hailin0 commented on code in PR #331: URL: https://github.com/apache/skywalking-banyandb/pull/331#discussion_r1365725043
########## docs/installation/cluster.md: ########## @@ -28,3 +28,45 @@ The host is registered to the etcd cluster by the `banyand-server` automatically - `node-host-provider=hostname` : Default. The OS's hostname is registered as the host part in the address. - `node-host-provider=ip` : The OS's the first non-loopback active IP address(IPv4) is registered as the host part in the address. - `node-host-provider=flag` : `node-host` is registered as the host part in the address. + +## Etcd Client Authentication + +etcd supports through tls certificates and RBAC based authentication for both clients to server communication. This section is intended to help users set up authentication in etcd client. Review Comment: fixed ########## test/integration/etcd/client_test.go: ########## @@ -0,0 +1,304 @@ +// Licensed to Apache Software Foundation (ASF) under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Apache Software Foundation (ASF) licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package integration_etcd_test + +import ( + "context" + "crypto/tls" + "fmt" + "log" + "net/url" + "path/filepath" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gleak" + "go.etcd.io/etcd/client/pkg/v3/transport" + clientv3 "go.etcd.io/etcd/client/v3" + "go.etcd.io/etcd/server/v3/embed" + + databasev1 "github.com/apache/skywalking-banyandb/api/proto/banyandb/database/v1" + "github.com/apache/skywalking-banyandb/banyand/metadata/schema" + "github.com/apache/skywalking-banyandb/pkg/test" + "github.com/apache/skywalking-banyandb/pkg/test/flags" + "github.com/apache/skywalking-banyandb/pkg/test/helpers" + "github.com/apache/skywalking-banyandb/pkg/test/setup" +) + +const host = "127.0.0.1" + +const namespace = "liaison-test" + +const nodeHost = "liaison-1" + +var _ = Describe("Client Test", func() { + var ( + dir string + dirSpaceDef func() + caFilePath string + serverKeyFilePath string + serverCertFilePath string + clientKeyFilePath string + clientCertFilePath string + goods []gleak.Goroutine + ) + BeforeEach(func() { + var err error + dir, dirSpaceDef, err = test.NewSpace() + Expect(err).ShouldNot(HaveOccurred()) + caFilePath, err = filepath.Abs("./cafile/ca.crt") + Expect(err).ShouldNot(HaveOccurred()) + serverKeyFilePath, err = filepath.Abs("./cafile/server-serverusage.key.insecure") + Expect(err).ShouldNot(HaveOccurred()) + serverCertFilePath, err = filepath.Abs("./cafile/server-serverusage.crt") + Expect(err).ShouldNot(HaveOccurred()) + clientKeyFilePath, err = filepath.Abs("./cafile/client-clientusage.key.insecure") + Expect(err).ShouldNot(HaveOccurred()) + clientCertFilePath, err = filepath.Abs("./cafile/client-clientusage.crt") + Expect(err).ShouldNot(HaveOccurred()) + + goods = gleak.Goroutines() + }) + AfterEach(func() { + dirSpaceDef() + Eventually(gleak.Goroutines, flags.EventuallyTimeout).ShouldNot(gleak.HaveLeaked(goods)) + }) + + It("should be using user/password connect etcd server successfully", func() { + serverTLSInfo := transport.TLSInfo{} + clientTLSInfo := transport.TLSInfo{} + clientConfig, err := clientTLSInfo.ClientConfig() + Expect(err).ShouldNot(HaveOccurred()) + username := "banyandb" + password := "banyandb" + + etcdServer, err := createEtcdServer(dir, serverTLSInfo) + Expect(err).ShouldNot(HaveOccurred()) + // wait for e.Server to join the cluster + <-etcdServer.Server.ReadyNotify() + etcdEndpoint := etcdServer.Config().ListenClientUrls[0].String() + defer etcdServer.Close() + + adminClient, err := clientv3.New(clientv3.Config{ + Endpoints: []string{etcdEndpoint}, + }) + Expect(err).ShouldNot(HaveOccurred()) + defer adminClient.Close() + adminClient.RoleAdd(context.Background(), "root") + adminClient.UserAdd(context.Background(), "root", "root") + adminClient.UserGrantRole(context.Background(), "root", "root") + adminClient.UserAdd(context.Background(), username, password) + adminClient.UserGrantRole(context.Background(), username, "root") + adminClient.AuthEnable(context.Background()) + + ports, err := test.AllocateFreePorts(2) + Expect(err).NotTo(HaveOccurred()) + addr := fmt.Sprintf("%s:%d", host, ports[0]) + httpAddr := fmt.Sprintf("%s:%d", host, ports[1]) + closeFn := setup.CMD("liaison", + "--namespace", namespace, + "--grpc-host="+host, + fmt.Sprintf("--grpc-port=%d", ports[0]), + "--http-host="+host, + fmt.Sprintf("--http-port=%d", ports[1]), + "--http-grpc-addr="+addr, + "--node-host-provider", "flag", + "--node-host", nodeHost, + "--etcd-endpoints", etcdEndpoint, + "--etcd-username", username, + "--etcd-password", password) + defer closeFn() + + Eventually(helpers.HTTPHealthCheck(httpAddr), flags.EventuallyTimeout).Should(Succeed()) + Eventually(func() (map[string]*databasev1.Node, error) { + return listKeys(etcdEndpoint, username, password, clientConfig, fmt.Sprintf("/%s/nodes/%s:%d", namespace, nodeHost, ports[0])) + }, flags.EventuallyTimeout).Should(HaveLen(1)) + }) + + It("should be using cacert connect etcd server successfully", func() { + serverTLSInfo := transport.TLSInfo{ + KeyFile: serverKeyFilePath, + CertFile: serverCertFilePath, + } + clientTLSInfo := transport.TLSInfo{ + TrustedCAFile: caFilePath, + } + clientConfig, err := clientTLSInfo.ClientConfig() + Expect(err).ShouldNot(HaveOccurred()) + + etcdServer, err := createEtcdServer(dir, serverTLSInfo) + Expect(err).ShouldNot(HaveOccurred()) + // wait for e.Server to join the cluster + <-etcdServer.Server.ReadyNotify() + etcdEndpoint := etcdServer.Config().ListenClientUrls[0].String() + defer etcdServer.Close() + + ports, err := test.AllocateFreePorts(2) + Expect(err).NotTo(HaveOccurred()) + addr := fmt.Sprintf("%s:%d", host, ports[0]) + httpAddr := fmt.Sprintf("%s:%d", host, ports[1]) + closeFn := setup.CMD("liaison", + "--namespace", namespace, + "--grpc-host="+host, + fmt.Sprintf("--grpc-port=%d", ports[0]), + "--http-host="+host, + fmt.Sprintf("--http-port=%d", ports[1]), + "--http-grpc-addr="+addr, + "--node-host-provider", "flag", + "--node-host", nodeHost, + "--etcd-endpoints", etcdEndpoint, + "--etcd-tls-ca-file", caFilePath) + defer closeFn() + + Eventually(helpers.HTTPHealthCheck(httpAddr), flags.EventuallyTimeout).Should(Succeed()) + Eventually(func() (map[string]*databasev1.Node, error) { + return listKeys(etcdEndpoint, "", "", clientConfig, fmt.Sprintf("/%s/nodes/%s:%d", namespace, nodeHost, ports[0])) + }, flags.EventuallyTimeout).Should(HaveLen(1)) + }) + + It("should be using key pair connect etcd server successfully", func() { Review Comment: fixed -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@skywalking.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
