mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-20 00:30:49 +00:00
Added FT testcase
This commit is contained in:
parent
d16cae53b4
commit
1b263f0c15
@ -29,6 +29,7 @@
|
||||
<test>{display_name} \x01\e[1;32m\x02:)\x01\e[0m\x02 </test> <!-- if it matched to the substring "test" in the server display name - -->
|
||||
<production>{display_name} \x01\e[1;31m\x02:)\x01\e[0m\x02 </production> <!-- if it matched to the substring "production" in the server display name -->
|
||||
</prompt_by_server_display_name>
|
||||
|
||||
<!--
|
||||
Settings adjustable via command-line parameters
|
||||
can take their defaults from that config file, see examples:
|
||||
|
@ -389,6 +389,9 @@ void LocalServer::setupUsers()
|
||||
|
||||
ConfigurationPtr users_config;
|
||||
|
||||
//set the allow_plaintext_password setting in global context.
|
||||
global_context->setAllowPlaintextPasswordSetting(config().getBool("allow_plaintext_password",1));
|
||||
|
||||
if (config().has("users_config") || config().has("config-file") || fs::exists("config.xml"))
|
||||
{
|
||||
const auto users_config_path = config().getString("users_config", config().getString("config-file", "config.xml"));
|
||||
@ -397,9 +400,7 @@ void LocalServer::setupUsers()
|
||||
users_config = loaded_config.configuration;
|
||||
}
|
||||
else
|
||||
{
|
||||
users_config = getConfigurationFromXMLString(minimal_default_user_xml);
|
||||
}
|
||||
|
||||
if (users_config)
|
||||
global_context->setUsersConfig(users_config);
|
||||
|
@ -1069,6 +1069,8 @@ if (ThreadFuzzer::instance().isEffective())
|
||||
auto & access_control = global_context->getAccessControl();
|
||||
if (config().has("custom_settings_prefixes"))
|
||||
access_control.setCustomSettingsPrefixes(config().getString("custom_settings_prefixes"));
|
||||
///set the allow_plaintext_password setting in context.
|
||||
access_control.setAllowPlaintextPasswordSetting(config().getBool("allow_plaintext_password", 1));
|
||||
|
||||
/// Initialize access storages.
|
||||
try
|
||||
|
@ -201,9 +201,9 @@
|
||||
|
||||
<!-- For 'Connection: keep-alive' in HTTP 1.1 -->
|
||||
<keep_alive_timeout>3</keep_alive_timeout>
|
||||
<enable_plaintext_password>0</enable_plaintext_password>
|
||||
|
||||
<!-- gRPC protocol (see src/Server/grpc_protos/clickhouse_grpc.proto for the API) -->
|
||||
<grpc_port>9100</grpc_port>
|
||||
<!-- <grpc_port>9100</grpc_port> -->
|
||||
<grpc>
|
||||
<enable_ssl>false</enable_ssl>
|
||||
|
||||
@ -243,7 +243,7 @@
|
||||
openssl dhparam -out /etc/clickhouse-server/dhparam.pem 4096
|
||||
Only file format with BEGIN DH PARAMETERS is supported.
|
||||
-->
|
||||
<!-- <dhParamsFile>/etc/clickhouse-server/dhparam.pem</dhParamsFile> -->
|
||||
<!-- <dhParamsFile>/etc/clickhouse-server/dhparam.pem</dhParamsFile>-->
|
||||
<verificationMode>none</verificationMode>
|
||||
<loadDefaultCAFile>true</loadDefaultCAFile>
|
||||
<cacheSessions>true</cacheSessions>
|
||||
@ -367,6 +367,9 @@
|
||||
|
||||
<!-- Path to temporary data for processing hard queries. -->
|
||||
<tmp_path>/var/lib/clickhouse/tmp/</tmp_path>
|
||||
|
||||
<!-- Disable AuthType Plaintext_password for ACL. -->
|
||||
<!-- <allow_plaintext_password>0<allow_plaintext_password> -->
|
||||
|
||||
<!-- Policy from the <storage_configuration> for the temporary files.
|
||||
If not set <tmp_path> is used, otherwise <tmp_path> is ignored.
|
||||
@ -1257,8 +1260,7 @@
|
||||
<!-- Changing <enabled> to true allows sending crash reports to -->
|
||||
<!-- the ClickHouse core developers team via Sentry https://sentry.io -->
|
||||
<!-- Doing so at least in pre-production environments is highly appreciated -->
|
||||
<enabled>true</enabled>
|
||||
<debug>true</debug>
|
||||
<enabled>false</enabled>
|
||||
<!-- Change <anonymize> to true if you don't feel comfortable attaching the server hostname to the crash report -->
|
||||
<anonymize>false</anonymize>
|
||||
<!-- Default endpoint should be changed to different Sentry DSN only if you have -->
|
||||
|
@ -29,7 +29,7 @@
|
||||
<!-- Users and ACL. -->
|
||||
<users>
|
||||
<!-- If user name was not specified, 'default' user is used. -->
|
||||
<default>
|
||||
<default>
|
||||
<!-- See also the files in users.d directory where the password can be overridden.
|
||||
|
||||
Password could be specified in plaintext or in SHA256 (in hex format).
|
||||
@ -64,8 +64,9 @@
|
||||
How to generate double SHA1:
|
||||
Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
|
||||
In first line will be password and in second - corresponding double SHA1.
|
||||
-->
|
||||
<no_password/>
|
||||
-->
|
||||
<password></password>
|
||||
|
||||
<!-- List of networks with open access.
|
||||
|
||||
To open access from everywhere, specify:
|
||||
@ -92,8 +93,9 @@
|
||||
|
||||
<!-- Settings profile for user. -->
|
||||
<profile>default</profile>
|
||||
|
||||
<!-- Quota for user. -->
|
||||
<quota>default</quota>
|
||||
<quota>default</quota>
|
||||
|
||||
<!-- User can create other users and grant rights to them. -->
|
||||
<!-- <access_management>1</access_management> -->
|
||||
|
@ -172,7 +172,7 @@ void AccessControl::addUsersConfigStorage(const String & storage_name_, const Po
|
||||
{
|
||||
auto check_setting_name_function = [this](const std::string_view & setting_name) { checkSettingNameIsAllowed(setting_name); };
|
||||
auto new_storage = std::make_shared<UsersConfigAccessStorage>(storage_name_, check_setting_name_function);
|
||||
new_storage->setConfig(users_config_);
|
||||
new_storage->setConfig(users_config_, allow_plaintext_password);
|
||||
addStorage(new_storage);
|
||||
LOG_DEBUG(getLogger(), "Added {} access storage '{}', path: {}",
|
||||
String(new_storage->getStorageType()), new_storage->getStorageName(), new_storage->getPath());
|
||||
@ -182,10 +182,10 @@ void AccessControl::addUsersConfigStorage(
|
||||
const String & users_config_path_,
|
||||
const String & include_from_path_,
|
||||
const String & preprocessed_dir_,
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_, const bool allow_plaintext_password)
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_)
|
||||
{
|
||||
addUsersConfigStorage(
|
||||
UsersConfigAccessStorage::STORAGE_TYPE, users_config_path_, include_from_path_, preprocessed_dir_, get_zookeeper_function_,allow_plaintext_password);
|
||||
UsersConfigAccessStorage::STORAGE_TYPE, users_config_path_, include_from_path_, preprocessed_dir_, get_zookeeper_function_);
|
||||
}
|
||||
|
||||
void AccessControl::addUsersConfigStorage(
|
||||
@ -193,7 +193,7 @@ void AccessControl::addUsersConfigStorage(
|
||||
const String & users_config_path_,
|
||||
const String & include_from_path_,
|
||||
const String & preprocessed_dir_,
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_,const bool allow_plaintext_password)
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_)
|
||||
{
|
||||
auto storages = getStoragesPtr();
|
||||
for (const auto & storage : *storages)
|
||||
@ -206,11 +206,14 @@ void AccessControl::addUsersConfigStorage(
|
||||
}
|
||||
auto check_setting_name_function = [this](const std::string_view & setting_name) { checkSettingNameIsAllowed(setting_name); };
|
||||
auto new_storage = std::make_shared<UsersConfigAccessStorage>(storage_name_, check_setting_name_function);
|
||||
new_storage->load(users_config_path_, include_from_path_, preprocessed_dir_, get_zookeeper_function_,allow_plaintext_password);
|
||||
new_storage->load(users_config_path_, include_from_path_, preprocessed_dir_, get_zookeeper_function_, allow_plaintext_password);
|
||||
addStorage(new_storage);
|
||||
LOG_DEBUG(getLogger(), "Added {} access storage '{}', path: {}", String(new_storage->getStorageType()), new_storage->getStorageName(), new_storage->getPath());
|
||||
}
|
||||
|
||||
void AccessControl::setAllowPlaintextPasswordSetting(const bool allow_plaintext_password_)
|
||||
{
|
||||
allow_plaintext_password = allow_plaintext_password_;
|
||||
}
|
||||
void AccessControl::reloadUsersConfigs()
|
||||
{
|
||||
auto storages = getStoragesPtr();
|
||||
@ -332,7 +335,6 @@ void AccessControl::addStoragesFromUserDirectoriesConfig(
|
||||
type = LDAPAccessStorage::STORAGE_TYPE;
|
||||
|
||||
String name = config.getString(prefix + ".name", type);
|
||||
const bool allow_plaintext_password = config.getBool("enable_plaintext_password" ,0);
|
||||
|
||||
if (type == MemoryAccessStorage::STORAGE_TYPE)
|
||||
{
|
||||
@ -343,7 +345,7 @@ void AccessControl::addStoragesFromUserDirectoriesConfig(
|
||||
String path = config.getString(prefix + ".path");
|
||||
if (std::filesystem::path{path}.is_relative() && std::filesystem::exists(config_dir + path))
|
||||
path = config_dir + path;
|
||||
addUsersConfigStorage(name, path, include_from_path, dbms_dir, get_zookeeper_function,allow_plaintext_password);
|
||||
addUsersConfigStorage(name, path, include_from_path, dbms_dir, get_zookeeper_function);
|
||||
}
|
||||
else if (type == DiskAccessStorage::STORAGE_TYPE)
|
||||
{
|
||||
|
@ -61,13 +61,13 @@ public:
|
||||
void addUsersConfigStorage(const String & users_config_path_,
|
||||
const String & include_from_path_,
|
||||
const String & preprocessed_dir_,
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_ = {},const bool allow_plaintext_password=0);
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_ = {});
|
||||
|
||||
void addUsersConfigStorage(const String & storage_name_,
|
||||
const String & users_config_path_,
|
||||
const String & include_from_path_,
|
||||
const String & preprocessed_dir_,
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_ = {},const bool allow_plaintext_password=0);
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function_ = {});
|
||||
|
||||
void reloadUsersConfigs();
|
||||
void startPeriodicReloadingUsersConfigs();
|
||||
@ -144,6 +144,9 @@ public:
|
||||
const String & forwarded_address,
|
||||
const String & custom_quota_key) const;
|
||||
|
||||
void setAllowPlaintextPasswordSetting(const bool allow_plaintext_password);
|
||||
bool getAllowPlaintextPasswordSetting() const { return allow_plaintext_password; }
|
||||
|
||||
std::vector<QuotaUsage> getAllQuotasUsage() const;
|
||||
|
||||
std::shared_ptr<const EnabledSettings> getEnabledSettings(
|
||||
@ -167,6 +170,7 @@ private:
|
||||
std::unique_ptr<SettingsProfilesCache> settings_profiles_cache;
|
||||
std::unique_ptr<ExternalAuthenticators> external_authenticators;
|
||||
std::unique_ptr<CustomSettingsPrefixes> custom_settings_prefixes;
|
||||
bool allow_plaintext_password;
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -95,6 +95,7 @@ bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs)
|
||||
&& (lhs.ldap_server_name == rhs.ldap_server_name) && (lhs.kerberos_realm == rhs.kerberos_realm);
|
||||
}
|
||||
|
||||
|
||||
void AuthenticationData::setPassword(const String & password_)
|
||||
{
|
||||
switch (type)
|
||||
@ -127,10 +128,6 @@ String AuthenticationData::getPassword() const
|
||||
return String(password_hash.data(), password_hash.data() + password_hash.size());
|
||||
}
|
||||
|
||||
void AuthenticationData::setPlaintextPasswordSetting(const bool allow_plaintext_password_ )
|
||||
{
|
||||
allow_plaintext_password = allow_plaintext_password_;
|
||||
}
|
||||
|
||||
void AuthenticationData::setPasswordHashHex(const String & hash)
|
||||
{
|
||||
|
@ -60,13 +60,6 @@ public:
|
||||
/// Sets the password and encrypt it using the authentication type set in the constructor.
|
||||
void setPassword(const String & password_);
|
||||
|
||||
///sets the config enable_plaintext_password value from global context
|
||||
void setPlaintextPasswordSetting(const bool allow_plaintext_password_);
|
||||
bool getPlaintextPasswordSetting() const {
|
||||
std::cout<<"Heena - Inside this function"<< allow_plaintext_password <<"\n";
|
||||
return allow_plaintext_password;
|
||||
}
|
||||
|
||||
/// Returns the password. Allowed to use only for Type::PLAINTEXT_PASSWORD.
|
||||
String getPassword() const;
|
||||
|
||||
@ -104,7 +97,6 @@ private:
|
||||
Digest password_hash;
|
||||
String ldap_server_name;
|
||||
String kerberos_realm;
|
||||
bool allow_plaintext_password;
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -19,9 +19,6 @@
|
||||
#include <cstring>
|
||||
#include <filesystem>
|
||||
#include <base/FnTraits.h>
|
||||
#include "Poco/Logger.h"
|
||||
#include <base/logger_useful.h>
|
||||
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -31,8 +28,9 @@ namespace ErrorCodes
|
||||
extern const int BAD_ARGUMENTS;
|
||||
extern const int UNKNOWN_ADDRESS_PATTERN_TYPE;
|
||||
extern const int NOT_IMPLEMENTED;
|
||||
}
|
||||
extern const int ILLEGAL_TYPE_OF_ARGUMENT;
|
||||
|
||||
}
|
||||
|
||||
namespace
|
||||
{
|
||||
@ -73,35 +71,24 @@ namespace
|
||||
if (num_password_fields < 1)
|
||||
throw Exception("Either 'password' or 'password_sha256_hex' or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos' must be specified for user " + user_name + ".", ErrorCodes::BAD_ARGUMENTS);
|
||||
|
||||
//bool user_has_allow_plaintext_password = config.has(user_config + ".enable_plaintext_password");
|
||||
// bool user_allow_plaintext_password=0 ;
|
||||
// if(user_has_allow_plaintext_password)
|
||||
// bool allow_plaintext_password = config.getBool(user_config + ".enable_plaintext_password",allow_plaintext_password_);
|
||||
|
||||
bool allow_plaintext_password = allow_plaintext_password_;
|
||||
|
||||
if (has_password_plaintext)
|
||||
bool allow_plaintext_password = allow_plaintext_password_;
|
||||
if (has_password_plaintext)
|
||||
{
|
||||
if(!allow_plaintext_password)
|
||||
// LOG_ERROR(log(&Poco::Logger::get("BaseDaemon")), "Incorrect User configuration. User is not allowed to configure PLAINTEXT_PASSWORD if the setting name enable_plaintext_password setting is off");
|
||||
// LOG_ERROR(log(&Poco::Logger::get("BaseDaemon"), "Incorrect User configuration. User is not allowed to configure PLAINTEXT_PASSWORD if the setting name enable_plaintext_password setting is off.Please chnage the authtype to SHA256_PASSWORD,DOUBLE_SHA1_PASSWORD");
|
||||
throw Exception("Incorrect User configuration. User is not allowed to configure PLAINTEXT_PASSWORD. Please configure User with authtype to SHA256_PASSWORD,DOUBLE_SHA1_PASSWORD OR enable setting enable_plaintext_password in server configuration to configure user with plaintext password"
|
||||
"It is recommended to use plaintext_password.", ErrorCodes::ILLEGAL_TYPE_OF_ARGUMENT);
|
||||
if (!allow_plaintext_password)
|
||||
throw Exception("Incorrect User configuration. User is not allowed to configure PLAINTEXT_PASSWORD. Please configure User with authtype SHA256_PASSWORD,DOUBLE_SHA1_PASSWORD OR enable setting allow_plaintext_password in server configuration to configure user with plaintext password"
|
||||
" Though it is not recommended to use plaintext_password.", ErrorCodes::ILLEGAL_TYPE_OF_ARGUMENT);
|
||||
user->auth_data = AuthenticationData{AuthenticationType::PLAINTEXT_PASSWORD};
|
||||
user->auth_data.setPassword(config.getString(user_config + ".password"));
|
||||
user->auth_data.setPlaintextPasswordSetting(allow_plaintext_password);
|
||||
}
|
||||
else if (has_password_sha256_hex)
|
||||
{
|
||||
user->auth_data = AuthenticationData{AuthenticationType::SHA256_PASSWORD};
|
||||
user->auth_data.setPasswordHashHex(config.getString(user_config + ".password_sha256_hex"));
|
||||
user->auth_data.setPlaintextPasswordSetting(allow_plaintext_password);
|
||||
}
|
||||
else if (has_password_double_sha1_hex)
|
||||
{
|
||||
user->auth_data = AuthenticationData{AuthenticationType::DOUBLE_SHA1_PASSWORD};
|
||||
user->auth_data.setPasswordHashHex(config.getString(user_config + ".password_double_sha1_hex"));
|
||||
user->auth_data.setPlaintextPasswordSetting(allow_plaintext_password);
|
||||
}
|
||||
else if (has_ldap)
|
||||
{
|
||||
@ -219,7 +206,7 @@ namespace
|
||||
}
|
||||
|
||||
|
||||
std::vector<AccessEntityPtr> parseUsers(const Poco::Util::AbstractConfiguration & config,const bool allow_plaintext_password)
|
||||
std::vector<AccessEntityPtr> parseUsers(const Poco::Util::AbstractConfiguration & config, const bool allow_plaintext_password)
|
||||
{
|
||||
Poco::Util::AbstractConfiguration::Keys user_names;
|
||||
config.keys("users", user_names);
|
||||
@ -231,7 +218,7 @@ namespace
|
||||
{
|
||||
try
|
||||
{
|
||||
users.push_back(parseUser(config, user_name,allow_plaintext_password));
|
||||
users.push_back(parseUser(config, user_name, allow_plaintext_password));
|
||||
}
|
||||
catch (Exception & e)
|
||||
{
|
||||
@ -542,12 +529,12 @@ bool UsersConfigAccessStorage::isPathEqual(const String & path_) const
|
||||
}
|
||||
|
||||
|
||||
void UsersConfigAccessStorage::setConfig(const Poco::Util::AbstractConfiguration & config)
|
||||
void UsersConfigAccessStorage::setConfig(const Poco::Util::AbstractConfiguration & config, const bool allow_plaintext_password)
|
||||
{
|
||||
std::lock_guard lock{load_mutex};
|
||||
path.clear();
|
||||
config_reloader.reset();
|
||||
parseFromConfig(config,allow_plaintext_password);
|
||||
parseFromConfig(config, allow_plaintext_password);
|
||||
}
|
||||
|
||||
void UsersConfigAccessStorage::parseFromConfig(const Poco::Util::AbstractConfiguration & config, const bool allow_plaintext_password)
|
||||
@ -555,7 +542,7 @@ void UsersConfigAccessStorage::parseFromConfig(const Poco::Util::AbstractConfigu
|
||||
try
|
||||
{
|
||||
std::vector<std::pair<UUID, AccessEntityPtr>> all_entities;
|
||||
for (const auto & entity : parseUsers(config,allow_plaintext_password))
|
||||
for (const auto & entity : parseUsers(config, allow_plaintext_password))
|
||||
all_entities.emplace_back(generateID(*entity), entity);
|
||||
for (const auto & entity : parseQuotas(config))
|
||||
all_entities.emplace_back(generateID(*entity), entity);
|
||||
@ -576,12 +563,10 @@ void UsersConfigAccessStorage::load(
|
||||
const String & users_config_path,
|
||||
const String & include_from_path,
|
||||
const String & preprocessed_dir,
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function, const bool allow_plaintext_password_flag)
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function, const bool allow_plaintext_password_)
|
||||
{
|
||||
// allow_plaintext_password = allow_plaintext_password;
|
||||
std::lock_guard lock{load_mutex};
|
||||
path = std::filesystem::path{users_config_path}.lexically_normal();
|
||||
allow_plaintext_password = allow_plaintext_password_flag;
|
||||
config_reloader.reset();
|
||||
config_reloader = std::make_unique<ConfigReloader>(
|
||||
users_config_path,
|
||||
@ -591,7 +576,7 @@ void UsersConfigAccessStorage::load(
|
||||
std::make_shared<Poco::Event>(),
|
||||
[&](Poco::AutoPtr<Poco::Util::AbstractConfiguration> new_config, bool /*initial_loading*/)
|
||||
{
|
||||
parseFromConfig(*new_config,allow_plaintext_password);
|
||||
parseFromConfig(*new_config, allow_plaintext_password_);
|
||||
|
||||
Settings::checkNoSettingNamesAtTopLevel(*new_config, users_config_path);
|
||||
},
|
||||
|
@ -32,12 +32,12 @@ public:
|
||||
String getPath() const;
|
||||
bool isPathEqual(const String & path_) const;
|
||||
|
||||
void setConfig(const Poco::Util::AbstractConfiguration & config);
|
||||
void setConfig(const Poco::Util::AbstractConfiguration & config, const bool allow_plaintext_password=1);
|
||||
|
||||
void load(const String & users_config_path,
|
||||
const String & include_from_path = {},
|
||||
const String & preprocessed_dir = {},
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function = {},const bool allow_plaintext_password=0);
|
||||
const zkutil::GetZooKeeper & get_zookeeper_function = {}, const bool allow_plaintext_password=1);
|
||||
void reload();
|
||||
void startPeriodicReloading();
|
||||
void stopPeriodicReloading();
|
||||
@ -47,7 +47,7 @@ public:
|
||||
bool hasSubscription(AccessEntityType type) const override;
|
||||
|
||||
private:
|
||||
void parseFromConfig(const Poco::Util::AbstractConfiguration & config,const bool allow_plaintext_password);
|
||||
void parseFromConfig(const Poco::Util::AbstractConfiguration & config, const bool allow_plaintext_password);
|
||||
|
||||
std::optional<UUID> findImpl(AccessEntityType type, const String & name) const override;
|
||||
std::vector<UUID> findAllImpl(AccessEntityType type) const override;
|
||||
@ -61,6 +61,5 @@ private:
|
||||
String path;
|
||||
std::unique_ptr<ConfigReloader> config_reloader;
|
||||
mutable std::mutex load_mutex;
|
||||
bool allow_plaintext_password;
|
||||
};
|
||||
}
|
||||
|
@ -14,12 +14,11 @@
|
||||
|
||||
namespace DB
|
||||
{
|
||||
|
||||
namespace ErrorCodes
|
||||
{
|
||||
extern const int LOGICAL_ERROR;
|
||||
}
|
||||
extern const int ILLEGAL_TYPE_OF_ARGUMENT;
|
||||
|
||||
}
|
||||
namespace
|
||||
{
|
||||
void updateUserFromQueryImpl(
|
||||
@ -28,7 +27,7 @@ namespace
|
||||
const std::shared_ptr<ASTUserNameWithHost> & override_name,
|
||||
const std::optional<RolesOrUsersSet> & override_default_roles,
|
||||
const std::optional<SettingsProfileElements> & override_settings,
|
||||
const std::optional<RolesOrUsersSet> & override_grantees,const bool allow_plaintext_password)
|
||||
const std::optional<RolesOrUsersSet> & override_grantees, const bool allow_plaintext_password)
|
||||
{
|
||||
if (override_name)
|
||||
user.setName(override_name->toString());
|
||||
@ -37,15 +36,14 @@ namespace
|
||||
else if (query.names->size() == 1)
|
||||
user.setName(query.names->front()->toString());
|
||||
|
||||
if (query.auth_data){
|
||||
if(query.auth_data->getType()==AuthenticationType::PLAINTEXT_PASSWORD && !allow_plaintext_password)
|
||||
throw Exception(ErrorCodes::ILLEGAL_TYPE_OF_ARGUMENT, "InterPreterQuery: User is not allowed to Create users with type "+ toString(query.auth_data->getType())+"Please configure User with authtype "
|
||||
"to SHA256_PASSWORD,DOUBLE_SHA1_PASSWORD OR enable setting enable_plaintext_password in server configuration to configure user with plaintext password"
|
||||
"It is recommended to use plaintext_password.");
|
||||
// throw Exception("InterPreterQuery: User is not allowed to Create users with type " + toString(query.auth_data->getType()), ErrorCodes::LOGICAL_ERROR);
|
||||
if (query.auth_data)
|
||||
{
|
||||
if (query.auth_data->getType() == AuthenticationType::PLAINTEXT_PASSWORD && !allow_plaintext_password)
|
||||
throw Exception(ErrorCodes::ILLEGAL_TYPE_OF_ARGUMENT, "InterPreterQuery: User is not allowed to Create users with type "+ toString(query.auth_data->getType())+"Please configure User with authtype "
|
||||
"to SHA256_PASSWORD,DOUBLE_SHA1_PASSWORD OR enable setting allow_plaintext_password in server configuration to configure user with plaintext password"
|
||||
"Though it is recommended to use plaintext_password.");
|
||||
user.auth_data = *query.auth_data;
|
||||
}
|
||||
|
||||
if (override_name && !override_name->host_pattern.empty())
|
||||
{
|
||||
user.allowed_client_hosts = AllowedClientHosts{};
|
||||
@ -87,22 +85,13 @@ namespace
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
BlockIO InterpreterCreateUserQuery::execute()
|
||||
{
|
||||
const auto & query = query_ptr->as<const ASTCreateUserQuery &>();
|
||||
auto & access_control = getContext()->getAccessControl();
|
||||
auto access = getContext()->getAccess();
|
||||
access->checkAccess(query.alter ? AccessType::ALTER_USER : AccessType::CREATE_USER);
|
||||
String username= access->getUserName();
|
||||
std::cout<<"Heena - lets see what is the user name: "<< access->getUserName();
|
||||
auto user = access->getUser();
|
||||
bool allow_plaintext_password = user->auth_data.getPlaintextPasswordSetting();
|
||||
// bool allow_plaintext_password = getContext().getSettingsRef().allow_plaintext_password
|
||||
|
||||
if(allow_plaintext_password)
|
||||
std::cout<<"Heena - Finally got";
|
||||
bool allow_plaintext_password = access_control.getAllowPlaintextPasswordSetting();
|
||||
|
||||
std::optional<RolesOrUsersSet> default_roles_from_query;
|
||||
if (query.default_roles)
|
||||
@ -131,7 +120,7 @@ BlockIO InterpreterCreateUserQuery::execute()
|
||||
auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
|
||||
{
|
||||
auto updated_user = typeid_cast<std::shared_ptr<User>>(entity->clone());
|
||||
updateUserFromQueryImpl(*updated_user, query, {}, default_roles_from_query, settings_from_query, grantees_from_query,allow_plaintext_password);
|
||||
updateUserFromQueryImpl(*updated_user, query, {}, default_roles_from_query, settings_from_query, grantees_from_query, allow_plaintext_password);
|
||||
return updated_user;
|
||||
};
|
||||
|
||||
@ -150,7 +139,7 @@ BlockIO InterpreterCreateUserQuery::execute()
|
||||
for (const auto & name : *query.names)
|
||||
{
|
||||
auto new_user = std::make_shared<User>();
|
||||
updateUserFromQueryImpl(*new_user, query, name, default_roles_from_query, settings_from_query, RolesOrUsersSet::AllTag{},allow_plaintext_password);
|
||||
updateUserFromQueryImpl(*new_user, query, name, default_roles_from_query, settings_from_query, RolesOrUsersSet::AllTag{}, allow_plaintext_password);
|
||||
new_users.emplace_back(std::move(new_user));
|
||||
}
|
||||
|
||||
@ -178,9 +167,9 @@ BlockIO InterpreterCreateUserQuery::execute()
|
||||
}
|
||||
|
||||
|
||||
void InterpreterCreateUserQuery::updateUserFromQuery(User & user, const ASTCreateUserQuery & query,const bool allow_plaintext_password)
|
||||
void InterpreterCreateUserQuery::updateUserFromQuery(User & user, const ASTCreateUserQuery & query, const bool allow_plaintext_password)
|
||||
{
|
||||
updateUserFromQueryImpl(user, query, {}, {}, {}, {},allow_plaintext_password);
|
||||
updateUserFromQueryImpl(user, query, {}, {}, {}, {}, allow_plaintext_password);
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ public:
|
||||
|
||||
BlockIO execute() override;
|
||||
|
||||
static void updateUserFromQuery(User & user, const ASTCreateUserQuery & query,const bool allow_plaintext_password=1);
|
||||
static void updateUserFromQuery(User & user, const ASTCreateUserQuery & query, const bool allow_plaintext_password=1);
|
||||
|
||||
private:
|
||||
ASTPtr query_ptr;
|
||||
|
@ -669,8 +669,19 @@ void Context::setUsersConfig(const ConfigurationPtr & config)
|
||||
shared->access_control->setUsersConfig(*shared->users_config);
|
||||
}
|
||||
|
||||
ConfigurationPtr Context::getUsersConfig()
|
||||
void Context::setAllowPlaintextPasswordSetting(const bool allow_plaintext_password)
|
||||
{
|
||||
auto lock = getLock();
|
||||
shared->access_control->setAllowPlaintextPasswordSetting(allow_plaintext_password);
|
||||
}
|
||||
|
||||
bool Context::getAllowPlaintextPasswordSetting() const
|
||||
{
|
||||
return shared->access_control->getAllowPlaintextPasswordSetting();
|
||||
}
|
||||
|
||||
ConfigurationPtr Context::getUsersConfig()
|
||||
{
|
||||
auto lock = getLock();
|
||||
return shared->users_config;
|
||||
}
|
||||
|
@ -383,6 +383,8 @@ public:
|
||||
* The accumulated quota values are not reset if the quota is not deleted.
|
||||
*/
|
||||
void setUsersConfig(const ConfigurationPtr & config);
|
||||
void setAllowPlaintextPasswordSetting(const bool allow_plaintext_password_);
|
||||
bool getAllowPlaintextPasswordSetting() const;
|
||||
ConfigurationPtr getUsersConfig();
|
||||
|
||||
/// Sets the current user assuming that he/she is already authenticated.
|
||||
|
@ -36,7 +36,6 @@ namespace
|
||||
String auth_type_name = AuthenticationTypeInfo::get(auth_type).name;
|
||||
String by_keyword = "BY";
|
||||
std::optional<String> by_value;
|
||||
|
||||
|
||||
if (
|
||||
show_password ||
|
||||
@ -48,11 +47,6 @@ namespace
|
||||
{
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
{
|
||||
|
||||
//bool allow_plaintext_password = auth_data.getPlaintextPasswordSetting();
|
||||
// std::cout<<"heena - You are at right place to throw exception."<<allow_plaintext_password<<"\n";
|
||||
//if(allow_plaintext_password)
|
||||
// std::cout<<"heena - You are in";
|
||||
by_value = auth_data.getPassword();
|
||||
break;
|
||||
}
|
||||
|
@ -8,9 +8,9 @@
|
||||
</profiles>
|
||||
|
||||
<users>
|
||||
<readonly>
|
||||
<no_password/>
|
||||
<networks incl="networks" replace="replace">
|
||||
<readonly>
|
||||
<password></password>
|
||||
<networks incl="networks" replace="replace">
|
||||
<ip>::1</ip>
|
||||
<ip>127.0.0.1</ip>
|
||||
</networks>
|
||||
|
@ -18,8 +18,8 @@
|
||||
|
||||
<users>
|
||||
<session_log_test_xml_user>
|
||||
<no_password/>
|
||||
<networks incl="networks" replace="replace">
|
||||
<password></password>
|
||||
<networks incl="networks" replace="replace">
|
||||
<ip>::1</ip>
|
||||
<ip>127.0.0.1</ip>
|
||||
</networks>
|
||||
|
@ -0,0 +1,23 @@
|
||||
<?xml version="1.0"?>
|
||||
<clickhouse>
|
||||
<logger>
|
||||
<level>trace</level>
|
||||
<console>true</console>
|
||||
</logger>
|
||||
|
||||
<tcp_port>9000</tcp_port>
|
||||
<allow_plaintext_password>0</allow_plaintext_password>
|
||||
<path>.</path>
|
||||
<mark_cache_size>0</mark_cache_size>
|
||||
<!-- Sources to read users, roles, access rights, profiles of settings, quotas. -->
|
||||
<user_directories>
|
||||
<users_xml>
|
||||
<!-- Path to configuration file with predefined users. -->
|
||||
<path>users.xml</path>
|
||||
</users_xml>
|
||||
<local_directory>
|
||||
<!-- Path to folder where users created by SQL commands are stored. -->
|
||||
<path>./</path>
|
||||
</local_directory>
|
||||
</user_directories>
|
||||
</clickhouse>
|
86
tests/queries/0_stateless/02207_allow_plaintext_password.sh
Executable file
86
tests/queries/0_stateless/02207_allow_plaintext_password.sh
Executable file
@ -0,0 +1,86 @@
|
||||
#!/usr/bin/env bash
|
||||
# Tags: no-tsan, no-asan, no-ubsan, no-msan, no-parallel, no-fasttest
|
||||
# Tag no-tsan: requires jemalloc to track small allocations
|
||||
# Tag no-asan: requires jemalloc to track small allocations
|
||||
# Tag no-ubsan: requires jemalloc to track small allocations
|
||||
# Tag no-msan: requires jemalloc to track small allocations
|
||||
|
||||
#
|
||||
# Regression for INSERT SELECT, that abnormally terminates the server
|
||||
# in case of too small memory limits.
|
||||
#
|
||||
# NOTE: After #24483 had been merged the only place where the allocation may
|
||||
# fail is the insert into PODArray in DB::OwnSplitChannel::log, but after
|
||||
# #24069 those errors will be ignored, so to check new behaviour separate
|
||||
# server is required.
|
||||
#
|
||||
|
||||
CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
|
||||
# shellcheck source=../shell_config.sh
|
||||
. "$CURDIR"/../shell_config.sh
|
||||
|
||||
cp "$CURDIR"/../../../programs/server/users.xml "$CURDIR"/users.xml
|
||||
sed -i 's/<password><\/password>/<no_password\/>/g' "$CURDIR"/users.xml
|
||||
sed -i 's/<!-- <access_management>1<\/access_management> -->/<access_management>1<\/access_management>/g' "$CURDIR"/users.xml
|
||||
|
||||
server_opts=(
|
||||
"--config-file=$CURDIR/$(basename "${BASH_SOURCE[0]}" .sh).config.xml"
|
||||
"--"
|
||||
# to avoid multiple listen sockets (complexity for port discovering)
|
||||
"--listen_host=127.1"
|
||||
# we will discover the real port later.
|
||||
"--tcp_port=0"
|
||||
"--shutdown_wait_unfinished=0"
|
||||
)
|
||||
|
||||
CLICKHOUSE_WATCHDOG_ENABLE=0 $CLICKHOUSE_SERVER_BINARY "${server_opts[@]}" &> clickhouse-server.stderr &
|
||||
server_pid=$!
|
||||
|
||||
server_port=
|
||||
i=0 retries=300
|
||||
# wait until server will start to listen (max 30 seconds)
|
||||
while [[ -z $server_port ]] && [[ $i -lt $retries ]]; do
|
||||
server_port=$(lsof -n -a -P -i tcp -s tcp:LISTEN -p $server_pid 2>/dev/null | awk -F'[ :]' '/LISTEN/ { print $(NF-1) }')
|
||||
((++i))
|
||||
sleep 0.1
|
||||
if ! kill -0 $server_pid >& /dev/null; then
|
||||
echo "No server (pid $server_pid)"
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [[ -z $server_port ]]; then
|
||||
echo "Cannot wait for LISTEN socket" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# wait for the server to start accepting tcp connections (max 30 seconds)
|
||||
i=0 retries=300
|
||||
while ! $CLICKHOUSE_CLIENT_BINARY --host 127.1 --port "$server_port" --format Null -q 'select 1' 2>/dev/null && [[ $i -lt $retries ]]; do
|
||||
sleep 0.1
|
||||
if ! kill -0 $server_pid >& /dev/null; then
|
||||
echo "No server (pid $server_pid)"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
if ! $CLICKHOUSE_CLIENT_BINARY --host 127.1 --port "$server_port" --format Null -q 'select 1'; then
|
||||
echo "Cannot wait until server will start accepting connections on <tcp_port>" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
$CLICKHOUSE_CLIENT_BINARY --host 127.1 --port "$server_port" -q "CREATE USER u_02207 HOST IP '127.1' IDENTIFIED WITH plaintext_password BY 'qwerty' " " -- { serverError 43 } --" &> /dev/null ;
|
||||
|
||||
# no sleep, since flushing to stderr should not be buffered.
|
||||
grep 'User is not allowed to Create users with type PLAINTEXT_PASSWORD' clickhouse-server.stderr
|
||||
|
||||
|
||||
# send TERM and save the error code to ensure that it is 0 (EXIT_SUCCESS)
|
||||
kill $server_pid
|
||||
wait $server_pid
|
||||
return_code=$?
|
||||
|
||||
rm -f clickhouse-server.stderr
|
||||
rm -f "$CURDIR"/users.xml
|
||||
|
||||
exit $return_code
|
Loading…
Reference in New Issue
Block a user