Small updates to helpers/cluster.py. Updating link in the ldap/authentication/requirements/requirements.md.
SRS-007 ClickHouse Authentication of Users via LDAP
Table of Contents
- 1 Revision History
- 2 Introduction
- 3 Terminology
- 4 Requirements
- 4.1 Generic
- 4.1.1 RQ.SRS-007.LDAP.Authentication
- 4.1.2 RQ.SRS-007.LDAP.Authentication.MultipleServers
- 4.1.3 RQ.SRS-007.LDAP.Authentication.Protocol.PlainText
- 4.1.4 RQ.SRS-007.LDAP.Authentication.Protocol.TLS
- 4.1.5 RQ.SRS-007.LDAP.Authentication.Protocol.StartTLS
- 4.1.6 RQ.SRS-007.LDAP.Authentication.TLS.Certificate.Validation
- 4.1.7 RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SelfSigned
- 4.1.8 RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SpecificCertificationAuthority
- 4.1.9 RQ.SRS-007.LDAP.Server.Configuration.Invalid
- 4.1.10 RQ.SRS-007.LDAP.User.Configuration.Invalid
- 4.1.11 RQ.SRS-007.LDAP.Authentication.Mechanism.Anonymous
- 4.1.12 RQ.SRS-007.LDAP.Authentication.Mechanism.Unauthenticated
- 4.1.13 RQ.SRS-007.LDAP.Authentication.Mechanism.NamePassword
- 4.1.14 RQ.SRS-007.LDAP.Authentication.Valid
- 4.1.15 RQ.SRS-007.LDAP.Authentication.Invalid
- 4.1.16 RQ.SRS-007.LDAP.Authentication.Invalid.DeletedUser
- 4.1.17 RQ.SRS-007.LDAP.Authentication.UsernameChanged
- 4.1.18 RQ.SRS-007.LDAP.Authentication.PasswordChanged
- 4.1.19 RQ.SRS-007.LDAP.Authentication.LDAPServerRestart
- 4.1.20 RQ.SRS-007.LDAP.Authentication.ClickHouseServerRestart
- 4.1.21 RQ.SRS-007.LDAP.Authentication.Parallel
- 4.1.22 RQ.SRS-007.LDAP.Authentication.Parallel.ValidAndInvalid
- 4.2 Specific
- 4.2.1 RQ.SRS-007.LDAP.UnreachableServer
- 4.2.2 RQ.SRS-007.LDAP.Configuration.Server.Name
- 4.2.3 RQ.SRS-007.LDAP.Configuration.Server.Host
- 4.2.4 RQ.SRS-007.LDAP.Configuration.Server.Port
- 4.2.5 RQ.SRS-007.LDAP.Configuration.Server.Port.Default
- 4.2.6 RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Prefix
- 4.2.7 RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Suffix
- 4.2.8 RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Value
- 4.2.9 RQ.SRS-007.LDAP.Configuration.Server.EnableTLS
- 4.2.10 RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Default
- 4.2.11 RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.No
- 4.2.12 RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Yes
- 4.2.13 RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.StartTLS
- 4.2.14 RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion
- 4.2.15 RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Values
- 4.2.16 RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Default
- 4.2.17 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert
- 4.2.18 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Default
- 4.2.19 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Demand
- 4.2.20 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Allow
- 4.2.21 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Try
- 4.2.22 RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Never
- 4.2.23 RQ.SRS-007.LDAP.Configuration.Server.TLSCertFile
- 4.2.24 RQ.SRS-007.LDAP.Configuration.Server.TLSKeyFile
- 4.2.25 RQ.SRS-007.LDAP.Configuration.Server.TLSCACertDir
- 4.2.26 RQ.SRS-007.LDAP.Configuration.Server.TLSCACertFile
- 4.2.27 RQ.SRS-007.LDAP.Configuration.Server.TLSCipherSuite
- 4.2.28 RQ.SRS-007.LDAP.Configuration.Server.Syntax
- 4.2.29 RQ.SRS-007.LDAP.Configuration.User.RBAC
- 4.2.30 RQ.SRS-007.LDAP.Configuration.User.Syntax
- 4.2.31 RQ.SRS-007.LDAP.Configuration.User.Name.Empty
- 4.2.32 RQ.SRS-007.LDAP.Configuration.User.BothPasswordAndLDAP
- 4.2.33 RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.NotDefined
- 4.2.34 RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.Empty
- 4.2.35 RQ.SRS-007.LDAP.Configuration.User.OnlyOneServer
- 4.2.36 RQ.SRS-007.LDAP.Configuration.User.Name.Long
- 4.2.37 RQ.SRS-007.LDAP.Configuration.User.Name.UTF8
- 4.2.38 RQ.SRS-007.LDAP.Authentication.Username.Empty
- 4.2.39 RQ.SRS-007.LDAP.Authentication.Username.Long
- 4.2.40 RQ.SRS-007.LDAP.Authentication.Username.UTF8
- 4.2.41 RQ.SRS-007.LDAP.Authentication.Password.Empty
- 4.2.42 RQ.SRS-007.LDAP.Authentication.Password.Long
- 4.2.43 RQ.SRS-007.LDAP.Authentication.Password.UTF8
- 5 References
Revision History
This document is stored in electronic form using the Git source control management software, hosted in a GitHub repository. All updates are tracked using Git's revision history.
Introduction
ClickHouse currently does not have any integration with LDAP. As the initial step in integrating with LDAP this software requirements specification covers only the requirements to enable authentication of users using an LDAP server.
Terminology
Requirements
Generic
RQ.SRS-007.LDAP.Authentication
version: 1.0
ClickHouse SHALL support user authentication via an LDAP server.
RQ.SRS-007.LDAP.Authentication.MultipleServers
version: 1.0
ClickHouse SHALL support specifying multiple LDAP servers that can be used to authenticate users.
RQ.SRS-007.LDAP.Authentication.Protocol.PlainText
version: 1.0
ClickHouse SHALL support user authentication using the plain text, non-secure ldap:// protocol.
RQ.SRS-007.LDAP.Authentication.Protocol.TLS
version: 1.0
ClickHouse SHALL support user authentication using the SSL/TLS ldaps:// secure protocol.
RQ.SRS-007.LDAP.Authentication.Protocol.StartTLS
version: 1.0
ClickHouse SHALL support user authentication using the legacy StartTLS protocol, which is a plain text ldap:// protocol that is upgraded to TLS.
RQ.SRS-007.LDAP.Authentication.TLS.Certificate.Validation
version: 1.0
ClickHouse SHALL support certificate validation used for TLS connections.
RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SelfSigned
version: 1.0
ClickHouse SHALL support self-signed certificates for TLS connections.
RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SpecificCertificationAuthority
version: 1.0
ClickHouse SHALL support certificates signed by a specific Certification Authority for TLS connections.
RQ.SRS-007.LDAP.Server.Configuration.Invalid
version: 1.0
ClickHouse SHALL return an error and prohibit user login if LDAP server configuration is not valid.
RQ.SRS-007.LDAP.User.Configuration.Invalid
version: 1.0
ClickHouse SHALL return an error and prohibit user login if user configuration is not valid.
RQ.SRS-007.LDAP.Authentication.Mechanism.Anonymous
version: 1.0
ClickHouse SHALL return an error and prohibit authentication using the Anonymous Authentication Mechanism of the Simple Bind authentication mechanism.
RQ.SRS-007.LDAP.Authentication.Mechanism.Unauthenticated
version: 1.0
ClickHouse SHALL return an error and prohibit authentication using the Unauthenticated Authentication Mechanism of the Simple Bind authentication mechanism.
RQ.SRS-007.LDAP.Authentication.Mechanism.NamePassword
version: 1.0
ClickHouse SHALL allow authentication using only the Name/Password Authentication Mechanism of the Simple Bind authentication mechanism.
RQ.SRS-007.LDAP.Authentication.Valid
version: 1.0
ClickHouse SHALL allow user authentication using an LDAP server if and only if the user name and password match the LDAP server records for the user.
RQ.SRS-007.LDAP.Authentication.Invalid
version: 1.0
ClickHouse SHALL return an error and prohibit authentication if either the user name or the password does not match the LDAP server records for the user.
RQ.SRS-007.LDAP.Authentication.Invalid.DeletedUser
version: 1.0
ClickHouse SHALL return an error and prohibit authentication if the user has been deleted from the LDAP server.
RQ.SRS-007.LDAP.Authentication.UsernameChanged
version: 1.0
ClickHouse SHALL return an error and prohibit authentication if the username is changed on the LDAP server.
RQ.SRS-007.LDAP.Authentication.PasswordChanged
version: 1.0
ClickHouse SHALL return an error and prohibit authentication if the password for the user is changed on the LDAP server.
RQ.SRS-007.LDAP.Authentication.LDAPServerRestart
version: 1.0
ClickHouse SHALL support authenticating users after LDAP server is restarted.
RQ.SRS-007.LDAP.Authentication.ClickHouseServerRestart
version: 1.0
ClickHouse SHALL support authenticating users after the ClickHouse server is restarted.
RQ.SRS-007.LDAP.Authentication.Parallel
version: 1.0
ClickHouse SHALL support parallel authentication of users using LDAP server.
RQ.SRS-007.LDAP.Authentication.Parallel.ValidAndInvalid
version: 1.0
ClickHouse SHALL support authentication of valid users and prohibit authentication of invalid users using an LDAP server in parallel, without invalid attempts affecting valid authentications.
Specific
RQ.SRS-007.LDAP.UnreachableServer
version: 1.0
ClickHouse SHALL return an error and prohibit user login if LDAP server is unreachable.
RQ.SRS-007.LDAP.Configuration.Server.Name
version: 1.0
ClickHouse SHALL not support an empty string as a server name.
RQ.SRS-007.LDAP.Configuration.Server.Host
version: 1.0
ClickHouse SHALL support the <host> parameter to specify the LDAP server hostname or IP address; this parameter SHALL be mandatory and SHALL not be empty.
RQ.SRS-007.LDAP.Configuration.Server.Port
version: 1.0
ClickHouse SHALL support the <port> parameter to specify the LDAP server port.
RQ.SRS-007.LDAP.Configuration.Server.Port.Default
version: 1.0
ClickHouse SHALL use default port number 636 if enable_tls is set to yes, or 389 otherwise.
RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Prefix
version: 1.0
ClickHouse SHALL support the <auth_dn_prefix> parameter to specify the prefix of the value used to construct the DN to bind to during authentication via the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Suffix
version: 1.0
ClickHouse SHALL support the <auth_dn_suffix> parameter to specify the suffix of the value used to construct the DN to bind to during authentication via the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Value
version: 1.0
ClickHouse SHALL construct the DN as the string auth_dn_prefix + escape(user_name) + auth_dn_suffix.
This implies that auth_dn_suffix should usually have a comma ',' as its first non-space character.
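As an added example (not code from the specification or from ClickHouse), the following Python shows how the DN rule above can be implemented. The page does not define escape(), so this assumes RFC 4514 attribute-value escaping, which is the standard way to embed an arbitrary string as one value inside a DN; the prefix and suffix values are the ones from the page's example server configuration. The point the code makes is that a user name containing ',' or '=' stays a single attribute value instead of being read as additional RDNs, which is exactly what the escape step is for.

```python
# Added example: build the bind DN as auth_dn_prefix + escape(user_name) + auth_dn_suffix.
# escape() is not specified on the page; RFC 4514 attribute-value escaping is assumed here.

# Characters that must always be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_dn_value(value: str) -> str:
    """Escape a user name so it is read as exactly one attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            # a leading '#' would otherwise introduce a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            # leading and trailing spaces are only preserved when escaped
            out.append("\\ ")
        elif ord(ch) < 0x20:
            # control characters are written as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            # UTF-8 and everything else passes through unchanged (RQ ...Username.UTF8)
            out.append(ch)
    return "".join(out)


def build_auth_dn(auth_dn_prefix: str, auth_dn_suffix: str, user_name: str) -> str:
    """Apply RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Value to one login name."""
    if not user_name:
        # RQ.SRS-007.LDAP.Authentication.Username.Empty: never bind with an empty name
        raise ValueError("empty user name")
    return auth_dn_prefix + escape_dn_value(user_name) + auth_dn_suffix


def suffix_is_well_formed(auth_dn_suffix: str) -> bool:
    """The page notes the suffix should usually start with ',' as its first
    non-space character, so that the escaped name forms exactly one RDN value."""
    stripped = auth_dn_suffix.lstrip()
    return stripped == "" or stripped.startswith(",")


if __name__ == "__main__":
    # prefix and suffix taken from the page's example server configuration
    prefix, suffix = "cn=", ", ou=users, dc=example, dc=com"
    for name in ("alice", "x,ou=admins", " bob ", "Ünïcode"):
        print(build_auth_dn(prefix, suffix, name))
```

A suffix that does not begin with ',' (for example "ou=users" without the leading comma) would glue the user name and the suffix into one malformed RDN, which is why suffix_is_well_formed is worth running when a server entry is loaded.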
RQ.SRS-007.LDAP.Configuration.Server.EnableTLS
version: 1.0
ClickHouse SHALL support the <enable_tls> parameter to trigger the use of a secure connection to the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Default
version: 1.0
ClickHouse SHALL use yes as the default value of the <enable_tls> parameter, enabling the SSL/TLS ldaps:// protocol.
RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.No
version: 1.0
ClickHouse SHALL support specifying no as the value of the <enable_tls> parameter to enable the plain text ldap:// protocol.
RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Yes
version: 1.0
ClickHouse SHALL support specifying yes as the value of the <enable_tls> parameter to enable the SSL/TLS ldaps:// protocol.
RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.StartTLS
version: 1.0
ClickHouse SHALL support specifying starttls as the value of the <enable_tls> parameter to enable the legacy StartTLS protocol, which uses the plain text ldap:// protocol upgraded to TLS.
RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion
version: 1.0
ClickHouse SHALL support the <tls_minimum_protocol_version> parameter to specify the minimum SSL/TLS protocol version.
RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Values
version: 1.0
ClickHouse SHALL support specifying ssl2, ssl3, tls1.0, tls1.1, and tls1.2 as a value of the <tls_minimum_protocol_version> parameter.
RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Default
version: 1.0
ClickHouse SHALL set tls1.2 as the default value of the <tls_minimum_protocol_version> parameter.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert
version: 1.0
ClickHouse SHALL support the <tls_require_cert> parameter to specify TLS peer certificate verification behavior.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Default
version: 1.0
ClickHouse SHALL use demand as the default value of the <tls_require_cert> parameter.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Demand
version: 1.0
ClickHouse SHALL support specifying demand as the value of the <tls_require_cert> parameter to enable requesting of a client certificate. If no certificate is provided, or a bad certificate is provided, the session SHALL be immediately terminated.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Allow
version: 1.0
ClickHouse SHALL support specifying allow as the value of the <tls_require_cert> parameter to enable requesting of a client certificate. If no certificate is provided, the session SHALL proceed normally. If a bad certificate is provided, it SHALL be ignored and the session SHALL proceed normally.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Try
version: 1.0
ClickHouse SHALL support specifying try as the value of the <tls_require_cert> parameter to enable requesting of a client certificate. If no certificate is provided, the session SHALL proceed normally. If a bad certificate is provided, the session SHALL be immediately terminated.
RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Never
version: 1.0
ClickHouse SHALL support specifying never as the value of the <tls_require_cert> parameter to disable requesting of a client certificate.
RQ.SRS-007.LDAP.Configuration.Server.TLSCertFile
version: 1.0
ClickHouse SHALL support the <tls_cert_file> parameter to specify the path to the certificate file used by ClickHouse to establish a connection with the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.TLSKeyFile
version: 1.0
ClickHouse SHALL support the <tls_key_file> parameter to specify the path to the key file for the certificate specified by the <tls_cert_file> parameter.
RQ.SRS-007.LDAP.Configuration.Server.TLSCACertDir
version: 1.0
ClickHouse SHALL support the <tls_ca_cert_dir> parameter to specify a path to the directory containing CA certificates used to verify certificates provided by the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.TLSCACertFile
version: 1.0
ClickHouse SHALL support the <tls_ca_cert_file> parameter to specify a path to a specific CA certificate file used to verify certificates provided by the LDAP server.
RQ.SRS-007.LDAP.Configuration.Server.TLSCipherSuite
version: 1.0
ClickHouse SHALL support the <tls_cipher_suite> parameter to specify the allowed cipher suites.
The value SHALL use the same format as the cipher list in OpenSSL Ciphers.
For example,
<tls_cipher_suite>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384</tls_cipher_suite>
The available suites SHALL depend on the OpenSSL library version and variant used to build ClickHouse and therefore might change.
RQ.SRS-007.LDAP.Configuration.Server.Syntax
version: 1.0
ClickHouse SHALL support the following example syntax to create an entry for an LDAP server inside the config.xml configuration file or any configuration file inside the config.d directory.
<yandex>
  <my_ldap_server>
    <host>localhost</host>
    <port>636</port>
    <auth_dn_prefix>cn=</auth_dn_prefix>
    <auth_dn_suffix>, ou=users, dc=example, dc=com</auth_dn_suffix>
    <enable_tls>yes</enable_tls>
    <tls_minimum_protocol_version>tls1.2</tls_minimum_protocol_version>
    <tls_require_cert>demand</tls_require_cert>
    <tls_cert_file>/path/to/tls_cert_file</tls_cert_file>
    <tls_key_file>/path/to/tls_key_file</tls_key_file>
    <tls_ca_cert_file>/path/to/tls_ca_cert_file</tls_ca_cert_file>
    <tls_ca_cert_dir>/path/to/tls_ca_cert_dir</tls_ca_cert_dir>
    <tls_cipher_suite>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384</tls_cipher_suite>
  </my_ldap_server>
</yandex>
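The following Python validator is an added example, not part of the specification or of ClickHouse. It applies the defaults and allowed values from the server configuration requirements above (port 636 or 389 depending on enable_tls, tls1.2 and demand as defaults, and the permitted enable_tls, tls_minimum_protocol_version and tls_require_cert values) to entries written in the example syntax, reports invalid settings as errors, and reports settings that the requirements describe as weaker than the defaults (plain text, pre-tls1.2 minimum version, certificate verification modes that let a missing or bad certificate through) as warnings. The two embedded configurations are constructed for the example; it assumes server entries are direct children of the root element as in the example above, or of an <ldap_servers> element when one is present.

```python
import xml.etree.ElementTree as ET

# Added example: resolve an LDAP server entry against the defaults and allowed values
# from RQ.SRS-007.LDAP.Configuration.Server.* and report errors and weak settings.

ENABLE_TLS_VALUES = ("yes", "no", "starttls")
TLS_VERSIONS = ("ssl2", "ssl3", "tls1.0", "tls1.1", "tls1.2")   # ordered weakest first
REQUIRE_CERT_VALUES = ("demand", "allow", "try", "never")
PATH_PARAMS = ("tls_cert_file", "tls_key_file", "tls_ca_cert_file",
               "tls_ca_cert_dir", "tls_cipher_suite")


def resolve_server(elem):
    """Return (settings, errors, warnings) for one <server_name> element."""
    errors, warnings = [], []

    def get(tag):
        return (elem.findtext(tag) or "").strip()

    s = {"name": elem.tag, "host": get("host")}
    if not s["host"]:
        errors.append("host is mandatory and must not be empty")

    s["enable_tls"] = get("enable_tls") or "yes"                  # default: yes
    if s["enable_tls"] not in ENABLE_TLS_VALUES:
        errors.append(f"enable_tls={s['enable_tls']!r} is not one of {ENABLE_TLS_VALUES}")
    elif s["enable_tls"] == "no":
        warnings.append("enable_tls=no: the bind, including the password, is sent in plain text")

    port = get("port")
    if not port:                                                  # default depends on enable_tls
        s["port"] = 636 if s["enable_tls"] == "yes" else 389
    elif port.isdigit() and 1 <= int(port) <= 65535:
        s["port"] = int(port)
    else:
        errors.append(f"port={port!r} is not a valid TCP port")

    ver = get("tls_minimum_protocol_version") or "tls1.2"         # default: tls1.2
    s["tls_minimum_protocol_version"] = ver
    if ver not in TLS_VERSIONS:
        errors.append(f"tls_minimum_protocol_version={ver!r} is not one of {TLS_VERSIONS}")
    elif TLS_VERSIONS.index(ver) < TLS_VERSIONS.index("tls1.2"):
        warnings.append(f"tls_minimum_protocol_version={ver}: allows protocol versions below tls1.2")

    req = get("tls_require_cert") or "demand"                     # default: demand
    s["tls_require_cert"] = req
    if req not in REQUIRE_CERT_VALUES:
        errors.append(f"tls_require_cert={req!r} is not one of {REQUIRE_CERT_VALUES}")
    elif req in ("allow", "never"):
        warnings.append(f"tls_require_cert={req}: a missing or bad certificate does not stop the session")
    elif req == "try":
        warnings.append("tls_require_cert=try: a missing certificate does not stop the session")

    for tag in PATH_PARAMS:
        s[tag] = get(tag) or None
    if s["tls_key_file"] and not s["tls_cert_file"]:
        warnings.append("tls_key_file is set but tls_cert_file, which it belongs to, is not")
    return s, errors, warnings


def validate_ldap_servers(xml_text):
    """Map server name -> (settings, errors, warnings) for every entry in the document.
    Assumption: entries are direct children of the root element as in the page's
    example syntax, or of an <ldap_servers> element when one is present."""
    root = ET.fromstring(xml_text)
    container = root.find("ldap_servers")
    if container is None:      # 'is None' on purpose: an Element with no children is falsy
        container = root
    return {child.tag: resolve_server(child) for child in container}


# Constructed sample: a weak entry and its hardened counterpart (host names are made up).
WEAK_CONFIG = """<yandex>
  <my_ldap_server>
    <host>ldap.example.com</host>
    <enable_tls>no</enable_tls>
    <tls_minimum_protocol_version>tls1.0</tls_minimum_protocol_version>
    <tls_require_cert>never</tls_require_cert>
  </my_ldap_server>
</yandex>"""

HARDENED_CONFIG = """<yandex>
  <my_ldap_server>
    <host>ldap.example.com</host>
    <auth_dn_prefix>cn=</auth_dn_prefix>
    <auth_dn_suffix>, ou=users, dc=example, dc=com</auth_dn_suffix>
    <enable_tls>yes</enable_tls>
    <tls_minimum_protocol_version>tls1.2</tls_minimum_protocol_version>
    <tls_require_cert>demand</tls_require_cert>
    <tls_ca_cert_file>/path/to/tls_ca_cert_file</tls_ca_cert_file>
  </my_ldap_server>
</yandex>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, (settings, errors, warnings) in validate_ldap_servers(cfg).items():
            print(label, name, "port", settings["port"], "errors", errors, "warnings", warnings)
```

Running it shows the weak entry resolving to port 389 with three warnings and no errors, while the hardened entry resolves to port 636 with neither; a config that omits host or uses a value outside the permitted sets comes back with errors, which is the condition under which RQ.SRS-007.LDAP.Server.Configuration.Invalid says login must be refused.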
RQ.SRS-007.LDAP.Configuration.User.RBAC
version: 1.0
ClickHouse SHALL support creating users identified using an LDAP server using the following RBAC command
CREATE USER name IDENTIFIED WITH ldap_server BY 'server_name'
RQ.SRS-007.LDAP.Configuration.User.Syntax
version: 1.0
ClickHouse SHALL support the following example syntax to create a user that is authenticated using an LDAP server inside the users.xml file or any configuration file inside the users.d directory.
<yandex>
  <users>
    <user_name>
      <ldap>
        <server>my_ldap_server</server>
      </ldap>
    </user_name>
  </users>
</yandex>
RQ.SRS-007.LDAP.Configuration.User.Name.Empty
version: 1.0
ClickHouse SHALL not support an empty string as a user name.
RQ.SRS-007.LDAP.Configuration.User.BothPasswordAndLDAP
version: 1.0
ClickHouse SHALL throw an error if <ldap> is specified for the user and at the same time the user configuration contains any of the <password*> entries.
RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.NotDefined
version: 1.0
ClickHouse SHALL throw an error during any authentication attempt if the name of the LDAP server used inside the <ldap> entry is not defined in the <ldap_servers> section.
RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.Empty
version: 1.0
ClickHouse SHALL throw an error during any authentication attempt if the name of the LDAP server used inside the <ldap> entry is empty.
RQ.SRS-007.LDAP.Configuration.User.OnlyOneServer
version: 1.0
ClickHouse SHALL support specifying only one LDAP server for a given user.
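The following Python check is an added example, not code from the specification or from ClickHouse. It walks a users.xml-style document written in the example syntax above and applies the user-side requirements: an <ldap> entry combined with any <password*> entry, an empty server name, a server name that is not among the defined LDAP servers, and more than one <server> for a user are each reported as an error for that user. The set of defined server names is passed in by the caller, and the embedded users document is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Added example: validate LDAP-identified users against
# RQ.SRS-007.LDAP.Configuration.User.BothPasswordAndLDAP, .LDAP.InvalidServerName.*,
# and .OnlyOneServer.  defined_servers holds the names from the <ldap_servers> section.


def validate_ldap_users(users_xml, defined_servers):
    """Return {user_name: [error, ...]} for each user that has an <ldap> entry.
    Users without <ldap> are not LDAP users and are left out of the result."""
    root = ET.fromstring(users_xml)
    users = root.find("users")
    if users is None:
        raise ValueError("no <users> section")
    report = {}
    for user in users:
        ldap = user.find("ldap")
        if ldap is None:
            continue
        errors = []
        # <ldap> excludes every <password*> entry (password, password_sha256_hex, ...)
        password_tags = [child.tag for child in user if child.tag.startswith("password")]
        if password_tags:
            errors.append(f"<ldap> cannot be combined with {password_tags}")
        # only one LDAP server may be given for a user
        servers = ldap.findall("server")
        if len(servers) > 1:
            errors.append("only one <server> may be specified for a user")
        # the server name must be non-empty and must refer to a defined server
        name = (servers[0].text or "").strip() if servers else ""
        if not name:
            errors.append("LDAP server name is empty")
        elif name not in defined_servers:
            errors.append(f"LDAP server {name!r} is not defined in <ldap_servers>")
        report[user.tag] = errors
    return report


# Constructed sample users document: one valid LDAP user and four invalid ones,
# plus a local password user that the check ignores.
SAMPLE_USERS = """<yandex>
  <users>
    <alice><ldap><server>my_ldap_server</server></ldap></alice>
    <bob><ldap><server>my_ldap_server</server></ldap><password>secret</password></bob>
    <carol><ldap><server></server></ldap></carol>
    <dave><ldap><server>unknown_server</server></ldap></dave>
    <erin><ldap><server>my_ldap_server</server><server>other</server></ldap></erin>
    <local><password_sha256_hex>00</password_sha256_hex></local>
  </users>
</yandex>"""

DEFINED_SERVERS = {"my_ldap_server"}   # would come from the server configuration

if __name__ == "__main__":
    for user, errors in validate_ldap_users(SAMPLE_USERS, DEFINED_SERVERS).items():
        print(user, "OK" if not errors else errors)
```

Because the requirements say the server-name errors surface at authentication time, running a check like this when the configuration is loaded catches them before the first failed login rather than after.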
RQ.SRS-007.LDAP.Configuration.User.Name.Long
version: 1.0
ClickHouse SHALL support long user names of at least 256 bytes to specify users that can be authenticated using an LDAP server.
RQ.SRS-007.LDAP.Configuration.User.Name.UTF8
version: 1.0
ClickHouse SHALL support user names that contain UTF-8 characters.
RQ.SRS-007.LDAP.Authentication.Username.Empty
version: 1.0
ClickHouse SHALL not support authenticating users with empty username.
RQ.SRS-007.LDAP.Authentication.Username.Long
version: 1.0
ClickHouse SHALL support authenticating users with a long username of at least 256 bytes.
RQ.SRS-007.LDAP.Authentication.Username.UTF8
version: 1.0
ClickHouse SHALL support authenticating users with a username that contains UTF-8 characters.
RQ.SRS-007.LDAP.Authentication.Password.Empty
version: 1.0
ClickHouse SHALL not support authenticating users with empty passwords even if an empty password is valid for the user and is allowed by the LDAP server.
RQ.SRS-007.LDAP.Authentication.Password.Long
version: 1.0
ClickHouse SHALL support long passwords of at least 256 bytes that can be used to authenticate users using an LDAP server.
RQ.SRS-007.LDAP.Authentication.Password.UTF8
version: 1.0
ClickHouse SHALL support UTF-8 characters in passwords used to authenticate users using an LDAP server.
References
- ClickHouse: https://clickhouse.tech