set -e
ONLY=${ONLY:-"$*"}
-[ "$EXCEPT" ] && echo "Skipping tests: `echo $EXCEPT`"
+# bug number for skipped test: 19430 19967 19967
+ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT"
+# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
+
+[ "$ALWAYS_EXCEPT$EXCEPT" ] && \
+ echo "Skipping tests: $ALWAYS_EXCEPT $EXCEPT"
SRCDIR=`dirname $0`
export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
. $LUSTRE/tests/test-framework.sh
init_test_env $@
. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
+init_logging
+
+RUNAS="runas"
-RUNAS=${RUNAS:-"$LUSTRE/tests/runas"}
WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
CONFDIR=/etc/lustre
PERM_CONF=$CONFDIR/perm.conf
-SANITYSECLOG=${TESTSUITELOG:-$TMP/$(basename $0 .sh).log}
FAIL_ON_ERROR=false
-remote_mds_nodsh && skip "remote MDS with nodsh" && exit 0
-remote_ost_nodsh && skip "remote OST with nodsh" && exit 0
+require_dsh_mds || exit 0
+require_dsh_ost || exit 0
ID0=${ID0:-500}
ID1=${ID1:-501}
check_and_setup_lustre
+sec_cleanup() {
+ if [ "$I_MOUNTED" = "yes" ]; then
+ cleanupall -f || error "sec_cleanup"
+ fi
+}
+
DIR=${DIR:-$MOUNT}
[ -z "`echo $DIR | grep $MOUNT`" ] && \
error "$DIR not in $MOUNT" && sec_cleanup && exit 1
echo "without GSS support"
fi
-MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*/stats | cut -d"." -f2" || true`"
-if [ ! -z "$MDT" ]; then
- do_facet $SINGLEMDS "mkdir -p $CONFDIR"
- IDENTITY_FLUSH=mdt.$MDT.identity_flush
- MDSCAPA=mdt.$MDT.capa
- CAPA_TIMEOUT=mdt.$MDT.capa_timeout
-fi
+MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*.stats 2>/dev/null | cut -d"." -f2" || true`"
+[ -z "$MDT" ] && error "fail to get MDT device" && exit 1
+do_facet $SINGLEMDS "mkdir -p $CONFDIR"
+IDENTITY_FLUSH=mdt.$MDT.identity_flush
+MDSCAPA=mdt.$MDT.capa
+CAPA_TIMEOUT=mdt.$MDT.capa_timeout
+MDSSECLEVEL=mdt.$MDT.sec_level
# for CLIENT_TYPE
if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
# run as different user
test_0() {
- rm -rf $DIR/d0
- mkdir $DIR/d0
-
- chown $USER0 $DIR/d0 || error "chown (1)"
- $RUNAS -u $ID0 ls $DIR || error "ls (2)"
- $RUNAS -u $ID0 touch $DIR/f0 && error "touch (3)"
- $RUNAS -u $ID0 touch $DIR/d0/f1 || error "touch (4)"
- $RUNAS -u $ID1 touch $DIR/d0/f2 && error "touch (5)"
- touch $DIR/d0/f3 || error "touch (6)"
- chown root $DIR/d0 || error "chown (7)"
- chgrp $USER0 $DIR/d0 || error "chgrp (8)"
- chmod 775 $DIR/d0 || error "chmod (9)"
- $RUNAS -u $ID0 touch $DIR/d0/f4 || error "touch (10)"
- $RUNAS -u $ID1 touch $DIR/d0/f5 && error "touch (11)"
- touch $DIR/d0/f6 || error "touch (12)"
-
- rm -rf $DIR/d0
+ umask 0022
+
+ chmod 0755 $DIR || error "chmod (1)"
+ rm -rf $DIR/$tdir || error "rm (1)"
+ mkdir -p $DIR/$tdir || error "mkdir (1)"
+
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ chown $USER0 $DIR/$tdir && error "chown (1)"
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ else
+ chown $USER0 $DIR/$tdir || error "chown (2)"
+ fi
+
+ $RUNAS -u $ID0 ls $DIR || error "ls (1)"
+ rm -f $DIR/f0 || error "rm (2)"
+ $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)"
+ $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
+ $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
+ touch $DIR/$tdir/f3 || error "touch (4)"
+ chown root $DIR/$tdir || error "chown (3)"
+ chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
+ chmod 0775 $DIR/$tdir || error "chmod (2)"
+ $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
+ $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
+ touch $DIR/$tdir/f6 || error "touch (7)"
+ rm -rf $DIR/$tdir || error "rm (3)"
+
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
}
run_test 0 "uid permission ============================="
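Review bot: In test_0's remote-client branch the directory is never chowned to $USER0 once rmtown is granted: `chown $USER0 $DIR/$tdir && error "chown (1)"` is meant to fail under `* 0 normtown`, and after the `* 0 rmtown` write and identity flush there is no second chown, so $tdir stays root-owned 0755 (umask 0022) and the later `$RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"` would presumably fail on a remote client. Adding `chown $USER0 $DIR/$tdir || error "chown (2)"` after the rmtown flush, before the `else`, makes the remote branch end in the same state the local branch produces. The remote-client uid mapping is not visible here, so confirm this against an actual remote-client run before changing the expectation.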
# setuid/gid
test_1() {
[ $GSS_SUP = 0 ] && skip "without GSS support." && return
- [ -z "$MDT" ] && skip "do not support do_facet operations." && return
- [ "$CLIENT_TYPE" = "remote" ] && \
- skip "test_1 for local client only" && return
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
- rm -rf $DIR/d1
- mkdir $DIR/d1
+ rm -rf $DIR/$tdir
+ mkdir -p $DIR/$tdir
- chown $USER0 $DIR/d1 || error "chown (1)"
- $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f0 && error "touch (2)"
- do_facet $SINGLEMDS "echo '* $ID1 setuid' > $PERM_CONF"
+ chown $USER0 $DIR/$tdir || error "chown (1)"
+ $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
echo "enable uid $ID1 setuid"
+ do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f1 || error "touch (3)"
+ $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
- chown root $DIR/d1 || error "chown (4)"
- chgrp $USER0 $DIR/d1 || error "chgrp (5)"
- chmod 770 $DIR/d1 || error "chmod (6)"
- $RUNAS -u $ID1 -g $ID1 touch $DIR/d1/f2 && error "touch (7)"
- $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f3 && error "touch (8)"
- do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
+ chown root $DIR/$tdir || error "chown (4)"
+ chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
+ chmod 0770 $DIR/$tdir || error "chmod (6)"
+ $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
+ $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)"
echo "enable uid $ID1 setuid,setgid"
+ do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f4 || error "touch (9)"
- $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/d1/f5 || error "touch (10)"
+ $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)"
+ $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)"
- rm -rf $DIR/d1
+ rm -rf $DIR/$tdir
do_facet $SINGLEMDS "rm -f $PERM_CONF"
do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
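Review bot: test_1 now appends the first entry (`echo '* $ID1 setuid' >> $PERM_CONF`) but overwrites with the second (`echo '* $ID1 setuid,setgid' > $PERM_CONF`), so on a remote client the `* 0 rmtown` line written at the top of the test is silently discarded halfway through. As far as the visible steps go nothing after that point needs rmtown (only $ID1 touches and a root `rm -rf`), but the asymmetry looks accidental and will surprise whoever adds a chown later. Use `>>` for both writes, or rebuild the file explicitly with both lines, so the remote-client permission set stays stable for the whole test.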
skip "could not find setfacl" && return
[ "$UID" != 0 ] && skip "must run as root" && return
+ do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+
sec_login root root
sec_login bin bin
sec_login daemon daemon
umask 0022
cd $DIR
- if [ ! -z "$MDT" ]; then
- do_facet $SINGLEMDS "echo '* 0 rmtacl' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
- if lfs rgetfacl $DIR; then
- echo "performing cp ..."
- run_rmtacl_subtest cp || error "cp"
- else
- echo "server doesn't permit current user 'lfs r{s,g}etfacl', skip cp test."
- fi
+ echo "performing cp ..."
+ run_rmtacl_subtest cp || error "cp"
echo "performing getfacl-noacl..."
run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
echo "performing misc..."
run_rmtacl_subtest inheritance || error "inheritance"
rm -f make-tree
- if [ ! -z "$MDT" ]; then
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
cd $SAVE_PWD
umask $SAVE_UMASK
+
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
}
run_test 2 "rmtacl ============================="
# as for remote client, the groups of the specified uid on MDT
# will be obtained by upcall /sbin/l_getidentity and used.
test_4() {
- rm -rf $DIR/d4
- mkdir $DIR/d4
- chmod 771 $DIR/d4
- chgrp $ID0 $DIR/d4
- $RUNAS -u $ID0 ls $DIR/d4 || error "setgroups (1)"
- if [ "$CLIENT_TYPE" != "remote" ]; then
- if [ ! -z "$MDT" ]; then
- do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/d4 || error "setgroups (2)"
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
+
+ rm -rf $DIR/$tdir
+ mkdir -p $DIR/$tdir
+ chmod 0771 $DIR/$tdir
+ chgrp $ID0 $DIR/$tdir
+ $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
+ if [ "$CLIENT_TYPE" = "local" ]; then
+ do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)"
fi
- $RUNAS -u $ID1 -G1,2 ls $DIR/d4 && error "setgroups (3)"
- rm -rf $DIR/d4
+ $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
+ rm -rf $DIR/$tdir
+
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
}
run_test 4 "set supplementary group ==============="
return 0
}
+mds_sec_level_switch() {
+ [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
+
+ case $1 in
+ 0) echo "Disable capa for all clients";;
+ 1) echo "Enable capa for remote client";;
+ 3) echo "Enable capa for all clients";;
+ *) echo "Invalid mds sec level switch value" && return 2;;
+ esac
+
+ do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
+ return 0
+}
+
+oss_sec_level_switch() {
+ [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
+
+ case $1 in
+ 0) echo "Disable capa for all clients";;
+ 1) echo "Enable capa for remote client";;
+ 3) echo "Enable capa for all clients";;
+ *) echo "Invalid oss sec level switch value" && return 2;;
+ esac
+
+ for i in `seq $OSTCOUNT`; do
+ local j=`expr $i - 1`
+ local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
+ [ -z "$OST" ] && return 3
+ do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
+ done
+ return 0
+}
+
mds_capability_switch() {
[ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
for i in `seq $OSTCOUNT`; do
local j=`expr $i - 1`
- local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats | cut -d"." -f2" || true`"
+ local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
+ [ -z "$OST" ] && return 3
do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
done
return 0
}
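Review bot: The `lctl get_param -N obdfilter.\*OST\*$j/stats` lookup in the new oss_sec_level_switch (and the same line in the capability switch below it) keys the glob on the bare index `$j`, so with more than ten OSTs `*OST*1` would also match OST0011, OST0021 and so on, and `$OST` becomes a multi-line value that is then interpolated into `lctl set_param obdfilter.$OST.sec_level=$1`. The added `[ -z "$OST" ] && return 3` catches the no-match case but not this one. If OST device names carry a zero-padded hex index as the `OST` prefix suggests (confirm the naming scheme), anchor the glob on the padded value, e.g. `obdfilter.\*OST$(printf '%04x' $j).stats`. That line also still uses `/stats` while the MDT lookup near the top of the file was changed to `.stats` in this same change; pick one form for all three lookups.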
+turn_mds_capa_on() {
+ mds_capability_switch 3 || return 1
+ mds_sec_level_switch 3 || return 2
+ return 0
+}
+
+turn_oss_capa_on() {
+ oss_capability_switch 1 || return 1
+ oss_sec_level_switch 3 || return 2
+ return 0
+}
+
turn_capability_on() {
local capa_timeout=${1:-"1800"}
# is turned on on all MDS/OSS servers before
# client mount.
- umount $MOUNT || return 1
+ turn_mds_capa_on || return 1
+ turn_oss_capa_on || return 2
+ mds_capability_timeout $capa_timeout || return 3
+ remount_client $MOUNT || return 4
+ return 0
+}
- mds_capability_switch 3 || return 2
- oss_capability_switch 1 || return 3
- mds_capability_timeout $capa_timeout || return 4
+turn_mds_capa_off() {
+ mds_sec_level_switch 0 || return 1
+ mds_capability_switch 0 || return 2
+ return 0
+}
- mount_client $MOUNT || return 5
+turn_oss_capa_off() {
+ oss_sec_level_switch 0 || return 1
+ oss_capability_switch 0 || return 2
return 0
}
# it in a live system. But, please turn off
# capability of all OSS servers before MDS servers.
- oss_capability_switch 0 || return 1
- mds_capability_switch 0 || return 2
+ turn_oss_capa_off || return 1
+ turn_mds_capa_off || return 2
return 0
}
test_5() {
local file=$DIR/f5
- [ -z "$MDT" ] && skip "do not support do_facet operations." && return
+ [ $GSS_SUP = 0 ] && skip "without GSS support." && return
+ if ! remote_mds; then
+ skip "client should be separated from server."
+ return
+ fi
+
+ rm -f $file
+
turn_capability_off
if [ $? != 0 ]; then
error "turn_capability_off"
return 1
fi
- rm -f $file
- # Disable proc variable
- mds_capability_switch 0
+ turn_oss_capa_on
if [ $? != 0 ]; then
- error "mds_capability_switch 0"
+ error "turn_oss_capa_on"
return 2
fi
- oss_capability_switch 1
- if [ $? != 0 ]; then
- error "oss_capability_switch 1"
- return 3
+
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ remount_client $MOUNT && return 3
+ turn_oss_capa_off
+ return 0
+ else
+ remount_client $MOUNT || return 4
fi
# proc variable disabled -- access to the objects in the filesystem
$WTL $file 30
if [ $? == 0 ]; then
error "Write worked well even though secrets not supplied."
- return 4
+ return 5
fi
turn_capability_on
if [ $? != 0 ]; then
error "turn_capability_on"
- return 4
+ return 6
fi
+
sleep 5
# proc variable enabled, secrets supplied -- write should work now
$WTL $file 30
if [ $? != 0 ]; then
error "Write failed even though secrets supplied."
- return 5
+ return 7
fi
turn_capability_off
if [ $? != 0 ]; then
error "turn_capability_off"
- return 7
+ return 8
fi
rm -f $file
}
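Review bot: The remote-client path in test_5 returns 3 on a successful `remount_client $MOUNT` without undoing the `turn_oss_capa_on` that precedes it, and in the expected-failure path the status of `turn_oss_capa_off` is discarded, so a failed switch-off leaves the OSTs with capa and sec_level 3 for whatever test runs next. Check it the way the other switches in this function are checked, `turn_oss_capa_off || error "turn_oss_capa_off"`, and run it before the `return 3` as well. Test 5 is listed in ALWAYS_EXCEPT per the header comment, so this only matters once it is re-enabled.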
test_6() {
local file=$DIR/f6
- [ -z "$MDT" ] && skip "do not support do_facet operations." && return
+ [ $GSS_SUP = 0 ] && skip "without GSS support." && return
+ if ! remote_mds; then
+ skip "client should be separated from server."
+ return
+ fi
+
turn_capability_off
if [ $? != 0 ]; then
error "turn_capability_off"
return 1
fi
+
rm -f $file
turn_capability_on 30
error "turn_capability_on 30"
return 2
fi
+
# Token expiry
$WTL $file 60
if [ $? != 0 ]; then
error "mds_capability_timeout 30"
return 4
fi
+
$WTL $file 60 &
local PID=$!
sleep 5
# To disable automatic renew, only need turn capa off on MDS.
- mds_capability_switch 0
+ turn_mds_capa_off
if [ $? != 0 ]; then
- error "mds_capability_switch 0"
+ error "turn_mds_capa_off"
return 5
fi
}
sec_unsetup
-sec_cleanup() {
- if [ "$I_MOUNTED" = "yes" ]; then
- cleanupall -f || error "sec_cleanup"
- fi
-}
sec_cleanup
-echo '=========================== finished ==============================='
-[ -f "$SANITYSECLOG" ] && \
- cat $SANITYSECLOG && grep -q FAIL $SANITYSECLOG && exit 1 || true
-echo "$0 completed"
+complete $(basename $0) $SECONDS
+exit_status