X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=blobdiff_plain;f=lustre%2Ftests%2Fsanity-sec.sh;h=d592192480b56811494b6220fcf68ed4bc7b3c76;hp=8f5d366523a6d81e00e36bd520c3defebd64a76b;hb=2e3e6ff54c312903e69633fcd0fea90da969c3a9;hpb=a7fb215903f6fc9ea93e85b89d1ef9abcff0cdb7 diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 8f5d366..d592192 100644 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -7,7 +7,12 @@ set -e ONLY=${ONLY:-"$*"} -[ "$EXCEPT" ] && echo "Skipping tests: `echo $EXCEPT`" +# bug number for skipped test: 19430 19967 19967 +ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT" +# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT! + +[ "$ALWAYS_EXCEPT$EXCEPT" ] && \ + echo "Skipping tests: $ALWAYS_EXCEPT $EXCEPT" SRCDIR=`dirname $0` export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin @@ -17,8 +22,10 @@ LUSTRE=${LUSTRE:-`dirname $0`/..} . $LUSTRE/tests/test-framework.sh init_test_env $@ . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh} +init_logging + +RUNAS="runas" -RUNAS=${RUNAS:-"$LUSTRE/tests/runas"} WTL=${WTL:-"$LUSTRE/tests/write_time_limit"} CONFDIR=/etc/lustre @@ -26,8 +33,8 @@ PERM_CONF=$CONFDIR/perm.conf SANITYSECLOG=${TESTSUITELOG:-$TMP/$(basename $0 .sh).log} FAIL_ON_ERROR=false -remote_mds_nodsh && skip "remote MDS with nodsh" && exit 0 -remote_ost_nodsh && skip "remote OST with nodsh" && exit 0 +require_dsh_mds || exit 0 +require_dsh_ost || exit 0 ID0=${ID0:-500} ID1=${ID1:-501} @@ -42,6 +49,12 @@ USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1` check_and_setup_lustre +sec_cleanup() { + if [ "$I_MOUNTED" = "yes" ]; then + cleanupall -f || error "sec_cleanup" + fi +} + DIR=${DIR:-$MOUNT} [ -z "`echo $DIR | grep $MOUNT`" ] && \ error "$DIR not in $MOUNT" && sec_cleanup && exit 1 
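Review bot: `RUNAS="runas"` in the second hunk replaces the old `${RUNAS:-...}` default with an unconditional assignment, so a RUNAS supplied in the environment is now silently ignored and the helper is resolved only through PATH. Keeping the override while defaulting to the PATH lookup is `RUNAS=${RUNAS:-runas}`. Since the script runs as root and the PATH exported just above it is prefixed with `$PWD/$SRCDIR` and `$SRCDIR`, a bare command name is resolved from the test tree first; that is pre-existing, but a comment on the RUNAS line stating that the binary is expected from the test tree would make the dependency explicit.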
@@ -62,13 +75,13 @@ else echo "without GSS support" fi -MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*/stats | cut -d"." -f2" || true`" -if [ ! -z "$MDT" ]; then - do_facet $SINGLEMDS "mkdir -p $CONFDIR" - IDENTITY_FLUSH=mdt.$MDT.identity_flush - MDSCAPA=mdt.$MDT.capa - CAPA_TIMEOUT=mdt.$MDT.capa_timeout -fi +MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*.stats 2>/dev/null | cut -d"." -f2" || true`" +[ -z "$MDT" ] && error "fail to get MDT device" && exit 1 +do_facet $SINGLEMDS "mkdir -p $CONFDIR" +IDENTITY_FLUSH=mdt.$MDT.identity_flush +MDSCAPA=mdt.$MDT.capa +CAPA_TIMEOUT=mdt.$MDT.capa_timeout +MDSSECLEVEL=mdt.$MDT.sec_level # for CLIENT_TYPE if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then 
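Review bot: The new `[ -z "$MDT" ] && error "fail to get MDT device" && exit 1` exits without calling `sec_cleanup`, while the `$DIR not in $MOUNT` check earlier in the file chains `sec_cleanup` before its `exit 1`; if `error` returns rather than exits, a filesystem set up by `check_and_setup_lustre` is left mounted on this path. Use the same chain here: `[ -z "$MDT" ] && error "fail to get MDT device" && sec_cleanup && exit 1`. Because both `2>/dev/null` and `|| true` are applied to the `lctl get_param` command, any do_facet or lctl failure is reported only as the generic "fail to get MDT device"; dropping the `2>/dev/null` would let the underlying stderr reach the log. If the MDS hosts more than one MDT the `cut` output is multi-line and `mdt.$MDT.identity_flush` is malformed — I cannot tell from the hunk whether that configuration is supported, so a comment or a `head -1` is worth considering.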
@@ -121,58 +134,74 @@ sec_setup # run as different user test_0() { - rm -rf $DIR/d0 - mkdir $DIR/d0 - - chown $USER0 $DIR/d0 || error "chown (1)" - $RUNAS -u $ID0 ls $DIR || error "ls (2)" - $RUNAS -u $ID0 touch $DIR/f0 && error "touch (3)" - $RUNAS -u $ID0 touch $DIR/d0/f1 || error "touch (4)" - $RUNAS -u $ID1 touch $DIR/d0/f2 && error "touch (5)" - touch $DIR/d0/f3 || error "touch (6)" - chown root $DIR/d0 || error "chown (7)" - chgrp $USER0 $DIR/d0 || error "chgrp (8)" - chmod 775 $DIR/d0 || error "chmod (9)" - $RUNAS -u $ID0 touch $DIR/d0/f4 || error "touch (10)" - $RUNAS -u $ID1 touch $DIR/d0/f5 && error "touch (11)" - touch $DIR/d0/f6 || error "touch (12)" - - rm -rf $DIR/d0 + umask 0022 + + chmod 0755 $DIR || error "chmod (1)" + rm -rf $DIR/$tdir || error "rm (1)" + mkdir -p $DIR/$tdir || error "mkdir (1)" + + if [ "$CLIENT_TYPE" = "remote" ]; then + do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + chown $USER0 $DIR/$tdir && error "chown (1)" + do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + else + chown $USER0 $DIR/$tdir || error "chown (2)" + fi + + $RUNAS -u $ID0 ls $DIR || error "ls (1)" + rm -f $DIR/f0 || error "rm (2)" + $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)" + $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)" + $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)" + touch $DIR/$tdir/f3 || error "touch (4)" + chown root $DIR/$tdir || error "chown (3)" + chgrp $USER0 $DIR/$tdir || error "chgrp (1)" + chmod 0775 $DIR/$tdir || error "chmod (2)" + $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)" + $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)" + touch $DIR/$tdir/f6 || error "touch (7)" + rm -rf $DIR/$tdir || error "rm (3)" + + if [ "$CLIENT_TYPE" = "remote" ]; then + do_facet $SINGLEMDS "rm -f $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + fi } run_test 0 "uid 
permission =============================" # setuid/gid test_1() { [ $GSS_SUP = 0 ] && skip "without GSS support." && return - [ -z "$MDT" ] && skip "do not support do_facet operations." && return - [ "$CLIENT_TYPE" = "remote" ] && \ - skip "test_1 for local client only" && return - do_facet $SINGLEMDS "rm -f $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + if [ "$CLIENT_TYPE" = "remote" ]; then + do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + fi - rm -rf $DIR/d1 - mkdir $DIR/d1 + rm -rf $DIR/$tdir + mkdir -p $DIR/$tdir - chown $USER0 $DIR/d1 || error "chown (1)" - $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f0 && error "touch (2)" - do_facet $SINGLEMDS "echo '* $ID1 setuid' > $PERM_CONF" + chown $USER0 $DIR/$tdir || error "chown (1)" + $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)" echo "enable uid $ID1 setuid" + do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF" do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - $RUNAS -u $ID1 -v $ID0 touch $DIR/d1/f1 || error "touch (3)" + $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)" - chown root $DIR/d1 || error "chown (4)" - chgrp $USER0 $DIR/d1 || error "chgrp (5)" - chmod 770 $DIR/d1 || error "chmod (6)" - $RUNAS -u $ID1 -g $ID1 touch $DIR/d1/f2 && error "touch (7)" - $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f3 && error "touch (8)" - do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF" + chown root $DIR/$tdir || error "chown (4)" + chgrp $USER0 $DIR/$tdir || error "chgrp (5)" + chmod 0770 $DIR/$tdir || error "chmod (6)" + $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)" + $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)" echo "enable uid $ID1 setuid,setgid" + do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF" do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/d1/f4 || error 
"touch (9)" - $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/d1/f5 || error "touch (10)" + $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)" + $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)" - rm -rf $DIR/d1 + rm -rf $DIR/$tdir do_facet $SINGLEMDS "rm -f $PERM_CONF" do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" @@ -195,6 +224,9 @@ test_2 () { skip "could not find setfacl" && return [ "$UID" != 0 ] && skip "must run as root" && return + do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + sec_login root root sec_login bin bin sec_login daemon daemon @@ -204,17 +236,8 @@ test_2 () { umask 0022 cd $DIR - if [ ! -z "$MDT" ]; then - do_facet $SINGLEMDS "echo '* 0 rmtacl' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi - - if lfs rgetfacl $DIR; then - echo "performing cp ..." - run_rmtacl_subtest cp || error "cp" - else - echo "server doesn't permit current user 'lfs r{s,g}etfacl', skip cp test." - fi + echo "performing cp ..." + run_rmtacl_subtest cp || error "cp" echo "performing getfacl-noacl..." run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl" echo "performing misc..." @@ -231,13 +254,11 @@ test_2 () { run_rmtacl_subtest inheritance || error "inheritance" rm -f make-tree - if [ ! -z "$MDT" ]; then - do_facet $SINGLEMDS "rm -f $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi - cd $SAVE_PWD umask $SAVE_UMASK + + do_facet $SINGLEMDS "rm -f $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" } run_test 2 "rmtacl =============================" 
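Review bot: `chmod 0755 $DIR` at the top of the rewritten test_0 changes the mode of the mount root and nothing restores it, and the `umask 0022` set there stays in effect for the rest of the script, whereas test_2 saves and restores its umask via SAVE_UMASK. Capture the original mode before the chmod and restore it at the end of the test, e.g. `local save_mode=$(stat -c %a $DIR)` before `chmod 0755 $DIR` and `chmod $save_mode $DIR` after the final `rm -rf $DIR/$tdir`. In test_1 the first PERM_CONF write now uses `>>` while the second uses `>`, so the `* 0 rmtown` line written for remote clients survives the setuid step but is discarded at the setuid,setgid step; if that is intended, a comment saying so would help. test_1's closing brace and its run_test line are outside the hunk.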
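Review bot: The `* 0 rmtacl,rmtown` entry written to $PERM_CONF at the start of test_2 is only removed at the very end of the function, so if any `run_rmtacl_subtest ... || error` aborts the test (error appears to exit in this framework), the MDS keeps a wildcard uid-0 rmtacl/rmtown grant for every later test and until someone removes the file by hand. The same write-then-remove-at-end pattern is in test_0, test_1 and test_4 of this commit. Removing the file and flushing identity in `sec_unsetup` (or a trap) would make the cleanup independent of each test's exit path. The unconditional `run_rmtacl_subtest cp || error "cp"` also drops the old `lfs rgetfacl $DIR` probe; that is presumably intended now that the permission is granted explicitly, but it deserves a one-line comment.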
@@ -253,22 +274,26 @@ run_test 3 "rootsquash =============================" # as for remote client, the groups of the specified uid on MDT # will be obtained by upcall /sbin/l_getidentity and used. test_4() { - rm -rf $DIR/d4 - mkdir $DIR/d4 - chmod 771 $DIR/d4 - chgrp $ID0 $DIR/d4 - $RUNAS -u $ID0 ls $DIR/d4 || error "setgroups (1)" - if [ "$CLIENT_TYPE" != "remote" ]; then - if [ ! -z "$MDT" ]; then - do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/d4 || error "setgroups (2)" - do_facet $SINGLEMDS "rm -f $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi + if [ "$CLIENT_TYPE" = "remote" ]; then + do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + fi + + rm -rf $DIR/$tdir + mkdir -p $DIR/$tdir + chmod 0771 $DIR/$tdir + chgrp $ID0 $DIR/$tdir + $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)" + if [ "$CLIENT_TYPE" = "local" ]; then + do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)" fi - $RUNAS -u $ID1 -G1,2 ls $DIR/d4 && error "setgroups (3)" - rm -rf $DIR/d4 + $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)" + rm -rf $DIR/$tdir + + do_facet $SINGLEMDS "rm -f $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" } run_test 4 "set supplementary group ===============" 
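Review bot: The setup steps `rm -rf $DIR/$tdir`, `mkdir -p $DIR/$tdir`, `chmod 0771 $DIR/$tdir` and `chgrp $ID0 $DIR/$tdir` in the rewritten test_4 are unchecked, unlike test_0 which attaches `|| error` to each; if the chgrp fails, the next assertion reports a misleading "setgroups (1)". Attach the check to each, e.g. `chgrp $ID0 $DIR/$tdir || error "chgrp"`. Whether the file-level `set -e` would abort instead depends on how run_test invokes the function, which is not visible here.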
@@ -280,6 +305,39 @@ mds_capability_timeout() { return 0 } +mds_sec_level_switch() { + [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1 + + case $1 in + 0) echo "Disable capa for all clients";; + 1) echo "Enable capa for remote client";; + 3) echo "Enable capa for all clients";; + *) echo "Invalid mds sec level switch value" && return 2;; + esac + + do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1" + return 0 +} + +oss_sec_level_switch() { + [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1 + + case $1 in + 0) echo "Disable capa for all clients";; + 1) echo "Enable capa for remote client";; + 3) echo "Enable capa for all clients";; + *) echo "Invalid oss sec level switch value" && return 2;; + esac + + for i in `seq $OSTCOUNT`; do + local j=`expr $i - 1` + local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`" + [ -z "$OST" ] && return 3 + do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1" + done + return 0 +} + mds_capability_switch() { [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1 @@ -304,12 +362,25 @@ oss_capability_switch() { for i in `seq $OSTCOUNT`; do local j=`expr $i - 1` - local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats | cut -d"." -f2" || true`" + local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`" + [ -z "$OST" ] && return 3 do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1" done return 0 } +turn_mds_capa_on() { + mds_capability_switch 3 || return 1 + mds_sec_level_switch 3 || return 2 + return 0 +} + +turn_oss_capa_on() { + oss_capability_switch 1 || return 1 + oss_sec_level_switch 3 || return 2 + return 0 +} + turn_capability_on() { local capa_timeout=${1:-"1800"} 
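Review bot: The OST device lookup in the new `oss_sec_level_switch` is a copy of the one in `oss_capability_switch` (second hunk on this line), and in both the new `[ -z "$OST" ] && return 3` fails silently while every other failure path in these helpers prints a message. Extracting the lookup into one helper that prints a diagnostic on stderr removes the duplication and gives a failed run something to grep for; the same helper would also be the one place to fix if the `obdfilter.\*OST\*$j/stats` pattern needs adjusting. I cannot tell from the hunk whether omitting value 2 from the `case` is deliberate; a comment on the case would settle it.
```shell
# Print the obdfilter device name of the OST with 0-based index $2 on facet $1.
# Returns non-zero, with a diagnostic on stderr, when no device is found.
get_ost_name() {
	local facet=$1 idx=$2
	local name
	name=$(do_facet $facet "lctl get_param -N obdfilter.\*OST\*$idx/stats 2>/dev/null | cut -d. -f2") || true
	[ -z "$name" ] && echo "No OST device found on $facet" >&2 && return 1
	echo "$name"
}

oss_sec_level_switch() {
	# … unchanged: argument check and case …
	for i in `seq $OSTCOUNT`; do
		local OST
		OST=$(get_ost_name ost$i $((i - 1))) || return 3
		do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
	done
	return 0
}
```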
@@ -318,13 +389,22 @@ turn_capability_on() { # is turned on on all MDS/OSS servers before # client mount. - umount $MOUNT || return 1 + turn_mds_capa_on || return 1 + turn_oss_capa_on || return 2 + mds_capability_timeout $capa_timeout || return 3 + remount_client $MOUNT || return 4 + return 0 +} - mds_capability_switch 3 || return 2 - oss_capability_switch 1 || return 3 - mds_capability_timeout $capa_timeout || return 4 +turn_mds_capa_off() { + mds_sec_level_switch 0 || return 1 + mds_capability_switch 0 || return 2 + return 0 +} - mount_client $MOUNT || return 5 +turn_oss_capa_off() { + oss_sec_level_switch 0 || return 1 + oss_capability_switch 0 || return 2 return 0 } @@ -333,8 +413,8 @@ turn_capability_off() { # it in a live system. But, please turn off # capability of all OSS servers before MDS servers. - oss_capability_switch 0 || return 1 - mds_capability_switch 0 || return 2 + turn_oss_capa_off || return 1 + turn_mds_capa_off || return 2 return 0 } @@ -345,24 +425,32 @@ turn_capability_off() { test_5() { local file=$DIR/f5 - [ -z "$MDT" ] && skip "do not support do_facet operations." && return + [ $GSS_SUP = 0 ] && skip "without GSS support." && return + if ! remote_mds; then + skip "client should be separated from server." + return + fi + + rm -f $file + turn_capability_off if [ $? != 0 ]; then error "turn_capability_off" return 1 fi - rm -f $file - # Disable proc variable - mds_capability_switch 0 + turn_oss_capa_on if [ $? != 0 ]; then - error "mds_capability_switch 0" + error "turn_oss_capa_on" return 2 fi - oss_capability_switch 1 - if [ $? != 0 ]; then - error "oss_capability_switch 1" - return 3 + + if [ "$CLIENT_TYPE" = "remote" ]; then + remount_client $MOUNT && return 3 + turn_oss_capa_off + return 0 + else + remount_client $MOUNT || return 4 fi # proc variable disabled -- access to the objects in the filesystem 
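Review bot: In the remote-client branch of the rewritten test_5, `remount_client $MOUNT && return 3` returns before `turn_oss_capa_off` runs, so an unexpected successful remount leaves OSS capability enabled for every following test and reports no reason for the failure. Record the outcome, always undo the switch, and return afterwards: `local rc=0; remount_client $MOUNT && rc=3`, `turn_oss_capa_off`, `return $rc`, with an `echo ... >&2` naming the unexpected remount. The `return 5`..`return 8` values after `error` in the same function are only reachable if `error` returns, which I cannot confirm from the hunk; the rest of test_5 continues on the next line.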
@@ -372,14 +460,15 @@ test_5() { $WTL $file 30 if [ $? == 0 ]; then error "Write worked well even though secrets not supplied." - return 4 + return 5 fi turn_capability_on if [ $? != 0 ]; then error "turn_capability_on" - return 4 + return 6 fi + sleep 5 # proc variable enabled, secrets supplied -- write should work now @@ -388,13 +477,13 @@ test_5() { $WTL $file 30 if [ $? != 0 ]; then error "Write failed even though secrets supplied." - return 5 + return 7 fi turn_capability_off if [ $? != 0 ]; then error "turn_capability_off" - return 7 + return 8 fi rm -f $file } @@ -407,12 +496,18 @@ run_test 5 "capa secrets =========================" test_6() { local file=$DIR/f6 - [ -z "$MDT" ] && skip "do not support do_facet operations." && return + [ $GSS_SUP = 0 ] && skip "without GSS support." && return + if ! remote_mds; then + skip "client should be separated from server." + return + fi + turn_capability_off if [ $? != 0 ]; then error "turn_capability_off" return 1 fi + rm -f $file turn_capability_on 30 @@ -420,6 +515,7 @@ test_6() { error "turn_capability_on 30" return 2 fi + # Token expiry $WTL $file 60 if [ $? != 0 ]; then @@ -433,14 +529,15 @@ test_6() { error "mds_capability_timeout 30" return 4 fi + $WTL $file 60 & local PID=$! sleep 5 # To disable automatic renew, only need turn capa off on MDS. - mds_capability_switch 0 + turn_mds_capa_off if [ $? != 0 ]; then - error "mds_capability_switch 0" + error "turn_mds_capa_off" return 5 fi @@ -474,11 +571,6 @@ sec_unsetup() { } sec_unsetup -sec_cleanup() { - if [ "$I_MOUNTED" = "yes" ]; then - cleanupall -f || error "sec_cleanup" - fi -} sec_cleanup echo '=========================== finished ==============================='
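Review bot: In test_6 the `return 5` after `error "turn_mds_capa_off"` leaves the background `$WTL $file 60 &` job (its PID is saved in `$PID` a few lines earlier) running and unreaped, so the writer keeps going past the test; add `kill $PID 2>/dev/null; wait $PID` before that return. The new `sleep 5` in test_5 after `turn_capability_on` has no comment saying what it waits for, and a fixed delay is a classic source of timing-dependent failures; at minimum document it, e.g. `# give the remounted client time to settle before the first write (timing-dependent)`, or replace it with a bounded poll on the condition it is waiting for. The sec_cleanup removal at the end of the file is a pure move of the definition added near the top.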