[test] Add test case

2024-09-19 16:20:50 +00:00 · 2024-08-26 18:13:40 +08:00 · 2024-08-26 18:13:40 +08:00 · a3cd89a0b0
commit a3cd89a0b0
parent 8030b2a8b2
4 changed files with 198 additions and 0 deletions
--- a/tests/integration/test_check_grant/init.py
+++ b/tests/integration/test_check_grant/init.py
--- a/tests/integration/test_check_grant/configs/remote_servers.xml
+++ b/tests/integration/test_check_grant/configs/remote_servers.xml
@ -0,0 +1,17 @@
+<clickhouse>
+    <remote_servers>
+        <test_cluster>
+            <shard>
+                <internal_replication>true</internal_replication>
+                <replica>
+                    <host>node1</host>
+                    <port>9000</port>
+                </replica>
+                <replica>
+                    <host>node2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+        </test_cluster>
+    </remote_servers>
+</clickhouse>
--- a/tests/integration/test_check_grant/configs/users.xml
+++ b/tests/integration/test_check_grant/configs/users.xml
@ -0,0 +1,121 @@
+<clickhouse>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password></password>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.clickhouse.com.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <access_management>1</access_management>
+
+            <!-- User can manipulate named collections. -->
+            <named_collection_control>1</named_collection_control>
+	    <show_named_collections>1</show_named_collections>
+	    <show_named_collections_secrets>1</show_named_collections_secrets>
+            <!-- User permissions can be granted here -->
+            <!--
+            <grants>
+                <query>GRANT ALL ON *.*</query>
+            </grants>
+            -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</clickhouse>
--- a/tests/integration/test_check_grant/test.py
+++ b/tests/integration/test_check_grant/test.py
@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+import logging
+import pytest
+from helpers.cluster import ClickHouseCluster
+
+@pytest.fixture(scope="module")
+def cluster():
+    try:
+        cluster = ClickHouseCluster(__file__)
+        cluster.add_instance(
+            "node1",
+            user_configs=[
+                "configs/users.xml"
+            ]
+        )
+
+        cluster.add_instance(
+            "node2",
+            user_configs=[
+                "configs/users.xml",
+            ]
+        )
+        logging.info("Starting cluster...")
+        cluster.start()
+        logging.info("Cluster started")
+
+        yield cluster
+    finally:
+        cluster.shutdown()
+
+
+def test_check_grant(cluster):
+    node1 = cluster.instances["node1"]
+
+    node1.query("DROP user  IF EXISTS tuser")
+    node1.query("CREATE USER tuser")
+    node1.query("GRANT SELECT ON tb TO tuser")
+    # Has been granted but not table not exists
+    res, _ = node1.query("CHECK GRANT SELECT ON tb", user = "tuser")
+    assert res == "0"
+
+    node1.query("CREATE TABLE tb (`content` UInt64) ENGINE = MergeTree ORDER BY content")
+    node1.query("INSERT INTO tb VALUES (1)")
+    # Has been granted and table exists
+    res, _ = node1.query("CHECK GRANT SELECT ON tb", user = "tuser")
+    assert res == "1"
+
+    node1.query("REVOKE SELECT ON tb FROM tuser")
+    # Has not been granted but table exists
+    res, _ = node1.query("CHECK GRANT SELECT ON tb", user = "tuser")
+    assert res == "0"
+
+    # Role
+    node1.query("CREATE ROLE trole")
+    node1.query("GRANT SELECT ON tb TO trole")
+    node1.query("GRANT trole TO tuser")
+    node1.query("SET ROLE trole", user = "tuser")
+    res, _ = node1.query("CHECK GRANT SELECT ON tb", user = "tuser")
+    assert res == "1"