3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
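# Print the list of tests excluded via EXCEPT, if any.
# Arguments: $1 - the EXCEPT list (space separated test numbers)
# Returns:   1 when the list is empty (nothing printed), else echo's status
# The value is passed quoted: the previous `echo $EXCEPT` inside backticks
# word-split it and would have glob-expanded any '*' or '?' against the
# current directory before printing.
note_excluded_tests() {
	[ -n "$1" ] && echo "Skipping tests: $1"
}
note_excluded_tests "$EXCEPT"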
# Put the script's own directory and its sibling ../utils ahead of the
# inherited PATH (presumably so in-tree tools such as lctl/lfs win over any
# installed copies); /sbin is appended for callers whose PATH lacks it.
# NOTE(review): SRCDIR is assigned on a line not shown here. If it were ever
# empty, the second element would be an empty string, which PATH lookup treats
# as the current directory -- worth confirming it is always set before this line,
# since the suite runs as root.
export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
# Configuration name; selects $LUSTRE/tests/cfg/$NAME.sh further down.
export NAME=${NAME:-local}
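# Locate the Lustre tree relative to this script unless LUSTRE is given, then
# pull in the shared test framework and the per-configuration settings. The
# path expansions are quoted so a checkout path containing whitespace is not
# word-split (the unquoted originals would have been).
LUSTRE=${LUSTRE:-$(dirname "$0")/..}
. "$LUSTRE/tests/test-framework.sh"
# ${CONFIG:=...} assigns CONFIG as a side effect when it was not already set.
. "${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}"

# Helpers used by the tests: runas runs one command under another uid/gid
# (and, via -G/-v/-j, supplementary groups or fs ids); write_time_limit is
# presumably a bounded-duration writer (see its use in test 6).
RUNAS=${RUNAS:-"$LUSTRE/tests/runas"}
WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}

# perm.conf on the MDS: tests that need rmtown/setuid/setgid/rmtacl grants write
# it and remove it again on their normal exit path.
PERM_CONF=$CONFDIR/perm.conf
# Suite log; TESTSUITELOG (from the framework) wins over the per-script default.
SANITYSECLOG=${TESTSUITELOG:-$TMP/$(basename "$0" .sh).log}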
# The suite drives the servers through do_facet; if either the MDS or the OST
# facet is remote but reachable only without dsh (remote_*_nodsh true), skip
# the whole run instead of silently exercising the wrong node.
if remote_mds_nodsh; then
	skip "remote MDS with nodsh" && exit 0
fi
if remote_ost_nodsh; then
	skip "remote OST with nodsh" && exit 0
fi
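# Name of the passwd entry whose uid AND gid both equal $1.
# Arguments: $1 - numeric id; $2 - passwd file (defaults to /etc/passwd,
#            overridable for testing)
# Outputs:   the account name, or nothing if there is no such entry
# Compares the uid/gid fields exactly and stops at the first hit: the former
# substring grep for ":id:id:" returned every matching line (two entries sharing
# a uid/gid produced a newline-separated "name", breaking the later chown/chgrp),
# and with an empty id its pattern ":::" could match an entry with an empty
# GECOS and home field.
uid_to_name() {
	awk -F: -v id="$1" '$3 == id && $4 == id { print $1; exit }' "${2:-/etc/passwd}"
}
USER0=$(uid_to_name "$ID0")
USER1=$(uid_to_name "$ID1")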
38 echo "Please add user0 (uid=$ID0 gid=$ID0)! Skip sanity-sec" && exit 0
41 echo "Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec" && exit 0
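check_and_setup_lustre

# True when $1 is the mount point $2 itself or a path beneath it.
# Arguments: $1 - directory to check; $2 - mount point (trailing slash tolerated)
# Returns:   0 if $1 lies under $2, 1 otherwise (an empty $2, or "/", never matches)
# The tests below run "rm -rf $DIR/*", so this is an anchored path-prefix test
# rather than the previous unanchored regex grep, which also accepted
# /mnt/lustre2/d0 or /home/mnt/lustre for MOUNT=/mnt/lustre.
dir_under_mount() {
	local mnt=${2%/}
	[ -n "$mnt" ] || return 1
	case "$1" in
		"$mnt"|"$mnt"/|"$mnt"/*) return 0 ;;
	esac
	return 1
}
dir_under_mount "$DIR" "$MOUNT" || \
	{ error "$DIR not in $MOUNT" && sec_cleanup && exit 1; }

# More than one word in MOUNT means the file system is mounted more than once;
# this suite expects exactly one mount.
[ `echo $MOUNT | wc -w` -gt 1 ] && \
	echo "NAME=$MOUNT mounted more than once" && sec_cleanup && exit 0

# Single-MDS configurations only (an unset MDSCOUNT is treated as 1).
[ "${MDSCOUNT:-1}" -gt 1 ] && \
	echo "skip multi-MDS test" && sec_cleanup && exit 0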
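# Print the "Used by" count of the ptlrpc_gss module from lsmod output on stdin,
# or nothing if the module is not listed. The module name is compared as a
# whole field; the previous "grep ^ptlrpc_gss" would also have matched any
# module whose name merely starts with ptlrpc_gss.
gss_module_refcount() {
	awk '$1 == "ptlrpc_gss" { print $3 }'
}
GSS_REF=$(lsmod | gss_module_refcount)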
57 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
59 echo "with GSS support"
62 echo "without GSS support"
65 MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*/stats 2>/dev/null | cut -d"." -f2" || true`"
66 if [ ! -z "$MDT" ]; then
67 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
68 IDENTITY_FLUSH=mdt.$MDT.identity_flush
70 CAPA_TIMEOUT=mdt.$MDT.capa_timeout
71 MDSSECLEVEL=mdt.$MDT.sec_level
78 if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
94 if ! $RUNAS -u $user krb5_login.sh; then
95 error "$user login kerberos failed."
99 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
100 $RUNAS -u $user lfs flushctx -k
101 $RUNAS -u $user krb5_login.sh
102 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
103 error "init $user $group failed."
109 declare -a identity_old
112 for num in `seq $MDSCOUNT`; do
113 switch_identity $num true || identity_old[$num]=$?
116 if ! $RUNAS -u $ID0 ls $DIR > /dev/null 2>&1; then
117 sec_login $USER0 $USER0
120 if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
121 sec_login $USER1 $USER1
# run as different user. The '* <uid> <perm>' entries written to perm.conf on
# the MDS below are unrestricted in their first field (presumably the client
# NID wildcard) and are only removed again at the end of the test on its normal
# exit path.
130 chmod 0755 $DIR || error "chmod (1)"
131 rm -rf $DIR/* || error "rm (1)"
132 mkdir -p $DIR/$tdir || error "mkdir (1)"
134 if [ "$CLIENT_TYPE" = "remote" ]; then
135 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
136 do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
137 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
138 chown $USER0 $DIR/$tdir && error "chown (1)"
139 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
140 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
142 chown $USER0 $DIR/$tdir || error "chown (2)"
145 $RUNAS -u $ID0 ls $DIR || error "ls (1)"
146 rm -f $DIR/f0 || error "rm (2)"
147 $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)"
148 $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
149 $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
150 touch $DIR/$tdir/f3 || error "touch (4)"
151 chown root $DIR/$tdir || error "chown (3)"
152 chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
153 chmod 0775 $DIR/$tdir || error "chmod (2)"
154 $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
155 $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
156 touch $DIR/$tdir/f6 || error "touch (7)"
157 rm -rf $DIR/* || error "rm (3)"
159 if [ "$CLIENT_TYPE" = "remote" ]; then
160 do_facet $SINGLEMDS "rm -f $PERM_CONF"
161 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
164 run_test 0 "uid permission ============================="
168 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
169 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
171 if [ "$CLIENT_TYPE" = "remote" ]; then
172 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
173 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
179 chown $USER0 $DIR/$tdir || error "chown (1)"
180 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
181 echo "enable uid $ID1 setuid"
182 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
183 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
184 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
186 chown root $DIR/$tdir || error "chown (4)"
187 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
188 chmod 0770 $DIR/$tdir || error "chmod (6)"
189 $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
190 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)"
191 echo "enable uid $ID1 setuid,setgid"
192 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
193 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
194 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)"
195 $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)"
199 do_facet $SINGLEMDS "rm -f $PERM_CONF"
200 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
202 run_test 1 "setuid/gid ============================="
204 run_rmtacl_subtest() {
205 $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
210 # for remote client only
212 [ "$CLIENT_TYPE" = "local" ] && \
213 skip "remote_acl for remote client only" && return
214 [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && \
215 skip "must have acl enabled" && return
216 [ -z "$(which setfacl 2>/dev/null)" ] && \
217 skip "could not find setfacl" && return
218 [ "$UID" != 0 ] && skip "must run as root" && return
219 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
221 do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
222 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
226 sec_login daemon daemon
227 sec_login games users
233 echo "performing cp ..."
234 run_rmtacl_subtest cp || error "cp"
235 echo "performing getfacl-noacl..."
236 run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
237 echo "performing misc..."
238 run_rmtacl_subtest misc || error "misc"
239 echo "performing permissions..."
240 run_rmtacl_subtest permissions || error "permissions"
241 echo "performing setfacl..."
242 run_rmtacl_subtest setfacl || error "setfacl"
# inheritance test obtained from HP
245 echo "performing inheritance..."
246 cp $SAVE_PWD/rmtacl/make-tree .
248 run_rmtacl_subtest inheritance || error "inheritance"
254 do_facet $SINGLEMDS "rm -f $PERM_CONF"
255 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
257 run_test 2 "rmtacl ============================="
260 # root_squash will be redesigned in Lustre 1.7
262 skip "root_squash will be redesigned in Lustre 1.7" && return
264 run_test 3 "rootsquash ============================="
# bug 3285 - access granted through a supplementary group should always succeed.
# NB: the supplementary groups are set for the local client only; for a remote
# client the groups of the specified uid on the MDT are obtained via the
# /sbin/l_getidentity upcall and used instead.
271 if [ "$CLIENT_TYPE" = "remote" ]; then
272 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
273 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
274 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
279 chmod 0771 $DIR/$tdir
280 chgrp $ID0 $DIR/$tdir
281 $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
282 if [ "$CLIENT_TYPE" = "local" ]; then
283 if [ ! -z "$MDT" ]; then
284 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
285 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
286 $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)"
289 $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
292 if [ ! -z "$MDT" ]; then
293 do_facet $SINGLEMDS "rm -f $PERM_CONF"
294 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
297 run_test 4 "set supplementary group ==============="
299 mds_capability_timeout() {
300 [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
302 echo "Set mds capability timeout as $1 seconds"
303 do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
307 mds_sec_level_switch() {
308 [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
311 0) echo "Disable capa for all clients";;
312 1) echo "Enable capa for remote client";;
313 3) echo "Enable capa for all clients";;
314 *) echo "Invalid mds sec level switch value" && return 2;;
317 do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
321 oss_sec_level_switch() {
322 [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
325 0) echo "Disable capa for all clients";;
326 1) echo "Enable capa for remote client";;
327 3) echo "Enable capa for all clients";;
328 *) echo "Invalid oss sec level switch value" && return 2;;
331 for i in `seq $OSTCOUNT`; do
332 local j=`expr $i - 1`
333 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
334 [ -z "$OST" ] && return 3
335 do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
340 mds_capability_switch() {
341 [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
344 0) echo "Turn off mds capability";;
345 3) echo "Turn on mds capability";;
346 *) echo "Invalid mds capability switch value" && return 2;;
349 do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
353 oss_capability_switch() {
354 [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
357 0) echo "Turn off oss capability";;
358 1) echo "Turn on oss capability";;
359 *) echo "Invalid oss capability switch value" && return 2;;
362 for i in `seq $OSTCOUNT`; do
363 local j=`expr $i - 1`
364 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
365 [ -z "$OST" ] && return 3
366 do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
372 mds_capability_switch 3 || return 1
373 mds_sec_level_switch 3 || return 2
378 oss_capability_switch 1 || return 1
379 oss_sec_level_switch 3 || return 2
383 turn_capability_on() {
384 local capa_timeout=${1:-"1800"}
386 # To turn on fid capability for the system,
387 # there is a requirement that fid capability
388 # is turned on on all MDS/OSS servers before
391 turn_mds_capa_on || return 1
392 turn_oss_capa_on || return 2
393 mds_capability_timeout $capa_timeout || return 3
394 remount_client $MOUNT || return 4
398 turn_mds_capa_off() {
399 mds_sec_level_switch 0 || return 1
400 mds_capability_switch 0 || return 2
404 turn_oss_capa_off() {
405 oss_sec_level_switch 0 || return 1
406 oss_capability_switch 0 || return 2
410 turn_capability_off() {
# fid capability can be turned off on a live system, but turn it off on all
# OSS servers before the MDS servers.
415 turn_oss_capa_off || return 1
416 turn_mds_capa_off || return 2
# We demonstrate that objects in the filesystem cannot be accessed without the
# secrets supplied by the MDS: a proc variable on the MDS is disabled so that it
# no longer supplies secrets, and the subsequent object accesses are expected
# to fail.
427 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
428 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
429 [ ! -z "$LOCALMDT" ] && skip "client should be separated from server." && return
434 error "turn_capability_off"
440 error "turn_oss_capa_on"
444 if [ "$CLIENT_TYPE" = "remote" ]; then
445 remount_client $MOUNT && return 3
449 remount_client $MOUNT || return 4
452 # proc variable disabled -- access to the objects in the filesystem
454 echo "Should get Write error here : (proc variable are disabled "\
455 "-- access to the objects in the filesystem is denied."
458 error "Write worked well even though secrets not supplied."
464 error "turn_capability_on"
470 # proc variable enabled, secrets supplied -- write should work now
471 echo "Should not fail here : (proc variable enabled, secrets supplied "\
472 "-- write should work now)."
475 error "Write failed even though secrets supplied."
481 error "turn_capability_off"
486 run_test 5 "capa secrets ========================="
# Expiry: a test program performs I/O on a file using a credential that expires
# half a minute later. The credential expires while the program is running and
# no automatic extension or renewal is enabled, so the program is expected to
# hit an I/O failure.
495 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
496 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
497 [ ! -z "$LOCALMDT" ] && skip "client should be separated from server." && return
501 error "turn_capability_off"
507 turn_capability_on 30
509 error "turn_capability_on 30"
516 error "$WTL $file 60"
520 # Reset MDS capability timeout
521 mds_capability_timeout 30
523 error "mds_capability_timeout 30"
# To disable automatic renewal it is enough to turn capa off on the MDS.
534 error "turn_mds_capa_off"
538 echo "We expect I/O failure."
541 echo "no I/O failure got."
547 error "turn_capability_off"
552 run_test 6 "capa expiry ========================="
554 log "cleanup: ======================================================"
557 for num in `seq $MDSCOUNT`; do
558 if [ "${identity_old[$num]}" = 1 ]; then
559 switch_identity $num false || identity_old[$num]=$?
563 $RUNAS -u $ID0 ls $DIR
564 $RUNAS -u $ID1 ls $DIR
569 if [ "$I_MOUNTED" = "yes" ]; then
570 cleanupall -f || error "sec_cleanup"
echo '=========================== finished ==============================='
# Dump the suite log if one was written and fail the run when any test logged
# FAIL; a missing or clean log leaves the exit status at 0.
if [ -f "$SANITYSECLOG" ] && cat "$SANITYSECLOG" && grep -q FAIL "$SANITYSECLOG"; then
	exit 1
fi