summaryrefslogtreecommitdiffstats
path: root/tests/basic/mount-nfs-auth.t
blob: fcb41e8e35bfb78ee88f68dd7b39e3994a3a889c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
#!/bin/bash

. $(dirname $0)/../include.rc
. $(dirname $0)/../nfs.rc

cleanup;
## Check whether glusterd is running
TEST glusterd
TEST pidof glusterd
TEST $CLI volume info

# Export variables for allow & deny
EXPORT_ALLOW="/$V0 $H0(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
EXPORT_ALLOW_SLASH="/$V0/ $H0(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
EXPORT_DENY="/$V0 1.2.3.4(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"

# Netgroup variables for allow & deny
NETGROUP_ALLOW="ngtop ng1000\nng1000 ng999\nng999 ng1\nng1 ng2\nng2 ($H0,,)"
NETGROUP_DENY="ngtop ng1000\nng1000 ng999\nng999 ng1\nng1 ng2\nng2 (1.2.3.4,,)"

V0L1="$V0/L1"
V0L2="$V0L1/L2"
V0L3="$V0L2/L3"

# Other variations for allow & deny
EXPORT_ALLOW_RO="/$V0 $H0(sec=sys,ro,anonuid=0) @ngtop(sec=sys,ro,anonuid=0)"
EXPORT_ALLOW_L1="/$V0L1 $H0(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
EXPORT_WILDCARD="/$V0 *(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"

function build_dirs () {
        mkdir -p $B0/b{0,1,2}/L1/L2/L3
}

function export_allow_this_host () {
        printf "$EXPORT_ALLOW\n" > ${NFSDIR}/exports
}

function export_allow_this_host_with_slash () {
        printf "$EXPORT_ALLOW_SLASH\n" > ${NFSDIR}/exports
}

function export_deny_this_host () {
        printf "$EXPORT_DENY\n" > ${NFSDIR}/exports
}

function export_allow_this_host_l1 () {
        printf "$EXPORT_ALLOW_L1\n" >> ${NFSDIR}/exports
}

function export_allow_wildcard () {
        printf "$EXPORT_WILDCARD\n" > ${NFSDIR}/exports
}

function export_allow_this_host_ro () {
        printf "$EXPORT_ALLOW_RO\n" > ${NFSDIR}/exports
}

function netgroup_allow_this_host () {
        printf "$NETGROUP_ALLOW\n" > ${NFSDIR}/netgroups
}

function netgroup_deny_this_host () {
        printf "$NETGROUP_DENY\n" > ${NFSDIR}/netgroups
}

function create_vol () {
        TEST $CLI vol create $V0 replica 3 $H0:$B0/b0 $H0:$B0/b1 $H0:$B0/b2
}

function setup_cluster() {
        build_dirs                      # Build directories
        export_allow_this_host          # Allow this host in the exports file
        netgroup_allow_this_host        # Allow this host in the netgroups file

        glusterd
        create_vol                      # Create the volume
}

function check_mount_success {
        mount_nfs $H0:/$1 $N0 nolock
        if [ $? -eq 0 ]; then
                echo "Y"
        else
                echo "N"
        fi
}

function check_mount_failure {
        mount_nfs $H0:/$1 $N0 nolock
        if [ $? -ne 0 ]; then
                echo "Y"
        else
                local timeout=$UMOUNT_TIMEOUT
                while ! umount_nfs $N0 && [$timeout -ne 0] ; do
                        timeout=$(( $timeout - 1 ))
                        sleep 1
                done
        fi
}

function small_write () {
        dd if=/dev/zero of=$N0/test-small-write count=1 bs=1k 2>&1
        if [ $? -ne 0 ]; then
                echo "N"
        else
                echo "Y"
        fi
}

function bg_write () {
        dd if=/dev/zero of=$N0/test-bg-write count=1 bs=1k &
        BG_WRITE_PID=$!
}

function big_write() {
        dd if=/dev/zero of=$N0/test-big-write count=500 bs=1024k
}

function create () {
        touch $N0/create-test
}

function stat_nfs () {
        ls $N0/
}

# Restarts the NFS server
function restart_nfs () {
        PID=$(ps auxww | grep nfs | grep sbin/glusterfs | awk '{print $2}')
        CMD=$(ps axww | grep nfs | grep sbin/glusterfs |      \
              awk '{$1=""; $2=""; $3=""; $4=""; print $0}' |  \
              sed 's/ *([^()]*)$//')
        kill $PID
        timeout=$PROCESS_UP_TIMEOUT;
        while kill -0 $PID 2>/dev/null; do
                test $timeout -eq 0  && break
                timout=$(( $timeout - 1 ))
                sleep 1
        done
        $CMD
}

setup_cluster

# run preliminary tests
TEST $CLI vol set $V0 cluster.self-heal-daemon off
TEST $CLI vol set $V0 nfs.disable off
TEST $CLI vol set $V0 cluster.choose-local off
TEST $CLI vol start $V0

# Get NFS state directory
NFSDIR=$( $CLI volume get patchy nfs.mount-rmtab | \
          awk '/^nfs.mount-rmtab/{print $2}' | \
          xargs dirname )

## Wait for volume to register with rpc.mountd
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available

## NFS server starts with auth disabled
## Do some tests to verify that.

EXPECT "Y" check_mount_success $V0
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Disallow host
TEST export_deny_this_host
TEST netgroup_deny_this_host

## Technically deauthorized this host, but since auth is disabled we should be
## able to do mounts, writes, etc.
EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Reauthorize this host
export_allow_this_host
netgroup_allow_this_host

## Restart NFS with auth enabled
$CLI vol stop $V0
TEST $CLI vol set $V0 nfs.exports-auth-enable on
$CLI vol start $V0
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available

## Mount NFS
EXPECT "Y" check_mount_success $V0

## Disallow host
TEST export_deny_this_host
TEST netgroup_deny_this_host

## Writes should not be allowed, host is not authorized
EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "N" small_write

## Unmount so we can test mount
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Subsequent ounts should not be allowed, host is not authorized
EXPECT "Y" check_mount_failure $V0

## Reauthorize host
TEST export_allow_this_host
TEST netgroup_allow_this_host

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Allow host in netgroups but not in exports, host should be allowed
TEST export_deny_this_host
TEST netgroup_allow_this_host

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT "Y" small_write
TEST big_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Allow host in exports but not in netgroups, host should be allowed
TEST export_allow_this_host
TEST netgroup_deny_this_host

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Finally, reauth the host in export and netgroup, test mount & write
TEST export_allow_this_host_l1
TEST netgroup_allow_this_host

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0L1
EXPECT "Y" small_write

## Failover test: Restarting NFS and then doing a write should pass
bg_write
TEST restart_nfs
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available

TEST wait $BG_WRITE_PID
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Test deep mounts
EXPECT "Y" check_mount_success $V0L1
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

TEST export_allow_this_host_ro
TEST netgroup_deny_this_host

EXPECT "Y" check_mount_success $V0
EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "N" small_write # Writes should not be allowed
TEST ! create      # Create should not be allowed
TEST stat_nfs      # Stat should be allowed
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

TEST export_deny_this_host
TEST netgroup_deny_this_host
TEST export_allow_this_host_l1 # Allow this host at L1

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_failure $V0 #V0 shouldnt be allowed
EXPECT "Y" check_mount_success $V0L1 #V0L1 should be
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Test wildcard hosts
TEST export_allow_wildcard

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Test if path is parsed correctly
## by mounting host:vol/ instead of host:vol
EXPECT "Y" check_mount_success $V0/
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

TEST export_allow_this_host_with_slash

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

EXPECT "Y" check_mount_success $V0/
EXPECT "Y" small_write
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0


## Turn off exports authentication
$CLI vol stop $V0
TEST $CLI vol set $V0 nfs.exports-auth-enable off
$CLI vol start $V0
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available

TEST export_deny_this_host # Deny the host
TEST netgroup_deny_this_host

EXPECT_WITHIN $AUTH_REFRESH_INTERVAL "Y" check_mount_success $V0 # Do a mount & test
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0

## Turn back on the exports authentication
$CLI vol stop $V0
TEST $CLI vol set $V0 nfs.exports-auth-enable on
$CLI vol start $V0
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available

## Do a simple test to set the refresh time to 20 seconds
TEST $CLI vol set $V0 nfs.auth-refresh-interval-sec 20

## Do a simple test to see if the volume option exists
TEST $CLI vol set $V0 nfs.auth-cache-ttl-sec 400

## Finish up
TEST $CLI volume stop $V0
TEST $CLI volume delete $V0;
TEST ! $CLI volume info $V0;

cleanup