
Commit dd042b8

[DPE-5208] - fix: enforce client auth (#150)
1 parent 3d7c421 commit dd042b8

4 files changed

Lines changed: 19 additions & 12 deletions


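--- a/lib/charms/zookeeper/v0/client.py
+++ b/lib/charms/zookeeper/v0/client.py
@@ -74,7 +74,7 @@ def update_cluster(new_members: List[str], event: EventBase) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 7
 
 
 logger = logging.getLogger(__name__)
@@ -369,7 +369,7 @@ def leader_znodes(self, path: str) -> Set[str]:
 
 return all_znode_children
 
-def create_znode_leader(self, path: str, acls: List[ACL]) -> None:
+def create_znode_leader(self, path: str, acls: List[ACL] | None = None) -> None:
 """Creates a new zNode on the current quorum leader with given ACLs.
 
 Args:
@@ -388,7 +388,7 @@ def create_znode_leader(self, path: str, acls: List[ACL]) -> None:
 ) as zk:
 zk.create_znode(path=path, acls=acls)
 
-def set_acls_znode_leader(self, path: str, acls: List[ACL]) -> None:
+def set_acls_znode_leader(self, path: str, acls: List[ACL] | None = None) -> None:
 """Updates ACLs for an existing zNode on the current quorum leader.
 
 Args:
@@ -577,7 +577,7 @@ def delete_znode(self, path: str) -> None:
 return
 self.client.delete(path, recursive=True)
 
-def create_znode(self, path: str, acls: List[ACL]) -> None:
+def create_znode(self, path: str, acls: List[ACL] | None = None) -> None:
 """Create new znode.
 
 Args:
@@ -599,7 +599,7 @@ def get_acls(self, path: str) -> List[ACL]:
 
 return acl_list if acl_list else []
 
-def set_acls(self, path: str, acls: List[ACL]) -> None:
+def set_acls(self, path: str, acls: List[ACL] | None = None) -> None:
 """Sets acls for a desired znode path.
 
 Args: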
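Review bot: The new `acls: List[ACL] | None = None` default on `create_znode_leader` (and likewise on `set_acls_znode_leader`, `create_znode` and `set_acls` in the following hunks) makes the ACL argument optional on a security-relevant API, but none of the hunks shows handling for the None case: `create_znode_leader` forwards it unchanged via `zk.create_znode(path=path, acls=acls)`, so whatever the underlying client does with `acls=None` (presumably its own default ACL) now decides the node's permissions. Either document that in each `Args:` block (`acls: ACLs to apply to the node; None falls back to the client default -- TODO confirm what that default is`) or reject it explicitly, `if acls is None: raise ValueError("acls must be provided")`, so a node cannot end up with weaker permissions simply because a caller omitted the argument. Note also that `List[ACL] | None` is evaluated at definition time and needs Python 3.10+ unless the module has `from __future__ import annotations`; the import block is outside this diff, so that is worth confirming. Each of these methods continues outside its hunk.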

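--- a/src/managers/config.py
+++ b/src/managers/config.py
@@ -28,6 +28,9 @@
 quorum.auth.learnerRequireSasl=true
 quorum.auth.serverRequireSasl=true
 authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+enforce.auth.enabled=true
+enforce.auth.schemes=sasl
+sessionRequireClientSASLAuth=true
 audit.enable=true
 """
 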
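Review bot: The three added properties sit inside the static template string that the `"""` at the end of the hunk closes, so nothing in the hunk records why they are there, and no test change in this commit asserts that they are emitted. A one-line comment above the template, outside the string so it is not written into the generated properties, such as `# enforce.auth.* and sessionRequireClientSASLAuth make the server refuse any client session that has not completed SASL authentication`, would tell the next maintainer why clients connecting without SASL start being rejected. Adding `assert "enforce.auth.enabled=true" in harness.charm.config_manager.zookeeper_properties` (and the same for `sessionRequireClientSASLAuth=true`) to tests/unit/test_config.py would pin the enforcement so it cannot be dropped silently. The template's opening and the definition that owns it are outside this hunk.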

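--- a/src/managers/quorum.py
+++ b/src/managers/quorum.py
@@ -195,7 +195,6 @@ def update_acls(self, event: RelationEvent | None = None) -> None:
 leader_chroots = self.client.leader_znodes(path="/")
 logger.debug(f"{leader_chroots=}")
 
-requested_acls = set()
 requested_chroots = set()
 
 for client in self.state.clients:
@@ -213,8 +212,6 @@ def update_acls(self, event: RelationEvent | None = None) -> None:
 )
 logger.info(f"{generated_acl=}")
 
-requested_acls.add(generated_acl)
-
 # FIXME: data-platform-libs should handle this when it's implemented
 if client.database:
 if event and client.relation and client.relation.id == event.relation.id:
@@ -228,7 +225,7 @@ def update_acls(self, event: RelationEvent | None = None) -> None:
 self.client.create_znode_leader(path=client.database, acls=[generated_acl])
 
 # Looks for existing related applications
-logger.info(f"UPDATE CHROOT - {client.database}")
+logger.debug(f"UPDATE CHROOT - {client.database}")
 self.client.set_acls_znode_leader(path=client.database, acls=[generated_acl])
 
 # Looks for applications no longer in the relation but still in config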
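Review bot: The new `logger.debug(f"UPDATE CHROOT - {client.database}")` keeps the f-string form, which builds the message even when DEBUG is disabled; the logging idiom is lazy arguments, `logger.debug("UPDATE CHROOT - %s", client.database)`. The pre-existing `logger.info(f"{generated_acl=}")` and `logger.debug(f"{leader_chroots=}")` in the earlier hunks have the same shape and could be converted in the same pass. `update_acls` begins before the first hunk and ends after the last one.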

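--- a/tests/unit/test_config.py
+++ b/tests/unit/test_config.py
@@ -132,14 +132,21 @@ def test_multiple_jaas_users_are_added(harness):
 def test_tls_enabled(harness):
 with harness.hooks_disabled():
 harness.update_relation_data(
-harness.charm.state.peer_relation.id, CHARM_KEY, {"tls": "enabled"}
+harness.charm.state.peer_relation.id,
+CHARM_KEY,
+{"tls": "enabled", "quorum": "ssl"},
+)
+harness.update_relation_data(
+harness.charm.state.peer_relation.id,
+f"{CHARM_KEY}/0",
+{"certificate": "foo"},
 )
 
-assert "ssl.clientAuth=none" in harness.charm.config_manager.zookeeper_properties
+assert "sslQuorum=true" in harness.charm.config_manager.zookeeper_properties
 
 
 def test_tls_disabled(harness):
-assert "ssl.clientAuth=none" not in harness.charm.config_manager.zookeeper_properties
+assert "sslQuorum=true" not in harness.charm.config_manager.zookeeper_properties
 
 
 def test_tls_switching_encryption(harness):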
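Review bot: `test_tls_enabled` and `test_tls_disabled` now assert on `sslQuorum=true` instead of `ssl.clientAuth=none`, so the commit drops the only pin on the TLS client-auth setting, while the src/managers/config.py section of this commit shows additions only; if `ssl.clientAuth=none` is still in the template, neither test catches a change to it in either direction any more. For a commit whose purpose is enforcing client auth, keep an explicit assertion on that property's intended value next to the new `sslQuorum=true` check, and add `assert "enforce.auth.enabled=true" in harness.charm.config_manager.zookeeper_properties` together with the same for `sessionRequireClientSASLAuth=true`, since no test change covers the new SASL enforcement lines. The `harness` fixture and the body of `test_tls_switching_encryption` are outside this hunk.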
