Add minimal privileges test for backup using dynamic privs

Makefile

@@ -20,6 +20,7 @@ build: bindir consistency isolation pocket on-dup sqllogic block-writer \
 		region-available crud \
 		read-stress follower-read pessimistic resolve-lock cdc-bank \
     example ttl \
+    dynamicprivs \
 # +tipocket:scaffold:makefile_build
 
 bindir:
@@ -134,6 +135,10 @@ ttl:
 	cd testcase/ttl ; make build; \
 	cp bin/* ../../bin/
 
+dynamicprivs:
+	cd testcase/dynamicprivs; make build; \
+	cp bin/* ../../bin/
+
 # +tipocket:scaffold:makefile_build_cmd
 
 tipocket:

run/lib/case.libsonnet

@@ -70,5 +70,9 @@
     [
       '/bin/tll',
     ],
+  'dynamicprivs'(args={})::
+    [
+      '/bin/dynamicprivs',
+    ],
   // +tipocket:scaffold:case_decls
 }

run/workflow/dynamicprivs.jsonnet

@@ -0,0 +1,11 @@
+{
+  _config+:: {
+    case_name: 'dynamicprivs',
+    image_name: 'hub.pingcap.net/qa/tipocket',
+    args+: {
+      // k8s configurations
+      // 'storage-class': 'local-storage',
+    },
+    command: {},
+  },
+}

testcase/dynamicprivs/Makefile

@@ -0,0 +1,60 @@
+
+GOARCH := $(if $(GOARCH),$(GOARCH),amd64)
+GO=GO15VENDOREXPERIMENT="1" CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) GO111MODULE=on go
+GOTEST=GO15VENDOREXPERIMENT="1" CGO_ENABLED=1 GO111MODULE=on go test # go race detector requires cgo
+VERSION   := $(if $(VERSION),$(VERSION),latest)
+
+PACKAGES := go list ./...| grep -vE 'vendor'
+
+LDFLAGS += -s -w
+LDFLAGS += -X "github.com/pingcap/tipocket/pkg/test-infra/fixture.BuildTS=$(shell date -u '+%Y-%m-%d %I:%M:%S')"
+LDFLAGS += -X "github.com/pingcap/tipocket/pkg/test-infra/fixture.BuildHash=$(shell git rev-parse HEAD)"
+
+GOBUILD=$(GO) build -ldflags '$(LDFLAGS)'
+
+DOCKER_REGISTRY_PREFIX := $(if $(DOCKER_REGISTRY),$(DOCKER_REGISTRY)/,)
+
+default: tidy fmt lint build
+
+build: mod-sum dynamicprivs
+
+dynamicprivs:
+	$(GOBUILD) $(GOMOD) -o bin/dynamicprivs cmd/*.go
+
+fmt: groupimports
+	go fmt ./...
+
+mod-sum:
+	$(GO) mod tidy
+
+tidy:
+	@echo "go mod tidy"
+	GO111MODULE=on go mod tidy
+	@git diff --exit-code -- go.mod
+
+lint: revive
+	@echo "linting"
+	revive -formatter friendly -config revive.toml $$($(PACKAGES))
+
+revive:
+ifeq (,$(shell which revive))
+	@echo "installing revive"
+	$(GO) get github.com/mgechev/[email protected]
+endif
+
+groupimports: install-goimports
+	goimports -w -l -local github.com/pingcap/tipocket .
+
+install-goimports:
+ifeq (,$(shell which goimports))
+	@echo "installing goimports"
+	go get golang.org/x/tools/cmd/goimports
+endif
+
+clean:
+	@rm -rf bin/*
+
+test:
+	$(GOTEST) ./...
+
+.PHONY: all clean build

testcase/dynamicprivs/client.go

@@ -0,0 +1,133 @@
+// Copyright 2021 PingCAP, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dynamicprivs
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/ngaut/log"
+	"github.com/pingcap/tipocket/pkg/cluster"
+	"github.com/pingcap/tipocket/pkg/core"
+	"github.com/pingcap/tipocket/pkg/test-infra/fixture"
+	"github.com/pingcap/tipocket/util"
+)
+
+// CaseCreator is a creator of test client
+type CaseCreator struct{}
+
+// Create creates a test client
+func (c CaseCreator) Create(node cluster.ClientNode) core.Client {
+	return &Client{}
+}
+
+// Client defines how our test case works
+type Client struct {
+	db      *sql.DB
+	tempdir string
+}
+
+// SetUp implements the core.Client interface.
+func (c *Client) SetUp(ctx context.Context, _ []cluster.Node, clientNodes []cluster.ClientNode, idx int) error {
+	log.Info("start to setup client...")
+	node := clientNodes[idx]
+	dsn := fmt.Sprintf("root@tcp(%s:%d)/test", node.IP, node.Port)
+	util.SetMySQLProxy(fixture.Context.MySQLProxy)
+	db, err := util.OpenDB(dsn, 1)
+	if err != nil {
+		log.Fatalf("open db error: %v", err)
+	}
+
+	util.MustExec(db, "drop table if exists t")
+	util.MustExec(db, "create table t(id int)")
+	util.MustExec(db, "insert into t(id) values(1)")
+
+	// Create a user that only has the privileges to backup
+	// and nothing else. Make sure the test confirms these
+	// are the minimal privileges.
+
+	util.MustExec(db, "DROP USER IF EXISTS backupadmin")
+	util.MustExec(db, "CREATE USER backupadmin")
+	util.MustExec(db, "GRANT BACKUP_ADMIN, RESTORE_ADMIN ON *.* TO backupadmin")
+
+	if err := db.Close(); err != nil {
+		log.Fatalf("could not close initial connection due to: %v", err)
+	}
+
+	dsn = fmt.Sprintf("backupadmin@tcp(%s:%d)/information_schema", node.IP, node.Port)
+	db, err = util.OpenDB(dsn, 1)
+	if err != nil {
+		log.Fatalf("open db error: %v", err)
+	}
+
+	// Create a tempdir.
+	c.tempdir, err = ioutil.TempDir("", "dynamicprivstest")
+	if err != nil {
+		log.Fatalf("failed to setup temp dir: %v", err)
+	}
+
+	c.db = db
+	return nil
+}
+
+// TearDown implements the core.Client interface.
+func (c *Client) TearDown(ctx context.Context, nodes []cluster.ClientNode, idx int) error {
+	// delete the tempdir.
+	os.RemoveAll(c.tempdir)
+	return nil
+}
+
+// Start implements the core.StandardClientExtensions interface.
+func (c *Client) Start(ctx context.Context, cfg interface{}, clientNodes []cluster.ClientNode) error {
+
+	expectedLocation := fmt.Sprintf("local://%s", c.tempdir)
+	backupStmt := fmt.Sprintf("BACKUP DATABASE * TO '%s'", expectedLocation)
+	log.Info("creating a backup in: " + c.tempdir)
+	rows, err := c.db.QueryContext(ctx, backupStmt)
+	if err != nil {
+		return err
+	}
+	var (
+		location      string
+		size          string
+		backupTs      string
+		queueTime     string
+		executionTime string
+	)
+	if rows.Next() {
+		if err := rows.Scan(&location, &size, &backupTs, &queueTime, &executionTime); err != nil {
+			return err
+		}
+	}
+	if location != expectedLocation {
+		return fmt.Errorf("expected backup to %s, but got %s", expectedLocation, location)
+	}
+	rows.Close()
+	log.Info("backup complete")
+
+	// In future we should try restoring as well, but it currently won't work due to
+	// https://github.com/pingcap/tidb/issues/24912
+	restoreStmt := fmt.Sprintf("RESTORE DATABASE * FROM '%s'", expectedLocation)
+	log.Info("restoring database from: ", expectedLocation)
+	rows, err = c.db.QueryContext(ctx, restoreStmt)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+	log.Info("restore completed")
+	return nil
+}

testcase/dynamicprivs/cmd/main.go

@@ -0,0 +1,50 @@
+// Copyright 2021 PingCAP, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"flag"
+
+	// use mysql
+	_ "github.com/go-sql-driver/mysql"
+
+	"github.com/pingcap/tipocket/cmd/util"
+	logs "github.com/pingcap/tipocket/logsearch/pkg/logs"
+	"github.com/pingcap/tipocket/pkg/cluster"
+	"github.com/pingcap/tipocket/pkg/control"
+	test_infra "github.com/pingcap/tipocket/pkg/test-infra"
+	"github.com/pingcap/tipocket/pkg/test-infra/fixture"
+
+	testcase "github.com/pingcap/tipocket/testcase/dynamicprivs"
+)
+
+func main() {
+	flag.Parse()
+	cfg := control.Config{
+		Mode:        control.ModeStandard,
+		ClientCount: 1,
+		RunTime:     fixture.Context.RunTime,
+	}
+	c := fixture.Context
+	suit := util.Suit{
+		Config:        &cfg,
+		Provider:      cluster.NewDefaultClusterProvider(),
+		ClientCreator: testcase.CaseCreator{},
+		NemesisGens:   util.ParseNemesisGenerators(fixture.Context.Nemesis),
+		ClusterDefs:   test_infra.NewDefaultCluster(c.Namespace, c.ClusterName, c.TiDBClusterConfig),
+		LogsClient:    logs.NewDiagnosticLogClient(),
+	}
+	suit.Run(context.Background())
+}

testcase/dynamicprivs/go.mod

@@ -0,0 +1,48 @@
+module github.com/pingcap/tipocket/testcase/dynamicprivs
+
+go 1.15
+
+require (
+	github.com/go-sql-driver/mysql v1.5.0
+	github.com/ngaut/log v0.0.0-20180314031856-b8e36e7ba5ac
+	github.com/pingcap/tipocket v1.0.0
+	github.com/pingcap/tipocket/logsearch v1.0.0
+)
+
+replace google.golang.org/grpc => google.golang.org/grpc v1.26.0
+
+replace github.com/prometheus/prometheus => github.com/prometheus/prometheus v1.8.2-0.20200213233353-b90be6f32a33
+
+replace github.com/uber-go/atomic => go.uber.org/atomic v1.5.0
+
+replace (
+	k8s.io/api => k8s.io/api v0.17.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.17.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.17.0
+	k8s.io/apiserver => k8s.io/apiserver v0.17.0
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.17.0
+	k8s.io/client-go => k8s.io/client-go v0.17.0
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.17.0
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.17.0
+	k8s.io/code-generator => k8s.io/code-generator v0.17.0
+	k8s.io/component-base => k8s.io/component-base v0.17.0
+	k8s.io/cri-api => k8s.io/cri-api v0.17.0
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.17.0
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.17.0
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.17.0
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.17.0
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.17.0
+	k8s.io/kubectl => k8s.io/kubectl v0.17.0
+	k8s.io/kubelet => k8s.io/kubelet v0.17.0
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.17.0
+	k8s.io/metrics => k8s.io/metrics v0.17.0
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.17.0
+)
+
+replace github.com/Azure/go-autorest => github.com/Azure/go-autorest v12.2.0+incompatible
+
+replace golang.org/x/net v0.0.0-20190813000000-74dc4d7220e7 => golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
+
+replace github.com/pingcap/tipocket => ../../.
+
+replace github.com/pingcap/tipocket/logsearch => ../../logsearch