3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
# Bootstrap: report skipped tests, extend PATH, and load the test framework
# and the per-configuration settings.
# NOTE(review): the gutter numbers in this listing are not contiguous
# (4 -> 10 -> 13 ...), so some source lines are not shown here.
10 [ "$EXCEPT" ] && echo "Skipping tests: `echo $EXCEPT`"
# $PWD/$SRCDIR, $SRCDIR and $PWD/$SRCDIR/../utils are searched before the
# inherited PATH, so executables found there shadow the system ones.
# SRCDIR is not assigned in the lines shown; if it is empty, the second entry
# becomes an empty PATH element, which the shell resolves as the current
# directory.
13 export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
14 export NAME=${NAME:-local}
# LUSTRE defaults to the parent of this script's directory. The framework and
# the configuration file are sourced, i.e. executed in this shell, so LUSTRE,
# NAME and CONFIG decide which code runs and should come from a trusted
# environment.
16 LUSTRE=${LUSTRE:-`dirname $0`/..}
17 . $LUSTRE/tests/test-framework.sh
# ${CONFIG:=...} assigns the default path to CONFIG when it is unset or empty,
# then sources the result.
19 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
# Helper binaries used by the tests; both can be overridden from the
# environment.
21 RUNAS=${RUNAS:-"$LUSTRE/tests/runas"}
22 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
# CONFDIR is not assigned in the lines shown (presumably it comes from the
# sourced configuration -- confirm).
25 PERM_CONF=$CONFDIR/perm.conf
# Log file: $TESTSUITELOG if set, else $TMP/<script name without .sh>.log.
26 SANITYSECLOG=${TESTSUITELOG:-$TMP/$(basename $0 .sh).log}
# Map the two test identities to login names by matching ":uid:gid:" in
# /etc/passwd, with uid and gid both equal to $ID0 (resp. $ID1).
# NOTE(review): ID0 and ID1 are not assigned in the lines shown. Only the
# local /etc/passwd is read, so accounts provided by another name service are
# not found, and more than one matching entry yields a multi-line value.
31 USER0=`cat /etc/passwd|grep :$ID0:$ID0:|cut -d: -f1`
32 USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1`
# NOTE(review): the conditions guarding the next two lines are not shown
# (presumably an empty USER0 / USER1 -- confirm). A missing account ends the
# script with status 0, so the whole suite is reported as skipped, not failed.
35 echo "Please add user0 (uid=$ID0 gid=$ID0)! Skip sanity-sec" && exit 0
38 echo "Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec" && exit 0
# Set up the filesystem through the framework helper, then check the
# preconditions of this suite.
40 check_and_setup_lustre
# $MOUNT is used as an unanchored grep pattern: the check passes whenever the
# mount path occurs anywhere inside $DIR, not only as its leading component.
# sec_cleanup and exit 1 run only if `error` returns successfully; whether
# `error` itself terminates the script is not visible here.
43 [ -z "`echo $DIR | grep $MOUNT`" ] && \
44 error "$DIR not in $MOUNT" && sec_cleanup && exit 1
# More than one word in $MOUNT is reported as "mounted more than once"; the
# script then cleans up and exits 0 (skip, not failure).
46 [ `echo $MOUNT | wc -w` -gt 1 ] && \
47 echo "NAME=$MOUNT mounted more than once" && sec_cleanup && exit 0
# The suite is skipped entirely on configurations with more than one MDS.
49 [ $MDSCOUNT -gt 1 ] && \
50 echo "skip multi-MDS test" && sec_cleanup && exit 0
# Detect GSS support from the loaded kernel modules: take the third lsmod
# column (the use count) of the module whose name starts with ptlrpc_gss.
53 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
# GSS counts as available only when the module is listed and its use count is
# not "0"; a loaded but unused module is reported as "without GSS support".
# NOTE(review): the else/fi lines and any assignment made in the two branches
# are not shown; GSS_SUP, tested later in test 1, is presumably set there.
54 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
56 echo "with GSS support"
59 echo "without GSS support"
# Ask the MDS facet for the name of its MDT: list the mdt.*MDT*/stats
# parameter and keep the second dot-separated field. `|| true` turns a failed
# remote call into an empty MDT instead of an error; later tests skip their
# server-side steps when MDT is empty.
62 MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*/stats | cut -d"." -f2" || true`"
63 if [ ! -z "$MDT" ]; then
# The directory that will hold perm.conf is created on the MDS node.
64 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
# Parameter names used later to flush cached identities and to set the
# capability timeout on that MDT.
65 IDENTITY_FLUSH=mdt.$MDT.identity_flush
67 CAPA_TIMEOUT=mdt.$MDT.capa_timeout
# True when no llite client_type value contains "remote". The 2>/dev/null
# applies to grep only, so lctl errors are still printed.
# NOTE(review): the branch bodies are not shown; CLIENT_TYPE, compared against
# "local"/"remote" in the tests, is presumably assigned there.
71 if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
# NOTE(review): the enclosing definition is not shown. These lines use $user
# and $group and are presumably the body of sec_login, which is called
# elsewhere in this file as `sec_login <user> <group>` -- confirm.
# Step 1: run krb5_login.sh as $user; a failure is reported through `error`.
87 if ! $RUNAS -u $user krb5_login.sh; then
88 error "$user login kerberos failed."
# Step 2: probe access by listing $DIR as $user/$group (output discarded).
# On failure, flush the user's security context, log in again and retry once.
# The exit status of the flush and of the second login is not checked; only
# the repeated ls decides the outcome.
92 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
93 $RUNAS -u $user lfs flushctx -k
94 $RUNAS -u $user krb5_login.sh
95 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
96 error "init $user $group failed."
# Per-MDS record of the status returned by `switch_identity <n> true`; only
# non-zero statuses are stored. The cleanup at the end of the script reverts
# exactly the entries whose stored status is 1.
# NOTE(review): switch_identity is defined outside this listing; what each
# status means is not visible here.
102 declare -a identity_old
105 for num in `seq $MDSCOUNT`; do
106 switch_identity $num true || identity_old[$num]=$?
# Make sure both test identities can list $DIR; if not, log the corresponding
# user in (user name doubles as group name in the call).
109 if ! $RUNAS -u $ID0 ls $DIR > /dev/null 2>&1; then
110 sec_login $USER0 $USER0
113 if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
114 sec_login $USER1 $USER1
119 # run as different user
# Convention in this test: `cmd || error` means the operation must succeed,
# `cmd && error` means it must be denied.
# NOTE(review): a negative check passes on any non-zero status, including
# failures unrelated to permissions (for example a missing runas binary);
# checking for the expected error would make a pass more meaningful.
# NOTE(review): the function header and the creation of $DIR/d0 are on lines
# this listing does not show.
# Phase 1: d0 is owned by USER0.
124 chown $USER0 $DIR/d0 || error "chown (1)"
125 $RUNAS -u $ID0 ls $DIR || error "ls (2)"
# ID0 must not be able to create a file directly in $DIR ...
126 $RUNAS -u $ID0 touch $DIR/f0 && error "touch (3)"
# ... but may create one in the directory it owns; ID1 may not; the invoking
# user may.
127 $RUNAS -u $ID0 touch $DIR/d0/f1 || error "touch (4)"
128 $RUNAS -u $ID1 touch $DIR/d0/f2 && error "touch (5)"
129 touch $DIR/d0/f3 || error "touch (6)"
# Phase 2: owner root, group USER0, mode 775 -- access now has to come from
# the group bits. chgrp by name assumes a group called like the user exists;
# the /etc/passwd match earlier in the script only fixes the numeric gid.
130 chown root $DIR/d0 || error "chown (7)"
131 chgrp $USER0 $DIR/d0 || error "chgrp (8)"
132 chmod 775 $DIR/d0 || error "chmod (9)"
133 $RUNAS -u $ID0 touch $DIR/d0/f4 || error "touch (10)"
134 $RUNAS -u $ID1 touch $DIR/d0/f5 && error "touch (11)"
135 touch $DIR/d0/f6 || error "touch (12)"
139 run_test 0 "uid permission ============================="
# setuid/setgid permission test. It runs only with GSS support, with a
# reachable MDT, and on a client that is not "remote".
# NOTE(review): $GSS_SUP is unquoted; if it is unset the test command errors
# out with a non-zero status and the skip is not taken.
143 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
144 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
145 [ "$CLIENT_TYPE" = "remote" ] && \
146 skip "test_1 for local client only" && return
# Start from a clean state: remove perm.conf on the MDS and write -1 to the
# identity_flush parameter so that the removal takes effect.
148 do_facet $SINGLEMDS "rm -f $PERM_CONF"
149 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# NOTE(review): the creation of $DIR/d1 is on lines not shown. The runas
# options -v and -j presumably select the effective uid and gid -- confirm
# against the runas helper.
# Without any grant, uid ID1 acting as ID0 must be denied in a directory
# owned by USER0.
154 chown $USER0 $DIR/d1 || error "chown (1)"
155 $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f0 && error "touch (2)"
# Grant "setuid" to uid ID1 in perm.conf (the leading * presumably matches any
# client -- confirm), flush identities, and expect the same operation to
# succeed.
156 do_facet $SINGLEMDS "echo '* $ID1 setuid' > $PERM_CONF"
157 echo "enable uid $ID1 setuid"
158 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
159 $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f1 || error "touch (3)"
# Directory now root:USER0 with mode 770. With only "setuid" granted, neither
# ID1's own gid nor -j ID0 may give access.
161 chown root $DIR/d1 || error "chown (4)"
162 chgrp $USER0 $DIR/d1 || error "chgrp (5)"
163 chmod 770 $DIR/d1 || error "chmod (6)"
164 $RUNAS -u $ID1 -g $ID1 touch $DIR/d1/f2 && error "touch (7)"
165 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f3 && error "touch (8)"
# After "setuid,setgid" is granted and identities are flushed, the group
# switch alone and the combined uid+gid switch must both succeed.
166 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
167 echo "enable uid $ID1 setuid,setgid"
168 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
169 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f4 || error "touch (9)"
170 $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/d1/f5 || error "touch (10)"
# Revoke the grants again so later tests do not inherit them.
174 do_facet $SINGLEMDS "rm -f $PERM_CONF"
175 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
177 run_test 1 "setuid/gid ============================="
# Run one remote-ACL subtest: execute $SAVE_PWD/rmtacl/run on the test file
# named by $1 (without the .test suffix).
# $1 is spliced unquoted into the path; the callers in this file pass fixed
# names (cp, getfacl-noacl, misc, permissions, setfacl, inheritance).
# NOTE(review): SAVE_PWD is not assigned in the lines shown, and the closing
# brace of this function is not part of the listing.
179 run_rmtacl_subtest() {
180 $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
185 # for remote client only
# Preconditions: not a "local" client, "acl" at the start of a line of the
# mdc connect_flags, setfacl installed, and running as root. Each unmet
# condition skips the test instead of failing it.
187 [ "$CLIENT_TYPE" = "local" ] && \
188 skip "remote_acl for remote client only" && return
189 [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && \
190 skip "must have acl enabled" && return
191 [ -z "$(which setfacl 2>/dev/null)" ] && \
192 skip "could not find setfacl" && return
193 [ "$UID" != 0 ] && skip "must run as root" && return
# Log in the extra user/group pairs (presumably the ones the ACL subtests
# run as -- confirm against the rmtacl test files).
197 sec_login daemon daemon
198 sec_login games users
# Grant "rmtacl" to uid 0 in perm.conf on the MDS and flush identities.
204 if [ ! -z "$MDT" ]; then
205 do_facet $SINGLEMDS "echo '* 0 rmtacl' > $PERM_CONF"
206 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# The cp subtest runs only when the server lets the current user use
# `lfs rgetfacl`; otherwise it is skipped with the message below.
209 if lfs rgetfacl $DIR; then
210 echo "performing cp ..."
211 run_rmtacl_subtest cp || error "cp"
213 echo "server doesn't permit current user 'lfs r{s,g}etfacl', skip cp test."
215 echo "performing getfacl-noacl..."
216 run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
217 echo "performing misc..."
218 run_rmtacl_subtest misc || error "misc"
219 echo "performing permissions..."
220 run_rmtacl_subtest permissions || error "permissions"
221 echo "performing setfacl..."
222 run_rmtacl_subtest setfacl || error "setfacl"
224 # inheritance test got from HP
225 echo "performing inheritance..."
# The helper is copied into the current directory; the status of cp is not
# checked.
226 cp $SAVE_PWD/rmtacl/make-tree .
228 run_rmtacl_subtest inheritance || error "inheritance"
# Remove the rmtacl grant again and flush identities.
231 if [ ! -z "$MDT" ]; then
232 do_facet $SINGLEMDS "rm -f $PERM_CONF"
233 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
239 run_test 2 "rmtacl ============================="
242 # root_squash will be redesigned in Lustre 1.7
# Placeholder: the visible body skips unconditionally, so this suite performs
# no root_squash check at all.
244 skip "root_squash will be redesigned in Lustre 1.7" && return
246 run_test 3 "rootsquash ============================="
248 # bug 3285 - supplementary group should always succeed.
249 # NB: the supplementary groups are set for local client only,
250 # as for remote client, the groups of the specified uid on MDT
251 # will be obtained by upcall /sbin/l_getidentity and used.
# NOTE(review): the function header and the setup of $DIR/d4 (owner, group,
# mode) are on lines this listing does not show.
257 $RUNAS -u $ID0 ls $DIR/d4 || error "setgroups (1)"
258 if [ "$CLIENT_TYPE" != "remote" ]; then
259 if [ ! -z "$MDT" ]; then
# With "setgrp" granted to uid ID1, a supplementary group list that contains
# ID0 must give ID1 access to d4. The grant is removed right afterwards.
260 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
261 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
262 $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/d4 || error "setgroups (2)"
263 do_facet $SINGLEMDS "rm -f $PERM_CONF"
264 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# Negative check: supplementary groups 1 and 2 alone must not give access.
267 $RUNAS -u $ID1 -G1,2 ls $DIR/d4 && error "setgroups (3)"
270 run_test 4 "set supplementary group ==============="
# Set the capability timeout on the MDT to $1 seconds.
# Arguments: $1 - timeout value; returns 1 when it is missing.
# $1 goes into the command string executed on the MDS without validation; the
# callers visible in this file pass 30 or the 1800 default of
# turn_capability_on.
# NOTE(review): the end of this function is not part of the listing.
272 mds_capability_timeout() {
273 [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
275 echo "Set mds capability timeout as $1 seconds"
276 do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
# Switch capability checking on the MDS on or off.
# Arguments: $1 - 0 (off) or 3 (on).
# Returns:   1 when $1 is missing, 2 for any other value.
# Because of that whitelist only 0 or 3 can reach the remote command string.
# NOTE(review): the case/esac lines and the assignment of MDSCAPA are not
# shown in this listing.
280 mds_capability_switch() {
281 [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
284 0) echo "Turn off mds capability";;
285 3) echo "Turn on mds capability";;
286 *) echo "Invalid mds capability switch value" && return 2;;
289 do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
# Switch capability checking on every OSS on or off.
# Arguments: $1 - 0 (off) or 1 (on).
# Returns:   1 when $1 is missing, 2 for any other value.
# NOTE(review): the case/esac lines and the end of the loop and function are
# not shown in this listing.
293 oss_capability_switch() {
294 [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
297 0) echo "Turn off oss capability";;
298 1) echo "Turn on oss capability";;
299 *) echo "Invalid oss capability switch value" && return 2;;
# Facets are numbered from 1 (ost1, ost2, ...); j is the matching zero-based
# index used to pick the obdfilter target whose name ends in that index.
302 for i in `seq $OSTCOUNT`; do
303 local j=`expr $i - 1`
# `|| true` leaves OST empty when the lookup fails; the set_param on the next
# line is then issued with an empty target name and its status is not checked.
304 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats | cut -d"." -f2" || true`"
305 do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
# Enable fid capability: unmount the client, switch capability on for the MDS
# (3) and all OSSs (1), set the capability timeout, and mount the client again.
# Arguments: $1 - capability timeout in seconds (default 1800).
# Returns:   1..5, one code per failing step, in the order of the steps below.
# NOTE(review): if a step after the umount fails, the function returns with
# the client still unmounted.
310 turn_capability_on() {
311 local capa_timeout=${1:-"1800"}
313 # To turn on fid capability for the system,
314 # there is a requirement that fid capability
315 # is turned on on all MDS/OSS servers before
318 umount $MOUNT || return 1
320 mds_capability_switch 3 || return 2
321 oss_capability_switch 1 || return 3
322 mds_capability_timeout $capa_timeout || return 4
324 mount_client $MOUNT || return 5
# Disable fid capability on a live system, OSS servers first and the MDS last.
# Returns: 1 when the OSS switch fails, 2 when the MDS switch fails.
328 turn_capability_off() {
329 # to turn off fid capability, you can just do
330 # it in a live system. But, please turn off
331 # capability of all OSS servers before MDS servers.
333 oss_capability_switch 0 || return 1
334 mds_capability_switch 0 || return 2
338 # We demonstrate that access to the objects in the filesystem are not
339 # accessible without supplying secrets from the MDS by disabling a
340 # proc variable on the mds so that it does not supply secrets. We then
341 # try and access objects which result in failure.
# NOTE(review): this listing shows mainly the failure messages of the test;
# the commands and conditions that lead to each `error` line are on lines not
# shown, so each message is presumably the failure branch of the step it
# names.
345 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
348 error "turn_capability_off"
# Negative case: capability is switched off on the MDS and on for the OSSs.
# According to the messages below, a write in this state has to fail.
353 # Disable proc variable
354 mds_capability_switch 0
356 error "mds_capability_switch 0"
359 oss_capability_switch 1
361 error "oss_capability_switch 1"
365 # proc variable disabled -- access to the objects in the filesystem
367 echo "Should get Write error here : (proc variable are disabled "\
368 "-- access to the objects in the filesystem is denied."
371 error "Write worked well even though secrets not supplied."
# Positive case: with capability fully turned on, the same write must work.
377 error "turn_capability_on"
382 # proc variable enabled, secrets supplied -- write should work now
383 echo "Should not fail here : (proc variable enabled, secrets supplied "\
384 "-- write should work now)."
387 error "Write failed even though secrets supplied."
# Capability is turned off again at the end of the test.
393 error "turn_capability_off"
398 run_test 5 "capa secrets ========================="
400 # Expiry: A test program is performing I/O on a file. It has credential
401 # with an expiry half a minute later. While the program is running the
402 # credentials expire and no automatic extensions or renewals are
403 # enabled. The program will demonstrate an I/O failure.
# NOTE(review): as in the previous test, most commands and conditions are on
# lines this listing does not show; the `error` lines are presumably the
# failure branches of the steps they name.
407 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
410 error "turn_capability_off"
# Capability is enabled with a 30 second timeout (the argument is passed on to
# mds_capability_timeout).
415 turn_capability_on 30
417 error "turn_capability_on 30"
# $WTL is the write_time_limit helper; the message suggests it is run on $file
# with an argument of 60 -- confirm against the omitted line.
423 error "$WTL $file 60"
427 # Reset MDS capability timeout
428 mds_capability_timeout 30
430 error "mds_capability_timeout 30"
437 # To disable automatic renew, only need turn capa off on MDS.
438 mds_capability_switch 0
440 error "mds_capability_switch 0"
# With renewal disabled the I/O is expected to fail. The opposite outcome is
# reported with echo on the line shown; whether it also fails the test is not
# visible here.
444 echo "We expect I/O failure."
447 echo "no I/O failure got."
453 error "turn_capability_off"
458 run_test 6 "capa expiry ========================="
# Teardown and final result.
# NOTE(review): function headers that may enclose parts of this section are
# not shown in the listing.
460 log "cleanup: ======================================================"
# Revert the identity switch only on the MDSs whose status recorded during
# setup was 1.
463 for num in `seq $MDSCOUNT`; do
464 if [ "${identity_old[$num]}" = 1 ]; then
465 switch_identity $num false || identity_old[$num]=$?
# Both identities list $DIR once more; the results are not checked.
469 $RUNAS -u $ID0 ls $DIR
470 $RUNAS -u $ID1 ls $DIR
# Tear the filesystem down only when I_MOUNTED is "yes".
475 if [ "$I_MOUNTED" = "yes" ]; then
476 cleanupall -f || error "sec_cleanup"
481 echo '=========================== finished ==============================='
# Print the suite log if it exists and exit 1 when it contains "FAIL". The
# trailing `|| true` makes the status 0 in every other case, including a
# missing log file or a failing cat.
482 [ -f "$SANITYSECLOG" ] && \
483 cat $SANITYSECLOG && grep -q FAIL $SANITYSECLOG && exit 1 || true