ClickHouse/dbms/include/DB/Interpreters/Users.h

#pragma once

#include <string.h>

#include <Poco/RegularExpression.h>
#include <Poco/Net/IPAddress.h>
#include <Poco/Net/SocketAddress.h>
#include <Poco/Net/DNS.h>
#include <Poco/Util/Application.h>
#include <Poco/Util/AbstractConfiguration.h>
#include <Poco/String.h>

#include <DB/Core/Types.h>
#include <DB/Common/Exception.h>
#include <DB/Core/ErrorCodes.h>
#include <DB/IO/ReadHelpers.h>
#include <DB/IO/HexWriteBuffer.h>
#include <DB/IO/WriteBufferFromString.h>
#include <DB/IO/WriteHelpers.h>
#include <DB/Common/SimpleCache.h>

#include <openssl/sha.h>

#include <common/logger_useful.h>

#include <unordered_set>

namespace DB
{


/// Позволяет проверить соответствие адреса шаблону.
class IAddressPattern
{
public:
	virtual bool contains(const Poco::Net::IPAddress & addr) const = 0;
	virtual ~IAddressPattern() {}

	static Poco::Net::IPAddress toIPv6(const Poco::Net::IPAddress addr)
	{
		if (addr.family() == Poco::Net::IPAddress::IPv6)
			return addr;

		return Poco::Net::IPAddress("::FFFF:" + addr.toString());
	}
};


/// IP-адрес или маска подсети. Например, 213.180.204.3 или 10.0.0.1/8 или 2a02:6b8::3 или 2a02:6b8::3/64.
class IPAddressPattern : public IAddressPattern
{
private:
	/// Адрес маски. Всегда переводится в IPv6.
	Poco::Net::IPAddress mask_address;
	/// Количество бит в маске.
	UInt8 prefix_bits;

public:
	explicit IPAddressPattern(const String & str)
	{
		const char * pos = strchr(str.c_str(), '/');

		if (nullptr == pos)
		{
			construct(Poco::Net::IPAddress(str));
		}
		else
		{
			String addr(str, 0, pos - str.c_str());
			UInt8 prefix_bits_ = parse<UInt8>(pos + 1);

			construct(Poco::Net::IPAddress(addr), prefix_bits_);
		}
	}

	bool contains(const Poco::Net::IPAddress & addr) const
	{
		return prefixBitsEquals(reinterpret_cast<const char *>(toIPv6(addr).addr()), reinterpret_cast<const char *>(mask_address.addr()), prefix_bits);
	}

private:
	void construct(const Poco::Net::IPAddress & mask_address_)
	{
		mask_address = toIPv6(mask_address_);
		prefix_bits = 128;
	}

	void construct(const Poco::Net::IPAddress & mask_address_, UInt8 prefix_bits_)
	{
		mask_address = toIPv6(mask_address_);
		prefix_bits = mask_address_.family() == Poco::Net::IPAddress::IPv4
			? prefix_bits_ + 96
			: prefix_bits_;
	}

	static bool prefixBitsEquals(const char * lhs, const char * rhs, UInt8 prefix_bits)
	{
		UInt8 prefix_bytes = prefix_bits / 8;
		UInt8 remaining_bits = prefix_bits % 8;

		return 0 == memcmp(lhs, rhs, prefix_bytes)
			&& (remaining_bits % 8 == 0
				 || (lhs[prefix_bytes] >> (8 - remaining_bits)) == (rhs[prefix_bytes] >> (8 - remaining_bits)));
	}
};


/// Проверяет соответствие адреса одному из адресов хоста.
class HostExactPattern : public IAddressPattern
{
private:
	String host;

	static bool containsImpl(const String & host, const Poco::Net::IPAddress & addr)
	{
		Poco::Net::IPAddress addr_v6 = toIPv6(addr);

		/// Резолвим вручную, потому что в Poco не используется флаг AI_ALL, а он важен.
		addrinfo * ai = nullptr;

		addrinfo hints;
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = AF_UNSPEC;
		hints.ai_flags |= AI_V4MAPPED | AI_ALL;

		int ret = getaddrinfo(host.c_str(), nullptr, &hints, &ai);
		if (0 != ret)
			throw Exception("Cannot getaddrinfo: " + std::string(gai_strerror(ret)), ErrorCodes::DNS_ERROR);

		try
		{
			for (; ai != nullptr; ai = ai->ai_next)
			{
				if (ai->ai_addrlen && ai->ai_addr)
				{
					if (ai->ai_family == AF_INET6)
					{
						if (addr_v6 == Poco::Net::IPAddress(
							&reinterpret_cast<sockaddr_in6*>(ai->ai_addr)->sin6_addr, sizeof(in6_addr),
							reinterpret_cast<sockaddr_in6*>(ai->ai_addr)->sin6_scope_id))
						{
							return true;
						}
					}
					else if (ai->ai_family == AF_INET)
					{
						if (addr_v6 == toIPv6(Poco::Net::IPAddress(
							&reinterpret_cast<sockaddr_in*>(ai->ai_addr)->sin_addr, sizeof(in_addr))))
						{
							return true;
						}
					}
				}
			}
		}
		catch (...)
		{
			freeaddrinfo(ai);
			throw;
		}
		freeaddrinfo(ai);

		return false;
	}

public:
	HostExactPattern(const String & host_) : host(host_) {}

	bool contains(const Poco::Net::IPAddress & addr) const
	{
		static SimpleCache<decltype(containsImpl), &containsImpl> cache;
		return cache(host, addr);
	}
};


/// Проверяет соответствие PTR-записи для адреса регекспу (и дополнительно проверяет, что PTR-запись резолвится обратно в адрес клиента).
class HostRegexpPattern : public IAddressPattern
{
private:
	Poco::RegularExpression host_regexp;

	static String getDomain(const Poco::Net::IPAddress & addr)
	{
		Poco::Net::SocketAddress sock_addr(addr, 0);

		/// Резолвим вручную, потому что в Poco нет такой функциональности.
		char domain[1024];
		int gai_errno = getnameinfo(sock_addr.addr(), sock_addr.length(), domain, sizeof(domain), nullptr, 0, NI_NAMEREQD);
		if (0 != gai_errno)
			throw Exception("Cannot getnameinfo: " + std::string(gai_strerror(gai_errno)), ErrorCodes::DNS_ERROR);

		return domain;
	}

public:
	HostRegexpPattern(const String & host_regexp_) : host_regexp(host_regexp_) {}

	bool contains(const Poco::Net::IPAddress & addr) const
	{
		static SimpleCache<decltype(getDomain), &getDomain> cache;

		String domain = cache(addr);
		Poco::RegularExpression::Match match;

		if (host_regexp.match(domain, match) && HostExactPattern(domain).contains(addr))
			return true;

		return false;
	}
};


class AddressPatterns
{
private:
	typedef std::vector<std::unique_ptr<IAddressPattern>> Container;
	Container patterns;

public:
	bool contains(const Poco::Net::IPAddress & addr) const
	{
		for (size_t i = 0, size = patterns.size(); i < size; ++i)
		{
			/// если хост не резолвится, то пропустим его и попробуем другой
			try
			{
				if (patterns[i]->contains(addr))
					return true;
			}
			catch (const DB::Exception & e)
			{
				LOG_WARNING(&Logger::get("AddressPatterns"),
					"Failed to check if pattern contains address " << addr.toString() << ". " << e.displayText() << ", code = " << e.code());

				if (e.code() == ErrorCodes::DNS_ERROR)
				{
					continue;
				}
				else
					throw;
			}
		}

		return false;
	}

	void addFromConfig(const String & config_elem, Poco::Util::AbstractConfiguration & config)
	{
		Poco::Util::AbstractConfiguration::Keys config_keys;
		config.keys(config_elem, config_keys);

		for (Poco::Util::AbstractConfiguration::Keys::const_iterator it = config_keys.begin(); it != config_keys.end(); ++it)
		{
			Container::value_type pattern;
			String value = config.getString(config_elem + "." + *it);

			if (0 == it->compare(0, strlen("ip"), "ip"))
				pattern.reset(new IPAddressPattern(value));
			else if (0 == it->compare(0, strlen("host_regexp"), "host_regexp"))
				pattern.reset(new HostRegexpPattern(value));
			else if (0 == it->compare(0, strlen("host"), "host"))
				pattern.reset(new HostExactPattern(value));
			else
				throw Exception("Unknown address pattern type: " + *it, ErrorCodes::UNKNOWN_ADDRESS_PATTERN_TYPE);

			patterns.push_back(pattern);
		}
	}
};


/** Пользователь и ACL.
  */
struct User
{
	String name;

	/// Требуемый пароль. Может храниться либо в открытом виде, либо в виде SHA256.
	String password;
	String password_sha256_hex;

	String profile;
	String quota;

	AddressPatterns addresses;

	/// Список разрешённых баз данных.
	using DatabaseSet = std::unordered_set<std::string>;
	DatabaseSet databases;

	User(const String & name_, const String & config_elem, Poco::Util::AbstractConfiguration & config)
		: name(name_)
	{
		bool has_password = config.has(config_elem + ".password");
		bool has_password_sha256_hex = config.has(config_elem + ".password_sha256_hex");

		if (has_password && has_password_sha256_hex)
			throw Exception("Both fields 'password' and 'password_sha256_hex' are specified for user " + name + ". Must be only one of them.", ErrorCodes::BAD_ARGUMENTS);

		if (!has_password && !has_password_sha256_hex)
			throw Exception("Either 'password' or 'password_sha256_hex' must be specified for user " + name + ".", ErrorCodes::BAD_ARGUMENTS);

		if (has_password)
			password 	= config.getString(config_elem + ".password");

		if (has_password_sha256_hex)
		{
			password_sha256_hex = Poco::toLower(config.getString(config_elem + ".password_sha256_hex"));

			if (password_sha256_hex.size() != 64)
				throw Exception("password_sha256_hex for user " + name + " has length " + toString(password_sha256_hex.size()) + " but must be exactly 64 symbols.", ErrorCodes::BAD_ARGUMENTS);
		}

		profile 	= config.getString(config_elem + ".profile");
		quota 		= config.getString(config_elem + ".quota");

		addresses.addFromConfig(config_elem + ".networks", config);

		/// Заполнить список разрешённых баз данных.
		const auto config_sub_elem = config_elem + ".allow_databases";
		if (config.has(config_sub_elem))
		{
			Poco::Util::AbstractConfiguration::Keys config_keys;
			config.keys(config_sub_elem, config_keys);

			databases.reserve(config_keys.size());
			for (const auto & key : config_keys)
			{
				const auto database_name = config.getString(config_sub_elem + "." + key);
				databases.insert(database_name);
			}
		}
	}

	/// Для вставки в контейнер.
	User() {}
};


/// Известные пользователи.
class Users
{
private:
	typedef std::map<String, User> Container;
	Container cont;

public:
	void loadFromConfig(Poco::Util::AbstractConfiguration & config)
	{
		cont.clear();

		Poco::Util::AbstractConfiguration::Keys config_keys;
		config.keys("users", config_keys);

		for (Poco::Util::AbstractConfiguration::Keys::const_iterator it = config_keys.begin(); it != config_keys.end(); ++it)
			cont[*it] = User(*it, "users." + *it, config);
	}

	const User & get(const String & name, const String & password, const Poco::Net::IPAddress & address) const
	{
		Container::const_iterator it = cont.find(name);

		if (cont.end() == it)
			throw Exception("Unknown user " + name, ErrorCodes::UNKNOWN_USER);

		if (!it->second.addresses.contains(address))
			throw Exception("User " + name + " is not allowed to connect from address " + address.toString(), ErrorCodes::IP_ADDRESS_NOT_ALLOWED);

		auto on_wrong_password = [&]()
		{
			if (password.empty())
				throw Exception("Password required for user " + name, ErrorCodes::REQUIRED_PASSWORD);
			else
				throw Exception("Wrong password for user " + name, ErrorCodes::WRONG_PASSWORD);
		};

		if (!it->second.password_sha256_hex.empty())
		{
			unsigned char hash[32];

			SHA256_CTX ctx;
			SHA256_Init(&ctx);
			SHA256_Update(&ctx, reinterpret_cast<const unsigned char *>(password.data()), password.size());
			SHA256_Final(hash, &ctx);

			String hash_hex;
			{
				WriteBufferFromString buf(hash_hex);
				HexWriteBuffer hex_buf(buf);
				hex_buf.write(reinterpret_cast<const char *>(hash), sizeof(hash));
			}

			Poco::toLowerInPlace(hash_hex);

			if (hash_hex != it->second.password_sha256_hex)
				on_wrong_password();
		}
		else if (password != it->second.password)
		{
			on_wrong_password();
		}

		return it->second;
	}

	/// Проверить, имеет ли заданный клиент доступ к заданной базе данных.
	bool isAllowedDatabase(const std::string & user_name, const std::string & database_name) const
	{
		auto it = cont.find(user_name);
		if (it == cont.end())
			throw Exception("Unknown user " + user_name, ErrorCodes::UNKNOWN_USER);

		const auto & user = it->second;
		return user.databases.empty() || user.databases.count(database_name);
	}
};


}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								#pragma once
 								#include <string.h>
 								#include <Poco/RegularExpression.h>
 								#include <Poco/Net/IPAddress.h>
-												dbms: fixed error, added test [#CONV-8458].



											
										
										
											2013-08-11 00:07:49 +00:00
+								#include <Poco/Net/SocketAddress.h>
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								#include <Poco/Net/DNS.h>
 								#include <Poco/Util/Application.h>
 								#include <Poco/Util/AbstractConfiguration.h>
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+								#include <Poco/String.h>
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 								#include <DB/Core/Types.h>
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:35:28 +00:00
+								#include <DB/Common/Exception.h>
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								#include <DB/Core/ErrorCodes.h>
 								#include <DB/IO/ReadHelpers.h>
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+								#include <DB/IO/HexWriteBuffer.h>
 								#include <DB/IO/WriteBufferFromString.h>
-												dbms: fixed build [#METR-2807].

											
										
										
											2015-09-27 14:28:43 +00:00
+								#include <DB/IO/WriteHelpers.h>
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
+								#include <DB/Common/SimpleCache.h>
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
 								#include <openssl/sha.h>
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
-												dbms: fixed build [#METR-18202].

											
										
										
											2015-09-29 19:19:54 +00:00
+								#include <common/logger_useful.h>
-												dbms: added message [#METR-9462]


											
										
										
											2013-12-26 09:42:32 +00:00
-												Merge

											
										
										
											2015-10-01 15:10:41 +00:00
+								#include <unordered_set>
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 								namespace DB
 								{
 								/// Позволяет проверить соответствие адреса шаблону.
 								class IAddressPattern
 								{
 								public:
 									virtual bool contains(const Poco::Net::IPAddress & addr) const = 0;
 									virtual ~IAddressPattern() {}
 									static Poco::Net::IPAddress toIPv6(const Poco::Net::IPAddress addr)
 									{
 										if (addr.family() == Poco::Net::IPAddress::IPv6)
 											return addr;
 										return Poco::Net::IPAddress("::FFFF:" + addr.toString());
 									}
 								};
 								/// IP-адрес или маска подсети. Например, 213.180.204.3 или 10.0.0.1/8 или 2a02:6b8::3 или 2a02:6b8::3/64.
 								class IPAddressPattern : public IAddressPattern
 								{
 								private:
 									/// Адрес маски. Всегда переводится в IPv6.
 									Poco::Net::IPAddress mask_address;
 									/// Количество бит в маске.
 									UInt8 prefix_bits;
 								public:
 									explicit IPAddressPattern(const String & str)
 									{
 										const char * pos = strchr(str.c_str(), '/');
-												Improvement [#METR-2807].

											
										
										
											2014-04-08 07:47:51 +00:00
+										if (nullptr == pos)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										{
 											construct(Poco::Net::IPAddress(str));
 										}
 										else
 										{
 											String addr(str, 0, pos - str.c_str());
 											UInt8 prefix_bits_ = parse<UInt8>(pos + 1);
 											construct(Poco::Net::IPAddress(addr), prefix_bits_);
 										}
 									}
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									bool contains(const Poco::Net::IPAddress & addr) const
 									{
 										return prefixBitsEquals(reinterpret_cast<const char *>(toIPv6(addr).addr()), reinterpret_cast<const char *>(mask_address.addr()), prefix_bits);
 									}
 								private:
 									void construct(const Poco::Net::IPAddress & mask_address_)
 									{
 										mask_address = toIPv6(mask_address_);
 										prefix_bits = 128;
 									}
 									void construct(const Poco::Net::IPAddress & mask_address_, UInt8 prefix_bits_)
 									{
 										mask_address = toIPv6(mask_address_);
 										prefix_bits = mask_address_.family() == Poco::Net::IPAddress::IPv4
 											? prefix_bits_ + 96
 											: prefix_bits_;
 									}
 									static bool prefixBitsEquals(const char * lhs, const char * rhs, UInt8 prefix_bits)
 									{
 										UInt8 prefix_bytes = prefix_bits / 8;
 										UInt8 remaining_bits = prefix_bits % 8;
 										return 0 == memcmp(lhs, rhs, prefix_bytes)
 											&& (remaining_bits % 8 == 0
 												 || (lhs[prefix_bytes] >> (8 - remaining_bits)) == (rhs[prefix_bytes] >> (8 - remaining_bits)));
 									}
 								};
 								/// Проверяет соответствие адреса одному из адресов хоста.
 								class HostExactPattern : public IAddressPattern
 								{
 								private:
 									String host;
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
+									static bool containsImpl(const String & host, const Poco::Net::IPAddress & addr)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									{
 										Poco::Net::IPAddress addr_v6 = toIPv6(addr);
-												dbms: fixed error with users [#CONV-8458].



											
										
										
											2013-08-11 02:00:13 +00:00
+										/// Резолвим вручную, потому что в Poco не используется флаг AI_ALL, а он важен.
-												Improvement [#METR-2807].

											
										
										
											2014-04-08 07:31:51 +00:00
+										addrinfo * ai = nullptr;
-												dbms: fixed error with users [#CONV-8458].



											
										
										
											2013-08-11 02:00:13 +00:00
 										addrinfo hints;
 										memset(&hints, 0, sizeof(hints));
 										hints.ai_family = AF_UNSPEC;
 										hints.ai_flags |= AI_V4MAPPED | AI_ALL;
-												Improvement [#METR-2807].

											
										
										
											2014-04-08 07:58:53 +00:00
+										int ret = getaddrinfo(host.c_str(), nullptr, &hints, &ai);
-												dbms: fixed error with users [#CONV-8458].



											
										
										
											2013-08-11 02:00:13 +00:00
+										if (0 != ret)
 											throw Exception("Cannot getaddrinfo: " + std::string(gai_strerror(ret)), ErrorCodes::DNS_ERROR);
 										try
 										{
-												Improvement [#METR-2807].

											
										
										
											2014-04-08 07:31:51 +00:00
+											for (; ai != nullptr; ai = ai->ai_next)
-												dbms: fixed error with users [#CONV-8458].



											
										
										
											2013-08-11 02:00:13 +00:00
+											{
 												if (ai->ai_addrlen && ai->ai_addr)
 												{
 													if (ai->ai_family == AF_INET6)
 													{
 														if (addr_v6 == Poco::Net::IPAddress(
 															&reinterpret_cast<sockaddr_in6*>(ai->ai_addr)->sin6_addr, sizeof(in6_addr),
 															reinterpret_cast<sockaddr_in6*>(ai->ai_addr)->sin6_scope_id))
 														{
 															return true;
 														}
 													}
 													else if (ai->ai_family == AF_INET)
 													{
 														if (addr_v6 == toIPv6(Poco::Net::IPAddress(
 															&reinterpret_cast<sockaddr_in*>(ai->ai_addr)->sin_addr, sizeof(in_addr))))
 														{
 															return true;
 														}
 													}
 												}
 											}
 										}
 										catch (...)
 										{
 											freeaddrinfo(ai);
 											throw;
 										}
 										freeaddrinfo(ai);
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 										return false;
 									}
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
 								public:
 									HostExactPattern(const String & host_) : host(host_) {}
 									bool contains(const Poco::Net::IPAddress & addr) const
 									{
 										static SimpleCache<decltype(containsImpl), &containsImpl> cache;
 										return cache(host, addr);
 									}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								};
 								/// Проверяет соответствие PTR-записи для адреса регекспу (и дополнительно проверяет, что PTR-запись резолвится обратно в адрес клиента).
 								class HostRegexpPattern : public IAddressPattern
 								{
 								private:
 									Poco::RegularExpression host_regexp;
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
+									static String getDomain(const Poco::Net::IPAddress & addr)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									{
-												dbms: fixed error, added test [#CONV-8458].



											
										
										
											2013-08-11 00:07:49 +00:00
+										Poco::Net::SocketAddress sock_addr(addr, 0);
 										/// Резолвим вручную, потому что в Poco нет такой функциональности.
 										char domain[1024];
-												Improvement [#METR-2807].

											
										
										
											2014-04-08 07:58:53 +00:00
+										int gai_errno = getnameinfo(sock_addr.addr(), sock_addr.length(), domain, sizeof(domain), nullptr, 0, NI_NAMEREQD);
-												dbms: fixed error, added test [#CONV-8458].



											
										
										
											2013-08-11 00:07:49 +00:00
+										if (0 != gai_errno)
-												dbms: development of users [#CONV-8458].



											
										
										
											2013-08-11 00:48:28 +00:00
+											throw Exception("Cannot getnameinfo: " + std::string(gai_strerror(gai_errno)), ErrorCodes::DNS_ERROR);
-												dbms: fixed error, added test [#CONV-8458].



											
										
										
											2013-08-11 00:07:49 +00:00
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
+										return domain;
 									}
 								public:
 									HostRegexpPattern(const String & host_regexp_) : host_regexp(host_regexp_) {}
 									bool contains(const Poco::Net::IPAddress & addr) const
 									{
 										static SimpleCache<decltype(getDomain), &getDomain> cache;
 										String domain = cache(addr);
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										Poco::RegularExpression::Match match;
-												dbms: caching DNS requests for authentification [#METR-18213].

											
										
										
											2015-09-27 02:18:00 +00:00
+										if (host_regexp.match(domain, match) && HostExactPattern(domain).contains(addr))
-												dbms: fixed error, added test [#CONV-8458].



											
										
										
											2013-08-11 00:07:49 +00:00
+											return true;
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 										return false;
 									}
 								};
 								class AddressPatterns
 								{
 								private:
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:50:42 +00:00
+									typedef std::vector<std::unique_ptr<IAddressPattern>> Container;
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									Container patterns;
 								public:
 									bool contains(const Poco::Net::IPAddress & addr) const
 									{
 										for (size_t i = 0, size = patterns.size(); i < size; ++i)
-												dbms: development [#METR-9462]


											
										
										
											2013-12-24 14:00:18 +00:00
+										{
 											/// если хост не резолвится, то пропустим его и попробуем другой
 											try
 											{
 												if (patterns[i]->contains(addr))
 													return true;
 											}
 											catch (const DB::Exception & e)
 											{
-												Addition to prev. revision [#METR-2944].



											
										
										
											2013-12-27 18:01:53 +00:00
+												LOG_WARNING(&Logger::get("AddressPatterns"),
-												dbms: tiny improvement [#METR-2944].



											
										
										
											2013-12-27 17:43:36 +00:00
+													"Failed to check if pattern contains address " << addr.toString() << ". " << e.displayText() << ", code = " << e.code());
-												dbms: development [#METR-9462]


											
										
										
											2013-12-24 14:00:18 +00:00
+												if (e.code() == ErrorCodes::DNS_ERROR)
-												dbms: added message [#METR-9462]


											
										
										
											2013-12-26 09:42:32 +00:00
+												{
-												dbms: development [#METR-9462]


											
										
										
											2013-12-24 14:00:18 +00:00
+													continue;
-												dbms: added message [#METR-9462]


											
										
										
											2013-12-26 09:42:32 +00:00
+												}
-												dbms: development [#METR-9462]


											
										
										
											2013-12-24 14:00:18 +00:00
+												else
 													throw;
 											}
 										}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 										return false;
 									}
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+									void addFromConfig(const String & config_elem, Poco::Util::AbstractConfiguration & config)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									{
 										Poco::Util::AbstractConfiguration::Keys config_keys;
 										config.keys(config_elem, config_keys);
 										for (Poco::Util::AbstractConfiguration::Keys::const_iterator it = config_keys.begin(); it != config_keys.end(); ++it)
 										{
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:50:42 +00:00
+											Container::value_type pattern;
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+											String value = config.getString(config_elem + "." + *it);
 											if (0 == it->compare(0, strlen("ip"), "ip"))
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:50:42 +00:00
+												pattern.reset(new IPAddressPattern(value));
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+											else if (0 == it->compare(0, strlen("host_regexp"), "host_regexp"))
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:50:42 +00:00
+												pattern.reset(new HostRegexpPattern(value));
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+											else if (0 == it->compare(0, strlen("host"), "host"))
-												Moved files [#METR-17973].

											
										
										
											2015-10-05 01:50:42 +00:00
+												pattern.reset(new HostExactPattern(value));
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+											else
 												throw Exception("Unknown address pattern type: " + *it, ErrorCodes::UNKNOWN_ADDRESS_PATTERN_TYPE);
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+											patterns.push_back(pattern);
 										}
 									}
 								};
 								/** Пользователь и ACL.
 								  */
 								struct User
 								{
 									String name;
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+									/// Требуемый пароль. Может храниться либо в открытом виде, либо в виде SHA256.
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									String password;
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+									String password_sha256_hex;
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 									String profile;
-												dbms: quotas: development [#CONV-8459].



											
										
										
											2013-08-12 00:36:18 +00:00
+									String quota;
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 									AddressPatterns addresses;
-												Merge

											
										
										
											2015-10-01 15:10:41 +00:00
+									/// Список разрешённых баз данных.
 									using DatabaseSet = std::unordered_set<std::string>;
 									DatabaseSet databases;
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+									User(const String & name_, const String & config_elem, Poco::Util::AbstractConfiguration & config)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										: name(name_)
 									{
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+										bool has_password = config.has(config_elem + ".password");
 										bool has_password_sha256_hex = config.has(config_elem + ".password_sha256_hex");
 										if (has_password && has_password_sha256_hex)
 											throw Exception("Both fields 'password' and 'password_sha256_hex' are specified for user " + name + ". Must be only one of them.", ErrorCodes::BAD_ARGUMENTS);
 										if (!has_password && !has_password_sha256_hex)
 											throw Exception("Either 'password' or 'password_sha256_hex' must be specified for user " + name + ".", ErrorCodes::BAD_ARGUMENTS);
 										if (has_password)
 											password 	= config.getString(config_elem + ".password");
 										if (has_password_sha256_hex)
 										{
 											password_sha256_hex = Poco::toLower(config.getString(config_elem + ".password_sha256_hex"));
 											if (password_sha256_hex.size() != 64)
 												throw Exception("password_sha256_hex for user " + name + " has length " + toString(password_sha256_hex.size()) + " but must be exactly 64 symbols.", ErrorCodes::BAD_ARGUMENTS);
 										}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										profile 	= config.getString(config_elem + ".profile");
-												dbms: quotas: development [#CONV-8459].



											
										
										
											2013-08-12 00:36:18 +00:00
+										quota 		= config.getString(config_elem + ".quota");
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+										addresses.addFromConfig(config_elem + ".networks", config);
-												Merge

											
										
										
											2015-10-01 15:10:41 +00:00
 										/// Заполнить список разрешённых баз данных.
 										const auto config_sub_elem = config_elem + ".allow_databases";
 										if (config.has(config_sub_elem))
 										{
 											Poco::Util::AbstractConfiguration::Keys config_keys;
 											config.keys(config_sub_elem, config_keys);
 											databases.reserve(config_keys.size());
 											for (const auto & key : config_keys)
 											{
 												const auto database_name = config.getString(config_sub_elem + "." + key);
 												databases.insert(database_name);
 											}
 										}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									}
 									/// Для вставки в контейнер.
 									User() {}
 								};
 								/// Известные пользователи.
 								class Users
 								{
 								private:
 									typedef std::map<String, User> Container;
 									Container cont;
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								public:
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+									void loadFromConfig(Poco::Util::AbstractConfiguration & config)
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									{
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+										cont.clear();
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
 										Poco::Util::AbstractConfiguration::Keys config_keys;
 										config.keys("users", config_keys);
 										for (Poco::Util::AbstractConfiguration::Keys::const_iterator it = config_keys.begin(); it != config_keys.end(); ++it)
-												clickhouse-server: loading users, profiles and quotas form separate config file. [#METR-8956]


											
										
										
											2014-02-13 07:17:22 +00:00
+											cont[*it] = User(*it, "users." + *it, config);
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+									}
 									const User & get(const String & name, const String & password, const Poco::Net::IPAddress & address) const
 									{
 										Container::const_iterator it = cont.find(name);
 										if (cont.end() == it)
 											throw Exception("Unknown user " + name, ErrorCodes::UNKNOWN_USER);
 										if (!it->second.addresses.contains(address))
 											throw Exception("User " + name + " is not allowed to connect from address " + address.toString(), ErrorCodes::IP_ADDRESS_NOT_ALLOWED);
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+										auto on_wrong_password = [&]()
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										{
 											if (password.empty())
 												throw Exception("Password required for user " + name, ErrorCodes::REQUIRED_PASSWORD);
 											else
 												throw Exception("Wrong password for user " + name, ErrorCodes::WRONG_PASSWORD);
-												dbms: allowed to specify passwords in hashed form [#METR-18119].

											
										
										
											2015-09-24 07:18:05 +00:00
+										};
 										if (!it->second.password_sha256_hex.empty())
 										{
 											unsigned char hash[32];
 											SHA256_CTX ctx;
 											SHA256_Init(&ctx);
 											SHA256_Update(&ctx, reinterpret_cast<const unsigned char *>(password.data()), password.size());
 											SHA256_Final(hash, &ctx);
 											String hash_hex;
 											{
 												WriteBufferFromString buf(hash_hex);
 												HexWriteBuffer hex_buf(buf);
 												hex_buf.write(reinterpret_cast<const char *>(hash), sizeof(hash));
 											}
 											Poco::toLowerInPlace(hash_hex);
 											if (hash_hex != it->second.password_sha256_hex)
 												on_wrong_password();
 										}
 										else if (password != it->second.password)
 										{
 											on_wrong_password();
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+										}
 										return it->second;
 									}
-												Merge

											
										
										
											2015-10-01 15:10:41 +00:00
 									/// Проверить, имеет ли заданный клиент доступ к заданной базе данных.
 									bool isAllowedDatabase(const std::string & user_name, const std::string & database_name) const
 									{
 										auto it = cont.find(user_name);
 										if (it == cont.end())
 											throw Exception("Unknown user " + user_name, ErrorCodes::UNKNOWN_USER);
 										const auto & user = it->second;
 										return user.databases.empty() || user.databases.count(database_name);
 									}
-												dbms: development of users and ACLs [#CONV-8458].



											
										
										
											2013-08-10 07:46:45 +00:00
+								};
 								}