clickhouse-backup

Improve RBAC backup / restore behavior

Open Slach opened this issue 2 years ago • 5 comments

Expected behavior

  1. 'rbac' should be always backed up by default (in new clickhouse-backup version)
  2. 'rbac' should be restored by default if it exists in a backup
  3. clickhouse-backup should not fail if it cannot restore rbac, but it should log warnings/errors.

Actual notes

  • the third item of the list could easily be implemented in the next release
  • 1-2 will be implemented as a config option, with default true behavior. This behavior is dangerous: restoring rbac requires a restart of clickhouse-server, and if clickhouse-server already contains an RBAC object with the same name and a different uuid, the server will not start

Good point. Is it possible to check if there is any RBAC data on the cluster and do not restore in case of a conflict?

It requires developing some SQL parser to get name+type+uuid from .sql and .jsonl files; need time to research this task

Maybe we can use system.users, system.roles, system.role_grants, which came in modern versions of clickhouse; need to check when these tables is become

Slach avatar Dec 01 '23 09:12 Slach
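
The conflict described in the notes above (an RBAC object with the same name but a different uuid), as an added example that is not part of the thread or of clickhouse-backup's code: a pre-restore check that compares names and UUIDs parsed from a backup's access files with rows exported from system.users and system.roles. The `<uuid>.sql` file naming, the `ATTACH USER|ROLE` statement form, the TSV export shape and all function names are assumptions.

```python
import re
import tempfile
import uuid
from pathlib import Path

# Assumption: each backed-up object is a file named <uuid>.sql that starts with
# "ATTACH USER|ROLE <name> ...". Escapes inside backtick-quoted names are not handled.
ATTACH_RE = re.compile(r"\s*ATTACH\s+(USER|ROLE)\s+(?:`([^`]+)`|([^\s;]+))", re.I)

def read_backup_objects(access_dir):
    """Return ({(type, name): uuid}, [files that could not be classified])."""
    objects, skipped = {}, []
    for path in sorted(Path(access_dir).glob("*.sql")):
        m = ATTACH_RE.match(path.read_text(encoding="utf-8"))
        try:
            obj_id = uuid.UUID(path.stem)
        except ValueError:
            m = None
        if m is None:
            skipped.append(path.name)  # never assume an unparsed file is safe
            continue
        objects[(m.group(1).upper(), m.group(2) or m.group(3))] = obj_id
    return objects, skipped

def parse_live_tsv(tsv):
    """Parse TYPE<TAB>name<TAB>uuid rows, e.g. SELECT 'USER', name, id FROM system.users
    UNION ALL SELECT 'ROLE', name, id FROM system.roles FORMAT TSV."""
    rows = (line.split("\t") for line in tsv.splitlines() if line.strip())
    return {(kind.upper(), name): uuid.UUID(obj_id) for kind, name, obj_id in rows}

def find_conflicts(backup, live):
    """Same type and name on both sides, different UUID: the case that blocks startup."""
    return sorted((kind, name, str(backup[kind, name]), str(live[kind, name]))
                  for kind, name in backup.keys() & live.keys()
                  if backup[kind, name] != live[kind, name])

def demo():
    """Run the check on constructed sample data (not taken from a real backup)."""
    a, b, c = (str(uuid.UUID(int=n)) for n in (1, 2, 3))
    live = parse_live_tsv(f"USER\talice\t{a}\nROLE\treporting\t{c}\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, f"{a}.sql").write_text("ATTACH USER alice IDENTIFIED WITH no_password;\n")
        Path(d, f"{b}.sql").write_text("ATTACH ROLE `reporting`;\n")
        Path(d, "notes.sql").write_text("-- not an access entity\n")
        backup, skipped = read_backup_objects(d)
    return find_conflicts(backup, live), skipped

if __name__ == "__main__":
    print(demo())
```

A non-empty conflict list or a non-empty skipped list is a reason to hold back the RBAC part of a restore until the objects have been reviewed.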

Is there a rough timeline on this release? In the meantime is there an easy way to patch rbac into the existing release?

Looks like we could just throw something into the k8s cronjob command block no?

jalavoy avatar Feb 08 '24 17:02 jalavoy

@jalavoy if you want to back up and restore RBAC-related objects

just add the --rbac parameter to the cronjob command after create_remote and restore_remote

Slach avatar Feb 09 '24 07:02 Slach

@Slach create_remote isn't called in the k8s cronjob. It's doing an insert into the table to trigger the backup. What's the proper way to add it to this insert?

    for SERVER in $CLICKHOUSE_SERVICES; do
      echo "create ${BACKUP_NAMES[$SERVER]} on $SERVER";
      clickhouse-client --echo -mn -q "INSERT INTO system.backup_actions(command) VALUES('create ${SERVER}-${BACKUP_NAMES[$SERVER]}')" --host="$SERVER" --port="$CLICKHOUSE_PORT" --user="$BACKUP_USER" $BACKUP_PASSWORD;
    done;

jalavoy avatar Feb 09 '24 16:02 jalavoy

VALUES('create --rbac

VALUES('restore --rbac

Slach avatar Feb 09 '24 16:02 Slach

that didn't work but I got it, need to add it into all the SELECTS too

Thank you for your help!

jalavoy avatar Feb 09 '24 17:02 jalavoy

Decided not to restore RBAC, only when --rbac is given explicitly, to avoid overwriting existing users' passwords or some other unexpected errors

Slach avatar Apr 01 '24 10:04 Slach