Commit Graph

56 Commits

Author SHA1 Message Date
Aleksei Filatov
0a1f3f205c
Add external HTTP Basic authenticator (#55199) 2023-10-20 19:24:19 +02:00
Robert Schulze
583d9b33f0
Merge pull request #51446 from rschu1ze/recfgable-caches
Runtime-reconfigurable cache sizes
2023-08-21 23:27:21 +02:00
Robert Schulze
8cbf626d0f
Cosmetics 2023-08-21 14:08:44 +00:00
Alexander Tokmakov
334e014c2c Merge branch 'master' into ignore_on_cluster_for_replicated_entity_queries 2023-08-18 17:48:37 +02:00
Aleksei Filatov
4734d416a5 Add settings and processing code 2023-08-03 12:44:44 +03:00
pufit
6f2404b792 Additional info in exception 2023-07-28 22:18:53 -04:00
pufit
9dbb106dc1 Fix tests, docs 2023-07-27 23:37:09 -04:00
pufit
13d9952227 add id to insertImpl 2023-07-27 00:38:51 -04:00
pufit
2a00e2aa6a Implement MOVE query for the access entities. 2023-07-20 22:20:36 -04:00
pufit
77e45e5669 Add DROP ROLE ... FROM and CREATE ROLE ... AT syntax 2023-07-10 20:23:03 -04:00
Alexander Tokmakov
70d1adfe4b
Better formatting for exception messages (#45449)
* save format string for NetException

* format exceptions

* format exceptions 2

* format exceptions 3

* format exceptions 4

* format exceptions 5

* format exceptions 6

* fix

* format exceptions 7

* format exceptions 8

* Update MergeTreeIndexGin.cpp

* Update AggregateFunctionMap.cpp

* Update AggregateFunctionMap.cpp

* fix
2023-01-24 00:13:58 +03:00
Vitaly Baranov
5365b105cc Add SYSTEM RELOAD USERS command. 2022-09-18 12:44:00 +02:00
Vitaly Baranov
e367d96964 Fix style. 2022-06-30 15:10:33 +02:00
Vitaly Baranov
5456bde4a2 Improve gathering metadata for storing ACL in backups. 2022-06-30 09:46:37 +02:00
Robert Schulze
55b39e709d
Merge remote-tracking branch 'origin/master' into clang-tsa 2022-06-20 16:39:32 +02:00
Robert Schulze
5a4f21c50f
Support for Clang Thread Safety Analysis (TSA)
- TSA is a static analyzer build by Google which finds race conditions
  and deadlocks at compile time.

- It works by associating a shared member variable with a
  synchronization primitive that protects it. The compiler can then
  check at each access if proper locking happened before. A good
  introduction are [0] and [1].

- TSA requires some help by the programmer via annotations. Luckily,
  LLVM's libcxx already has annotations for std::mutex, std::lock_guard,
  std::shared_mutex and std::scoped_lock. This commit enables them
  (--> contrib/libcxx-cmake/CMakeLists.txt).

- Further, this commit adds convenience macros for the low-level
  annotations for use in ClickHouse (--> base/defines.h). For
  demonstration, they are leveraged in a few places.

- As we compile with "-Wall -Wextra -Weverything", the required compiler
  flag "-Wthread-safety-analysis" was already enabled. Negative checks
  are an experimental feature of TSA and disabled
  (--> cmake/warnings.cmake). Compile times did not increase noticeably.

- TSA is used in a few places with simple locking. I tried TSA also
  where locking is more complex. The problem was usually that it is
  unclear which data is protected by which lock :-(. But there was
  definitely some weird code where locking looked broken. So there is
  some potential to find bugs.

*** Limitations of TSA besides the ones listed in [1]:

- The programmer needs to know which lock protects which piece of shared
  data. This is not always easy for large classes.

- Two synchronization primitives used in ClickHouse are not annotated in
  libcxx:
  (1) std::unique_lock: A releaseable lock handle often together with
      std::condition_variable, e.g. in solve producer-consumer problems.
  (2) std::recursive_mutex: A re-entrant mutex variant. Its usage can be
      considered a design flaw + typically it is slower than a standard
      mutex. In this commit, one std::recursive_mutex was converted to
      std::mutex and annotated with TSA.

- For free-standing functions (e.g. helper functions) which are passed
  shared data members, it can be tricky to specify the associated lock.
  This is because the annotations use the normal C++ rules for symbol
  resolution.

[0] https://clang.llvm.org/docs/ThreadSafetyAnalysis.html
[1] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42958.pdf
2022-06-20 16:13:25 +02:00
Vitaly Baranov
8a7c970ce0 Fix style. 2022-06-19 15:58:26 +02:00
Vitaly Baranov
a0c558a17e Implement backup/restore for ACL system tables (system.users, system.roles, etc.) 2022-06-17 18:14:31 +02:00
Vitaly Baranov
58f4a86ec7 Rework notifications used in access management. 2022-05-21 10:15:39 +02:00
Robert Schulze
118e94523c
Activate clang-tidy warning "readability-container-contains"
This check suggests replacing <Container>.count() by
<Container>.contains() which is more speaking and in case of
multimaps/multisets also faster.
2022-04-18 23:53:11 +02:00
Vitaly Baranov
1eb2e8693e Fix code style and other minor corrections after implementing allow_no_password. 2022-03-14 20:55:34 +01:00
HeenaBansal2009
3ce9397246 Added Suggestions from Code review 2022-03-09 20:35:01 -08:00
Vitaly Baranov
80cdfa5ec6 Fix using multiple LDAP storages in the same config. 2022-01-13 20:01:50 +07:00
Vitaly Baranov
c9b9c90615 Don't throw in unexceptional cases: authenticate(). 2021-12-23 01:17:50 +03:00
Vitaly Baranov
61bfe930db When trying to update readonly and non-readonly access storages in one query, throw after updating non-readonly ones. 2021-12-23 01:17:45 +03:00
Vitaly Baranov
be44743ebe Don't throw in unexceptional cases: update(). 2021-12-20 23:10:46 +03:00
Vitaly Baranov
ed94c640fa Don't throw in unexceptional cases: remove(). 2021-12-20 23:10:43 +03:00
Vitaly Baranov
551fcc55e8 Don't throw in unexceptional cases: insert(). 2021-12-20 23:09:55 +03:00
Vitaly Baranov
8c4e689da3 Don't throw in unexceptional cases: read() & readName() 2021-12-20 21:26:35 +03:00
Vitaly Baranov
a87f0b483e Replace function IAccessStorage::canInsert() with isReadOnly(). 2021-12-20 21:26:35 +03:00
Vitaly Baranov
6721060649 Rename function IAccessStorage::login() -> IAccessStorage::authenticate().
Remove functions IAccessStorage::hasSubscriptionImpl() and IAccessStorage::existsImpl().
2021-12-20 21:26:27 +03:00
Vitaly Baranov
c01d0f95c3 Remove the function IAccessStorage::getIDOfLoggedUser() and move its functionality to login(AlwaysAllowCredentials). 2021-12-20 21:24:38 +03:00
Vitaly Baranov
af56b20da7 Rename IAccessEntity::Type -> AccessEntityType and move it to Access/Common. 2021-11-19 02:48:00 +03:00
Alexey Milovidov
fe6b7c77c7 Rename "common" to "base" 2021-10-02 10:13:14 +03:00
Maksim Kita
67e9b85951 Merge ext into common 2021-06-16 23:28:41 +03:00
Denis Glazachev
290a6d273e
Add Kerberos support for authenticating existing users when accessing over HTTP 2021-03-11 23:41:10 +03:00
Denis Glazachev
555f056a4c Revert "user not found" detection in loginImpl() and getIDOfLoggedUserImpl() 2020-10-06 20:32:06 +04:00
Denis Glazachev
54446eeec6 Use ErrorCodes::UNKNOWN_USER 2020-10-06 20:00:29 +04:00
Denis Glazachev
e2f444ae85 Simplify loginImpl() and getIDOfLoggedUserImpl() 2020-10-06 19:37:35 +04:00
Denis Glazachev
950a07835f Stylistic changes 2020-10-06 19:23:08 +04:00
Denis Glazachev
2fc6a4ea9c Add log_and_mask_exceptions flag to login() 2020-10-05 00:24:09 +04:00
Denis Glazachev
1eb8ecf050 Fix compilation 2020-10-04 23:56:25 +04:00
Denis Glazachev
7f47719768 Refactor exception handling in login() et al.
Simplify LDAPClient and LDAPAccessStorage
2020-10-04 23:55:58 +04:00
Denis Glazachev
00a354cd37 Manually remove storages in reverse order in MultipleAccessStorage d-tor 2020-10-04 22:00:56 +04:00
Denis Glazachev
03481f7a3a Synchronize the code with respect to IAccessStorage::login() functionality 2020-09-21 02:51:38 +04:00
Denis Glazachev
442b1407cf Merge branch 'master' into ldap-any-user-authentication
* master: (375 commits)
  Update type-conversion-functions.md
  Update maxmap.md
  Update maxmap.md
  Update maxmap.md
  Update single_fixed_string_groupby.xml
  Alter remove column properties and TTLs (#14742)
  better fixed string group by support
  Fix incorrect key condition of fixed strings.
  constant output order
  more tests for  #14646
  Maybe fix MSan report in base64
  Proper exception message for wrong number of arguments of CAST
  Added a test
  Fix buffer overflow in "bar" function
  Update convertMySQLDataType.cpp
  Fix clang-tidy
  Remove obsolete code from performance test
  Slightly better code
  Even more
  Even more
  ...

# Conflicts:
#	src/Interpreters/Context.cpp
2020-09-21 00:31:04 +04:00
Vitaly Baranov
dbc837c148 IAccessStorage now can override the login() function. 2020-09-19 01:04:20 +03:00
Denis Glazachev
7ffb618f6e Add missing proper findOrGenerateImpl() implementation to MultipleAccessStorage class 2020-08-28 16:05:08 +04:00
Vitaly Baranov
2909ed1bc0 Better initialization of access storages. Make list of access storages dynamic. 2020-08-16 19:15:34 +03:00
Vitaly Baranov
ad03ff3887 Rename storages users.xml=>users_xml, disk=>local_directory. 2020-08-16 16:42:57 +03:00