From 7140e822d6c32854d3beff005aa4287573abba7c Mon Sep 17 00:00:00 2001 From: Pritha Srivastava Date: Tue, 22 Mar 2022 13:17:42 +0530 Subject: [PATCH] rgw: adding a test to check if role metadata syncs fine. Signed-off-by: Pritha Srivastava --- qa/tasks/rgw_multisite_tests.py | 2 +- src/test/rgw/rgw_multi/conn.py | 13 +++++++++- src/test/rgw/rgw_multi/multisite.py | 11 +++++++- src/test/rgw/rgw_multi/tests.py | 39 ++++++++++++++++++++++++++++ src/test/rgw/rgw_multi/zone_cloud.py | 3 +++ src/test/rgw/rgw_multi/zone_es.py | 3 +++ src/test/rgw/rgw_multi/zone_rados.py | 25 ++++++++++++++++++ src/test/rgw/test_multi.py | 2 +- 8 files changed, 94 insertions(+), 4 deletions(-) diff --git a/qa/tasks/rgw_multisite_tests.py b/qa/tasks/rgw_multisite_tests.py index 732a2c17d22e5..888a37181690f 100644 --- a/qa/tasks/rgw_multisite_tests.py +++ b/qa/tasks/rgw_multisite_tests.py @@ -73,7 +73,7 @@ class RGWMultisiteTests(Task): log.info('creating test user..') user = multisite.User('rgw-multisite-test-user') user.create(master_zone, ['--display-name', 'Multisite Test User', - '--gen-access-key', '--gen-secret']) + '--gen-access-key', '--gen-secret', '--caps', 'roles=*']) config = self.config.get('config', {}) tests.init_multi(realm, user, tests.Config(**config)) diff --git a/src/test/rgw/rgw_multi/conn.py b/src/test/rgw/rgw_multi/conn.py index b03db36735f4d..59bc2fdd3d2f7 100644 --- a/src/test/rgw/rgw_multi/conn.py +++ b/src/test/rgw/rgw_multi/conn.py @@ -1,6 +1,6 @@ import boto import boto.s3.connection - +import boto.iam.connection def get_gateway_connection(gateway, credentials): """ connect to the given gateway """ @@ -28,3 +28,14 @@ def get_gateway_secure_connection(gateway, credentials): validate_certs=False, calling_format = boto.s3.connection.OrdinaryCallingFormat()) return gateway.secure_connection + +def get_gateway_iam_connection(gateway, credentials): + """ connect to iam api of the given gateway """ + if gateway.iam_connection is None: + gateway.iam_connection = boto.connect_iam( + aws_access_key_id = credentials.access_key, + aws_secret_access_key = credentials.secret, + host = gateway.host, + port = gateway.port, + is_secure = False) + return gateway.iam_connection diff --git a/src/test/rgw/rgw_multi/multisite.py b/src/test/rgw/rgw_multi/multisite.py index dfcde085ed0a0..ba6b13ee17f3a 100644 --- a/src/test/rgw/rgw_multi/multisite.py +++ b/src/test/rgw/rgw_multi/multisite.py @@ -3,7 +3,7 @@ from io import StringIO import json -from .conn import get_gateway_connection, get_gateway_secure_connection +from .conn import get_gateway_connection, get_gateway_iam_connection, get_gateway_secure_connection class Cluster: """ interface to run commands against a distinct ceph cluster """ @@ -26,6 +26,7 @@ class Gateway: self.connection = None self.secure_connection = None self.ssl_port = ssl_port + self.iam_connection = None @abstractmethod def start(self, args = []): @@ -184,15 +185,23 @@ class ZoneConn(object): if self.zone.gateways is not None: self.conn = get_gateway_connection(self.zone.gateways[0], self.credentials) self.secure_conn = get_gateway_secure_connection(self.zone.gateways[0], self.credentials) + + self.iam_conn = get_gateway_iam_connection(self.zone.gateways[0], self.credentials) + # create connections for the rest of the gateways (if exist) for gw in list(self.zone.gateways): get_gateway_connection(gw, self.credentials) get_gateway_secure_connection(gw, self.credentials) + get_gateway_iam_connection(gw, self.credentials) + def get_connection(self): return self.conn + def get_iam_connection(self): + return self.iam_conn + def get_bucket(self, bucket_name, credentials): raise NotImplementedError diff --git a/src/test/rgw/rgw_multi/tests.py b/src/test/rgw/rgw_multi/tests.py index 28dfcb93720b1..a8532e6562b6e 100644 --- a/src/test/rgw/rgw_multi/tests.py +++ b/src/test/rgw/rgw_multi/tests.py @@ -64,6 +64,8 @@ log = logging.getLogger('rgw_multi.tests') num_buckets = 0 run_prefix=''.join(random.choice(string.ascii_lowercase) for _ in range(6)) +num_roles = 0 + def get_zone_connection(zone, credentials): """ connect to the zone's first gateway """ if isinstance(credentials, list): @@ -444,6 +446,12 @@ def gen_bucket_name(): num_buckets += 1 return run_prefix + '-' + str(num_buckets) +def gen_role_name(): + global num_roles + + num_roles += 1 + return "roles" + '-' + run_prefix + '-' + str(num_roles) + class ZonegroupConns: def __init__(self, zonegroup): self.zonegroup = zonegroup @@ -451,6 +459,7 @@ class ZonegroupConns: self.ro_zones = [] self.rw_zones = [] self.master_zone = None + for z in zonegroup.zones: zone_conn = z.get_conn(user.credentials) self.zones.append(zone_conn) @@ -490,6 +499,19 @@ def check_all_buckets_dont_exist(zone_conn, buckets): return True +def create_role_per_zone(zonegroup_conns, roles_per_zone = 1): + roles = [] + zone_role = [] + for zone in zonegroup_conns.rw_zones: + for i in range(roles_per_zone): + role_name = gen_role_name() + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/testuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" + role = zone.create_role("", role_name, policy_document, "") + roles.append(role_name) + zone_role.append((zone, role)) + + return roles, zone_role + def create_bucket_per_zone(zonegroup_conns, buckets_per_zone = 1): buckets = [] zone_bucket = [] @@ -577,6 +599,9 @@ def check_bucket_eq(zone_conn1, zone_conn2, bucket): if zone_conn2.zone.has_buckets(): zone_conn2.check_bucket_eq(zone_conn1, bucket.name) +def check_role_eq(zone_conn1, zone_conn2, role): + zone_conn2.check_role_eq(zone_conn1, role['create_role_response']['create_role_result']['role']['role_name']) + def test_object_sync(): zonegroup = realm.master_zonegroup() zonegroup_conns = ZonegroupConns(zonegroup) @@ -1662,3 +1687,17 @@ def test_zap_init_bucket_sync_run(): secondary.zone.start() zonegroup_bucket_checkpoint(zonegroup_conns, bucket.name) + +def test_role_sync(): + zonegroup = realm.master_zonegroup() + zonegroup_conns = ZonegroupConns(zonegroup) + roles, zone_role = create_role_per_zone(zonegroup_conns) + + zonegroup_meta_checkpoint(zonegroup) + + for source_conn, role in zone_role: + for target_conn in zonegroup_conns.zones: + if source_conn.zone == target_conn.zone: + continue + + check_role_eq(source_conn, target_conn, role) diff --git a/src/test/rgw/rgw_multi/zone_cloud.py b/src/test/rgw/rgw_multi/zone_cloud.py index 322a19e6d1807..ea1b49e1e563c 100644 --- a/src/test/rgw/rgw_multi/zone_cloud.py +++ b/src/test/rgw/rgw_multi/zone_cloud.py @@ -298,6 +298,9 @@ class CloudZone(Zone): return True + def create_role(self, path, rolename, policy_document, tag_list): + assert False + def get_conn(self, credentials): return self.Conn(self, credentials) diff --git a/src/test/rgw/rgw_multi/zone_es.py b/src/test/rgw/rgw_multi/zone_es.py index 204b9e47f2e3e..5ec20871ad5c3 100644 --- a/src/test/rgw/rgw_multi/zone_es.py +++ b/src/test/rgw/rgw_multi/zone_es.py @@ -240,6 +240,9 @@ class ESZone(Zone): return True + def create_role(self, path, rolename, policy_document, tag_list): + assert False + def get_conn(self, credentials): return self.Conn(self, credentials) diff --git a/src/test/rgw/rgw_multi/zone_rados.py b/src/test/rgw/rgw_multi/zone_rados.py index 984b0c2ffca06..ac4edd004d6e1 100644 --- a/src/test/rgw/rgw_multi/zone_rados.py +++ b/src/test/rgw/rgw_multi/zone_rados.py @@ -104,6 +104,31 @@ class RadosZone(Zone): return True + def get_role(self, role_name): + return self.iam_conn.get_role(role_name) + + def check_role_eq(self, zone_conn, role_name): + log.info('comparing role=%s zones={%s, %s}', role_name, self.name, zone_conn.name) + r1 = self.get_role(role_name) + r2 = zone_conn.get_role(role_name) + + assert r1 + assert r2 + log.debug('comparing role name=%s', r1['get_role_response']['get_role_result']['role']['role_name']) + eq(r1['get_role_response']['get_role_result']['role']['role_name'], r2['get_role_response']['get_role_result']['role']['role_name']) + eq(r1['get_role_response']['get_role_result']['role']['role_id'], r2['get_role_response']['get_role_result']['role']['role_id']) + eq(r1['get_role_response']['get_role_result']['role']['path'], r2['get_role_response']['get_role_result']['role']['path']) + eq(r1['get_role_response']['get_role_result']['role']['arn'], r2['get_role_response']['get_role_result']['role']['arn']) + eq(r1['get_role_response']['get_role_result']['role']['max_session_duration'], r2['get_role_response']['get_role_result']['role']['max_session_duration']) + eq(r1['get_role_response']['get_role_result']['role']['assume_role_policy_document'], r2['get_role_response']['get_role_result']['role']['assume_role_policy_document']) + + log.info('success, role identical: role=%s zones={%s, %s}', role_name, self.name, zone_conn.name) + + return True + + def create_role(self, path, rolename, policy_document, tag_list): + return self.iam_conn.create_role(rolename, policy_document, path) + def get_conn(self, credentials): return self.Conn(self, credentials) diff --git a/src/test/rgw/test_multi.py b/src/test/rgw/test_multi.py index e32d00f0da317..440b165523f5c 100644 --- a/src/test/rgw/test_multi.py +++ b/src/test/rgw/test_multi.py @@ -402,7 +402,7 @@ def init(parse_args): arg += admin_creds.credential_args() admin_user.create(zone, arg) # create test user - arg = ['--display-name', '"Test User"'] + arg = ['--display-name', '"Test User"', '--caps', 'roles=*'] arg += user_creds.credential_args() user.create(zone, arg) else: -- 2.39.5