Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enh: grant support s3/active-active/dual-replica/db_encryption #25731

Merged
merged 11 commits into from
May 15, 2024
Merged

enh: grant support s3/active-active/dual-replica/db_encryption #25731

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a0fffa7
enh: grant support s3/active-active/dual-replica/db_encryption
kailixu May 9, 2024
e5547ec
encrypt grant
cadem May 9, 2024
41eb82c
enh(s3/grant): disable s3 with expired grant
stephenkgu May 9, 2024
7418711
test: test case for show grants full
kailixu May 10, 2024
9cf2529
check grant first
cadem May 11, 2024
c575d7a
enh: grant check for dual-replica-ha
LiShunGang May 9, 2024
e344247
fix: grants for database encryption
kailixu May 12, 2024
60e02eb
Merge branch '3.0' into enh/TD-29968-3.0
kailixu May 12, 2024
6f07e48
Merge branch '3.0' into enh/TD-29968-3.0
kailixu May 13, 2024
b318121
Merge branch '3.0' into enh/TD-29968-3.0
stephenkgu May 14, 2024
b6eec20
fix(s3/grant): checking grant when doing migrate
stephenkgu May 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions include/common/tgrant.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,10 @@ typedef enum {
TSDB_GRANT_VIEW,
TSDB_GRANT_MULTI_TIER,
TSDB_GRANT_BACKUP_RESTORE,
TSDB_GRANT_OBJECT_STORAGE,
TSDB_GRANT_ACTIVE_ACTIVE,
TSDB_GRANT_DUAL_REPLICA_HA,
TSDB_GRANT_DB_ENCRYPTION,
} EGrantType;

int32_t checkAndGetCryptKey(const char *encryptCode, const char *machineId, char **key);
Expand Down
1 change: 1 addition & 0 deletions include/util/taoserror.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,7 @@ int32_t* taosGetErrno();
#define TSDB_CODE_MND_DB_IN_CREATING TAOS_DEF_ERROR_CODE(0, 0x0396) //
#define TSDB_CODE_MND_INVALID_SYS_TABLENAME TAOS_DEF_ERROR_CODE(0, 0x039A)
#define TSDB_CODE_MND_ENCRYPT_NOT_ALLOW_CHANGE TAOS_DEF_ERROR_CODE(0, 0x039B)
#define TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED TAOS_DEF_ERROR_CODE(0, 0x039C)

// mnode-node
#define TSDB_CODE_MND_MNODE_ALREADY_EXIST TAOS_DEF_ERROR_CODE(0, 0x03A0)
Expand Down
2 changes: 2 additions & 0 deletions source/common/src/tglobal.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,7 @@ char tsS3AccessKeySecret[TSDB_FQDN_LEN] = "<accesskeysecrect>";
char tsS3BucketName[TSDB_FQDN_LEN] = "<bucketname>";
char tsS3AppId[TSDB_FQDN_LEN] = "<appid>";
int8_t tsS3Enabled = false;
int8_t tsS3EnabledCfg = false;
int8_t tsS3Oss = false;
int8_t tsS3StreamEnabled = false;

Expand Down Expand Up @@ -375,6 +376,7 @@ int32_t taosSetS3Cfg(SConfig *pCfg) {
#if defined(USE_COS) || defined(USE_S3)
#ifdef TD_ENTERPRISE
/*if (tsDiskCfgNum > 1) */ tsS3Enabled = true;
tsS3EnabledCfg = true;
#endif
tsS3StreamEnabled = true;
#endif
Expand Down
2 changes: 2 additions & 0 deletions source/dnode/mgmt/node_mgmt/src/dmEnv.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
#include "dmMgmt.h"
#include "audit.h"
#include "libs/function/tudf.h"
#include "tgrant.h"

#define DM_INIT_AUDIT() \
do { \
Expand Down Expand Up @@ -150,6 +151,7 @@ static bool dmCheckDataDirVersion() {

extern int32_t s3Begin();
extern void s3End();
extern int8_t tsS3Enabled;

#endif

Expand Down
17 changes: 17 additions & 0 deletions source/dnode/mnode/impl/src/mndDb.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -821,6 +821,10 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) {

#ifdef TD_ENTERPRISE
if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit;
if (grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0) {
code = TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED;
goto _exit;
}
if (tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED) {
code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY;
mError("db:%s, failed to check encryption key:%" PRIi8 " in mnode leader since it's not loaded", pReq->db,
Expand Down Expand Up @@ -903,6 +907,13 @@ static int32_t mndProcessCreateDbReq(SRpcMsg *pReq) {
goto _OVER;
}

if (createReq.replications == 2) {
if ((terrno = grantCheck(TSDB_GRANT_DUAL_REPLICA_HA)) != 0) {
code = terrno;
goto _OVER;
}
}

if ((code = mndCheckDbEncryptKey(pMnode, &createReq)) != 0) {
terrno = code;
goto _OVER;
Expand Down Expand Up @@ -1163,6 +1174,12 @@ static int32_t mndProcessAlterDbReq(SRpcMsg *pReq) {
goto _OVER;
}

if (alterReq.replications == 2) {
if ((code = grantCheck(TSDB_GRANT_DUAL_REPLICA_HA)) != 0) {
goto _OVER;
}
}

int32_t numOfTopics = 0;
if (mndGetNumOfTopics(pMnode, pDb->name, &numOfTopics) != 0) {
goto _OVER;
Expand Down
10 changes: 10 additions & 0 deletions source/dnode/vnode/src/tsdb/tsdbRetention.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -757,6 +757,16 @@ static int32_t tsdbDoS3MigrateAsync(void *arg) {
int32_t tsdbS3Migrate(STsdb *tsdb, int64_t now, int32_t sync) {
int32_t code = 0;

extern int8_t tsS3EnabledCfg;

int32_t expired = grantCheck(TSDB_GRANT_OBJECT_STORAGE);
if (expired && tsS3Enabled) {
tsdbWarn("s3 grant expired: %d", expired);
tsS3Enabled = false;
} else if (!expired && tsS3EnabledCfg) {
tsS3Enabled = true;
}

if (!tsS3Enabled) {
return code;
}
Expand Down
1 change: 1 addition & 0 deletions source/util/src/terror.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_IN_CREATING, "Database in creating
TAOS_DEFINE_ERROR(TSDB_CODE_MND_ENCRYPT_NOT_ALLOW_CHANGE, "Encryption is not allowed to be changed after database is created")
TAOS_DEFINE_ERROR(TSDB_CODE_MND_INCONSIST_ENCRYPT_KEY, "Inconsistent encryption key")
TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_ENCRYPT_KEY, "The cluster has not been set properly for database encryption")
TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED, "The database encryption function grant expired")

// mnode-node
TAOS_DEFINE_ERROR(TSDB_CODE_MND_MNODE_ALREADY_EXIST, "Mnode already exists")
Expand Down
25 changes: 16 additions & 9 deletions tests/system-test/0-others/information_schema.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -269,13 +269,17 @@ def ins_dnodes_check(self):

def ins_grants_check(self):
grant_name_dict = {
'stream':'stream',
'subscription':'subscription',
'view':'view',
'audit':'audit',
'csv':'csv',
'storage':'multi_tier_storage',
'backup_restore':'backup_restore',
'stream':'Stream',
'subscription':'Subscription',
'view':'View',
'audit':'Audit',
'csv':'CSV',
'storage':'Multi-Tier Storage',
'backup_restore':'Data Backup & Restore',
'object_storage':'Object Storage',
'active_active':'Active-Active',
'dual_replica':'Dual-Replica HA',
'db_encryption':'Database Encryption',
'opc_da':'OPC_DA',
'opc_ua':'OPC_UA',
'pi':'Pi',
Expand All @@ -285,7 +289,10 @@ def ins_grants_check(self):
'avevahistorian':'avevaHistorian',
'opentsdb':'OpenTSDB',
'td2.6':'TDengine2.6',
'td3.0':'TDengine3.0'
'td3.0':'TDengine3.0',
'mysql':'MySQL',
'postgres':'PostgreSQL',
'oracle':'Oracle',
}

tdSql.execute('drop database if exists db2')
Expand All @@ -297,7 +304,7 @@ def ins_grants_check(self):
if result[i][0] in grant_name_dict:
tdSql.checkEqual(result[i][1], grant_name_dict[result[i][0]])
index += 1
tdSql.checkEqual(index, 17)
tdSql.checkEqual(index, 24)
tdSql.query(f'select * from information_schema.ins_grants_logs')
result = tdSql.queryResult
tdSql.checkEqual(True, len(result) >= 0)
Expand Down