Fix groups implementation (#623)

yandex · Jul 4, 2024 · b0e2b9f · b0e2b9f
1 parent f899d63
commit b0e2b9f
Show file tree

Hide file tree

Showing 10 changed files with 171 additions and 114 deletions.
diff --git a/docker/bin/setup b/docker/bin/setup
@@ -64,7 +64,7 @@ sudo sysctl -w kernel.core_pattern=/var/cores/core.%p.%e
 pgbench -i -h localhost -p 5432 -U postgres postgres
 
 # Create users
-psql -h localhost -p 5432 -U postgres -c "create role group1; create role group2; create user group_checker; create user group_user1; create user group_user2; create user group_user3; create user group_user4; create user group_user5; create user group_checker1; create user group_checker2;" -d group_db >> $SETUP_LOG 2>&1 || {
+psql -h localhost -p 5432 -U postgres -c "set password_encryption TO 'md5'; create role group1; create role group2; create user group_checker; create user group_user1 password 'password1'; create user group_user2; create user group_user3; create user group_user4; create user group_user5; create user group_checker1; create user group_checker2;" -d group_db >> $SETUP_LOG 2>&1 || {
     echo "ERROR: users creation failed, examine the log"
     cat "$SETUP_LOG"
     cat "$PG_LOG"

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -13,22 +13,26 @@ then
 	exit 1
 fi
 
+echo "" > /var/log/odyssey.log
 # gorm
 ody-start
 /gorm/test.sh
 ody-stop
+echo "" > /var/log/odyssey.log
 
 # proto
 ody-start
 /xproto/test.sh
 ody-stop
+echo "" > /var/log/odyssey.log
 
 # copy 
 /copy/copy_test.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 # odyssey rule-address test
 /rule-address/test.sh
@@ -37,58 +41,68 @@ then
 	exit 1
 fi
 
+echo "" > /var/log/odyssey.log
+
 # odyssey target session attrs test
 /tsa/tsa.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 ody-start
 /config-validation
 ody-stop
+echo "" > /var/log/odyssey.log
 
 #ldap
 /ldap/test_ldap.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 # scram
 /scram/test_scram.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 # auth query
 /auth_query/test_auth_query.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 # odyssey hba test
 /hba/test.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 #prepared statements in transaction pooling
 /usr/bin/odyssey /etc/odyssey/pstmts.conf
 sleep 1
 /pstmts-test
 
 ody-stop
+echo "" > /var/log/odyssey.log
 
 # lag polling
 /lagpolling/test-lag.sh
 if [ $? -eq 1 ]
 then
 	exit 1
 fi
+echo "" > /var/log/odyssey.log
 
 /usr/bin/odyssey-asan /etc/odyssey/odyssey.conf
 ody-stop

diff --git a/docker/group/config.conf b/docker/group/config.conf
@@ -9,14 +9,19 @@ storage "postgres_server" {
     host "localhost"
 	port 5432
 }
+database "postgres" {
+        user "postgres" {
+                authentication "none"
 
-database "group_db" {
-    user "group_user1" {
-        authentication "none"
-        storage "postgres_server"
-        pool "session"
-    }
 
+                pool_routing "internal"
+                storage "postgres_server"
+
+                pool "session"
+        }
+}
+
+database "group_db" {
     group "group1" {
             authentication "md5"
             password "password1"
@@ -25,52 +30,42 @@ database "group_db" {
             storage_db "postgres"
             storage_user "postgres"
 
-            pool_routing "internal"
+            pool_routing "client_visible"
             pool "session"
             group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group1', 'member');"
-    }
+            group_query_user "postgres"
+            group_query_db "postgres"
 
-    user "group_user2" {
-        authentication "none"
-        storage "postgres_server"
-        pool "session"
-    }
-
-    user "group_user3" {
-        authentication "none"
-        storage "postgres_server"
-        pool "session"
+            auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
+            auth_query_user "postgres"
+            auth_query_db "postgres"
+            storage_password "passwd"  
     }
 
     group "group2" {
-            authentication "md5"
+            authentication "none"
             password "password2"
 
             storage "postgres_server"
             storage_db "postgres"
             storage_user "postgres"
 
-            pool_routing "internal"
+            pool_routing "client_visible"
             pool "session"
-            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group2', 'member');"
+            group_query "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'group2', 'member');"  
+            group_query_user "postgres"
+            group_query_db "postgres"
     }
-
-    user "group_user4" {
-        authentication "none"
-        storage "postgres_server"
-        pool "session"
-    }
-
-    user "group_user5" {
-        authentication "none"
+    user default {
+		authentication "block"
         storage "postgres_server"
         pool "session"
     }
 }
 
 database default {
 	user default {
-		authentication "none"
+		authentication "block"
 
 		storage "postgres_server"
 		pool "session"

diff --git a/docker/group/test_group.sh b/docker/group/test_group.sh
@@ -6,8 +6,8 @@ set -ex
 
 users=("group_user1" "group_user2" "group_user3" "group_user4" "group_user5")
 for user in "${users[@]}"; do
-	psql -h localhost -p 6432 -U "$user" -c "SELECT 1" group_db >/dev/null 2>&1 || {
-		echo "ERROR: failed backend auth with correct user auth"
+	psql -h localhost -p 6432 -U "$user" -c "SELECT 1" group_db >/dev/null 2>&1 && {
+		echo "ERROR: Authenticated with non-grouped user"
 
 		cat /var/log/odyssey.log
 		echo "
@@ -21,29 +21,17 @@ done
 
 ody-stop
 
+psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user1;" group_db
 psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user2;" group_db
-psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user4;" group_db
+psql -h localhost -p 5432 -U postgres -c "GRANT group2 TO group_user3;" group_db
 psql -h localhost -p 5432 -U postgres -c "GRANT group2 TO group_user4;" group_db
-psql -h localhost -p 5432 -U postgres -c "GRANT group1 TO group_user1;" group_db
 
 /usr/bin/odyssey /group/config.conf
 
-sleep 1
-
-psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 || {
-	echo "ERROR: group auth apply for over user at config"
-
-	cat /var/log/odyssey.log
-	echo "
-
-	"
-	cat /var/log/postgresql/postgresql-14-main.log
-
-	exit 1
-}
+sleep 3
 
-psql -h localhost -p 6432 -U group_user2 -c "SELECT 1" group_db >/dev/null 2>&1 && {
-	echo "ERROR: group auth not apply"
+psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 && {
+	echo "ERROR: Authenticated without password"
 
 	cat /var/log/odyssey.log
 	echo "
@@ -54,8 +42,8 @@ psql -h localhost -p 6432 -U group_user2 -c "SELECT 1" group_db >/dev/null 2>&1
 	exit 1
 }
 
-PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 && {
-	echo "ERROR: group auth not accepted down group"
+PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user1 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: Not authenticated with correct password"
 
 	cat /var/log/odyssey.log
 	echo "
@@ -66,8 +54,8 @@ PGPASSWORD=password1 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" grou
 	exit 1
 }
 
-PGPASSWORD=password2 psql -h localhost -p 6432 -U group_user4 -c "SELECT 1" group_db >/dev/null 2>&1 || {
-	echo "ERROR: group auth not apply"
+psql -h localhost -p 6432 -U group_user3 -c "SELECT 1" group_db >/dev/null 2>&1 || {
+	echo "ERROR: Not authenticated with disabled auth"
 
 	cat /var/log/odyssey.log
 	echo "

diff --git a/docker/hba/test.sh b/docker/hba/test.sh
@@ -8,7 +8,7 @@ set -ex
 
 /usr/bin/odyssey /hba/tcp.conf
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 || {
   echo "ERROR: failed auth with hba trust, correct password and plain password in config"
 
 	cat /var/log/odyssey.log
@@ -20,7 +20,7 @@ PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_allow -c "SELECT 1
 	exit 1
 }
 
-PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 && {
+PGPASSWORD=incorrect_password psql -h 127.0.0.1 -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with hba trust, but incorrect password"
 
 	cat /var/log/odyssey.log
@@ -32,7 +32,7 @@ PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_allow -c "SELECT
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_reject -c "SELECT 1" hba_db > /dev/null 2>&1 && {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_reject -c "SELECT 1" hba_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with hba reject"
 
 	cat /var/log/odyssey.log
@@ -44,7 +44,7 @@ PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_reject -c "SELECT
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_unknown -c "SELECT 1" hba_db > /dev/null 2>&1 && {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_unknown -c "SELECT 1" hba_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth without hba rule"
 
 	cat /var/log/odyssey.log
@@ -57,7 +57,7 @@ PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_unknown -c "SELECT
 }  
 
 kill -s HUP $(pgrep odyssey)
-PGPASSWORD=correct_password PGCONNECT_TIMEOUT=5 psql -h localhost -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password PGCONNECT_TIMEOUT=5 psql -h 127.0.0.1 -p 6432 -U user_allow -c "SELECT 1" hba_db > /dev/null 2>&1 || {
   echo "ERROR: unable to connect after SIGHUP"
 
 	cat /var/log/odyssey.log

diff --git a/docker/rule-address/test.sh b/docker/rule-address/test.sh
@@ -4,71 +4,71 @@ set -ex
 
 /usr/bin/odyssey /rule-address/addr.conf
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_addr_correct -c "SELECT 1" addr_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_addr_correct -c "SELECT 1" addr_db > /dev/null 2>&1 || {
   echo "ERROR: failed auth with correct addr, correct password and plain password in config"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_addr_correct -c "SELECT 1" addr_db > /dev/null 2>&1 && {
+PGPASSWORD=incorrect_password psql -h 127.0.0.1 -p 6432 -U user_addr_correct -c "SELECT 1" addr_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with correct addr, but incorrect password"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_addr_incorrect -c "SELECT 1" addr_db > /dev/null 2>&1 && {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_addr_incorrect -c "SELECT 1" addr_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with incorrect addr"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_addr_default -c "SELECT 1" addr_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_addr_default -c "SELECT 1" addr_db > /dev/null 2>&1 || {
   echo "ERROR: failed auth with correct addr, correct password and plain password in config"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_addr_default -c "SELECT 1" addr_db > /dev/null 2>&1 && {
+PGPASSWORD=incorrect_password psql -h 127.0.0.1 -p 6432 -U user_addr_default -c "SELECT 1" addr_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with correct addr, but incorrect password"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_addr_empty -c "SELECT 1" addr_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_addr_empty -c "SELECT 1" addr_db > /dev/null 2>&1 || {
   echo "ERROR: failed auth with correct addr, correct password and plain password in config"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_addr_empty -c "SELECT 1" addr_db > /dev/null 2>&1 && {
+PGPASSWORD=incorrect_password psql -h 127.0.0.1 -p 6432 -U user_addr_empty -c "SELECT 1" addr_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with correct addr, but incorrect password"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=correct_password psql -h localhost -p 6432 -U user_addr_hostname_localhost -c "SELECT 1" addr_db > /dev/null 2>&1 || {
+PGPASSWORD=correct_password psql -h 127.0.0.1 -p 6432 -U user_addr_hostname_localhost -c "SELECT 1" addr_db > /dev/null 2>&1 || {
   echo "ERROR: failed auth with correct addr, correct password and plain password in config"
 
 	cat /var/log/odyssey.log
 
 	exit 1
 }
 
-PGPASSWORD=incorrect_password psql -h localhost -p 6432 -U user_addr_hostname_localhost -c "SELECT 1" addr_db > /dev/null 2>&1 && {
+PGPASSWORD=incorrect_password psql -h 127.0.0.1 -p 6432 -U user_addr_hostname_localhost -c "SELECT 1" addr_db > /dev/null 2>&1 && {
   echo "ERROR: successfully auth with correct addr, but incorrect password"
 
 	cat /var/log/odyssey.log