[python] KUDU-1921 Add ability to require auth/encryption

Change-Id: I10173145611ad2991c0a1b173ecadc7141ae6f5e
Reviewed-on: http://gerrit.cloudera.org:8080/17733
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>

python/kudu/__init__.py

@@ -32,7 +32,10 @@
                          EXCLUSIVE_BOUND,
                          INCLUSIVE_BOUND,
                          CLIENT_SUPPORTS_DECIMAL,
-                         CLIENT_SUPPORTS_PANDAS)
+                         CLIENT_SUPPORTS_PANDAS,
+                         ENCRYPTION_REQUIRED_REMOTE,
+                         ENCRYPTION_REQUIRED,
+                         ENCRYPTION_OPTIONAL)
 
 from kudu.errors import (KuduException, KuduBadStatus, KuduNotFound,  # noqa
                          KuduNotSupported,
@@ -57,7 +60,8 @@
                          ENCODING_DICT)
 
 
-def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None):
+def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None,
+            require_authentication=False, encryption_policy=ENCRYPTION_OPTIONAL):
     """
     Connect to a Kudu master server
 
@@ -72,6 +76,10 @@ def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None):
       Admin timeout in milliseconds
     rpc_timeout_ms : int, optional
       RPC timeout in milliseconds
+    require_authentication : bool, optional
+      Whether to require authentication
+    encryption_policy : enum, optional
+      Whether to require encryption
 
     Returns
     -------
@@ -95,7 +103,9 @@ def connect(host, port=7051, admin_timeout_ms=None, rpc_timeout_ms=None):
             addresses.append('{0}:{1}'.format(host, port))
 
     return Client(addresses, admin_timeout_ms=admin_timeout_ms,
-                  rpc_timeout_ms=rpc_timeout_ms)
+                  rpc_timeout_ms=rpc_timeout_ms,
+                  encryption_policy=encryption_policy,
+                  require_authentication=require_authentication)
 
 
 def timedelta(seconds=0, millis=0, micros=0, nanos=0):

python/kudu/client.pyx

@@ -75,6 +75,16 @@ cdef dict _read_modes = {
     'read_your_writes': ReadMode_ReadYourWrites
 }
 
+ENCRYPTION_OPTIONAL = EncryptionPolicy_Optional
+ENCRYPTION_REQUIRED_REMOTE = EncryptionPolicy_RequiredRemote
+ENCRYPTION_REQUIRED = EncryptionPolicy_Required
+
+cdef dict _encryption_policies = {
+    'optional': EncryptionPolicy_Optional,
+    'required_remote': EncryptionPolicy_RequiredRemote,
+    'required': EncryptionPolicy_Required
+}
+
 cdef dict _type_names = {
     KUDU_INT8 : "KUDU_INT8",
     KUDU_INT16 : "KUDU_INT16",
@@ -281,7 +291,9 @@ cdef class Client:
     """
 
     def __cinit__(self, addr_or_addrs, admin_timeout_ms=None,
-                  rpc_timeout_ms=None, sasl_protocol_name=None):
+                  rpc_timeout_ms=None, sasl_protocol_name=None,
+                  require_authentication=False,
+                  encryption_policy=ENCRYPTION_OPTIONAL):
         cdef:
             string c_addr
             vector[string] c_addrs
@@ -326,6 +338,12 @@ cdef class Client:
         if sasl_protocol_name is not None:
             builder.sasl_protocol_name(sasl_protocol_name)
 
+        if require_authentication:
+            builder.require_authentication(require_authentication)
+
+        builder.encryption_policy(encryption_policy)
+
+
         check_status(builder.Build(&self.client))
 
         # A convenience

python/kudu/libkudu_client.pxd

@@ -538,6 +538,11 @@ cdef extern from "kudu/client/client.h" namespace "kudu::client" nogil:
         PartitionType_Exclusive " kudu::client::KuduTableCreator::EXCLUSIVE_BOUND"
         PartitionType_Inclusive " kudu::client::KuduTableCreator::INCLUSIVE_BOUND"
 
+    enum EncryptionPolicy" kudu::client::KuduClientBuilder::EncryptionPolicy":
+        EncryptionPolicy_Optional " kudu::client::KuduClientBuilder::EncryptionPolicy::OPTIONAL"
+        EncryptionPolicy_RequiredRemote " kudu::client::KuduClientBuilder::EncryptionPolicy::REQUIRED_REMOTE"
+        EncryptionPolicy_Required " kudu::client::KuduClientBuilder::EncryptionPolicy::REQUIRED"
+
     Status DisableOpenSSLInitialization()
 
     cdef cppclass KuduClient:
@@ -579,6 +584,10 @@ cdef extern from "kudu/client/client.h" namespace "kudu::client" nogil:
 
         KuduClientBuilder& sasl_protocol_name(const string& sasl_protocol_name)
 
+        KuduClientBuilder& require_authentication(c_bool require_authentication)
+
+        KuduClientBuilder& encryption_policy(EncryptionPolicy encryption_policy)
+
         Status Build(shared_ptr[KuduClient]* client)
 
     cdef cppclass KuduTabletServer:

python/kudu/tests/test_client.py

@@ -18,7 +18,8 @@
 
 from kudu.compat import unittest, long
 from kudu.tests.common import KuduTestBase
-from kudu.client import Partitioning
+from kudu.client import (Partitioning, ENCRYPTION_OPTIONAL, ENCRYPTION_REQUIRED,
+                         ENCRYPTION_REQUIRED_REMOTE)
 import kudu
 import datetime
 from pytz import utc
@@ -338,9 +339,7 @@ def test_session_mutation_buffer_errors(self):
 
     def test_connect_timeouts(self):
         # it works! any other way to check
-        kudu.connect(self.master_hosts, self.master_ports,
-                     admin_timeout_ms=1000,
-                     rpc_timeout_ms=1000)
+        kudu.connect(self.master_hosts, self.master_ports, admin_timeout_ms=1000, rpc_timeout_ms=1000)
 
     def test_capture_kudu_error(self):
         pass
@@ -501,6 +500,16 @@ def test_alter_table_add_drop_partition(self):
         alterer.add_range_partition()
         table = alterer.alter()
 
+    def test_require_encryption(self):
+        client = kudu.connect(self.master_hosts, self.master_ports,
+                              encryption_policy=ENCRYPTION_REQUIRED)
+
+    def test_require_authn(self):
+        # Kerberos is not enabled on the cluster, so requiring
+        # authentication is expected to fail.
+        with self.assertRaises(kudu.KuduBadStatus):
+            client = kudu.connect(self.master_hosts, self.master_ports,
+                     require_authentication=True)
 
 class TestMonoDelta(unittest.TestCase):