-1].destroy_snap(epc=self.container[-1].epoch) # Now check if the space is returned back. counter = 1 returned_space = (self.get_free_space()[1] - nvme_free_space_before_snap_destroy) data_written = (int(self.ppn) * human_to_bytes(self.ior_cmd.block_size.value)) while returned_space < int(data_written): # try to wait for 4 x 60 secs for aggregation to be completed or # else exit the test with a failure. if counter > 4: self.log.info("Free space before snapshot destroy: %s", nvme_free_space_before_snap_destroy) self.log.info("Free space when test terminated: %s", self.get_free_space()[1]) self.fail("Aggregation did not complete as expected") time.sleep(60) returned_space = (self.get_free_space()[1] - nvme_free_space_before_snap_destroy) counter += 1 self.log.info("#####Starting FS_COPY Test") self.run_dm_activities_with_ior("FS_COPY", pool=self.pool) self.log.info("#####Starting DCP Test") self.run_dm_activities_with_ior("DCP", pool=self.pool) self.log.info("#####Starting DSERIAL Test") self.run_dm_activities_with_ior("DSERIAL", pool=self.pool) self.log.info("#####Completed all Datamover tests") self.container.pop(0)
def test_container_user_acl(self): """ Description: DAOS-4838: Verify container user security with ACL. DAOS-4390: Test daos_cont_set_owner DAOS-4839: Verify container group user with ACL. DAOS-4840: Verify container user and group access with ACL grant/remove modification. DAOS-4841: Verify container ACL works when servers not sync with client compute hosts. Test container 5 users enforcement order: (defined on test.yaml) OWNER: container owner assigned with the permissions. user: container user assigned with the permissions. user-group: container user-group assigned with the permissions. GROUP: container group assigned with the permissions. EVERYONE: everyone assigned with the permissions. Test container user acl permissions: w - set_container_attribute or data r - get_container_attribute or data T - set_container_property t - get_container_property a - get_container_acl_list A - update_container_acl o - set_container_owner d - destroy_container Steps: (1)Setup (2)Create pool and container with acl (3)Verify container permissions rw, rw-attribute (4)Verify container permissions tT, rw-property (5)Verify container permissions aA, rw-acl (6)Verify container permission o, set-owner (7)Verify container permission d, delete (8)Cleanup :avocado: tags=all,full_regression,security,container_acl, :avocado: tags=cont_user_sec,cont_group_sec,cont_sec """ #(1)Setup self.log.info("(1)==>Setup container user acl test.") cont_permission, expect_read, expect_write = self.params.get( "perm_expect", "/run/container_acl/permissions/*") new_test_user = self.params.get("new_user", "/run/container_acl/*") new_test_group = self.params.get("new_group", "/run/container_acl/*") attribute_name, attribute_value = self.params.get( "attribute", "/run/container_acl/*") property_name, property_value = self.params.get( "property", "/run/container_acl/*") secTestBase.add_del_user( self.hostlist_clients, "useradd", new_test_user) secTestBase.add_del_user( self.hostlist_clients, "groupadd", new_test_group) acl_file_name = os.path.join( self.tmp, self.params.get( "acl_file_name", "/run/container_acl/*", "cont_test_acl.txt")) test_user = self.params.get( "testuser", "/run/container_acl/daos_user/*") test_user_type = secTestBase.get_user_type(test_user) base_acl_entries = self.get_base_acl_entries(test_user) if test_user == "user": test_user = self.current_user if test_user == "group": test_user = self.current_group self.log.info( "==>(1.1)Start testing container acl on user: %s", test_user) #(2)Create pool and container with acl self.log.info("(2)==>Create a pool and a container with acl\n" " base_acl_entries= %s\n", base_acl_entries) self.pool_uuid = self.create_pool_with_dmg() secTestBase.create_acl_file(acl_file_name, base_acl_entries) self.container_uuid = self.create_container_with_daos( self.pool, None, acl_file_name) #(3)Verify container permissions rw, rw-attribute permission_type = "attribute" self.log.info("(3)==>Verify container permission %s", permission_type) self.update_container_acl( secTestBase.acl_entry(test_user_type, test_user, "rw")) self.verify_cont_rw_attribute( "write", "pass", attribute_name, attribute_value) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info( "(3.1)Verify container_attribute: write, expect: %s", expect_write) self.verify_cont_rw_attribute( "write", expect_write, attribute_name, attribute_value) self.log.info( "(3.2)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_attribute("read", expect_read, attribute_name) #(4)Verify container permissions tT rw-property permission_type = "property" self.log.info("(4)==>Verify container permission tT, rw-property") self.log.info( "(4.1)Update container-acl %s, %s, permission_type: %s with %s", test_user_type, test_user, permission_type, cont_permission) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info( "(4.2)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_property("read", expect_read) self.log.info( "(4.3)Verify container_attribute: write, expect: %s", expect_write) self.verify_cont_rw_property( "write", expect_write, property_name, property_value) self.log.info( "(4.4)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_property("read", expect_read) #(5)Verify container permissions aA, rw-acl permission_type = "acl" self.log.info("(5)==>Verify container permission aA, rw-acl ") self.log.info( "(5.1)Update container-acl %s, %s, permission_type: %s with %s", test_user_type, test_user, permission_type, cont_permission) expect = "pass" #User who created the container has full acl access. self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info("(5.2)Verify container_acl: write, expect: %s", expect) self.verify_cont_rw_acl( "write", expect, secTestBase.acl_entry( test_user_type, test_user, cont_permission)) self.log.info("(5.3)Verify container_acl: read, expect: %s", expect) self.verify_cont_rw_acl("read", expect) #(6)Verify container permission o, set-owner self.log.info("(6)==>Verify container permission o, set-owner") permission_type = "ownership" expect = "deny" if "w" in cont_permission: expect = "pass" self.log.info( "(6.1)Update container-set ownership %s, %s, permission_type:" " %s with %s", test_user_type, test_user, permission_type, cont_permission) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info("(6.2)Verify container_ownership: write, expect: %s", expect) self.verify_cont_set_owner( expect, new_test_user+"@", new_test_group+"@") #Verify container permission A acl-write after set container # to a different owner. if cont_permission == "w": permission_type = "acl" expect = "deny" self.log.info("(6.3)Verify container_acl write after changed " "ownership: expect: %s", expect) self.verify_cont_rw_acl("write", expect, secTestBase.acl_entry( test_user_type, test_user, cont_permission)) #(7)Verify container permission d, delete self.log.info("(7)==>Verify cont-delete on container and pool" " with/without d permission.") permission_type = "delete" c_permission = "rwaAtTod" p_permission = "rctd" expect = "pass" if "r" not in cont_permission: #remove d from cont_permission c_permission = "rwaAtTo" if "w" not in cont_permission: #remove d from pool_permission p_permission = "rct" if cont_permission == "": expect = "deny" self.update_container_acl(secTestBase.acl_entry(test_user_type, test_user, c_permission)) self.update_pool_acl_entry(self.pool_uuid, "update", secTestBase.acl_entry("user", "OWNER", p_permission)) self.verify_cont_delete(expect) #(8)Cleanup secTestBase.add_del_user( self.hostlist_clients, "userdel", new_test_user) secTestBase.add_del_user( self.hostlist_clients, "groupdel", new_test_group)