def test_update_invalid_acl(self): """JIRA ID: DAOS-3711 Test Description: Test that container update command performs as expected with invalid values within ACL file. :avocado: tags=all,pr,security,container_acl,cont_update_invalid_acl """ invalid_file_content = self.params.get("invalid_acl_file_content", "/run/*") path_to_file = os.path.join(self.tmp, self.acl_filename) # Disable raising an exception if the daos command fails self.daos_cmd.exit_status_exception = False test_errs = [] for content in invalid_file_content: create_acl_file(path_to_file, content) # Run update command self.daos_cmd.container_update_acl(self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid, path_to_file) test_errs.extend(self.error_handling(self.daos_cmd.result, "-1003")) # Check that the acl file was unchanged self.acl_file_diff(self.cont_acl) if test_errs: self.fail("container update-acl command expected to fail: \ {}".format("\n".join(test_errs)))
def test_overwrite_valid_acl_file(self): """ JIRA ID: DAOS-3708 Test Description: Test that container overwrite command performs as expected with valid ACL file provided. :avocado: tags=all,daily_regression,security,container_acl :avocado: tags=cont_overwrite_acl_file """ valid_file_acl = self.params.get("valid_acl_file", "/run/*") path_to_file = os.path.join(self.tmp, self.acl_filename) # Disable raising an exception if the daos command fails self.daos_cmd.exit_status_exception = False # Run overwrite command, test will fail if command fails. for content in valid_file_acl: create_acl_file(path_to_file, content) self.daos_cmd.container_overwrite_acl(self.pool.uuid, self.container.uuid, path_to_file) # Check that the acl file was unchanged self.acl_file_diff(content)
def test_no_user_permissions(self): """ JIRA ID: DAOS-3708 Test Description: Test that container overwrite command fails with no permission -1001 when user doesn't have the right permissions. :avocado: tags=all,pr,security,container_acl,cont_overwrite_acl_noperms """ acl_filename = "test_acl_file.txt" valid_file_content = self.params.get("valid_acl_file", "/run/*") path_to_file = os.path.join(self.tmp, acl_filename) # Let's give access to the pool to the root user self.get_dmg_command().pool_update_acl(self.pool.uuid, entry="A::EVERYONE@:rw") # The root user shouldn't have access to deleting container ACL entries self.daos_cmd.sudo = True # Disable raising an exception if the daos command fails self.daos_cmd.exit_status_exception = False # Let's check that we can't run as root (or other user) and overwrite # entries if no permissions are set for that user. test_errs = [] for content in valid_file_content: create_acl_file(path_to_file, content) self.daos_cmd.container_overwrite_acl(self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid, path_to_file) test_errs.extend(self.error_handling(self.daos_cmd.result, "-1001")) # Check that the acl was unchanged. post_test_acls = self.get_container_acl_list( self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid) if not self.compare_acl_lists(self.cont_acl, post_test_acls): self.fail("Previous ACL:\n{} Post command ACL:{}".format( self.cont_acl, post_test_acls)) if test_errs: self.fail("container overwrite-acl command expected to fail: \ {}".format("\n".join(test_errs)))
def test_no_user_permissions(self): """ JIRA ID: DAOS-3711 Test Description: Test that container update command fails with no permission -1001 when user doesn't have the right permissions. :avocado: tags=all,daily_regression,security,container_acl :avocado: tags=cont_update_acl_noperms """ valid_file_content = self.params.get("valid_acl_file", "/run/*") path_to_file = os.path.join(self.tmp, self.acl_filename) # Let's give access to the pool to the root user self.get_dmg_command().pool_update_acl(self.pool.uuid, entry="A::EVERYONE@:rw") # The root user shouldn't have access to updating container ACL entries self.daos_cmd.sudo = True # Disable raising an exception if the daos command fails self.daos_cmd.exit_status_exception = False # Let's check that we can't run as root (or other user) and update # entries if no permissions are set for that user. test_errs = [] for content in valid_file_content: create_acl_file(path_to_file, content) self.daos_cmd.container_update_acl(self.pool.uuid, self.container.uuid, path_to_file) test_errs.extend(self.error_handling(self.daos_cmd.result, "-1001")) # Check that the acl file was unchanged self.acl_file_diff(self.cont_acl) if test_errs: self.fail("container update-acl command expected to fail: \ {}".format("\n".join(test_errs)))
def test_update_acl_file(self): """ JIRA ID: DAOS-3711 Test Description: Test that container update command performs as expected when adding an ACL file that contains principals that are currently in the ACL. :avocado: tags=all,pr,security,container_acl,cont_update_acl """ path_to_file = os.path.join(self.tmp, self.acl_filename) # Create acl file to use for update ace_to_add = ["A:G:my_great_test@:rw", "A::my_new_principal@:rwTao"] create_acl_file(path_to_file, self.cont_acl + ace_to_add) # Run update command self.daos_cmd.container_update_acl(self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid, acl_file=path_to_file) # Verify that the entry added did not affect any other entry self.acl_file_diff(self.cont_acl + ace_to_add) # Let's add a file with existing principals and verify overridden values ace_to_add_2 = ["A:G:my_great_test@:rwd", "A::my_new_principal@:rw"] create_acl_file(path_to_file, ace_to_add_2) # Run update command self.daos_cmd.container_update_acl(self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid, acl_file=path_to_file) # Verify that the ACL file is now composed of the updated ACEs self.acl_file_diff(self.cont_acl + ace_to_add_2) # Lastly, let's add a file that contains only new principals ace_to_add_3 = ["A:G:new_new_principal@:rwd", "A::last_one@:rw"] create_acl_file(path_to_file, ace_to_add_3) # Run update command self.daos_cmd.container_update_acl(self.pool.uuid, self.pool.svc_ranks[0], self.container.uuid, acl_file=path_to_file) # Verify that the ACL file is now composed of the updated ACEs self.acl_file_diff(self.cont_acl + ace_to_add_2 + ace_to_add_3)
def verify_pool_acl_prim_sec_groups(self, pool_acl_list, acl_file, uuid, svc): """Verify daos pool acl access. Verify access with primary and secondary groups access permission. Args: pool_acl_list (list): pool acl entry list. acl_file (str): acl file to be used. uuid (str): daos pool uuid. svc (int): daos pool svc. Return: None. """ sec_group = self.params.get("secondary_group_name", "/run/pool_acl/*") sec_group_perm = self.params.get("sg_permission", "/run/pool_acl/*") sec_group_rw = self.params.get("sg_read_write", "/run/pool_acl/*") user_gid = os.getegid() current_group = grp.getgrgid(user_gid)[0] primary_grp_perm = self.params.get( "pg_permission", "/run/pool_acl/primary_secondary_group_test/*")[0] sec_group = self.params.get( "secondary_group_name", "/run/pool_acl/primary_secondary_group_test/*") sec_group_perm = self.params.get( "sg_permission", "/run/pool_acl/primary_secondary_group_test/*") sec_group_rw = self.params.get( "sg_read_write", "/run/pool_acl/primary_secondary_group_test/*") l_group = grp.getgrgid(os.getegid())[0] for group in sec_group: secTestBase.add_del_user(self.hostlist_clients, "groupadd", group) cmd = "usermod -G " + ",".join(sec_group) self.log.info(" (8-1)verify_pool_acl_prim_sec_groups, cmd= %s", cmd) secTestBase.add_del_user(self.hostlist_clients, cmd, l_group) self.log.info( " (8-2)Before update sec_group permission, pool_acl_list= %s", pool_acl_list) for group, permission in zip(sec_group, sec_group_perm): if permission == "none": permission = "" n_acl = secTestBase.acl_entry("group", group, permission, PERMISSIONS) pool_acl_list.append(n_acl) self.log.info( " (8-3)After update sec_group permission, pool_acl_list= %s", pool_acl_list) self.log.info(" pool acl_file= %s", acl_file) secTestBase.create_acl_file(acl_file, pool_acl_list) # modify primary-group permission for secondary-group test grp_entry = secTestBase.acl_entry("group", current_group, primary_grp_perm, PERMISSIONS) new_grp_entry = secTestBase.acl_entry("group", current_group, "", PERMISSIONS) self.modify_acl_file_entry(acl_file, grp_entry, new_grp_entry) # dmg pool overwrite-acl --pool <uuid> --acl-file <file> result = self.dmg.pool_overwrite_acl(uuid, acl_file) self.log.info(" (8-4)dmg= %s", self.dmg) self.log.info(" (8-5)dmg.run() result=\n %s", result) # Verify pool read operation # daos pool query --pool <uuid> self.log.info(" (8-6)Verify pool read by: daos pool query --pool") exp_read = sec_group_rw[0] self.verify_pool_readwrite(svc, uuid, "read", expect=exp_read) # Verify pool write operation # daos container create --pool <uuid> self.log.info( " (8-7)Verify pool write by: daos container create pool") exp_write = sec_group_rw[1] self.verify_pool_readwrite(svc, uuid, "write", expect=exp_write) for group in sec_group: secTestBase.add_del_user(self.hostlist_clients, "groupdel", group)
def test_container_user_acl(self): """ Description: DAOS-4838: Verify container user security with ACL. DAOS-4390: Test daos_cont_set_owner DAOS-4839: Verify container group user with ACL. DAOS-4840: Verify container user and group access with ACL grant/remove modification. DAOS-4841: Verify container ACL works when servers not sync with client compute hosts. Test container 5 users enforcement order: (defined on test.yaml) OWNER: container owner assigned with the permissions. user: container user assigned with the permissions. user-group: container user-group assigned with the permissions. GROUP: container group assigned with the permissions. EVERYONE: everyone assigned with the permissions. Test container user acl permissions: w - set_container_attribute or data r - get_container_attribute or data T - set_container_property t - get_container_property a - get_container_acl_list A - update_container_acl o - set_container_owner d - destroy_container Steps: (1)Setup (2)Create pool and container with acl (3)Verify container permissions rw, rw-attribute (4)Verify container permissions tT, rw-property (5)Verify container permissions aA, rw-acl (6)Verify container permission o, set-owner (7)Verify container permission d, delete (8)Cleanup :avocado: tags=all,full_regression,security,container_acl, :avocado: tags=cont_user_sec,cont_group_sec,cont_sec """ #(1)Setup self.log.info("(1)==>Setup container user acl test.") cont_permission, expect_read, expect_write = self.params.get( "perm_expect", "/run/container_acl/permissions/*") new_test_user = self.params.get("new_user", "/run/container_acl/*") new_test_group = self.params.get("new_group", "/run/container_acl/*") attribute_name, attribute_value = self.params.get( "attribute", "/run/container_acl/*") property_name, property_value = self.params.get( "property", "/run/container_acl/*") secTestBase.add_del_user( self.hostlist_clients, "useradd", new_test_user) secTestBase.add_del_user( self.hostlist_clients, "groupadd", new_test_group) acl_file_name = os.path.join( self.tmp, self.params.get( "acl_file_name", "/run/container_acl/*", "cont_test_acl.txt")) test_user = self.params.get( "testuser", "/run/container_acl/daos_user/*") test_user_type = secTestBase.get_user_type(test_user) base_acl_entries = self.get_base_acl_entries(test_user) if test_user == "user": test_user = self.current_user if test_user == "group": test_user = self.current_group self.log.info( "==>(1.1)Start testing container acl on user: %s", test_user) #(2)Create pool and container with acl self.log.info("(2)==>Create a pool and a container with acl\n" " base_acl_entries= %s\n", base_acl_entries) self.pool_uuid = self.create_pool_with_dmg() secTestBase.create_acl_file(acl_file_name, base_acl_entries) self.container_uuid = self.create_container_with_daos( self.pool, None, acl_file_name) #(3)Verify container permissions rw, rw-attribute permission_type = "attribute" self.log.info("(3)==>Verify container permission %s", permission_type) self.update_container_acl( secTestBase.acl_entry(test_user_type, test_user, "rw")) self.verify_cont_rw_attribute( "write", "pass", attribute_name, attribute_value) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info( "(3.1)Verify container_attribute: write, expect: %s", expect_write) self.verify_cont_rw_attribute( "write", expect_write, attribute_name, attribute_value) self.log.info( "(3.2)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_attribute("read", expect_read, attribute_name) #(4)Verify container permissions tT rw-property permission_type = "property" self.log.info("(4)==>Verify container permission tT, rw-property") self.log.info( "(4.1)Update container-acl %s, %s, permission_type: %s with %s", test_user_type, test_user, permission_type, cont_permission) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info( "(4.2)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_property("read", expect_read) self.log.info( "(4.3)Verify container_attribute: write, expect: %s", expect_write) self.verify_cont_rw_property( "write", expect_write, property_name, property_value) self.log.info( "(4.4)Verify container_attribute: read, expect: %s", expect_read) self.verify_cont_rw_property("read", expect_read) #(5)Verify container permissions aA, rw-acl permission_type = "acl" self.log.info("(5)==>Verify container permission aA, rw-acl ") self.log.info( "(5.1)Update container-acl %s, %s, permission_type: %s with %s", test_user_type, test_user, permission_type, cont_permission) expect = "pass" #User who created the container has full acl access. self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info("(5.2)Verify container_acl: write, expect: %s", expect) self.verify_cont_rw_acl( "write", expect, secTestBase.acl_entry( test_user_type, test_user, cont_permission)) self.log.info("(5.3)Verify container_acl: read, expect: %s", expect) self.verify_cont_rw_acl("read", expect) #(6)Verify container permission o, set-owner self.log.info("(6)==>Verify container permission o, set-owner") permission_type = "ownership" expect = "deny" if "w" in cont_permission: expect = "pass" self.log.info( "(6.1)Update container-set ownership %s, %s, permission_type:" " %s with %s", test_user_type, test_user, permission_type, cont_permission) self.setup_container_acl_and_permission( test_user_type, test_user, permission_type, cont_permission) self.log.info("(6.2)Verify container_ownership: write, expect: %s", expect) self.verify_cont_set_owner( expect, new_test_user+"@", new_test_group+"@") #Verify container permission A acl-write after set container # to a different owner. if cont_permission == "w": permission_type = "acl" expect = "deny" self.log.info("(6.3)Verify container_acl write after changed " "ownership: expect: %s", expect) self.verify_cont_rw_acl("write", expect, secTestBase.acl_entry( test_user_type, test_user, cont_permission)) #(7)Verify container permission d, delete self.log.info("(7)==>Verify cont-delete on container and pool" " with/without d permission.") permission_type = "delete" c_permission = "rwaAtTod" p_permission = "rctd" expect = "pass" if "r" not in cont_permission: #remove d from cont_permission c_permission = "rwaAtTo" if "w" not in cont_permission: #remove d from pool_permission p_permission = "rct" if cont_permission == "": expect = "deny" self.update_container_acl(secTestBase.acl_entry(test_user_type, test_user, c_permission)) self.update_pool_acl_entry(self.pool_uuid, "update", secTestBase.acl_entry("user", "OWNER", p_permission)) self.verify_cont_delete(expect) #(8)Cleanup secTestBase.add_del_user( self.hostlist_clients, "userdel", new_test_user) secTestBase.add_del_user( self.hostlist_clients, "groupdel", new_test_group)