Exemplo n.º 1
0
    def cleanup_user_group(self, num_user, num_group):
        """Remove the daos acl user and group on host.

        Args:
            num_user (int): number of user to be cleaned.
            num_group (int): number of group name to be cleaned.
        """
        user_prefix = self.params.get("user_prefix", "/run/pool_acl/*")
        for uid in range(num_user):
            username = user_prefix + "_tester_" + str(uid + 1)
            secTestBase.add_del_user(self.hostlist_clients, "userdel",
                                     username)
        for gid in range(num_group):
            groupname = user_prefix + "_testGrp_" + str(gid + 1)
            secTestBase.add_del_user(self.hostlist_clients, "groupdel",
                                     groupname)
Exemplo n.º 2
0
    def create_pool_acl(self, num_user, num_group, current_user_acl, acl_file):
        """Create pool get-acl file.

        Create the pool acl file with specified number of users and groups with
        random permission.

        Args:
            num_user (int):  number of users to be created.
            num_group (int): number of groups to be created.
            current_user_acl (list): acl entries on current user to be created.
            acl_file (str): acl file to be created.

        Return:
            list: acl permission list on the acl_file.

        """
        user_prefix = self.params.get("user_prefix", "/run/pool_acl/*")
        user_list = []
        group_list = []
        for uid in range(num_user):
            username = user_prefix + "_tester_" + str(uid + 1)
            new_user = "******" + username + "@:" + PERMISSIONS[uid % 4]
            secTestBase.add_del_user(self.hostlist_clients, "useradd",
                                     username)
            user_list.append(new_user)
        for gid in range(num_group):
            groupname = user_prefix + "_testGrp_" + str(gid + 1)
            new_group = "A:G:" + groupname + "@:" + PERMISSIONS[(gid + 2) % 4]
            secTestBase.add_del_user(self.hostlist_clients, "groupadd",
                                     groupname)
            group_list.append(new_group)
        permission_list = group_list + user_list + current_user_acl
        random.shuffle(permission_list)
        with open(acl_file, "w") as test_file:
            test_file.write("\n".join(permission_list))
        return permission_list
Exemplo n.º 3
0
    def verify_pool_acl_prim_sec_groups(self, pool_acl_list, acl_file, uuid,
                                        svc):
        """Verify daos pool acl access.

        Verify access with primary and secondary groups access permission.

        Args:
            pool_acl_list (list): pool acl entry list.
            acl_file (str): acl file to be used.
            uuid (str): daos pool uuid.
            svc (int):  daos pool svc.

        Return:
            None.

        """
        sec_group = self.params.get("secondary_group_name", "/run/pool_acl/*")
        sec_group_perm = self.params.get("sg_permission", "/run/pool_acl/*")
        sec_group_rw = self.params.get("sg_read_write", "/run/pool_acl/*")
        user_gid = os.getegid()
        current_group = grp.getgrgid(user_gid)[0]
        primary_grp_perm = self.params.get(
            "pg_permission", "/run/pool_acl/primary_secondary_group_test/*")[0]
        sec_group = self.params.get(
            "secondary_group_name",
            "/run/pool_acl/primary_secondary_group_test/*")
        sec_group_perm = self.params.get(
            "sg_permission", "/run/pool_acl/primary_secondary_group_test/*")
        sec_group_rw = self.params.get(
            "sg_read_write", "/run/pool_acl/primary_secondary_group_test/*")
        l_group = grp.getgrgid(os.getegid())[0]
        for group in sec_group:
            secTestBase.add_del_user(self.hostlist_clients, "groupadd", group)
        cmd = "usermod -G " + ",".join(sec_group)
        self.log.info("  (8-1)verify_pool_acl_prim_sec_groups, cmd= %s", cmd)
        secTestBase.add_del_user(self.hostlist_clients, cmd, l_group)

        self.log.info(
            "  (8-2)Before update sec_group permission, pool_acl_list= %s",
            pool_acl_list)
        for group, permission in zip(sec_group, sec_group_perm):
            if permission == "none":
                permission = ""
            n_acl = secTestBase.acl_entry("group", group, permission,
                                          PERMISSIONS)
            pool_acl_list.append(n_acl)

        self.log.info(
            "  (8-3)After update sec_group permission, pool_acl_list= %s",
            pool_acl_list)
        self.log.info("      pool acl_file= %s", acl_file)
        secTestBase.create_acl_file(acl_file, pool_acl_list)

        # modify primary-group permission for secondary-group test
        grp_entry = secTestBase.acl_entry("group", current_group,
                                          primary_grp_perm, PERMISSIONS)
        new_grp_entry = secTestBase.acl_entry("group", current_group, "",
                                              PERMISSIONS)
        self.modify_acl_file_entry(acl_file, grp_entry, new_grp_entry)

        # dmg pool overwrite-acl --pool <uuid> --acl-file <file>
        result = self.dmg.pool_overwrite_acl(uuid, acl_file)
        self.log.info("  (8-4)dmg= %s", self.dmg)
        self.log.info("  (8-5)dmg.run() result=\n %s", result)

        # Verify pool read operation
        # daos pool query --pool <uuid>
        self.log.info("  (8-6)Verify pool read by: daos pool query --pool")
        exp_read = sec_group_rw[0]
        self.verify_pool_readwrite(svc, uuid, "read", expect=exp_read)

        # Verify pool write operation
        # daos container create --pool <uuid>
        self.log.info(
            "  (8-7)Verify pool write by: daos container create pool")
        exp_write = sec_group_rw[1]
        self.verify_pool_readwrite(svc, uuid, "write", expect=exp_write)

        for group in sec_group:
            secTestBase.add_del_user(self.hostlist_clients, "groupdel", group)
Exemplo n.º 4
0
    def test_io_sys_admin(self):
        """
        Test Description: Performs tests to generate large data sets over
                          various middleware, perform various system admin
                          operations, datamover operations.
        :avocado: tags=all,deployment,full_regression
        :avocado: tags=hw,large
        :avocado: tags=datamover,ior,mdtest
        :avocado: tags=iosysadmin
        """
        # local param
        new_test_user = self.params.get("new_user", "/run/container_acl/*")
        new_test_group = self.params.get("new_group", "/run/container_acl/*")

        dmg = self.get_dmg_command()
        daos = self.get_daos_command()

        secTestBase.add_del_user(self.hostlist_clients, "useradd",
                                 new_test_user)
        secTestBase.add_del_user(self.hostlist_clients, "groupadd",
                                 new_test_group)

        for idx in range(1, 4):
            self.add_pool_qty(1,
                              namespace="/run/pool_{}/".format(idx),
                              create=False)
            PoolTestBase.check_pool_creation(self, 60)
            self.pool[-1].connect()
            for cont_idx in range(1, 4):
                self.add_container_qty(
                    1,
                    self.pool[-1],
                    namespace="/run/container_{}/".format(cont_idx))
                daos.container_set_owner(self.pool[-1].uuid,
                                         self.container[-1].uuid,
                                         new_test_user, new_test_group)

            daos.container_list(self.pool[-1].uuid)
            self.destroy_containers(self.container)
            self.container = None
            self.destroy_pools(self.pool)
            self.pool = None

        # dmg storage scan
        dmg.storage_scan()
        dmg.system_query()
        dmg.system_leader_query()

        # write large data sets
        self.run_file_count()
        # create snapshot
        self.container[-1].create_snap()
        # overwrite the last ior file
        self.ior_cmd.signature.update('456')
        self.run_ior_with_pool(create_pool=False, create_cont=False)

        nvme_free_space_before_snap_destroy = self.get_free_space()[1]
        # delete snapshot
        self.container[-1].destroy_snap(epc=self.container[-1].epoch)
        # Now check if the space is returned back.
        counter = 1
        returned_space = (self.get_free_space()[1] -
                          nvme_free_space_before_snap_destroy)

        data_written = (int(self.ppn) *
                        human_to_bytes(self.ior_cmd.block_size.value))
        while returned_space < int(data_written):
            # try to wait for 4 x 60 secs for aggregation to be completed or
            # else exit the test with a failure.
            if counter > 4:
                self.log.info("Free space before snapshot destroy: %s",
                              nvme_free_space_before_snap_destroy)
                self.log.info("Free space when test terminated: %s",
                              self.get_free_space()[1])
                self.fail("Aggregation did not complete as expected")

            time.sleep(60)
            returned_space = (self.get_free_space()[1] -
                              nvme_free_space_before_snap_destroy)
            counter += 1

        self.log.info("#####Starting FS_COPY Test")
        self.run_dm_activities_with_ior("FS_COPY", pool=self.pool)
        self.log.info("#####Starting DCP Test")
        self.run_dm_activities_with_ior("DCP", pool=self.pool)
        self.log.info("#####Starting DSERIAL Test")
        self.run_dm_activities_with_ior("DSERIAL", pool=self.pool)
        self.log.info("#####Completed all Datamover tests")
        self.container.pop(0)
Exemplo n.º 5
0
    def test_container_user_acl(self):
        """
        Description:
            DAOS-4838: Verify container user security with ACL.
            DAOS-4390: Test daos_cont_set_owner
            DAOS-4839: Verify container group user with ACL.
            DAOS-4840: Verify container user and group access with
                       ACL grant/remove modification.
            DAOS-4841: Verify container ACL works when servers
                       not sync with client compute hosts.
        Test container 5 users enforcement order:
            (defined on test.yaml)
            OWNER: container owner assigned with the permissions.
            user:  container user assigned with the permissions.
            user-group: container user-group assigned with the permissions.
            GROUP: container group assigned with the permissions.
            EVERYONE: everyone assigned with the permissions.
        Test container user acl permissions:
            w  - set_container_attribute or data
            r  - get_container_attribute or data
            T  - set_container_property
            t  - get_container_property
            a  - get_container_acl_list
            A  - update_container_acl
            o  - set_container_owner
            d  - destroy_container
        Steps:
            (1)Setup
            (2)Create pool and container with acl
            (3)Verify container permissions rw, rw-attribute
            (4)Verify container permissions tT, rw-property
            (5)Verify container permissions aA, rw-acl
            (6)Verify container permission o, set-owner
            (7)Verify container permission d, delete
            (8)Cleanup

        :avocado: tags=all,full_regression,security,container_acl,
        :avocado: tags=cont_user_sec,cont_group_sec,cont_sec
        """

        #(1)Setup
        self.log.info("(1)==>Setup container user acl test.")
        cont_permission, expect_read, expect_write = self.params.get(
            "perm_expect", "/run/container_acl/permissions/*")
        new_test_user = self.params.get("new_user", "/run/container_acl/*")
        new_test_group = self.params.get("new_group", "/run/container_acl/*")
        attribute_name, attribute_value = self.params.get(
            "attribute", "/run/container_acl/*")
        property_name, property_value = self.params.get(
            "property", "/run/container_acl/*")
        secTestBase.add_del_user(
            self.hostlist_clients, "useradd", new_test_user)
        secTestBase.add_del_user(
            self.hostlist_clients, "groupadd", new_test_group)
        acl_file_name = os.path.join(
            self.tmp, self.params.get(
                "acl_file_name", "/run/container_acl/*", "cont_test_acl.txt"))
        test_user = self.params.get(
            "testuser", "/run/container_acl/daos_user/*")
        test_user_type = secTestBase.get_user_type(test_user)
        base_acl_entries = self.get_base_acl_entries(test_user)
        if test_user == "user":
            test_user = self.current_user
        if test_user == "group":
            test_user = self.current_group
        self.log.info(
            "==>(1.1)Start testing container acl on user: %s", test_user)

        #(2)Create pool and container with acl
        self.log.info("(2)==>Create a pool and a container with acl\n"
                      "   base_acl_entries= %s\n", base_acl_entries)
        self.pool_uuid = self.create_pool_with_dmg()
        secTestBase.create_acl_file(acl_file_name, base_acl_entries)
        self.container_uuid = self.create_container_with_daos(
            self.pool, None, acl_file_name)

        #(3)Verify container permissions rw, rw-attribute
        permission_type = "attribute"
        self.log.info("(3)==>Verify container permission %s", permission_type)

        self.update_container_acl(
            secTestBase.acl_entry(test_user_type, test_user, "rw"))
        self.verify_cont_rw_attribute(
            "write", "pass", attribute_name, attribute_value)
        self.setup_container_acl_and_permission(
            test_user_type, test_user, permission_type, cont_permission)
        self.log.info(
            "(3.1)Verify container_attribute: write, expect: %s", expect_write)
        self.verify_cont_rw_attribute(
            "write", expect_write, attribute_name, attribute_value)
        self.log.info(
            "(3.2)Verify container_attribute: read, expect: %s", expect_read)
        self.verify_cont_rw_attribute("read", expect_read, attribute_name)

        #(4)Verify container permissions tT rw-property
        permission_type = "property"
        self.log.info("(4)==>Verify container permission tT, rw-property")
        self.log.info(
            "(4.1)Update container-acl %s, %s, permission_type: %s with %s",
            test_user_type, test_user, permission_type, cont_permission)
        self.setup_container_acl_and_permission(
            test_user_type, test_user, permission_type, cont_permission)
        self.log.info(
            "(4.2)Verify container_attribute: read, expect: %s", expect_read)
        self.verify_cont_rw_property("read", expect_read)
        self.log.info(
            "(4.3)Verify container_attribute: write, expect: %s", expect_write)
        self.verify_cont_rw_property(
            "write", expect_write, property_name, property_value)
        self.log.info(
            "(4.4)Verify container_attribute: read, expect: %s", expect_read)
        self.verify_cont_rw_property("read", expect_read)

        #(5)Verify container permissions aA, rw-acl
        permission_type = "acl"
        self.log.info("(5)==>Verify container permission aA, rw-acl ")
        self.log.info(
            "(5.1)Update container-acl %s, %s, permission_type: %s with %s",
            test_user_type, test_user, permission_type, cont_permission)
        expect = "pass"  #User who created the container has full acl access.
        self.setup_container_acl_and_permission(
            test_user_type, test_user, permission_type, cont_permission)
        self.log.info("(5.2)Verify container_acl: write, expect: %s", expect)
        self.verify_cont_rw_acl(
            "write", expect, secTestBase.acl_entry(
                test_user_type, test_user, cont_permission))
        self.log.info("(5.3)Verify container_acl: read, expect: %s", expect)
        self.verify_cont_rw_acl("read", expect)

        #(6)Verify container permission o, set-owner
        self.log.info("(6)==>Verify container permission o, set-owner")
        permission_type = "ownership"
        expect = "deny"
        if "w" in cont_permission:
            expect = "pass"
        self.log.info(
            "(6.1)Update container-set ownership %s, %s, permission_type:"
            " %s with %s", test_user_type, test_user, permission_type,
            cont_permission)
        self.setup_container_acl_and_permission(
            test_user_type, test_user, permission_type, cont_permission)
        self.log.info("(6.2)Verify container_ownership: write, expect: %s",
                      expect)
        self.verify_cont_set_owner(
            expect, new_test_user+"@", new_test_group+"@")

        #Verify container permission A acl-write after set container
        #  to a different owner.
        if cont_permission == "w":
            permission_type = "acl"
            expect = "deny"
            self.log.info("(6.3)Verify container_acl write after changed "
                          "ownership: expect: %s", expect)
            self.verify_cont_rw_acl("write", expect,
                                    secTestBase.acl_entry(
                                        test_user_type, test_user,
                                        cont_permission))

        #(7)Verify container permission d, delete
        self.log.info("(7)==>Verify cont-delete on container and pool"
                      " with/without d permission.")
        permission_type = "delete"
        c_permission = "rwaAtTod"
        p_permission = "rctd"
        expect = "pass"
        if "r" not in cont_permission:  #remove d from cont_permission
            c_permission = "rwaAtTo"
        if "w" not in cont_permission:  #remove d from pool_permission
            p_permission = "rct"
        if cont_permission == "":
            expect = "deny"
        self.update_container_acl(secTestBase.acl_entry(test_user_type,
                                                        test_user,
                                                        c_permission))
        self.update_pool_acl_entry(self.pool_uuid,
                                   "update",
                                   secTestBase.acl_entry("user",
                                                         "OWNER",
                                                         p_permission))
        self.verify_cont_delete(expect)

        #(8)Cleanup
        secTestBase.add_del_user(
            self.hostlist_clients, "userdel", new_test_user)
        secTestBase.add_del_user(
            self.hostlist_clients, "groupdel", new_test_group)