fix more trash
parent
dea39d8175
commit
5590adeffa
@ -319,10 +319,7 @@ void Session::authenticate(const Credentials & credentials_, const Poco::Net::So
|
||||
}
|
||||
catch (const Exception & e)
|
||||
{
|
||||
onAuthenticationFailure(credentials_, e);
|
||||
LOG_DEBUG(log, "{} Authentication failed with error: {}", toString(auth_id), e.what());
|
||||
if (auto session_log = getSessionLog())
|
||||
session_log->addLoginFailure(auth_id, *prepared_client_info, credentials_.getUserName(), e);
|
||||
onAuthenticationFailure(credentials_, address, e);
|
||||
throw;
|
||||
}
|
||||
|
||||
@ -337,11 +334,16 @@ void Session::authenticateInterserverFake()
|
||||
is_internal_interserver_query = true;
|
||||
}
|
||||
|
||||
void Session::onAuthenticationFailure(const Credentials & credentials_, const Exception & e)
|
||||
void Session::onAuthenticationFailure(const Credentials & credentials_, const Poco::Net::SocketAddress & address_, const Exception & e)
|
||||
{
|
||||
LOG_DEBUG(log, "{} Authentication failed with error: {}", toString(auth_id), e.what());
|
||||
if (auto session_log = getSessionLog())
|
||||
session_log->addLoginFailure(auth_id, *prepared_client_info, credentials_.getUserName(), e);
|
||||
{
|
||||
/// Add source address to the log
|
||||
auto info_for_log = *prepared_client_info;
|
||||
info_for_log.current_address = address_;
|
||||
session_log->addLoginFailure(auth_id, info_for_log, credentials_.getUserName(), e);
|
||||
}
|
||||
}
|
||||
|
||||
ClientInfo & Session::getClientInfo()
|
||||
|
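Review bot: The new `address_` reaches only the session-log row in `Session::onAuthenticationFailure`; the `LOG_DEBUG` line just above it still prints the auth id and the error without the source address, so a failed login cannot be tied to a peer from the text log when the session log is disabled. Consider `LOG_DEBUG(log, "{} Authentication failed with error: {} (from {})", toString(auth_id), e.what(), address_.toString());`. Separately, `*prepared_client_info` is dereferenced unconditionally, and the function is also called directly from the interserver checks in `TCPHandler::receiveQuery`; whether it is always set on that path is not visible in this diff, so a one-line comment stating that invariant would help.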
@ -55,7 +55,7 @@ public:
|
||||
void authenticateInterserverFake();
|
||||
|
||||
/// Writes a row about login failure into session log (if enabled)
|
||||
void onAuthenticationFailure(const Credentials & credentials_, const Exception & e);
|
||||
void onAuthenticationFailure(const Credentials & credentials_, const Poco::Net::SocketAddress & address_, const Exception & e);
|
||||
|
||||
/// Returns a reference to session ClientInfo.
|
||||
ClientInfo & getClientInfo();
|
||||
|
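Review bot: The doc comment above `onAuthenticationFailure` describes only the row being written and says nothing about the new `address_` parameter. A second line such as `/// address_ is recorded as the client address of the failed attempt, replacing the one in the prepared client info.` would tell callers which address they are expected to pass. That matters because the two callers in this commit pass different things: `Session::authenticate` passes its own `address` argument, `TCPHandler::receiveQuery` passes `client_info.initial_address`.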
@ -8,6 +8,12 @@
|
||||
|
||||
namespace DB
|
||||
{
|
||||
|
||||
namespace ErrorCodes
|
||||
{
|
||||
extern const int BAD_ARGUMENTS;
|
||||
}
|
||||
|
||||
namespace
|
||||
{
|
||||
bool parseUserNameWithHost(IParserBase::Pos & pos, Expected & expected, std::shared_ptr<ASTUserNameWithHost> & ast)
|
||||
@ -18,7 +24,10 @@ namespace
|
||||
if (!parseIdentifierOrStringLiteral(pos, expected, base_name))
|
||||
return false;
|
||||
|
||||
boost::algorithm::trim(base_name);
|
||||
/// Previously username was silently trimmed. Now we throw an exception instead.
|
||||
/// But it's not clear why spaces were not allowed.
|
||||
if (base_name.empty() || base_name.starts_with(' ') || base_name.ends_with(' '))
|
||||
throw Exception(ErrorCodes::BAD_ARGUMENTS, "User name cannot start or end with spaces and cannot be empty");
|
||||
|
||||
String host_pattern;
|
||||
if (ParserToken{TokenType::At}.ignore(pos, expected))
|
||||
|
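Review bot: The replacement check in `parseUserNameWithHost` rejects only a leading or trailing ASCII space, whereas the removed `boost::algorithm::trim(base_name)` stripped every whitespace character, so a name that begins or ends with a tab or newline is now accepted unchanged instead of being trimmed or refused. Such names are hard to tell apart from the plain name in session and audit logs. If the intent is to refuse what used to be trimmed, test the first and last character after the `empty()` check, e.g. `std::isspace(static_cast<unsigned char>(base_name.front()))` and the same for `base_name.back()`. The added comment says the reason for the ban is unclear; the test in this commit refuses a space-padded `INTERSERVER SECRET` name, so if that is the value of `USER_INTERSERVER_MARKER` the comment should say the ban keeps real users from colliding with it. The function body continues outside the hunk.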
@ -1277,7 +1277,7 @@ void TCPHandler::receiveQuery()
|
||||
if (salt.empty())
|
||||
{
|
||||
auto exception = Exception(ErrorCodes::AUTHENTICATION_FAILED, "Interserver authentication failed");
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, exception);
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, client_info.initial_address, exception);
|
||||
throw exception;
|
||||
}
|
||||
|
||||
@ -1294,7 +1294,7 @@ void TCPHandler::receiveQuery()
|
||||
if (calculated_hash != received_hash)
|
||||
{
|
||||
auto exception = Exception(ErrorCodes::AUTHENTICATION_FAILED, "Interserver authentication failed");
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, exception);
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, client_info.initial_address, exception);
|
||||
throw exception;
|
||||
}
|
||||
|
||||
@ -1312,7 +1312,7 @@ void TCPHandler::receiveQuery()
|
||||
auto exception = Exception(
|
||||
"Inter-server secret support is disabled, because ClickHouse was built without SSL library",
|
||||
ErrorCodes::AUTHENTICATION_FAILED);
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, exception);
|
||||
session->onAuthenticationFailure(AlwaysAllowCredentials{USER_INTERSERVER_MARKER}, client_info.initial_address, exception);
|
||||
throw exception;
|
||||
#endif
|
||||
}
|
||||
|
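Review bot: All three interserver failure paths in `TCPHandler::receiveQuery` record `client_info.initial_address` as the source of the failed attempt. If that field is filled from the received query packet, as its name suggests, it is a value the not-yet-authenticated peer supplies, so the session-log row would hold a claimed address rather than the address of the connection that actually failed. For a failed-authentication record the socket peer is what an investigator needs; consider passing `socket().peerAddress()` instead, assuming the handler exposes its Poco connection socket (not visible here). The enclosing function starts and ends outside these hunks.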
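--- a/tests/config/config.d/session_log.xml
+++ b/tests/config/config.d/session_log.xml
@@ -0,0 +1,7 @@
+<clickhouse>
+<session_log>
+<database>system</database>
+<table>session_log</table>
+<flush_interval_milliseconds>100000</flush_interval_milliseconds>
+</session_log>
+</clickhouse>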
@ -44,6 +44,7 @@ ln -sf $SRC_PATH/config.d/logger.xml $DEST_SERVER_PATH/config.d/
|
||||
ln -sf $SRC_PATH/config.d/named_collection.xml $DEST_SERVER_PATH/config.d/
|
||||
ln -sf $SRC_PATH/config.d/ssl_certs.xml $DEST_SERVER_PATH/config.d/
|
||||
ln -sf $SRC_PATH/config.d/filesystem_cache_log.xml $DEST_SERVER_PATH/config.d/
|
||||
ln -sf $SRC_PATH/config.d/session_log.xml $DEST_SERVER_PATH/config.d/
|
||||
|
||||
ln -sf $SRC_PATH/users.d/log_queries.xml $DEST_SERVER_PATH/users.d/
|
||||
ln -sf $SRC_PATH/users.d/readonly.xml $DEST_SERVER_PATH/users.d/
|
||||
|
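--- a/tests/queries/0_stateless/01119_session_log.reference
+++ b/tests/queries/0_stateless/01119_session_log.reference
@@ -0,0 +1,13 @@
+0
+1
+LoginFailure NO_PASSWORD 1 1 TCP
+LoginFailure NO_PASSWORD 1 1 HTTP
+LoginFailure INTERSERVER SECRET NO_PASSWORD 1 1 HTTP
+LoginFailure default NO_PASSWORD 1 1 TCP
+LoginFailure default NO_PASSWORD 1 1 HTTP
+LoginFailure nonexistsnt_user_1119 NO_PASSWORD 1 1 TCP
+LoginFailure nonexistsnt_user_1119 NO_PASSWORD 1 1 HTTP
+LoginSuccess default PLAINTEXT_PASSWORD 1 1 TCP
+LoginSuccess default PLAINTEXT_PASSWORD 1 1 HTTP
+Logout default NO_PASSWORD 1 1 TCP
+Logout default NO_PASSWORD 1 1 HTTP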
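--- a/tests/queries/0_stateless/01119_session_log.sql
+++ b/tests/queries/0_stateless/01119_session_log.sql
@@ -0,0 +1,24 @@
+create user " "; -- { clientError BAD_ARGUMENTS }
+create user ' spaces'; -- { clientError BAD_ARGUMENTS }
+create user 'spaces '; -- { clientError BAD_ARGUMENTS }
+create user ` INTERSERVER SECRET `; -- { clientError BAD_ARGUMENTS }
+create user ''; -- { clientError BAD_ARGUMENTS }
+alter user default rename to " spaces "; -- { clientError BAD_ARGUMENTS }
+alter user default rename to ''; -- { clientError BAD_ARGUMENTS }
+
+select * from remote('127.0.0.2', system, one, 'default', '');
+select * from remote('127.0.0.2', system, one, 'default', 'wrong password'); -- { serverError AUTHENTICATION_FAILED }
+select * from remote('127.0.0.2', system, one, 'nonexistsnt_user_1119', ''); -- { serverError AUTHENTICATION_FAILED }
+set receive_timeout=1;
+select * from remote('127.0.0.2', system, one, ' INTERSERVER SECRET ', ''); -- { serverError NO_REMOTE_SHARD_AVAILABLE }
+set receive_timeout=300;
+select * from remote('127.0.0.2', system, one, ' ', ''); -- { serverError AUTHENTICATION_FAILED }
+
+select * from url('http://127.0.0.1:8123/?query=select+1&user=default', LineAsString, 's String');
+select * from url('http://127.0.0.1:8123/?query=select+1&user=default&password=wrong', LineAsString, 's String'); -- { serverError RECEIVED_ERROR_FROM_REMOTE_IO_SERVER }
+select * from url('http://127.0.0.1:8123/?query=select+1&user=nonexistsnt_user_1119', LineAsString, 's String'); -- { serverError RECEIVED_ERROR_FROM_REMOTE_IO_SERVER }
+select * from url('http://127.0.0.1:8123/?query=select+1&user=+INTERSERVER+SECRET+', LineAsString, 's String'); -- { serverError RECEIVED_ERROR_FROM_REMOTE_IO_SERVER }
+select * from url('http://127.0.0.1:8123/?query=select+1&user=+++', LineAsString, 's String'); -- { serverError RECEIVED_ERROR_FROM_REMOTE_IO_SERVER }
+
+system flush logs;
+select distinct type, user, auth_type, toString(client_address)!='::ffff:0.0.0.0', client_port!=0, interface from system.session_log where event_time >= now() - interval 5 minute order by type, user, interface;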
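Review bot: The final `select` reads every `system.session_log` row from the last five minutes rather than only the rows this test produced, so a login by any other user, auth type or interface on the same server in that window adds rows to the `distinct` output and breaks the comparison with the reference. Restricting it to the user names exercised here, for example an added `and user in ('default', 'nonexistsnt_user_1119', ...)` listing the remaining names, would keep the check deterministic. The name cases also cover only spaces; a name with a leading or trailing tab is not exercised, although the parser change stops trimming it.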
@ -56,7 +56,5 @@ done
|
||||
|
||||
wait
|
||||
|
||||
# $CLICKHOUSE_CLIENT -q "DROP ROLE IF EXISTS test_role_02242"
|
||||
# $CLICKHOUSE_CLIENT -q "DROP USER IF EXISTS test_user_02242"
|
||||
|
||||
# wait
|
||||
$CLICKHOUSE_CLIENT -q "DROP ROLE IF EXISTS test_role_02242"
|
||||
$CLICKHOUSE_CLIENT -q "DROP USER IF EXISTS test_user_02242"
|
||||
|