ClickHouse/src/Access/ExternalAuthenticators.h

#pragma once

#include <Access/LDAPClient.h>
#include <Access/Credentials.h>
#include <Access/GSSAcceptor.h>
#include <base/defines.h>
#include <base/types.h>

#include <chrono>
#include <map>
#include <mutex>
#include <optional>
#include <unordered_map>


namespace Poco
{
    class Logger;

    namespace Util
    {
        class AbstractConfiguration;
    }
}

namespace DB
{

class ExternalAuthenticators
{
public:
    void reset();
    void setConfiguration(const Poco::Util::AbstractConfiguration & config, Poco::Logger * log);

    // The name and readiness of the credentials must be verified before calling these.
    bool checkLDAPCredentials(const String & server, const BasicCredentials & credentials,
        const LDAPClient::RoleSearchParamsList * role_search_params = nullptr, LDAPClient::SearchResultsList * role_search_results = nullptr) const;
    bool checkKerberosCredentials(const String & realm, const GSSAcceptorContext & credentials) const;

    GSSAcceptorContext::Params getKerberosParams() const;

private:
    struct LDAPCacheEntry
    {
        std::size_t last_successful_params_hash = 0;
        std::chrono::steady_clock::time_point last_successful_authentication_timestamp;
        LDAPClient::SearchResultsList last_successful_role_search_results;
    };

    using LDAPCache = std::unordered_map<String, LDAPCacheEntry>; // user name   -> cache entry
    using LDAPCaches = std::map<String, LDAPCache>;               // server name -> cache
    using LDAPParams = std::map<String, LDAPClient::Params>;      // server name -> params

    mutable std::mutex mutex;
    LDAPParams ldap_client_params_blueprint TSA_GUARDED_BY(mutex) ;
    mutable LDAPCaches ldap_caches TSA_GUARDED_BY(mutex) ;
    std::optional<GSSAcceptorContext::Params> kerberos_params TSA_GUARDED_BY(mutex) ;

    void resetImpl() TSA_REQUIRES(mutex);
};

void parseLDAPRoleSearchParams(LDAPClient::RoleSearchParams & params, const Poco::Util::AbstractConfiguration & config, const String & prefix);

}
Add LDAP authentication support 2020-05-27 21:06:33 +00:00			`#pragma once`

Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 20:41:10 +00:00			`#include <Access/LDAPClient.h>`
			`#include <Access/Credentials.h>`
			`#include <Access/GSSAcceptor.h>`
Support for Clang Thread Safety Analysis (TSA) - TSA is a static analyzer build by Google which finds race conditions and deadlocks at compile time. - It works by associating a shared member variable with a synchronization primitive that protects it. The compiler can then check at each access if proper locking happened before. A good introduction are [0] and [1]. - TSA requires some help by the programmer via annotations. Luckily, LLVM's libcxx already has annotations for std::mutex, std::lock_guard, std::shared_mutex and std::scoped_lock. This commit enables them (--> contrib/libcxx-cmake/CMakeLists.txt). - Further, this commit adds convenience macros for the low-level annotations for use in ClickHouse (--> base/defines.h). For demonstration, they are leveraged in a few places. - As we compile with "-Wall -Wextra -Weverything", the required compiler flag "-Wthread-safety-analysis" was already enabled. Negative checks are an experimental feature of TSA and disabled (--> cmake/warnings.cmake). Compile times did not increase noticeably. - TSA is used in a few places with simple locking. I tried TSA also where locking is more complex. The problem was usually that it is unclear which data is protected by which lock :-(. But there was definitely some weird code where locking looked broken. So there is some potential to find bugs. *** Limitations of TSA besides the ones listed in [1]: - The programmer needs to know which lock protects which piece of shared data. This is not always easy for large classes. - Two synchronization primitives used in ClickHouse are not annotated in libcxx: (1) std::unique_lock: A releaseable lock handle often together with std::condition_variable, e.g. in solve producer-consumer problems. (2) std::recursive_mutex: A re-entrant mutex variant. Its usage can be considered a design flaw + typically it is slower than a standard mutex. In this commit, one std::recursive_mutex was converted to std::mutex and annotated with TSA. - For free-standing functions (e.g. helper functions) which are passed shared data members, it can be tricky to specify the associated lock. This is because the annotations use the normal C++ rules for symbol resolution. [0] https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [1] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42958.pdf 2022-06-14 22:35:55 +00:00			`#include <base/defines.h>`
Rename "common" to "base" 2021-10-02 07:13:14 +00:00			`#include <base/types.h>`
Add LDAP authentication support 2020-05-27 21:06:33 +00:00
Move caching and LDAP credential verification code to ExternalAuthenticators 2020-12-24 21:49:19 +00:00			`#include <chrono>`
Add LDAP authentication support 2020-05-27 21:06:33 +00:00			`#include <map>`
			`#include <mutex>`
Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 20:41:10 +00:00			`#include <optional>`
Move caching and LDAP credential verification code to ExternalAuthenticators 2020-12-24 21:49:19 +00:00			`#include <unordered_map>`
Add LDAP authentication support 2020-05-27 21:06:33 +00:00

Compilation fix: add missing "/include" Style fix 2020-05-29 12:14:42 +00:00			`namespace Poco`
			`{`
Rename LDAP_PASSWORD to LDAP_SERVER and use "ldap_server" as a string key Some refactoring 2020-05-29 07:47:01 +00:00			`class Logger;`
Compilation fix: add missing "/include" Style fix 2020-05-29 12:14:42 +00:00
Rename LDAP_PASSWORD to LDAP_SERVER and use "ldap_server" as a string key Some refactoring 2020-05-29 07:47:01 +00:00			`namespace Util`
			`{`
			`class AbstractConfiguration;`
			`}`
			`}`

Add LDAP authentication support 2020-05-27 21:06:33 +00:00			`namespace DB`
			`{`

			`class ExternalAuthenticators`
			`{`
			`public:`
Refactor ExternalAuthenticators configuration process 2020-07-11 17:06:01 +00:00			`void reset();`
Implement LDAPAccessStorage and integrate it into AccessControlManager Rename ExternalAuthenticators::setConfig to setConfiguration Revisit LDAP servers config section comments Add user_directories config section with comments (only for ldap) Fix bug in MemoryAccessStorage::insertImpl 2020-07-23 17:55:24 +00:00			`void setConfiguration(const Poco::Util::AbstractConfiguration & config, Poco::Logger * log);`
Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 20:41:10 +00:00
			`// The name and readiness of the credentials must be verified before calling these.`
			`bool checkLDAPCredentials(const String & server, const BasicCredentials & credentials,`
Implement config parsing and actual support for user_dn_detection section and user_dn placeholder substitution Refactor some config parsing code Rename some arguments to better reflect their meaning Add documentation for user_dn_detection section and user_dn placeholder in config.xml and in docs 2021-03-28 22:23:20 +00:00			`const LDAPClient::RoleSearchParamsList * role_search_params = nullptr, LDAPClient::SearchResultsList * role_search_results = nullptr) const;`
Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 20:41:10 +00:00			`bool checkKerberosCredentials(const String & realm, const GSSAcceptorContext & credentials) const;`

			`GSSAcceptorContext::Params getKerberosParams() const;`
Move parseExternalAuthenticators functionality into the c-tor of ExternalAuthenticators 2020-06-02 09:37:02 +00:00
Move caching and LDAP credential verification code to ExternalAuthenticators 2020-12-24 21:49:19 +00:00			`private:`
			`struct LDAPCacheEntry`
			`{`
Refine the caching 2020-12-24 23:46:08 +00:00			`std::size_t last_successful_params_hash = 0;`
			`std::chrono::steady_clock::time_point last_successful_authentication_timestamp;`
Implement config parsing and actual support for user_dn_detection section and user_dn placeholder substitution Refactor some config parsing code Rename some arguments to better reflect their meaning Add documentation for user_dn_detection section and user_dn placeholder in config.xml and in docs 2021-03-28 22:23:20 +00:00			`LDAPClient::SearchResultsList last_successful_role_search_results;`
Move caching and LDAP credential verification code to ExternalAuthenticators 2020-12-24 21:49:19 +00:00			`};`

Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 20:41:10 +00:00			`using LDAPCache = std::unordered_map<String, LDAPCacheEntry>; // user name -> cache entry`
			`using LDAPCaches = std::map<String, LDAPCache>; // server name -> cache`
			`using LDAPParams = std::map<String, LDAPClient::Params>; // server name -> params`
Add LDAP authentication support 2020-05-27 21:06:33 +00:00
Support for Clang Thread Safety Analysis (TSA) - TSA is a static analyzer build by Google which finds race conditions and deadlocks at compile time. - It works by associating a shared member variable with a synchronization primitive that protects it. The compiler can then check at each access if proper locking happened before. A good introduction are [0] and [1]. - TSA requires some help by the programmer via annotations. Luckily, LLVM's libcxx already has annotations for std::mutex, std::lock_guard, std::shared_mutex and std::scoped_lock. This commit enables them (--> contrib/libcxx-cmake/CMakeLists.txt). - Further, this commit adds convenience macros for the low-level annotations for use in ClickHouse (--> base/defines.h). For demonstration, they are leveraged in a few places. - As we compile with "-Wall -Wextra -Weverything", the required compiler flag "-Wthread-safety-analysis" was already enabled. Negative checks are an experimental feature of TSA and disabled (--> cmake/warnings.cmake). Compile times did not increase noticeably. - TSA is used in a few places with simple locking. I tried TSA also where locking is more complex. The problem was usually that it is unclear which data is protected by which lock :-(. But there was definitely some weird code where locking looked broken. So there is some potential to find bugs. *** Limitations of TSA besides the ones listed in [1]: - The programmer needs to know which lock protects which piece of shared data. This is not always easy for large classes. - Two synchronization primitives used in ClickHouse are not annotated in libcxx: (1) std::unique_lock: A releaseable lock handle often together with std::condition_variable, e.g. in solve producer-consumer problems. (2) std::recursive_mutex: A re-entrant mutex variant. Its usage can be considered a design flaw + typically it is slower than a standard mutex. In this commit, one std::recursive_mutex was converted to std::mutex and annotated with TSA. - For free-standing functions (e.g. helper functions) which are passed shared data members, it can be tricky to specify the associated lock. This is because the annotations use the normal C++ rules for symbol resolution. [0] https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [1] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42958.pdf 2022-06-14 22:35:55 +00:00			`mutable std::mutex mutex;`
			`LDAPParams ldap_client_params_blueprint TSA_GUARDED_BY(mutex) ;`
			`mutable LDAPCaches ldap_caches TSA_GUARDED_BY(mutex) ;`
			`std::optional<GSSAcceptorContext::Params> kerberos_params TSA_GUARDED_BY(mutex) ;`

			`void resetImpl() TSA_REQUIRES(mutex);`
Add LDAP authentication support 2020-05-27 21:06:33 +00:00			`};`

Implement config parsing and actual support for user_dn_detection section and user_dn placeholder substitution Refactor some config parsing code Rename some arguments to better reflect their meaning Add documentation for user_dn_detection section and user_dn placeholder in config.xml and in docs 2021-03-28 22:23:20 +00:00			`void parseLDAPRoleSearchParams(LDAPClient::RoleSearchParams & params, const Poco::Util::AbstractConfiguration & config, const String & prefix);`

Add LDAP authentication support 2020-05-27 21:06:33 +00:00			`}`