github.com/pingcap/tiflow@v0.0.0-20240520035814-5bf52d54e205/tests/integration_tests/cli_tls_with_auth/run.sh (about)

     1  #!/bin/bash
     2  
     3  set -eu
     4  
     5  CUR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
     6  source $CUR/../_utils/test_prepare
     7  WORK_DIR=$OUT_DIR/$TEST_NAME
     8  CDC_BINARY=cdc.test
     9  SINK_TYPE=$1
    10  TLS_DIR=$(cd $CUR/../_certificates && pwd)
    11  
    12  export TICDC_USER=ticdc
    13  export TICDC_PASSWORD=ticdc_secret
    14  export TICDC_CA_PATH=$TLS_DIR/ca.pem
    15  export TICDC_CERT_PATH=$TLS_DIR/client.pem
    16  export TICDC_KEY_PATH=$TLS_DIR/client-key.pem
    17  
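#######################################
# Assert that `cdc cli changefeed list` reports the expected number of
# changefeeds; terminates the script with status 1 on a mismatch.
# Arguments: $1 - PD address passed as --pd
#            $2 - expected changefeed count
# Outputs:   a pass or mismatch message on stdout
#######################################
function check_changefeed_count() {
	# Locals keep this helper from overwriting same-named globals of the caller
	# (run() also assigns pd_addr).
	local pd_addr=$1
	local expected=$2
	local feed_count
	# No TLS or user flags are passed here; the call relies on the TICDC_*
	# variables exported at the top of the file (presumably read by the CLI).
	# Declaration and assignment are split so a failing jq is not masked by `local`.
	feed_count=$(cdc cli changefeed list --pd="$pd_addr" | jq '.|length')
	if [[ "$feed_count" != "$expected" ]]; then
		echo "[$(date)] <<<<< unexpect changefeed count! expect ${expected} got ${feed_count} >>>>>"
		exit 1
	fi
	echo "changefeed count ${feed_count} check pass, pd_addr: $pd_addr"
}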
    28  
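#######################################
# Run the CLI scenario against the TLS cluster: create, list, update, pause,
# resume and remove a changefeed, then smoke-test the unsafe subcommands and
# the HTTPS log-level and status endpoints.
# Globals:   SINK_TYPE, WORK_DIR, TLS_DIR, CDC_BINARY, TEST_NAME (read);
#            TLS_* / DOWN_* host and port variables and KAFKA_VERSION (read,
#            not defined in this file); pd_addr, start_ts, uuid, TOPIC_NAME,
#            SINK_URI, REGION_ID, TS and the check variables (written)
# Arguments: none are read; the sink type comes from SINK_TYPE
# Returns:   exits 0 early for the pulsar sink, exits 1 when a check fails
#######################################
function run() {
	# TODO: enable pulsar in the future.
	if [ "$SINK_TYPE" == "pulsar" ]; then
		exit 0
	fi
	rm -rf -- "$WORK_DIR" && mkdir -p "$WORK_DIR"

	# Certificate options shared by every run_sql call against the TLS TiDB.
	local -a sql_tls_args=(
		--ssl-ca="$TLS_DIR/ca.pem"
		--ssl-cert="$TLS_DIR/server.pem"
		--ssl-key="$TLS_DIR/server-key.pem"
	)

	start_tidb_cluster --workdir "$WORK_DIR" --multiple-upstream-pd true
	start_tls_tidb_cluster --workdir "$WORK_DIR" --tlsdir "$TLS_DIR"
	# Same user and password as the exported TICDC_USER / TICDC_PASSWORD.
	run_sql "CREATE USER 'ticdc'@'%' IDENTIFIED BY 'ticdc_secret';" "${TLS_TIDB_HOST}" "${TLS_TIDB_PORT}" \
		"${sql_tls_args[@]}"

	cd "$WORK_DIR"
	pd_addr="https://$TLS_PD_HOST:$TLS_PD_PORT"

	# record tso before we create tables to skip the system table DDLs
	start_ts=$(run_cdc_cli_tso_query "${TLS_PD_HOST}" "${TLS_PD_PORT}" true)
	run_sql "CREATE table test.simple(id int primary key, val int);" "${TLS_TIDB_HOST}" "${TLS_TIDB_PORT}" \
		"${sql_tls_args[@]}"
	run_sql "CREATE table test.\`simple-dash\`(id int primary key, val int);" "${TLS_TIDB_HOST}" "${TLS_TIDB_PORT}" \
		"${sql_tls_args[@]}"

	cd "$WORK_DIR"
	# Server-side security settings: TLS material, the allowed client
	# certificate CN, and mandatory client user authentication restricted to
	# the "ticdc" user.
	# NOTE(review): the file allows only CN "fake_cn", while run_cdc_server
	# below is given --cert-allowed-cn "client"; the scenario presumably
	# depends on the flag taking precedence over the file — confirm.
	echo " \
  [security]
   ca-path = \"$TLS_DIR/ca.pem\"
   cert-path = \"$TLS_DIR/server.pem\"
   key-path = \"$TLS_DIR/server-key.pem\"
   cert-allowed-cn = [\"fake_cn\"]
   client-user-required = true
   client-allowed-user = [\"ticdc\"]
  " >"$WORK_DIR/server.toml"
	run_cdc_server \
		--workdir "$WORK_DIR" \
		--binary "$CDC_BINARY" \
		--logsuffix "_${TEST_NAME}_tls1" \
		--pd "https://${TLS_PD_HOST}:${TLS_PD_PORT}" \
		--addr "127.0.0.1:8300" \
		--config "$WORK_DIR/server.toml" \
		--tlsdir "$TLS_DIR" \
		--cert-allowed-cn "client" # The common name of client.pem
	sleep 2

	TOPIC_NAME="ticdc-cli-test-$RANDOM"
	# The default (mysql) sink URI embeds fixture credentials for the local
	# downstream; they are test values only.
	case "$SINK_TYPE" in
	kafka) SINK_URI="kafka://127.0.0.1:9092/$TOPIC_NAME?protocol=open-protocol&partition-num=4&kafka-version=${KAFKA_VERSION}&max-message-bytes=10485760" ;;
	storage) SINK_URI="file://$WORK_DIR/storage_test/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true" ;;
	pulsar)
		run_pulsar_cluster "$WORK_DIR" normal
		SINK_URI="pulsar://127.0.0.1:6650/$TOPIC_NAME?protocol=canal-json&enable-tidb-extension=true"
		;;
	*) SINK_URI="mysql://normal:123456@127.0.0.1:3306/" ;;
	esac

	uuid="custom-changefeed-name"
	run_cdc_cli changefeed create --start-ts="$start_ts" --sink-uri="$SINK_URI" --tz="Asia/Shanghai" -c="$uuid"
	# SINK_URI contains '?' and '&'; it must stay quoted so the shell neither
	# glob-expands nor splits it.
	case "$SINK_TYPE" in
	kafka) run_kafka_consumer "$WORK_DIR" "kafka://127.0.0.1:9092/$TOPIC_NAME?protocol=open-protocol&partition-num=4&version=${KAFKA_VERSION}&max-message-bytes=10485760" ;;
	storage) run_storage_consumer "$WORK_DIR" "$SINK_URI" "" "" ;;
	pulsar) run_pulsar_consumer "$WORK_DIR" "$SINK_URI" ;;
	esac

	# Make sure changefeed is created.
	check_table_exists test.simple "${DOWN_TIDB_HOST}" "${DOWN_TIDB_PORT}"
	check_table_exists test."\`simple-dash\`" "${DOWN_TIDB_HOST}" "${DOWN_TIDB_PORT}"

	check_changefeed_state "https://${TLS_PD_HOST}:${TLS_PD_PORT}" "$uuid" "normal" "null" "" "$TLS_DIR"

	check_changefeed_count "https://${TLS_PD_HOST}:${TLS_PD_PORT}" 1

	# Make sure a changefeed cannot be created if the name already exists.
	# errexit is suspended because grep returns non-zero when nothing matches.
	set +e
	exists=$(run_cdc_cli changefeed create --start-ts="$start_ts" --sink-uri="$SINK_URI" --changefeed-id="$uuid" 2>&1 | grep -oE 'already exists')
	set -e
	if [[ -z $exists ]]; then
		echo "[$(date)] <<<<< unexpect output got ${exists} >>>>>"
		exit 1
	fi

	# Update changefeed failed because changefeed is running
	cat - >"$WORK_DIR/changefeed.toml" <<EOF
case-sensitive = true
[scheduler]
enable-table-across-nodes = true
EOF
	set +e
	update_result=$(cdc cli changefeed update --pd="$pd_addr" --config="$WORK_DIR/changefeed.toml" --no-confirm --changefeed-id "$uuid")
	set -e
	# NOTE(review): this check is advisory only. A mismatch is logged but does
	# not fail the test, and only stdout is captured, so a refusal printed on
	# stderr would not be seen — confirm whether it should capture 2>&1 and exit 1.
	if [[ ! $update_result == *"can only update changefeed config when it is stopped"* ]]; then
		echo "update changefeed config should fail when changefeed is running, got $update_result"
	fi

	# Pause changefeed
	# NOTE(review): in `cmd && sleep 3` a failing cmd does not trip `set -e`
	# (only the last command of an && list does); the state check that follows
	# is what actually detects a failed pause. The same holds for the resume,
	# remove and create calls written this way below.
	run_cdc_cli changefeed --changefeed-id "$uuid" pause && sleep 3
	check_changefeed_state "https://${TLS_PD_HOST}:${TLS_PD_PORT}" "$uuid" "stopped" "null" "" "$TLS_DIR"

	# Update changefeed
	run_cdc_cli changefeed update --pd="$pd_addr" --config="$WORK_DIR/changefeed.toml" --no-confirm --changefeed-id "$uuid"
	# Read the stored config back over HTTPS with the client certificate.
	changefeed_info=$(curl -s -X GET "https://127.0.0.1:8300/api/v2/changefeeds/$uuid/meta_info" --cacert "${TLS_DIR}/ca.pem" --cert "${TLS_DIR}/client.pem" --key "${TLS_DIR}/client-key.pem" 2>&1)
	if [[ ! $changefeed_info == *"\"case_sensitive\":true"* ]]; then
		echo "[$(date)] <<<<< changefeed info is not updated as expected ${changefeed_info} >>>>>"
		exit 1
	fi
	if [ "$SINK_TYPE" == "kafka" ]; then
		if [[ ! $changefeed_info == *"\"enable_table_across_nodes\":true"* ]]; then
			echo "[$(date)] <<<<< changefeed info is not updated as expected ${changefeed_info} >>>>>"
			exit 1
		fi
	else
		# Currently, MySQL changefeed does not support scale out feature.
		if [[ $changefeed_info == *"\"enable_table_across_nodes\":true"* ]]; then
			echo "[$(date)] <<<<< changefeed info is not updated as expected ${changefeed_info} >>>>>"
			exit 1
		fi
	fi

	# Resume changefeed
	run_cdc_cli changefeed --changefeed-id "$uuid" resume && sleep 3
	check_changefeed_state "https://${TLS_PD_HOST}:${TLS_PD_PORT}" "$uuid" "normal" "null" "" "$TLS_DIR"

	# Remove changefeed
	run_cdc_cli changefeed --changefeed-id "$uuid" remove && sleep 3
	check_changefeed_count "https://${TLS_PD_HOST}:${TLS_PD_PORT}" 0

	run_cdc_cli changefeed create --sink-uri="$SINK_URI" --tz="Asia/Shanghai" -c="$uuid" && sleep 3
	check_changefeed_state "https://${TLS_PD_HOST}:${TLS_PD_PORT}" "$uuid" "normal" "null" "" "$TLS_DIR"

	# Make sure bad sink url fails at creating changefeed.
	# `|| true` keeps errexit from ending the script at the assignment when
	# grep finds nothing, so the diagnostic below is printed before exit 1.
	badsink=$(run_cdc_cli changefeed create --start-ts="$start_ts" --sink-uri="mysql://badsink" 2>&1 | grep -oE 'fail') || true
	if [[ -z $badsink ]]; then
		echo "[$(date)] <<<<< unexpect output got ${badsink} >>>>>"
		exit 1
	fi

	# Test Kafka SSL connection.
	# insecure-skip-verify=true turns off verification of the broker
	# certificate; that is a fixture shortcut and should not be carried into a
	# real sink URI.
	if [ "$SINK_TYPE" == "kafka" ]; then
		SSL_TOPIC_NAME="ticdc-cli-test-ssl-$RANDOM"
		SINK_URI="kafka://127.0.0.1:9093/$SSL_TOPIC_NAME?protocol=open-protocol&ca=${TLS_DIR}/ca.pem&cert=${TLS_DIR}/client.pem&key=${TLS_DIR}/client-key.pem&kafka-version=${KAFKA_VERSION}&max-message-bytes=10485760&insecure-skip-verify=true"
		run_cdc_cli changefeed create --start-ts="$start_ts" --sink-uri="$SINK_URI" --tz="Asia/Shanghai"
	fi

	# Smoke test unsafe commands
	echo "y" | run_cdc_cli unsafe delete-service-gc-safepoint
	run_cdc_cli unsafe reset --no-confirm --pd="$pd_addr"
	REGION_ID=$(pd-ctl --cacert="${TLS_DIR}/ca.pem" --cert="${TLS_DIR}/client.pem" --key="${TLS_DIR}/client-key.pem" -u="$pd_addr" region | jq '.regions[0].id')
	TS=$(cdc cli tso query --pd="$pd_addr")
	# wait for owner online
	sleep 3
	run_cdc_cli unsafe resolve-lock --region="$REGION_ID"
	run_cdc_cli unsafe resolve-lock --region="$REGION_ID" --ts="$TS"

	# Smoke test change log level
	# curl is called without -f in both requests below, so an HTTP error
	# status does not fail the test; only a connection or TLS failure does.
	curl -X POST -d '"warn"' https://127.0.0.1:8300/api/v1/log --cacert "${TLS_DIR}/ca.pem" --cert "${TLS_DIR}/client.pem" --key "${TLS_DIR}/client-key.pem"
	sleep 3
	# make sure TiCDC does not panic
	curl https://127.0.0.1:8300/status --cacert "${TLS_DIR}/ca.pem" --cert "${TLS_DIR}/client.pem" --key "${TLS_DIR}/client-key.pem"

	cleanup_process "$CDC_BINARY"
}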
   194  
   195  trap stop_tidb_cluster EXIT
   196  run $*
   197  check_logs $WORK_DIR
   198  echo "[$(date)] <<<<<< run test case $TEST_NAME success! >>>>>>"