

feat(query): add config network_policy_whitelist (databendlabs#17065)
* feat(query): add config network_policy_whitelist

* z

* z

* z

* z

* z

* z

* z
everpcpc authored Dec 18, 2024
1 parent d4fbfa2 commit b38c46f
Showing 10 changed files with 39 additions and 5 deletions.
6 changes: 4 additions & 2 deletions .github/actions/setup_bendsql/action.yml
Expand Up @@ -8,15 +8,16 @@ runs:
shell: bash
run: |
if command -v bendsql >/dev/null 2>&1; then
bendsql --version
exit 0
fi
case $RUNNER_PROVIDER in
aws)
aws s3 cp s3://databend-ci/packages/bendsql_$(dpkg --print-architecture).deb /tmp/bendsql.deb
aws s3 cp s3://databend-ci/packages/bendsql_$(dpkg --print-architecture).deb /tmp/bendsql.deb --no-progress
sudo dpkg -i /tmp/bendsql.deb
;;
gcp)
gsutil cp gs://databend-ci/packages/bendsql_$(dpkg --print-architecture).deb /tmp/bendsql.deb
gsutil cp gs://databend-ci/packages/bendsql_$(dpkg --print-architecture).deb /tmp/bendsql.deb --no-progress
sudo dpkg -i /tmp/bendsql.deb
;;
*)
Expand All @@ -30,6 +31,7 @@ runs:
shell: bash
run: |
if command -v bendsql >/dev/null 2>&1; then
bendsql --version
exit 0
fi
brew install databendcloud/homebrew-tap/bendsql
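Review bot: The `aws s3 cp ... --no-progress` and `gsutil cp ... --no-progress` lines in the first hunk still hand an unverified `.deb` straight to `sudo dpkg -i`; nothing in the step checks a digest or signature of what was fetched, so anyone who can write to the `databend-ci/packages` bucket can run code as root on the runner. The bucket is presumably project-controlled, and this commit only adds `--no-progress`, but the missing check is cheap to add: publish a `bendsql_<arch>.deb.sha256` next to the package and verify it before installing, e.g. `echo "<expected-sha256>  /tmp/bendsql.deb" | sha256sum -c -` ahead of each `sudo dpkg -i /tmp/bendsql.deb`. The `brew` path in the second hunk at least goes through the tap's own pinning.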
1 change: 1 addition & 0 deletions Cargo.lock


2 changes: 2 additions & 0 deletions scripts/ci/deploy/config/databend-query-node-1.toml
Expand Up @@ -44,6 +44,8 @@ udf_server_allow_insecure = true

cloud_control_grpc_server_address = "http://0.0.0.0:50051"

# network_policy_whitelist = ['127.0.0.0/8']

[[query.users]]
name = "root"
auth_type = "no_password"
2 changes: 2 additions & 0 deletions scripts/ci/deploy/config/databend-query-node-native.toml
Expand Up @@ -36,6 +36,8 @@ enable_udf_server = true
udf_server_allow_list = ['http://0.0.0.0:8815']
udf_server_allow_insecure = true

# network_policy_whitelist = ['127.0.0.0/8']

[[query.users]]
name = "root"
auth_type = "no_password"
1 change: 1 addition & 0 deletions src/common/exception/Cargo.toml
Expand Up @@ -18,6 +18,7 @@ arrow-flight = { workspace = true }
arrow-schema = { workspace = true }
backtrace = { workspace = true, features = ["std", "serialize-serde"] }
bincode = { workspace = true }
cidr = { workspace = true }
geozero = { workspace = true }
gimli = { workspace = true }
http = { workspace = true }
6 changes: 6 additions & 0 deletions src/common/exception/src/exception_into.rs
Expand Up @@ -52,6 +52,12 @@ impl From<std::net::AddrParseError> for ErrorCode {
}
}

impl From<cidr::errors::NetworkParseError> for ErrorCode {
fn from(error: cidr::errors::NetworkParseError) -> Self {
ErrorCode::BadAddressFormat(format!("Bad network format, cause: {}", error))
}
}

impl From<std::str::Utf8Error> for ErrorCode {
fn from(error: std::str::Utf8Error) -> Self {
ErrorCode::Internal(format!("Invalid Utf8, cause: {}", error))
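Review bot: The new `From<cidr::errors::NetworkParseError>` impl has no doc comment, and the one thing a reader needs to know is where this error ends up: the call sites added in `user_mgr.rs` sit on the authentication path, so the formatted message is what a connecting client sees when a whitelist or policy CIDR fails to parse. It appears to reuse the code of the neighbouring `AddrParseError` impl (that body is above the hunk, so I am inferring). Suggest `/// CIDR strings from config or stored network policies that fail to parse; surfaced to clients on the auth path.` above the impl.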
6 changes: 6 additions & 0 deletions src/query/config/src/config.rs
Expand Up @@ -1687,6 +1687,10 @@ pub struct QueryConfig {
#[clap(long, value_name = "VALUE", default_value = "50")]
pub max_cached_queries_profiles: usize,

/// A list of network that not to be checked by network policy.
#[clap(long, value_name = "VALUE")]
pub network_policy_whitelist: Vec<String>,

#[clap(skip)]
pub settings: HashMap<String, SettingValue>,
}
Expand Down Expand Up @@ -1776,6 +1780,7 @@ impl TryInto<InnerQueryConfig> for QueryConfig {
cloud_control_grpc_server_address: self.cloud_control_grpc_server_address,
cloud_control_grpc_timeout: self.cloud_control_grpc_timeout,
max_cached_queries_profiles: self.max_cached_queries_profiles,
network_policy_whitelist: self.network_policy_whitelist,
settings: self
.settings
.into_iter()
Expand Down Expand Up @@ -1878,6 +1883,7 @@ impl From<InnerQueryConfig> for QueryConfig {
cloud_control_grpc_server_address: inner.cloud_control_grpc_server_address,
cloud_control_grpc_timeout: inner.cloud_control_grpc_timeout,
max_cached_queries_profiles: inner.max_cached_queries_profiles,
network_policy_whitelist: inner.network_policy_whitelist,
settings: HashMap::new(),
}
}
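Review bot: The doc comment on `network_policy_whitelist` in the first hunk, `A list of network that not to be checked by network policy.`, is ungrammatical and omits what the operator most needs to know: entries are IPv4 CIDRs, and a client in any of them bypasses the tenant's network policy entirely, blocked list included (that is how the check in `user_mgr.rs` behaves). Suggest `/// IPv4 CIDR networks exempt from network-policy checks: a client in any of these skips both the blocked and the allowed list of every tenant's policy.` The strings are also carried through `TryInto<InnerQueryConfig>` unparsed, so a typo in the list is only discovered when the first client authenticates, and it then fails every login until fixed; validating each entry at conversion time, `for n in &self.network_policy_whitelist { n.parse::<cidr::Ipv4Cidr>()?; }`, would reject the config at startup instead, if this crate can take the `cidr` dependency (its Cargo.toml is not in this commit).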
4 changes: 4 additions & 0 deletions src/query/config/src/inner.rs
Expand Up @@ -246,6 +246,9 @@ pub struct QueryConfig {
pub cloud_control_grpc_server_address: Option<String>,
pub cloud_control_grpc_timeout: u64,
pub max_cached_queries_profiles: usize,

pub network_policy_whitelist: Vec<String>,

pub settings: HashMap<String, UserSettingValue>,
}

Expand Down Expand Up @@ -322,6 +325,7 @@ impl Default for QueryConfig {
cloud_control_grpc_timeout: 0,
data_retention_time_in_days_max: 90,
max_cached_queries_profiles: 50,
network_policy_whitelist: Vec::new(),
settings: HashMap::new(),
}
}
Expand Up @@ -116,6 +116,7 @@ DB.Table: 'system'.'configs', Table: configs-table_id:1, ver:0, Engine: SystemCo
| 'query' | 'mysql_handler_tcp_keepalive_timeout_secs' | '120' | '' |
| 'query' | 'mysql_tls_server_cert' | '' | '' |
| 'query' | 'mysql_tls_server_key' | '' | '' |
| 'query' | 'network_policy_whitelist' | '' | '' |
| 'query' | 'num_cpus' | '0' | '' |
| 'query' | 'openai_api_chat_base_url' | 'https://api.openai.com/v1/' | '' |
| 'query' | 'openai_api_completion_model' | 'gpt-3.5-turbo' | '' |
15 changes: 12 additions & 3 deletions src/query/users/src/user_mgr.rs
Expand Up @@ -17,6 +17,7 @@ use core::net::Ipv4Addr;
use chrono::DateTime;
use chrono::Utc;
use cidr::Ipv4Cidr;
use databend_common_config::GlobalConfig;
use databend_common_exception::ErrorCode;
use databend_common_exception::Result;
use databend_common_management::UserApi;
Expand Down Expand Up @@ -91,15 +92,23 @@ impl UserApiProvider {
client_ip: Option<&str>,
) -> Result<()> {
let ip_addr: Ipv4Addr = match client_ip {
Some(client_ip) => client_ip.parse().unwrap(),
Some(client_ip) => client_ip.parse()?,
None => {
return Err(ErrorCode::AuthenticateFailure("Unknown client ip"));
}
};

let whitelist = &GlobalConfig::instance().query.network_policy_whitelist;
for whitelist_ip in whitelist {
let cidr: Ipv4Cidr = whitelist_ip.parse()?;
if cidr.contains(&ip_addr) {
return Ok(());
}
}

let network_policy = self.get_network_policy(tenant, policy).await?;
for blocked_ip in network_policy.blocked_ip_list {
let blocked_cidr: Ipv4Cidr = blocked_ip.parse().unwrap();
let blocked_cidr: Ipv4Cidr = blocked_ip.parse()?;
if blocked_cidr.contains(&ip_addr) {
return Err(ErrorCode::AuthenticateFailure(format!(
"client ip `{}` is blocked",
Expand All @@ -109,7 +118,7 @@ impl UserApiProvider {
}
let mut allow = false;
for allowed_ip in network_policy.allowed_ip_list {
let allowed_cidr: Ipv4Cidr = allowed_ip.parse().unwrap();
let allowed_cidr: Ipv4Cidr = allowed_ip.parse()?;
if allowed_cidr.contains(&ip_addr) {
allow = true;
break;
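Review bot: The whitelist loop added after the `ip_addr` parse returns `Ok(())` before `get_network_policy` is consulted, so a node-level config entry exempts a client from every tenant's policy, blocked list included; that is presumably the intended escape hatch, but nothing at the call site says so, and it deserves `// Node-level whitelist: a matching client skips the tenant policy entirely (blocked and allowed lists).` The bypass is only as trustworthy as `client_ip`, whose origin is outside the hunk (the enclosing function's signature starts above it): if any handler derives it from a client-supplied header such as X-Forwarded-For rather than the socket peer, the whitelist becomes a self-service bypass, so please confirm where it comes from. `whitelist_ip.parse()?` also re-parses every config entry on every authentication and, on one malformed entry, fails every login with a parse error rather than `AuthenticateFailure`, which is fail-closed but noisy; parsing the list once at config load, or mapping the error here with `.map_err(|e| ErrorCode::AuthenticateFailure(e.to_string()))`, keeps the fail-closed behaviour with a clearer signal. Replacing the `unwrap()` calls on the stored policy lists with `?` is a good change, since an unparsable stored policy no longer panics the query node.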

