Test and Validate

This page covers some of the testing that can be performed directly from VM instances that are members of the configured dynamic groups. RCLONE and OCIFS should be tested similarly, using a variety of commands that test read and write access.

RCLONE Testing

As part of this effort, the retention rule on the bucket is removed for a period of time, so that rclone's ability to read and write to a bucket can be fully tested.

Once testing is complete, the rule can be re-established and locked. Testing is done by starting with a dynamic group having "bucket read" and "object read" permissions on all buckets within the compartment holding the archive bucket.

To see a configured RCLONE remote, run the following command (the first line of output is the remote's section header):

OS prompt> rclone config show OCI-IP
[OCI-IP]
type = oracleobjectstorage
provider = instance_principal_auth
namespace = <tenancy-namespace>
compartment = ocid1.compartment.oc1..xxx
region = us-ashburn-1

All commands that follow use the remote name OCI-IP to refer to our configured object storage environment and credentials. To synchronize (copy or update) a file to a bucket, the bucket was pre-created using the OCI console, because our narrow permission set does not include bucket creation or deletion. The following block shows the sync operation, followed by a bucket listing.

OS prompt> rclone sync rclone-test.txt OCI-IP:rclone-testing
OS prompt> rclone ls OCI-IP:rclone-testing
 33 rclone-test.txt

Deleting files can be tested as well. Follow the RCLONE documentation for all of the available options, such as filtering.

OS prompt> rclone delete OCI-IP:rclone-testing/rclone-test.txt

Policy changes

Generally RCLONE will simply return to the prompt if the operation is successful, but it will give an error message if the permissions for a particular operation are missing. For example, if an attempt is made to delete a bucket, given our previously defined permissions, the action fails with the following message:
OS prompt> rclone purge OCI-IP:rclone-testing
2024/08/29 14:36:15 ERROR : : Failed to rmdir: Error returned by ObjectStorage Service. Http Status Code: 404. Error Code: BucketNotFound. Opc request id: iad-1:xxx. Message: Either the bucket named 'rclone-testing' does not exist in the namespace '<namespace>' or you are not authorized to access it
Operation Name: DeleteBucket
As mentioned earlier, the policy statements which had been defined for the dynamic group can be changed as necessary. For example, to allow bucket creation or deletion, the following statement can be added:

allow dynamic-group oci-rclone-full-dg to manage buckets in compartment cis-landing-top:app-cmp where ANY {target.bucket.name = 'rclone-testing'}

After adding this policy statement, the previous operation can be retried, and the bucket will be deleted.

It is helpful to keep a browser open for the OCI Object Storage screen, and refresh the page on a bucket, so that each operation can be verified.
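The manual sequence above (sync, ls, delete, then the purge that is expected to fail) can be turned into a repeatable least-privilege check. The script below is an added example and not part of this playbook; it assumes the remote name OCI-IP and the bucket rclone-testing from this page, treats a denied purge as the correct outcome, and reads the "Operation Name" field from rclone's error output because OCI returns the same 404 BucketNotFound whether the bucket is missing or the caller lacks permission.

```shell
#!/usr/bin/env bash
# Added example, not part of the playbook. Assumed names: remote OCI-IP,
# bucket rclone-testing (both from this page); override via environment.
REMOTE="${REMOTE:-OCI-IP}"
BUCKET="${BUCKET:-rclone-testing}"
RCLONE="${RCLONE:-rclone}"   # command (or function) used to run rclone

# Summarise rclone's stderr. OCI answers 404 BucketNotFound both when the
# bucket is missing and when the caller is not authorized, so the
# "Operation Name:" field is what identifies the API call that was blocked.
classify_rclone_error() {
    local output="$1" op
    op=$(printf '%s\n' "$output" | sed -n 's/.*Operation Name: \([A-Za-z]*\).*/\1/p' | head -n 1)
    case "$output" in
        *BucketNotFound*|*"not authorized"*) printf 'denied-or-missing:%s\n' "${op:-unknown}" ;;
        *"Http Status Code: 4"[0-9][0-9]*)   printf 'client-error:%s\n' "${op:-unknown}" ;;
        *ERROR*)                              printf 'other-error:%s\n' "${op:-unknown}" ;;
        *)                                    printf 'ok\n' ;;
    esac
}

# Run one rclone operation; print label, expected and actual outcome, and the
# classified error. Return 0 only when the outcome matches the expectation.
check_op() {
    local label="$1" expected="$2" out actual
    shift 2
    if out=$("$RCLONE" "$@" 2>&1); then actual=allowed; else actual=denied; fi
    printf '%-14s expected=%-7s actual=%-7s %s\n' \
        "$label" "$expected" "$actual" "$(classify_rclone_error "$out")"
    [ "$expected" = "$actual" ]
}

# The sequence from this page: write, list and delete an object should be
# allowed, while purge (DeleteBucket) must stay denied until the
# "manage buckets" policy statement is added. copy is used instead of sync
# so the check never removes other objects from the bucket.
run_permission_suite() {
    local tmp rc=0
    tmp=$(mktemp) && printf 'rclone permission test\n' > "$tmp"
    check_op copy-object   allowed copy "$tmp" "$REMOTE:$BUCKET"                  || rc=1
    check_op list-bucket   allowed ls "$REMOTE:$BUCKET"                           || rc=1
    check_op delete-object allowed delete "$REMOTE:$BUCKET/$(basename "$tmp")"    || rc=1
    check_op purge-bucket  denied  purge "$REMOTE:$BUCKET"                        || rc=1
    rm -f "$tmp"
    return $rc
}

# Invoke as "./rclone_check.sh run" on a VM that is a member of the dynamic group.
if [ "${1:-}" = run ]; then run_permission_suite; fi
```

A non-zero exit means at least one operation did not behave as the policy intends, which is the signal to re-check the policy statements before re-locking the retention rule.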

OCIFS Testing

Using the examples provided in the previous section, the OCIFS utility was tested in a variety of ways. Once the dynamic group and policy are functioning as designed, it is possible to alter policies and quickly observe the effect of each permission change.

It is recommended to unmount OCIFS filesystems as part of testing permission changes. The documentation provides the syntax for unmount.

OCIFS caching was also tested as part of the solution. The OCIFS documentation describes several caching options, any of which will work with the solution.

Note:

Using automount can affect the OCIFS caching, as it removes the cache unless the cache-reuse and cache-keep options are used.

The following example shows creating a mountpoint and connecting to a bucket using OCIFS:

root OS prompt# mkdir /mnt/read-bucket
root OS prompt# ocifs --auth=instance_principal read-bucket /mnt/read-bucket/
root OS prompt# cd /mnt/read-bucket
root OS prompt# ls -al
total 0
drwxr-xr-x. 2 root root 6 Nov 6 14:56 .
drwxr-xr-x. 5 root root 68 Nov 6 14:56 ..
-rw-r--r--. 1 root root 4 Nov 6 14:57 file.txt
As a test of limited permissions, this VM should not have the ability to delete a file from this bucket. An error should occur as follows:

root OS prompt# rm file.txt
rm: remove regular file 'file.txt'? y
rm: cannot remove 'file.txt': Input/output error

Further tests with additional buckets, dynamic group definitions, and policy statements can be performed. Allow a minute or two between changes and tests, so that the permissions can propagate.