ClickHouse/src/Interpreters/InterserverCredentials.cpp

#include <Interpreters/InterserverCredentials.h>
#include <common/logger_useful.h>

namespace DB
{
namespace ErrorCodes
{
    extern const int NO_ELEMENTS_IN_CONFIG;
}

std::shared_ptr<ConfigInterserverCredentials>
ConfigInterserverCredentials::make(const Poco::Util::AbstractConfiguration & config, const std::string root_tag)
{
    const auto user = config.getString(root_tag + ".user", "");
    const auto password = config.getString(root_tag + ".password", "");

    if (user.empty())
        throw Exception("Configuration parameter interserver_http_credentials user can't be empty", ErrorCodes::NO_ELEMENTS_IN_CONFIG);

    auto store = makeCredentialStore(user, password, config, root_tag);

    return std::make_shared<ConfigInterserverCredentials>(user, password, store);
}

ConfigInterserverCredentials::Store ConfigInterserverCredentials::makeCredentialStore(
    const std::string current_user_,
    const std::string current_password_,
    const Poco::Util::AbstractConfiguration & config,
    const std::string root_tag)
{
    Store store;
    store.insert({{current_user_, current_password_}, true});
    if (config.has(root_tag + ".allow_empty") && config.getBool(root_tag + ".allow_empty"))
    {
        /// Allow empty credential to support migrating from no auth
        store.insert({{"", ""}, true});
    }


    Poco::Util::AbstractConfiguration::Keys users;
    config.keys(root_tag + ".users", users);
    for (const auto & user : users)
    {
        LOG_DEBUG(&Poco::Logger::get("InterserverCredentials"), "Adding credential for {}", user);
        const auto password = config.getString(root_tag + ".users." + user);
        store.insert({{user, password}, true});
    }

    return store;
}

std::pair<String, bool> ConfigInterserverCredentials::isValidUser(const std::pair<std::string, std::string> credentials)
{
    const auto & valid = store.find(credentials);
    if (valid == store.end())
        return {"Incorrect user or password in HTTP basic authentication: " + credentials.first, false};
    return {"", true};
}

}
Support interserver credential rotation Restarting a server instance to change the interserver password results in many replicas being out of sync until all clusters are using the new credential. This commit adds dynamic credential loading for both the client (Replicated* tables) and server (InterserverIOHTTPHandler). This commit also adds the ability to rotate credentials, i.e. accept more than one credential during a credential change. state0 (no auth): <interserver_http_credentials /> state1 (auth+allow_empty migration): <interserver_http_credentials> <user>admin</user> <password>222</password> <allow_empty>true</allow_empty> </interserver_http_credentials> state2 (auth+new admin password migration): <interserver_http_credentials> <user>admin</user> <password>333</password> <users> <admin>222</admin> </users> </interserver_http_credentials> 2020-08-26 08:36:58 +00:00			`#include <Interpreters/InterserverCredentials.h>`
			`#include <common/logger_useful.h>`

			`namespace DB`
			`{`
			`namespace ErrorCodes`
			`{`
			`extern const int NO_ELEMENTS_IN_CONFIG;`
			`}`

			`std::shared_ptr<ConfigInterserverCredentials>`
			`ConfigInterserverCredentials::make(const Poco::Util::AbstractConfiguration & config, const std::string root_tag)`
			`{`
			`const auto user = config.getString(root_tag + ".user", "");`
			`const auto password = config.getString(root_tag + ".password", "");`

			`if (user.empty())`
			`throw Exception("Configuration parameter interserver_http_credentials user can't be empty", ErrorCodes::NO_ELEMENTS_IN_CONFIG);`

			`auto store = makeCredentialStore(user, password, config, root_tag);`

			`return std::make_shared<ConfigInterserverCredentials>(user, password, store);`
			`}`

			`ConfigInterserverCredentials::Store ConfigInterserverCredentials::makeCredentialStore(`
			`const std::string current_user_,`
			`const std::string current_password_,`
			`const Poco::Util::AbstractConfiguration & config,`
			`const std::string root_tag)`
			`{`
			`Store store;`
			`store.insert({{current_user_, current_password_}, true});`
			`if (config.has(root_tag + ".allow_empty") && config.getBool(root_tag + ".allow_empty"))`
			`{`
			`/// Allow empty credential to support migrating from no auth`
			`store.insert({{"", ""}, true});`
			`}`


			`Poco::Util::AbstractConfiguration::Keys users;`
			`config.keys(root_tag + ".users", users);`
			`for (const auto & user : users)`
			`{`
			`LOG_DEBUG(&Poco::Logger::get("InterserverCredentials"), "Adding credential for {}", user);`
			`const auto password = config.getString(root_tag + ".users." + user);`
			`store.insert({{user, password}, true});`
			`}`

			`return store;`
			`}`

Merge branch 'master' into johnskopis/dynamic-interserver-creds-v20 2021-04-06 13:28:46 +00:00			`std::pair<String, bool> ConfigInterserverCredentials::isValidUser(const std::pair<std::string, std::string> credentials)`
Support interserver credential rotation Restarting a server instance to change the interserver password results in many replicas being out of sync until all clusters are using the new credential. This commit adds dynamic credential loading for both the client (Replicated* tables) and server (InterserverIOHTTPHandler). This commit also adds the ability to rotate credentials, i.e. accept more than one credential during a credential change. state0 (no auth): <interserver_http_credentials /> state1 (auth+allow_empty migration): <interserver_http_credentials> <user>admin</user> <password>222</password> <allow_empty>true</allow_empty> </interserver_http_credentials> state2 (auth+new admin password migration): <interserver_http_credentials> <user>admin</user> <password>333</password> <users> <admin>222</admin> </users> </interserver_http_credentials> 2020-08-26 08:36:58 +00:00			`{`
			`const auto & valid = store.find(credentials);`
			`if (valid == store.end())`
Some fixes 2021-04-06 13:56:14 +00:00			`return {"Incorrect user or password in HTTP basic authentication: " + credentials.first, false};`
Merge branch 'master' into johnskopis/dynamic-interserver-creds-v20 2021-04-06 13:28:46 +00:00			`return {"", true};`
Support interserver credential rotation Restarting a server instance to change the interserver password results in many replicas being out of sync until all clusters are using the new credential. This commit adds dynamic credential loading for both the client (Replicated* tables) and server (InterserverIOHTTPHandler). This commit also adds the ability to rotate credentials, i.e. accept more than one credential during a credential change. state0 (no auth): <interserver_http_credentials /> state1 (auth+allow_empty migration): <interserver_http_credentials> <user>admin</user> <password>222</password> <allow_empty>true</allow_empty> </interserver_http_credentials> state2 (auth+new admin password migration): <interserver_http_credentials> <user>admin</user> <password>333</password> <users> <admin>222</admin> </users> </interserver_http_credentials> 2020-08-26 08:36:58 +00:00			`}`

			`}`