author | Susant Palai <spalai@redhat.com> | 2019-01-18 17:26:36 +0530 |
---|---|---|
committer | Amar Tumballi <amarts@redhat.com> | 2019-01-22 05:23:44 +0000 |
commit | 3c556353cd1dde0593096c9e9e11b877403971f0 (patch) | |
tree | 55e87230b06cf8ed635eef434dbb70a63dd736f2 /tests | |
parent | 4f58d35f064e5fba3a02b7be8b2525ebe2114254 (diff) |
locks/fencing: Add a security knob for fencing
There is a low level security issue with fencing since one client
can preempt another client's lock.
This patch does not completely eliminate the issue of a client
misbehaving, but certainly it adds a security layer for default use cases
that do not need fencing.
Change-Id: I55cd15f2ed1ae0f2556e3d27a2ef4bc10fdada1c
updates: #466
Signed-off-by: Susant Palai <spalai@redhat.com>
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/basic/fencing/fence-basic.t | 2 |
-rw-r--r-- | tests/basic/fencing/fencing-crash-conistency.t | 1 |
-rw-r--r-- | tests/basic/fencing/test-fence-option.t | 37 |
3 files changed, 40 insertions, 0 deletions
diff --git a/tests/basic/fencing/fence-basic.t b/tests/basic/fencing/fence-basic.t index 080507c2ba5..30f379e7b20 100755 --- a/tests/basic/fencing/fence-basic.t +++ b/tests/basic/fencing/fence-basic.t @@ -18,6 +18,8 @@ EXPECT 'Started' volinfo_field $V0 'Status'; TEST $CLI volume set $V0 diagnostics.client-log-flush-timeout 30 TEST $CLI volume set $V0 performance.write-behind off TEST $CLI volume set $V0 locks.mandatory-locking forced +TEST $CLI volume set $V0 enforce-mandatory-lock on + logdir=`gluster --print-logdir` diff --git a/tests/basic/fencing/fencing-crash-conistency.t b/tests/basic/fencing/fencing-crash-conistency.t index cca8ee7343f..0c69411e90c 100644 --- a/tests/basic/fencing/fencing-crash-conistency.t +++ b/tests/basic/fencing/fencing-crash-conistency.t @@ -26,6 +26,7 @@ TEST "truncate -s 0 $M0/file" #enable mandatory locking TEST $CLI volume set $V0 locks.mandatory-locking forced +TEST $CLI volume set $V0 enforce-mandatory-lock on #write should pass TEST "echo "test" >> $M0/file" diff --git a/tests/basic/fencing/test-fence-option.t b/tests/basic/fencing/test-fence-option.t new file mode 100644 index 00000000000..115cbe7dbdf --- /dev/null +++ b/tests/basic/fencing/test-fence-option.t 
@@ -0,0 +1,37 @@ +#!/bin/bash + +. $(dirname $0)/../../include.rc +. $(dirname $0)/../../volume.rc + +cleanup; + +# with lock enforcement flag write should fail with out lock + +TEST glusterd +TEST pidof glusterd +TEST $CLI volume info; + +TEST $CLI volume create $V0 $H0:$B0/${V0}1 +EXPECT 'Created' volinfo_field $V0 'Status'; +TEST $CLI volume start $V0; +EXPECT 'Started' volinfo_field $V0 'Status'; +TEST glusterfs -s $H0 --volfile-id $V0 $M0 + +TEST touch $M0/file + +#setfattr for mandatory-enforcement will fail +TEST ! setfattr -n trusted.glusterfs.enforce-mandatory-lock -v 1 $M0/file + +#enable mandatory locking +TEST $CLI volume set $V0 locks.mandatory-locking forced + +#setfattr will fail +TEST ! setfattr -n trusted.glusterfs.enforce-mandatory-lock -v 1 $M0/file + +#set lock-enforcement option +TEST $CLI volume set $V0 enforce-mandatory-lock on + +#setfattr should succeed +TEST setfattr -n trusted.glusterfs.enforce-mandatory-lock -v 1 $M0/file + +cleanup;
\ No newline at end of file |
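Review bot: in tests/basic/fencing/fence-basic.t the new `TEST $CLI volume set $V0 enforce-mandatory-lock on` line is added with no comment, so a reader of the test cannot tell that the fencing checks now depend on a second option besides `locks.mandatory-locking forced`. Add a one-line comment above it saying that fencing requires the enforcement option to be on. The key is also written unqualified while the line directly above uses the `locks.` prefix; if both options belong to the same translator, spelling them the same way would keep the setup block consistent.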
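Review bot: in tests/basic/fencing/fencing-crash-conistency.t the added `enforce-mandatory-lock on` line sits under the existing `#enable mandatory locking` comment, which now describes only the first of the two settings it covers. Update the comment to mention that lock enforcement is switched on as well, so the `#write should pass` step that follows documents which configuration it is exercising.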
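Review bot: the header comment in tests/basic/fencing/test-fence-option.t says "with lock enforcement flag write should fail with out lock", but the test never issues a write; it only checks whether `setfattr -n trusted.glusterfs.enforce-mandatory-lock -v 1 $M0/file` is accepted. Either add the write check or reword the comment to describe the setfattr gating that is actually tested. The two `TEST ! setfattr` assertions also pass on any setfattr failure, so they do not show that the rejection came from the option being off; checking the returned error would tighten them. Since this is the test for a security knob, a case that sets `enforce-mandatory-lock` back to off and confirms setfattr is refused again would cover the disable path. The file also ends without a trailing newline.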