From 5862582cd7d0067793698d1fcd9a7c3ed331aa27 Mon Sep 17 00:00:00 2001
From: Shubhendu
Date: Thu, 12 Sep 2024 21:29:00 +0530
Subject: [PATCH] IAM import test with missing entities (#20368)
Signed-off-by: Shubhendu Ram Tripathi
---
 .github/workflows/iam-integrations.yaml | 17 +++
 Makefile | 4 +
 .../iam-import-with-missing-entities.sh | 107 +++++++++++++++
 .../samples/bootstrap-complete.ldif | 123 ++++++++++++++++++
 .../samples/bootstrap-partial.ldif | 56 ++++++++
 docs/distributed/samples/myminio-iam-info.zip | Bin 0 -> 1945 bytes
 6 files changed, 307 insertions(+)
 create mode 100755 docs/distributed/iam-import-with-missing-entities.sh
 create mode 100644 docs/distributed/samples/bootstrap-complete.ldif
 create mode 100644 docs/distributed/samples/bootstrap-partial.ldif
 create mode 100644 docs/distributed/samples/myminio-iam-info.zip
diff --git a/.github/workflows/iam-integrations.yaml b/.github/workflows/iam-integrations.yaml
index d659a0cf1..92566f42c 100644
--- a/.github/workflows/iam-integrations.yaml
+++ b/.github/workflows/iam-integrations.yaml
@@ -125,3 +125,20 @@ jobs:
 if: matrix.openid == 'http://127.0.0.1:5556/dex'
 run: |
 make test-site-replication-oidc
+ iam-import-with-missing-entities:
+ name: Test IAM import in new cluster with missing entities
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+ check-latest: true
+ - name: Checkout minio-iam-testing
+ uses: actions/checkout@v4
+ with:
+ repository: minio/minio-iam-testing
+ path: minio-iam-testing
+ - name: Test import of IAM artifacts when in fresh cluster there are missing groups etc
+ run: |
+ make test-iam-import-with-missing-entities
diff --git a/Makefile b/Makefile
index 7594e5181..7ecdb4a76 100644
--- a/Makefile
+++ b/Makefile
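Review bot: The setup-go step of the new job reads `go-version: ${{ matrix.go-version }}`, but the job declares no `strategy.matrix`, and a matrix is never inherited from sibling jobs, so the expression expands to an empty string and setup-go will presumably fall back to whatever Go is already on the runner instead of the version the other jobs are pinned to. Either add a `strategy:` block with `matrix: go-version: [<version used by the other jobs>]` to this job or replace the expression with a literal version. The remaining steps (checkout of minio/minio-iam-testing and the make target) are consistent with the Makefile hunk in this commit.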
@@ -97,6 +97,10 @@ test-iam-ldap-upgrade-import: install-race ## verify IAM (external LDAP IDP)
 @echo "Running upgrade tests for IAM (LDAP backend)"
 @env bash $(PWD)/buildscripts/minio-iam-ldap-upgrade-import-test.sh
+test-iam-import-with-missing-entities: install-race ## test import of external iam config withg missing entities
+ @echo "Test IAM import configurations with missing entities"
+ @env bash $(PWD)/docs/distributed/iam-import-with-missing-entities.sh
+
 test-sio-error:
 @(env bash $(PWD)/docs/bucket/replication/sio-error.sh)
diff --git a/docs/distributed/iam-import-with-missing-entities.sh b/docs/distributed/iam-import-with-missing-entities.sh
new file mode 100755
index 000000000..9b50c6baf
--- /dev/null
+++ b/docs/distributed/iam-import-with-missing-entities.sh
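Review bot: The `##` help text on the new target has a typo, `withg`, and since these comments are the user-facing description of the target it should read `## test import of external iam config with missing entities`. The recipe follows its neighbours in using `$(PWD)`, which is the shell's environment variable rather than Make's `$(CURDIR)`, so it points at the invoking directory rather than the makefile's under `make -C`; matching the surrounding rules is acceptable, but `$(CURDIR)` would be the safer choice for new code. If the file keeps a hand-maintained `.PHONY` list (not visible in this hunk), `test-iam-import-with-missing-entities` should be added to it so a stray file of that name cannot mask the target.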
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+if [ -n "$TEST_DEBUG" ]; then
+ set -x
+fi
+
+pkill minio
+docker rm -f $(docker ps -aq)
+rm -rf /tmp/ldap{1..4}
+rm -rf /tmp/ldap1{1..4}
+
+if [ ! -f ./mc ]; then
+ wget --quiet -O mc https://dl.minio.io/client/mc/release/linux-amd64/mc &&
+ chmod +x mc
+fi
+
+mc -v
+
+# Start LDAP server
+echo "Copying docs/distributed/samples/bootstrap-complete.ldif => minio-iam-testing/ldap/50-bootstrap.ldif"
+cp docs/distributed/samples/bootstrap-complete.ldif minio-iam-testing/ldap/50-bootstrap.ldif || exit 1
+cd ./minio-iam-testing
+make docker-images
+make docker-run
+cd -
+
+export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:22000"
+export MC_HOST_myminio1="http://minioadmin:minioadmin@localhost:24000"
+
+# Start MinIO instance
+export CI=true
+(minio server --address :22000 --console-address :10000 http://localhost:22000/tmp/ldap{1...4} 2>&1 >/dev/null) &
+sleep 30
+./mc ready myminio
+
+./mc idp ldap add myminio server_addr=localhost:1389 server_insecure=on lookup_bind_dn=cn=admin,dc=min,dc=io lookup_bind_password=admin user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter="(uid=%s)" group_search_base_dn=ou=swengg,dc=min,dc=io group_search_filter="(&(objectclass=groupOfNames)(member=%d))"
+./mc admin service restart myminio --json
+./mc ready myminio
+./mc admin cluster iam import myminio docs/distributed/samples/myminio-iam-info.zip
+sleep 10
+
+# Verify the list of users and service accounts from the import
+./mc admin user list myminio
+USER_COUNT=$(./mc admin user list myminio | wc -l)
+if [ "${USER_COUNT}" -ne 2 ]; then
+ echo "BUG: Expected no of users: 2 Found: ${USER_COUNT}"
+ exit 1
+fi
+./mc admin user svcacct list myminio "uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io" --json
+SVCACCT_COUNT_1=$(./mc admin user svcacct list myminio "uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io" --json | jq '.accessKey' | wc -l)
+if [ "${SVCACCT_COUNT_1}" -ne 2 ]; then
+ echo "BUG: Expected svcacct count for 
'uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io': 2. Found: ${SVCACCT_COUNT_1}"
+ exit 1
+fi
+./mc admin user svcacct list myminio "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" --json
+SVCACCT_COUNT_2=$(./mc admin user svcacct list myminio "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" --json | jq '.accessKey' | wc -l)
+if [ "${SVCACCT_COUNT_2}" -ne 2 ]; then
+ echo "BUG: Expected svcacct count for 'uid=dillon,ou=people,ou=swengg,dc=min,dc=io': 2. Found: ${SVCACCT_COUNT_2}"
+ exit 1
+fi
+
+# Kill MinIO and LDAP to start afresh with missing groups/DN
+pkill minio
+docker rm -f $(docker ps -aq)
+rm -rf /tmp/ldap{1..4}
+
+# Deploy the LDAP config witg missing groups/DN
+echo "Copying docs/distributed/samples/bootstrap-partial.ldif => minio-iam-testing/ldap/50-bootstrap.ldif"
+cp docs/distributed/samples/bootstrap-partial.ldif minio-iam-testing/ldap/50-bootstrap.ldif || exit 1
+cd ./minio-iam-testing
+make docker-images
+make docker-run
+cd -
+
+(minio server --address ":24000" --console-address :10000 http://localhost:24000/tmp/ldap1{1...4} 2>&1 >/dev/null) &
+sleep 30
+./mc ready myminio1
+
+./mc idp ldap add myminio1 server_addr=localhost:1389 server_insecure=on lookup_bind_dn=cn=admin,dc=min,dc=io lookup_bind_password=admin user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter="(uid=%s)" group_search_base_dn=ou=hwengg,dc=min,dc=io group_search_filter="(&(objectclass=groupOfNames)(member=%d))"
+./mc admin service restart myminio1 --json
+./mc ready myminio1
+./mc admin cluster iam import myminio1 docs/distributed/samples/myminio-iam-info.zip
+sleep 10
+
+# Verify the list of users and service accounts from the import
+./mc admin user list myminio1
+USER_COUNT=$(./mc admin user list myminio1 | wc -l)
+if [ "${USER_COUNT}" -ne 1 ]; then
+ echo "BUG: Expected no of users: 1 Found: ${USER_COUNT}"
+ exit 1
+fi
+./mc admin user svcacct list myminio1 "uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io" --json
+SVCACCT_COUNT_1=$(./mc admin user svcacct list myminio1 
"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io" --json | jq '.accessKey' | wc -l)
+if [ "${SVCACCT_COUNT_1}" -ne 2 ]; then
+ echo "BUG: Expected svcacct count for 'uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io': 2. Found: ${SVCACCT_COUNT_1}"
+ exit 1
+fi
+./mc admin user svcacct list myminio1 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" --json
+SVCACCT_COUNT_2=$(./mc admin user svcacct list myminio1 "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" --json | jq '.accessKey' | wc -l)
+if [ "${SVCACCT_COUNT_2}" -ne 0 ]; then
+ echo "BUG: Expected svcacct count for 'uid=dillon,ou=people,ou=swengg,dc=min,dc=io': 0. Found: ${SVCACCT_COUNT_2}"
+ exit 1
+fi
+
+# Finally kill running processes
+pkill minio
+docker rm -f $(docker ps -aq)
diff --git a/docs/distributed/samples/bootstrap-complete.ldif b/docs/distributed/samples/bootstrap-complete.ldif
new file mode 100644
index 000000000..6f4f45710
--- /dev/null
+++ b/docs/distributed/samples/bootstrap-complete.ldif
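Review bot: None of the setup steps in this script are checked for failure — `cd ./minio-iam-testing`, `make docker-run`, `./mc idp ldap add …` and `./mc admin cluster iam import …` run without `set -e` or a trailing `|| exit 1` (only the two `cp` lines have one), so a broken LDAP container or a failed import surfaces later as a confusing user-count mismatch, and a failed `cd` would run `make docker-images` in the minio checkout itself. Because the cleanup lines `pkill minio` and `docker rm -f $(docker ps -aq)` are expected to fail when nothing is running, enable strict mode right after the last `rm -rf /tmp/ldap1{1..4}` with `set -eo pipefail`, and suffix the two later cleanup blocks with `|| true` so they keep their best-effort behaviour. Two smaller points: `docker rm -f $(docker ps -aq)` removes every container on the host, not only the test's LDAP container, so the header comment should state that the script is meant for a disposable CI runner (or the cleanup should be scoped to the container name minio-iam-testing creates, which is not visible here); and `mc` is fetched with `wget` and then run with cluster-admin credentials without any integrity check, so verifying the download against a published checksum before `chmod +x mc` would close an obvious supply-chain gap.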
@@ -0,0 +1,123 @@
+# Create hardware engg org unit
+dn: ou=hwengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: hwengg
+
+# Create people sub-org
+dn: ou=people,ou=hwengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: people
+
+# Create Alice, Bob and Cody in hwengg
+dn: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Alice Smith
+sn: Smith
+uid: alice1
+mail: alice@example.io
+userPassword: {SSHA}Yeh2/IV/q/HjG2yzN3YdE9CAF3EJFCLu
+
+dn: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Robert Fisher
+sn: Fisher
+uid: bobfisher
+mail: bob@example.io
+userPassword: {SSHA}LktfbhK5oXSdDWCNzauJ9JA+Poxinl3y
+
+dn: uid=cody3,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Cody Thomas
+sn: Thomas
+uid: cody3
+mail: cody@example.io
+userPassword: {SSHA}H8B0gaOd4bRklK3fXj9ltHvJXWQFXW5Q
+
+# Create groups ou for hwengg
+dn: ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: organizationalUnit
+ou: groups
+description: groups branch
+
+# Create project groups
+
+dn: cn=projectx,ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projectx
+description: Project X group members
+member: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
+member: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+
+dn: cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projecty
+description: Project Y group members
+member: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+member: uid=cody3,ou=people,ou=hwengg,dc=min,dc=io
+
+# Create software engg org unit
+dn: ou=swengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: swengg
+
+# Create people sub-org
+dn: ou=people,ou=swengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: people
+
+# Create Dillon, Elizabeth and Fahim in swengg
+dn: uid=dillon,ou=people,ou=swengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Dillon Harper
+sn: Harper
+uid: dillon
+mail: dillon@example.io
+userPassword: {SSHA}UH+LmoEhWWW6s9rjgdpqHPI0qCMouY8+
+ dn: 
uid=liza,ou=people,ou=swengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Elizabeth Jones
+sn: Jones
+uid: liza
+mail: ejones@example.io
+userPassword: {SSHA}feVkKkafHtsu2Io7n0tQP4Cnh8/Oy1PK
+
+dn: uid=fahim,ou=people,ou=swengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Fahim Ahmed
+sn: Ahmed
+uid: fahim
+mail: fahmed@example.io
+userPassword: {SSHA}lRNH+PHooRaruiEb+CBEA21EZLMkAmcc
+
+# Add a user with special chars. The password = example here.
+dn: uid=Пользователь,OU=people,OU=swengg,DC=min,DC=io
+objectClass: inetOrgPerson
+cn: Special Charsman
+sn: Charsman
+uid: Пользователь
+mail: scharsman@example.io
+userPassword: {SSHA}XQSZqLPvYgm30wR7pk67a1GW+q+DDvSj
+
+# Creates groups ou for swengg
+dn: ou=groups,ou=swengg,dc=min,dc=io
+objectclass: organizationalUnit
+ou: groups
+description: groups branch
+
+# Create project groups
+
+dn: cn=projecta,ou=groups,ou=swengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projecta
+description: Project A group members
+member: uid=dillon,ou=people,ou=swengg,dc=min,dc=io
+
+dn: cn=projectb,ou=groups,ou=swengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projectb
+description: Project B group members
+member: uid=dillon,ou=people,ou=swengg,dc=min,dc=io
+member: uid=liza,ou=people,ou=swengg,dc=min,dc=io
+member: uid=fahim,ou=people,ou=swengg,dc=min,dc=io
+member: uid=Пользователь,OU=people,OU=swengg,DC=min,DC=io
diff --git a/docs/distributed/samples/bootstrap-partial.ldif b/docs/distributed/samples/bootstrap-partial.ldif
new file mode 100644
index 000000000..02cbb8321
--- /dev/null
+++ b/docs/distributed/samples/bootstrap-partial.ldif
@@ -0,0 +1,56 @@
+# Create hardware engg org unit
+dn: ou=hwengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: hwengg
+
+# Create people sub-org
+dn: ou=people,ou=hwengg,dc=min,dc=io
+objectClass: organizationalUnit
+ou: people
+
+# Create Alice, Bob and Cody in hwengg
+dn: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Alice Smith
+sn: Smith
+uid: alice1
+mail: alice@example.io
+userPassword: {SSHA}Yeh2/IV/q/HjG2yzN3YdE9CAF3EJFCLu
+
+dn: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Robert Fisher
+sn: Fisher
+uid: bobfisher
+mail: bob@example.io
+userPassword: {SSHA}LktfbhK5oXSdDWCNzauJ9JA+Poxinl3y
+
+dn: uid=cody3,ou=people,ou=hwengg,dc=min,dc=io
+objectClass: inetOrgPerson
+cn: Cody Thomas
+sn: Thomas
+uid: cody3
+mail: cody@example.io
+userPassword: {SSHA}H8B0gaOd4bRklK3fXj9ltHvJXWQFXW5Q
+
+# Create groups ou for hwengg
+dn: ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: organizationalUnit
+ou: groups
+description: groups branch
+
+# Create project groups
+
+dn: cn=projectx,ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projectx
+description: Project X group members
+member: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
+member: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+
+dn: cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io
+objectclass: groupofnames
+cn: projecty
+description: Project Y group members
+member: uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io
+member: uid=cody3,ou=people,ou=hwengg,dc=min,dc=io
diff --git a/docs/distributed/samples/myminio-iam-info.zip b/docs/distributed/samples/myminio-iam-info.zip new file mode 100644 index 0000000000000000000000000000000000000000..cd1d7ec1de38b96644477060d6b0434e154333a8 GIT binary patch literal 1945 zcmWIWW@Zs#-~dA72F*wYBp|`S$&i_ttD9I{oLW+>Uyz@ZnVgwgtd~`spBEa!%E0(o z`hMD)Nsiu!9RyncpO#7G_AM6pHf=?RK<37y-Y*mH`rI--+4shWN9fai)r}&r9g9vF z#@~B0`}+(&oyuigllPR#m9VduxG|BPcXjHPD3{Z&CEQ%wl3238Fjd_@=p48}^umM? z(X9&`M48<`$_^g>{dnQnI9R=I!Q+T$GGow+F7 zz1b$dYxn#-BdaDW_S;E6j(m8+y=#GNZAyywzNXh-{=Kp`wabsyTb};OPa|fTd1KZT zVY5HdqU(zOt$(d2(LMPVM@G@7tJh^h3)aX7UOF~SLo(91sPx$D?cW~?EPHo_P2J*h z(B*eYC37}*`5N06|F>lb@Mh;wtv)h`nUR4Zj+p_-#}%TYs3BTfoLYnyoD571fB#q4 zGJ_3u-oI=yCon>ofEc%-VyK3u7v+~0P;M$(NN+HY~a|}`&i2s2~1L=z$Ab> z_GM9HAC#oxa}x^+GV{{WB8!ZqC5LJ_IB8MObOlt?i%W{}xPHw!!@O1lo`#3JE6!CH zIR~Y9^W0e|9IdDs!Byz8AhdNywd?kGbN|)<@v~4VS==WdG<}Dp?Jl9MODgVv68&s5 z+n{vy6YE6>)N78d?Mh292{1YNg_mdYvsIek5~uR8^$FekF7ZoNLMQ6GLzTkby%pb% z%$vt6xb?{#*#}1Z+Y~f2|8cMQ&tH-1a_rg7s84-TTbN_6p9e?NJl6XrQ-K+j4H#7c z-i%Bl%!twyxl{mUC>UsH1hEK~t?0%fmj|Gt1O^%!gMgMJ8Hc4{!Dkkz1c8Bu#^tDH zVJlD24MR?4fe}d9C3^X(@1s1Pp{=|_U@tFxq)-ce}$i#wTCcZ?D kZYXlxgHkgLG&Cll8j3${2Y9oxfwZy%p*gUy_hAL`0BIq9%K!iX literal 0 HcmV?d00001