mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-19 16:20:50 +00:00
do not allow no_password to co-exist with other auth methods
This commit is contained in:
parent
e36776551e
commit
acc2249288
@ -65,8 +65,17 @@ namespace
|
||||
user.authentication_methods.emplace_back();
|
||||
}
|
||||
|
||||
// a leading IDENTIFIED WITH will drop existing authentication methods in favor of new ones
|
||||
if (replace_authentication_methods)
|
||||
bool has_no_password_authentication_method = std::find_if(
|
||||
user.authentication_methods.begin(),
|
||||
user.authentication_methods.end(),
|
||||
[](const AuthenticationData & authentication_method)
|
||||
{
|
||||
return authentication_method.getType() == AuthenticationType::NO_PASSWORD;
|
||||
}) != user.authentication_methods.end();
|
||||
|
||||
// 1. a leading IDENTIFIED WITH will drop existing authentication methods in favor of new ones.
|
||||
// 2. if the user contains an auth method of type NO_PASSWORD and another one is being added, NO_PASSWORD must be dropped
|
||||
if (replace_authentication_methods || (has_no_password_authentication_method && !authentication_methods.empty()))
|
||||
{
|
||||
user.authentication_methods.clear();
|
||||
}
|
||||
|
@ -596,6 +596,19 @@ bool ParserCreateUserQuery::parseImpl(Pos & pos, ASTPtr & node, Expected & expec
|
||||
break;
|
||||
}
|
||||
|
||||
bool has_no_password_authentication_method = std::find_if(
|
||||
auth_data.begin(),
|
||||
auth_data.end(),
|
||||
[](const std::shared_ptr<ASTAuthenticationData> & ast_authentication_data)
|
||||
{
|
||||
return ast_authentication_data->type == AuthenticationType::NO_PASSWORD;
|
||||
}) != auth_data.end();
|
||||
|
||||
if (has_no_password_authentication_method && auth_data.size() > 1)
|
||||
{
|
||||
throw Exception(ErrorCodes::BAD_ARGUMENTS, "NO_PASSWORD Authentication method cannot co-exist with other authentication methods");
|
||||
}
|
||||
|
||||
if (!alter && !hosts)
|
||||
{
|
||||
String common_host_pattern;
|
||||
@ -630,7 +643,7 @@ bool ParserCreateUserQuery::parseImpl(Pos & pos, ASTPtr & node, Expected & expec
|
||||
query->valid_until = std::move(valid_until);
|
||||
query->storage_name = std::move(storage_name);
|
||||
query->reset_authentication_methods_to_new = reset_authentication_methods_to_new.value_or(false);
|
||||
query->replace_authentication_methods = parsed_identified_with;
|
||||
query->replace_authentication_methods = parsed_identified_with || has_no_password_authentication_method;
|
||||
|
||||
for (const auto & authentication_method : query->authentication_methods)
|
||||
{
|
||||
|
@ -37,4 +37,10 @@ CREATE Identified with must precede all add identified with, not allowed
|
||||
BAD_ARGUMENTS
|
||||
Create user with no identification
|
||||
Add identified with
|
||||
CREATE USER u01_03174 IDENTIFIED WITH no_password ADD IDENTIFIED WITH plaintext_password
|
||||
CREATE USER u01_03174 IDENTIFIED WITH plaintext_password
|
||||
Try to provide no_password mixed with other authentication methods, should not be allowed
|
||||
BAD_ARGUMENTS
|
||||
Adding no_password, should drop existing auth method
|
||||
CREATE USER u01_03174 IDENTIFIED WITH no_password
|
||||
Trying to auth with no pwd, should succeed
|
||||
1
|
||||
|
@ -13,6 +13,11 @@ ssh_key="-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
Ux7i7d3xPoseFrwnhY4YAAAADWFydGh1ckBhcnRodXI=
|
||||
-----END OPENSSH PRIVATE KEY-----"
|
||||
|
||||
function test_login_no_pwd
|
||||
{
|
||||
${CLICKHOUSE_CLIENT} --user $1 --query "select 1"
|
||||
}
|
||||
|
||||
function test_login_pwd
|
||||
{
|
||||
${CLICKHOUSE_CLIENT} --user $1 --password $2 --query "select 1"
|
||||
@ -107,4 +112,14 @@ ${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH plaintext_p
|
||||
|
||||
${CLICKHOUSE_CLIENT} --query "SHOW CREATE USER ${user}"
|
||||
|
||||
echo "Try to provide no_password mixed with other authentication methods, should not be allowed"
|
||||
${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH plaintext_password by '8' ADD IDENTIFIED WITH no_password" 2>&1 | grep -m1 -o "BAD_ARGUMENTS"
|
||||
|
||||
echo "Adding no_password, should drop existing auth method"
|
||||
${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH no_password"
|
||||
${CLICKHOUSE_CLIENT} --query "SHOW CREATE USER ${user}"
|
||||
|
||||
echo "Trying to auth with no pwd, should succeed"
|
||||
test_login_no_pwd ${user}
|
||||
|
||||
${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS ${user}"
|
||||
|
Loading…
Reference in New Issue
Block a user