abukor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 679c90c [python] KUDU-1921 Add ability to require auth/encryption
679c90c is described below
commit 679c90c81492d1ba46964a5258679fd4ed028d6c
Author: Attila Bukor <[email protected]>
AuthorDate: Tue Jul 27 20:30:34 2021 +0200
[python] KUDU-1921 Add ability to require auth/encryption
Change-Id: I10173145611ad2991c0a1b173ecadc7141ae6f5e
Reviewed-on: http://gerrit.cloudera.org:8080/17733
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>
---
python/kudu/__init__.py | 16 +++++++++++++---
python/kudu/client.pyx | 20 +++++++++++++++++++-
python/kudu/libkudu_client.pxd | 9 +++++++++
python/kudu/tests/test_client.py | 17 +++++++++++++----
4 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/python/kudu/__init__.py b/python/kudu/__init__.py
index ece031c..200d5ce 100644
--- a/python/kudu/__init__.py
+++ b/python/kudu/__init__.py
@@ -32,7 +32,10 @@ from kudu.client import (Client, Table, Scanner, Session, #
noqa
EXCLUSIVE_BOUND,
INCLUSIVE_BOUND,
CLIENT_SUPPORTS_DECIMAL,
- CLIENT_SUPPORTS_PANDAS)
+ CLIENT_SUPPORTS_PANDAS,
+ ENCRYPTION_REQUIRED_REMOTE,
+ ENCRYPTION_REQUIRED,
+ ENCRYPTION_OPTIONAL)
from kudu.errors import (KuduException, KuduBadStatus, KuduNotFound, # noqa
KuduNotSupported,
@@ -57,7 +60,8 @@ from kudu.schema import (int8, int16, int32, int64, string_
as string, # noqa
ENCODING_DICT)
-def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None):
+def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None,
+ require_authentication=False,
encryption_policy=ENCRYPTION_OPTIONAL):
"""
Connect to a Kudu master server
@@ -72,6 +76,10 @@ def connect(host, port=7051, admin_timeout_ms=None,
rpc_timeout_ms=None):
Admin timeout in milliseconds
rpc_timeout_ms : int, optional
RPC timeout in milliseconds
+ require_authentication : bool, optional
+ Whether to require authentication
+ encryption_policy : enum, optional
+ Whether to require encryption
Returns
-------
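Review bot: The two new docstring entries do not say which values `encryption_policy` accepts or what the defaults mean for a caller. The signature in the preceding hunk defaults to `require_authentication=False` and `encryption_policy=ENCRYPTION_OPTIONAL`, so a caller who passes nothing gets a client that will still connect to an unauthenticated, unencrypted server. I would spell the choices out, following the C++ client's `EncryptionPolicy`: `One of kudu.ENCRYPTION_OPTIONAL (default; encrypt only if the server supports it), kudu.ENCRYPTION_REQUIRED_REMOTE (require encryption except on local connections) or kudu.ENCRYPTION_REQUIRED (require encryption on every connection)`. The `require_authentication` entry should also state that it defaults to False. The docstring starts and ends outside this hunk.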
@@ -95,7 +103,9 @@ def connect(host, port=7051, admin_timeout_ms=None,
rpc_timeout_ms=None):
addresses.append('{0}:{1}'.format(host, port))
return Client(addresses, admin_timeout_ms=admin_timeout_ms,
- rpc_timeout_ms=rpc_timeout_ms)
+ rpc_timeout_ms=rpc_timeout_ms,
+ encryption_policy=encryption_policy,
+ require_authentication=require_authentication)
def timedelta(seconds=0, millis=0, micros=0, nanos=0):
diff --git a/python/kudu/client.pyx b/python/kudu/client.pyx
index f26fafc..1a09fbb 100644
--- a/python/kudu/client.pyx
+++ b/python/kudu/client.pyx
@@ -75,6 +75,16 @@ cdef dict _read_modes = {
'read_your_writes': ReadMode_ReadYourWrites
}
+ENCRYPTION_OPTIONAL = EncryptionPolicy_Optional
+ENCRYPTION_REQUIRED_REMOTE = EncryptionPolicy_RequiredRemote
+ENCRYPTION_REQUIRED = EncryptionPolicy_Required
+
+cdef dict _encryption_policies = {
+ 'optional': EncryptionPolicy_Optional,
+ 'required_remote': EncryptionPolicy_RequiredRemote,
+ 'required': EncryptionPolicy_Required
+}
+
cdef dict _type_names = {
KUDU_INT8 : "KUDU_INT8",
KUDU_INT16 : "KUDU_INT16",
@@ -281,7 +291,9 @@ cdef class Client:
"""
def __cinit__(self, addr_or_addrs, admin_timeout_ms=None,
- rpc_timeout_ms=None, sasl_protocol_name=None):
+ rpc_timeout_ms=None, sasl_protocol_name=None,
+ require_authentication=False,
+ encryption_policy=ENCRYPTION_OPTIONAL):
cdef:
string c_addr
vector[string] c_addrs
@@ -326,6 +338,12 @@ cdef class Client:
if sasl_protocol_name is not None:
builder.sasl_protocol_name(sasl_protocol_name)
+ if require_authentication:
+ builder.require_authentication(require_authentication)
+
+ builder.encryption_policy(encryption_policy)
+
+
check_status(builder.Build(&self.client))
# A convenience
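Review bot: `builder.encryption_policy(encryption_policy)` hands the caller's value to the C++ builder without checking that it is one of the three policies, and the `_encryption_policies` name map added earlier in this file is not consulted in any visible hunk. Since this argument decides whether the connection may fall back to plaintext, I would reject anything unexpected before the call, for example `if encryption_policy not in _encryption_policies.values(): raise ValueError('invalid encryption_policy: {0!r}'.format(encryption_policy))`. How Cython converts an out-of-range integer or a bool to the enum is not visible here, so it is worth confirming that such input fails rather than silently selecting a weaker policy. `__cinit__` starts and ends outside the hunk.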
diff --git a/python/kudu/libkudu_client.pxd b/python/kudu/libkudu_client.pxd
index aa91cd7..22cb249 100644
--- a/python/kudu/libkudu_client.pxd
+++ b/python/kudu/libkudu_client.pxd
@@ -538,6 +538,11 @@ cdef extern from "kudu/client/client.h" namespace
"kudu::client" nogil:
PartitionType_Exclusive "
kudu::client::KuduTableCreator::EXCLUSIVE_BOUND"
PartitionType_Inclusive "
kudu::client::KuduTableCreator::INCLUSIVE_BOUND"
+ enum EncryptionPolicy" kudu::client::KuduClientBuilder::EncryptionPolicy":
+ EncryptionPolicy_Optional "
kudu::client::KuduClientBuilder::EncryptionPolicy::OPTIONAL"
+ EncryptionPolicy_RequiredRemote "
kudu::client::KuduClientBuilder::EncryptionPolicy::REQUIRED_REMOTE"
+ EncryptionPolicy_Required "
kudu::client::KuduClientBuilder::EncryptionPolicy::REQUIRED"
+
Status DisableOpenSSLInitialization()
cdef cppclass KuduClient:
@@ -579,6 +584,10 @@ cdef extern from "kudu/client/client.h" namespace
"kudu::client" nogil:
KuduClientBuilder& sasl_protocol_name(const string& sasl_protocol_name)
+ KuduClientBuilder& require_authentication(c_bool
require_authentication)
+
+ KuduClientBuilder& encryption_policy(EncryptionPolicy
encryption_policy)
+
Status Build(shared_ptr[KuduClient]* client)
cdef cppclass KuduTabletServer:
diff --git a/python/kudu/tests/test_client.py b/python/kudu/tests/test_client.py
index 6305285..184eca6 100755
--- a/python/kudu/tests/test_client.py
+++ b/python/kudu/tests/test_client.py
@@ -18,7 +18,8 @@
from kudu.compat import unittest, long
from kudu.tests.common import KuduTestBase
-from kudu.client import Partitioning
+from kudu.client import (Partitioning, ENCRYPTION_OPTIONAL,
ENCRYPTION_REQUIRED,
+ ENCRYPTION_REQUIRED_REMOTE)
import kudu
import datetime
from pytz import utc
@@ -338,9 +339,7 @@ class TestClient(KuduTestBase, unittest.TestCase):
def test_connect_timeouts(self):
# it works! any other way to check
- kudu.connect(self.master_hosts, self.master_ports,
- admin_timeout_ms=1000,
- rpc_timeout_ms=1000)
+ kudu.connect(self.master_hosts, self.master_ports,
admin_timeout_ms=1000, rpc_timeout_ms=1000)
def test_capture_kudu_error(self):
pass
@@ -501,6 +500,16 @@ class TestClient(KuduTestBase, unittest.TestCase):
alterer.add_range_partition()
table = alterer.alter()
+ def test_require_encryption(self):
+ client = kudu.connect(self.master_hosts, self.master_ports,
+ encryption_policy=ENCRYPTION_REQUIRED)
+
+ def test_require_authn(self):
+ # Kerberos is not enabled on the cluster, so requiring
+ # authentication is expected to fail.
+ with self.assertRaises(kudu.KuduBadStatus):
+ client = kudu.connect(self.master_hosts, self.master_ports,
+ require_authentication=True)
class TestMonoDelta(unittest.TestCase):
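Review bot: `test_require_encryption` only shows that `kudu.connect(..., encryption_policy=ENCRYPTION_REQUIRED)` does not raise; nothing checks that the policy was enforced, and there is no case where a required policy is expected to fail against a server without encryption, the way `test_require_authn` does for authentication. `ENCRYPTION_OPTIONAL` and `ENCRYPTION_REQUIRED_REMOTE` are imported in the first hunk of this file but are not used in the visible tests. A short comment such as `# Test cluster has TLS enabled, so a required policy must still connect.` would record the assumption the test relies on, if that is indeed the setup. The unused `client =` binding inside `assertRaises` can be dropped.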