diff --git a/ch_tools/common/clickhouse/config/clickhouse_keeper.py b/ch_tools/common/clickhouse/config/clickhouse_keeper.py
index da7fcef7..080f5a0a 100644
--- a/ch_tools/common/clickhouse/config/clickhouse_keeper.py
+++ b/ch_tools/common/clickhouse/config/clickhouse_keeper.py
@@ -38,6 +38,14 @@ def port_pair(self):
 return int(self._keeper_server.get("tcp_port", 0)), False
+ @property
+ def username(self):
+ return self._keeper_server.get("username")
+
+ @property
+ def password(self):
+ return self._keeper_server.get("password")
+
 @property
 def tls_cert_path(self):
 return (
diff --git a/ch_tools/monrun_checks/ch_keeper.py b/ch_tools/monrun_checks/ch_keeper.py
index 3f45895d..068b8be0 100644
--- a/ch_tools/monrun_checks/ch_keeper.py
+++ b/ch_tools/monrun_checks/ch_keeper.py
@@ -35,18 +35,34 @@ def keeper_command(retries: int, timeout: int, no_verify_ssl_certs: bool) -> Res
 """
 Check ClickHouse Keeper is alive.
 """
- keeper_port, use_ssl = ClickhouseKeeperConfig.load().port_pair
+ config = ClickhouseKeeperConfig.load()
+ keeper_port, use_ssl = config.port_pair
 if not keeper_port:
 return Result(OK, "Disabled")
- client = KazooClient(
- f"127.0.0.1:{keeper_port}",
- connection_retry=retries,
- command_retry=retries,
- timeout=timeout,
- use_ssl=use_ssl,
- verify_certs=not no_verify_ssl_certs,
- )
+ username = config.username
+ password = config.password
+ args = {
+ 'hosts': f"127.0.0.1:{keeper_port}",
+ 'connection_retry': retries,
+ 'command_retry': retries,
+ 'timeout': timeout,
+ 'use_ssl': use_ssl,
+ 'verify_certs': not no_verify_ssl_certs,
+ }
+
+ if username is not None and password is not None:
+ auth_data = [
+ (
+ 'digest',
+ f'{username}:{password}',
+ )
+ ]
+ acls = [make_digest_acl(username, password, all=True)]
+ args['auth_data'] = auth_data
+ args['default_acl'] = acls
+
+ client = KazooClient(**args)
 try:
 client.start()
 client.get("/")
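Review bot: `make_digest_acl` is called inside the new `if username is not None and password is not None:` branch of keeper_command, but this diff adds `from kazoo.security import make_digest_acl` only to keeper_commands.py; unless ch_keeper.py already imports it outside the visible hunk, the check raises NameError the first time credentials are configured. The same guard also skips authentication silently when only one of the two values is set, so a half-configured keeper_server section ends up as an unauthenticated connection (alive_command in keeper_commands.py has the identical guard). Returning a non-OK result there, for example `Result(CRIT, "Keeper username and password must be set together")` if CRIT is available in this module, would surface the misconfiguration instead. The body of keeper_command continues past the end of the hunk.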
diff --git a/ch_tools/monrun_checks_keeper/keeper_commands.py b/ch_tools/monrun_checks_keeper/keeper_commands.py
index 468e2d00..270686b1 100644
--- a/ch_tools/monrun_checks_keeper/keeper_commands.py
+++ b/ch_tools/monrun_checks_keeper/keeper_commands.py
@@ -7,6 +7,7 @@ from click import command, option, pass_context
 from kazoo.client import KazooClient
+from kazoo.security import make_digest_acl
 from ch_tools.common.clickhouse.config import ClickhouseKeeperConfig
 from ch_tools.common.result import CRIT, OK, WARNING, Result
@@ -27,14 +28,28 @@ def alive_command(ctx):
 """Check (Zoo)Keeper service is alive"""
 try:
 keeper_port, use_ssl = get_keeper_port_pair()
- client = KazooClient(
- f"127.0.0.1:{keeper_port}",
- connection_retry=ctx.obj.get("retries"),
- command_retry=ctx.obj.get("retries"),
- timeout=ctx.obj.get("timeout"),
- use_ssl=use_ssl,
- verify_certs=not ctx.obj.get("no_verify_ssl_certs"),
- )
+ username = get_keeper_username()
+ password = get_keeper_password()
+ args = {
+ 'hosts': f"127.0.0.1:{keeper_port}",
+ 'connection_retry': ctx.obj.get("retries"),
+ 'command_retry': ctx.obj.get("retries"),
+ 'timeout': ctx.obj.get("timeout"),
+ 'use_ssl': use_ssl,
+ 'verify_certs': not ctx.obj.get("no_verify_ssl_certs"),
+ }
+ if username is not None and password is not None:
+ auth_data = [
+ (
+ 'digest',
+ f'{username}:{password}',
+ )
+ ]
+ acls = [make_digest_acl(username, password, all=True)]
+ args['auth_data'] = auth_data
+ args['default_acl'] = acls
+
+ client = KazooClient(**args)
 client.start()
 client.get("/")
 client.create(path="/{0}_alive".format(socket.getfqdn()), ephemeral=True)
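Review bot: The credential block in alive_command is a copy of the one added to keeper_command in ch_tools/monrun_checks/ch_keeper.py, so any later fix to the guard or the ACL has to be made in two places; a shared helper that returns the KazooClient keyword arguments would keep them in step. get_keeper_username() and get_keeper_password() each call `ClickhouseKeeperConfig.load()`, so the config file is parsed once per value. The digest `auth_data` entry carries `username:password` as written, so its confidentiality depends on `use_ssl` being true and `verify_certs` not being disabled by `no_verify_ssl_certs`. A short comment next to `auth_data`, such as `# digest credentials are sent as given; confidentiality relies on use_ssl and verify_certs`, would record that for operators. The rest of alive_command lies outside the hunk.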
@@ -234,6 +249,25 @@ def get_keeper_port_pair():
 return 2181, False
+def get_keeper_username():
+ """
+ :returns username for (Zoo)Keeper.
+ """
+ try:
+ return ClickhouseKeeperConfig.load().username
+ except FileNotFoundError:
+ return None, None
+
+
+def get_keeper_password():
+ """
+ :returns password for (Zoo)Keeper.
+ """
+ try:
+ return ClickhouseKeeperConfig.load().password
+ except FileNotFoundError:
+ return None, None
+
 def get_keeper_cert_path():
 """
 :returns path to Keeper TLS cert if exists.
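Review bot: Both new helpers return `None, None` in their `except FileNotFoundError:` branch, which is the tuple `(None, None)` rather than `None`; it looks carried over from a pair-returning helper. alive_command tests `username is not None and password is not None`, so on a host without the Keeper config file both tuples pass the guard and the client is built with `auth_data` and a digest ACL derived from tuples, instead of connecting without credentials as it did before. Each branch should be `return None`. A test that runs alive_command with the config file absent would pin the fallback.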