Add docs, better tests

This commit is contained in:
Nikolay Degterinsky 2023-04-28 15:12:48 +00:00
parent 54c8f63a33
commit 69d8d41197
5 changed files with 52 additions and 24 deletions


@ -12,7 +12,7 @@ Columns:
- `storage` ([String](../../sql-reference/data-types/string.md)) — Path to the storage of users. Configured in the `access_control_path` parameter.
- `auth_type` ([Enum8](../../sql-reference/data-types/enum.md)('no_password' = 0,'plaintext_password' = 1, 'sha256_password' = 2, 'double_sha1_password' = 3, 'ldap' = 4, 'kerberos' = 5, 'ssl_certificate' = 6)) — Shows the authentication type. There are multiple ways of user identification: with no password, with plain text password, with [SHA256](https://ru.wikipedia.org/wiki/SHA-2)-encoded password or with [double SHA-1](https://ru.wikipedia.org/wiki/SHA-1)-encoded password.
- `auth_type` ([Enum8](../../sql-reference/data-types/enum.md)('no_password' = 0, 'plaintext_password' = 1, 'sha256_password' = 2, 'double_sha1_password' = 3, 'bcrypt_password' = 4, 'ldap' = 5, 'kerberos' = 6, 'ssl_certificate' = 7)) — Shows the authentication type. There are multiple ways of user identification: with no password, with plain text password, with [SHA256](https://ru.wikipedia.org/wiki/SHA-2)-encoded password, with [double SHA-1](https://ru.wikipedia.org/wiki/SHA-1)-encoded password or with [bcrypt](https://en.wikipedia.org/wiki/Bcrypt)-encoded password.
- `auth_params` ([String](../../sql-reference/data-types/string.md)) — Authentication parameters in the JSON format depending on the `auth_type`.


@ -32,9 +32,12 @@ There are multiple ways of user identification:
- `IDENTIFIED WITH sha256_hash BY 'hash'` or `IDENTIFIED WITH sha256_hash BY 'hash' SALT 'salt'`
- `IDENTIFIED WITH double_sha1_password BY 'qwerty'`
- `IDENTIFIED WITH double_sha1_hash BY 'hash'`
- `IDENTIFIED WITH bcrypt_password BY 'qwerty'`
- `IDENTIFIED WITH bcrypt_hash BY 'hash'`
- `IDENTIFIED WITH ldap SERVER 'server_name'`
- `IDENTIFIED WITH kerberos` or `IDENTIFIED WITH kerberos REALM 'realm'`
- `IDENTIFIED WITH ssl_certificate CN 'mysite.com:user'`
- `IDENTIFIED BY 'qwerty'`
## Examples
@ -54,21 +57,12 @@ There are multiple ways of user identification:
The password is stored in a SQL text file in `/var/lib/clickhouse/access`, so it's not a good idea to use `plaintext_password`. Try `sha256_password` instead, as demonstrated next...
:::
3. The best option is to use a password that is hashed using SHA-256. ClickHouse will hash the password for you when you specify `IDENTIFIED WITH sha256_password`. For example:
3. The most common option is to use a password that is hashed using SHA-256. ClickHouse will hash the password for you when you specify `IDENTIFIED WITH sha256_password`. For example:
```sql
CREATE USER name3 IDENTIFIED WITH sha256_password BY 'my_password'
```
Notice ClickHouse generates and runs the following command for you:
```response
CREATE USER name3
IDENTIFIED WITH sha256_hash
BY '8B3404953FCAA509540617F082DB13B3E0734F90FF6365C19300CC6A6EA818D6'
SALT 'D6489D8B5692D82FF944EA6415785A8A8A1AF33825456AFC554487725A74A609'
```
The `name3` user can now login using `my_password`, but the password is stored as the hashed value above. THe following SQL file was created in `/var/lib/clickhouse/access` and gets executed at server startup:
```bash
@ -92,10 +86,24 @@ There are multiple ways of user identification:
CREATE USER name4 IDENTIFIED WITH double_sha1_hash BY 'CCD3A959D6A004B9C3807B728BC2E55B67E10518'
```
5. The type of the password can also be omitted:
5. The `bcrypt_password` is the most secure option for storing passwords. It uses the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) algorithm, which is resilient against brute force attacks even if the password hash is compromised.
```sql
CREATE USER name4 IDENTIFIED BY 'my_password'
CREATE USER name5 IDENTIFIED WITH bcrypt_password BY 'my_password'
```
The length of the password is limited to 72 characters with this method. The bcrypt work factor parameter, which defines the amount of computations and time needed to compute the hash and verify the password, can be modified in the server configuration:
```xml
<bcrypt_workfactor>12</bcrypt_workfactor>
```
The work factor must be between 4 and 31, with a default value of 12.
6. The type of the password can also be omitted:
```sql
CREATE USER name6 IDENTIFIED BY 'my_password'
```
In this case, ClickHouse will use the default password type specified in the server configuration:


@ -32,7 +32,7 @@ CREATE USER u5_01292 IDENTIFIED WITH sha256_hash BY '18138372FAD4B94533CD4881F03
CREATE USER u6_01292 IDENTIFIED WITH double_sha1_password BY 'qwe123';
CREATE USER u7_01292 IDENTIFIED WITH double_sha1_hash BY '8DCDD69CE7D121DE8013062AEAEB2A148910D50E';
CREATE USER u8_01292 IDENTIFIED WITH bcrypt_password BY 'qwe123';
CREATE USER u9_01292 IDENTIFIED WITH bcrypt_hash BY '2432612431322459345A4F6C786659746C7167594A59484C434678776537366F51506232764C71533070795135394E5744784763456D5A703278346500000000';
CREATE USER u9_01292 IDENTIFIED WITH bcrypt_hash BY '$2a$12$rz5iy2LhuwBezsM88ZzWiemOVUeJ94xHTzwAlLMDhTzwUxOHaY64q';
SHOW CREATE USER u1_01292;
SHOW CREATE USER u2_01292;
SHOW CREATE USER u3_01292;
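Review bot: The bcrypt_hash literal on the u9_01292 line carries no comment recording how it was produced or which plaintext it corresponds to, so nobody can regenerate it when the accepted input format changes — and the two u9_01292 lines in this hunk show exactly such a change, from what appears to be a hex-encoded form to the `$2a$12$…` modular-crypt string. A one-line note above it, e.g. `-- bcrypt hash in modular-crypt form ($2a$, cost 12); test fixture only, plaintext: <record here>`, would keep the fixture maintainable; the hash fixtures in the 02713 shell test (the lines marked "Generated online") would benefit from the same treatment. The hunk shows only part of the file, so a SHOW CREATE USER for u8_01292/u9_01292 may exist outside it.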


@ -2,6 +2,10 @@
2
3
4
CREATE USER user5_02713 IDENTIFIED WITH ldap SERVER \'qwerty5\'
CREATE USER user6_02713 IDENTIFIED WITH kerberos REALM \'qwerty6\'
CREATE USER user7_02713 IDENTIFIED WITH ssl_certificate CN \'qwerty7\', \'qwerty8\'
5
6
7
8
CREATE USER user9_02713 IDENTIFIED WITH ldap SERVER \'qwerty9\'
CREATE USER user10_02713 IDENTIFIED WITH kerberos REALM \'qwerty10\'
CREATE USER user11_02713 IDENTIFIED WITH ssl_certificate CN \'qwerty11\', \'qwerty12\'


@ -11,17 +11,33 @@ $CLICKHOUSE_CLIENT --param_password=qwerty1 -q "CREATE USER user1_02713 IDENTIFI
$CLICKHOUSE_CLIENT --param_password=qwerty2 -q "CREATE USER user2_02713 IDENTIFIED WITH PLAINTEXT_PASSWORD BY {password:String}";
$CLICKHOUSE_CLIENT --param_password=qwerty3 -q "CREATE USER user3_02713 IDENTIFIED WITH SHA256_PASSWORD BY {password:String}";
$CLICKHOUSE_CLIENT --param_password=qwerty4 -q "CREATE USER user4_02713 IDENTIFIED WITH DOUBLE_SHA1_PASSWORD BY {password:String}";
$CLICKHOUSE_CLIENT --param_server=qwerty5 -q "CREATE USER user5_02713 IDENTIFIED WITH LDAP SERVER {server:String}";
$CLICKHOUSE_CLIENT --param_realm=qwerty6 -q "CREATE USER user6_02713 IDENTIFIED WITH KERBEROS REALM {realm:String}";
$CLICKHOUSE_CLIENT --param_cert1=qwerty7 --param_cert2=qwerty8 -q "CREATE USER user7_02713 IDENTIFIED WITH SSL_CERTIFICATE CN {cert1:String}, {cert2:String}";
$CLICKHOUSE_CLIENT --param_password=qwerty5 -q "CREATE USER user5_02713 IDENTIFIED WITH BCRYPT_PASSWORD BY {password:String}";
# Generated online
$CLICKHOUSE_CLIENT --param_hash=310cef2caff72c0224f38ca8e2141ca6012cd4da550c692573c25a917d9a75e6 \
-q "CREATE USER user6_02713 IDENTIFIED WITH SHA256_HASH BY {hash:String}";
# Generated with ClickHouse
$CLICKHOUSE_CLIENT --param_hash=5886A74C452575627522F3A80D8B9E239FD8955F \
-q "CREATE USER user7_02713 IDENTIFIED WITH DOUBLE_SHA1_HASH BY {hash:String}";
# Generated online
$CLICKHOUSE_CLIENT --param_hash=\$2a\$12\$wuohz0HFSBBNE8huN0Yx6.kmWrefiYVKeMp4gsuNoO1rOWwF2FXXC \
-q "CREATE USER user8_02713 IDENTIFIED WITH BCRYPT_HASH BY {hash:String}";
$CLICKHOUSE_CLIENT --param_server=qwerty9 -q "CREATE USER user9_02713 IDENTIFIED WITH LDAP SERVER {server:String}";
$CLICKHOUSE_CLIENT --param_realm=qwerty10 -q "CREATE USER user10_02713 IDENTIFIED WITH KERBEROS REALM {realm:String}";
$CLICKHOUSE_CLIENT --param_cert1=qwerty11 --param_cert2=qwerty12 -q "CREATE USER user11_02713 IDENTIFIED WITH SSL_CERTIFICATE CN {cert1:String}, {cert2:String}";
$CLICKHOUSE_CLIENT --user=user1_02713 --password=qwerty1 -q "SELECT 1";
$CLICKHOUSE_CLIENT --user=user2_02713 --password=qwerty2 -q "SELECT 2";
$CLICKHOUSE_CLIENT --user=user3_02713 --password=qwerty3 -q "SELECT 3";
$CLICKHOUSE_CLIENT --user=user4_02713 --password=qwerty4 -q "SELECT 4";
$CLICKHOUSE_CLIENT --user=user5_02713 --password=qwerty5 -q "SELECT 5";
$CLICKHOUSE_CLIENT --user=user6_02713 --password=qwerty6 -q "SELECT 6";
$CLICKHOUSE_CLIENT --user=user7_02713 --password=qwerty7 -q "SELECT 7";
$CLICKHOUSE_CLIENT --user=user8_02713 --password=qwerty8 -q "SELECT 8";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user5_02713";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user6_02713";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user7_02713";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user9_02713";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user10_02713";
$CLICKHOUSE_CLIENT -q "SHOW CREATE USER user11_02713";
$CLICKHOUSE_CLIENT -q "DROP USER user1_02713, user2_02713, user3_02713, user4_02713, user5_02713, user6_02713, user7_02713";
$CLICKHOUSE_CLIENT -q "DROP USER user1_02713, user2_02713, user3_02713, user4_02713, user5_02713, user6_02713, user7_02713, user8_02713, user9_02713, user10_02713, user11_02713";
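Review bot: The `# Generated online` / `# Generated with ClickHouse` comments above the SHA256_HASH, DOUBLE_SHA1_HASH and BCRYPT_HASH fixtures do not say which plaintext each hash encodes, yet the new login checks `--user=user6_02713 --password=qwerty6`, `qwerty7` and `qwerty8` presumably depend on them matching; record it, e.g. `# sha256 hash of 'qwerty6' (generated online)`, and likewise for the other two, so the fixture can be regenerated if the accepted hash format changes. Separately, the cleanup on the last line runs only when every statement before it succeeds, so one failing CREATE USER or SELECT leaves the users behind and the next run fails on the re-creation; if the file does not already start with a `DROP USER IF EXISTS …` preamble (the hunk begins at line 11, so that part is not visible here), adding one would make the test rerunnable.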