Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
2dot5
ClickHouse
提交
3d0c26f5
C
ClickHouse
项目概览
2dot5
/
ClickHouse
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
C
ClickHouse
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
3d0c26f5
编写于
12月 27, 2018
作者:
A
alesapin
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Fix ipv4 mask restrictions for users and add integration tests
上级
bf7401ce
变更
12
隐藏空白更改
内联
并排
Showing
12 changed file
with
179 addition
and
13 deletion
+179
-13
dbms/src/Interpreters/Users.cpp
dbms/src/Interpreters/Users.cpp
+6
-4
dbms/tests/integration/helpers/cluster.py
dbms/tests/integration/helpers/cluster.py
+40
-4
dbms/tests/integration/helpers/docker_compose_hdfs.yml
dbms/tests/integration/helpers/docker_compose_hdfs.yml
+1
-1
dbms/tests/integration/helpers/docker_compose_kafka.yml
dbms/tests/integration/helpers/docker_compose_kafka.yml
+1
-1
dbms/tests/integration/helpers/docker_compose_mysql.yml
dbms/tests/integration/helpers/docker_compose_mysql.yml
+1
-1
dbms/tests/integration/helpers/docker_compose_postgres.yml
dbms/tests/integration/helpers/docker_compose_postgres.yml
+1
-1
dbms/tests/integration/helpers/docker_compose_zookeeper.yml
dbms/tests/integration/helpers/docker_compose_zookeeper.yml
+1
-1
dbms/tests/integration/test_user_ip_restrictions/__init__.py
dbms/tests/integration/test_user_ip_restrictions/__init__.py
+0
-0
dbms/tests/integration/test_user_ip_restrictions/configs/config_ipv6.xml
...gration/test_user_ip_restrictions/configs/config_ipv6.xml
+1
-0
dbms/tests/integration/test_user_ip_restrictions/configs/users_ipv4.xml
...egration/test_user_ip_restrictions/configs/users_ipv4.xml
+27
-0
dbms/tests/integration/test_user_ip_restrictions/configs/users_ipv6.xml
...egration/test_user_ip_restrictions/configs/users_ipv6.xml
+26
-0
dbms/tests/integration/test_user_ip_restrictions/test.py
dbms/tests/integration/test_user_ip_restrictions/test.py
+74
-0
未找到文件。
dbms/src/Interpreters/Users.cpp
浏览文件 @
3d0c26f5
...
...
@@ -70,18 +70,20 @@ public:
else
{
String
addr
(
str
,
0
,
pos
-
str
.
c_str
());
mask_address
=
toIPv6
(
Poco
::
Net
::
IPAddress
(
addr
)
);
auto
real_address
=
Poco
::
Net
::
IPAddress
(
addr
);
String
str_mask
(
str
,
addr
.
length
()
+
1
,
str
.
length
()
-
addr
.
length
()
-
1
);
if
(
isDigits
(
str_mask
))
{
UInt8
prefix_bits
=
parse
<
UInt8
>
(
pos
+
1
);
construct
(
prefix_bits
);
construct
(
prefix_bits
,
real_address
.
family
()
==
Poco
::
Net
::
AddressFamily
::
IPv4
);
}
else
{
subnet_mask
=
netmaskToIPv6
(
Poco
::
Net
::
IPAddress
(
str_mask
));
}
mask_address
=
toIPv6
(
real_address
);
}
}
...
...
@@ -97,9 +99,9 @@ private:
subnet_mask
=
Poco
::
Net
::
IPAddress
(
128
,
Poco
::
Net
::
IPAddress
::
IPv6
);
}
void
construct
(
UInt8
prefix_bits
)
void
construct
(
UInt8
prefix_bits
,
bool
is_ipv4
)
{
prefix_bits
=
mask_address
.
family
()
==
Poco
::
Net
::
IPAddress
::
IP
v4
?
prefix_bits
+
96
:
prefix_bits
;
prefix_bits
=
is_ip
v4
?
prefix_bits
+
96
:
prefix_bits
;
subnet_mask
=
Poco
::
Net
::
IPAddress
(
prefix_bits
,
Poco
::
Net
::
IPAddress
::
IPv6
);
}
...
...
dbms/tests/integration/helpers/cluster.py
浏览文件 @
3d0c26f5
...
...
@@ -97,7 +97,7 @@ class ClickHouseCluster:
cmd
+=
" client"
return
cmd
def
add_instance
(
self
,
name
,
config_dir
=
None
,
main_configs
=
[],
user_configs
=
[],
macros
=
{},
with_zookeeper
=
False
,
with_mysql
=
False
,
with_kafka
=
False
,
clickhouse_path_dir
=
None
,
with_odbc_drivers
=
False
,
with_postgres
=
False
,
with_hdfs
=
False
,
hostname
=
None
,
env_variables
=
{},
image
=
"yandex/clickhouse-integration-test"
,
stay_alive
=
False
):
def
add_instance
(
self
,
name
,
config_dir
=
None
,
main_configs
=
[],
user_configs
=
[],
macros
=
{},
with_zookeeper
=
False
,
with_mysql
=
False
,
with_kafka
=
False
,
clickhouse_path_dir
=
None
,
with_odbc_drivers
=
False
,
with_postgres
=
False
,
with_hdfs
=
False
,
hostname
=
None
,
env_variables
=
{},
image
=
"yandex/clickhouse-integration-test"
,
stay_alive
=
False
,
ipv4_address
=
None
,
ipv6_address
=
None
):
"""Add an instance to the cluster.
name - the name of the instance directory and the value of the 'instance' macro in ClickHouse.
...
...
@@ -116,7 +116,8 @@ class ClickHouseCluster:
instance
=
ClickHouseInstance
(
self
,
self
.
base_dir
,
name
,
config_dir
,
main_configs
,
user_configs
,
macros
,
with_zookeeper
,
self
.
zookeeper_config_path
,
with_mysql
,
with_kafka
,
self
.
base_configs_dir
,
self
.
server_bin_path
,
clickhouse_path_dir
,
with_odbc_drivers
,
hostname
=
hostname
,
env_variables
=
env_variables
,
image
=
image
,
stay_alive
=
stay_alive
)
clickhouse_path_dir
,
with_odbc_drivers
,
hostname
=
hostname
,
env_variables
=
env_variables
,
image
=
image
,
stay_alive
=
stay_alive
,
ipv4_address
=
ipv4_address
,
ipv6_address
=
ipv6_address
)
self
.
instances
[
name
]
=
instance
self
.
base_cmd
.
extend
([
'--file'
,
instance
.
docker_compose_path
])
...
...
@@ -332,7 +333,7 @@ CLICKHOUSE_START_COMMAND = "clickhouse server --config-file=/etc/clickhouse-serv
CLICKHOUSE_STAY_ALIVE_COMMAND
=
'bash -c "{} --daemon; tail -f /dev/null"'
.
format
(
CLICKHOUSE_START_COMMAND
)
DOCKER_COMPOSE_TEMPLATE
=
'''
version: '2'
version: '2
.2
'
services:
{name}:
image: {image}
...
...
@@ -347,6 +348,22 @@ services:
depends_on: {depends_on}
env_file:
- {env_file}
{networks}
{app_net}
{ipv4_address}
{ipv6_address}
networks:
app_net:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
- subnet: 10.5.0.0/12
gateway: 10.5.1.1
- subnet: 2001:3984:3989::/64
gateway: 2001:3984:3989::1
'''
class
ClickHouseInstance
:
...
...
@@ -354,7 +371,8 @@ class ClickHouseInstance:
def
__init__
(
self
,
cluster
,
base_path
,
name
,
custom_config_dir
,
custom_main_configs
,
custom_user_configs
,
macros
,
with_zookeeper
,
zookeeper_config_path
,
with_mysql
,
with_kafka
,
base_configs_dir
,
server_bin_path
,
clickhouse_path_dir
,
with_odbc_drivers
,
hostname
=
None
,
env_variables
=
{},
image
=
"yandex/clickhouse-integration-test"
,
stay_alive
=
False
):
clickhouse_path_dir
,
with_odbc_drivers
,
hostname
=
None
,
env_variables
=
{},
image
=
"yandex/clickhouse-integration-test"
,
stay_alive
=
False
,
ipv4_address
=
None
,
ipv6_address
=
None
):
self
.
name
=
name
self
.
base_cmd
=
cluster
.
base_cmd
[:]
...
...
@@ -391,6 +409,8 @@ class ClickHouseInstance:
self
.
default_timeout
=
20.0
# 20 sec
self
.
image
=
image
self
.
stay_alive
=
stay_alive
self
.
ipv4_address
=
ipv4_address
self
.
ipv6_address
=
ipv6_address
# Connects to the instance via clickhouse-client, sends a query (1st argument) and returns the answer
def
query
(
self
,
sql
,
stdin
=
None
,
timeout
=
None
,
settings
=
None
,
user
=
None
,
ignore_error
=
False
):
...
...
@@ -609,6 +629,18 @@ class ClickHouseInstance:
if
self
.
stay_alive
:
entrypoint_cmd
=
CLICKHOUSE_STAY_ALIVE_COMMAND
ipv4_address
=
ipv6_address
=
""
if
self
.
ipv4_address
is
None
and
self
.
ipv6_address
is
None
:
networks
=
""
app_net
=
""
else
:
networks
=
"networks:"
app_net
=
"app_net:"
if
self
.
ipv4_address
is
not
None
:
ipv4_address
=
"ipv4_address: "
+
self
.
ipv4_address
if
self
.
ipv6_address
is
not
None
:
ipv6_address
=
"ipv6_address: "
+
self
.
ipv6_address
with
open
(
self
.
docker_compose_path
,
'w'
)
as
docker_compose
:
docker_compose
.
write
(
DOCKER_COMPOSE_TEMPLATE
.
format
(
image
=
self
.
image
,
...
...
@@ -623,6 +655,10 @@ class ClickHouseInstance:
env_file
=
env_file
,
odbc_ini_path
=
odbc_ini_path
,
entrypoint_cmd
=
entrypoint_cmd
,
networks
=
networks
,
app_net
=
app_net
,
ipv4_address
=
ipv4_address
,
ipv6_address
=
ipv6_address
,
))
...
...
dbms/tests/integration/helpers/docker_compose_hdfs.yml
浏览文件 @
3d0c26f5
version
:
'
2'
version
:
'
2
.2
'
services
:
hdfs1
:
image
:
sequenceiq/hadoop-docker:2.7.0
...
...
dbms/tests/integration/helpers/docker_compose_kafka.yml
浏览文件 @
3d0c26f5
version
:
'
2'
version
:
'
2
.2
'
services
:
kafka_zookeeper
:
...
...
dbms/tests/integration/helpers/docker_compose_mysql.yml
浏览文件 @
3d0c26f5
version
:
'
2'
version
:
'
2
.2
'
services
:
mysql1
:
image
:
mysql:5.7
...
...
dbms/tests/integration/helpers/docker_compose_postgres.yml
浏览文件 @
3d0c26f5
version
:
'
2'
version
:
'
2
.2
'
services
:
postgres1
:
image
:
postgres
...
...
dbms/tests/integration/helpers/docker_compose_zookeeper.yml
浏览文件 @
3d0c26f5
version
:
'
2'
version
:
'
2
.2
'
services
:
zoo1
:
image
:
zookeeper
...
...
dbms/tests/integration/test_user_ip_restrictions/__init__.py
0 → 100644
浏览文件 @
3d0c26f5
dbms/tests/integration/test_user_ip_restrictions/configs/config_ipv6.xml
0 → 100644
浏览文件 @
3d0c26f5
<yandex><listen_host>
::
</listen_host></yandex>
dbms/tests/integration/test_user_ip_restrictions/configs/users_ipv4.xml
0 → 100644
浏览文件 @
3d0c26f5
<yandex>
<profiles>
<default>
<max_memory_usage>
10000000000
</max_memory_usage>
<use_uncompressed_cache>
0
</use_uncompressed_cache>
<load_balancing>
random
</load_balancing>
</default>
</profiles>
<users>
<default>
<password></password>
<networks
incl=
"networks"
replace=
"replace"
>
<ip>
10.5.173.1
</ip>
<ip>
10.5.172.0/24
</ip>
<ip>
10.5.175.0/255.255.255.0
</ip>
</networks>
<profile>
default
</profile>
<quota>
default
</quota>
</default>
</users>
<quotas>
<default>
</default>
</quotas>
</yandex>
dbms/tests/integration/test_user_ip_restrictions/configs/users_ipv6.xml
0 → 100644
浏览文件 @
3d0c26f5
<yandex>
<profiles>
<default>
<max_memory_usage>
10000000000
</max_memory_usage>
<use_uncompressed_cache>
0
</use_uncompressed_cache>
<load_balancing>
random
</load_balancing>
</default>
</profiles>
<users>
<default>
<password></password>
<networks
incl=
"networks"
replace=
"replace"
>
<ip>
2001:3984:3989:0:0:0:1:1111
</ip>
<ip>
2001:3984:3989:0:0:0:0:0/112
</ip>
</networks>
<profile>
default
</profile>
<quota>
default
</quota>
</default>
</users>
<quotas>
<default>
</default>
</quotas>
</yandex>
dbms/tests/integration/test_user_ip_restrictions/test.py
0 → 100644
浏览文件 @
3d0c26f5
import
time
import
pytest
from
helpers.cluster
import
ClickHouseCluster
from
helpers.test_tools
import
assert_eq_with_retry
cluster
=
ClickHouseCluster
(
__file__
)
node_ipv4
=
cluster
.
add_instance
(
'node_ipv4'
,
config_dir
=
"configs"
,
user_configs
=
[
'configs/users_ipv4.xml'
],
ipv4_address
=
'10.5.172.77'
)
client_ipv4_ok
=
cluster
.
add_instance
(
'client_ipv4_ok'
,
config_dir
=
"configs"
,
ipv4_address
=
'10.5.172.10'
)
client_ipv4_ok_direct
=
cluster
.
add_instance
(
'client_ipv4_ok_direct'
,
config_dir
=
"configs"
,
ipv4_address
=
'10.5.173.1'
)
client_ipv4_ok_full_mask
=
cluster
.
add_instance
(
'client_ipv4_ok_full_mask'
,
config_dir
=
"configs"
,
ipv4_address
=
'10.5.175.77'
)
client_ipv4_bad
=
cluster
.
add_instance
(
'client_ipv4_bad'
,
config_dir
=
"configs"
,
ipv4_address
=
'10.5.173.10'
)
node_ipv6
=
cluster
.
add_instance
(
'node_ipv6'
,
config_dir
=
"configs"
,
main_configs
=
[
"configs/config_ipv6.xml"
],
user_configs
=
[
'configs/users_ipv6.xml'
],
ipv6_address
=
'2001:3984:3989::1:1000'
)
client_ipv6_ok
=
cluster
.
add_instance
(
'client_ipv6_ok'
,
config_dir
=
"configs"
,
ipv6_address
=
'2001:3984:3989::5555'
)
client_ipv6_ok_direct
=
cluster
.
add_instance
(
'client_ipv6_ok_direct'
,
config_dir
=
"configs"
,
ipv6_address
=
'2001:3984:3989::1:1111'
)
client_ipv6_bad
=
cluster
.
add_instance
(
'client_ipv6_bad'
,
config_dir
=
"configs"
,
ipv6_address
=
'2001:3984:3989::1:1112'
)
@
pytest
.
fixture
(
scope
=
"module"
)
def
setup_cluster
():
try
:
cluster
.
start
()
yield
cluster
finally
:
cluster
.
shutdown
()
def
test_ipv4
(
setup_cluster
):
try
:
client_ipv4_ok
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 10.5.172.77 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
except
Exception
as
ex
:
assert
False
,
"allowed client with 10.5.172.10 cannot connect to server with allowed mask '10.5.172.0/24'"
try
:
client_ipv4_ok_direct
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 10.5.172.77 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
except
Exception
as
ex
:
assert
False
,
"allowed client with 10.5.173.1 cannot connect to server with allowed ip '10.5.173.1'"
try
:
client_ipv4_ok_full_mask
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 10.5.172.77 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
except
Exception
as
ex
:
assert
False
,
"allowed client with 10.5.175.77 cannot connect to server with allowed ip '10.5.175.0/255.255.255.0'"
try
:
client_ipv4_bad
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 10.5.172.77 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
assert
False
,
"restricted client with 10.5.173.10 can connect to server with allowed mask '10.5.172.0/24'"
except
AssertionError
:
raise
except
Exception
as
ex
:
print
ex
def
test_ipv6
(
setup_cluster
):
try
:
client_ipv6_ok
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 2001:3984:3989::1:1000 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
except
Exception
as
ex
:
print
ex
assert
False
,
"allowed client with 2001:3984:3989:0:0:0:1:1111 cannot connect to server with allowed mask '2001:3984:3989:0:0:0:0:0/112'"
try
:
client_ipv6_ok_direct
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 2001:3984:3989:0:0:0:1:1000 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
except
Exception
as
ex
:
assert
False
,
"allowed client with 2001:3984:3989:0:0:0:1:1111 cannot connect to server with allowed ip '2001:3984:3989:0:0:0:1:1111'"
try
:
client_ipv6_bad
.
exec_in_container
([
"bash"
,
"-c"
,
"/usr/bin/clickhouse client --host 2001:3984:3989:0:0:0:1:1000 --query 'select 1'"
],
privileged
=
True
,
user
=
'root'
)
assert
False
,
"restricted client with 2001:3984:3989:0:0:0:1:1112 can connect to server with allowed mask '2001:3984:3989:0:0:0:0:0/112'"
except
AssertionError
:
raise
except
Exception
as
ex
:
print
ex
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录