Improve RBAC backup / restore behavior

[Slach]

Expected behavior

1. 'rbac' should be always backed up by default (in new clickhouse-backup version)
2. clickhouse-backup should not fail if it can not restore rbac, but it should log warnings/errors.

Actual notes

• third item of list could be easy implements in next release
• second will implement as a config option, with default true behavior
  this behavior is dangerous

restore rbac requires restart of clickhouse-server
and if clickhouse-server already contains RBAC object with the same name and different uuid, server will not start

Good point. Is it possible to check if there is any RBAC data on the cluster and do not restore in case of a conflict?

maybe it requires develop some sql parser

to get name+type+uuid from .sql and .jsonl files
need time to researh for this task

maybe, we can use system.users system.roles, system.role_granst came in modern versions of clickhouse
need to check when these tables is become

conflict resolution rules

restore without --rm
show error about RBAC object names conflict
restore --rm
show warning about RBAC object names conflict
delete old object
restore new object

[jalavoy]

Is there a rough timeline on this release? In the meantime is there a easy way to patch rbac into the existing release?

Looks like we could just throw something into the k8s cronjob command block no?

[Slach]

@jalavoy
if you want to backup and restore RBAC related objects

just add to cronjob command --rbac parameter after create_remote and restore_remote

[jalavoy]

@Slach
create_remote isn't called in the k8s cronjob. It's doing an insert into the table to trigger the backup. What's the proper way to add it to this insert?

                  for SERVER in $CLICKHOUSE_SERVICES; do
                    echo "create ${BACKUP_NAMES[$SERVER]} on $SERVER";
                    clickhouse-client --echo -mn -q "INSERT INTO system.backup_actions(command) VALUES('create ${SERVER}-${BACKUP_NAMES[$SERVER]}')" --host="$SERVER" --port="$CLICKHOUSE_PORT" --user="$BACKUP_USER" $BACKUP_PASSWORD;
                  done;

[Slach]

VALUES('create --rbac

VALUES('restore --rbac

[jalavoy]

that didn't work but I got it, need to add it into all the SELECTS too

Thank you for your help!

[Slach]

decided to don't restore RBAC,only when --rbac excplicitly, to avoid overwrite exists users passwords or some other unexpected errors