diff --git a/05-install-druid.yaml b/05-install-druid.yaml new file mode 100644 index 00000000..6a3c9d8b --- /dev/null +++ b/05-install-druid.yaml 
@@ -0,0 +1,158 @@ +--- +apiVersion: druid.stackable.tech/v1alpha1 +kind: DruidCluster +metadata: + name: derby-druid +spec: + version: 24.0.0-stackable0.2.0 + clusterConfig: + authorization: + opa: + configMapName: test-opa + package: druid + deepStorage: + hdfs: + configMapName: druid-hdfs + directory: /druid + metadataStorageDatabase: + dbType: derby + connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true + host: localhost + port: 1527 + tls: null + zookeeperConfigMapName: druid-znode + brokers: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + # use the opa authorizer instead of ldap groups + #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + #druid.escalator.authorizerName: OpaAuthorizer + roleGroups: + default: + replicas: 1 + coordinators: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: 
basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + # use the opa authorizer instead of ldap groups + #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + druid.escalator.authorizerName: OpaAuthorizer + roleGroups: + default: + replicas: 1 + historicals: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + 
druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + # use the opa authorizer instead of ldap groups + #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + druid.escalator.authorizerName: OpaAuthorizer + roleGroups: + default: + replicas: 1 + middleManagers: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + # use the opa authorizer instead of ldap groups + #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + #druid.escalator.authorizerName: OpaAuthorizer + roleGroups: + default: + replicas: 1 + routers: + configOverrides: + 
runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + # use the opa authorizer instead of ldap groups + #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + #druid.escalator.authorizerName: OpaAuthorizer + roleGroups: + default: + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/00-assert.yaml b/tests/templates/kuttl/ldap-authentication/00-assert.yaml new file mode 100644 index 00000000..4998bcdd --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/00-assert.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: druid-zk-server-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: hdfs-znode 
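Review bot: Every role's `druid.auth.authenticator.ldap.credentialsValidator.url` is `ldap://openldap:1389`, so the bind DN/password and each user's simple-bind credentials cross the network in cleartext even though the OpenLDAP deployment in this same change enables TLS on 1636; for a non-test example this should be `ldaps://openldap:1636` with the CA trusted by the Druid JVM. The hunk also inlines `bindPassword: admin`, `initialAdminPassword: admin` and `internalClientPassword: druidsystem` in `configOverrides`, which the operator presumably renders into a ConfigMap, so at minimum add `# test-only credentials, do not reuse` above the block. `druid.escalator.authorizerName: OpaAuthorizer` is active on coordinators and historicals but commented out on brokers, middleManagers and routers, so the escalator is configured inconsistently across roles. Since this file sits at the repository root, mirrors the kuttl template and hard-codes the version, it looks like an accidentally committed working copy — confirm it is meant to ship.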
diff --git a/tests/templates/kuttl/ldap-authentication/00-install-zk.yaml.j2 b/tests/templates/kuttl/ldap-authentication/00-install-zk.yaml.j2 new file mode 100644 index 00000000..c3e1b98d --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/00-install-zk.yaml.j2 @@ -0,0 +1,27 @@ +--- +apiVersion: zookeeper.stackable.tech/v1alpha1 +kind: ZookeeperCluster +metadata: + name: druid-zk +spec: + version: {{ test_scenario['values']['zookeeper-latest'] }} + servers: + roleGroups: + default: + replicas: 1 +--- +apiVersion: zookeeper.stackable.tech/v1alpha1 +kind: ZookeeperZnode +metadata: + name: druid-znode +spec: + clusterRef: + name: druid-zk +--- +apiVersion: zookeeper.stackable.tech/v1alpha1 +kind: ZookeeperZnode +metadata: + name: hdfs-znode +spec: + clusterRef: + name: druid-zk diff --git a/tests/templates/kuttl/ldap-authentication/02-assert.yaml b/tests/templates/kuttl/ldap-authentication/02-assert.yaml new file mode 100644 index 00000000..7138c1b0 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/02-assert.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: druid-hdfs-namenode-default +status: + readyReplicas: 2 + replicas: 2 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: druid-hdfs-journalnode-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: druid-hdfs-datanode-default +status: + readyReplicas: 1 + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 b/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 new file mode 100644 index 00000000..eda973b8 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 
@@ -0,0 +1,27 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +metadata: + name: druid-hdfs +timeout: 600 +--- +apiVersion: hdfs.stackable.tech/v1alpha1 +kind: HdfsCluster +metadata: + name: druid-hdfs +spec: + version: {{ test_scenario['values']['hadoop'] }} + zookeeperConfigMapName: hdfs-znode + dfsReplication: 1 + nameNodes: + roleGroups: + default: + replicas: 2 + dataNodes: + roleGroups: + default: + replicas: 1 + journalNodes: + roleGroups: + default: + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml b/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml new file mode 100644 index 00000000..9bcbc0e0 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: openldap +status: + readyReplicas: 1 + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml b/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml new file mode 100644 index 00000000..b5898764 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml 
@@ -0,0 +1,73 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: openldap + labels: + app.kubernetes.io/name: openldap +spec: + selector: + matchLabels: + app.kubernetes.io/name: openldap + serviceName: openldap + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: openldap + spec: + containers: + - name: openldap + image: docker.io/bitnami/openldap:2.5 + env: + - name: LDAP_ADMIN_USERNAME + value: admin + - name: LDAP_ADMIN_PASSWORD + value: admin + - name: LDAP_ENABLE_TLS + value: "yes" + - name: LDAP_TLS_CERT_FILE + value: /tls/tls.crt + - name: LDAP_TLS_KEY_FILE + value: /tls/tls.key + - name: LDAP_TLS_CA_FILE + value: /tls/ca.crt + ports: + - name: ldap + containerPort: 1389 + - name: tls-ldap + containerPort: 1636 + volumeMounts: + - name: tls + mountPath: /tls + startupProbe: + tcpSocket: + port: 1389 + readinessProbe: + tcpSocket: + port: 1389 + volumes: + - name: tls + csi: + driver: secrets.stackable.tech + volumeAttributes: + secrets.stackable.tech/class: openldap-tls + secrets.stackable.tech/scope: pod +--- +apiVersion: v1 +kind: Service +metadata: + name: openldap + labels: + app.kubernetes.io/name: openldap +spec: + type: ClusterIP + ports: + - name: ldap + port: 1389 + targetPort: ldap + - name: tls-ldap + port: 1636 + targetPort: tls-ldap + selector: + app.kubernetes.io/name: openldap diff --git a/tests/templates/kuttl/ldap-authentication/03-openldap-secret-class.yaml b/tests/templates/kuttl/ldap-authentication/03-openldap-secret-class.yaml new file mode 100644 index 00000000..0da7016e --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/03-openldap-secret-class.yaml 
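Review bot: TLS is switched on (`LDAP_ENABLE_TLS: "yes"`, cert/key/CA mounted from the `openldap-tls` SecretClass) yet every consumer in this change — the Druid `credentialsValidator.url` and `create_ldap_user.sh` — talks to the plaintext port 1389, so the TLS listener is never exercised by the test. The startup and readiness probes likewise only check 1389; if the TLS path is what this fixture is meant to cover, probe `tls-ldap` too and point Druid at `ldaps://openldap:1636`. `docker.io/bitnami/openldap:2.5` is a floating tag, so the fixture can change underneath the test — pin a full version or digest. `LDAP_ADMIN_PASSWORD: admin` as a literal in the pod spec is acceptable for a kuttl fixture, but a `# test-only credentials` comment keeps it from being copied into a real deployment.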
@@ -0,0 +1,23 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +metadata: + name: openldap +commands: + # SecretClass requires an explicit namespace to work + - script: | + kubectl apply -n $NAMESPACE -f - < /dev/null + - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D uid=admin,ou=Users,dc=example,dc=org -w admin -b ou=Users,dc=example,dc=org > /dev/null diff --git a/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml b/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml new file mode 100644 index 00000000..463e57f6 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +metadata: + name: create-ldap-user +commands: + - script: kubectl cp -n $NAMESPACE ./create_ldap_user.sh openldap-0:/tmp + - script: kubectl exec -n $NAMESPACE openldap-0 -- sh /tmp/create_ldap_user.sh diff --git a/tests/templates/kuttl/ldap-authentication/05-assert.yaml b/tests/templates/kuttl/ldap-authentication/05-assert.yaml new file mode 100644 index 00000000..a3331d5c --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/05-assert.yaml @@ -0,0 +1,44 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: derby-druid-broker-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: derby-druid-coordinator-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: derby-druid-historical-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: derby-druid-middlemanager-default +status: + readyReplicas: 1 + replicas: 1 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: derby-druid-router-default +status: + readyReplicas: 1 + replicas: 1 
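Review bot: The TLS smoke check `bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 ...` passes the command string unquoted, so bash's `-c` argument is only the assignment `LDAPTLS_CACERT=/tls/ca.crt` while `ldapsearch` and the rest become `$0`, `$1`…; the assignment exits 0 and ldapsearch never runs, so this step cannot fail. Quote the whole command, `bash -c 'LDAPTLS_CACERT=/tls/ca.crt ldapsearch -H ldaps://localhost:1636 -D cn=admin,dc=example,dc=org -w admin -b ou=Users,dc=example,dc=org'` — `-Z` (StartTLS) applies to `ldap://` URLs and is redundant with `ldaps://`, and the `uid=admin,ou=Users` DN it currently binds as is only created by step 04, so once the command really runs it would likely fail here. If the quotes existed upstream and were lost in this rendering, disregard the quoting point. The `kubectl apply -n $NAMESPACE -f - < /dev/null` line looks like a heredoc whose body did not survive rendering, so the SecretClass itself could not be reviewed.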
diff --git a/tests/templates/kuttl/ldap-authentication/05-install-druid.yaml.j2 b/tests/templates/kuttl/ldap-authentication/05-install-druid.yaml.j2 new file mode 100644 index 00000000..f2124837 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/05-install-druid.yaml.j2 
@@ -0,0 +1,145 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +metadata: + name: install-druid +timeout: 600 +--- +apiVersion: druid.stackable.tech/v1alpha1 +kind: DruidCluster +metadata: + name: derby-druid +spec: + version: {{ test_scenario['values']['druid'] }} + clusterConfig: + deepStorage: + hdfs: + configMapName: druid-hdfs + directory: /druid + metadataStorageDatabase: + dbType: derby + connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true + host: localhost + port: 1527 + tls: null + zookeeperConfigMapName: druid-znode + brokers: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + roleGroups: + default: + replicas: 1 + coordinators: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + 
druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + roleGroups: + default: + replicas: 1 + historicals: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + + # Escalator + 
druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + roleGroups: + default: + replicas: 1 + middleManagers: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + roleGroups: + default: + replicas: 1 + routers: + configOverrides: + runtime.properties: + druid.auth.authenticatorChain: "[\"ldap\"]" + druid.auth.authenticator.ldap.type: basic + druid.auth.authenticator.ldap.enableCacheNotifications: 'true' + druid.auth.authenticator.ldap.credentialsValidator.type: ldap + druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389 + druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin + druid.auth.authenticator.ldap.initialAdminPassword: admin + 
druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem + druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org + druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid + druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true' + + # Escalator + druid.escalator.type: basic + druid.escalator.internalClientUsername: druid_system + druid.escalator.internalClientPassword: druidsystem + roleGroups: + default: + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/06-assert.yaml b/tests/templates/kuttl/ldap-authentication/06-assert.yaml new file mode 100644 index 00000000..dc085bb1 --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/06-assert.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: checks +status: + readyReplicas: 1 + replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/06-checks-container.yaml b/tests/templates/kuttl/ldap-authentication/06-checks-container.yaml new file mode 100644 index 00000000..e1cea63a --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/06-checks-container.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: checks + labels: + app: checks +spec: + replicas: 1 + selector: + matchLabels: + app: checks + template: + metadata: + labels: + app: checks + spec: + containers: + - name: checks + image: docker.stackable.tech/stackable/testing-tools:0.1.0-stackable0.1.0 + command: ["sleep", "infinity"] diff --git a/tests/templates/kuttl/ldap-authentication/07-assert.yaml b/tests/templates/kuttl/ldap-authentication/07-assert.yaml new file mode 100644 index 00000000..a3cc6c3f --- /dev/null +++ b/tests/templates/kuttl/ldap-authentication/07-assert.yaml 
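Review bot: The LDAP validator URL is plaintext `ldap://openldap:1389` on all five roles while the OpenLDAP fixture in step 03 provisions TLS on 1636, so bind and user passwords travel unencrypted and the TLS setup is dead weight; if TLS is out of scope for this test say so with `# plaintext LDAP on purpose: TLS is covered by <test>` next to the URL, otherwise use `ldaps://openldap:1636`. No `druid.auth.authorizers` / `authorizerChain` is configured, which is why `authcheck.py` can expect a non-admin user to get 200 — this is an authentication-only fixture, and a one-line comment `# no authorizer configured: every authenticated user is allowed` would stop readers from inferring that the `admin` group matters. The same ~20-line `runtime.properties` block is pasted five times; a Jinja variable or YAML anchor rendered per role would keep the five copies from drifting (the root-level copy of this file has already drifted on `druid.escalator.authorizerName`).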
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/authcheck.py
+timeout: 600
diff --git a/tests/templates/kuttl/ldap-authentication/07-authcheck.yaml b/tests/templates/kuttl/ldap-authentication/07-authcheck.yaml
new file mode 100644
index 00000000..719f96a9
--- /dev/null
+++ b/tests/templates/kuttl/ldap-authentication/07-authcheck.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 600
+commands:
+ - script: kubectl cp -n $NAMESPACE ./authcheck.py checks-0:/tmp
diff --git a/tests/templates/kuttl/ldap-authentication/README.md b/tests/templates/kuttl/ldap-authentication/README.md
new file mode 100644
index 00000000..01d9d576
--- /dev/null
+++ b/tests/templates/kuttl/ldap-authentication/README.md
@@ -0,0 +1,8 @@
+# LDAP Authenticator Test
+
+This test sets up the following LDAP users:
+- `admin` : for Druid administration. Part of the `admin` group.
+- `druid_system` : for Druid internal communications, also part of the `admin` group.
+- `alice` : not part of the `admin` group
+
+See `authcheck.py` for examples of authorized access.
\ No newline at end of file
diff --git a/tests/templates/kuttl/ldap-authentication/authcheck.py b/tests/templates/kuttl/ldap-authentication/authcheck.py
new file mode 100755
index 00000000..592ce51f
--- /dev/null
+++ b/tests/templates/kuttl/ldap-authentication/authcheck.py
@@ -0,0 +1,57 @@
+import requests
+import sys
+import logging
+
+
+def main():
+ result = 0
+
+ proto = "http"
+ druid_cluster_name = "derby-druid"
+
+ druid_ports = {
+ "coordinator": 8081,
+ # "broker": 8082,
+ # "middlemanager": 8091,
+ # "historical": 8083,
+ # "router": 8888
+ }
+ log_level = 'INFO'
+ logging.basicConfig(level=log_level, format='%(asctime)s %(levelname)s: %(message)s', stream=sys.stdout)
+
+ for role, port in druid_ports.items():
+ url = f"{proto}://{druid_cluster_name}-{role}-default:{port}/status"
+ # make an authorized request -> return 401 expected
+ logging.info(f"making unauthorized request to {role}.")
+ res = requests.get(url)
+ if res.status_code != 401:
+ logging.error(f"expected 401 but got {res.status_code}")
+ result = 1
+ break
+ else:
+ logging.info("success")
+ # make an authorized request -> return 200 expected
+ logging.info(f"making request as LDAP user [alice] to {role}")
+ res = requests.get(url, auth=("alice", "alice"))
+ if res.status_code != 200:
+ logging.error(f"expected 200 but got {res.status_code}")
+ result = 1
+ break
+ else:
+ logging.info("success")
+ # make an unauthorized request -> return 403 expected
+ # eve is not an ldap user
+ logging.info(f"making request as unknown user [eve] to {role}")
+ res = requests.get(url, auth=("eve", "eve"))
+ if res.status_code != 401:
+ logging.error(f"expected 401 but got {res.status_code}")
+ result = 1
+ break
+ else:
+ logging.info("success")
+
+ return result
+
+
+if __name__ == "__main__":
+ sys.exit(main())
diff --git a/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh b/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh
new file mode 100644
index 00000000..38758c8b
--- /dev/null
+++ b/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh
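Review bot: The comments on the three probes contradict the assertions: the first is labelled `# make an authorized request -> return 401 expected` for a request sent with no credentials, and the third says `return 403 expected` for eve while the code (correctly) asserts 401; reword them to `# unauthenticated request -> 401 expected` and `# unknown user -> 401 expected (authentication fails, authorization never runs)`. A negative case for a known user with a wrong password is missing — `res = requests.get(url, auth=("alice", "wrong"))` expecting 401 — without it a validator that only checks the user exists would pass this test. Only the coordinator is probed and the other roles are commented out without a reason; either remove them or add `# TODO: enable once <reason>`. Note alice's 200 only holds because the CR configures no authorizer, so this is an authentication-only check despite the README calling it "authorized access".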
@@ -0,0 +1,57 @@ +#!/bin/sh + +# To check the existing users +# ldapsearch -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin -b ou=users,dc=example,dc=org + +# To check the new user +# ldapsearch -H ldap://localhost:1389 -D cn=integrationtest,ou=users,dc=example,dc=org -w integrationtest -b ou=users,dc=example,dc=org + +cat << 'EOF' | ldapadd -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin +dn: ou=Groups,dc=example,dc=org +objectClass: top +objectClass: organizationalUnit +ou: Groups + +dn: uid=admin,ou=Users,dc=example,dc=org +uid: admin +cn: admin +sn: admin +objectClass: top +objectClass: posixAccount +objectClass: inetOrgPerson +homeDirectory: /home/admin +uidNumber: 1 +gidNumber: 1 +userPassword: admin + +dn: uid=druid_system,ou=Users,dc=example,dc=org +uid: druid_system +cn: druid_system +sn: druid_system +objectClass: top +objectClass: posixAccount +objectClass: inetOrgPerson +homeDirectory: /home/druid_system +uidNumber: 2 +gidNumber: 2 +userPassword: druidsystem + +dn: cn=admin,ou=Groups,dc=example,dc=org +objectClass: groupOfUniqueNames +cn: admin +description: Admin users +uniqueMember: uid=admin,ou=Users,dc=example,dc=org +uniqueMember: uid=druid_system,ou=Users,dc=example,dc=org + +dn: uid=alice,ou=Users,dc=example,dc=org +uid: alice +cn: alice +sn: alice +objectClass: top +objectClass: posixAccount +objectClass: inetOrgPerson +homeDirectory: /home/alice +uidNumber: 3 +gidNumber: 3 +userPassword: alice +EOF diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index ec7c01ac..87e7939d 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml @@ -2,7 +2,7 @@ dimensions: - name: druid values: - - 0.23.0-stackable0.2.0 + #- 0.23.0-stackable0.2.0 - 24.0.0-stackable0.2.0 - name: zookeeper values: 
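Review bot: The usage comments at the top describe a `cn=integrationtest,ou=users,...` user with password `integrationtest` that this script never creates; replace them with the entries actually added, e.g. `# ldapsearch -H ldap://localhost:1389 -D uid=alice,ou=Users,dc=example,dc=org -w alice -b ou=Users,dc=example,dc=org`. The script is not idempotent: a second run fails because `ldapadd` rejects the already-existing `ou=Groups` and user entries, so a kuttl retry of step 04 errors out — `ldapadd -c` (continue on error) or an existence check before the add would make it safe. It also assumes `ou=Users,dc=example,dc=org` already exists (it only creates `ou=Groups`), presumably relying on the bitnami image's default user OU — worth a comment. The `userPassword:` values are cleartext LDIF, which OpenLDAP stores as-is unless server-side hashing is configured; fine for a fixture, but mark the block `# test-only credentials`.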
@@ -30,49 +30,55 @@ dimensions: - "true" - "false" tests: - - name: smoke - dimensions: - - druid - - zookeeper - - hadoop - - name: authorizer + - name: ldap-authentication dimensions: - druid - zookeeper-latest - opa - hadoop - - name: ingestion-no-s3-ext - dimensions: - - druid - - zookeeper-latest - - hadoop - - name: ingestion-s3-ext - dimensions: - - druid - - zookeeper-latest - - hadoop - - name: s3-deep-storage - dimensions: - - druid - - zookeeper-latest - - s3-use-tls - - name: hdfs-deep-storage - dimensions: - - druid - - hadoop - - zookeeper-latest - - name: resources - dimensions: - - druid - - zookeeper-latest - - name: orphaned-resources - dimensions: - - druid - - zookeeper-latest - - hadoop - - name: tls - dimensions: - - druid - - zookeeper-latest - - use-tls - - use-tls-auth + # - name: smoke + # dimensions: + # - druid + # - zookeeper + # - hadoop + # - name: authorizer + # dimensions: + # - druid + # - zookeeper-latest + # - opa + # - hadoop + # - name: ingestion-no-s3-ext + # dimensions: + # - druid + # - zookeeper-latest + # - hadoop + # - name: ingestion-s3-ext + # dimensions: + # - druid + # - zookeeper-latest + # - hadoop + # - name: s3-deep-storage + # dimensions: + # - druid + # - zookeeper-latest + # - s3-use-tls + # - name: hdfs-deep-storage + # dimensions: + # - druid + # - hadoop + # - zookeeper-latest + # - name: resources + # dimensions: + # - druid + # - zookeeper-latest + # - name: orphaned-resources + # dimensions: + # - druid + # - zookeeper-latest + # - hadoop + # - name: tls + # dimensions: + # - druid + # - zookeeper-latest + # - use-tls + # - use-tls-auth
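Review bot: This hunk comments out every existing test (smoke, authorizer, ingestion, s3/hdfs deep storage, resources, orphaned-resources, tls), leaving only `ldap-authentication`, and the hunk above it comments out the `0.23.0-stackable0.2.0` druid dimension; that reads as a local-iteration shortcut, but merged as-is it silently drops the TLS and authorizer coverage. Restore the list before merging, or leave `# temporarily disabled: <issue>` if it is deliberate. The new `ldap-authentication` entry lists `opa` as a dimension, yet the `.j2` template in this change has no `authorization.opa` block and no visible use of `test_scenario['values']['opa']`, so that dimension only multiplies runs — drop it unless the template consumes it.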