Kazoo auth for ch_keeper and keeper-monitoring
munakoiso committed Sep 20, 2024
1 parent 0e66e24 commit ab8196d
Showing 3 changed files with 75 additions and 17 deletions.
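--- a/ch_tools/common/clickhouse/config/clickhouse_keeper.py
+++ b/ch_tools/common/clickhouse/config/clickhouse_keeper.py
@@ -38,6 +38,14 @@ def port_pair(self):
 
 return int(self._keeper_server.get("tcp_port", 0)), False
 
+@property
+def username(self):
+return self._keeper_server.get("username")
+
+@property
+def password(self):
+return self._keeper_server.get("password")
+
 @property
 def tls_cert_path(self):
 return (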
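Review bot: The new `username` and `password` properties carry no docstring, although the callers added in this commit depend on them returning `None` when the key is missing from the keeper_server settings. I would state that contract on each, for example `"""Keeper digest-auth password from the keeper_server config, or None when not set."""`. Because `password` returns the secret in clear text, the same docstring is a good place to say the value must not be written to logs or check output. The class continues outside the hunk.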
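--- a/ch_tools/monrun_checks/ch_keeper.py
+++ b/ch_tools/monrun_checks/ch_keeper.py
@@ -35,18 +35,34 @@ def keeper_command(retries: int, timeout: int, no_verify_ssl_certs: bool) -> Res
 """
 Check ClickHouse Keeper is alive.
 """
-keeper_port, use_ssl = ClickhouseKeeperConfig.load().port_pair
+config = ClickhouseKeeperConfig.load()
+keeper_port, use_ssl = config.port_pair
 if not keeper_port:
 return Result(OK, "Disabled")
 
-client = KazooClient(
-f"127.0.0.1:{keeper_port}",
-connection_retry=retries,
-command_retry=retries,
-timeout=timeout,
-use_ssl=use_ssl,
-verify_certs=not no_verify_ssl_certs,
-)
+username = config.username
+password = config.password
+args = {
+'hosts': f"127.0.0.1:{keeper_port}",
+'connection_retry': retries,
+'command_retry': retries,
+'timeout': timeout,
+'use_ssl': use_ssl,
+'verify_certs': not no_verify_ssl_certs,
+}
+
+if username is not None and password is not None:
+auth_data = [
+(
+'digest',
+f'{username}:{password}',
+)
+]
+acls = [make_digest_acl(username, password, all=True)]
+args['auth_data'] = auth_data
+args['default_acl'] = acls
+
+client = KazooClient(**args)
 try:
 client.start()
 client.get("/")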
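Review bot: `make_digest_acl` is called in the new auth branch of `keeper_command`, but this file's section adds no import for it, whereas keeper_commands.py gains `from kazoo.security import make_digest_acl` in the same commit. Unless the name is already imported above the hunk, the check raises NameError as soon as both a username and a password are configured, and it does so before the `try:`, so it would surface as a traceback rather than a check result. Add `from kazoo.security import make_digest_acl` next to the existing KazooClient import. Note also that when only one of the two values is set the branch is skipped and the client connects unauthenticated without any hint in the result; a WARNING for the half-configured case would make that visible. The function body continues outside the hunk.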
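--- a/ch_tools/monrun_checks_keeper/keeper_commands.py
+++ b/ch_tools/monrun_checks_keeper/keeper_commands.py
@@ -7,6 +7,7 @@
 
 from click import command, option, pass_context
 from kazoo.client import KazooClient
+from kazoo.security import make_digest_acl
 
 from ch_tools.common.clickhouse.config import ClickhouseKeeperConfig
 from ch_tools.common.result import CRIT, OK, WARNING, Result
@@ -27,14 +28,28 @@ def alive_command(ctx):
 """Check (Zoo)Keeper service is alive"""
 try:
 keeper_port, use_ssl = get_keeper_port_pair()
-client = KazooClient(
-f"127.0.0.1:{keeper_port}",
-connection_retry=ctx.obj.get("retries"),
-command_retry=ctx.obj.get("retries"),
-timeout=ctx.obj.get("timeout"),
-use_ssl=use_ssl,
-verify_certs=not ctx.obj.get("no_verify_ssl_certs"),
-)
+username = get_keeper_username()
+password = get_keeper_password()
+args = {
+'hosts': f"127.0.0.1:{keeper_port}",
+'connection_retry': ctx.obj.get("retries"),
+'command_retry': ctx.obj.get("retries"),
+'timeout': ctx.obj.get("timeout"),
+'use_ssl': use_ssl,
+'verify_certs': not ctx.obj.get("no_verify_ssl_certs"),
+}
+if username is not None and password is not None:
+auth_data = [
+(
+'digest',
+f'{username}:{password}',
+)
+]
+acls = [make_digest_acl(username, password, all=True)]
+args['auth_data'] = auth_data
+args['default_acl'] = acls
+
+client = KazooClient(**args)
 client.start()
 client.get("/")
 client.create(path="/{0}_alive".format(socket.getfqdn()), ephemeral=True)
@@ -234,6 +249,25 @@ def get_keeper_port_pair():
 return 2181, False
 
 
+def get_keeper_username():
+"""
+:returns username for (Zoo)Keeper.
+"""
+try:
+return ClickhouseKeeperConfig.load().username
+except FileNotFoundError:
+return None, None
+
+
+def get_keeper_password():
+"""
+:returns password for (Zoo)Keeper.
+"""
+try:
+return ClickhouseKeeperConfig.load().password
+except FileNotFoundError:
+return None, None
+
 def get_keeper_cert_path():
 """
 :returns path to Keeper TLS cert if exists.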
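Review bot: `get_keeper_username()` and `get_keeper_password()` return the tuple `(None, None)` on FileNotFoundError, which looks copied from the port-pair helper, so in `alive_command` both `is not None` tests pass when the config file is missing. The client is then built with the digest string `(None, None):(None, None)` and tuples are passed to `make_digest_acl`, instead of connecting without auth as intended; the port helper appears to fall back to 2181 in the same situation, so this path is reachable. Both handlers should read `return None`. Loading the config once and taking both values from it would also avoid parsing the file twice per check. `alive_command` and `get_keeper_cert_path` continue outside their hunks.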
