Refactor test_kerberos_auth test

docker/test/integration/runner/compose/docker_compose_kerberos_kdc.yml

@@ -5,7 +5,7 @@ services:
     image: clickhouse/kerberos-kdc:${DOCKER_KERBEROS_KDC_TAG:-latest}
     hostname: kerberoskdc
     volumes:
-      - ${KERBEROS_AUTH_DIR}/secrets:/tmp/keytab
-      - ${KERBEROS_AUTH_DIR}/../../kerberos_image_config.sh:/config.sh
+      - ${KERBEROS_KDC_DIR}/secrets:/tmp/keytab
+      - ${KERBEROS_KDC_DIR}/../kerberos_image_config.sh:/config.sh
       - /dev/urandom:/dev/random
     ports: [88, 749]

tests/integration/helpers/cluster.py

@@ -206,6 +206,7 @@ def check_kafka_is_available(kafka_id, kafka_port):
     p.communicate()
     return p.returncode == 0
 
+
 def check_kerberos_kdc_is_available(kerberos_kdc_id):
     p = subprocess.Popen(
         (
@@ -387,6 +388,7 @@ class ClickHouseCluster:
         self.base_mysql_cmd = []
         self.base_kafka_cmd = []
         self.base_kerberized_kafka_cmd = []
+        self.base_kerberos_kdc_cmd = []
         self.base_rabbitmq_cmd = []
         self.base_nats_cmd = []
         self.base_cassandra_cmd = []
@@ -474,9 +476,7 @@ class ClickHouseCluster:
 
         # available when with_kerberos_kdc == True
         self.kerberos_kdc_host = "kerberoskdc"
-        self.keberos_kdc_docker_id = self.get_instance_docker_id(
-            self.kerberos_kdc_host
-        )
+        self.keberos_kdc_docker_id = self.get_instance_docker_id(self.kerberos_kdc_host)
 
         # available when with_mongo == True
         self.mongo_host = "mongo1"
@@ -1082,12 +1082,9 @@ class ClickHouseCluster:
         ]
         return self.base_kerberized_kafka_cmd
 
-
-    def setup_kerberos_cmd(
-        self, instance, env_variables, docker_compose_yml_dir
-    ):
+    def setup_kerberos_cmd(self, instance, env_variables, docker_compose_yml_dir):
         self.with_kerberos_kdc = True
-        env_variables["KERBEROS_AUTH_DIR"] = instance.path + "/"
+        env_variables["KERBEROS_KDC_DIR"] = self.instances_dir + "/"
         env_variables["KERBEROS_KDC_HOST"] = self.kerberos_kdc_host
         self.base_cmd.extend(
             [
@@ -1095,7 +1092,7 @@ class ClickHouseCluster:
                 p.join(docker_compose_yml_dir, "docker_compose_kerberos_kdc.yml"),
             ]
         )
-        self.base_kerberos_cmd = [
+        self.base_kerberos_kdc_cmd = [
             "docker-compose",
             "--env-file",
             instance.env_file,
@@ -1104,8 +1101,7 @@ class ClickHouseCluster:
             "--file",
             p.join(docker_compose_yml_dir, "docker_compose_kerberos_kdc.yml"),
         ]
-        return self.base_kerberos_cmd
-
+        return self.base_kerberos_kdc_cmd
 
     def setup_redis_cmd(self, instance, env_variables, docker_compose_yml_dir):
         self.with_redis = True
@@ -1606,9 +1602,7 @@ class ClickHouseCluster:
 
         if with_kerberos_kdc and not self.with_kerberos_kdc:
             cmds.append(
-                self.setup_kerberos_cmd(
-                    instance, env_variables, docker_compose_yml_dir
-                )
+                self.setup_kerberos_cmd(instance, env_variables, docker_compose_yml_dir)
             )
 
         if with_rabbitmq and not self.with_rabbitmq:
@@ -2193,7 +2187,6 @@ class ClickHouseCluster:
                 logging.debug("Waiting for Kerberos KDC to start up")
                 time.sleep(1)
 
-
     def wait_hdfs_to_start(self, timeout=300, check_marker=False):
         start = time.time()
         while time.time() - start < timeout:
@@ -2543,12 +2536,10 @@ class ClickHouseCluster:
                     self.kerberized_kafka_docker_id, self.kerberized_kafka_port, 100
                 )
 
-            if self.with_kerberos_kdc and self.base_kerberos_cmd:
+            if self.with_kerberos_kdc and self.base_kerberos_kdc_cmd:
                 logging.debug("Setup Kerberos KDC")
                 run_and_check(
-                    self.base_kerberos_cmd
-                    + common_opts
-                    + ["--renew-anon-volumes"]
+                    self.base_kerberos_kdc_cmd + common_opts + ["--renew-anon-volumes"]
                 )
                 self.up_called = True
                 self.wait_kerberos_kdc_is_available(self.keberos_kdc_docker_id)
@@ -3071,15 +3062,13 @@ class ClickHouseInstance:
             self.odbc_ini_path = ""
 
         if with_kerberized_kafka or with_kerberized_hdfs or with_kerberos_kdc:
-            self.keytab_path = (
-                "- "
-                + os.path.dirname(self.docker_compose_path)
-                + "/secrets:/tmp/keytab"
-            )
+            if with_kerberos_kdc:
+                base_secrets_dir = self.cluster.instances_dir
+            else:
+                base_secrets_dir = os.path.dirname(self.docker_compose_path)
+            self.keytab_path = "- " + base_secrets_dir + "/secrets:/tmp/keytab"
             self.krb5_conf = (
-                "- "
-                + os.path.dirname(self.docker_compose_path)
-                + "/secrets/krb.conf:/etc/krb5.conf:ro"
+                "- " + base_secrets_dir + "/secrets/krb.conf:/etc/krb5.conf:ro"
             )
         else:
             self.keytab_path = ""
@@ -3988,9 +3977,19 @@ class ClickHouseInstance:
         if self.with_zookeeper:
             shutil.copy(self.zookeeper_config_path, conf_d_dir)
 
-        if self.with_kerberized_kafka or self.with_kerberized_hdfs or self.with_kerberos_kdc:
+        if (
+            self.with_kerberized_kafka
+            or self.with_kerberized_hdfs
+            or self.with_kerberos_kdc
+        ):
+            if self.with_kerberos_kdc:
+                base_secrets_dir = self.cluster.instances_dir
+            else:
+                base_secrets_dir = self.path
             shutil.copytree(
-                self.kerberos_secrets_dir, p.abspath(p.join(self.path, "secrets"))
+                self.kerberos_secrets_dir,
+                p.abspath(p.join(base_secrets_dir, "secrets")),
+                dirs_exist_ok=True,
             )
 
         if self.with_coredns:

tests/integration/test_kerberos_auth/test.py

@@ -43,31 +43,45 @@ def kerberos_cluster():
         cluster.shutdown()
 
 
-@pytest.fixture(autouse=True)
-def kerberos_setup_teardown():
-    yield  # run test
-
-
 # Tests
 
-def make_auth(instance, user):
-    instance.exec_in_container(
-        ["bash", "-c", "kinit -V -k -t /tmp/keytab/kuser.keytab kuser"]
-    )
-    assert (
-        instance.exec_in_container(
-            ["bash", "-c", "echo 'select currentUser()' | curl -vvv --negotiate -u : http://{}:8123/ --data-binary @-".format(instance.hostname)]
-        )
-        == user + "\n"
-    )
 
+def exec_kinit(instance):
+    instance.exec_in_container(
+        ["bash", "-c", "kinit -k -t /tmp/keytab/kuser.keytab kuser"]
+    )
 
 
 def test_kerberos_auth_with_keytab(kerberos_cluster):
-    make_auth(instance1, "kuser")
+    exec_kinit(instance1)
+    assert (
+        instance1.exec_in_container(
+            [
+                "bash",
+                "-c",
+                "echo 'select currentUser()' | curl -vvv --negotiate -u : http://{}:8123/ --data-binary @-".format(
+                    instance1.hostname
+                ),
+            ]
+        )
+        == "kuser\n"
+    )
+
 
 def test_kerberos_auth_without_keytab(kerberos_cluster):
-    make_auth(instance2, "default")
+    exec_kinit(instance2)
+    assert (
+        "DB::Exception: : Authentication failed: password is incorrect or there is no user with such name."
+        in instance2.exec_in_container(
+            [
+                "bash",
+                "-c",
+                "echo 'select currentUser()' | curl -vvv --negotiate -u : http://{}:8123/ --data-binary @-".format(
+                    instance2.hostname
+                ),
+            ]
+        )
+    )
 
 
 if __name__ == "__main__":