mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-21 01:00:48 +00:00
Merge pull request #30973 from vitlibar/move-access-code
Move access-rights source code
This commit is contained in:
Vitaly Baranov
GitHub
commit
acf4e66771
@ -7,26 +7,26 @@
|
||||
#include <Access/SettingsProfile.h>
|
||||
#include <Access/User.h>
|
||||
#include <Core/Defines.h>
|
||||
#include <Interpreters/InterpreterCreateQuotaQuery.h>
|
||||
#include <Interpreters/InterpreterCreateRoleQuery.h>
|
||||
#include <Interpreters/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Interpreters/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Interpreters/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/InterpreterGrantQuery.h>
|
||||
#include <Interpreters/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/InterpreterShowGrantsQuery.h>
|
||||
#include <Parsers/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/ASTGrantQuery.h>
|
||||
#include <Parsers/ParserCreateQuotaQuery.h>
|
||||
#include <Parsers/ParserCreateRoleQuery.h>
|
||||
#include <Parsers/ParserCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ParserCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ParserCreateUserQuery.h>
|
||||
#include <Parsers/ParserGrantQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateQuotaQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRoleQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/Access/InterpreterGrantQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowGrantsQuery.h>
|
||||
#include <Parsers/Access/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
#include <Parsers/Access/ParserCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ParserCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ParserCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ParserCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ParserCreateUserQuery.h>
|
||||
#include <Parsers/Access/ParserGrantQuery.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Parsers/parseQuery.h>
|
||||
#include <boost/range/algorithm/copy.hpp>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#pragma once
|
||||
|
||||
#include <base/types.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <memory>
|
||||
#include <vector>
|
||||
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Access/Credentials.h>
|
||||
#include <Access/ExternalAuthenticators.h>
|
||||
#include <Access/LDAPClient.h>
|
||||
@ -17,8 +18,8 @@ namespace ErrorCodes
|
||||
|
||||
namespace
|
||||
{
|
||||
using Digest = Authentication::Digest;
|
||||
using Util = Authentication::Util;
|
||||
using Digest = AuthenticationData::Digest;
|
||||
using Util = AuthenticationData::Util;
|
||||
|
||||
bool checkPasswordPlainText(const String & password, const Digest & password_plaintext)
|
||||
{
|
||||
@ -67,76 +68,76 @@ namespace
|
||||
}
|
||||
|
||||
|
||||
bool Authentication::areCredentialsValid(const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const
|
||||
bool Authentication::areCredentialsValid(const Credentials & credentials, const AuthenticationData & auth_data, const ExternalAuthenticators & external_authenticators)
|
||||
{
|
||||
if (!credentials.isReady())
|
||||
return false;
|
||||
|
||||
if (const auto * gss_acceptor_context = typeid_cast<const GSSAcceptorContext *>(&credentials))
|
||||
{
|
||||
switch (type)
|
||||
switch (auth_data.getType())
|
||||
{
|
||||
case NO_PASSWORD:
|
||||
case PLAINTEXT_PASSWORD:
|
||||
case SHA256_PASSWORD:
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
case LDAP:
|
||||
throw Require<BasicCredentials>("ClickHouse Basic Authentication");
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
case AuthenticationType::LDAP:
|
||||
throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
|
||||
|
||||
case KERBEROS:
|
||||
return external_authenticators.checkKerberosCredentials(kerberos_realm, *gss_acceptor_context);
|
||||
case AuthenticationType::KERBEROS:
|
||||
return external_authenticators.checkKerberosCredentials(auth_data.getKerberosRealm(), *gss_acceptor_context);
|
||||
|
||||
case MAX_TYPE:
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (const auto * mysql_credentials = typeid_cast<const MySQLNative41Credentials *>(&credentials))
|
||||
{
|
||||
switch (type)
|
||||
switch (auth_data.getType())
|
||||
{
|
||||
case NO_PASSWORD:
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
return true; // N.B. even if the password is not empty!
|
||||
|
||||
case PLAINTEXT_PASSWORD:
|
||||
return checkPasswordPlainTextMySQL(mysql_credentials->getScramble(), mysql_credentials->getScrambledPassword(), password_hash);
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
return checkPasswordPlainTextMySQL(mysql_credentials->getScramble(), mysql_credentials->getScrambledPassword(), auth_data.getPasswordHashBinary());
|
||||
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
return checkPasswordDoubleSHA1MySQL(mysql_credentials->getScramble(), mysql_credentials->getScrambledPassword(), password_hash);
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
return checkPasswordDoubleSHA1MySQL(mysql_credentials->getScramble(), mysql_credentials->getScrambledPassword(), auth_data.getPasswordHashBinary());
|
||||
|
||||
case SHA256_PASSWORD:
|
||||
case LDAP:
|
||||
case KERBEROS:
|
||||
throw Require<BasicCredentials>("ClickHouse Basic Authentication");
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
case AuthenticationType::LDAP:
|
||||
case AuthenticationType::KERBEROS:
|
||||
throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
|
||||
|
||||
case MAX_TYPE:
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (const auto * basic_credentials = typeid_cast<const BasicCredentials *>(&credentials))
|
||||
{
|
||||
switch (type)
|
||||
switch (auth_data.getType())
|
||||
{
|
||||
case NO_PASSWORD:
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
return true; // N.B. even if the password is not empty!
|
||||
|
||||
case PLAINTEXT_PASSWORD:
|
||||
return checkPasswordPlainText(basic_credentials->getPassword(), password_hash);
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
return checkPasswordPlainText(basic_credentials->getPassword(), auth_data.getPasswordHashBinary());
|
||||
|
||||
case SHA256_PASSWORD:
|
||||
return checkPasswordSHA256(basic_credentials->getPassword(), password_hash);
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
return checkPasswordSHA256(basic_credentials->getPassword(), auth_data.getPasswordHashBinary());
|
||||
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
return checkPasswordDoubleSHA1(basic_credentials->getPassword(), password_hash);
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
return checkPasswordDoubleSHA1(basic_credentials->getPassword(), auth_data.getPasswordHashBinary());
|
||||
|
||||
case LDAP:
|
||||
return external_authenticators.checkLDAPCredentials(ldap_server_name, *basic_credentials);
|
||||
case AuthenticationType::LDAP:
|
||||
return external_authenticators.checkLDAPCredentials(auth_data.getLDAPServerName(), *basic_credentials);
|
||||
|
||||
case KERBEROS:
|
||||
throw Require<GSSAcceptorContext>(kerberos_realm);
|
||||
case AuthenticationType::KERBEROS:
|
||||
throw Authentication::Require<GSSAcceptorContext>(auth_data.getKerberosRealm());
|
||||
|
||||
case MAX_TYPE:
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -144,7 +145,7 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
|
||||
if ([[maybe_unused]] const auto * always_allow_credentials = typeid_cast<const AlwaysAllowCredentials *>(&credentials))
|
||||
return true;
|
||||
|
||||
throw Exception("areCredentialsValid(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
throw Exception("areCredentialsValid(): authentication type " + toString(auth_data.getType()) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -1,60 +1,26 @@
|
||||
#pragma once
|
||||
|
||||
#include <base/types.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Common/Exception.h>
|
||||
#include <Common/OpenSSLHelpers.h>
|
||||
#include <Poco/SHA1Engine.h>
|
||||
#include <boost/algorithm/hex.hpp>
|
||||
#include <boost/algorithm/string/case_conv.hpp>
|
||||
#include <base/types.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
{
|
||||
namespace ErrorCodes
|
||||
{
|
||||
extern const int SUPPORT_IS_DISABLED;
|
||||
extern const int BAD_ARGUMENTS;
|
||||
extern const int LOGICAL_ERROR;
|
||||
extern const int NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
class Credentials;
|
||||
class ExternalAuthenticators;
|
||||
|
||||
/// Authentication type and encrypted password for checking when a user logins.
|
||||
class Authentication
|
||||
|
||||
/// TODO: Try to move this checking to Credentials.
|
||||
struct Authentication
|
||||
{
|
||||
public:
|
||||
enum Type
|
||||
{
|
||||
/// User doesn't have to enter password.
|
||||
NO_PASSWORD,
|
||||
|
||||
/// Password is stored as is.
|
||||
PLAINTEXT_PASSWORD,
|
||||
|
||||
/// Password is encrypted in SHA256 hash.
|
||||
SHA256_PASSWORD,
|
||||
|
||||
/// SHA1(SHA1(password)).
|
||||
/// This kind of hash is used by the `mysql_native_password` authentication plugin.
|
||||
DOUBLE_SHA1_PASSWORD,
|
||||
|
||||
/// Password is checked by a [remote] LDAP server. Connection will be made at each authentication attempt.
|
||||
LDAP,
|
||||
|
||||
/// Kerberos authentication performed through GSS-API negotiation loop.
|
||||
KERBEROS,
|
||||
|
||||
MAX_TYPE,
|
||||
};
|
||||
|
||||
struct TypeInfo
|
||||
{
|
||||
const char * const raw_name;
|
||||
const String name; /// Lowercased with underscores, e.g. "sha256_password".
|
||||
static const TypeInfo & get(Type type_);
|
||||
};
|
||||
/// Checks the credentials (passwords, readiness, etc.)
|
||||
static bool areCredentialsValid(const Credentials & credentials, const AuthenticationData & auth_data, const ExternalAuthenticators & external_authenticators);
|
||||
|
||||
// A signaling class used to communicate requirements for credentials.
|
||||
template <typename CredentialsType>
|
||||
@ -67,110 +33,9 @@ public:
|
||||
private:
|
||||
const String realm;
|
||||
};
|
||||
|
||||
using Digest = std::vector<uint8_t>;
|
||||
|
||||
Authentication(Authentication::Type type_ = NO_PASSWORD) : type(type_) {}
|
||||
Authentication(const Authentication & src) = default;
|
||||
Authentication & operator =(const Authentication & src) = default;
|
||||
Authentication(Authentication && src) = default;
|
||||
Authentication & operator =(Authentication && src) = default;
|
||||
|
||||
Type getType() const { return type; }
|
||||
|
||||
/// Sets the password and encrypt it using the authentication type set in the constructor.
|
||||
void setPassword(const String & password_);
|
||||
|
||||
/// Returns the password. Allowed to use only for Type::PLAINTEXT_PASSWORD.
|
||||
String getPassword() const;
|
||||
|
||||
/// Sets the password as a string of hexadecimal digits.
|
||||
void setPasswordHashHex(const String & hash);
|
||||
String getPasswordHashHex() const;
|
||||
|
||||
/// Sets the password in binary form.
|
||||
void setPasswordHashBinary(const Digest & hash);
|
||||
const Digest & getPasswordHashBinary() const { return password_hash; }
|
||||
|
||||
/// Sets the server name for authentication type LDAP.
|
||||
const String & getLDAPServerName() const;
|
||||
void setLDAPServerName(const String & name);
|
||||
|
||||
/// Sets the realm name for authentication type KERBEROS.
|
||||
const String & getKerberosRealm() const;
|
||||
void setKerberosRealm(const String & realm);
|
||||
|
||||
/// Checks the credentials (passwords, readiness, etc.)
|
||||
bool areCredentialsValid(const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const;
|
||||
|
||||
friend bool operator ==(const Authentication & lhs, const Authentication & rhs) { return (lhs.type == rhs.type) && (lhs.password_hash == rhs.password_hash); }
|
||||
friend bool operator !=(const Authentication & lhs, const Authentication & rhs) { return !(lhs == rhs); }
|
||||
|
||||
struct Util
|
||||
{
|
||||
static Digest encodePlainText(const std::string_view & text) { return Digest(text.data(), text.data() + text.size()); }
|
||||
static Digest encodeSHA256(const std::string_view & text);
|
||||
static Digest encodeSHA1(const std::string_view & text);
|
||||
static Digest encodeSHA1(const Digest & text) { return encodeSHA1(std::string_view{reinterpret_cast<const char *>(text.data()), text.size()}); }
|
||||
static Digest encodeDoubleSHA1(const std::string_view & text) { return encodeSHA1(encodeSHA1(text)); }
|
||||
static Digest encodeDoubleSHA1(const Digest & text) { return encodeSHA1(encodeSHA1(text)); }
|
||||
};
|
||||
|
||||
private:
|
||||
Type type = Type::NO_PASSWORD;
|
||||
Digest password_hash;
|
||||
String ldap_server_name;
|
||||
String kerberos_realm;
|
||||
};
|
||||
|
||||
|
||||
inline const Authentication::TypeInfo & Authentication::TypeInfo::get(Type type_)
|
||||
{
|
||||
static constexpr auto make_info = [](const char * raw_name_)
|
||||
{
|
||||
String init_name = raw_name_;
|
||||
boost::to_lower(init_name);
|
||||
return TypeInfo{raw_name_, std::move(init_name)};
|
||||
};
|
||||
|
||||
switch (type_)
|
||||
{
|
||||
case NO_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("NO_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case PLAINTEXT_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("PLAINTEXT_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case SHA256_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("SHA256_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("DOUBLE_SHA1_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case LDAP:
|
||||
{
|
||||
static const auto info = make_info("LDAP");
|
||||
return info;
|
||||
}
|
||||
case KERBEROS:
|
||||
{
|
||||
static const auto info = make_info("KERBEROS");
|
||||
return info;
|
||||
}
|
||||
case MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("Unknown authentication type: " + std::to_string(static_cast<int>(type_)), ErrorCodes::LOGICAL_ERROR);
|
||||
}
|
||||
|
||||
template <typename CredentialsType>
|
||||
Authentication::Require<CredentialsType>::Require(const String & realm_)
|
||||
: Exception("Credentials required", ErrorCodes::BAD_ARGUMENTS)
|
||||
@ -184,148 +49,4 @@ const String & Authentication::Require<CredentialsType>::getRealm() const
|
||||
return realm;
|
||||
}
|
||||
|
||||
inline String toString(Authentication::Type type_)
|
||||
{
|
||||
return Authentication::TypeInfo::get(type_).raw_name;
|
||||
}
|
||||
|
||||
|
||||
inline Authentication::Digest Authentication::Util::encodeSHA256(const std::string_view & text [[maybe_unused]])
|
||||
{
|
||||
#if USE_SSL
|
||||
Digest hash;
|
||||
hash.resize(32);
|
||||
::DB::encodeSHA256(text, hash.data());
|
||||
return hash;
|
||||
#else
|
||||
throw DB::Exception(
|
||||
"SHA256 passwords support is disabled, because ClickHouse was built without SSL library",
|
||||
DB::ErrorCodes::SUPPORT_IS_DISABLED);
|
||||
#endif
|
||||
}
|
||||
|
||||
inline Authentication::Digest Authentication::Util::encodeSHA1(const std::string_view & text)
|
||||
{
|
||||
Poco::SHA1Engine engine;
|
||||
engine.update(text.data(), text.size());
|
||||
return engine.digest();
|
||||
}
|
||||
|
||||
|
||||
inline void Authentication::setPassword(const String & password_)
|
||||
{
|
||||
switch (type)
|
||||
{
|
||||
case PLAINTEXT_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodePlainText(password_));
|
||||
|
||||
case SHA256_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodeSHA256(password_));
|
||||
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodeDoubleSHA1(password_));
|
||||
|
||||
case NO_PASSWORD:
|
||||
case LDAP:
|
||||
case KERBEROS:
|
||||
throw Exception("Cannot specify password for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
case MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("setPassword(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
|
||||
inline String Authentication::getPassword() const
|
||||
{
|
||||
if (type != PLAINTEXT_PASSWORD)
|
||||
throw Exception("Cannot decode the password", ErrorCodes::LOGICAL_ERROR);
|
||||
return String(password_hash.data(), password_hash.data() + password_hash.size());
|
||||
}
|
||||
|
||||
|
||||
inline void Authentication::setPasswordHashHex(const String & hash)
|
||||
{
|
||||
Digest digest;
|
||||
digest.resize(hash.size() / 2);
|
||||
boost::algorithm::unhex(hash.begin(), hash.end(), digest.data());
|
||||
setPasswordHashBinary(digest);
|
||||
}
|
||||
|
||||
inline String Authentication::getPasswordHashHex() const
|
||||
{
|
||||
if (type == LDAP || type == KERBEROS)
|
||||
throw Exception("Cannot get password hex hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
String hex;
|
||||
hex.resize(password_hash.size() * 2);
|
||||
boost::algorithm::hex(password_hash.begin(), password_hash.end(), hex.data());
|
||||
return hex;
|
||||
}
|
||||
|
||||
|
||||
inline void Authentication::setPasswordHashBinary(const Digest & hash)
|
||||
{
|
||||
switch (type)
|
||||
{
|
||||
case PLAINTEXT_PASSWORD:
|
||||
{
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case SHA256_PASSWORD:
|
||||
{
|
||||
if (hash.size() != 32)
|
||||
throw Exception(
|
||||
"Password hash for the 'SHA256_PASSWORD' authentication type has length " + std::to_string(hash.size())
|
||||
+ " but must be exactly 32 bytes.",
|
||||
ErrorCodes::BAD_ARGUMENTS);
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case DOUBLE_SHA1_PASSWORD:
|
||||
{
|
||||
if (hash.size() != 20)
|
||||
throw Exception(
|
||||
"Password hash for the 'DOUBLE_SHA1_PASSWORD' authentication type has length " + std::to_string(hash.size())
|
||||
+ " but must be exactly 20 bytes.",
|
||||
ErrorCodes::BAD_ARGUMENTS);
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case NO_PASSWORD:
|
||||
case LDAP:
|
||||
case KERBEROS:
|
||||
throw Exception("Cannot specify password binary hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
case MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("setPasswordHashBinary(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
inline const String & Authentication::getLDAPServerName() const
|
||||
{
|
||||
return ldap_server_name;
|
||||
}
|
||||
|
||||
inline void Authentication::setLDAPServerName(const String & name)
|
||||
{
|
||||
ldap_server_name = name;
|
||||
}
|
||||
|
||||
inline const String & Authentication::getKerberosRealm() const
|
||||
{
|
||||
return kerberos_realm;
|
||||
}
|
||||
|
||||
inline void Authentication::setKerberosRealm(const String & realm)
|
||||
{
|
||||
kerberos_realm = realm;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#pragma once
|
||||
|
||||
#include <Access/AccessType.h>
|
||||
#include <Access/Common/AccessType.h>
|
||||
#include <base/types.h>
|
||||
#include <base/range.h>
|
||||
#include <Common/Exception.h>
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <boost/range/algorithm_ext/erase.hpp>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#pragma once
|
||||
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Access/AllowedClientHosts.h>
|
||||
#include <Access/Common/AllowedClientHosts.h>
|
||||
#include <Common/Exception.h>
|
||||
#include <base/logger_useful.h>
|
||||
#include <base/scope_guard.h>
|
||||
196
src/Access/Common/AuthenticationData.cpp
Normal file
196
src/Access/Common/AuthenticationData.cpp
Normal file
@ -0,0 +1,196 @@
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Common/Exception.h>
|
||||
#include <Common/OpenSSLHelpers.h>
|
||||
#include <Poco/SHA1Engine.h>
|
||||
#include <base/types.h>
|
||||
#include <boost/algorithm/hex.hpp>
|
||||
#include <boost/algorithm/string/case_conv.hpp>
|
||||
|
||||
|
||||
namespace DB
|
||||
{
|
||||
namespace ErrorCodes
|
||||
{
|
||||
extern const int SUPPORT_IS_DISABLED;
|
||||
extern const int BAD_ARGUMENTS;
|
||||
extern const int LOGICAL_ERROR;
|
||||
extern const int NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
|
||||
const AuthenticationTypeInfo & AuthenticationTypeInfo::get(AuthenticationType type_)
|
||||
{
|
||||
static constexpr auto make_info = [](const char * raw_name_)
|
||||
{
|
||||
String init_name = raw_name_;
|
||||
boost::to_lower(init_name);
|
||||
return AuthenticationTypeInfo{raw_name_, std::move(init_name)};
|
||||
};
|
||||
|
||||
switch (type_)
|
||||
{
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("NO_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("PLAINTEXT_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("SHA256_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
{
|
||||
static const auto info = make_info("DOUBLE_SHA1_PASSWORD");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::LDAP:
|
||||
{
|
||||
static const auto info = make_info("LDAP");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::KERBEROS:
|
||||
{
|
||||
static const auto info = make_info("KERBEROS");
|
||||
return info;
|
||||
}
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("Unknown authentication type: " + std::to_string(static_cast<int>(type_)), ErrorCodes::LOGICAL_ERROR);
|
||||
}
|
||||
|
||||
|
||||
AuthenticationData::Digest AuthenticationData::Util::encodeSHA256(const std::string_view & text [[maybe_unused]])
|
||||
{
|
||||
#if USE_SSL
|
||||
Digest hash;
|
||||
hash.resize(32);
|
||||
::DB::encodeSHA256(text, hash.data());
|
||||
return hash;
|
||||
#else
|
||||
throw DB::Exception(
|
||||
"SHA256 passwords support is disabled, because ClickHouse was built without SSL library",
|
||||
DB::ErrorCodes::SUPPORT_IS_DISABLED);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
AuthenticationData::Digest AuthenticationData::Util::encodeSHA1(const std::string_view & text)
|
||||
{
|
||||
Poco::SHA1Engine engine;
|
||||
engine.update(text.data(), text.size());
|
||||
return engine.digest();
|
||||
}
|
||||
|
||||
|
||||
bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs)
|
||||
{
|
||||
return (lhs.type == rhs.type) && (lhs.password_hash == rhs.password_hash)
|
||||
&& (lhs.ldap_server_name == rhs.ldap_server_name) && (lhs.kerberos_realm == rhs.kerberos_realm);
|
||||
}
|
||||
|
||||
|
||||
void AuthenticationData::setPassword(const String & password_)
|
||||
{
|
||||
switch (type)
|
||||
{
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodePlainText(password_));
|
||||
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodeSHA256(password_));
|
||||
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
return setPasswordHashBinary(Util::encodeDoubleSHA1(password_));
|
||||
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
case AuthenticationType::LDAP:
|
||||
case AuthenticationType::KERBEROS:
|
||||
throw Exception("Cannot specify password for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("setPassword(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
|
||||
String AuthenticationData::getPassword() const
|
||||
{
|
||||
if (type != AuthenticationType::PLAINTEXT_PASSWORD)
|
||||
throw Exception("Cannot decode the password", ErrorCodes::LOGICAL_ERROR);
|
||||
return String(password_hash.data(), password_hash.data() + password_hash.size());
|
||||
}
|
||||
|
||||
|
||||
void AuthenticationData::setPasswordHashHex(const String & hash)
|
||||
{
|
||||
Digest digest;
|
||||
digest.resize(hash.size() / 2);
|
||||
boost::algorithm::unhex(hash.begin(), hash.end(), digest.data());
|
||||
setPasswordHashBinary(digest);
|
||||
}
|
||||
|
||||
|
||||
String AuthenticationData::getPasswordHashHex() const
|
||||
{
|
||||
if (type == AuthenticationType::LDAP || type == AuthenticationType::KERBEROS)
|
||||
throw Exception("Cannot get password hex hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
String hex;
|
||||
hex.resize(password_hash.size() * 2);
|
||||
boost::algorithm::hex(password_hash.begin(), password_hash.end(), hex.data());
|
||||
return hex;
|
||||
}
|
||||
|
||||
|
||||
void AuthenticationData::setPasswordHashBinary(const Digest & hash)
|
||||
{
|
||||
switch (type)
|
||||
{
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
{
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
{
|
||||
if (hash.size() != 32)
|
||||
throw Exception(
|
||||
"Password hash for the 'SHA256_PASSWORD' authentication type has length " + std::to_string(hash.size())
|
||||
+ " but must be exactly 32 bytes.",
|
||||
ErrorCodes::BAD_ARGUMENTS);
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
{
|
||||
if (hash.size() != 20)
|
||||
throw Exception(
|
||||
"Password hash for the 'DOUBLE_SHA1_PASSWORD' authentication type has length " + std::to_string(hash.size())
|
||||
+ " but must be exactly 20 bytes.",
|
||||
ErrorCodes::BAD_ARGUMENTS);
|
||||
password_hash = hash;
|
||||
return;
|
||||
}
|
||||
|
||||
case AuthenticationType::NO_PASSWORD:
|
||||
case AuthenticationType::LDAP:
|
||||
case AuthenticationType::KERBEROS:
|
||||
throw Exception("Cannot specify password binary hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
|
||||
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
break;
|
||||
}
|
||||
throw Exception("setPasswordHashBinary(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
|
||||
}
|
||||
|
||||
}
|
||||
103
src/Access/Common/AuthenticationData.h
Normal file
103
src/Access/Common/AuthenticationData.h
Normal file
@ -0,0 +1,103 @@
|
||||
#pragma once
|
||||
|
||||
#include <base/types.h>
|
||||
#include <vector>
|
||||
|
||||
namespace DB
|
||||
{
|
||||
|
||||
enum class AuthenticationType
|
||||
{
|
||||
/// User doesn't have to enter password.
|
||||
NO_PASSWORD,
|
||||
|
||||
/// Password is stored as is.
|
||||
PLAINTEXT_PASSWORD,
|
||||
|
||||
/// Password is encrypted in SHA256 hash.
|
||||
SHA256_PASSWORD,
|
||||
|
||||
/// SHA1(SHA1(password)).
|
||||
/// This kind of hash is used by the `mysql_native_password` authentication plugin.
|
||||
DOUBLE_SHA1_PASSWORD,
|
||||
|
||||
/// Password is checked by a [remote] LDAP server. Connection will be made at each authentication attempt.
|
||||
LDAP,
|
||||
|
||||
/// Kerberos authentication performed through GSS-API negotiation loop.
|
||||
KERBEROS,
|
||||
|
||||
MAX_TYPE,
|
||||
};
|
||||
|
||||
struct AuthenticationTypeInfo
|
||||
{
|
||||
const char * const raw_name;
|
||||
const String name; /// Lowercased with underscores, e.g. "sha256_password".
|
||||
static const AuthenticationTypeInfo & get(AuthenticationType type_);
|
||||
};
|
||||
|
||||
|
||||
/// Stores data for checking password when a user logins.
|
||||
class AuthenticationData
|
||||
{
|
||||
public:
|
||||
using Digest = std::vector<uint8_t>;
|
||||
|
||||
AuthenticationData(AuthenticationType type_ = AuthenticationType::NO_PASSWORD) : type(type_) {}
|
||||
AuthenticationData(const AuthenticationData & src) = default;
|
||||
AuthenticationData & operator =(const AuthenticationData & src) = default;
|
||||
AuthenticationData(AuthenticationData && src) = default;
|
||||
AuthenticationData & operator =(AuthenticationData && src) = default;
|
||||
|
||||
AuthenticationType getType() const { return type; }
|
||||
|
||||
/// Sets the password and encrypt it using the authentication type set in the constructor.
|
||||
void setPassword(const String & password_);
|
||||
|
||||
/// Returns the password. Allowed to use only for Type::PLAINTEXT_PASSWORD.
|
||||
String getPassword() const;
|
||||
|
||||
/// Sets the password as a string of hexadecimal digits.
|
||||
void setPasswordHashHex(const String & hash);
|
||||
String getPasswordHashHex() const;
|
||||
|
||||
/// Sets the password in binary form.
|
||||
void setPasswordHashBinary(const Digest & hash);
|
||||
const Digest & getPasswordHashBinary() const { return password_hash; }
|
||||
|
||||
/// Sets the server name for authentication type LDAP.
|
||||
const String & getLDAPServerName() const { return ldap_server_name; }
|
||||
void setLDAPServerName(const String & name) { ldap_server_name = name; }
|
||||
|
||||
/// Sets the realm name for authentication type KERBEROS.
|
||||
const String & getKerberosRealm() const { return kerberos_realm; }
|
||||
void setKerberosRealm(const String & realm) { kerberos_realm = realm; }
|
||||
|
||||
friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
|
||||
friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }
|
||||
|
||||
struct Util
|
||||
{
|
||||
static Digest encodePlainText(const std::string_view & text) { return Digest(text.data(), text.data() + text.size()); }
|
||||
static Digest encodeSHA256(const std::string_view & text);
|
||||
static Digest encodeSHA1(const std::string_view & text);
|
||||
static Digest encodeSHA1(const Digest & text) { return encodeSHA1(std::string_view{reinterpret_cast<const char *>(text.data()), text.size()}); }
|
||||
static Digest encodeDoubleSHA1(const std::string_view & text) { return encodeSHA1(encodeSHA1(text)); }
|
||||
static Digest encodeDoubleSHA1(const Digest & text) { return encodeSHA1(encodeSHA1(text)); }
|
||||
};
|
||||
|
||||
private:
|
||||
AuthenticationType type = AuthenticationType::NO_PASSWORD;
|
||||
Digest password_hash;
|
||||
String ldap_server_name;
|
||||
String kerberos_realm;
|
||||
};
|
||||
|
||||
|
||||
inline String toString(AuthenticationType type_)
|
||||
{
|
||||
return AuthenticationTypeInfo::get(type_).raw_name;
|
||||
}
|
||||
|
||||
}
|
||||
5
src/Access/Common/CMakeLists.txt
Normal file
5
src/Access/Common/CMakeLists.txt
Normal file
@ -0,0 +1,5 @@
|
||||
include("${ClickHouse_SOURCE_DIR}/cmake/dbms_glob_sources.cmake")
|
||||
|
||||
add_headers_and_sources(clickhouse_common_access .)
|
||||
add_library(clickhouse_common_access ${clickhouse_common_access_headers} ${clickhouse_common_access_sources})
|
||||
target_link_libraries(clickhouse_common_access PUBLIC clickhouse_common_io)
|
||||
@ -1,19 +1,19 @@
|
||||
#include <Access/DiskAccessStorage.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <IO/ReadHelpers.h>
|
||||
#include <IO/ReadBufferFromFile.h>
|
||||
#include <IO/WriteBufferFromFile.h>
|
||||
#include <IO/ReadBufferFromString.h>
|
||||
#include <Access/AccessEntityIO.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Access/RowPolicy.h>
|
||||
#include <Access/Quota.h>
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Interpreters/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/InterpreterShowGrantsQuery.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <IO/ReadHelpers.h>
|
||||
#include <IO/ReadBufferFromFile.h>
|
||||
#include <IO/WriteBufferFromFile.h>
|
||||
#include <IO/ReadBufferFromString.h>
|
||||
#include <Interpreters/Access/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowGrantsQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <base/logger_useful.h>
|
||||
#include <Poco/JSON/JSON.h>
|
||||
#include <Poco/JSON/Object.h>
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
#include <Access/IAccessStorage.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/Credentials.h>
|
||||
#include <Access/User.h>
|
||||
#include <Common/Exception.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
@ -495,7 +496,7 @@ bool IAccessStorage::areCredentialsValidImpl(
|
||||
if (credentials.getUserName() != user.getName())
|
||||
return false;
|
||||
|
||||
return user.authentication.areCredentialsValid(credentials, external_authenticators);
|
||||
return Authentication::areCredentialsValid(credentials, user.auth_data, external_authenticators);
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -527,8 +527,8 @@ UUID LDAPAccessStorage::loginImpl(const Credentials & credentials, const Poco::N
|
||||
// User does not exist, so we create one, and will add it if authentication is successful.
|
||||
auto user = std::make_shared<User>();
|
||||
user->setName(credentials.getUserName());
|
||||
user->authentication = Authentication(Authentication::Type::LDAP);
|
||||
user->authentication.setLDAPServerName(ldap_server_name);
|
||||
user->auth_data = AuthenticationData(AuthenticationType::LDAP);
|
||||
user->auth_data.setLDAPServerName(ldap_server_name);
|
||||
|
||||
if (!isAddressAllowedImpl(*user, address))
|
||||
throwAddressNotAllowed(address);
|
||||
@ -555,8 +555,8 @@ UUID LDAPAccessStorage::getIDOfLoggedUserImpl(const String & user_name) const
|
||||
// User does not exist, so we create one, and add it pretending that the authentication is successful.
|
||||
auto user = std::make_shared<User>();
|
||||
user->setName(user_name);
|
||||
user->authentication = Authentication(Authentication::Type::LDAP);
|
||||
user->authentication.setLDAPServerName(ldap_server_name);
|
||||
user->auth_data = AuthenticationData(AuthenticationType::LDAP);
|
||||
user->auth_data.setLDAPServerName(ldap_server_name);
|
||||
|
||||
LDAPClient::SearchResultsList external_roles;
|
||||
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <IO/ReadHelpers.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <boost/range/algorithm/set_algorithm.hpp>
|
||||
|
||||
@ -2,11 +2,11 @@
|
||||
#include <Access/SettingsConstraints.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/SettingsProfile.h>
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Core/Settings.h>
|
||||
#include <Common/SettingsChanges.h>
|
||||
#include <IO/ReadHelpers.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <base/removeDuplicates.h>
|
||||
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@ bool User::equal(const IAccessEntity & other) const
|
||||
if (!IAccessEntity::equal(other))
|
||||
return false;
|
||||
const auto & other_user = typeid_cast<const User &>(other);
|
||||
return (authentication == other_user.authentication) && (allowed_client_hosts == other_user.allowed_client_hosts)
|
||||
return (auth_data == other_user.auth_data) && (allowed_client_hosts == other_user.allowed_client_hosts)
|
||||
&& (access == other_user.access) && (granted_roles == other_user.granted_roles) && (default_roles == other_user.default_roles)
|
||||
&& (settings == other_user.settings) && (grantees == other_user.grantees) && (default_database == other_user.default_database);
|
||||
}
|
||||
|
||||
@ -2,8 +2,8 @@
|
||||
|
||||
#include <Access/IAccessEntity.h>
|
||||
#include <Access/AccessRights.h>
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/AllowedClientHosts.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Access/Common/AllowedClientHosts.h>
|
||||
#include <Access/GrantedRoles.h>
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Access/SettingsProfileElement.h>
|
||||
@ -15,7 +15,7 @@ namespace DB
|
||||
*/
|
||||
struct User : public IAccessEntity
|
||||
{
|
||||
Authentication authentication;
|
||||
AuthenticationData auth_data;
|
||||
AllowedClientHosts allowed_client_hosts = AllowedClientHosts::AnyHostTag{};
|
||||
AccessRights access;
|
||||
GrantedRoles granted_roles;
|
||||
|
||||
@ -75,18 +75,18 @@ namespace
|
||||
|
||||
if (has_password_plaintext)
|
||||
{
|
||||
user->authentication = Authentication{Authentication::PLAINTEXT_PASSWORD};
|
||||
user->authentication.setPassword(config.getString(user_config + ".password"));
|
||||
user->auth_data = AuthenticationData{AuthenticationType::PLAINTEXT_PASSWORD};
|
||||
user->auth_data.setPassword(config.getString(user_config + ".password"));
|
||||
}
|
||||
else if (has_password_sha256_hex)
|
||||
{
|
||||
user->authentication = Authentication{Authentication::SHA256_PASSWORD};
|
||||
user->authentication.setPasswordHashHex(config.getString(user_config + ".password_sha256_hex"));
|
||||
user->auth_data = AuthenticationData{AuthenticationType::SHA256_PASSWORD};
|
||||
user->auth_data.setPasswordHashHex(config.getString(user_config + ".password_sha256_hex"));
|
||||
}
|
||||
else if (has_password_double_sha1_hex)
|
||||
{
|
||||
user->authentication = Authentication{Authentication::DOUBLE_SHA1_PASSWORD};
|
||||
user->authentication.setPasswordHashHex(config.getString(user_config + ".password_double_sha1_hex"));
|
||||
user->auth_data = AuthenticationData{AuthenticationType::DOUBLE_SHA1_PASSWORD};
|
||||
user->auth_data.setPasswordHashHex(config.getString(user_config + ".password_double_sha1_hex"));
|
||||
}
|
||||
else if (has_ldap)
|
||||
{
|
||||
@ -98,15 +98,15 @@ namespace
|
||||
if (ldap_server_name.empty())
|
||||
throw Exception("LDAP server name cannot be empty for user " + user_name + ".", ErrorCodes::BAD_ARGUMENTS);
|
||||
|
||||
user->authentication = Authentication{Authentication::LDAP};
|
||||
user->authentication.setLDAPServerName(ldap_server_name);
|
||||
user->auth_data = AuthenticationData{AuthenticationType::LDAP};
|
||||
user->auth_data.setLDAPServerName(ldap_server_name);
|
||||
}
|
||||
else if (has_kerberos)
|
||||
{
|
||||
const auto realm = config.getString(user_config + ".kerberos.realm", "");
|
||||
|
||||
user->authentication = Authentication{Authentication::KERBEROS};
|
||||
user->authentication.setKerberosRealm(realm);
|
||||
user->auth_data = AuthenticationData{AuthenticationType::KERBEROS};
|
||||
user->auth_data.setKerberosRealm(realm);
|
||||
}
|
||||
|
||||
const auto profile_name_config = user_config + ".profile";
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
#include <IO/ReadHelpers.h>
|
||||
#include <IO/ReadWriteBufferFromHTTP.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Access/AccessType.h>
|
||||
#include <Access/Common/AccessType.h>
|
||||
#include <Parsers/IdentifierQuotingStyle.h>
|
||||
#include <Poco/Logger.h>
|
||||
#include <Poco/Net/HTTPRequest.h>
|
||||
|
||||
@ -166,6 +166,7 @@ endif()
|
||||
|
||||
target_link_libraries (clickhouse_common_io PRIVATE jemalloc)
|
||||
|
||||
add_subdirectory(Access/Common)
|
||||
add_subdirectory(Common/ZooKeeper)
|
||||
add_subdirectory(Common/Config)
|
||||
|
||||
@ -197,6 +198,7 @@ add_object_library(clickhouse_databases Databases)
|
||||
add_object_library(clickhouse_databases_mysql Databases/MySQL)
|
||||
add_object_library(clickhouse_disks Disks)
|
||||
add_object_library(clickhouse_interpreters Interpreters)
|
||||
add_object_library(clickhouse_interpreters_access Interpreters/Access)
|
||||
add_object_library(clickhouse_interpreters_mysql Interpreters/MySQL)
|
||||
add_object_library(clickhouse_interpreters_clusterproxy Interpreters/ClusterProxy)
|
||||
add_object_library(clickhouse_interpreters_jit Interpreters/JIT)
|
||||
|
||||
@ -825,7 +825,7 @@ public:
|
||||
Messaging::MessageTransport & mt,
|
||||
const Poco::Net::SocketAddress & address) = 0;
|
||||
|
||||
virtual Authentication::Type getType() const = 0;
|
||||
virtual AuthenticationType getType() const = 0;
|
||||
|
||||
virtual ~AuthenticationMethod() = default;
|
||||
};
|
||||
@ -842,9 +842,9 @@ public:
|
||||
return setPassword(user_name, "", session, mt, address);
|
||||
}
|
||||
|
||||
Authentication::Type getType() const override
|
||||
AuthenticationType getType() const override
|
||||
{
|
||||
return Authentication::Type::NO_PASSWORD;
|
||||
return AuthenticationType::NO_PASSWORD;
|
||||
}
|
||||
};
|
||||
|
||||
@ -873,9 +873,9 @@ public:
|
||||
ErrorCodes::UNEXPECTED_PACKET_FROM_CLIENT);
|
||||
}
|
||||
|
||||
Authentication::Type getType() const override
|
||||
AuthenticationType getType() const override
|
||||
{
|
||||
return Authentication::Type::PLAINTEXT_PASSWORD;
|
||||
return AuthenticationType::PLAINTEXT_PASSWORD;
|
||||
}
|
||||
};
|
||||
|
||||
@ -883,7 +883,7 @@ class AuthenticationManager
|
||||
{
|
||||
private:
|
||||
Poco::Logger * log = &Poco::Logger::get("AuthenticationManager");
|
||||
std::unordered_map<Authentication::Type, std::shared_ptr<AuthenticationMethod>> type_to_method = {};
|
||||
std::unordered_map<AuthenticationType, std::shared_ptr<AuthenticationMethod>> type_to_method = {};
|
||||
|
||||
public:
|
||||
AuthenticationManager(const std::vector<std::shared_ptr<AuthenticationMethod>> & auth_methods)
|
||||
@ -900,7 +900,7 @@ public:
|
||||
Messaging::MessageTransport & mt,
|
||||
const Poco::Net::SocketAddress & address)
|
||||
{
|
||||
const Authentication::Type user_auth_type = session.getAuthenticationTypeOrLogInFailure(user_name);
|
||||
const AuthenticationType user_auth_type = session.getAuthenticationTypeOrLogInFailure(user_name);
|
||||
if (type_to_method.find(user_auth_type) != type_to_method.end())
|
||||
{
|
||||
type_to_method[user_auth_type]->authenticate(user_name, session, mt, address);
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
#include <Columns/ColumnTuple.h>
|
||||
#include <Columns/ColumnNullable.h>
|
||||
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/ExternalDictionariesLoader.h>
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
#include <Functions/FunctionFactory.h>
|
||||
#include <IO/WriteBufferFromArena.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
|
||||
#include <mutex>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Functions/IFunction.h>
|
||||
#include <Functions/FunctionFactory.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
#include <Functions/IFunction.h>
|
||||
#include <Functions/FunctionFactory.h>
|
||||
#include <IO/WriteHelpers.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
|
||||
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
#include <Interpreters/InterpreterCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Access/InterpreterCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <base/range.h>
|
||||
#include <boost/range/algorithm/find_if.hpp>
|
||||
#include <boost/range/algorithm/upper_bound.hpp>
|
||||
@ -1,9 +1,9 @@
|
||||
#include <Interpreters/InterpreterCreateRoleQuery.h>
|
||||
#include <Parsers/ASTCreateRoleQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRoleQuery.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,12 +1,12 @@
|
||||
#include <Interpreters/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <boost/range/algorithm/sort.hpp>
|
||||
|
||||
|
||||
@ -1,11 +1,11 @@
|
||||
#include <Interpreters/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/Access/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/SettingsProfile.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,14 +1,14 @@
|
||||
#include <Interpreters/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterSetRoleQuery.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/ASTUserNameWithHost.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Access/InterpreterCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTUserNameWithHost.h>
|
||||
#include <Parsers/ASTDatabaseOrNone.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/ContextAccess.h>
|
||||
#include <Access/User.h>
|
||||
#include <Interpreters/Access/InterpreterSetRoleQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <boost/range/algorithm/copy.hpp>
|
||||
|
||||
|
||||
@ -31,8 +31,8 @@ namespace
|
||||
else if (query.names->size() == 1)
|
||||
user.setName(query.names->front()->toString());
|
||||
|
||||
if (query.authentication)
|
||||
user.authentication = *query.authentication;
|
||||
if (query.auth_data)
|
||||
user.auth_data = *query.auth_data;
|
||||
|
||||
if (override_name && !override_name->host_pattern.empty())
|
||||
{
|
||||
@ -1,15 +1,15 @@
|
||||
#include <Interpreters/InterpreterDropAccessEntityQuery.h>
|
||||
#include <Parsers/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/Access/InterpreterDropAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Access/Quota.h>
|
||||
#include <Access/RowPolicy.h>
|
||||
#include <Access/SettingsProfile.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,14 +1,14 @@
|
||||
#include <Interpreters/InterpreterGrantQuery.h>
|
||||
#include <Interpreters/QueryLog.h>
|
||||
#include <Parsers/ASTGrantQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/Access/InterpreterGrantQuery.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/ContextAccess.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/QueryLog.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <boost/range/algorithm/copy.hpp>
|
||||
#include <boost/range/algorithm/set_algorithm.hpp>
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
#include <Interpreters/InterpreterSetRoleQuery.h>
|
||||
#include <Parsers/ASTSetRoleQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/Access/InterpreterSetRoleQuery.h>
|
||||
#include <Parsers/Access/ASTSetRoleQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/User.h>
|
||||
#include <Interpreters/Context.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,10 +1,10 @@
|
||||
#include <Interpreters/InterpreterShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/Access/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Interpreters/executeQuery.h>
|
||||
#include <Common/StringUtils/StringUtils.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeQuery.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,13 +1,13 @@
|
||||
#include <Interpreters/InterpreterShowAccessQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowAccessQuery.h>
|
||||
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/InterpreterShowGrantsQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowGrantsQuery.h>
|
||||
#include <Columns/ColumnString.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <base/range.h>
|
||||
#include <boost/range/algorithm/sort.hpp>
|
||||
@ -1,15 +1,14 @@
|
||||
#include <Interpreters/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTShowCreateAccessEntityQuery.h>
|
||||
#include <Parsers/ASTUserNameWithHost.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Interpreters/Access/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTShowCreateAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTUserNameWithHost.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <Parsers/ExpressionListParsers.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Parsers/parseQuery.h>
|
||||
@ -20,10 +19,11 @@
|
||||
#include <Access/Role.h>
|
||||
#include <Access/SettingsProfile.h>
|
||||
#include <Columns/ColumnString.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Common/StringUtils/StringUtils.h>
|
||||
#include <Core/Defines.h>
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
#include <base/range.h>
|
||||
#include <boost/range/algorithm/sort.hpp>
|
||||
|
||||
@ -59,9 +59,9 @@ namespace
|
||||
query->default_roles = user.default_roles.toASTWithNames(*manager);
|
||||
}
|
||||
|
||||
if (user.authentication.getType() != Authentication::NO_PASSWORD)
|
||||
if (user.auth_data.getType() != AuthenticationType::NO_PASSWORD)
|
||||
{
|
||||
query->authentication = user.authentication;
|
||||
query->auth_data = user.auth_data;
|
||||
query->show_password = attach_mode; /// We don't show password unless it's an ATTACH statement.
|
||||
}
|
||||
|
||||
@ -1,16 +1,16 @@
|
||||
#include <Interpreters/InterpreterShowGrantsQuery.h>
|
||||
#include <Parsers/ASTShowGrantsQuery.h>
|
||||
#include <Parsers/ASTGrantQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Interpreters/Access/InterpreterShowGrantsQuery.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTShowGrantsQuery.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Columns/ColumnString.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Access/AccessControlManager.h>
|
||||
#include <Access/User.h>
|
||||
#include <Access/Role.h>
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Access/User.h>
|
||||
#include <Columns/ColumnString.h>
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
#include <boost/range/algorithm/sort.hpp>
|
||||
#include <boost/range/algorithm_ext/push_back.hpp>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Interpreters/InterpreterShowPrivilegesQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowPrivilegesQuery.h>
|
||||
#include <Interpreters/executeQuery.h>
|
||||
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
#include <Storages/IStorage.h>
|
||||
#include <Common/SipHash.h>
|
||||
#include <Common/FieldVisitorHash.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Formats/FormatFactory.h>
|
||||
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#include <Interpreters/InterpreterAlterQuery.h>
|
||||
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Databases/DatabaseFactory.h>
|
||||
#include <Databases/DatabaseReplicated.h>
|
||||
#include <Databases/IDatabase.h>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterCheckQuery.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Storages/IStorage.h>
|
||||
#include <Parsers/ASTCheckQuery.h>
|
||||
#include <Processors/Sources/SourceFromSingleChunk.h>
|
||||
|
||||
@ -41,7 +41,7 @@
|
||||
#include <Interpreters/InterpreterInsertQuery.h>
|
||||
#include <Interpreters/AddDefaultDatabaseVisitor.h>
|
||||
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
|
||||
#include <DataTypes/DataTypeFactory.h>
|
||||
#include <DataTypes/NestedUtils.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#pragma once
|
||||
|
||||
#include <Core/NamesAndAliases.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Interpreters/IInterpreter.h>
|
||||
#include <Storages/ColumnsDescription.h>
|
||||
#include <Storages/ConstraintsDescription.h>
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterDescribeQuery.h>
|
||||
#include <Interpreters/IdentifierSemantic.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Parsers/ASTIdentifier.h>
|
||||
#include <Parsers/ASTFunction.h>
|
||||
#include <Parsers/ASTTablesInSelectQuery.h>
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
#include <Interpreters/InterpreterDropQuery.h>
|
||||
#include <Interpreters/ExternalDictionariesLoader.h>
|
||||
#include <Interpreters/QueryLog.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Parsers/ASTDropQuery.h>
|
||||
#include <Storages/IStorage.h>
|
||||
#include <Common/escapeForFileName.h>
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
#include <Columns/ColumnsNumber.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterExistsQuery.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Common/typeid_cast.h>
|
||||
|
||||
namespace DB
|
||||
|
||||
@ -2,17 +2,10 @@
|
||||
#include <Parsers/ASTBackupQuery.h>
|
||||
#include <Parsers/ASTCheckQuery.h>
|
||||
#include <Parsers/ASTCreateQuery.h>
|
||||
#include <Parsers/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/ASTCreateFunctionQuery.h>
|
||||
#include <Parsers/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/ASTDropFunctionQuery.h>
|
||||
#include <Parsers/ASTDropQuery.h>
|
||||
#include <Parsers/ASTExplainQuery.h>
|
||||
#include <Parsers/ASTGrantQuery.h>
|
||||
#include <Parsers/ASTInsertQuery.h>
|
||||
#include <Parsers/ASTSelectIntersectExceptQuery.h>
|
||||
#include <Parsers/ASTKillQueryQuery.h>
|
||||
@ -21,12 +14,6 @@
|
||||
#include <Parsers/ASTSelectQuery.h>
|
||||
#include <Parsers/ASTSelectWithUnionQuery.h>
|
||||
#include <Parsers/ASTSetQuery.h>
|
||||
#include <Parsers/ASTSetRoleQuery.h>
|
||||
#include <Parsers/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/ASTShowAccessQuery.h>
|
||||
#include <Parsers/ASTShowCreateAccessEntityQuery.h>
|
||||
#include <Parsers/ASTShowGrantsQuery.h>
|
||||
#include <Parsers/ASTShowPrivilegesQuery.h>
|
||||
#include <Parsers/ASTShowProcesslistQuery.h>
|
||||
#include <Parsers/ASTShowTablesQuery.h>
|
||||
#include <Parsers/ASTUseQuery.h>
|
||||
@ -34,26 +21,33 @@
|
||||
#include <Parsers/MySQL/ASTCreateQuery.h>
|
||||
#include <Parsers/TablePropertiesQueriesASTs.h>
|
||||
|
||||
#include <Parsers/Access/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
#include <Parsers/Access/ASTSetRoleQuery.h>
|
||||
#include <Parsers/Access/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/Access/ASTShowAccessQuery.h>
|
||||
#include <Parsers/Access/ASTShowCreateAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTShowGrantsQuery.h>
|
||||
#include <Parsers/Access/ASTShowPrivilegesQuery.h>
|
||||
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterAlterQuery.h>
|
||||
#include <Interpreters/InterpreterBackupQuery.h>
|
||||
#include <Interpreters/InterpreterCheckQuery.h>
|
||||
#include <Interpreters/InterpreterCreateFunctionQuery.h>
|
||||
#include <Interpreters/InterpreterCreateQuery.h>
|
||||
#include <Interpreters/InterpreterCreateQuotaQuery.h>
|
||||
#include <Interpreters/InterpreterCreateRoleQuery.h>
|
||||
#include <Interpreters/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Interpreters/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Interpreters/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/InterpreterDescribeQuery.h>
|
||||
#include <Interpreters/InterpreterDropAccessEntityQuery.h>
|
||||
#include <Interpreters/InterpreterDropFunctionQuery.h>
|
||||
#include <Interpreters/InterpreterDropQuery.h>
|
||||
#include <Interpreters/InterpreterExistsQuery.h>
|
||||
#include <Interpreters/InterpreterExplainQuery.h>
|
||||
#include <Interpreters/InterpreterExternalDDLQuery.h>
|
||||
#include <Interpreters/InterpreterFactory.h>
|
||||
#include <Interpreters/InterpreterGrantQuery.h>
|
||||
#include <Interpreters/InterpreterInsertQuery.h>
|
||||
#include <Interpreters/InterpreterSelectIntersectExceptQuery.h>
|
||||
#include <Interpreters/InterpreterKillQueryQuery.h>
|
||||
@ -62,13 +56,7 @@
|
||||
#include <Interpreters/InterpreterSelectQuery.h>
|
||||
#include <Interpreters/InterpreterSelectWithUnionQuery.h>
|
||||
#include <Interpreters/InterpreterSetQuery.h>
|
||||
#include <Interpreters/InterpreterSetRoleQuery.h>
|
||||
#include <Interpreters/InterpreterShowAccessEntitiesQuery.h>
|
||||
#include <Interpreters/InterpreterShowAccessQuery.h>
|
||||
#include <Interpreters/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/InterpreterShowCreateQuery.h>
|
||||
#include <Interpreters/InterpreterShowGrantsQuery.h>
|
||||
#include <Interpreters/InterpreterShowPrivilegesQuery.h>
|
||||
#include <Interpreters/InterpreterShowProcesslistQuery.h>
|
||||
#include <Interpreters/InterpreterShowTablesQuery.h>
|
||||
#include <Interpreters/InterpreterSystemQuery.h>
|
||||
@ -76,6 +64,20 @@
|
||||
#include <Interpreters/InterpreterWatchQuery.h>
|
||||
#include <Interpreters/OpenTelemetrySpanLog.h>
|
||||
|
||||
#include <Interpreters/Access/InterpreterCreateQuotaQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRoleQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateRowPolicyQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateSettingsProfileQuery.h>
|
||||
#include <Interpreters/Access/InterpreterCreateUserQuery.h>
|
||||
#include <Interpreters/Access/InterpreterDropAccessEntityQuery.h>
|
||||
#include <Interpreters/Access/InterpreterGrantQuery.h>
|
||||
#include <Interpreters/Access/InterpreterSetRoleQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowAccessEntitiesQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowAccessQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowCreateAccessEntityQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowGrantsQuery.h>
|
||||
#include <Interpreters/Access/InterpreterShowPrivilegesQuery.h>
|
||||
|
||||
#include <Parsers/ASTSystemQuery.h>
|
||||
|
||||
#include <Databases/MySQL/MaterializedMySQLSyncThread.h>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#include <Interpreters/InterpreterInsertQuery.h>
|
||||
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Columns/ColumnNullable.h>
|
||||
#include <Processors/Transforms/buildPushingToViewsChain.h>
|
||||
#include <DataTypes/DataTypeNullable.h>
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/InterpreterOptimizeQuery.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Common/typeid_cast.h>
|
||||
#include <Parsers/ASTExpressionList.h>
|
||||
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
#include <Storages/IStorage.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <Interpreters/QueryLog.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Common/typeid_cast.h>
|
||||
#include <Databases/DatabaseReplicated.h>
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
#include <Parsers/ExpressionListParsers.h>
|
||||
#include <Parsers/parseQuery.h>
|
||||
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Access/ContextAccess.h>
|
||||
|
||||
#include <AggregateFunctions/AggregateFunctionCount.h>
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
#include <DataTypes/DataTypeString.h>
|
||||
#include <Columns/ColumnString.h>
|
||||
#include <Common/typeid_cast.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterShowCreateQuery.h>
|
||||
#include <Parsers/ASTCreateQuery.h>
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
#include <Interpreters/ZooKeeperLog.h>
|
||||
#include <Interpreters/JIT/CompiledExpressionCache.h>
|
||||
#include <Access/ContextAccess.h>
|
||||
#include <Access/AllowedClientHosts.h>
|
||||
#include <Access/Common/AllowedClientHosts.h>
|
||||
#include <Databases/IDatabase.h>
|
||||
#include <Disks/DiskRestartProxy.h>
|
||||
#include <Storages/StorageDistributed.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#include <Parsers/ASTUseQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/InterpreterUseQuery.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Common/typeid_cast.h>
|
||||
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ limitations under the License. */
|
||||
#include <Parsers/ASTWatchQuery.h>
|
||||
#include <Interpreters/InterpreterWatchQuery.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Access/AccessFlags.h>
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <QueryPipeline/StreamLocalLimits.h>
|
||||
|
||||
|
||||
|
||||
@ -271,12 +271,12 @@ Session::~Session()
|
||||
}
|
||||
}
|
||||
|
||||
Authentication::Type Session::getAuthenticationType(const String & user_name) const
|
||||
AuthenticationType Session::getAuthenticationType(const String & user_name) const
|
||||
{
|
||||
return global_context->getAccessControlManager().read<User>(user_name)->authentication.getType();
|
||||
return global_context->getAccessControlManager().read<User>(user_name)->auth_data.getType();
|
||||
}
|
||||
|
||||
Authentication::Type Session::getAuthenticationTypeOrLogInFailure(const String & user_name) const
|
||||
AuthenticationType Session::getAuthenticationTypeOrLogInFailure(const String & user_name) const
|
||||
{
|
||||
try
|
||||
{
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#pragma once
|
||||
|
||||
#include <Common/SettingsChanges.h>
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Interpreters/ClientInfo.h>
|
||||
#include <Interpreters/Context_fwd.h>
|
||||
|
||||
@ -14,7 +14,7 @@ namespace Poco::Net { class SocketAddress; }
|
||||
namespace DB
|
||||
{
|
||||
class Credentials;
|
||||
class Authentication;
|
||||
class AuthenticationData;
|
||||
struct NamedSessionData;
|
||||
class NamedSessionsStorage;
|
||||
struct User;
|
||||
@ -41,10 +41,10 @@ public:
|
||||
Session& operator=(const Session &) = delete;
|
||||
|
||||
/// Provides information about the authentication type of a specified user.
|
||||
Authentication::Type getAuthenticationType(const String & user_name) const;
|
||||
AuthenticationType getAuthenticationType(const String & user_name) const;
|
||||
|
||||
/// Same as getAuthenticationType, but adds LoginFailure event in case of error.
|
||||
Authentication::Type getAuthenticationTypeOrLogInFailure(const String & user_name) const;
|
||||
AuthenticationType getAuthenticationTypeOrLogInFailure(const String & user_name) const;
|
||||
|
||||
/// Sets the current user, checks the credentials and that the specified address is allowed to connect from.
|
||||
/// The function throws an exception if there is no such user or password is wrong.
|
||||
|
||||
@ -45,7 +45,7 @@ auto eventTime()
|
||||
return std::make_pair(time_in_seconds(finish_time), time_in_microseconds(finish_time));
|
||||
}
|
||||
|
||||
using AuthType = Authentication::Type;
|
||||
using AuthType = AuthenticationType;
|
||||
using Interface = ClientInfo::Interface;
|
||||
|
||||
void fillColumnArray(const Strings & data, IColumn & column)
|
||||
@ -84,7 +84,7 @@ NamesAndTypesList SessionLogElement::getNamesAndTypes()
|
||||
{"Logout", static_cast<Int8>(SESSION_LOGOUT)}
|
||||
});
|
||||
|
||||
#define AUTH_TYPE_NAME_AND_VALUE(v) std::make_pair(Authentication::TypeInfo::get(v).raw_name, static_cast<Int8>(v))
|
||||
#define AUTH_TYPE_NAME_AND_VALUE(v) std::make_pair(AuthenticationTypeInfo::get(v).raw_name, static_cast<Int8>(v))
|
||||
const auto identified_with_column = std::make_shared<DataTypeEnum8>(
|
||||
DataTypeEnum8::Values
|
||||
{
|
||||
@ -152,7 +152,7 @@ NamesAndTypesList SessionLogElement::getNamesAndTypes()
|
||||
void SessionLogElement::appendToBlock(MutableColumns & columns) const
|
||||
{
|
||||
assert(type >= SESSION_LOGIN_FAILURE && type <= SESSION_LOGOUT);
|
||||
assert(user_identified_with >= Authentication::Type::NO_PASSWORD && user_identified_with <= Authentication::Type::MAX_TYPE);
|
||||
assert(user_identified_with >= AuthenticationType::NO_PASSWORD && user_identified_with <= AuthenticationType::MAX_TYPE);
|
||||
|
||||
size_t i = 0;
|
||||
|
||||
@ -214,8 +214,8 @@ void SessionLog::addLoginSuccess(const UUID & auth_id, std::optional<String> ses
|
||||
{
|
||||
const auto user = access->getUser();
|
||||
log_entry.user = user->getName();
|
||||
log_entry.user_identified_with = user->authentication.getType();
|
||||
log_entry.external_auth_server = user->authentication.getLDAPServerName();
|
||||
log_entry.user_identified_with = user->auth_data.getType();
|
||||
log_entry.external_auth_server = user->auth_data.getLDAPServerName();
|
||||
}
|
||||
|
||||
if (session_id)
|
||||
@ -244,7 +244,7 @@ void SessionLog::addLoginFailure(
|
||||
log_entry.user = user;
|
||||
log_entry.auth_failure_reason = reason.message();
|
||||
log_entry.client_info = info;
|
||||
log_entry.user_identified_with = Authentication::Type::NO_PASSWORD;
|
||||
log_entry.user_identified_with = AuthenticationType::NO_PASSWORD;
|
||||
|
||||
add(log_entry);
|
||||
}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
#include <Interpreters/SystemLog.h>
|
||||
#include <Interpreters/ClientInfo.h>
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
|
||||
namespace DB
|
||||
{
|
||||
@ -42,7 +42,7 @@ struct SessionLogElement
|
||||
Decimal64 event_time_microseconds{};
|
||||
|
||||
String user;
|
||||
Authentication::Type user_identified_with = Authentication::Type::NO_PASSWORD;
|
||||
AuthenticationType user_identified_with = AuthenticationType::NO_PASSWORD;
|
||||
String external_auth_server;
|
||||
Strings roles;
|
||||
Strings profiles;
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
#include <Parsers/ASTQueryWithOnCluster.h>
|
||||
#include <Parsers/ASTAlterQuery.h>
|
||||
#include <Parsers/queryToString.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Access/ContextAccess.h>
|
||||
#include <Common/Macros.h>
|
||||
#include <Common/ZooKeeper/ZooKeeper.h>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#include <Parsers/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTCreateQuotaQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <Common/IntervalKind.h>
|
||||
#include <base/range.h>
|
||||
@ -1,5 +1,5 @@
|
||||
#include <Parsers/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/Access/ASTCreateRoleQuery.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,11 +1,11 @@
|
||||
#include <Parsers/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTCreateRowPolicyQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <Parsers/formatAST.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
#include <base/range.h>
|
||||
#include <boost/range/algorithm/transform.hpp>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -1,6 +1,6 @@
|
||||
#include <Parsers/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#include <Parsers/ASTCreateUserQuery.h>
|
||||
#include <Parsers/ASTUserNameWithHost.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/Access/ASTUserNameWithHost.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -23,67 +23,67 @@ namespace
|
||||
}
|
||||
|
||||
|
||||
void formatAuthentication(const Authentication & authentication, bool show_password, const IAST::FormatSettings & settings)
|
||||
void formatAuthenticationData(const AuthenticationData & auth_data, bool show_password, const IAST::FormatSettings & settings)
|
||||
{
|
||||
auto authentication_type = authentication.getType();
|
||||
if (authentication_type == Authentication::NO_PASSWORD)
|
||||
auto auth_type = auth_data.getType();
|
||||
if (auth_type == AuthenticationType::NO_PASSWORD)
|
||||
{
|
||||
settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " NOT IDENTIFIED"
|
||||
<< (settings.hilite ? IAST::hilite_none : "");
|
||||
return;
|
||||
}
|
||||
|
||||
String authentication_type_name = Authentication::TypeInfo::get(authentication_type).name;
|
||||
String auth_type_name = AuthenticationTypeInfo::get(auth_type).name;
|
||||
String by_keyword = "BY";
|
||||
std::optional<String> by_value;
|
||||
|
||||
if (
|
||||
show_password ||
|
||||
authentication_type == Authentication::LDAP ||
|
||||
authentication_type == Authentication::KERBEROS
|
||||
auth_type == AuthenticationType::LDAP ||
|
||||
auth_type == AuthenticationType::KERBEROS
|
||||
)
|
||||
{
|
||||
switch (authentication_type)
|
||||
switch (auth_type)
|
||||
{
|
||||
case Authentication::PLAINTEXT_PASSWORD:
|
||||
case AuthenticationType::PLAINTEXT_PASSWORD:
|
||||
{
|
||||
by_value = authentication.getPassword();
|
||||
by_value = auth_data.getPassword();
|
||||
break;
|
||||
}
|
||||
case Authentication::SHA256_PASSWORD:
|
||||
case AuthenticationType::SHA256_PASSWORD:
|
||||
{
|
||||
authentication_type_name = "sha256_hash";
|
||||
by_value = authentication.getPasswordHashHex();
|
||||
auth_type_name = "sha256_hash";
|
||||
by_value = auth_data.getPasswordHashHex();
|
||||
break;
|
||||
}
|
||||
case Authentication::DOUBLE_SHA1_PASSWORD:
|
||||
case AuthenticationType::DOUBLE_SHA1_PASSWORD:
|
||||
{
|
||||
authentication_type_name = "double_sha1_hash";
|
||||
by_value = authentication.getPasswordHashHex();
|
||||
auth_type_name = "double_sha1_hash";
|
||||
by_value = auth_data.getPasswordHashHex();
|
||||
break;
|
||||
}
|
||||
case Authentication::LDAP:
|
||||
case AuthenticationType::LDAP:
|
||||
{
|
||||
by_keyword = "SERVER";
|
||||
by_value = authentication.getLDAPServerName();
|
||||
by_value = auth_data.getLDAPServerName();
|
||||
break;
|
||||
}
|
||||
case Authentication::KERBEROS:
|
||||
case AuthenticationType::KERBEROS:
|
||||
{
|
||||
by_keyword = "REALM";
|
||||
const auto & realm = authentication.getKerberosRealm();
|
||||
const auto & realm = auth_data.getKerberosRealm();
|
||||
if (!realm.empty())
|
||||
by_value = realm;
|
||||
break;
|
||||
}
|
||||
|
||||
case Authentication::NO_PASSWORD: [[fallthrough]];
|
||||
case Authentication::MAX_TYPE:
|
||||
throw Exception("AST: Unexpected authentication type " + toString(authentication_type), ErrorCodes::LOGICAL_ERROR);
|
||||
case AuthenticationType::NO_PASSWORD: [[fallthrough]];
|
||||
case AuthenticationType::MAX_TYPE:
|
||||
throw Exception("AST: Unexpected authentication type " + toString(auth_type), ErrorCodes::LOGICAL_ERROR);
|
||||
}
|
||||
}
|
||||
|
||||
settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " IDENTIFIED WITH " << authentication_type_name
|
||||
settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " IDENTIFIED WITH " << auth_type_name
|
||||
<< (settings.hilite ? IAST::hilite_none : "");
|
||||
|
||||
if (by_value)
|
||||
@ -258,8 +258,8 @@ void ASTCreateUserQuery::formatImpl(const FormatSettings & format, FormatState &
|
||||
if (!new_name.empty())
|
||||
formatRenameTo(new_name, format);
|
||||
|
||||
if (authentication)
|
||||
formatAuthentication(*authentication, show_password, format);
|
||||
if (auth_data)
|
||||
formatAuthenticationData(*auth_data, show_password, format);
|
||||
|
||||
if (hosts)
|
||||
formatHosts(nullptr, *hosts, format);
|
||||
@ -3,8 +3,8 @@
|
||||
#include <Parsers/IAST.h>
|
||||
#include <Parsers/ASTQueryWithOnCluster.h>
|
||||
#include <Parsers/ASTDatabaseOrNone.h>
|
||||
#include <Access/Authentication.h>
|
||||
#include <Access/AllowedClientHosts.h>
|
||||
#include <Access/Common/AuthenticationData.h>
|
||||
#include <Access/Common/AllowedClientHosts.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -44,7 +44,7 @@ public:
|
||||
std::shared_ptr<ASTUserNamesWithHost> names;
|
||||
String new_name;
|
||||
|
||||
std::optional<Authentication> authentication;
|
||||
std::optional<AuthenticationData> auth_data;
|
||||
bool show_password = true; /// formatImpl() will show the password or hash.
|
||||
|
||||
std::optional<AllowedClientHosts> hosts;
|
||||
@ -1,5 +1,5 @@
|
||||
#include <Parsers/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Parsers/Access/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#include <Parsers/ASTGrantQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#pragma once
|
||||
|
||||
#include <Parsers/IAST.h>
|
||||
#include <Access/AccessRightsElement.h>
|
||||
#include <Access/Common/AccessRightsElement.h>
|
||||
#include <Parsers/ASTQueryWithOnCluster.h>
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Parsers/ASTRowPolicyName.h>
|
||||
#include <Parsers/Access/ASTRowPolicyName.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#include <Parsers/ASTSetRoleQuery.h>
|
||||
#include <Parsers/ASTRolesOrUsersSet.h>
|
||||
#include <Parsers/Access/ASTSetRoleQuery.h>
|
||||
#include <Parsers/Access/ASTRolesOrUsersSet.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Parsers/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/Access/ASTSettingsProfileElement.h>
|
||||
#include <Parsers/formatSettingName.h>
|
||||
#include <Common/FieldVisitorToString.h>
|
||||
#include <Common/quoteString.h>
|
||||
@ -1,4 +1,4 @@
|
||||
#include <Parsers/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Parsers/Access/ASTShowAccessEntitiesQuery.h>
|
||||
#include <Common/quoteString.h>
|
||||
#include <IO/Operators.h>
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user