mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-19 16:20:50 +00:00
do not allow no_password to co-exist with other auth methods
parent
e36776551e
commit
acc2249288
@ -65,8 +65,17 @@ namespace
|
|||||||
user.authentication_methods.emplace_back();
|
user.authentication_methods.emplace_back();
|
||||||
}
|
}
|
||||||
|
|
||||||
// a leading IDENTIFIED WITH will drop existing authentication methods in favor of new ones
|
bool has_no_password_authentication_method = std::find_if(
|
||||||
if (replace_authentication_methods)
|
user.authentication_methods.begin(),
|
||||||
|
user.authentication_methods.end(),
|
||||||
|
[](const AuthenticationData & authentication_method)
|
||||||
|
{
|
||||||
|
return authentication_method.getType() == AuthenticationType::NO_PASSWORD;
|
||||||
|
}) != user.authentication_methods.end();
|
||||||
|
|
||||||
|
// 1. a leading IDENTIFIED WITH will drop existing authentication methods in favor of new ones.
|
||||||
|
// 2. if the user contains an auth method of type NO_PASSWORD and another one is being added, NO_PASSWORD must be dropped
|
||||||
|
if (replace_authentication_methods || (has_no_password_authentication_method && !authentication_methods.empty()))
|
||||||
{
|
{
|
||||||
user.authentication_methods.clear();
|
user.authentication_methods.clear();
|
||||||
}
|
}
|
||||||
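Review bot: Nothing in this hunk validates the final method list, so the rule that NO_PASSWORD never coexists with another method is only half enforced here. The new condition covers a user that already has NO_PASSWORD and receives another method; the opposite direction depends entirely on the parser having set `replace_authentication_methods`. The code that appends the new methods and the callers are outside the hunk, so this is an inference, but a query object that did not pass through the parser check could still leave a mixed list. A check after the append would keep the invariant local, for example `if (user.authentication_methods.size() > 1 && has_no_password_after_update) throw Exception(/* same BAD_ARGUMENTS error as the parser */);`. Separately, `std::any_of` states the intent more directly than `std::find_if(...) != end()`.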
|
@ -596,6 +596,19 @@ bool ParserCreateUserQuery::parseImpl(Pos & pos, ASTPtr & node, Expected & expec
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool has_no_password_authentication_method = std::find_if(
|
||||||
|
auth_data.begin(),
|
||||||
|
auth_data.end(),
|
||||||
|
[](const std::shared_ptr<ASTAuthenticationData> & ast_authentication_data)
|
||||||
|
{
|
||||||
|
return ast_authentication_data->type == AuthenticationType::NO_PASSWORD;
|
||||||
|
}) != auth_data.end();
|
||||||
|
|
||||||
|
if (has_no_password_authentication_method && auth_data.size() > 1)
|
||||||
|
{
|
||||||
|
throw Exception(ErrorCodes::BAD_ARGUMENTS, "NO_PASSWORD Authentication method cannot co-exist with other authentication methods");
|
||||||
|
}
|
||||||
|
|
||||||
if (!alter && !hosts)
|
if (!alter && !hosts)
|
||||||
{
|
{
|
||||||
String common_host_pattern;
|
String common_host_pattern;
|
||||||
@ -630,7 +643,7 @@ bool ParserCreateUserQuery::parseImpl(Pos & pos, ASTPtr & node, Expected & expec
|
|||||||
query->valid_until = std::move(valid_until);
|
query->valid_until = std::move(valid_until);
|
||||||
query->storage_name = std::move(storage_name);
|
query->storage_name = std::move(storage_name);
|
||||||
query->reset_authentication_methods_to_new = reset_authentication_methods_to_new.value_or(false);
|
query->reset_authentication_methods_to_new = reset_authentication_methods_to_new.value_or(false);
|
||||||
query->replace_authentication_methods = parsed_identified_with;
|
query->replace_authentication_methods = parsed_identified_with || has_no_password_authentication_method;
|
||||||
|
|
||||||
for (const auto & authentication_method : query->authentication_methods)
|
for (const auto & authentication_method : query->authentication_methods)
|
||||||
{
|
{
|
||||||
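Review bot: An `ADD IDENTIFIED WITH no_password` is silently turned into a full replace by `query->replace_authentication_methods = parsed_identified_with || has_no_password_authentication_method;`. A statement that reads as additive therefore removes every existing credential and leaves the account with no authentication at all. For a change that lowers an account's security this much, consider rejecting the `ADD` form with BAD_ARGUMENTS so the operator has to write an explicit `IDENTIFIED WITH no_password`. If the silent replace is intended, the assignment should at least carry a comment such as `// NO_PASSWORD cannot coexist with other methods, so adding it replaces the whole list`. parseImpl starts and ends outside these hunks, so how `auth_data` is filled for the `ADD` case is not visible here.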
|
@ -37,4 +37,10 @@ CREATE Identified with must precede all add identified with, not allowed
|
|||||||
BAD_ARGUMENTS
|
BAD_ARGUMENTS
|
||||||
Create user with no identification
|
Create user with no identification
|
||||||
Add identified with
|
Add identified with
|
||||||
CREATE USER u01_03174 IDENTIFIED WITH no_password ADD IDENTIFIED WITH plaintext_password
|
CREATE USER u01_03174 IDENTIFIED WITH plaintext_password
|
||||||
|
Try to provide no_password mixed with other authentication methods, should not be allowed
|
||||||
|
BAD_ARGUMENTS
|
||||||
|
Adding no_password, should drop existing auth method
|
||||||
|
CREATE USER u01_03174 IDENTIFIED WITH no_password
|
||||||
|
Trying to auth with no pwd, should succeed
|
||||||
|
1
|
||||||
|
@ -13,6 +13,11 @@ ssh_key="-----BEGIN OPENSSH PRIVATE KEY-----
|
|||||||
Ux7i7d3xPoseFrwnhY4YAAAADWFydGh1ckBhcnRodXI=
|
Ux7i7d3xPoseFrwnhY4YAAAADWFydGh1ckBhcnRodXI=
|
||||||
-----END OPENSSH PRIVATE KEY-----"
|
-----END OPENSSH PRIVATE KEY-----"
|
||||||
|
|
||||||
|
function test_login_no_pwd
|
||||||
|
{
|
||||||
|
${CLICKHOUSE_CLIENT} --user $1 --query "select 1"
|
||||||
|
}
|
||||||
|
|
||||||
function test_login_pwd
|
function test_login_pwd
|
||||||
{
|
{
|
||||||
${CLICKHOUSE_CLIENT} --user $1 --password $2 --query "select 1"
|
${CLICKHOUSE_CLIENT} --user $1 --password $2 --query "select 1"
|
||||||
@ -107,4 +112,14 @@ ${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH plaintext_p
|
|||||||
|
|
||||||
${CLICKHOUSE_CLIENT} --query "SHOW CREATE USER ${user}"
|
${CLICKHOUSE_CLIENT} --query "SHOW CREATE USER ${user}"
|
||||||
|
|
||||||
|
echo "Try to provide no_password mixed with other authentication methods, should not be allowed"
|
||||||
|
${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH plaintext_password by '8' ADD IDENTIFIED WITH no_password" 2>&1 | grep -m1 -o "BAD_ARGUMENTS"
|
||||||
|
|
||||||
|
echo "Adding no_password, should drop existing auth method"
|
||||||
|
${CLICKHOUSE_CLIENT} --query "ALTER USER ${user} ADD IDENTIFIED WITH no_password"
|
||||||
|
${CLICKHOUSE_CLIENT} --query "SHOW CREATE USER ${user}"
|
||||||
|
|
||||||
|
echo "Trying to auth with no pwd, should succeed"
|
||||||
|
test_login_no_pwd ${user}
|
||||||
|
|
||||||
${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS ${user}"
|
${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS ${user}"
|
||||||
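Review bot: The added cases never assert that a passwordless login is refused once a password method has replaced no_password, which is the direction where a regression would leave an account open. The visible hunks check the statement text through `SHOW CREATE USER` and one successful `test_login_no_pwd ${user}`. The rest of the script is outside these hunks, so a negative check may already exist; if it does not, one after the "Add identified with" step would pin the behaviour, for example `test_login_no_pwd ${user} 2>&1 | grep -m1 -o 'AUTHENTICATION_FAILED'`. In `test_login_no_pwd` the argument should also be quoted, `--user "$1"`.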
|