2 files changed, 325 insertions, 0 deletions
diff --git a/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh
new file mode 100644
index 000000000..74e662432
--- /dev/null
+++ b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh
@@ -0,0 +1,212 @@
+#!/bin/sh
+#  Copyright (C) 2016-2017  Red Hat, Inc. <http://www.redhat.com>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License along
+#  with this program; if not, write to the Free Software Foundation, Inc.,
+#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#  Author: Jiffin Tony Thottan
+
+# set ONLY_CREATE_USERS_AND_GROUPS to a non-empty string to exit before testing
+#ONLY_CREATE_USERS_AND_GROUPS=yes
+
+# if anything goes wrong, exit
+set -e
+
+TESTDIR=${1}
+if [ -z "${TESTDIR}" -o ! -d "${TESTDIR}" ]
+then
+	echo "Usage: ${0} <testdir>"
+        echo ""
+        echo "    <testdir>    existing directory to use for testing"
+        echo ""
+	exit 1
+fi
+
+# get the domain for this system, maybe get it from /etc/idmapd.conf instead?
+
+error()
+{
+	echo "ERROR: ${@}" > /dev/stderr
+}
+
+clean_mkdir()
+{
+	local dir=${1}
+
+	[ -d ${dir} ] && rm -rf ${dir}
+	mkdir ${dir}
+}
+
+OK()
+{
+	local user=${1}
+	shift
+	local cmd="${@}"
+
+	if ! su ${user} sh -c "${cmd}" > /dev/null
+	then
+		error "FAILED as ${user}: ${cmd}"
+		return 1
+        else
+                echo "OK as ${user}: ${cmd}"
+	fi
+
+	return 0
+}
+
+FAIL()
+{
+	local user=${1}
+	shift
+	local cmd="${@}"
+
+	if su ${user} sh -c "${cmd}" > /dev/null 2>&1
+	then
+		error "OK but should have FAILED as ${user}: ${cmd}"
+		return 1
+	else
+		echo "OK(=FAILED) as ${user}: ${cmd}"
+	fi
+
+	return 0
+}
+
+# test for existing user, create if missing
+# there is no need for home directories
+# each used should have its own group
+add_user()
+{
+	local username=${1}
+        shift
+        local userid=${1}
+	getent passwd ${username} >/dev/null \
+                || useradd --no-create-home --shell /bin/sh --user-group ${username} -u ${userid}
+}
+
+
+add_user testuser1 5600
+add_user testuser2 5601
+add_user testuser3 5602
+add_user testuser4 5603
+add_user testuser5 5604
+add_user testuser6 5605
+
+# test for existing group, create if missing, add the additional
+add_group()
+{
+	local groupname=${1}
+	shift
+        local groupid=${1}
+        shift
+	local users=${@}
+	local username=''
+
+	# create the group, if missing
+	getent group ${groupname} > /dev/null \
+                || groupadd ${groupname} -g ${groupid}
+
+	# add each user to the group
+	for username in ${users}
+	do
+		usermod -a -G ${groupname} ${username}
+	done
+}
+
+add_group devgrp 6600 testuser2 testuser3
+add_group qegrp 6601 testuser4
+add_group managergrp 6602 testuser6 testuser5
+
+# only create users/groups, exit here
+if [ -n "${ONLY_CREATE_USERS_AND_GROUPS}" ]
+then
+	echo "Users and groups created, exiting..."
+	exit 0
+fi
+
+cd ${TESTDIR}
+
+# create an STATUS file where all users/groups can write progress
+[ -e STATUS ] && rm -f STATUS
+OK root "/bin/echo 'Status of this test:' > STATUS"
+OK root nfs4_setfacl -a A:g:devgrp:RW STATUS
+OK root nfs4_setfacl -a A:g:qegrp:RW STATUS
+OK root nfs4_setfacl -a A:g:managergrp:RW STATUS
+
+for USER in testuser2 testuser3 testuser4 testuser5 testuser6
+do
+	OK ${USER} "/bin/echo '- ${USER} can write' > STATUS"
+done
+
+OK testuser1 "cat STATUS"
+FAIL testuser1 "/bin/echo '- testuser1 should not be able to write' > STATUS"
+
+# some notes that testuser2 owns, only testuser3 may read them
+[ -e NOTES.testuser2 ] && rm -f NOTES.testuser2
+# create the file and hand it over to testuser2
+OK root touch NOTES.testuser2
+OK root chown testuser2:testuser2 NOTES.testuser2
+# these notes are secret
+OK testuser2 chmod 0600 NOTES.testuser2
+sleep 2
+OK testuser2 nfs4_setfacl -a A::testuser3:R NOTES.testuser2
+# testuser2 should be able to write his own notes
+OK testuser2 "/bin/echo 'This is my secret with testuser3' > NOTES.testuser2"
+OK testuser3 cat NOTES.testuser2
+FAIL testuser4 cat NOTES.testuser2
+FAIL testuser5 cat NOTES.testuser2
+# actually, also allow qegrp people to read the notes after previous failure
+OK testuser2 nfs4_setfacl -a A:g:qegrp:R NOTES.testuser2
+OK testuser4 cat NOTES.testuser2
+FAIL testuser5 cat NOTES.testuser2
+
+# any developer should be able to create filed/dirs under the src directory
+clean_mkdir src
+OK root nfs4_setfacl -a A:gdf:devgrp:RWX src
+OK root nfs4_setfacl -a A:gdf:OWNER@:RWX src
+OK testuser2 "/bin/echo 'Please send patches' > src/CONTRIBUTING"
+OK testuser3 "/bin/echo 'Thanks to all contributors:' > src/THANKS"
+OK testuser3 "/bin/echo 'Jiffin' >> src/THANKS"
+
+# the testuser1 user should not be able to read our propriatary source code
+OK root nfs4_setfacl -a D::testuser1:RWX -R src
+FAIL testuser1 "cat src/THANKS"
+
+# qegrp members may read the source code, but not modify it
+OK root nfs4_setfacl -a A:g:qegrp:RX -R src
+OK testuser4 "cat src/THANKS"
+FAIL testuser4 "/bin/echo 'Saurabh' >> src/THANKS"
+FAIL testuser4 "rm src/THANKS"
+
+# newly added files should inherit the permissions, qegrp can read them
+OK testuser3 "/bin/echo 'ACLs' > src/TODO"
+
+# managergrp should create a compass for their reporting employees
+clean_mkdir compass
+OK root nfs4_setfacl -a "A:g:managergrp:RWX" compass
+# devgrp and qegrp should be able to list contents of the compass directory
+OK root nfs4_setfacl -a "A:g:devgrp:X" compass
+OK root nfs4_setfacl -a "A:g:qegrp:X" compass
+OK root nfs4_setfacl -a "D:dfi:EVERYONE@:RWX" compass
+OK root nfs4_setfacl -a "A:dfi:OWNER@:RWX" compass
+OK root nfs4_setfacl -a "A:dgfi:managergrp:RX" compass
+OK testuser6 "/bin/echo 'You should have started compass yesterday' > compass/testuser3"
+OK testuser6 nfs4_setfacl -a "A::testuser3:RW" compass/testuser3
+# testuser5 should also be able to read testuser3' compass
+OK testuser5 "cat compass/testuser3"
+# testuser2 should not be able to read testuser3' compass
+FAIL testuser2 "cat compass/testuser3"
+
+# each employee may only read/edit their own compass
+OK testuser3 "/bin/echo 'I will start really soon now...' > compass/testuser3"
+OK testuser3 "cat compass/testuser3"
diff --git a/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py b/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py
new file mode 100644
index 000000000..871ad1090
--- /dev/null
+++ b/tests/functional/nfs_ganesha/acls/test_nfs_ganesha_acls.py
@@ -0,0 +1,113 @@
+#  Copyright (C) 2016-2017  Red Hat, Inc. <http://www.redhat.com>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License along
+#  with this program; if not, write to the Free Software Foundation, Inc.,
+#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+""" Description:
+        Test Cases in this module tests the nfs ganesha version 4
+        ACL functionality.
+"""
+
+from glusto.core import Glusto as g
+from glustolibs.gluster.gluster_base_class import runs_on
+from glustolibs.gluster.nfs_ganesha_libs import NfsGaneshaVolumeBaseClass
+from glustolibs.gluster.nfs_ganesha_ops import enable_acl, disable_acl
+from glustolibs.gluster.exceptions import ExecutionError
+import time
+import re
+
+
+@runs_on([['replicated', 'distributed', 'distributed-replicated',
+           'dispersed', 'distributed-dispersed'],
+          ['nfs']])
+class TestNfsGaneshaAcls(NfsGaneshaVolumeBaseClass):
+    """
+        Tests to verify Nfs Ganesha v4 ACL stability
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        NfsGaneshaVolumeBaseClass.setUpClass.im_func(cls)
+
+    def setUp(self):
+        ret = enable_acl(self.servers[0], self.volname)
+        if not ret:
+            raise ExecutionError("Failed to enable ACL on the nfs "
+                                 "ganesha cluster")
+
+    def test_nfsv4_acls(self):
+
+        source_file = ("/usr/share/glustolibs/io/scripts/nfs_ganesha/"
+                       "nfsv4_acl_test.sh")
+        test_acl_file = "/tmp/nfsv4_acl_test.sh"
+
+        for server in self.servers:
+            g.upload(server, source_file, "/tmp/", user="root")
+
+            cmd = ("export ONLY_CREATE_USERS_AND_GROUPS=\"yes\";sh %s %s"
+                   % (test_acl_file, "/tmp"))
+            ret, _, _ = g.run(server, cmd)
+            self.assertEqual(ret, 0, ("Failed to create users and groups "
+                                      "for running acl test in server %s"
+                                      % server))
+        time.sleep(5)
+
+        for client in self.clients:
+            g.upload(client, source_file, "/tmp/", user="root")
+            option_flag = 0
+            for mount in self.mounts:
+                if mount.client_system == client:
+                    mountpoint = mount.mountpoint
+                    if "vers=4" not in mount.options:
+                        option_flag = 1
+                    break
+
+            if option_flag:
+                g.log.info("This acl test required mount option to be "
+                           "vers=4 in %s" % client)
+                continue
+
+            dirname = mountpoint + "/" + "testdir_" + client
+            cmd = "[ -d %s ] || mkdir %s" % (dirname, dirname)
+            ret, _, _ = g.run(client, cmd)
+            self.assertEqual(ret, 0, ("Failed to create dir %s for running "
+                             "acl test" % dirname))
+
+            cmd = "sh %s %s" % (test_acl_file, dirname)
+            ret, out, _ = g.run(client, cmd)
+            self.assertEqual(ret, 0, ("Failed to execute acl test on %s"
+                                      % client))
+
+            g.log.info("ACL test output in %s : %s" % (client, out))
+            acl_output = out.split('\n')[:-1]
+            for output in acl_output:
+                match = re.search("^OK.*", output)
+                if match is None:
+                    self.assertTrue(False, ("Unexpected behaviour in acl "
+                                    "functionality in %s" % client))
+
+            cmd = "rm -rf %s" % dirname
+            ret, _, _ = g.run(client, cmd)
+            self.assertEqual(ret, 0, ("Failed to remove dir %s after running "
+                             "acl test" % dirname))
+
+    def tearDown(self):
+        ret = disable_acl(self.servers[0], self.volname)
+        if not ret:
+            raise ExecutionError("Failed to disable ACL on nfs "
+                                 "ganesha cluster")
+
+    @classmethod
+    def tearDownClass(cls):
+        NfsGaneshaVolumeBaseClass.tearDownClass.im_func(cls)