+ echo "Set mds capability timeout as $1 seconds"
+ do_facet $SINGLEMDS echo $1 > $CAPA_TIMEOUT
+ return 0
+}
+
+mds_capability_switch() {
+ [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
+
+ case $1 in
+ 0) echo "Turn off mds capability";;
+ 3) echo "Turn on mds capability";;
+ *) echo "Invalid mds capability switch value" && return 2;;
+ esac
+
+ do_facet $SINGLEMDS echo $1 > $MDSCAPA
+ return 0
+}
+
+oss_capability_switch() {
+ [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
+
+ case $1 in
+ 0) echo "Turn off oss capability";;
+ 1) echo "Turn on oss capability";;
+ *) echo "Invalid oss capability switch value" && return 2;;
+ esac
+
+ i=0;
+ while [ $i -lt $OST_COUNT ]; do
+ j=$i;
+ i=`expr $i + 1`
+ OST="`do_facet ost$i ls -l $OST_LPROC/ | grep OST | awk '{print $9}' | grep $j$`"
+ do_facet ost$i echo $1 > $OST_LPROC/$OST/capa
+ done
+ return 0
+}
+
+turn_capability_on() {
+ local capa_timeout=${1:-"1800"}
+
+ # To turn on fid capability for the system,
+ # there is a requirement that fid capability
+ # is turned on on all MDS/OSS servers before
+ # client mount.
+
+ umount $MOUNT || return 1
+
+ mds_capability_switch 3 || return 2
+ oss_capability_switch 1 || return 3
+ mds_capability_timeout $capa_timeout || return 4
+
+ mount_client $MOUNT || return 5
+ return 0
+}
+
+turn_capability_off() {
+ # to turn off fid capability, you can just do
+ # it in a live system. But, please turn off
+ # capability of all OSS servers before MDS servers.
+
+ oss_capability_switch 0 || return 1
+ mds_capability_switch 0 || return 2
+ return 0
+}
+
+# We demonstrate that access to the objects in the filesystem are not
+# accessible without supplying secrets from the MDS by disabling a
+# proc variable on the mds so that it does not supply secrets. We then
+# try and access objects which result in failure.
+test_5() {
+ local file=$DIR/f5
+
+ [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
+ turn_capability_off
+ rm -f $file
+
+ # Disable proc variable
+ mds_capability_switch 0 || return 1
+ oss_capability_switch 1 || return 2
+
+ # proc variable disabled -- access to the objects in the filesystem
+ # is not allowed
+ echo "Should get Write error here : (proc variable are disabled "\
+ "-- access to the objects in the filesystem is denied."
+ $WTL $file 30
+ if [ $? == 0 ]; then
+ echo "Write worked well even though secrets not supplied."
+ return 3
+ fi
+
+ turn_capability_on || return 4
+ sleep 5
+
+ # proc variable enabled, secrets supplied -- write should work now
+ echo "Should not fail here : (proc variable enabled, secrets supplied "\
+ "-- write should work now)."
+ $WTL $file 30
+ if [ $? != 0 ]; then
+ echo "Write failed even though secrets supplied."
+ return 5
+ fi
+
+ turn_capability_off
+ rm -f $file
+}
+sec_run_test 5 "capa secrets ========================="
+
+# Expiry: A test program is performing I/O on a file. It has credential
+# with an expiry half a minute later. While the program is running the
+# credentials expire and no automatic extensions or renewals are
+# enabled. The program will demonstrate an I/O failure.
+test_6() {
+ local file=$DIR/f6
+
+ [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
+ turn_capability_off
+ rm -f $file
+
+ turn_capability_on 30 || return 1
+ # Token expiry
+ $WTL $file 60 || return 2
+
+ # Reset MDS capability timeout
+ mds_capability_timeout 30 || exit 3
+ $WTL $file 60 &
+ local PID=$!
+ sleep 5
+
+ # To disable automatic renew, only need turn capa off on MDS.
+ mds_capability_switch 0 || return 4
+
+ echo "We expect I/O failure."
+ wait $PID
+ if [ $? == 0 ]; then
+ echo "no I/O failure got."
+ return 5