-rw-r--r-- | glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh | 212 | ||||
-rw-r--r-- | tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py | 113 |
2 files changed, 325 insertions, 0 deletions
diff --git a/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh
new file mode 100644
index 000000000..74e662432
--- /dev/null
+++ b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh
@@ -0,0 +1,212 @@
+#!/bin/sh
+# Copyright (C) 2016-2017 Red Hat, Inc. <http://www.redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Author: Jiffin Tony Thottan
+
+# set ONLY_CREATE_USERS_AND_GROUPS to a non-empty string to exit before testing
+#ONLY_CREATE_USERS_AND_GROUPS=yes
+
+# if anything goes wrong, exit
+set -e
+
+TESTDIR=${1}
+if [ -z "${TESTDIR}" -o ! -d "${TESTDIR}" ]
+then
+ echo "Usage: ${0} <testdir>"
+ echo ""
+ echo " <testdir> existing directory to use for testing"
+ echo ""
+ exit 1
+fi
+
+# get the domain for this system, maybe get it from /etc/idmapd.conf instead?
+
+error()
+{
+ echo "ERROR: ${@}" > /dev/stderr
+}
+
+clean_mkdir()
+{
+ local dir=${1}
+
+ [ -d ${dir} ] && rm -rf ${dir}
+ mkdir ${dir}
+}
+
+OK()
+{
+ local user=${1}
+ shift
+ local cmd="${@}"
+
+ if ! su ${user} sh -c "${cmd}" > /dev/null
+ then
+ error "FAILED as ${user}: ${cmd}"
+ return 1
+ else
+ echo "OK as ${user}: ${cmd}"
+ fi
+
+ return 0
+}
+
+FAIL()
+{
+ local user=${1}
+ shift
+ local cmd="${@}"
+
+ if su ${user} sh -c "${cmd}" > /dev/null 2>&1
+ then
+ error "OK but should have FAILED as ${user}: ${cmd}"
+ return 1
+ else
+ echo "OK(=FAILED) as ${user}: ${cmd}"
+ fi
+
+ return 0
+}
+
+# test for existing user, create if missing
+# there is no need for home directories
+# each used should have its own group
+add_user()
+{
+ local username=${1}
+ shift
+ local userid=${1}
+ getent passwd ${username} >/dev/null \
+ || useradd --no-create-home --shell /bin/sh --user-group ${username} -u ${userid}
+}
+
+
+add_user testuser1 5600
+add_user testuser2 5601
+add_user testuser3 5602
+add_user testuser4 5603
+add_user testuser5 5604
+add_user testuser6 5605
+
+# test for existing group, create if missing, add the additional
+add_group()
+{
+ local groupname=${1}
+ shift
+ local groupid=${1}
+ shift
+ local users=${@}
+ local username=''
+
+ # create the group, if missing
+ getent group ${groupname} > /dev/null \
+ || groupadd ${groupname} -g ${groupid}
+
+ # add each user to the group
+ for username in ${users}
+ do
+ usermod -a -G ${groupname} ${username}
+ done
+}
+
+add_group devgrp 6600 testuser2 testuser3
+add_group qegrp 6601 testuser4
+add_group managergrp 6602 testuser6 testuser5
+
+# only create users/groups, exit here
+if [ -n "${ONLY_CREATE_USERS_AND_GROUPS}" ]
+then
+ echo "Users and groups created, exiting..."
+ exit 0
+fi
+
+cd ${TESTDIR}
+
+# create an STATUS file where all users/groups can write progress
+[ -e STATUS ] && rm -f STATUS
+OK root "/bin/echo 'Status of this test:' > STATUS"
+OK root nfs4_setfacl -a A:g:devgrp:RW STATUS
+OK root nfs4_setfacl -a A:g:qegrp:RW STATUS
+OK root nfs4_setfacl -a A:g:managergrp:RW STATUS
+
+for USER in testuser2 testuser3 testuser4 testuser5 testuser6
+do
+ OK ${USER} "/bin/echo '- ${USER} can write' > STATUS"
+done
+
+OK testuser1 "cat STATUS"
+FAIL testuser1 "/bin/echo '- testuser1 should not be able to write' > STATUS"
+
+# some notes that testuser2 owns, only testuser3 may read them
+[ -e NOTES.testuser2 ] && rm -f NOTES.testuser2
+# create the file and hand it over to testuser2
+OK root touch NOTES.testuser2
+OK root chown testuser2:testuser2 NOTES.testuser2
+# these notes are secret
+OK testuser2 chmod 0600 NOTES.testuser2
+sleep 2
+OK testuser2 nfs4_setfacl -a A::testuser3:R NOTES.testuser2
+# testuser2 should be able to write his own notes
+OK testuser2 "/bin/echo 'This is my secret with testuser3' > NOTES.testuser2"
+OK testuser3 cat NOTES.testuser2
+FAIL testuser4 cat NOTES.testuser2
+FAIL testuser5 cat NOTES.testuser2
+# actually, also allow qegrp people to read the notes after previous failure
+OK testuser2 nfs4_setfacl -a A:g:qegrp:R NOTES.testuser2
+OK testuser4 cat NOTES.testuser2
+FAIL testuser5 cat NOTES.testuser2
+
+# any developer should be able to create filed/dirs under the src directory
+clean_mkdir src
+OK root nfs4_setfacl -a A:gdf:devgrp:RWX src
+OK root nfs4_setfacl -a A:gdf:OWNER@:RWX src
+OK testuser2 "/bin/echo 'Please send patches' > src/CONTRIBUTING"
+OK testuser3 "/bin/echo 'Thanks to all contributors:' > src/THANKS"
+OK testuser3 "/bin/echo 'Jiffin' >> src/THANKS"
+
+# the testuser1 user should not be able to read our propriatary source code
+OK root nfs4_setfacl -a D::testuser1:RWX -R src
+FAIL testuser1 "cat src/THANKS"
+
+# qegrp members may read the source code, but not modify it
+OK root nfs4_setfacl -a A:g:qegrp:RX -R src
+OK testuser4 "cat src/THANKS"
+FAIL testuser4 "/bin/echo 'Saurabh' >> src/THANKS"
+FAIL testuser4 "rm src/THANKS"
+
+# newly added files should inherit the permissions, qegrp can read them
+OK testuser3 "/bin/echo 'ACLs' > src/TODO"
+
+# managergrp should create a compass for their reporting employees
+clean_mkdir compass
+OK root nfs4_setfacl -a "A:g:managergrp:RWX" compass
+# devgrp and qegrp should be able to list contents of the compass directory
+OK root nfs4_setfacl -a "A:g:devgrp:X" compass
+OK root nfs4_setfacl -a "A:g:qegrp:X" compass
+OK root nfs4_setfacl -a "D:dfi:EVERYONE@:RWX" compass
+OK root nfs4_setfacl -a "A:dfi:OWNER@:RWX" compass
+OK root nfs4_setfacl -a "A:dgfi:managergrp:RX" compass
+OK testuser6 "/bin/echo 'You should have started compass yesterday' > compass/testuser3"
+OK testuser6 nfs4_setfacl -a "A::testuser3:RW" compass/testuser3
+# testuser5 should also be able to read testuser3' compass
+OK testuser5 "cat compass/testuser3"
+# testuser2 should not be able to read testuser3' compass
+FAIL testuser2 "cat compass/testuser3"
+
+# each employee may only read/edit their own compass
+OK testuser3 "/bin/echo 'I will start really soon now...' > compass/testuser3"
+OK testuser3 "cat compass/testuser3"
diff --git a/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py b/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py
new file mode 100644
index 000000000..871ad1090
--- /dev/null
+++ b/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py
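Review bot: FAIL() in nfsv4_acl_test.sh treats any non-zero exit as the expected denial and discards stderr, so a negative ACL check such as `FAIL testuser1 "cat src/THANKS"` also passes when `su` itself fails, the account is missing, or the target file does not exist. For an access-control test that is a vacuous pass: a check that never reached the ACL is indistinguishable from a real denial. Capture stderr and accept only a permission error as the expected outcome, reporting anything else as a failure. The message patterns below are an assumption about the tools and locale on the test hosts and should be confirmed there.

```shell
FAIL()
{
    local user=${1}
    shift
    local cmd="${@}"
    local err=''

    # keep stderr for inspection, drop stdout as before
    if err=$(su ${user} sh -c "${cmd}" 2>&1 > /dev/null)
    then
        error "OK but should have FAILED as ${user}: ${cmd}"
        return 1
    fi

    # only a permission error counts as the expected denial
    case "${err}" in
        *"ermission denied"*|*"not permitted"*)
            echo "OK(=FAILED) as ${user}: ${cmd}"
            ;;
        *)
            error "FAILED for an unexpected reason as ${user}: ${cmd}: ${err}"
            return 1
            ;;
    esac

    return 0
}
```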
@@ -0,0 +1,113 @@
+# Copyright (C) 2016-2017 Red Hat, Inc. <http://www.redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+""" Description:
+ Test Cases in this module tests the nfs ganesha version 4
+ ACL functionality.
+"""
+
+from glusto.core import Glusto as g
+from glustolibs.gluster.gluster_base_class import runs_on
+from glustolibs.gluster.nfs_ganesha_libs import NfsGaneshaVolumeBaseClass
+from glustolibs.gluster.nfs_ganesha_ops import enable_acl, disable_acl
+from glustolibs.gluster.exceptions import ExecutionError
+import time
+import re
+
+
+@runs_on([['replicated', 'distributed', 'distributed-replicated',
+ 'dispersed', 'distributed-dispersed'],
+ ['nfs']])
+class TestNfsGaneshaAcls(NfsGaneshaVolumeBaseClass):
+ """
+ Tests to verify Nfs Ganesha v4 ACL stability
+ """
+
+ @classmethod
+ def setUpClass(cls):
+ NfsGaneshaVolumeBaseClass.setUpClass.im_func(cls)
+
+ def setUp(self):
+ ret = enable_acl(self.servers[0], self.volname)
+ if not ret:
+ raise ExecutionError("Failed to enable ACL on the nfs "
+ "ganesha cluster")
+
+ def test_nfsv4_acls(self):
+
+ source_file = ("/usr/share/glustolibs/io/scripts/nfs_ganesha/"
+ "nfsv4_acl_test.sh")
+ test_acl_file = "/tmp/nfsv4_acl_test.sh"
+
+ for server in self.servers:
+ g.upload(server, source_file, "/tmp/", user="root")
+
+ cmd = ("export ONLY_CREATE_USERS_AND_GROUPS=\"yes\";sh %s %s"
+ % (test_acl_file, "/tmp"))
+ ret, _, _ = g.run(server, cmd)
+ self.assertEqual(ret, 0, ("Failed to create users and groups "
+ "for running acl test in server %s"
+ % server))
+ time.sleep(5)
+
+ for client in self.clients:
+ g.upload(client, source_file, "/tmp/", user="root")
+ option_flag = 0
+ for mount in self.mounts:
+ if mount.client_system == client:
+ mountpoint = mount.mountpoint
+ if "vers=4" not in mount.options:
+ option_flag = 1
+ break
+
+ if option_flag:
+ g.log.info("This acl test required mount option to be "
+ "vers=4 in %s" % client)
+ continue
+
+ dirname = mountpoint + "/" + "testdir_" + client
+ cmd = "[ -d %s ] || mkdir %s" % (dirname, dirname)
+ ret, _, _ = g.run(client, cmd)
+ self.assertEqual(ret, 0, ("Failed to create dir %s for running "
+ "acl test" % dirname))
+
+ cmd = "sh %s %s" % (test_acl_file, dirname)
+ ret, out, _ = g.run(client, cmd)
+ self.assertEqual(ret, 0, ("Failed to execute acl test on %s"
+ % client))
+
+ g.log.info("ACL test output in %s : %s" % (client, out))
+ acl_output = out.split('\n')[:-1]
+ for output in acl_output:
+ match = re.search("^OK.*", output)
+ if match is None:
+ self.assertTrue(False, ("Unexpected behaviour in acl "
+ "functionality in %s" % client))
+
+ cmd = "rm -rf %s" % dirname
+ ret, _, _ = g.run(client, cmd)
+ self.assertEqual(ret, 0, ("Failed to remove dir %s after running "
+ "acl test" % dirname))
+
+ def tearDown(self):
+ ret = disable_acl(self.servers[0], self.volname)
+ if not ret:
+ raise ExecutionError("Failed to disable ACL on nfs "
+ "ganesha cluster")
+
+ @classmethod
+ def tearDownClass(cls):
+ NfsGaneshaVolumeBaseClass.tearDownClass.im_func(cls) |
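Review bot: test_nfsv4_acls stages the script at the fixed path `/tmp/nfsv4_acl_test.sh` and then runs it with `sh`, apparently as root since the script calls useradd; a predictable name in a world-writable directory means another local account on that host could pre-create or replace the file before it is executed. Staging into a directory created for the run, e.g. `ret, workdir, _ = g.run(server, "mktemp -d")` followed by `g.upload(server, source_file, workdir.strip() + "/", user="root")`, closes that window. The test also leaves the uploaded script and the testuser1–6 accounts and their groups on every server and client; a cleanup step in tearDown would keep shell-capable accounts from persisting on the hosts. Separately, `mountpoint` is assigned only inside the `for mount in self.mounts` loop, so a client with no matching mount reuses the previous client's value or raises NameError.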