Merge pull request #62842 from ClickHouse/fix-check-in-http-handler

Allow quota key with different auth scheme in HTTPHandler
Kseniia Sumarokova 2024-04-26 10:21:02 +00:00 committed by GitHub
commit 75bbb67069
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 7 deletions


@ -364,12 +364,12 @@ bool HTTPHandler::authenticateUser(
/// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name /// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name
/// extracted from the SSL certificate used for this connection instead of checking password. /// extracted from the SSL certificate used for this connection instead of checking password.
bool has_ssl_certificate_auth = (request.get("X-ClickHouse-SSL-Certificate-Auth", "") == "on"); bool has_ssl_certificate_auth = (request.get("X-ClickHouse-SSL-Certificate-Auth", "") == "on");
bool has_auth_headers = !user.empty() || !password.empty() || !quota_key.empty() || has_ssl_certificate_auth; bool has_auth_headers = !user.empty() || !password.empty() || has_ssl_certificate_auth;
/// User name and password can be passed using HTTP Basic auth or query parameters /// User name and password can be passed using HTTP Basic auth or query parameters
/// (both methods are insecure). /// (both methods are insecure).
bool has_http_credentials = request.hasCredentials(); bool has_http_credentials = request.hasCredentials();
bool has_credentials_in_query_params = params.has("user") || params.has("password") || params.has("quota_key"); bool has_credentials_in_query_params = params.has("user") || params.has("password");
std::string spnego_challenge; std::string spnego_challenge;
std::string certificate_common_name; std::string certificate_common_name;
@ -435,15 +435,12 @@ bool HTTPHandler::authenticateUser(
{ {
throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: '{}' HTTP Authorization scheme is not supported", scheme); throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: '{}' HTTP Authorization scheme is not supported", scheme);
} }
quota_key = params.get("quota_key", "");
} }
else else
{ {
/// If the user name is not set we assume it's the 'default' user. /// If the user name is not set we assume it's the 'default' user.
user = params.get("user", "default"); user = params.get("user", "default");
password = params.get("password", ""); password = params.get("password", "");
quota_key = params.get("quota_key", "");
} }
if (!certificate_common_name.empty()) if (!certificate_common_name.empty())
@ -495,6 +492,16 @@ bool HTTPHandler::authenticateUser(
basic_credentials->setPassword(password); basic_credentials->setPassword(password);
} }
if (params.has("quota_key"))
{
if (!quota_key.empty())
throw Exception(ErrorCodes::BAD_ARGUMENTS,
"Invalid authentication: it is not allowed "
"to use quota key as HTTP header and as parameter simultaneously");
quota_key = params.get("quota_key");
}
/// Set client info. It will be used for quota accounting parameters in 'setUser' method. /// Set client info. It will be used for quota accounting parameters in 'setUser' method.
session->setHTTPClientInfo(request); session->setHTTPClientInfo(request);
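Review bot: The new `if (params.has("quota_key"))` block carries no comment explaining why the quota key is now read outside the scheme branches and no longer counts towards `has_auth_headers` / `has_credentials_in_query_params`, so a later reader may fold it back in. I would add above the block `/// The quota key is not a credential: it is accepted with any authentication scheme and is only used for quota accounting.` The exception text still opens with "Invalid authentication:" although the code thrown is BAD_ARGUMENTS and no credential is being checked; wording such as "quota key is passed both as HTTP header and as URL parameter" would match what is actually rejected. Since the value comes straight from the request, a quota keyed on it is presumably only as trustworthy as the client sending it, which is worth stating in the same comment if that matches the quota design. authenticateUser starts and ends outside these hunks.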


@ -4,9 +4,10 @@ Code: 516
1 1
Code: 516 Code: 516
1 1
Code: 516 1
processes processes
processes processes
Code: 81 Code: 81
[1] [1]
Code: 73 Code: 73
1


@ -10,8 +10,9 @@ ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-User: header_test' -
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: ' -d 'SELECT 1' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: ' -d 'SELECT 1'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: header_test' -d 'SELECT 1' | grep -o 'Code: 516' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: header_test' -d 'SELECT 1' | grep -o 'Code: 516'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: ' -d 'SELECT 1' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: ' -d 'SELECT 1'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1' | grep -o 'Code: 516' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: system' -d 'SHOW TABLES' | grep -o 'processes' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: system' -d 'SHOW TABLES' | grep -o 'processes'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: header_test' -d 'SHOW TABLES' | grep -o 'Code: 81' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: header_test' -d 'SHOW TABLES' | grep -o 'Code: 81'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: JSONCompactEachRow' -d 'SELECT 1' | grep -o '\[1\]' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: JSONCompactEachRow' -d 'SELECT 1' | grep -o '\[1\]'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: header_test' -d 'SELECT 1' | grep -o 'Code: 73' ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: header_test' -d 'SELECT 1' | grep -o 'Code: 73'
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}&quota_key=pingpong" -H 'X-ClickHouse-User: default' -d 'SELECT 1'
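Review bot: None of the added or changed requests exercises the new rejection path, where a quota key arrives both in `X-ClickHouse-Quota` and as `quota_key` in the URL; only accepted combinations are covered (the header-only request that no longer greps for `Code: 516`, and the final `quota_key=pingpong` request). I would add a request that sends both, e.g. `${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}&quota_key=pingpong" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1' | grep -o 'Code: <BAD_ARGUMENTS code>'`, with the matching line in the reference file. A case that combines `quota_key` with HTTP Basic credentials would also pin the behaviour the commit title describes, because the one added request authenticates through the `X-ClickHouse-User` header.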