[mirror_zfs.git] / tests / zfs-tests / tests / functional / privilege / privilege_001_pos.ksh

#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
#

. $STF_SUITE/include/libtest.shlib

#
# DESCRIPTION:
#
# The RBAC profile "ZFS Storage Management" works
#
# STRATEGY:
#	(create)
#	1. As a normal user, try to create a pool - which should fail.
#       2. Assign "ZFS Storage Management" profile, try to create pool again,
#	   which should succeed.
#
#	(works well with other ZFS profile tests)
#	3. Attempt to create a ZFS filesystem, which should fail.
#	4. Add the "ZFS File System Management" profile, attempt to create a FS
# 	   which should succeed.
#
#	(destroy)
#       5. Remove the FS profile, then attempt to destroy the pool, which
# 	   should succeed.
#	6. Remove the Storage profile, then attempt to recreate the pool, which
#	   should fail.
#

# We can only run this in the global zone
verify_runnable "global"

log_assert "The RBAC profile \"ZFS Storage Management\" works"

ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)

# the user shouldn't be able to do anything initially
log_mustnot su $ZFS_USER -c "zpool create $TESTPOOL $DISKS"
log_mustnot su $ZFS_USER -c "pfexec zpool create $TESTPOOL $DISKS"

# the first time we assign the profile, we insist it should work
log_must usermod -P "ZFS Storage Management" $ZFS_USER
log_must su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"

# ensure the user can't create a filesystem with this profile
log_mustnot su $ZFS_USER -c "zfs create $TESTPOOL/fs"

# add ZFS File System Management profile, and try to create a fs
log_must usermod -P "ZFS File System Management" $ZFS_USER
log_must su $ZFS_USER -c "pfexec zfs create $TESTPOOL/fs"

# revoke File System Management profile
usermod -P, $ZFS_USER
usermod -P "ZFS Storage Management" $ZFS_USER

# ensure the user can destroy pools
log_mustnot su $ZFS_USER -c "zpool destroy $TESTPOOL"
log_must su $ZFS_USER -c "pfexec zpool destroy $TESTPOOL"

# revoke Storage Management profile
usermod -P, $ZFS_USER
log_mustnot su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"

log_pass "The RBAC profile \"ZFS Storage Management\" works"
Commit	Line	Data
6bb24f4d BB	1	#!/bin/ksh -p
	2	#
	3	# CDDL HEADER START
	4	#
	5	# The contents of this file are subject to the terms of the
	6	# Common Development and Distribution License (the "License").
	7	# You may not use this file except in compliance with the License.
	8	#
	9	# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
	10	# or http://www.opensolaris.org/os/licensing.
	11	# See the License for the specific language governing permissions
	12	# and limitations under the License.
	13	#
	14	# When distributing Covered Code, include this CDDL HEADER in each
	15	# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
	16	# If applicable, add the following below this CDDL HEADER, with the
	17	# fields enclosed by brackets "[]" replaced with your own identifying
	18	# information: Portions Copyright [yyyy] [name of copyright owner]
	19	#
	20	# CDDL HEADER END
	21	#
	22
	23	#
	24	# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
	25	# Use is subject to license terms.
	26	#
	27
	28	#
c1d9abf9	29	# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
6bb24f4d BB	30	#
	31
	32	. $STF_SUITE/include/libtest.shlib
	33
	34	#
	35	# DESCRIPTION:
	36	#
	37	# The RBAC profile "ZFS Storage Management" works
	38	#
	39	# STRATEGY:
	40	# (create)
	41	# 1. As a normal user, try to create a pool - which should fail.
	42	# 2. Assign "ZFS Storage Management" profile, try to create pool again,
	43	# which should succeed.
	44	#
	45	# (works well with other ZFS profile tests)
	46	# 3. Attempt to create a ZFS filesystem, which should fail.
	47	# 4. Add the "ZFS File System Management" profile, attempt to create a FS
	48	# which should succeed.
	49	#
	50	# (destroy)
	51	# 5. Remove the FS profile, then attempt to destroy the pool, which
	52	# should succeed.
	53	# 6. Remove the Storage profile, then attempt to recreate the pool, which
	54	# should fail.
	55	#
	56
	57	# We can only run this in the global zone
	58	verify_runnable "global"
	59
	60	log_assert "The RBAC profile \"ZFS Storage Management\" works"
	61
c1d9abf9	62	ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)
6bb24f4d BB	63
6bb24f4d BB	64	# the user shouldn't be able to do anything initially
c1d9abf9 JWK	65	log_mustnot su $ZFS_USER -c "zpool create $TESTPOOL $DISKS"
c1d9abf9 JWK	66	log_mustnot su $ZFS_USER -c "pfexec zpool create $TESTPOOL $DISKS"
6bb24f4d BB	67
6bb24f4d BB	68	# the first time we assign the profile, we insist it should work
c1d9abf9 JWK	69	log_must usermod -P "ZFS Storage Management" $ZFS_USER
c1d9abf9 JWK	70	log_must su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"
6bb24f4d BB	71
6bb24f4d BB	72	# ensure the user can't create a filesystem with this profile
c1d9abf9	73	log_mustnot su $ZFS_USER -c "zfs create $TESTPOOL/fs"
6bb24f4d BB	74
6bb24f4d BB	75	# add ZFS File System Management profile, and try to create a fs
c1d9abf9 JWK	76	log_must usermod -P "ZFS File System Management" $ZFS_USER
c1d9abf9 JWK	77	log_must su $ZFS_USER -c "pfexec zfs create $TESTPOOL/fs"
6bb24f4d BB	78
6bb24f4d BB	79	# revoke File System Management profile
c1d9abf9 JWK	80	usermod -P, $ZFS_USER
c1d9abf9 JWK	81	usermod -P "ZFS Storage Management" $ZFS_USER
6bb24f4d BB	82
6bb24f4d BB	83	# ensure the user can destroy pools
c1d9abf9 JWK	84	log_mustnot su $ZFS_USER -c "zpool destroy $TESTPOOL"
c1d9abf9 JWK	85	log_must su $ZFS_USER -c "pfexec zpool destroy $TESTPOOL"
6bb24f4d BB	86
6bb24f4d BB	87	# revoke Storage Management profile
c1d9abf9 JWK	88	usermod -P, $ZFS_USER
c1d9abf9 JWK	89	log_mustnot su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"
6bb24f4d BB	90
6bb24f4d BB	91	log_pass "The RBAC profile \"ZFS Storage Management\" works"