+create_fops_nodemaps() {
+ local i=0
+ local client
+ for client in $clients; do
+ local client_ip=$(host_nids_address $client $NETTYPE)
+ local client_nid=$(h2$NETTYPE $client_ip)
+ do_facet mgs $LCTL nodemap_add c${i} || return 1
+ do_facet mgs $LCTL nodemap_add_range \
+ --name c${i} --range $client_nid || return 1
+ do_facet ost0 $LCTL set_param nodemap.add_nodemap=c${i} ||
+ return 1
+ do_facet ost0 "$LCTL set_param nodemap.add_nodemap_range='c$i \
+ $client_nid'" || return 1
+ for map in ${FOPS_IDMAPS[i]}; do
+ do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
+ --idtype uid --idmap ${map} || return 1
+ do_facet ost0 "$LCTL set_param \
+ nodemap.add_nodemap_idmap='c$i uid ${map}'" ||
+ return 1
+ do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
+ --idtype gid --idmap ${map} || return 1
+ do_facet ost0 "$LCTL set_param \
+ nodemap.add_nodemap_idmap='c$i gid ${map}'" ||
+ return 1
+ done
+ out1=$(do_facet mgs $LCTL get_param nodemap.c${i}.idmap)
+ out2=$(do_facet ost0 $LCTL get_param nodemap.c${i}.idmap)
+ [ "$out1" != "$out2" ] && error "mgs and oss maps mismatch"
+ i=$((i + 1))
+ done
+ return 0
+}
+
+delete_fops_nodemaps() {
+ local i=0
+ local client
+ for client in $clients; do
+ do_facet mgs $LCTL nodemap_del c${i} || return 1
+ do_facet ost0 $LCTL set_param nodemap.remove_nodemap=c${i} ||
+ return 1
+ i=$((i + 1))
+ done
+ return 0
+}
+
+# acl test directory needs to be initialized on a privileged client
+fops_test_setup() {
+ local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
+ local trust=$(do_facet mgs $LCTL get_param -n \
+ nodemap.c0.trusted_nodemap)
+
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=1
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=1
+
+ do_node ${clients_arr[0]} rm -rf $DIR/$tdir
+ do_node ${clients_arr[0]} mkdir -p $DIR/$tdir
+ do_node ${clients_arr[0]} chown $user $DIR/$tdir
+
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value $admin
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value $trust
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=$admin
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=$trust
+
+ # flush MDT locks to make sure they are reacquired before test
+ do_node ${clients_arr[0]} lctl set_param \
+ ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
+}
+
+do_create_delete() {
+ local run_u=$1
+ local key=$2
+ local testfile=$DIR/$tdir/$tfile
+ local rc=0
+ local c=0 d=0
+ local qused_new
+ if $run_u touch $testfile >& /dev/null; then
+ c=1
+ $run_u rm $testfile && d=1
+ fi >& /dev/null
+
+ local res="$c $d"
+ local expected=$(get_cr_del_expected $key)
+ [ "$res" != "$expected" ] && error "test $key expected " \
+ "$expected, got $res" && rc=$(($rc+1))
+ return $rc
+}
+
+nodemap_check_quota() {
+ local run_u="$1"
+ $run_u lfs quota -q $DIR | awk '{ print $2; exit; }'
+}
+
+do_fops_quota_test() {
+ local run_u=$1
+ # define fuzz as 2x ost block size in K
+ local quota_fuzz=$(($(lctl get_param -n \
+ osc.$FSNAME-OST0000-*.blocksize | head -1) / 512))
+ local qused_orig=$(nodemap_check_quota "$run_u")
+ local qused_low=$((qused_orig - quota_fuzz))
+ local qused_high=$((qused_orig + quota_fuzz))
+ local testfile=$DIR/$tdir/$tfile
+ chmod 777 $DIR/$tdir
+ $run_u dd if=/dev/zero of=$testfile bs=1M count=1 >& /dev/null
+ sync; sync_all_data || true
+
+ local qused_new=$(nodemap_check_quota "$run_u")
+ [ $((qused_low + 1024)) -le $((qused_new)) \
+ -a $((qused_high + 1024)) -ge $((qused_new)) ] ||
+ error "$qused_new != $qused_orig + 1M after write"
+ $run_u rm $testfile && d=1
+ $NODEMAP_TEST_QUOTA && wait_delete_completed_mds
+
+ qused_new=$(nodemap_check_quota "$run_u")
+ [ $((qused_low)) -le $((qused_new)) \
+ -a $((qused_high)) -ge $((qused_new)) ] ||
+ error "quota not reclaimed, expect $qused_orig got $qused_new"
+}
+
+get_fops_mapped_user() {
+ local cli_user=$1
+
+ for ((i=0; i < ${#FOPS_IDMAPS[@]}; i++)); do
+ for map in ${FOPS_IDMAPS[i]}; do
+ if [ $(cut -d: -f1 <<< "$map") == $cli_user ]; then
+ cut -d: -f2 <<< "$map"
+ return
+ fi
+ done
+ done
+ echo -1
+}
+
+get_cr_del_expected() {
+ local -a key
+ IFS=":" read -a key <<< "$1"
+ local mapmode="${key[0]}"
+ local mds_user="${key[1]}"
+ local cluster="${key[2]}"
+ local cli_user="${key[3]}"
+ local mode="0${key[4]}"
+ local SUCCESS="1 1"
+ local FAILURE="0 0"
+ local noadmin=0
+ local mapped=0
+ local other=0
+
+ [[ $mapmode == *mapped* ]] && mapped=1
+ # only c1 is mapped in these test cases
+ [[ $mapmode == mapped_trusted* ]] && [ "$cluster" == "c0" ] && mapped=0
+ [[ $mapmode == *noadmin* ]] && noadmin=1
+
+ # o+wx works as long as the user isn't mapped
+ if [ $((mode & 3)) -eq 3 ]; then
+ other=1
+ fi
+
+ # if client user is root, check if root is squashed
+ if [ "$cli_user" == "0" ]; then
+ # squash root succeed, if other bit is on
+ case $noadmin in
+ 0) echo $SUCCESS;;
+ 1) [ "$other" == "1" ] && echo $SUCCESS
+ [ "$other" == "0" ] && echo $FAILURE;;
+ esac
+ return
+ fi
+ if [ "$mapped" == "0" ]; then
+ [ "$other" == "1" ] && echo $SUCCESS
+ [ "$other" == "0" ] && echo $FAILURE
+ return
+ fi
+
+ # if mapped user is mds user, check for u+wx
+ mapped_user=$(get_fops_mapped_user $cli_user)
+ [ "$mapped_user" == "-1" ] &&
+ error "unable to find mapping for client user $cli_user"
+
+ if [ "$mapped_user" == "$mds_user" -a \
+ $(((mode & 0300) == 0300)) -eq 1 ]; then
+ echo $SUCCESS
+ return
+ fi
+ if [ "$mapped_user" != "$mds_user" -a "$other" == "1" ]; then
+ echo $SUCCESS
+ return
+ fi
+ echo $FAILURE
+}
+
+test_fops() {
+ local mapmode="$1"
+ local single_client="$2"
+ local client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
+ [1]="0 $((IDBASE+5)) $((IDBASE+6))")
+ local mds_i
+ local rc=0
+ local perm_bit_list="0 3 $((0300)) $((0303))"
+ # SLOW tests 000-007, 010-070, 100-700 (octal modes)
+ [ "$SLOW" == "yes" ] &&
+ perm_bit_list="0 $(seq 1 7) $(seq 8 8 63) $(seq 64 64 511) \
+ $((0303))"
+
+ # step through mds users. -1 means root
+ for mds_i in -1 0 1 2; do
+ local user=$((mds_i + IDBASE))
+ local client
+ local x
+
+ [ "$mds_i" == "-1" ] && user=0
+
+ echo mkdir -p $DIR/$tdir
+ fops_test_setup
+ local cli_i=0
+ for client in $clients; do
+ local u
+ local admin=$(do_facet mgs $LCTL get_param -n \
+ nodemap.c$cli_i.admin_nodemap)
+ for u in ${client_user_list[$cli_i]}; do
+ local run_u="do_node $client \
+ $RUNAS_CMD -u$u -g$u -G$u"
+ for perm_bits in $perm_bit_list; do
+ local mode=$(printf %03o $perm_bits)
+ do_facet mgs $LCTL nodemap_modify \
+ --name c$cli_i \
+ --property admin \
+ --value 1
+ do_node $client chmod $mode $DIR/$tdir
+ do_facet mgs $LCTL nodemap_modify \
+ --name c$cli_i \
+ --property admin \
+ --value $admin
+
+ local key
+ key="$mapmode:$user:c$cli_i:$u:$mode"
+ do_create_delete "$run_u" "$key"
+ done
+
+ # check quota
+ do_fops_quota_test "$run_u"
+ done
+
+ cli_i=$((cli_i + 1))
+ [ "$single_client" == "1" ] && break
+ done
+ rm -rf $DIR/$tdir
+ done
+ return $rc
+}
+
+nodemap_test_setup() {
+ local rc
+ local active_nodemap=$1
+
+ do_facet mgs $LCTL set_param $IDENTITY_UPCALL=NONE
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.6.90) ] &&
+ skip "Skip test on $(get_lustre_version) MGS, need 2.6.90+" &&
+ return
+
+ rc=0
+ create_fops_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "adding fops nodemaps failed $rc"
+
+ if [ "$active_nodemap" == "0" ]; then
+ do_facet mgs $LCTL set_param nodemap.active=0
+ do_facet ost0 $LCTL set_param nodemap.active=0
+ return
+ fi
+
+ do_facet mgs $LCTL nodemap_activate 1
+ do_facet ost0 $LCTL set_param nodemap.active=1
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 1
+ do_facet ost0 $LCTL set_param nodemap.default.admin_nodemap=1
+ do_facet ost0 $LCTL set_param nodemap.default.trusted_nodemap=1
+}
+
+nodemap_test_cleanup() {
+ delete_fops_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "removing fops nodemaps failed $rc"
+
+ return 0
+}
+
+nodemap_clients_admin_trusted() {
+ local admin=$1
+ local tr=$2
+ local i=0
+ for client in $clients; do
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value $admin
+ do_facet ost0 $LCTL set_param nodemap.c${i}.admin_nodemap=$admin
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value $tr
+ do_facet ost0 $LCTL set_param nodemap.c${i}.trusted_nodemap=$tr
+ i=$((i + 1))
+ done
+}
+
+test_16() {
+ nodemap_test_setup 0
+
+ test_fops all_off
+ nodemap_test_cleanup
+}
+run_test 16 "test nodemap all_off fileops"
+
+test_17() {
+ nodemap_test_setup
+
+ nodemap_clients_admin_trusted 0 1
+ test_fops trusted_noadmin 1
+ nodemap_test_cleanup
+}
+run_test 17 "test nodemap trusted_noadmin fileops"
+
+test_18() {
+ nodemap_test_setup
+ nodemap_clients_admin_trusted 0 0
+ test_fops mapped_noadmin 1
+ nodemap_test_cleanup
+}
+run_test 18 "test nodemap mapped_noadmin fileops"
+
+test_19() {
+ nodemap_test_setup
+ nodemap_clients_admin_trusted 1 1
+ test_fops trusted_admin 1
+ nodemap_test_cleanup
+}
+run_test 19 "test nodemap trusted_admin fileops"
+
+test_20() {
+ nodemap_test_setup
+ nodemap_clients_admin_trusted 1 0
+ test_fops mapped_admin 1
+ nodemap_test_cleanup
+}
+run_test 20 "test nodemap mapped_admin fileops"
+
+test_21() {
+ nodemap_test_setup
+ local x=1
+ local i=0
+ for client in $clients; do
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property trusted --value $x
+ do_facet ost0 $LCTL set_param nodemap.c${i}.admin_nodemap=0
+ do_facet ost0 $LCTL set_param nodemap.c${i}.trusted_nodemap=$x
+ x=0
+ i=$((i + 1))
+ done
+ test_fops mapped_trusted_noadmin
+ nodemap_test_cleanup
+}
+run_test 21 "test nodemap mapped_trusted_noadmin fileops"
+
+test_22() {
+ nodemap_test_setup
+ local x=1
+ local i=0
+ for client in $clients; do
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property trusted --value $x
+ do_facet ost0 $LCTL set_param nodemap.c${i}.admin_nodemap=1
+ do_facet ost0 $LCTL set_param nodemap.c${i}.trusted_nodemap=$x
+ x=0
+ i=$((i + 1))
+ done
+ test_fops mapped_trusted_admin
+ nodemap_test_cleanup
+}
+run_test 22 "test nodemap mapped_trusted_admin fileops"
+
+# acl test directory needs to be initialized on a privileged client
+nodemap_acl_test_setup() {
+ local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
+ local trust=$(do_facet mgs $LCTL get_param -n \
+ nodemap.c0.trusted_nodemap)
+
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=1
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=1
+
+ do_node ${clients_arr[0]} rm -rf $DIR/$tdir
+ do_node ${clients_arr[0]} mkdir -p $DIR/$tdir
+ do_node ${clients_arr[0]} chmod a+rwx $DIR/$tdir
+
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value $admin
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value $trust
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=$admin
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=$trust
+
+}
+
+# returns 0 if the number of ACLs does not change on the second (mapped) client
+# after being set on the first client
+nodemap_acl_test() {
+ local user="$1"
+ local set_client="$2"
+ local get_client="$3"
+ local check_setfacl="$4"
+ local setfacl_error=0
+ local testfile=$DIR/$tdir/$tfile
+ local RUNAS_USER="$RUNAS_CMD -u $user"
+ local acl_count=0
+ local acl_count_post=0
+
+ nodemap_acl_test_setup
+ sleep 5
+
+ do_node $set_client $RUNAS_USER touch $testfile
+
+ # ACL masks aren't filtered by nodemap code, so we ignore them
+ acl_count=$(do_node $get_client getfacl $testfile | grep -v mask |
+ wc -l)
+ do_node $set_client $RUNAS_USER setfacl -m $user:rwx $testfile ||
+ setfacl_error=1
+
+ # if check setfacl is set to 1, then it's supposed to error
+ if [ "$check_setfacl" == "1" ]; then
+ [ "$setfacl_error" != "1" ] && return 1
+ return 0
+ fi
+ [ "$setfacl_error" == "1" ] && echo "WARNING: unable to setfacl"
+
+ acl_count_post=$(do_node $get_client getfacl $testfile | grep -v mask |
+ wc -l)
+ [ $acl_count -eq $acl_count_post ] && return 0
+ return 1
+}
+
+test_23() {
+ nodemap_test_setup
+
+ # 1 trusted cluster, 1 mapped cluster
+ local unmapped_fs=$((IDBASE+0))
+ local unmapped_c1=$((IDBASE+5))
+ local mapped_fs=$((IDBASE+2))
+ local mapped_c0=$((IDBASE+4))
+ local mapped_c1=$((IDBASE+6))
+
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=1
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=1
+
+ do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 0
+ do_facet ost0 $LCTL set_param nodemap.c1.admin_nodemap=0
+ do_facet ost0 $LCTL set_param nodemap.c1.trusted_nodemap=0
+
+ # setfacl on trusted cluster to unmapped user, verify it's not seen
+ nodemap_acl_test $unmapped_fs ${clients_arr[0]} ${clients_arr[1]} ||
+ error "acl count (1)"
+
+ # setfacl on trusted cluster to mapped user, verify it's seen
+ nodemap_acl_test $mapped_fs ${clients_arr[0]} ${clients_arr[1]} &&
+ error "acl count (2)"
+
+ # setfacl on mapped cluster to mapped user, verify it's seen
+ nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
+ error "acl count (3)"
+
+ # setfacl on mapped cluster to unmapped user, verify error
+ nodemap_acl_test $unmapped_fs ${clients_arr[1]} ${clients_arr[0]} 1 ||
+ error "acl count (4)"
+
+ # 2 mapped clusters
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 0
+ do_facet ost0 $LCTL set_param nodemap.c0.admin_nodemap=0
+ do_facet ost0 $LCTL set_param nodemap.c0.trusted_nodemap=0
+
+ # setfacl to mapped user on c1, also mapped to c0, verify it's seen
+ nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
+ error "acl count (5)"
+
+ # setfacl to mapped user on c1, not mapped to c0, verify not seen
+ nodemap_acl_test $unmapped_c1 ${clients_arr[1]} ${clients_arr[0]} ||
+ error "acl count (6)"
+
+ nodemap_test_cleanup
+}
+run_test 23 "test mapped ACLs"
+
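Review bot: `nodemap_clients_admin_trusted` hard-codes `--name c0` in both MGS `nodemap_modify` calls while the paired ost0 `set_param` lines address `nodemap.c${i}`, so from the second client on the MGS never receives the admin/trusted values and the two servers disagree about that nodemap's privilege flags. Both calls should read `do_facet mgs $LCTL nodemap_modify --name c${i} \`, matching the loops in test_21 and test_22. Tests 17–20 pass `single_client=1` to `test_fops`, so only c0 is exercised in the visible code and the mismatch is masked rather than harmless; a caller that walks all clients would be checking access against a half-applied configuration. Separately, `fops_test_setup` reads `$user` from `test_fops`'s local through dynamic scoping and `do_fops_quota_test` assigns `d=1` without `local`; passing the user as an argument and declaring `d` would keep these helpers self-contained.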