Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test(integ): add test for RCS process owner #389

Merged
merged 1 commit into from
Apr 14, 2021
Merged

test(integ): add test for RCS process owner #389

merged 1 commit into from
Apr 14, 2021

Conversation

jusiskin
Copy link
Contributor

@jusiskin jusiskin commented Apr 13, 2021
edited
Loading

Problem

The RFDK integration tests does not have any coverage for the owning user of the process that the Deadline RCS runs as within the ECS task container. This means that we have no assurance that RFDK follows the principle of least-privilege with respect to the process permissions within these containers.

Solution

Add a test that checks the OS user of the RCS process running within the ECS task containers deployed by RFDK's RenderQueue construct. The Deadline RCS already reports it's process' user to Deadline's database. This tests relies on:

deadlinecommand GetProxyServerInfos

which returns this information as reported by the RCS.

Testing

Ran the integration tests and confirmed that the new test was run and passed:

Complete!
Pretest setup runtime: 0m 4s
Infrastructure stack deploy runtime: 4m 1s
Infrastructure stack cleanup runtime: 2m 0s
Results for test component deadline_02_renderQueue:
  -Tests ran: 10
  -Tests passed: 10
  -Tests failed: 0
  -Deploy runtime:     24m 12s
  -Test suite runtime: 0m 57s
  -Cleanup runtime:    16m 18s
Cleaning up folders...

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@jusiskin jusiskin added the contribution/core This is a PR that came from AWS. label Apr 13, 2021
horsmand
horsmand approved these changes Apr 14, 2021
View reviewed changes
Copy link
Contributor

@horsmand horsmand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I discussed with Josh about using something like ps to determine what the OS is reporting the process owner as, but he explained how since we're only running these SSM commands against the bastion instance, there is a lot of overhead to running the command against the RCS.

This method of using Deadline Command to query for the list of proxy servers and then read the user from that info relies on Deadline reporting the correct user, but I don't see any reason for that to report incorrectly in the farm setups we use in our integration tests, so I believe this is fine.

@horsmand horsmand merged commit 7070b4b into aws:mainline Apr 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jericht jericht jericht approved these changes

@horsmand horsmand horsmand approved these changes

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jusiskin @horsmand @jericht