-mds_capability_timeout() {
- [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
-
- echo "Set mds capability timeout as $1 seconds"
- do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
- return 0
-}
-
-mds_sec_level_switch() {
- [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
-
- case $1 in
- 0) echo "Disable capa for all clients";;
- 1) echo "Enable capa for remote client";;
- 3) echo "Enable capa for all clients";;
- *) echo "Invalid mds sec level switch value" && return 2;;
- esac
-
- do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
- return 0
-}
-
-oss_sec_level_switch() {
- [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
-
- case $1 in
- 0) echo "Disable capa for all clients";;
- 1) echo "Enable capa for remote client";;
- 3) echo "Enable capa for all clients";;
- *) echo "Invalid oss sec level switch value" && return 2;;
- esac
-
- for i in `seq $OSTCOUNT`; do
- local j=`expr $i - 1`
- local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
- [ -z "$OST" ] && return 3
- do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
- done
- return 0
-}
-
-mds_capability_switch() {
- [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
-
- case $1 in
- 0) echo "Turn off mds capability";;
- 3) echo "Turn on mds capability";;
- *) echo "Invalid mds capability switch value" && return 2;;
- esac
-
- do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
- return 0
-}
-
-oss_capability_switch() {
- [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
-
- case $1 in
- 0) echo "Turn off oss capability";;
- 1) echo "Turn on oss capability";;
- *) echo "Invalid oss capability switch value" && return 2;;
- esac
-
- for i in `seq $OSTCOUNT`; do
- local j=`expr $i - 1`
- local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
- [ -z "$OST" ] && return 3
- do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
- done
- return 0
-}
-
-turn_mds_capa_on() {
- mds_capability_switch 3 || return 1
- mds_sec_level_switch 3 || return 2
- return 0
-}
-
-turn_oss_capa_on() {
- oss_capability_switch 1 || return 1
- oss_sec_level_switch 3 || return 2
- return 0
-}
-
-turn_capability_on() {
- local capa_timeout=${1:-"1800"}
-
- # To turn on fid capability for the system,
- # there is a requirement that fid capability
- # is turned on on all MDS/OSS servers before
- # client mount.
-
- turn_mds_capa_on || return 1
- turn_oss_capa_on || return 2
- mds_capability_timeout $capa_timeout || return 3
- remount_client $MOUNT || return 4
- return 0
-}
-
-turn_mds_capa_off() {
- mds_sec_level_switch 0 || return 1
- mds_capability_switch 0 || return 2
- return 0
-}
-
-turn_oss_capa_off() {
- oss_sec_level_switch 0 || return 1
- oss_capability_switch 0 || return 2
- return 0
-}
-
-turn_capability_off() {
- # to turn off fid capability, you can just do
- # it in a live system. But, please turn off
- # capability of all OSS servers before MDS servers.
-
- turn_oss_capa_off || return 1
- turn_mds_capa_off || return 2
- return 0
-}
-
-# We demonstrate that access to the objects in the filesystem are not
-# accessible without supplying secrets from the MDS by disabling a
-# proc variable on the mds so that it does not supply secrets. We then
-# try and access objects which result in failure.
-test_5() {
- local file=$DIR/f5
-
- [ $GSS_SUP = 0 ] && skip "without GSS support." && return
- if ! remote_mds; then
- skip "client should be separated from server."
- return
- fi
-
- rm -f $file
-
- turn_capability_off
- if [ $? != 0 ]; then
- error "turn_capability_off"
- return 1
- fi
-
- turn_oss_capa_on
- if [ $? != 0 ]; then
- error "turn_oss_capa_on"
- return 2
- fi
-
- if [ "$CLIENT_TYPE" = "remote" ]; then
- remount_client $MOUNT && return 3
- turn_oss_capa_off
- return 0
- else
- remount_client $MOUNT || return 4
- fi
-
- # proc variable disabled -- access to the objects in the filesystem
- # is not allowed
- echo "Should get Write error here : (proc variable are disabled "\
- "-- access to the objects in the filesystem is denied."
- $WTL $file 30
- if [ $? == 0 ]; then
- error "Write worked well even though secrets not supplied."
- return 5
- fi
-
- turn_capability_on
- if [ $? != 0 ]; then
- error "turn_capability_on"
- return 6
- fi
-
- sleep 5
-
- # proc variable enabled, secrets supplied -- write should work now
- echo "Should not fail here : (proc variable enabled, secrets supplied "\
- "-- write should work now)."
- $WTL $file 30
- if [ $? != 0 ]; then
- error "Write failed even though secrets supplied."
- return 7
- fi
-
- turn_capability_off
- if [ $? != 0 ]; then
- error "turn_capability_off"
- return 8
- fi
- rm -f $file
-}
-run_test 5 "capa secrets ========================="
-
-# Expiry: A test program is performing I/O on a file. It has credential
-# with an expiry half a minute later. While the program is running the
-# credentials expire and no automatic extensions or renewals are
-# enabled. The program will demonstrate an I/O failure.
-test_6() {
- local file=$DIR/f6
-
- [ $GSS_SUP = 0 ] && skip "without GSS support." && return
- if ! remote_mds; then
- skip "client should be separated from server."
- return
- fi
-
- turn_capability_off
- if [ $? != 0 ]; then
- error "turn_capability_off"
- return 1
- fi
-
- rm -f $file
-
- turn_capability_on 30
- if [ $? != 0 ]; then
- error "turn_capability_on 30"
- return 2
- fi
-
- # Token expiry
- $WTL $file 60
- if [ $? != 0 ]; then
- error "$WTL $file 60"
- return 3
- fi
-
- # Reset MDS capability timeout
- mds_capability_timeout 30
- if [ $? != 0 ]; then
- error "mds_capability_timeout 30"
- return 4
- fi
-
- $WTL $file 60 &
- local PID=$!
- sleep 5
-
- # To disable automatic renew, only need turn capa off on MDS.
- turn_mds_capa_off
- if [ $? != 0 ]; then
- error "turn_mds_capa_off"
- return 5
- fi
-
- echo "We expect I/O failure."
- wait $PID
- if [ $? == 0 ]; then
- echo "no I/O failure got."
- return 6
- fi
-
- turn_capability_off
- if [ $? != 0 ]; then
- error "turn_capability_off"
- return 7
- fi
- rm -f $file
-}
-run_test 6 "capa expiry ========================="
-