enabling tests

tests/testflows/kerberos/configs/kerberos/etc/krb5.conf

@@ -7,10 +7,10 @@
     dns_lookup_kdc = false
 
 [realms]
-	EXAMPLE.COM = {
-		kdc = kerberos
-		admin_server = kerberos
-	}
+    EXAMPLE.COM = {
+        kdc = kerberos_env_kerberos_1.krbnet
+        admin_server = kerberos_env_kerberos_1.krbnet
+    }
 	OTHER.COM = {
 		kdc = kerberos
 		admin_server = kerberos

tests/testflows/kerberos/configs/kerberos/etc/old.conf

@@ -1,40 +0,0 @@
-[kdc]
-    require-preauth = false
-
-[libdefaults]
-	default_realm = EXAMPLE.COM
-	ticket_lifetime  = 36000
-    dns_lookup_kdc = false
-    udp_preference_limit = 0
-
-[realms]
-	EXAMPLE.COM = {
-		kdc = kerberos_env_kerberos_1.krbnet
-		admin_server = kerberos_env_kerberos_1.krbnet
-	}
-	OTHER.COM = {
-		kdc = kerberos
-		admin_server = kerberos
-	}
-
-[domain_realm]
-	docker-compose_default = EXAMPLE.COM
-	.docker-compose_default = EXAMPLE.COM
-    krbnet = EXAMPLE.COM
-	.krbnet = EXAMPLE.COM
-    kerberos_env_default = EXAMPLE.COM
-	.kerberos_env_default = EXAMPLE.COM
-
-[appdefaults]
-    validate         = false
-    pam              = {
-	debug           = false
-	ticket_lifetime = 36000
-	renew_lifetime  = 36000
-	forwardable     = true
-	krb4_convert    = false
-    }
-
-[logging]
-    kdc              = FILE:/var/log/krb5kdc.log
-    admin_server     = FILE:/var/log/kadmin.log

tests/testflows/kerberos/regression.py

@@ -39,8 +39,8 @@ def regression(self, local, clickhouse_binary_path, stress=None, parallel=None):
         self.context.cluster = cluster
 
         Feature(run=load("kerberos.tests.generic", "generic"), flags=TE)
-        # Feature(run=load("kerberos.tests.config", "config"), flags=TE)
-        # Feature(run=load("kerberos.tests.parallel", "parallel"), flags=TE)
+        Feature(run=load("kerberos.tests.config", "config"), flags=TE)
+        Feature(run=load("kerberos.tests.parallel", "parallel"), flags=TE)
 
 
 if main():

tests/testflows/kerberos/tests/config.py

@@ -145,11 +145,6 @@ def multiple_principal(self):
                        log_error="Multiple principal sections are not allowed")
 
 
-
-
-
-
-
 @TestFeature
 def config(self):
     """Perform ClickHouse Kerberos authentication testing for incorrect configuration files

tests/testflows/kerberos/tests/generic.py

@@ -21,8 +21,6 @@ def ping(self):
             assert r.exitcode == 7, error()
 
 
-
-
 @TestScenario
 @Requirements(
     RQ_SRS_016_Kerberos_ValidUser_XMLConfiguredUser("1.0")
@@ -110,81 +108,81 @@ def invalid_server_ticket(self):
         assert r.output == "default", error()
 
 
-# @TestScenario
-# @Requirements(
-#     RQ_SRS_016_Kerberos_KerberosNotAvailable_InvalidClientTicket("1.0")
-# )
-# def invalid_client_ticket(self):
-#     """ClickHouse SHALL reject Kerberos authentication in case client has
-#      no valid ticket (or the existing ticket is outdated).
-#     """
-#     ch_nodes = self.context.ch_nodes
-#
-#     with Given("kinit for client"):
-#         kinit_no_keytab(node=ch_nodes[2], lifetime_option="-l 00:00:05")
-#
-#     with And("setting up server principal"):
-#         create_server_principal(node=ch_nodes[0])
-#
-#     # with And("I kill kerberos-server"):
-#     #     self.context.krb_server.stop()
-#
-#     with And("I wait until client ticket is expired"):
-#         time.sleep(10)
-#
-#     with When("I attempt to authenticate as kerberos_user"):
-#         r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
-#
-#     with Then("I expect the user to be default"):
-#         assert r.output == "default", error()
-#
-#     with Finally(""):
-#         # self.context.krb_server.start()
-#         time.sleep(1)
-#         ch_nodes[2].cmd(f"echo pwd | kinit -l 10:00 kerberos_user")
-#         while True:
-#             time.sleep(1)
-#             if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
-#                 break
-#         ch_nodes[2].cmd("kdestroy")
+@TestScenario
+@Requirements(
+    RQ_SRS_016_Kerberos_KerberosNotAvailable_InvalidClientTicket("1.0")
+)
+def invalid_client_ticket(self):
+    """ClickHouse SHALL reject Kerberos authentication in case client has
+     no valid ticket (or the existing ticket is outdated).
+    """
+    ch_nodes = self.context.ch_nodes
+
+    with Given("kinit for client"):
+        kinit_no_keytab(node=ch_nodes[2], lifetime_option="-l 00:00:05")
+
+    with And("setting up server principal"):
+        create_server_principal(node=ch_nodes[0])
+
+    # with And("I kill kerberos-server"):
+    #     self.context.krb_server.stop()
+
+    with And("I wait until client ticket is expired"):
+        time.sleep(10)
+
+    with When("I attempt to authenticate as kerberos_user"):
+        r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
+
+    with Then("I expect the user to be default"):
+        assert r.output == "default", error()
+
+    with Finally(""):
+        # self.context.krb_server.start()
+        time.sleep(1)
+        ch_nodes[2].cmd(f"echo pwd | kinit -l 10:00 kerberos_user")
+        while True:
+            time.sleep(1)
+            if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
+                break
+        ch_nodes[2].cmd("kdestroy")
 
 
-# @TestCase
-# @Requirements(
-#     RQ_SRS_016_Kerberos_KerberosNotAvailable_ValidTickets("1.0")
-# )
-# def kerberos_unreachable_valid_tickets(self):
-#     """ClickHouse SHALL accept Kerberos authentication if no Kerberos server is reachable
-#     but both CH-server and client have valid tickets.
-#     """
-#     ch_nodes = self.context.ch_nodes
-#
-#     with Given("kinit for client"):
-#         kinit_no_keytab(node=ch_nodes[2])
-#
-#     with And("setting up server principal"):
-#         create_server_principal(node=ch_nodes[0])
-#
-#     with And("make sure server obtained ticket"):
-#         ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
-#
-#     with And("I kill kerberos-server"):
-#         self.context.krb_server.stop()
-#
-#     with When("I attempt to authenticate as kerberos_user"):
-#         r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
-#
-#     with Then("I expect the user to be default"):
-#         assert r.output == "kerberos_user", error()
-#
-#     with Finally("I start kerberos server again"):
-#         self.context.krb_server.start()
-#         ch_nodes[2].cmd("kdestroy")
-#         while True:
-#             kinit_no_keytab(node=ch_nodes[2])
-#             if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
-#                 break
-#         ch_nodes[2].cmd("kdestroy")
+@TestCase
+@Requirements(
+    RQ_SRS_016_Kerberos_KerberosNotAvailable_ValidTickets("1.0")
+)
+def kerberos_unreachable_valid_tickets(self):
+    """ClickHouse SHALL accept Kerberos authentication if no Kerberos server is reachable
+    but both CH-server and client have valid tickets.
+    """
+    ch_nodes = self.context.ch_nodes
+
+    with Given("kinit for client"):
+        kinit_no_keytab(node=ch_nodes[2])
+
+    with And("setting up server principal"):
+        create_server_principal(node=ch_nodes[0])
+
+    with And("make sure server obtained ticket"):
+        ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
+
+    with And("I kill kerberos-server"):
+        self.context.krb_server.stop()
+
+    with When("I attempt to authenticate as kerberos_user"):
+        r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
+
+    with Then("I expect the user to be default"):
+        assert r.output == "kerberos_user", error()
+
+    with Finally("I start kerberos server again"):
+        self.context.krb_server.start()
+        ch_nodes[2].cmd("kdestroy")
+        while True:
+            kinit_no_keytab(node=ch_nodes[2])
+            if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
+                break
+        ch_nodes[2].cmd("kdestroy")
 
 
 @TestScenario
@@ -215,39 +213,39 @@ def kerberos_not_configured(self):
         ch_nodes[0].query("DROP USER unkerberized")
 
 
-# @TestScenario
-# @Requirements(
-#     RQ_SRS_016_Kerberos_KerberosServerRestarted("1.0")
-# )
-# def kerberos_server_restarted(self):
-#     """ClickHouse SHALL accept Kerberos authentication if Kerberos server was restarted.
-#     """
-#     ch_nodes = self.context.ch_nodes
-#     krb_server = self.context.krb_server
-#
-#     with Given("I obtain keytab for user"):
-#         kinit_no_keytab(node=ch_nodes[2])
-#     with And("I create server principal"):
-#         create_server_principal(node=ch_nodes[0])
-#     with And("I obtain server ticket"):
-#         ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]), no_checks=True)
-#     with By("I dump, restart and restore kerberos server"):
-#         krb_server.cmd("kdb5_util dump dump.dmp", shell_command="/bin/sh")
-#         krb_server.restart()
-#         krb_server.cmd("kdb5_util load dump.dmp", shell_command="/bin/sh")
-#
-#     with When("I attempt to authenticate"):
-#         r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
-#
-#     with And("I wait for kerberos to be healthy"):
-#         ch_nodes[2].cmd("kdestroy")
-#         while True:
-#             kinit_no_keytab(node=ch_nodes[2])
-#             if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
-#                 break
-#
-#     with Then(f"I expect kerberos_user"):
-#         assert r.output == "kerberos_user", error()
+@TestScenario
+@Requirements(
+    RQ_SRS_016_Kerberos_KerberosServerRestarted("1.0")
+)
+def kerberos_server_restarted(self):
+    """ClickHouse SHALL accept Kerberos authentication if Kerberos server was restarted.
+    """
+    ch_nodes = self.context.ch_nodes
+    krb_server = self.context.krb_server
+
+    with Given("I obtain keytab for user"):
+        kinit_no_keytab(node=ch_nodes[2])
+    with And("I create server principal"):
+        create_server_principal(node=ch_nodes[0])
+    with And("I obtain server ticket"):
+        ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]), no_checks=True)
+    with By("I dump, restart and restore kerberos server"):
+        krb_server.cmd("kdb5_util dump dump.dmp", shell_command="/bin/sh")
+        krb_server.restart()
+        krb_server.cmd("kdb5_util load dump.dmp", shell_command="/bin/sh")
+
+    with When("I attempt to authenticate"):
+        r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
+
+    with And("I wait for kerberos to be healthy"):
+        ch_nodes[2].cmd("kdestroy")
+        while True:
+            kinit_no_keytab(node=ch_nodes[2])
+            if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
+                break
+
+    with Then(f"I expect kerberos_user"):
+        assert r.output == "kerberos_user", error()
 
 
 @TestScenario
@@ -298,44 +296,41 @@ def user_deleted(self):
         assert "Authentication failed: password is incorrect or there is no user with such name" in r.output, error()
 
 
-# @TestScenario
-# @Requirements(
-#     RQ_SRS_016_Kerberos_Performance("1.0")
-# )
-# def authentication_performance(self):
-#     """ClickHouse's performance for Kerberos authentication SHALL shall be comparable to regular authentication.
-#     """
-#     ch_nodes = self.context.ch_nodes
-#
-#     with Given("I obtain keytab for a user"):
-#         kinit_no_keytab(node=ch_nodes[2])
-#
-#     with And("I create server principal"):
-#         create_server_principal(node=ch_nodes[0])
-#
-#     with And("I create a password-identified user"):
-#         ch_nodes[0].query("CREATE USER pwd_user IDENTIFIED WITH plaintext_password BY 'pwd'")
-#
-#     with When("I measure kerberos auth time"):
-#         start_time_krb = time.time()
-#         for i in range(100):
-#             ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
-#         krb_time = (time.time() - start_time_krb) / 100
-#
-#     with And("I measure password auth time"):
-#         start_time_usual = time.time()
-#         for i in range(100):
-#             ch_nodes[2].cmd(f"echo 'SELECT 1' | curl 'http://pwd_user:pwd@clickhouse1:8123/' -d @-")
-#         usual_time = (time.time() - start_time_usual) / 100
-#
-#     with Then("measuring the performance compared to password auth"):
-#         metric("percentage_improvement", units="%", value=100*(krb_time - usual_time)/usual_time)
-#
-#     with Finally("I drop pwd_user"):
-#         ch_nodes[0].query("DROP USER pwd_user")
+@TestScenario
+@Requirements(
+    RQ_SRS_016_Kerberos_Performance("1.0")
+)
+def authentication_performance(self):
+    """ClickHouse's performance for Kerberos authentication SHALL shall be comparable to regular authentication.
+    """
+    ch_nodes = self.context.ch_nodes
 
+    with Given("I obtain keytab for a user"):
+        kinit_no_keytab(node=ch_nodes[2])
 
+    with And("I create server principal"):
+        create_server_principal(node=ch_nodes[0])
 
+    with And("I create a password-identified user"):
+        ch_nodes[0].query("CREATE USER pwd_user IDENTIFIED WITH plaintext_password BY 'pwd'")
+
+    with When("I measure kerberos auth time"):
+        start_time_krb = time.time()
+        for i in range(100):
+            ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
+        krb_time = (time.time() - start_time_krb) / 100
+
+    with And("I measure password auth time"):
+        start_time_usual = time.time()
+        for i in range(100):
+            ch_nodes[2].cmd(f"echo 'SELECT 1' | curl 'http://pwd_user:pwd@clickhouse1:8123/' -d @-")
+        usual_time = (time.time() - start_time_usual) / 100
+
+    with Then("measuring the performance compared to password auth"):
+        metric("percentage_improvement", units="%", value=100*(krb_time - usual_time)/usual_time)
+
+    with Finally("I drop pwd_user"):
+        ch_nodes[0].query("DROP USER pwd_user")
 
 
 @TestFeature

tests/testflows/regression.py

@@ -22,15 +22,15 @@ def regression(self, local, clickhouse_binary_path, stress=None, parallel=None):
     tasks = []
     with Pool(8) as pool:
         try:
-            #run_scenario(pool, tasks, Feature(test=load("example.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("ldap.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("rbac.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("aes_encryption.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("map_type.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("window_functions.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("datetime64_extended_range.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("example.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("ldap.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("rbac.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("aes_encryption.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("map_type.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("window_functions.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("datetime64_extended_range.regression", "regression")), args)
             run_scenario(pool, tasks, Feature(test=load("kerberos.regression", "regression")), args)
-            #run_scenario(pool, tasks, Feature(test=load("extended_precision_data_types.regression", "regression")), args)
+            run_scenario(pool, tasks, Feature(test=load("extended_precision_data_types.regression", "regression")), args)
         finally:
             join(tasks)