blob: 1eb3d55e36cb9137b5dd234132714111196e781f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
|
#!/bin/bash
. $(dirname $0)/../include.rc
. $(dirname $0)/../nfs.rc
. $(dirname $0)/../volume.rc
. $(dirname $0)/../snapshot.rc
# This function returns a value "Y" if user can execute
# the given command. Else it will return "N"
# @arg-1 : Name of the user
# @arg-2 : Path of the file
# @arg-3 : command to be executed
function check_if_permitted () {
local usr=$1
local path=$2
local cmd=$3
local var
local ret
var=$(su - $usr -c "$cmd $path")
ret=$?
if [ "$cmd" == "cat" ]
then
if [ "$var" == "Test" ]
then
echo "Y"
else
echo "N"
fi
else
if [ "$ret" == "0" ]
then
echo "Y"
else
echo "N"
fi
fi
}
# Create a directory in /tmp to specify which directory to make
# as home directory for user
home_dir=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 8 | head -n 1)
home_dir="/tmp/bug-1167580-$home_dir"
mkdir $home_dir
function get_new_user() {
local temp=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 8 | head -n 1)
id $temp
if [ "$?" == "0" ]
then
get_new_user
else
echo $temp
fi
}
function create_user() {
local user=$1
local group=$2
if [ "$group" == "" ]
then
useradd -d $home_dir/$user $user
else
useradd -d $home_dir/$user -G $group $user
fi
return $?
}
cleanup;
TEST setup_lvm 1
TEST glusterd
TEST $CLI volume create $V0 $H0:$L1
TEST $CLI volume start $V0
# Mount the volume as both fuse and nfs mount
EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available
TEST glusterfs -s $H0 --volfile-id $V0 $M0
TEST mount_nfs $H0:/$V0 $N0 nolock
# Create 2 user
user1=$(get_new_user)
create_user $user1
user2=$(get_new_user)
create_user $user2
# create a file for which only user1 has access
echo "Test" > $M0/README
chown $user1 $M0/README
chmod 700 $M0/README
# enable uss and take a snapshot
TEST $CLI volume set $V0 uss enable
TEST $CLI snapshot config activate-on-create on
TEST $CLI snapshot create snap1 $V0
# try to access the file using user1 account.
# It should succeed with both normal mount and snapshot world.
# There is time delay in which snapd might not have got the notification
# from glusterd about snapshot create hence using "EXPECT_WITHIN"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $M0/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $N0/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $M0/.snaps/snap1/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $N0/.snaps/snap1/README cat
# try to access the file using user2 account
# It should fail from both normal mount and snapshot world
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $M0/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $N0/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $M0/.snaps/snap1/README cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $N0/.snaps/snap1/README cat
# We need to test another scenario where user belonging to one group
# tries to access files from user belonging to another group
# instead of using the already created users and making the test case look complex
# I thought of using two different users.
# The test case written below does the following things
# 1) Create 2 users (user{3,4}), belonging to 2 different groups (group{3,4})
# 2) Take a snapshot "snap2"
# 3) Create a file for which only users belonging to group3 have
# permission to read
# 4) Test various combinations of Read-Write, Fuse-NFS mount, User{3,4,5}
# from both normal mount, and USS world.
echo "Test" > $M0/file3
chmod 740 $M0/file3
group3=$(get_new_user)
groupadd $group3
group4=$(get_new_user)
groupadd $group4
user3=$(get_new_user)
create_user $user3 $group3
user4=$(get_new_user)
create_user $user4 $group4
user5=$(get_new_user)
create_user $user5
chgrp $group3 $M0/file3
TEST $CLI snapshot create snap2 $V0
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $M0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $M0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $M0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $M0/.snaps/snap2/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $N0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $N0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $N0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $N0/.snaps/snap2/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/.snaps/snap2/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/.snaps/snap2/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/.snaps/snap2/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/.snaps/snap2/file3 cat
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/file3 "echo Hello >"
EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/.snaps/snap2/file3 "echo Hello >"
# cleanup
/usr/sbin/userdel -f -r $user1
/usr/sbin/userdel -f -r $user2
/usr/sbin/userdel -f -r $user3
/usr/sbin/userdel -f -r $user4
/usr/sbin/userdel -f -r $user5
#cleanup all the home directory which is created as part of this test case
if [ -d "$home_dir" ]
then
rm -rf $home_dir
fi
groupdel $group3
groupdel $group4
TEST $CLI snapshot delete all
cleanup;
|