qa: add test for checking access in client side of root_squash

Test the 'chown' and 'truncate', which will call the setattr and 'cat' will open the files. Before each testing will open the file by non-root user and keep it to make sure the Fxw caps are issued, and then user the 'sudo' do to the tests, which will set the uid/gid to 0/0. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 28023f8) Conflicts: qa/tasks/cephfs/caps_helper.py: missed dependency commit f0ffade("qa/cephfs/cap_tester: simplify CapTester and its instantiation")
batrick · Mar 27, 2024 · 59c9104 · 59c9104
1 parent 7547e8a
commit 59c9104
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/qa/tasks/cephfs/caps_helper.py b/qa/tasks/cephfs/caps_helper.py
@@ -160,11 +160,11 @@ def run_mds_cap_tests(self, perm, mntpt=None):
         else:
             raise RuntimeError(f'perm = {perm}\nIt should be "r" or "rw".')
 
-    def conduct_pos_test_for_read_caps(self):
+    def conduct_pos_test_for_read_caps(self, sudo_read=False):
         for mount, path, data in self.test_set:
             log.info(f'test read perm: read file {path} and expect data '
                      f'"{data}"')
-            contents = mount.read_file(path)
+            contents = mount.read_file(path, sudo_read)
             self.assertEqual(data, contents)
             log.info(f'read perm was tested successfully: "{data}" was '
                      f'successfully read from path {path}')
@@ -193,3 +193,32 @@ def conduct_neg_test_for_write_caps(self, sudo_write=False):
             cmdargs.pop(-1)
             log.info('absence of write perm was tested successfully: '
                      f'failed to be write data to file {path}.')
+
+    def _conduct_neg_test_for_root_squash_caps(self, _cmdargs, sudo_write=False):
+        possible_errmsgs = ('permission denied', 'operation not permitted')
+        cmdargs = ['sudo'] if sudo_write else ['']
+        cmdargs += _cmdargs
+
+        for mount, path, data in self.test_set:
+            log.info(f'test absence of {_cmdargs[0]} perm: expect failure {path}.')
+
+            # open the file and hold it. The MDS will issue CEPH_CAP_EXCL_*
+            # to mount
+            proc = mount.open_background(path)
+            cmdargs.append(path)
+            mount.negtestcmd(args=cmdargs, retval=1, errmsgs=possible_errmsgs)
+            cmdargs.pop(-1)
+            mount._kill_background(proc)
+            log.info(f'absence of {_cmdargs[0]} perm was tested successfully')
+
+    def conduct_neg_test_for_chown_caps(self, sudo_write=True):
+        # flip ownership to nobody. assumption: nobody's id is 65534
+        cmdargs = ['chown', '-h', '65534:65534']
+        self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write)
+
+    def conduct_neg_test_for_truncate_caps(self, sudo_write=True):
+        cmdargs = ['truncate', '-s', '10GB']
+        self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write)
+
+    def conduct_pos_test_for_open_caps(self, sudo_read=True):
+        self.conduct_pos_test_for_read_caps(sudo_read)
diff --git a/qa/tasks/cephfs/test_admin.py b/qa/tasks/cephfs/test_admin.py
@@ -1312,7 +1312,10 @@ def test_single_path_rootsquash(self):
         # Since root_squash is set in client caps, client can read but not
         # write even thought access level is set to "rw".
         self.captester.conduct_pos_test_for_read_caps()
+        self.captester.conduct_pos_test_for_open_caps()
         self.captester.conduct_neg_test_for_write_caps(sudo_write=True)
+        self.captester.conduct_neg_test_for_chown_caps()
+        self.captester.conduct_neg_test_for_truncate_caps()
 
     def test_single_path_authorize_on_nonalphanumeric_fsname(self):
         """