Add groups (#559)

yandex · May 14, 2024 · 8ba1e23 · 8ba1e23
1 parent 3f50c15
commit 8ba1e23
Show file tree

Hide file tree

Showing 18 changed files with 815 additions and 22 deletions.
diff --git a/.clion.source.upload.marker b/.clion.source.upload.marker
diff --git a/config-examples/odyssey-dev-with-watchdog.conf b/config-examples/odyssey-dev-with-watchdog.conf
@@ -45,7 +45,6 @@ listen {
 	compression yes
 }
 
-
 storage "postgres_server" {
 	type "remote"
 	host "localhost"

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -79,6 +79,7 @@ COPY ./docker/ldap /ldap
 COPY ./docker/lagpolling /lagpolling
 COPY ./docker/shell-test /shell-test
 COPY ./docker/tsa /tsa
+COPY ./docker/group /group
 COPY ./docker/xproto /xproto
 COPY ./docker/copy /copy
 COPY ./docker/gorm /gorm

diff --git a/docker/bin/setup b/docker/bin/setup
@@ -49,7 +49,7 @@ sudo -u postgres /usr/bin/pg_basebackup -D /var/lib/postgresql/14/repl -R -h loc
 sudo -u postgres /usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/14/repl/ -o '-p 5433' start
 
 # Create databases
-for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db addr_db xproto_db "spqr-console"; do
+for database_name in db scram_db ldap_db auth_query_db db1 hba_db tsa_db group_db addr_db xproto_db "spqr-console"; do
     sudo -u postgres createdb $database_name >> "$SETUP_LOG" 2>&1 || {
         echo "ERROR: 'createdb $database_name' failed, examine the log"
         cat "$SETUP_LOG"
@@ -63,6 +63,14 @@ mkdir /var/cores
 sudo sysctl -w kernel.core_pattern=/var/cores/core.%p.%e
 pgbench -i -h localhost -p 5432 -U postgres postgres
 
+# Create users
+psql -h localhost -p 5432 -U postgres -c "create role group1; create role group2; create user group_checker; create user group_user1; create user group_user2; create user group_user3; create user group_user4; create user group_user5; create user group_checker1; create user group_checker2;" -d group_db >> $SETUP_LOG 2>&1 || {
+    echo "ERROR: users creation failed, examine the log"
+    cat "$SETUP_LOG"
+    cat "$PG_LOG"
+    exit 1
+}
+
 # Create users
 psql -h localhost -p 5432 -U postgres -c "set password_encryption = 'scram-sha-256'; create user scram_user password 'scram_user_password';" -d scram_db >> $SETUP_LOG 2>&1 || {
     echo "ERROR: users creation failed, examine the log"

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -6,6 +6,13 @@ cd /test_dir/test && /usr/bin/odyssey_test
 
 setup
 
+# group
+/group/test_group.sh
+if [ $? -eq 1 ]
+then
+	exit 1
+fi
+
 # gorm
 ody-start
 /gorm/test.sh

diff --git a/docker/group/config.conf b/docker/group/config.conf
@@ -0,0 +1,122 @@
+listen {
+	host "*"
+	port 6432
+}
+
+storage "postgres_server" {
+	type "remote"
+
+    host "localhost"
+	port 5432
+}
+
+database "group_db" {
+    user "group_user1" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    group "group1" {
+            authentication "md5"
+            password "password1"
+
+            storage "postgres_server"
+            storage_db "postgres"
+            storage_user "postgres"
+
+            pool_routing "internal"
+            pool "session"
+            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group1', 'member');"
+    }
+
+    user "group_user2" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    user "group_user3" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    group "group2" {
+            authentication "md5"
+            password "password2"
+
+            storage "postgres_server"
+            storage_db "postgres"
+            storage_user "postgres"
+
+            pool_routing "internal"
+            pool "session"
+            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group2', 'member');"
+    }
+
+    user "group_user4" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+
+    user "group_user5" {
+        authentication "none"
+        storage "postgres_server"
+        pool "session"
+    }
+}
+
+database default {
+	user default {
+		authentication "none"
+
+		storage "postgres_server"
+		pool "session"
+		pool_size 0
+
+		pool_timeout 0
+
+		pool_ttl 1201
+
+		pool_discard no
+
+		pool_cancel yes
+
+		pool_rollback yes
+#		seconds
+		pool_client_idle_timeout 20
+#		seconds
+		pool_idle_in_transaction_timeout 20
+
+		client_fwd_error yes
+		application_name_add_host yes
+		server_lifetime 1901
+		log_debug no
+
+		quantiles "0.99,0.95,0.5"
+		client_max 107
+	}
+}
+
+unix_socket_dir "/tmp"
+unix_socket_mode "0644"
+
+log_file "/var/log/odyssey.log"
+log_format "%p %t %l [%i %s] (%c) %m\n"
+log_debug no
+log_config yes
+log_session no
+log_query no
+log_stats yes
+daemonize yes
+
+locks_dir "/tmp/odyssey"
+graceful_die_on_errors yes
+enable_online_restart yes
+bindwith_reuseport yes
+
+stats_interval 60
+
+pid_file "/var/run/odyssey.pid"
diff --git a/docker/group/test_group.sh b/docker/group/test_group.sh
@@ -0,0 +1,81 @@
+#!/bin/bash -x
+
+set -ex
+
+/usr/bin/odyssey /group/config.conf
+
+users=("group_user1" "group_user2" "group_user3" "group_user4" "group_user5")
+for user in "${users[@]}"; do
+	psql -h localhost -p 6432 -U "$user" -c "SELECT 1" group_db >/dev/null 2>&1 || {
+		echo "ERROR: failed backend auth with correct user auth"
+
+		cat /var/log/odyssey.log
+		echo "
+
+		"
+		cat /var/log/postgresql/postgresql-14-main.log
+
+		exit 1
+	}
+done
+
+ody-stop
+
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user2;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user4;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group2 TO group_user4;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user1;" group_db
+
+/usr/bin/odyssey /group/config.conf
+
+sleep 1
+
+psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: group auth apply for over user at config"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+psql -h localhost -p 6432 -U group_user2 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+	echo "ERROR: group auth not apply"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+	echo "ERROR: group auth not accepted down group"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+PGPASSWORD=password2 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: group auth not apply"
+
+	cat /var/log/odyssey.log
+	echo "
+
+	"
+	cat /var/log/postgresql/postgresql-14-main.log
+
+	exit 1
+}
+
+ody-stop
diff --git a/sources/CMakeLists.txt b/sources/CMakeLists.txt
@@ -52,7 +52,8 @@ set(od_src
     hba.c
     hba_reader.c
     hba_rule.c
-    mdb_iamproxy.c)
+    mdb_iamproxy.c
+    group.c)
 
 if (PAM_FOUND)
         list(APPEND od_src pam.c)