Commit Graph

20 Commits

Author SHA1 Message Date
Azat Khuzhin
bcf381c5ae Reimplement interserver mode to avoid replay attacks
Previous implementation (DBMS_MIN_REVISION_WITH_INTERSERVER_SECRET)
accepts the salt from the client, which makes it useless.

Reimplement the protocol to send the salt by the server and use it in
the client instead.

Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
2023-03-15 08:28:43 +01:00
Alexey Milovidov
b42d26acfe Remove one line from XML, because we do not care 2022-08-28 02:44:02 +02:00
Alexander Tokmakov
19afeda4b1 fix style 2022-05-18 14:23:52 +02:00
Alexander Tokmakov
dea39d8175 fix some trash 2022-05-17 18:22:52 +02:00
Alexey Milovidov
19a8207ab7 Debug integration tests 2022-04-18 00:16:53 +02:00
Mikhail f. Shiryaev
e6f5a3f98b Apply black formatter to all *.py files in the repo 2022-03-22 17:39:58 +01:00
Azat Khuzhin
5472aef084 Fix current_user/current_address for interserver mode
Before this patch current_user/current_address will be preserved from
the previous query.

Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
2022-02-02 17:44:19 +03:00
Vitaly Baranov
27f6d5864d Merge pull request #29060 from azat/inter-server-secret-auth-fix
Do not allow to reuse previous credentials in case of inter-server secret
2021-10-01 20:44:48 +03:00
Azat Khuzhin
1af02f02bd Add a test for INSERT w/o user in interserver mode
v2: ensure that the test fails with the version w/o fix
v3: force connect by modifying config and reload it
v4: add comments
2021-10-01 01:13:08 +03:00
Alexey Milovidov
e513a5db32 Change <yandex> to <clickhouse> in configs 2021-09-20 01:38:53 +03:00
alexey-milovidov
0c70b06960 Merge branch 'master' into system-querylog-map 2021-03-31 04:54:30 +03:00
alesapin
1b0a9461f0 Fix more tests 2021-03-26 18:30:35 +03:00
sundy-li
76da6014d2 Update more integration tests2 2021-01-21 16:36:13 +08:00
sundy-li
ca039f5219 Update more integration tests 2021-01-21 14:55:13 +08:00
sundy-li
3b62c5b50b Fix test 2021-01-06 07:26:16 +00:00
sundy-li
3dda607059 Update tests 2021-01-05 11:22:53 +00:00
Azat Khuzhin
84583faa43 Fix test_distributed_inter_server_secret under ASAN
And also cover both cases:
- settings from DDL
- settings from TCP protocol
2020-10-03 11:16:31 +03:00
Azat Khuzhin
f25c1742b8 Pass through *_for_user settings via Distributed with cluster-secure
In cluster-secure case the user on shards (remote) is equal to the user
on the initiator, so those settings can be safely applied.
2020-10-03 02:04:47 +03:00
Azat Khuzhin
9cb3c743bd Convert to python3 (#15007) 2020-10-02 19:54:07 +03:00
Azat Khuzhin
0159c74f21 Secure inter-cluster query execution (with initial_user as current query user) [v3]
Add inter-server cluster secret, it is used for Distributed queries
inside cluster, you can configure in the configuration file:

  <remote_servers>
      <logs>
          <shard>
              <secret>foobar</secret> <!-- empty -- works as before -->
              ...
          </shard>
      </logs>
  </remote_servers>

And this will allow clickhouse to make sure that the query was not
faked, and was issued from the node that knows the secret. And since
trust appeared it can use initial_user for query execution, this will
apply correct *_for_user (since with inter-server secret enabled, the
query will be executed from the same user on the shards as on initiator,
unlike "default" user w/o it).

v2: Change user to the initial_user for Distributed queries if secret match
v3: Add Protocol::Cluster package
v4: Drop Protocol::Cluster and use plain Protocol::Hello + user marker
v5: Do not use user from Hello for cluster-secure (superfluous)
2020-09-15 01:36:28 +03:00