Kazoo auth for ch_keeper and keeper-monitoring

yandex · Sep 23, 2024 · 2839f1a · 2839f1a
1 parent 0e66e24
commit 2839f1a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 8 deletions.
diff --git a/ch_tools/common/config.py b/ch_tools/common/config.py
@@ -49,6 +49,8 @@
     },
     "zookeeper": {
         "randomize_hosts": True,
+        "username": None,
+        "password": None,
     },
     "chadmin": {
         "wait": {

diff --git a/ch_tools/monrun_checks_keeper/keeper_commands.py b/ch_tools/monrun_checks_keeper/keeper_commands.py
@@ -7,8 +7,10 @@
 
 from click import command, option, pass_context
 from kazoo.client import KazooClient
+from kazoo.security import make_digest_acl
 
 from ch_tools.common.clickhouse.config import ClickhouseKeeperConfig
+from ch_tools.common.config import load_config
 from ch_tools.common.result import CRIT, OK, WARNING, Result
 from ch_tools.common.tls import check_cert_on_ports
 
@@ -26,15 +28,30 @@
 def alive_command(ctx):
     """Check (Zoo)Keeper service is alive"""
     try:
+        config = load_config()
         keeper_port, use_ssl = get_keeper_port_pair()
-        client = KazooClient(
-            f"127.0.0.1:{keeper_port}",
-            connection_retry=ctx.obj.get("retries"),
-            command_retry=ctx.obj.get("retries"),
-            timeout=ctx.obj.get("timeout"),
-            use_ssl=use_ssl,
-            verify_certs=not ctx.obj.get("no_verify_ssl_certs"),
-        )
+        username = config['zookeeper']['username']
+        password = config['zookeeper']['password']
+        args = {
+            'hosts': f"127.0.0.1:{keeper_port}",
+            'connection_retry': ctx.obj.get("retries"),
+            'command_retry': ctx.obj.get("retries"),
+            'timeout': ctx.obj.get("timeout"),
+            'use_ssl': use_ssl,
+            'verify_certs': not ctx.obj.get("no_verify_ssl_certs"),
+        }
+        if username is not None and password is not None:
+            auth_data = [
+                (
+                    'digest',
+                    f'{username}:{password}',
+                )
+            ]
+            acls = [make_digest_acl(username, password, all=True)]
+            args['auth_data'] = auth_data
+            args['default_acl'] = acls
+
+        client = KazooClient(**args)
         client.start()
         client.get("/")
         client.create(path="/{0}_alive".format(socket.getfqdn()), ephemeral=True)