Add tt-ee 2.5.1 authentication features (#4621)

Resolves tarantool/enterprise_doc#283, tarantool/enterprise_doc#284, tarantool/enterprise_doc#285 --token for tt tdg2 commands SSL options for tt crud and tt tdg2 commands Co-authored-by: Alexander Tulchinskiy <[email protected]> Co-authored-by: Elena Shebunyaeva <[email protected]>
tarantool · Nov 6, 2024 · 6167d93 · 6167d93
1 parent 4a06933
commit 6167d93
Show file tree

Hide file tree

Showing 3 changed files with 240 additions and 13 deletions.
diff --git a/doc/tooling/tt_cli/connect.rst b/doc/tooling/tt_cli/connect.rst
@@ -104,9 +104,9 @@ If no credentials are provided for a remote connection, the user is automaticall
 Encrypted connection
 ~~~~~~~~~~~~~~~~~~~~
 
-To connect to instances that use SSL encryption, provide the SSL certificate and
-SSL key files in the ``--sslcertfile`` and ``--sslkeyfile`` options. If necessary,
-add other SSL parameters -- ``--sslcafile`` and ``--sslciphers``.
+To connect to instances that use :ref:`SSL encryption <configuration_connections_ssl>`,
+provide the SSL certificate and SSL key files in the ``--sslcertfile`` and ``--sslkeyfile`` options.
+If necessary, add other SSL parameters -- ``--sslcafile`` and ``--sslciphers``.
 
 Script evaluation
 ~~~~~~~~~~~~~~~~~

diff --git a/doc/tooling/tt_cli/export.rst b/doc/tooling/tt_cli/export.rst
@@ -130,15 +130,23 @@ the ``customers.jsonl`` file:
 
     $ tt tdg2 export localhost:3301 customers:customers.jsonl
 
-If the ``customers`` type has four fields (``id``, ``firstname``, ``lastname``, and ``age``), the file with exported data might look like this:
+If token authentication is enabled in TDG2, pass the application token in the ``--token`` option:
+
+.. code-block:: console
+
+    $ tt tdg2 export localhost:3301 customers:customers.jsonl \
+                     --token=2fc136cf-8cae-4655-a431-7c318967263d
+
+If the ``customers`` type has four fields (``id``, ``firstname``, ``lastname``, and ``age``),
+the file with exported data might look like this:
 
 .. code-block:: json
 
     {"age":30,"first_name":"Samantha","id":1,"second_name":"Carter"}
     {"age":41,"first_name":"Fay","id":2,"second_name":"Rivers"}
     {"age":74,"first_name":"Milo","id":4,"second_name":"Walters"}
 
-If an object contains a ``null`` value in a field, this field skipped:
+``null`` field values are skipped:
 
 .. code-block:: json
 
@@ -168,11 +176,55 @@ Set the ``tt tdg2 export`` batch size less or equal to 1000:
 
     $ tt tdg2 export localhost:3301 customers:customers.jsonl --batch-size=1000
 
+.. _tt-export-auth:
+
+Authentication
+--------------
+
+When connecting to the cluster with enabled authentication, specify access credentials
+in the ``--username`` and ``--password`` command options:
+
+.. code-block:: console
+
+    $ tt crud export localhost:3301 customers:customers.csv \
+                     --username myuser --password p4$$w0rD
+
+.. _tt-export-ssl:
+
+Encrypted connection
+--------------------
+
+To connect to instances that use :ref:`SSL encryption <configuration_connections_ssl>`,
+provide the SSL certificate and SSL key files in the ``--sslcertfile`` and ``--sslkeyfile`` options.
+If necessary, add other SSL parameters in the ``--ssl*`` options.
+
+.. code-block:: console
+
+    $ tt crud export localhost:3301 customers:customers.csv \
+                     --username myuser --password p4$$w0rD   \
+                     --auth pap-sha256 --sslcertfile certs/server.crt \
+                     --sslkeyfile certs/server.key
+
+For connections that use SSL but don't require additional parameters, add the ``--use-ssl``
+option:
+
+.. code-block:: console
+
+    $ tt crud export localhost:3301 customers:customers.csv \
+                     --username myuser --password p4$$w0rD   \
+                     --use-ssl
+
 .. _tt-export-options:
 
 Options
 -------
 
+..  option:: --auth STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    Authentication type: ``chap-sha1``, ``pap-sha256``, or ``auto``.
+
 ..  option:: --batch-queue-size INT
 
     The maximum number of tuple batches in a queue between a fetch and write threads (the default is ``32``).
@@ -226,6 +278,66 @@ Options
 
     Export data using a :ref:`read view <read_views>`.
 
+..  option:: --sslcafile STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    The path to a trusted certificate authorities (CA) file for encrypted connections.
+
+    See also :ref:`tt-export-ssl`.
+
+..  option:: --sslcertfile STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    The path to an SSL certificate file for encrypted connections.
+
+    See also :ref:`tt-export-ssl`.
+
+..  option:: --sslciphersfile STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    The list of SSL cipher suites used for encrypted connections, separated by colons (``:``).
+
+    See also :ref:`tt-export-ssl`.
+
+..  option:: --sslkeyfile STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    The path to a private SSL key file for encrypted connections.
+
+    See also :ref:`tt-export-ssl`.
+
+..  option:: --sslpassword STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    The password for the SSL key file for encrypted connections.
+
+    See also :ref:`tt-export-ssl`.
+
+..  option:: --sslpasswordfile STRING
+
+    **Applicable to:** ``tt crud export``, ``tt tdg2 export``
+
+    A file with list of passwords to the SSL key file for encrypted connections.
+
+    See also :ref:`tt-export-auth`.
+
+..  option:: --token STRING
+
+    **Applicable to:** ``tt tdg2 export``
+
+    An application token for connecting to TDG2.
+
+..  option:: --use-ssl STRING
+
+    Use SSL without providing any additional SSL parameters.
+
+    See also :ref:`tt-export-ssl`.
+
 ..  option:: --username STRING
 
     A username for connecting to the instance.
diff --git a/doc/tooling/tt_cli/import.rst b/doc/tooling/tt_cli/import.rst
@@ -184,6 +184,13 @@ The objects are described in the ``customers.jsonl`` file.
 
     $ tt tdg2 import localhost:3301 customers.jsonl:customers
 
+If token authentication is enabled in TDG2, pass the application token in the ``--token`` option:
+
+.. code-block:: console
+
+    $ tt tdg2 import localhost:3301 customers.jsonl:customers \
+                     --token=2fc136cf-8cae-4655-a431-7c318967263d
+
 The input file can look like this:
 
 .. code-block:: json
@@ -220,11 +227,58 @@ To automatically confirm a batch import operation, add the ``--force`` option:
                      --force
 
 
+.. _tt-import-auth:
+
+Authentication
+--------------
+
+When connecting to the cluster with enabled authentication, specify access credentials
+in the ``--username`` and ``--password`` command options:
+
+.. code-block:: console
+
+    $ tt crud import localhost:3301 customers.csv:customers \
+                     --header --match=header \
+                     --username myuser --password p4$$w0rD
+
+.. _tt-import-ssl:
+
+Encrypted connection
+--------------------
+
+To connect to instances that use :ref:`SSL encryption <configuration_connections_ssl>`,
+provide the SSL certificate and SSL key files in the ``--sslcertfile`` and ``--sslkeyfile`` options.
+If necessary, add other SSL parameters in the ``--ssl*`` options.
+
+.. code-block:: console
+
+    $ tt crud import localhost:3301 customers.csv:customers \
+                     --header --match=header \
+                     --username myuser --password p4$$w0rD   \
+                     --auth pap-sha256 --sslcertfile certs/server.crt \
+                     --sslkeyfile certs/server.key
+
+For connections that use SSL but don't require additional parameters, add the ``--use-ssl``
+option:
+
+.. code-block:: console
+
+    $ tt crud import localhost:3301 customers.csv:customers \
+                     --header --match=header \
+                     --username myuser --password p4$$w0rD   \
+                     --use-ssl
+
 .. _tt-import-options:
 
 Options
 -------
 
+..  option:: --auth STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    Authentication type: ``chap-sha1``, ``pap-sha256``, or ``auto``.
+
 ..  option:: --batch-size INT
 
     **Applicable to:** ``tt crud import``, ``tt tdg2 import``
@@ -377,6 +431,65 @@ Options
     For CSV, double quotes are used by default (``"``).
     The double symbol of this option acts as the escaping symbol within input data.
 
+..  option:: --rollback-on-error
+
+    **Applicable to:** ``tt crud import``
+
+    Specify whether any operation failed on a storage leads to rolling back batch
+    import on this storage.
+
+    .. note::
+
+        ``tt tdg2 import`` always works as if ``--rollback-on-error`` is ``true``.
+
+..  option:: --sslcafile STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    The path to a trusted certificate authorities (CA) file for encrypted connections.
+
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --sslcertfile STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    The path to an SSL certificate file for encrypted connections.
+
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --sslciphersfile STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    The list of SSL cipher suites used for encrypted connections, separated by colons (``:``).
+
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --sslkeyfile STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    The path to a private SSL key file for encrypted connections.
+
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --sslpassword STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    The password for the SSL key file for encrypted connections.
+
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --sslpasswordfile STRING
+
+    **Applicable to:** ``tt crud import``, ``tt tdg2 import``
+
+    A file with a list of passwords to the SSL key file for encrypted connections.
+
+    See also :ref:`tt-import-auth`.
+
 ..  option:: -success STRING
 
     The name of a file with rows that were imported (the default is ``success``).
@@ -394,17 +507,19 @@ Options
 
         Symbols specified in this option cannot intersect with ``--dec-sep``.
 
-..  option:: --username STRING
+..  option:: --token STRING
 
-    A username for connecting to the instance.
+    **Applicable to:** ``tt tdg2 import``
 
-..  option:: --rollback-on-error
+    An application token for connecting to TDG2.
 
-    **Applicable to:** ``tt crud import``
+..  option:: --use-ssl STRING
 
-    Specify whether any operation failed on a storage leads to rollback of a batch
-    import on this storage.
+    Use SSL without providing any additional SSL parameters.
 
-    .. note::
+    See also :ref:`tt-import-ssl`.
+
+..  option:: --username STRING
+
+    A username for connecting to the instance.
 
-        ``tt tdg2 import`` always works as if ``--rollback-on-error`` is ``true``.