iam: add tests for account-based IAM apis by cbodley · Pull Request #537 · ceph/s3-tests

cbodley · 2023-12-19T15:51:43Z

renames the test_of_iam label to iam_tenant for the existing tenant-based iam tests

adds new [iam root] and [iam alt root] config sections for account root users, and a new set of iam_account and iam_cross_account test cases that use them

adds pytest fixtures iam_root and iam_alt_root that return the corresponding boto client, with cleanup logic to nuke any created users/roles/etc. all iam resources created by the tests have names starting with iam name prefix = s3-tests- and paths starting with iam path prefix = /s3-tests/ so this cleanup logic doesn't nuke anything else in the aws account

adds account-based test cases for the following iam api categories:

User
AccessKey
UserPolicy
Group
GroupPolicy
Role
RolePolicy
OpenIDConnectProvider

verified to pass against aws when an account root user's credentials are provided in the [iam] section of s3tests.conf (haven't tested iam_cross_account tests yet)

TODO:

assuming another account's role uses same-account rules to access that account's resources
assuming another account's role uses cross-account rules to access the original user's resources
buckets/objects created by the assumed role belong to the role's account
test that identity policy can grant non-root users access to iam account apis

s3tests_boto3/functional/test_iam.py

cbodley · 2024-02-16T14:49:45Z

@pritha-srivastava thanks for the review! i updated the pr description with a TODO list of test cases to add

cbodley · 2024-03-07T20:46:12Z

hey @alimaredia, i'm close to getting account stuff passing in teuthology. just wanted to get this on your radar

Signed-off-by: Casey Bodley <cbodley@redhat.com>

adds test cases for the following iam actions: * PutUserPolicy * GetUserPolicy * DeleteUserPolicy * ListUserPolicies verified to pass against aws when an account root user's credentials are provided in the [iam] section of s3tests.conf Signed-off-by: Casey Bodley <cbodley@redhat.com>

Signed-off-by: Casey Bodley <cbodley@redhat.com>

adds test cases for the following iam actions: * CreateRole * GetRole * ListRoles * DeleteRole * UpdateRole verified to pass against aws when an account root user's credentials are provided in the [iam] section of s3tests.conf Signed-off-by: Casey Bodley <cbodley@redhat.com>

adds test cases for the following iam actions: * PutRolePolicy * GetRolePolicy * DeleteRolePolicy * ListRolePolicies verified to pass against aws when an account root user's credentials are provided in the [iam] section of s3tests.conf Signed-off-by: Casey Bodley <cbodley@redhat.com>

Signed-off-by: Casey Bodley <cbodley@redhat.com>

test the [iam alt root] user's access to buckets owned by [iam root] using various policy principals and acl grantees Signed-off-by: Casey Bodley <cbodley@redhat.com>

Signed-off-by: Casey Bodley <cbodley@redhat.com>

aws doesn't consult acls for same-account access. rgw doesn't for account users either Fixes: ceph#184 Signed-off-by: Casey Bodley <cbodley@redhat.com>

alimaredia · 2024-03-12T15:07:15Z

@cbodley are these still underdevelopment? I see you force pushed just a couple hours ago and I don't see a run linked yet. Have these only been run locally?

cbodley · 2024-03-12T15:17:25Z

@alimaredia this is ready for review. i'm still iterating on ceph/ceph#54333 to get a clean run. all tests pass locally but i'm working through differences in configuration between rgw/verify rgw/sts etc

Signed-off-by: Casey Bodley <cbodley@redhat.com>

cbodley · 2024-03-15T17:38:37Z

ping @alimaredia

https://pulpito.ceph.com/cbodley-2024-03-13_12:14:22-rgw-wip-rgw-account-v3-distro-default-smithi/ has a clean run against this s3-tests branch

cbodley · 2024-04-12T17:12:35Z

pulled in sns commits from cbodley#1

accounts pr passed qa against this in https://pulpito.ceph.com/cbodley-2024-04-12_12:44:47-rgw-wip-rgw-account-v3-distro-default-smithi/

cbodley · 2024-04-15T18:12:15Z

haven't cherry-picked for master or squid yet. for squid, i still have one batch pending qa. for main, i'll wait til later in the week

cbodley · 2024-04-16T15:27:50Z

cherry-picked for ceph-squid

cbodley · 2024-04-17T15:59:33Z

cherry-picked for ceph-master too

This was referenced Dec 19, 2023

rgw: user accounts implementation ceph/ceph#54333

Merged

cls/user: add interfaces to index user account resources ceph/ceph#54563

Closed

cbodley force-pushed the wip-iam-user-apis branch 2 times, most recently from 5ce3342 to 1f14eda Compare December 20, 2023 19:18

cbodley force-pushed the wip-iam-user-apis branch from b9484d5 to 513c1b2 Compare January 12, 2024 21:08

cbodley force-pushed the wip-iam-user-apis branch 4 times, most recently from afc402d to ac893c5 Compare January 30, 2024 23:20

cbodley force-pushed the wip-iam-user-apis branch 3 times, most recently from 6645cbb to 69492d4 Compare February 6, 2024 17:47

cbodley changed the title ~~iam: add tests for User apis~~ iam: add tests for account-based IAM apis Feb 6, 2024

cbodley requested a review from pritha-srivastava February 14, 2024 18:39

cbodley force-pushed the wip-iam-user-apis branch from b38849a to 12615b1 Compare February 15, 2024 21:20