enabling tests

This commit is contained in:
Andrey Z 2021-07-07 11:54:37 +03:00
parent c0264de45a
commit aa64385944
6 changed files with 152 additions and 202 deletions

View File

@ -8,8 +8,8 @@
[realms] [realms]
EXAMPLE.COM = { EXAMPLE.COM = {
kdc = kerberos kdc = kerberos_env_kerberos_1.krbnet
admin_server = kerberos admin_server = kerberos_env_kerberos_1.krbnet
} }
OTHER.COM = { OTHER.COM = {
kdc = kerberos kdc = kerberos

View File

@ -1,40 +0,0 @@
[kdc]
require-preauth = false
[libdefaults]
default_realm = EXAMPLE.COM
ticket_lifetime = 36000
dns_lookup_kdc = false
udp_preference_limit = 0
[realms]
EXAMPLE.COM = {
kdc = kerberos_env_kerberos_1.krbnet
admin_server = kerberos_env_kerberos_1.krbnet
}
OTHER.COM = {
kdc = kerberos
admin_server = kerberos
}
[domain_realm]
docker-compose_default = EXAMPLE.COM
.docker-compose_default = EXAMPLE.COM
krbnet = EXAMPLE.COM
.krbnet = EXAMPLE.COM
kerberos_env_default = EXAMPLE.COM
.kerberos_env_default = EXAMPLE.COM
[appdefaults]
validate = false
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

View File

@ -39,8 +39,8 @@ def regression(self, local, clickhouse_binary_path, stress=None, parallel=None):
self.context.cluster = cluster self.context.cluster = cluster
Feature(run=load("kerberos.tests.generic", "generic"), flags=TE) Feature(run=load("kerberos.tests.generic", "generic"), flags=TE)
# Feature(run=load("kerberos.tests.config", "config"), flags=TE) Feature(run=load("kerberos.tests.config", "config"), flags=TE)
# Feature(run=load("kerberos.tests.parallel", "parallel"), flags=TE) Feature(run=load("kerberos.tests.parallel", "parallel"), flags=TE)
if main(): if main():

View File

@ -145,11 +145,6 @@ def multiple_principal(self):
log_error="Multiple principal sections are not allowed") log_error="Multiple principal sections are not allowed")
@TestFeature @TestFeature
def config(self): def config(self):
"""Perform ClickHouse Kerberos authentication testing for incorrect configuration files """Perform ClickHouse Kerberos authentication testing for incorrect configuration files

View File

@ -21,8 +21,6 @@ def ping(self):
assert r.exitcode == 7, error() assert r.exitcode == 7, error()
@TestScenario @TestScenario
@Requirements( @Requirements(
RQ_SRS_016_Kerberos_ValidUser_XMLConfiguredUser("1.0") RQ_SRS_016_Kerberos_ValidUser_XMLConfiguredUser("1.0")
@ -110,81 +108,81 @@ def invalid_server_ticket(self):
assert r.output == "default", error() assert r.output == "default", error()
# @TestScenario @TestScenario
# @Requirements( @Requirements(
# RQ_SRS_016_Kerberos_KerberosNotAvailable_InvalidClientTicket("1.0") RQ_SRS_016_Kerberos_KerberosNotAvailable_InvalidClientTicket("1.0")
# ) )
# def invalid_client_ticket(self): def invalid_client_ticket(self):
# """ClickHouse SHALL reject Kerberos authentication in case client has """ClickHouse SHALL reject Kerberos authentication in case client has
# no valid ticket (or the existing ticket is outdated). no valid ticket (or the existing ticket is outdated).
# """ """
# ch_nodes = self.context.ch_nodes ch_nodes = self.context.ch_nodes
#
# with Given("kinit for client"): with Given("kinit for client"):
# kinit_no_keytab(node=ch_nodes[2], lifetime_option="-l 00:00:05") kinit_no_keytab(node=ch_nodes[2], lifetime_option="-l 00:00:05")
#
# with And("setting up server principal"): with And("setting up server principal"):
# create_server_principal(node=ch_nodes[0]) create_server_principal(node=ch_nodes[0])
#
# # with And("I kill kerberos-server"): # with And("I kill kerberos-server"):
# # self.context.krb_server.stop() # self.context.krb_server.stop()
#
# with And("I wait until client ticket is expired"): with And("I wait until client ticket is expired"):
# time.sleep(10) time.sleep(10)
#
# with When("I attempt to authenticate as kerberos_user"): with When("I attempt to authenticate as kerberos_user"):
# r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])) r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
#
# with Then("I expect the user to be default"): with Then("I expect the user to be default"):
# assert r.output == "default", error() assert r.output == "default", error()
#
# with Finally(""): with Finally(""):
# # self.context.krb_server.start() # self.context.krb_server.start()
# time.sleep(1) time.sleep(1)
# ch_nodes[2].cmd(f"echo pwd | kinit -l 10:00 kerberos_user") ch_nodes[2].cmd(f"echo pwd | kinit -l 10:00 kerberos_user")
# while True: while True:
# time.sleep(1) time.sleep(1)
# if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user": if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
# break break
# ch_nodes[2].cmd("kdestroy") ch_nodes[2].cmd("kdestroy")
# @TestCase @TestCase
# @Requirements( @Requirements(
# RQ_SRS_016_Kerberos_KerberosNotAvailable_ValidTickets("1.0") RQ_SRS_016_Kerberos_KerberosNotAvailable_ValidTickets("1.0")
# ) )
# def kerberos_unreachable_valid_tickets(self): def kerberos_unreachable_valid_tickets(self):
# """ClickHouse SHALL accept Kerberos authentication if no Kerberos server is reachable """ClickHouse SHALL accept Kerberos authentication if no Kerberos server is reachable
# but both CH-server and client have valid tickets. but both CH-server and client have valid tickets.
# """ """
# ch_nodes = self.context.ch_nodes ch_nodes = self.context.ch_nodes
#
# with Given("kinit for client"): with Given("kinit for client"):
# kinit_no_keytab(node=ch_nodes[2]) kinit_no_keytab(node=ch_nodes[2])
#
# with And("setting up server principal"): with And("setting up server principal"):
# create_server_principal(node=ch_nodes[0]) create_server_principal(node=ch_nodes[0])
#
# with And("make sure server obtained ticket"): with And("make sure server obtained ticket"):
# ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])) ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
#
# with And("I kill kerberos-server"): with And("I kill kerberos-server"):
# self.context.krb_server.stop() self.context.krb_server.stop()
#
# with When("I attempt to authenticate as kerberos_user"): with When("I attempt to authenticate as kerberos_user"):
# r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])) r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
#
# with Then("I expect the user to be default"): with Then("I expect the user to be default"):
# assert r.output == "kerberos_user", error() assert r.output == "kerberos_user", error()
#
# with Finally("I start kerberos server again"): with Finally("I start kerberos server again"):
# self.context.krb_server.start() self.context.krb_server.start()
# ch_nodes[2].cmd("kdestroy") ch_nodes[2].cmd("kdestroy")
# while True: while True:
# kinit_no_keytab(node=ch_nodes[2]) kinit_no_keytab(node=ch_nodes[2])
# if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user": if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
# break break
# ch_nodes[2].cmd("kdestroy") ch_nodes[2].cmd("kdestroy")
@TestScenario @TestScenario
@ -215,39 +213,39 @@ def kerberos_not_configured(self):
ch_nodes[0].query("DROP USER unkerberized") ch_nodes[0].query("DROP USER unkerberized")
# @TestScenario @TestScenario
# @Requirements( @Requirements(
# RQ_SRS_016_Kerberos_KerberosServerRestarted("1.0") RQ_SRS_016_Kerberos_KerberosServerRestarted("1.0")
# ) )
# def kerberos_server_restarted(self): def kerberos_server_restarted(self):
# """ClickHouse SHALL accept Kerberos authentication if Kerberos server was restarted. """ClickHouse SHALL accept Kerberos authentication if Kerberos server was restarted.
# """ """
# ch_nodes = self.context.ch_nodes ch_nodes = self.context.ch_nodes
# krb_server = self.context.krb_server krb_server = self.context.krb_server
#
# with Given("I obtain keytab for user"): with Given("I obtain keytab for user"):
# kinit_no_keytab(node=ch_nodes[2]) kinit_no_keytab(node=ch_nodes[2])
# with And("I create server principal"): with And("I create server principal"):
# create_server_principal(node=ch_nodes[0]) create_server_principal(node=ch_nodes[0])
# with And("I obtain server ticket"): with And("I obtain server ticket"):
# ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]), no_checks=True) ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]), no_checks=True)
# with By("I dump, restart and restore kerberos server"): with By("I dump, restart and restore kerberos server"):
# krb_server.cmd("kdb5_util dump dump.dmp", shell_command="/bin/sh") krb_server.cmd("kdb5_util dump dump.dmp", shell_command="/bin/sh")
# krb_server.restart() krb_server.restart()
# krb_server.cmd("kdb5_util load dump.dmp", shell_command="/bin/sh") krb_server.cmd("kdb5_util load dump.dmp", shell_command="/bin/sh")
#
# with When("I attempt to authenticate"): with When("I attempt to authenticate"):
# r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])) r = ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
#
# with And("I wait for kerberos to be healthy"): with And("I wait for kerberos to be healthy"):
# ch_nodes[2].cmd("kdestroy") ch_nodes[2].cmd("kdestroy")
# while True: while True:
# kinit_no_keytab(node=ch_nodes[2]) kinit_no_keytab(node=ch_nodes[2])
# if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user": if ch_nodes[2].cmd(test_select_query(node=ch_nodes[0])).output == "kerberos_user":
# break break
#
# with Then(f"I expect kerberos_user"): with Then(f"I expect kerberos_user"):
# assert r.output == "kerberos_user", error() assert r.output == "kerberos_user", error()
@TestScenario @TestScenario
@ -298,44 +296,41 @@ def user_deleted(self):
assert "Authentication failed: password is incorrect or there is no user with such name" in r.output, error() assert "Authentication failed: password is incorrect or there is no user with such name" in r.output, error()
# @TestScenario @TestScenario
# @Requirements( @Requirements(
# RQ_SRS_016_Kerberos_Performance("1.0") RQ_SRS_016_Kerberos_Performance("1.0")
# ) )
# def authentication_performance(self): def authentication_performance(self):
# """ClickHouse's performance for Kerberos authentication SHALL shall be comparable to regular authentication. """ClickHouse's performance for Kerberos authentication SHALL shall be comparable to regular authentication.
# """ """
# ch_nodes = self.context.ch_nodes ch_nodes = self.context.ch_nodes
#
# with Given("I obtain keytab for a user"):
# kinit_no_keytab(node=ch_nodes[2])
#
# with And("I create server principal"):
# create_server_principal(node=ch_nodes[0])
#
# with And("I create a password-identified user"):
# ch_nodes[0].query("CREATE USER pwd_user IDENTIFIED WITH plaintext_password BY 'pwd'")
#
# with When("I measure kerberos auth time"):
# start_time_krb = time.time()
# for i in range(100):
# ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
# krb_time = (time.time() - start_time_krb) / 100
#
# with And("I measure password auth time"):
# start_time_usual = time.time()
# for i in range(100):
# ch_nodes[2].cmd(f"echo 'SELECT 1' | curl 'http://pwd_user:pwd@clickhouse1:8123/' -d @-")
# usual_time = (time.time() - start_time_usual) / 100
#
# with Then("measuring the performance compared to password auth"):
# metric("percentage_improvement", units="%", value=100*(krb_time - usual_time)/usual_time)
#
# with Finally("I drop pwd_user"):
# ch_nodes[0].query("DROP USER pwd_user")
with Given("I obtain keytab for a user"):
kinit_no_keytab(node=ch_nodes[2])
with And("I create server principal"):
create_server_principal(node=ch_nodes[0])
with And("I create a password-identified user"):
ch_nodes[0].query("CREATE USER pwd_user IDENTIFIED WITH plaintext_password BY 'pwd'")
with When("I measure kerberos auth time"):
start_time_krb = time.time()
for i in range(100):
ch_nodes[2].cmd(test_select_query(node=ch_nodes[0]))
krb_time = (time.time() - start_time_krb) / 100
with And("I measure password auth time"):
start_time_usual = time.time()
for i in range(100):
ch_nodes[2].cmd(f"echo 'SELECT 1' | curl 'http://pwd_user:pwd@clickhouse1:8123/' -d @-")
usual_time = (time.time() - start_time_usual) / 100
with Then("measuring the performance compared to password auth"):
metric("percentage_improvement", units="%", value=100*(krb_time - usual_time)/usual_time)
with Finally("I drop pwd_user"):
ch_nodes[0].query("DROP USER pwd_user")
@TestFeature @TestFeature

View File

@ -22,15 +22,15 @@ def regression(self, local, clickhouse_binary_path, stress=None, parallel=None):
tasks = [] tasks = []
with Pool(8) as pool: with Pool(8) as pool:
try: try:
#run_scenario(pool, tasks, Feature(test=load("example.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("example.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("ldap.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("ldap.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("rbac.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("rbac.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("aes_encryption.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("aes_encryption.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("map_type.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("map_type.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("window_functions.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("window_functions.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("datetime64_extended_range.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("datetime64_extended_range.regression", "regression")), args)
run_scenario(pool, tasks, Feature(test=load("kerberos.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("kerberos.regression", "regression")), args)
#run_scenario(pool, tasks, Feature(test=load("extended_precision_data_types.regression", "regression")), args) run_scenario(pool, tasks, Feature(test=load("extended_precision_data_types.regression", "regression")), args)
finally: finally:
join(tasks) join(tasks)