Merge pull request #62842 from ClickHouse/fix-check-in-http-handler
Allow quota key with different auth scheme in HTTPHandler
commit
75bbb67069
@ -364,12 +364,12 @@ bool HTTPHandler::authenticateUser(
|
|||||||
/// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name
|
/// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name
|
||||||
/// extracted from the SSL certificate used for this connection instead of checking password.
|
/// extracted from the SSL certificate used for this connection instead of checking password.
|
||||||
bool has_ssl_certificate_auth = (request.get("X-ClickHouse-SSL-Certificate-Auth", "") == "on");
|
bool has_ssl_certificate_auth = (request.get("X-ClickHouse-SSL-Certificate-Auth", "") == "on");
|
||||||
bool has_auth_headers = !user.empty() || !password.empty() || !quota_key.empty() || has_ssl_certificate_auth;
|
bool has_auth_headers = !user.empty() || !password.empty() || has_ssl_certificate_auth;
|
||||||
|
|
||||||
/// User name and password can be passed using HTTP Basic auth or query parameters
|
/// User name and password can be passed using HTTP Basic auth or query parameters
|
||||||
/// (both methods are insecure).
|
/// (both methods are insecure).
|
||||||
bool has_http_credentials = request.hasCredentials();
|
bool has_http_credentials = request.hasCredentials();
|
||||||
bool has_credentials_in_query_params = params.has("user") || params.has("password") || params.has("quota_key");
|
bool has_credentials_in_query_params = params.has("user") || params.has("password");
|
||||||
|
|
||||||
std::string spnego_challenge;
|
std::string spnego_challenge;
|
||||||
std::string certificate_common_name;
|
std::string certificate_common_name;
|
||||||
@ -435,15 +435,12 @@ bool HTTPHandler::authenticateUser(
|
|||||||
{
|
{
|
||||||
throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: '{}' HTTP Authorization scheme is not supported", scheme);
|
throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Invalid authentication: '{}' HTTP Authorization scheme is not supported", scheme);
|
||||||
}
|
}
|
||||||
|
|
||||||
quota_key = params.get("quota_key", "");
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/// If the user name is not set we assume it's the 'default' user.
|
/// If the user name is not set we assume it's the 'default' user.
|
||||||
user = params.get("user", "default");
|
user = params.get("user", "default");
|
||||||
password = params.get("password", "");
|
password = params.get("password", "");
|
||||||
quota_key = params.get("quota_key", "");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!certificate_common_name.empty())
|
if (!certificate_common_name.empty())
|
||||||
@ -495,6 +492,16 @@ bool HTTPHandler::authenticateUser(
|
|||||||
basic_credentials->setPassword(password);
|
basic_credentials->setPassword(password);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (params.has("quota_key"))
|
||||||
|
{
|
||||||
|
if (!quota_key.empty())
|
||||||
|
throw Exception(ErrorCodes::BAD_ARGUMENTS,
|
||||||
|
"Invalid authentication: it is not allowed "
|
||||||
|
"to use quota key as HTTP header and as parameter simultaneously");
|
||||||
|
|
||||||
|
quota_key = params.get("quota_key");
|
||||||
|
}
|
||||||
|
|
||||||
/// Set client info. It will be used for quota accounting parameters in 'setUser' method.
|
/// Set client info. It will be used for quota accounting parameters in 'setUser' method.
|
||||||
|
|
||||||
session->setHTTPClientInfo(request);
|
session->setHTTPClientInfo(request);
|
||||||
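Review bot: The new throw in the third hunk uses `ErrorCodes::BAD_ARGUMENTS` while its text starts with "Invalid authentication:", whereas the other rejection visible in this function (the unsupported Authorization scheme) pairs that prefix with `ErrorCodes::AUTHENTICATION_FAILED`, so log filters or alerting keyed on either the code or the message will classify this case inconsistently. Because the first hunk stops counting the quota key as a credential, wording such as `"Invalid request: it is not allowed to use quota key as HTTP header and as parameter simultaneously"` would agree with the code. The block also deserves a comment along the lines of `/// The quota key is not a credential: it is accepted with any auth scheme, including the implicit 'default' user.`, since that is the behaviour change the updated test expects. The conflict check fires only when the earlier value (apparently taken from the header) is non-empty, so an empty `X-ClickHouse-Quota:` header combined with a `quota_key` parameter silently takes the parameter; say so in the comment if that is intended. authenticateUser begins and ends outside these hunks.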
|
@ -4,9 +4,10 @@ Code: 516
|
|||||||
1
|
1
|
||||||
Code: 516
|
Code: 516
|
||||||
1
|
1
|
||||||
Code: 516
|
1
|
||||||
processes
|
processes
|
||||||
processes
|
processes
|
||||||
Code: 81
|
Code: 81
|
||||||
[1]
|
[1]
|
||||||
Code: 73
|
Code: 73
|
||||||
|
1
|
||||||
|
@ -10,8 +10,9 @@ ${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-User: header_test' -
|
|||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: ' -d 'SELECT 1'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: ' -d 'SELECT 1'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: header_test' -d 'SELECT 1' | grep -o 'Code: 516'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Key: header_test' -d 'SELECT 1' | grep -o 'Code: 516'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: ' -d 'SELECT 1'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: ' -d 'SELECT 1'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1' | grep -o 'Code: 516'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: system' -d 'SHOW TABLES' | grep -o 'processes'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: system' -d 'SHOW TABLES' | grep -o 'processes'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: header_test' -d 'SHOW TABLES' | grep -o 'Code: 81'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Database: header_test' -d 'SHOW TABLES' | grep -o 'Code: 81'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: JSONCompactEachRow' -d 'SELECT 1' | grep -o '\[1\]'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: JSONCompactEachRow' -d 'SELECT 1' | grep -o '\[1\]'
|
||||||
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: header_test' -d 'SELECT 1' | grep -o 'Code: 73'
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}" -H 'X-ClickHouse-Format: header_test' -d 'SELECT 1' | grep -o 'Code: 73'
|
||||||
|
${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}"a_key=pingpong" -H 'X-ClickHouse-User: default' -d 'SELECT 1'
|
||||||
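Review bot: The added request covers only the accepted case (a `quota_key` parameter together with a user header); nothing exercises the new rejection when the key is sent both as `X-ClickHouse-Quota` and as a parameter, so a regression in that check would go unnoticed. A line such as `${CLICKHOUSE_CURL} -sS "${CLICKHOUSE_URL}&quota_key=pingpong" -H 'X-ClickHouse-Quota: header_test' -d 'SELECT 1' | grep -o 'simultaneously'`, with a matching entry in the reference file, would pin it. The URL of the added line is displayed here as `"${CLICKHOUSE_URL}"a_key=pingpong"`, which looks like `&quota_key=` after entity decoding by the page, so it is worth confirming against the committed file.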
|