From 32f69aa40d892fea8de1b50e89e4378da5a74e79 Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Mon, 13 May 2024 12:03:16 +0200 Subject: [PATCH] EX-9721 tests: fix sanity-sec test_64x for interop 'server_upcall' rbac value is not known by older servers. Fixes: b952bcb620 ("EX-9392 sec: add server_upcall rbac role") Fixes: b5e421625b ("EX-9392 sec: use dedicated INTERNAL upcall cache") Test-Parameters: trivial Test-Parameters: testgroup=review-dne-part-2 Test-Parameters: testgroup=review-dne-part-2 serverversion=EXA6.3.0 Signed-off-by: Sebastien Buisson Change-Id: I39a69904ce4709eacf6f08173d3cfe42e247b5bd Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/55088 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger --- lustre/tests/sanity-sec.sh | 102 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 88 insertions(+), 14 deletions(-) diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 004b441..a16e74d 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -5743,11 +5743,15 @@ cleanup_64() { test_64a() { local testfile=$DIR/$tdir/$tfile + local srv_uc="" local rbac (( MDS1_VERSION >= $(version_code 2.14.0.86) )) || skip "Need MDS >= 2.14.0.86 for role-based controls" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + stack_trap cleanup_64 EXIT mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed" setup_64 @@ -5760,15 +5764,17 @@ test_64a() { byfid_ops \ chlg_ops \ fscrypt_admin \ - server_upcall \ + $srv_uc \ ; do [[ "$rbac" =~ "$role" ]] || error "role '$role' not in default '$rbac'" done + rbac="file_perms" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 \ - --property rbac --value server_upcall,file_perms + --property rbac --value $rbac wait_nm_sync c0 rbac touch $testfile stack_trap "set +vx" 
@@ -5779,8 +5785,14 @@ test_64a() { $LFS project -p 1000 $testfile || error "setting project failed" set +vx rm -f $testfile + rbac="none" + if [ -z "$srv_uc" ]; then + rbac="none" + else + rbac="$srv_uc" + fi do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall + --value $rbac wait_nm_sync c0 rbac touch $testfile set -vx @@ -5795,12 +5807,17 @@ run_test 64a "Nodemap enforces file_perms RBAC roles" test_64b() { local testdir=$DIR/$tdir/${tfile}.d local dir_restripe + local srv_uc="" + local rbac (( MDS1_VERSION >= $(version_code 2.14.0.86) )) || skip "Need MDS >= 2.14.0.86 for role-based controls" (( MDSCOUNT >= 2 )) || skip "mdt count $MDSCOUNT, skipping dne_ops role" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + stack_trap cleanup_64 EXIT mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed" setup_64 @@ -5813,8 +5830,10 @@ test_64b() { error "enabling dir_restripe failed" stack_trap "do_nodes $(comma_list $(all_mdts_nodes)) \ $LCTL set_param mdt.*.enable_dir_restripe=$dir_restripe" EXIT + rbac="dne_ops" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall,dne_ops + --value $rbac wait_nm_sync c0 rbac $LFS mkdir -i 0 ${testdir}_for_migr || error "$LFS mkdir ${testdir}_for_migr failed (1)" @@ -5846,8 +5865,14 @@ test_64b() { $LFS mkdir -i 1 ${testdir}_mdt1 || error "$LFS mkdir ${testdir}_mdt1 failed (2)" + rbac="none" + if [ -z "$srv_uc" ]; then + rbac="none" + else + rbac="$srv_uc" + fi do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall + --value $rbac wait_nm_sync c0 rbac set -vx $LFS mkdir -i 1 $testdir && error "$LFS mkdir should fail (1)" 
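Review bot: The `rbac="none"` assignment added ahead of the `if [ -z "$srv_uc" ]` block in test_64a is dead, because both branches of the conditional assign `rbac` again. The six added lines reduce to one, `rbac="${srv_uc:-none}"`. This is the step that strips the role under test before the denied operations are checked, so a single line makes it easier to see which role set each server version ends up with. The same block is repeated in the later hunks for test_64b, test_64c, test_64d and test_64e. test_64a's body continues outside the hunk.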
@@ -5864,15 +5889,23 @@ test_64b() { run_test 64b "Nodemap enforces dne_ops RBAC roles" test_64c() { + local srv_uc="" + local rbac + (( MDS1_VERSION >= $(version_code 2.14.0.86) )) || skip "Need MDS >= 2.14.0.86 for role-based controls" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + stack_trap cleanup_64 EXIT mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed" setup_64 + rbac="quota_ops" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 \ - --property rbac --value server_upcall,quota_ops + --property rbac --value $rbac wait_nm_sync c0 rbac set -vx $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT || @@ -5905,8 +5938,14 @@ test_64c() { $LFS setquota -p 1000 --delete $MOUNT set +vx + rbac="none" + if [ -z "$srv_uc" ]; then + rbac="none" + else + rbac="$srv_uc" + fi do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall + --value $rbac wait_nm_sync c0 rbac set -vx @@ -5941,17 +5980,24 @@ run_test 64c "Nodemap enforces quota_ops RBAC roles" test_64d() { local testfile=$DIR/$tdir/$tfile + local srv_uc="" + local rbac local fid (( MDS1_VERSION >= $(version_code 2.14.0.86) )) || skip "Need MDS >= 2.14.0.86 for role-based controls" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + stack_trap cleanup_64 EXIT mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed" setup_64 + rbac="byfid_ops" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 \ - --property rbac --value server_upcall,byfid_ops + --property rbac --value $rbac wait_nm_sync c0 rbac touch $testfile @@ -5962,8 +6008,14 @@ test_64d() { lfs rmfid $MOUNT $fid || error "lfs rmfid failed" set +vx + rbac="none" + if [ -z "$srv_uc" ]; then + rbac="none" + else + rbac="$srv_uc" + fi do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall + --value $rbac wait_nm_sync c0 rbac touch $testfile 
@@ -5980,10 +6032,15 @@ run_test 64d "Nodemap enforces byfid_ops RBAC roles" test_64e() { local testfile=$DIR/$tdir/$tfile local testdir=$DIR/$tdir/${tfile}.d + local rbac + local fid (( MDS1_VERSION >= $(version_code 2.14.0.86) )) || skip "Need MDS >= 2.14.0.86 for role-based controls" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + stack_trap cleanup_64 EXIT mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed" setup_64 @@ -5999,8 +6056,10 @@ test_64e() { mkdir $testdir || error "failed to mkdir $testdir" touch $testfile || error "failed to touch $testfile" + rbac="chlg_ops" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 \ - --property rbac --value server_upcall,chlg_ops + --property rbac --value $rbac wait_nm_sync c0 rbac # access changelogs @@ -6011,8 +6070,14 @@ test_64e() { rm -rf $testdir $testfile || error "rm -rf $testdir $testfile failed" + rbac="none" + if [ -z "$srv_uc" ]; then + rbac="none" + else + rbac="$srv_uc" + fi do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall + --value $rbac wait_nm_sync c0 rbac # do some IOs @@ -6036,10 +6101,15 @@ test_64f() { local cli_enc local policy local protector + local rbac + local fid (( MDS1_VERSION >= $(version_code 2.15.54) )) || skip "Need MDS >= 2.15.54 for role-based controls" + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) && + srv_uc="server_upcall" + cli_enc=$($LCTL get_param mdc.*.import | grep client_encryption) [ -n "$cli_enc" ] || skip "Need enc support, skip fscrypt_admin role" which fscrypt || skip "Need fscrypt, skip fscrypt_admin role" 
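Review bot: test_64e assigns `srv_uc` without declaring it: the hunk at -5980 adds `local rbac` and `local fid` but no `local srv_uc=""`, unlike test_64a through test_64d. The assignment therefore writes a global. On an MDS older than 2.14.0.146 the variable is never initialised in this function, so the later `[ -z "$srv_uc" ]` checks would read any value inherited from the environment or a sourced script instead of an empty string. Add `local srv_uc=""` next to `local rbac`. The test_64f hunk at -6036 has the same omission.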
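Review bot: In test_64f the added `(( MDS1_VERSION >= $(version_code 2.14.0.146) ))` check is reached only after the existing `2.15.54` gate has passed. If `version_code` orders versions component by component (its definition is not in this hunk), the condition is always true and `srv_uc` is never empty in this test. Should `server_upcall` have reached the 2.15 line later than 2.15.54, the interop failure this commit targets would still be possible here, so the threshold is worth confirming. If the check is intentionally a no-op, record that with a comment such as `# 2.15.54 gate above already implies server_upcall support`.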
@@ -6052,8 +6122,10 @@ test_64f() { stack_trap "rm -rf $MOUNT/.fscrypt" # file_perms is required because fscrypt uses chmod/chown + rbac="fscrypt_admin,file_perms" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall,fscrypt_admin,file_perms + --value $rbac wait_nm_sync c0 rbac mkdir -p $vaultdir @@ -6072,8 +6144,10 @@ test_64f() { cancel_lru_locks # file_perms is required because fscrypt uses chmod/chown + rbac="file_perms" + [ -z "$srv_uc" ] || rbac="$rbac,$srv_uc" do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \ - --value server_upcall,file_perms + --value $rbac wait_nm_sync c0 rbac set -vx @@ -6110,7 +6184,7 @@ test_64g() { local testfile=$DIR/$tdir/$tfile local fid - (( MDS1_VERSION >= $(version_code 2.14.0.138) )) || + (( MDS1_VERSION >= $(version_code 2.14.0.146) )) || skip "Need MDS >= 2.14.0.138 for role-based controls" # Add groups, and client to new group, on client only. -- 1.8.3.1
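Review bot: The skip message in test_64g still says `Need MDS >= 2.14.0.138` although the condition on the line above it now compares against `2.14.0.146`, so a skipped run on a 2.14.0.138–2.14.0.145 server reports a requirement that server already meets. Update the message to match the check: `skip "Need MDS >= 2.14.0.146 for role-based controls"`. test_64g's body continues outside the hunk.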