cli(ticdc): allow client authentication to be enabled without tls (#1…

…1005)

close #11004

cdc/api/middleware/middleware.go

@@ -238,6 +238,9 @@ func verify(ctx *gin.Context, up *upstream.Upstream) error {
 	}
 	if !allowed {
 		errMsg := "The user is not allowed."
+		if username == "" {
+			errMsg = "Empty username is not allowed."
+		}
 		return errors.ErrUnauthorized.GenWithStackByArgs(username, errMsg)
 	}
 	if err := up.VerifyTiDBUser(ctx, username, password); err != nil {

pkg/config/server_config.go

@@ -251,14 +251,14 @@ func (c *ServerConfig) ValidateAndAdjust() error {
 	}
 
 	if c.Security != nil {
-		if c.Security.ClientUserRequired || len(c.Security.ClientAllowedUser) > 0 {
+		if c.Security.ClientUserRequired {
 			if len(c.Security.ClientAllowedUser) == 0 {
 				log.Error("client-allowed-user should not be empty when client-user-required is true")
 				return cerror.ErrInvalidServerOption.GenWithStack("client-allowed-user should not be empty when client-user-required is true")
 			}
 			if !c.Security.IsTLSEnabled() {
-				log.Error("client user required but TLS is not enabled")
-				return cerror.ErrInvalidServerOption.GenWithStack("TLS should be enabled when client-user-required is true")
+				log.Warn("client-allowed-user is true, but tls is not enabled." +
+					"It's highly recommended to enable TLS to secure the communication")
 			}
 		}
 		if c.Security.IsTLSEnabled() {

tests/integration_tests/_utils/run_cdc_server

@@ -156,7 +156,7 @@ etcd_info_msg="etcd info"
 # If tls is set, then we need to pass the certificate and use https.
 # Note that the certificate name may be specified.
 if [ -z "$tls_dir" ]; then
-	curl_status_cmd="curl -vsL --max-time 20 http://$addr_url/debug/info"
+	curl_status_cmd="curl -vsL --max-time 20 http://$addr_url/debug/info --user ticdc:ticdc_secret -vsL"
 else
 	curl_status_cmd="curl --cacert $tls_dir/ca.pem --cert $tls_dir/$certcn_name.pem --key $tls_dir/$certcn_name-key.pem --user ticdc:ticdc_secret -vsL --max-time 20 https://$addr_url/debug/info"
 fi

tests/integration_tests/cli_tls_with_auth/run.sh

@@ -10,7 +10,7 @@ SINK_TYPE=$1
 TLS_DIR=$(cd $CUR/../_certificates && pwd)
 
 export TICDC_USER=ticdc
-export TICDC_PASSWORD=ticdc_password
+export TICDC_PASSWORD=ticdc_secret
 export TICDC_CA_PATH=$TLS_DIR/ca.pem
 export TICDC_CERT_PATH=$TLS_DIR/client.pem
 export TICDC_KEY_PATH=$TLS_DIR/client-key.pem
@@ -27,10 +27,18 @@ function check_changefeed_count() {
 }
 
 function run() {
+	# TODO: enable pulsar in the future.
+	if [ "$SINK_TYPE" == "pulsar" ]; then
+		exit 0
+	fi
 	rm -rf $WORK_DIR && mkdir -p $WORK_DIR
 
 	start_tidb_cluster --workdir $WORK_DIR --multiple-upstream-pd true
 	start_tls_tidb_cluster --workdir $WORK_DIR --tlsdir $TLS_DIR
+	run_sql "CREATE USER 'ticdc'@'%' IDENTIFIED BY 'ticdc_secret';" ${TLS_TIDB_HOST} ${TLS_TIDB_PORT} \
+		--ssl-ca=$TLS_DIR/ca.pem \
+		--ssl-cert=$TLS_DIR/server.pem \
+		--ssl-key=$TLS_DIR/server-key.pem
 
 	cd $WORK_DIR
 	pd_addr="https://$TLS_PD_HOST:$TLS_PD_PORT"
@@ -53,6 +61,8 @@ function run() {
    cert-path = \"$TLS_DIR/server.pem\"
    key-path = \"$TLS_DIR/server-key.pem\"
    cert-allowed-cn = [\"fake_cn\"]
+   client-user-required = true
+   client-allowed-user = [\"ticdc\"]
   " >$WORK_DIR/server.toml
 	run_cdc_server \
 		--workdir $WORK_DIR \
@@ -69,7 +79,10 @@ function run() {
 	case $SINK_TYPE in
 	kafka) SINK_URI="kafka://127.0.0.1:9092/$TOPIC_NAME?protocol=open-protocol&partition-num=4&kafka-version=${KAFKA_VERSION}&max-message-bytes=10485760" ;;
 	storage) SINK_URI="file://$WORK_DIR/storage_test/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true" ;;
-	pulsar) SINK_URI="pulsar://127.0.0.1:6650/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true" ;;
+	pulsar)
+		run_pulsar_cluster $WORK_DIR normal
+		SINK_URI="pulsar://127.0.0.1:6650/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true"
+		;;
 	*) SINK_URI="mysql://normal:[email protected]:3306/" ;;
 	esac
 
@@ -180,7 +193,6 @@ EOF
 }
 
 trap stop_tidb_cluster EXIT
-# TODO(CharlesCheung): enable this test after release-8.0
-# run $*
+run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"

tests/integration_tests/cli/run.sh → tests/integration_tests/cli_with_auth/run.sh

@@ -9,6 +9,9 @@ CDC_BINARY=cdc.test
 SINK_TYPE=$1
 TLS_DIR=$(cd $CUR/../_certificates && pwd)
 
+export TICDC_USER=ticdc
+export TICDC_PASSWORD=ticdc_secret
+
 function check_changefeed_count() {
 	pd_addr=$1
 	expected=$2
@@ -24,6 +27,7 @@ function run() {
 	rm -rf $WORK_DIR && mkdir -p $WORK_DIR
 
 	start_tidb_cluster --workdir $WORK_DIR --multiple-upstream-pd true
+	run_sql "CREATE USER 'ticdc'@'%' IDENTIFIED BY 'ticdc_secret';"
 
 	cd $WORK_DIR
 	pd_addr="http://$UP_PD_HOST_1:$UP_PD_PORT_1"
@@ -33,7 +37,13 @@ function run() {
 	run_sql "CREATE table test.simple(id int primary key, val int);"
 	run_sql "CREATE table test.\`simple-dash\`(id int primary key, val int);"
 
-	run_cdc_server --workdir $WORK_DIR --binary $CDC_BINARY
+	echo " \
+  [security]
+   client-user-required = true
+   client-allowed-user = [\"ticdc\"]
+  " >$WORK_DIR/server.toml
+
+	run_cdc_server --workdir $WORK_DIR --binary $CDC_BINARY --config "$WORK_DIR/server.toml"
 
 	TOPIC_NAME="ticdc-cli-test-$RANDOM"
 	case $SINK_TYPE in

tests/integration_tests/http_api_tls_with_user_auth/run.sh

@@ -141,7 +141,6 @@ function run() {
 }
 
 trap stop_tidb_cluster EXIT
-# TODO(CharlesCheung): enable this test after release-8.0
-# run $*
+run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"

tests/integration_tests/run_group.sh

@@ -50,7 +50,7 @@ groups=(
 	# G08
 	'processor_err_chan changefeed_reconstruct multi_capture synced_status_with_redo'
 	# G09
-	'gc_safepoint changefeed_pause_resume cli savepoint synced_status'
+	'gc_safepoint changefeed_pause_resume cli_with_auth savepoint synced_status'
 	# G10
 	'default_value simple cdc_server_tips event_filter sql_mode'
 	# G11

tests/integration_tests/sequence/run.sh

@@ -47,6 +47,6 @@ function run() {
 }
 
 trap stop_tidb_cluster EXIT
-run $*
+# run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"