qa: add test for checking access in client side of root_squash
authorXiubo Li <xiubli@redhat.com>
Wed, 2 Nov 2022 01:12:16 +0000 (09:12 +0800)
committerXiubo Li <xiubli@redhat.com>
Wed, 27 Mar 2024 04:19:54 +0000 (12:19 +0800)
Test 'chown' and 'truncate', which will call setattr, and 'cat',
which will open the files. Before each test, open the file as a
non-root user and keep it open to make sure the Fxw caps are issued,
and then use 'sudo' to run the tests, which will set the uid/gid
to 0/0.

Fixes: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
(cherry picked from commit 28023f84d714488a5dfd17b2191790ed15909fb3)

Conflicts:
qa/tasks/cephfs/caps_helper.py: missed dependency commit
f0ffade0525("qa/cephfs/cap_tester: simplify CapTester and its
instantiation")

qa/tasks/cephfs/caps_helper.py
qa/tasks/cephfs/test_admin.py

index ac9bc4401d945101d04a2bd8d25f3bbcf1540be8..1ead57b71565302b07b22499c5b29f3cbd33f17a 100644 (file)
@@ -160,11 +160,11 @@ class CapTester(CephFSTestCase):
         else:
             raise RuntimeError(f'perm = {perm}\nIt should be "r" or "rw".')
 
-    def conduct_pos_test_for_read_caps(self):
+    def conduct_pos_test_for_read_caps(self, sudo_read=False):
         for mount, path, data in self.test_set:
             log.info(f'test read perm: read file {path} and expect data '
                      f'"{data}"')
-            contents = mount.read_file(path)
+            contents = mount.read_file(path, sudo_read)
             self.assertEqual(data, contents)
             log.info(f'read perm was tested successfully: "{data}" was '
                      f'successfully read from path {path}')
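Review bot: `sudo_read` reaches `mount.read_file(path, sudo_read)` as a bare positional boolean, and `conduct_pos_test_for_read_caps` has no docstring, so the call site does not show that the flag presumably switches the read to run under sudo (uid/gid 0/0, per the commit message). A one-line docstring such as `"""Read each file in test_set and assert its contents; sudo_read repeats the read via sudo."""` would make the root_squash intent visible. If `read_file`'s signature (not visible in this hunk) names the parameter, passing it by keyword would also protect the test if that signature is later reordered.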
@@ -193,3 +193,32 @@ class CapTester(CephFSTestCase):
             cmdargs.pop(-1)
             log.info('absence of write perm was tested successfully: '
                      f'failed to be write data to file {path}.')
+
+    def _conduct_neg_test_for_root_squash_caps(self, _cmdargs, sudo_write=False):
+        possible_errmsgs = ('permission denied', 'operation not permitted')
+        cmdargs = ['sudo'] if sudo_write else ['']
+        cmdargs += _cmdargs
+
+        for mount, path, data in self.test_set:
+            log.info(f'test absence of {_cmdargs[0]} perm: expect failure {path}.')
+
+            # open the file and hold it. The MDS will issue CEPH_CAP_EXCL_*
+            # to mount
+            proc = mount.open_background(path)
+            cmdargs.append(path)
+            mount.negtestcmd(args=cmdargs, retval=1, errmsgs=possible_errmsgs)
+            cmdargs.pop(-1)
+            mount._kill_background(proc)
+            log.info(f'absence of {_cmdargs[0]} perm was tested successfully')
+
+    def conduct_neg_test_for_chown_caps(self, sudo_write=True):
+        # flip ownership to nobody. assumption: nobody's id is 65534
+        cmdargs = ['chown', '-h', '65534:65534']
+        self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write)
+
+    def conduct_neg_test_for_truncate_caps(self, sudo_write=True):
+        cmdargs = ['truncate', '-s', '10GB']
+        self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write)
+
+    def conduct_pos_test_for_open_caps(self, sudo_read=True):
+        self.conduct_pos_test_for_read_caps(sudo_read)
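Review bot: In `_conduct_neg_test_for_root_squash_caps`, `mount._kill_background(proc)` is skipped whenever `negtestcmd` raises, so a failing assertion leaves the background opener holding the file (and presumably its caps) into later tests; the command should run inside `try`/`finally`. The `else ['']` branch also puts an empty string in front of the command when `sudo_write` is False, which likely makes the command fail for a reason unrelated to root_squash; `[]` is the no-prefix value. Building the argument list per iteration with `cmdargs + [path]` removes the append/pop pair that is likewise skipped on failure.
```python
        cmdargs = ['sudo'] if sudo_write else []
        cmdargs += _cmdargs

        for mount, path, data in self.test_set:
            # … unchanged: log.info and the comment about holding the file open …
            proc = mount.open_background(path)
            try:
                mount.negtestcmd(args=cmdargs + [path], retval=1,
                                 errmsgs=possible_errmsgs)
            finally:
                # release the held open file even when the assertion fails
                mount._kill_background(proc)
            # … unchanged: success log.info …
```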
index 866df4082de49239060ed669199bebae55850717..8c4abf44fbddbbcf1bbab97565d5c791c46affa9 100644 (file)
@@ -1312,7 +1312,10 @@ class TestFsAuthorize(CephFSTestCase):
         # Since root_squash is set in client caps, client can read but not
         # write even thought access level is set to "rw".
         self.captester.conduct_pos_test_for_read_caps()
+        self.captester.conduct_pos_test_for_open_caps()
         self.captester.conduct_neg_test_for_write_caps(sudo_write=True)
+        self.captester.conduct_neg_test_for_chown_caps()
+        self.captester.conduct_neg_test_for_truncate_caps()
 
     def test_single_path_authorize_on_nonalphanumeric_fsname(self):
         """