syncs, and then creating a bucket on both primary and secondary.
The test name is test_assume_role_after_sync.
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
rgw sync obj etag verify: true
rgw sync meta inject err probability: 0
rgw sync data inject err probability: 0
+ rgw s3 auth use sts: true
+ rgw sts key: abcdefghijklmnoq
rgw:
compression type: random
import boto
import boto.s3.connection
import boto.iam.connection
+import boto.sts.connection
import boto3
+from boto.regioninfo import RegionInfo
def get_gateway_connection(gateway, credentials):
""" connect to the given gateway """
use_ssl = False)
return gateway.iam_connection
+def get_gateway_sts_connection(gateway, credentials, region):
+ """ connect to sts api of the given gateway """
+ if gateway.sts_connection is None:
+ endpoint = f'http://{gateway.host}:{gateway.port}'
+ print(endpoint)
+ gateway.sts_connection = boto3.client(
+ service_name = 'sts',
+ aws_access_key_id = credentials.access_key,
+ aws_secret_access_key = credentials.secret,
+ endpoint_url = endpoint,
+ region_name=region,
+ use_ssl = False)
+ return gateway.sts_connection
+
def get_gateway_s3_client(gateway, credentials, region):
""" connect to boto3 s3 client api of the given gateway """
aws_secret_access_key=credentials.secret,
region_name=region)
return gateway.sns_client
+
+def get_gateway_temp_s3_client(gateway, credentials, session_token, region):
+ """ connect to boto3 s3 client api using temporary credntials """
+ gateway.temp_s3_client = boto3.client('s3',
+ endpoint_url='http://' + gateway.host + ':' + str(gateway.port),
+ aws_access_key_id=credentials.access_key,
+ aws_secret_access_key=credentials.secret,
+ aws_session_token = session_token,
+ region_name=region)
+ return gateway.temp_s3_client
\ No newline at end of file
import json
-from .conn import get_gateway_connection, get_gateway_iam_connection, get_gateway_secure_connection, get_gateway_s3_client, get_gateway_sns_client
+from .conn import get_gateway_connection, get_gateway_iam_connection, get_gateway_secure_connection, get_gateway_s3_client, get_gateway_sns_client, get_gateway_sts_connection, get_gateway_temp_s3_client
class Cluster:
""" interface to run commands against a distinct ceph cluster """
self.iam_connection = None
self.s3_client = None
self.sns_client = None
+ self.sts_connection = None
@abstractmethod
def start(self, args = []):
self.iam_conn = get_gateway_iam_connection(self.zone.gateways[0], self.credentials, region)
self.s3_client = get_gateway_s3_client(self.zone.gateways[0], self.credentials, region)
self.sns_client = get_gateway_sns_client(self.zone.gateways[0], self.credentials, region)
-
+ self.temp_s3_client = None
# create connections for the rest of the gateways (if exist)
for gw in list(self.zone.gateways):
get_gateway_connection(gw, self.credentials)
def get_iam_connection(self):
return self.iam_conn
+ def get_temp_s3_connection(self, credentials, session_token):
+ region = "" if self.zone.zonegroup is None else self.zone.zonegroup.name
+ self.temp_s3_client = get_gateway_temp_s3_client(self.zone.gateways[0], credentials, session_token, region)
+ return self.temp_s3_client
+
def get_bucket(self, bucket_name, credentials):
raise NotImplementedError
after_set_acl = bucket2.get_acl(k)
assert(len(after_set_acl.acl.grants) == 2) # read grant added on AllUsers
+def test_assume_role_after_sync():
+ zonegroup = realm.master_zonegroup()
+ zonegroup_conns = ZonegroupConns(zonegroup)
+ access_key = 'abcd'
+ secret_key = 'efgh'
+ tenant = 'testx'
+ uid = 'test'
+ cmd = ['user', 'create', '--tenant', tenant, '--uid', uid, '--access-key', access_key, '--secret-key', secret_key, '--display-name', 'tenanted-user']
+ zonegroup_conns.master_zone.zone.cluster.admin(cmd)
+ credentials = Credentials(access_key, secret_key)
+
+ role_name = gen_role_name()
+ log.info('create role zone=%s name=%s', zonegroup_conns.master_zone.name, role_name)
+ policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::testx:user/test\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
+ role = zonegroup_conns.master_zone.create_role("/", role_name, policy_document, "")
+ policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Resource\":\"*\",\"Action\":\"s3:*\"}]}"
+ zonegroup_conns.master_zone.put_role_policy(role_name, "Policy1", policy_document)
+
+ zonegroup_meta_checkpoint(zonegroup)
+
+ for zone in zonegroup_conns.zones:
+ log.info(f'checking if zone: {zone.name} has role: {role_name}')
+ assert(zone.has_role(role_name))
+ log.info(f'success, zone: {zone.name} has role: {role_name}')
+
+ for zone in zonegroup_conns.zones:
+ if zone == zonegroup_conns.master_zone:
+ log.info(f'creating bucket in primary zone')
+ bucket = "bucket1"
+ zone.assume_role_create_bucket(bucket, role['Role']['Arn'], "primary", credentials)
+ if zone != zonegroup_conns.master_zone:
+ log.info(f'creating bucket in secondary zone')
+ bucket = "bucket2"
+ zone.assume_role_create_bucket(bucket, role['Role']['Arn'], "secondary", credentials)
@attr('fails_with_rgw')
@attr('data_sync_init')
def has_role(self, role_name):
assert False
+ def put_role_policy(self, rolename, policyname, policy_document):
+ assert False
+
def create_topic(self, topicname, attributes):
assert False
def list_notifications(self, bucket_name):
assert False
+ def assume_role(self, role_arn, session_name, policy, duration_seconds):
+ assert False
+
def get_conn(self, credentials):
return self.Conn(self, credentials)
def has_role(self, role_name):
assert False
+ def put_role_policy(self, rolename, policyname, policy_document):
+ assert False
+
def create_topic(self, topicname, attributes):
assert False
def list_notifications(self, bucket_name):
assert False
+ def assume_role(self, role_arn, session_name, policy, duration_seconds):
+ assert False
+
def get_conn(self, credentials):
return self.Conn(self, credentials)
from .multisite import *
+from .conn import get_gateway_sts_connection
+
log = logging.getLogger(__name__)
def check_object_eq(k1, k2, check_extra = True):
return True
def get_role(self, role_name):
- return self.iam_conn.get_role(role_name)
+ return self.iam_conn.get_role(RoleName=role_name)
def check_role_eq(self, zone_conn, role_name):
log.info('comparing role=%s zones={%s, %s}', role_name, self.name, zone_conn.name)
def create_role(self, path, rolename, policy_document, tag_list):
if policy_document is None:
policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/testuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
- return self.iam_conn.create_role(rolename, policy_document, path)
+ return self.iam_conn.create_role(RoleName=rolename, AssumeRolePolicyDocument=policy_document, Path=path)
def delete_role(self, role_name):
- return self.iam_conn.delete_role(role_name)
+ return self.iam_conn.delete_role(RoleName=role_name)
def has_role(self, role_name):
try:
return False
return True
+ def put_role_policy(self, rolename, policyname, policy_document):
+ if policy_document is None:
+ policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Resource\":\"*\",\"Action\":\"s3:*\"}]}"
+ return self.iam_conn.put_role_policy(RoleName=rolename, PolicyName=policyname, PolicyDocument=policy_document)
+
def create_topic(self, topicname, attributes):
result = self.sns_client.create_topic(Name=topicname, Attributes=attributes)
self.topic_arn = result['TopicArn']
def head_object(self, bucket_name, obj_name):
return self.s3_client.head_object(Bucket=bucket_name, Key=obj_name)
+ def assume_role_create_bucket(self, bucket, role_arn, session_name, alt_user_creds):
+ region = "" if self.zone.zonegroup is None else self.zone.zonegroup.name
+ sts_conn = None
+ if self.zone.gateways is not None:
+ sts_conn = get_gateway_sts_connection(self.zone.gateways[0], alt_user_creds, region)
+ assumed_role_object = sts_conn.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
+ assumed_role_credentials = assumed_role_object['Credentials']
+ credentials = Credentials(assumed_role_credentials['AccessKeyId'], assumed_role_credentials['SecretAccessKey'])
+ self.get_temp_s3_connection(credentials, assumed_role_credentials['SessionToken'])
+ self.temp_s3_client.create_bucket(Bucket=bucket)
+
def get_conn(self, credentials):
return self.Conn(self, credentials)
projects / ceph.git / commitdiff