Fix user specific auth with incremental backups

Antonio Andelic 2024-06-20 09:37:53 +02:00
parent 755b73f3fc
commit 0b175336a6
6 changed files with 92 additions and 29 deletions


@ -24,8 +24,6 @@
#include <Poco/Util/XMLConfiguration.h>
#include <Poco/DOM/DOMParser.h>
#include <ranges>
namespace ProfileEvents
{
@ -93,6 +91,7 @@ BackupImpl::BackupImpl(
const std::optional<BackupInfo> & base_backup_info_,
std::shared_ptr<IBackupReader> reader_,
const ContextPtr & context_,
bool is_internal_backup_,
bool use_same_s3_credentials_for_base_backup_)
: backup_info(backup_info_)
, backup_name_for_logging(backup_info.toStringForLogging())
@ -101,7 +100,7 @@ BackupImpl::BackupImpl(
, open_mode(OpenMode::READ)
, reader(std::move(reader_))
, context(context_)
, is_internal_backup(false)
, is_internal_backup(is_internal_backup_)
, version(INITIAL_BACKUP_VERSION)
, base_backup_info(base_backup_info_)
, use_same_s3_credentials_for_base_backup(use_same_s3_credentials_for_base_backup_)
@ -256,6 +255,7 @@ std::shared_ptr<const IBackup> BackupImpl::getBaseBackupUnlocked() const
params.backup_info = *base_backup_info;
params.open_mode = OpenMode::READ;
params.context = context;
params.is_internal_backup = is_internal_backup;
/// use_same_s3_credentials_for_base_backup should be inherited for base backups
params.use_same_s3_credentials_for_base_backup = use_same_s3_credentials_for_base_backup;
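Review bot: The added `params.is_internal_backup = is_internal_backup;` in `getBaseBackupUnlocked()` carries no comment, although the commit title ties it to per-user authorization and the next line already documents why `use_same_s3_credentials_for_base_backup` is inherited. I would add a line such as `/// is_internal_backup is inherited so the base backup is opened under the same auth rules as the backup that references it`, worded to match the actual mechanism, which is not visible in this section. Because the read-mode constructor no longer forces `is_internal_backup(false)`, it is worth confirming that the flag can only be set by the server itself and never from user-supplied settings, since internal mode presumably relaxes a per-user check. The failing incremental cases in the visible test write to a destination that `regularuser` is already denied, so on their own they may not show that access to the base backup is enforced; a case with an allowed destination and a restricted `base_backup` would isolate that. The bodies of the constructor and of `getBaseBackupUnlocked()` start and end outside the hunks shown.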


@ -40,6 +40,7 @@ public:
const std::optional<BackupInfo> & base_backup_info_,
std::shared_ptr<IBackupReader> reader_,
const ContextPtr & context_,
bool is_internal_backup_,
bool use_same_s3_credentials_for_base_backup_);
BackupImpl(


@ -153,6 +153,7 @@ void registerBackupEngineAzureBlobStorage(BackupFactory & factory)
params.base_backup_info,
reader,
params.context,
params.is_internal_backup,
/* use_same_s3_credentials_for_base_backup*/ false);
}
else


@ -119,6 +119,7 @@ void registerBackupEngineS3(BackupFactory & factory)
params.base_backup_info,
reader,
params.context,
params.is_internal_backup,
params.use_same_s3_credentials_for_base_backup);
}
else


@ -177,6 +177,7 @@ void registerBackupEnginesFileAndDisk(BackupFactory & factory)
params.base_backup_info,
reader,
params.context,
params.is_internal_backup,
params.use_same_s3_credentials_for_base_backup);
}
else


@ -627,67 +627,126 @@ def test_user_specific_auth(start_cluster):
create_user("superuser2")
create_user("regularuser")
node.query("CREATE TABLE specific_auth (col UInt64) ENGINE=Memory")
node.query("CREATE TABLE specific_auth (col UInt64) ENGINE=MergeTree ORDER BY col")
node.query("INSERT INTO specific_auth VALUES (1)")
assert "Access" in node.query_and_get_error(
"BACKUP TABLE specific_auth TO S3('http://minio1:9001/root/data/backups/limited/backup1.zip')"
def backup_restore(backup, user, should_fail, on_cluster=False, base_backup=None):
on_cluster_clause = "ON CLUSTER 'cluster'" if on_cluster else ""
base_backup = (
f" SETTINGS base_backup = {base_backup}" if base_backup is not None else ""
)
backup_query = (
f"BACKUP TABLE specific_auth {on_cluster_clause} TO {backup} {base_backup}"
)
restore_query = f"RESTORE TABLE specific_auth {on_cluster_clause} FROM {backup}"
if should_fail:
assert "Access" in node.query_and_get_error(backup_query, user=user)
else:
node.query(backup_query, user=user)
node.query("DROP TABLE specific_auth SYNC")
node.query(restore_query, user=user)
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup1/')",
user=None,
should_fail=True,
)
assert "Access" in node.query_and_get_error(
"BACKUP TABLE specific_auth TO S3('http://minio1:9001/root/data/backups/limited/backup1.zip')",
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup1/')",
user="regularuser",
should_fail=True,
)
node.query(
"BACKUP TABLE specific_auth TO S3('http://minio1:9001/root/data/backups/limited/backup1.zip')",
user="superuser1",
)
node.query(
"RESTORE TABLE specific_auth FROM S3('http://minio1:9001/root/data/backups/limited/backup1.zip')",
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup1/')",
user="superuser1",
should_fail=False,
)
node.query(
"BACKUP TABLE specific_auth TO S3('http://minio1:9001/root/data/backups/limited/backup2.zip')",
user="superuser2",
)
node.query(
"RESTORE TABLE specific_auth FROM S3('http://minio1:9001/root/data/backups/limited/backup2.zip')",
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup2/')",
user="superuser2",
should_fail=False,
)
assert "Access" in node.query_and_get_error(
"RESTORE TABLE specific_auth FROM S3('http://minio1:9001/root/data/backups/limited/backup1.zip')",
"RESTORE TABLE specific_auth FROM S3('http://minio1:9001/root/data/backups/limited/backup1/')",
user="regularuser",
)
assert "HTTP response code: 403" in node.query_and_get_error(
"SELECT * FROM s3('http://minio1:9001/root/data/backups/limited/backup1.zip', 'RawBLOB')",
node.query("INSERT INTO specific_auth VALUES (2)")
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup1_inc/')",
user="regularuser",
should_fail=True,
base_backup="S3('http://minio1:9001/root/data/backups/limited/backup1/')",
)
node.query(
"SELECT * FROM s3('http://minio1:9001/root/data/backups/limited/backup1.zip', 'RawBLOB')",
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup1_inc/')",
user="superuser1",
should_fail=False,
base_backup="S3('http://minio1:9001/root/data/backups/limited/backup1/')",
)
assert "Access" in node.query_and_get_error(
"RESTORE TABLE specific_auth FROM S3('http://minio1:9001/root/data/backups/limited/backup1_inc/')",
user="regularuser",
)
assert "Access Denied" in node.query_and_get_error(
"BACKUP TABLE specific_auth ON CLUSTER 'cluster' TO S3('http://minio1:9001/root/data/backups/limited/backup3/')",
"SELECT * FROM s3('http://minio1:9001/root/data/backups/limited/backup1/*', 'RawBLOB')",
user="regularuser",
)
node.query(
"BACKUP TABLE specific_auth ON CLUSTER 'cluster' TO S3('http://minio1:9001/root/data/backups/limited/backup3/')",
"SELECT * FROM s3('http://minio1:9001/root/data/backups/limited/backup1/*', 'RawBLOB')",
user="superuser1",
)
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup3/')",
user="regularuser",
should_fail=True,
on_cluster=True,
)
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup3/')",
user="superuser1",
should_fail=False,
on_cluster=True,
)
assert "Access Denied" in node.query_and_get_error(
"RESTORE TABLE specific_auth ON CLUSTER 'cluster' FROM S3('http://minio1:9001/root/data/backups/limited/backup3/')",
user="regularuser",
)
node.query(
"RESTORE TABLE specific_auth ON CLUSTER 'cluster' FROM S3('http://minio1:9001/root/data/backups/limited/backup3/')",
node.query("INSERT INTO specific_auth VALUES (3)")
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup3_inc/')",
user="regularuser",
should_fail=True,
on_cluster=True,
base_backup="S3('http://minio1:9001/root/data/backups/limited/backup3/')",
)
backup_restore(
"S3('http://minio1:9001/root/data/backups/limited/backup3_inc/')",
user="superuser1",
should_fail=False,
on_cluster=True,
base_backup="S3('http://minio1:9001/root/data/backups/limited/backup3/')",
)
assert "Access Denied" in node.query_and_get_error(
"RESTORE TABLE specific_auth ON CLUSTER 'cluster' FROM S3('http://minio1:9001/root/data/backups/limited/backup3_inc/')",
user="regularuser",
)
assert "Access Denied" in node.query_and_get_error(