diff --git a/cdc/api/middleware/middleware.go b/cdc/api/middleware/middleware.go
index d502791fddf..3beeb9d7ae0 100644
--- a/cdc/api/middleware/middleware.go
+++ b/cdc/api/middleware/middleware.go
@@ -238,6 +238,9 @@ func verify(ctx *gin.Context, up *upstream.Upstream) error {
 }
 if !allowed {
 errMsg := "The user is not allowed."
+ if username == "" {
+ errMsg = "Empty username is not allowed."
+ }
 return errors.ErrUnauthorized.GenWithStackByArgs(username, errMsg)
 }
 if err := up.VerifyTiDBUser(ctx, username, password); err != nil {
diff --git a/pkg/config/server_config.go b/pkg/config/server_config.go
index d82371002df..3b1c8fd0efd 100644
--- a/pkg/config/server_config.go
+++ b/pkg/config/server_config.go
@@ -251,14 +251,14 @@ func (c *ServerConfig) ValidateAndAdjust() error {
 }
 if c.Security != nil {
- if c.Security.ClientUserRequired || len(c.Security.ClientAllowedUser) > 0 {
+ if c.Security.ClientUserRequired {
 if len(c.Security.ClientAllowedUser) == 0 {
 log.Error("client-allowed-user should not be empty when client-user-required is true")
 return cerror.ErrInvalidServerOption.GenWithStack("client-allowed-user should not be empty when client-user-required is true")
 }
 if !c.Security.IsTLSEnabled() {
- log.Error("client user required but TLS is not enabled")
- return cerror.ErrInvalidServerOption.GenWithStack("TLS should be enabled when client-user-required is true")
+ log.Warn("client-allowed-user is true, but tls is not enabled." + "It's highly recommended to enable TLS to secure the communication")
 }
 }
 if c.Security.IsTLSEnabled() {
diff --git a/tests/integration_tests/_utils/run_cdc_server b/tests/integration_tests/_utils/run_cdc_server
index 197a44e7b6b..70ae5387d48 100755
--- a/tests/integration_tests/_utils/run_cdc_server
+++ b/tests/integration_tests/_utils/run_cdc_server
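Review bot: The `log.Warn` added in the `!c.Security.IsTLSEnabled()` branch names the wrong option and is missing a space at the literal join: `client-allowed-user` is the list, the boolean being checked is `client-user-required`, and `"...not enabled." + "It's..."` renders as `enabled.It's`. Because this branch used to reject the configuration and now only logs, the message should also state what is being accepted — with `client-user-required = true` and no TLS, the credentials the API checks travel in cleartext — for example `log.Warn("client-user-required is true but TLS is not enabled; credentials will be sent in cleartext. " + "It's highly recommended to enable TLS to secure the communication")`. Dropping `|| len(c.Security.ClientAllowedUser) > 0` from the outer condition also means a populated allow list with the flag unset is no longer validated here; if that list is only consulted when the flag is set (not visible in this hunk), a warning for that combination would keep a misconfigured allow list from being silently inert. ValidateAndAdjust starts and ends outside the hunk.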
@@ -156,7 +156,7 @@ etcd_info_msg="etcd info"
 # If tls is set, then we need to pass the certificate and use https.
 # Note that the certificate name may be specified.
 if [ -z "$tls_dir" ]; then
- curl_status_cmd="curl -vsL --max-time 20 http://$addr_url/debug/info"
+ curl_status_cmd="curl -vsL --max-time 20 http://$addr_url/debug/info --user ticdc:ticdc_secret -vsL"
 else
 curl_status_cmd="curl --cacert $tls_dir/ca.pem --cert $tls_dir/$certcn_name.pem --key $tls_dir/$certcn_name-key.pem --user ticdc:ticdc_secret -vsL --max-time 20 https://$addr_url/debug/info"
 fi
diff --git a/tests/integration_tests/cli_tls_with_auth/run.sh b/tests/integration_tests/cli_tls_with_auth/run.sh
index aee336f751d..b71c0efc12a 100644
--- a/tests/integration_tests/cli_tls_with_auth/run.sh
+++ b/tests/integration_tests/cli_tls_with_auth/run.sh
@@ -10,7 +10,7 @@ SINK_TYPE=$1
 TLS_DIR=$(cd $CUR/../_certificates && pwd)
 export TICDC_USER=ticdc
-export TICDC_PASSWORD=ticdc_password
+export TICDC_PASSWORD=ticdc_secret
 export TICDC_CA_PATH=$TLS_DIR/ca.pem
 export TICDC_CERT_PATH=$TLS_DIR/client.pem
 export TICDC_KEY_PATH=$TLS_DIR/client-key.pem
@@ -27,10 +27,18 @@ function check_changefeed_count() {
 }
 function run() {
+ # TODO: enable pulsar in the future.
+ if [ "$SINK_TYPE" == "pulsar" ]; then
+ exit 0
+ fi
 rm -rf $WORK_DIR && mkdir -p $WORK_DIR
 start_tidb_cluster --workdir $WORK_DIR --multiple-upstream-pd true
 start_tls_tidb_cluster --workdir $WORK_DIR --tlsdir $TLS_DIR
+ run_sql "CREATE USER 'ticdc'@'%' IDENTIFIED BY 'ticdc_secret';" ${TLS_TIDB_HOST} ${TLS_TIDB_PORT} \
+ --ssl-ca=$TLS_DIR/ca.pem \
+ --ssl-cert=$TLS_DIR/server.pem \
+ --ssl-key=$TLS_DIR/server-key.pem
 cd $WORK_DIR
 pd_addr="https://$TLS_PD_HOST:$TLS_PD_PORT"
@@ -53,6 +61,8 @@ function run() {
 cert-path = \"$TLS_DIR/server.pem\"
 key-path = \"$TLS_DIR/server-key.pem\"
 cert-allowed-cn = [\"fake_cn\"]
+ client-user-required = true
+ client-allowed-user = [\"ticdc\"]
 " >$WORK_DIR/server.toml
 run_cdc_server \
 --workdir $WORK_DIR \
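Review bot: The rewritten `curl_status_cmd` in the `-z "$tls_dir"` branch passes `-vsL` twice, once right after `curl` and again at the end; the trailing one is redundant: `curl_status_cmd="curl -vsL --max-time 20 --user ticdc:ticdc_secret http://$addr_url/debug/info"`. The credentials are hard-coded here while the test scripts in this diff export them as `TICDC_USER`/`TICDC_PASSWORD`; if those are set before this helper runs (not visible here), `--user "$TICDC_USER:$TICDC_PASSWORD"` would keep them in one place. This branch now sends Basic credentials over plain http, which is exactly the combination the check in `server_config.go` stops rejecting; a comment such as `# non-TLS fixture: Basic credentials go over plain http, test-only` keeps that deliberate.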
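Review bot: The `exit 0` added at the top of `run()` for `SINK_TYPE == pulsar` makes the new `pulsar)` branch in the `@@ -69,7 +79,10 @@` hunk of this file (which adds `run_pulsar_cluster $WORK_DIR normal`) unreachable, so the commit introduces the pulsar setup and disables it in the same file. Either drop the early exit or leave the `pulsar)` case unchanged until the TODO is resolved. The skip also exits before the final `success!` echo, so a skipped pulsar run leaves no trace in the log; an `echo "[$(date)] skip $TEST_NAME for pulsar sink"` before the `exit 0` would make it visible. `trap stop_tidb_cluster EXIT` is installed at file scope outside this hunk, so it fires on this exit before any cluster was started; presumably harmless, but worth confirming `stop_tidb_cluster` tolerates an empty workdir.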
@@ -69,7 +79,10 @@ function run() {
 case $SINK_TYPE in
 kafka) SINK_URI="kafka://127.0.0.1:9092/$TOPIC_NAME?protocol=open-protocol&partition-num=4&kafka-version=${KAFKA_VERSION}&max-message-bytes=10485760" ;;
 storage) SINK_URI="file://$WORK_DIR/storage_test/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true" ;;
- pulsar) SINK_URI="pulsar://127.0.0.1:6650/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true" ;;
+ pulsar)
+ run_pulsar_cluster $WORK_DIR normal
+ SINK_URI="pulsar://127.0.0.1:6650/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true"
+ ;;
 *) SINK_URI="mysql://normal:123456@127.0.0.1:3306/" ;;
 esac
@@ -180,7 +193,6 @@ EOF
 }
 trap stop_tidb_cluster EXIT
-# TODO(CharlesCheung): enable this test after release-8.0
-# run $*
+run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"
diff --git a/tests/integration_tests/cli/run.sh b/tests/integration_tests/cli_with_auth/run.sh
similarity index 95%
rename from tests/integration_tests/cli/run.sh
rename to tests/integration_tests/cli_with_auth/run.sh
index 15a302bc15e..5d496f57581 100644
--- a/tests/integration_tests/cli/run.sh
+++ b/tests/integration_tests/cli_with_auth/run.sh
@@ -9,6 +9,9 @@ CDC_BINARY=cdc.test
 SINK_TYPE=$1
 TLS_DIR=$(cd $CUR/../_certificates && pwd)
+export TICDC_USER=ticdc
+export TICDC_PASSWORD=ticdc_secret
+
 function check_changefeed_count() {
 pd_addr=$1
 expected=$2
@@ -24,6 +27,7 @@ function run() {
 rm -rf $WORK_DIR && mkdir -p $WORK_DIR
 start_tidb_cluster --workdir $WORK_DIR --multiple-upstream-pd true
+ run_sql "CREATE USER 'ticdc'@'%' IDENTIFIED BY 'ticdc_secret';"
 cd $WORK_DIR
 pd_addr="http://$UP_PD_HOST_1:$UP_PD_PORT_1"
@@ -33,7 +37,13 @@ function run() {
 run_sql "CREATE table test.simple(id int primary key, val int);"
 run_sql "CREATE table test.\`simple-dash\`(id int primary key, val int);"
- run_cdc_server --workdir $WORK_DIR --binary $CDC_BINARY
+ echo " \
+ [security]
+ client-user-required = true
+ client-allowed-user = [\"ticdc\"]
+ " >$WORK_DIR/server.toml
+ run_cdc_server --workdir $WORK_DIR --binary $CDC_BINARY --config "$WORK_DIR/server.toml"
 TOPIC_NAME="ticdc-cli-test-$RANDOM"
 case $SINK_TYPE in
diff --git a/tests/integration_tests/http_api_tls_with_user_auth/run.sh b/tests/integration_tests/http_api_tls_with_user_auth/run.sh
index e5b15b63f89..327ba9b790f 100644
--- a/tests/integration_tests/http_api_tls_with_user_auth/run.sh
+++ b/tests/integration_tests/http_api_tls_with_user_auth/run.sh
@@ -141,7 +141,6 @@ function run() {
 }
 trap stop_tidb_cluster EXIT
-# TODO(CharlesCheung): enable this test after release-8.0
-# run $*
+run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"
diff --git a/tests/integration_tests/run_group.sh b/tests/integration_tests/run_group.sh
index 18e5e8ade8a..28b25019ec0 100755
--- a/tests/integration_tests/run_group.sh
+++ b/tests/integration_tests/run_group.sh
@@ -50,7 +50,7 @@ groups=(
 # G08
 'processor_err_chan changefeed_reconstruct multi_capture synced_status_with_redo'
 # G09
- 'gc_safepoint changefeed_pause_resume cli savepoint synced_status'
+ 'gc_safepoint changefeed_pause_resume cli_with_auth savepoint synced_status'
 # G10
 'default_value simple cdc_server_tips event_filter sql_mode'
 # G11
diff --git a/tests/integration_tests/sequence/run.sh b/tests/integration_tests/sequence/run.sh
index 3bc45696b37..32cc7b64b5f 100755
--- a/tests/integration_tests/sequence/run.sh
+++ b/tests/integration_tests/sequence/run.sh
@@ -47,6 +47,6 @@ function run() {
 }
 trap stop_tidb_cluster EXIT
-run $*
+# run $*
 check_logs $WORK_DIR
 echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"
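Review bot: This test now depends on `ValidateAndAdjust` only warning when `client-user-required` is set without TLS — the `server.toml` written here has no cert paths and `run_cdc_server` is invoked without a tls dir — and nothing in the script says so; a comment next to the `echo`, e.g. `# client auth over plain http: relies on server_config.go only warning when TLS is off`, would stop the next reader from "fixing" the config and makes the dependency explicit. With `cli/run.sh` renamed to `cli_with_auth/run.sh` and `run_group.sh` updated to match, there is no longer a CLI integration case that starts the server with the default (no `[security]`) configuration, so the unauthenticated path is untested; consider keeping the original script as `cli` alongside this one. `run()` continues outside the hunk.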
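Review bot: `run $*` is commented out with no reason or owner, so `sequence/run.sh` now runs only `check_logs` and prints the `success!` line without executing the test, and the group result reads as a pass. If the test has to be disabled, record why and who restores it, e.g. `# TODO(<owner>): re-enable sequence; disabled because <reason>, tracked in <issue>` (placeholders), and prefer removing it from its group in `run_group.sh` so the suite reports a skip instead of a pass. Nothing else in this diff touches the sequence test, so its link to the auth change is unclear.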