28 KiB
SRS-014 ClickHouse LDAP Role Mapping
Software Requirements Specification
Table of Contents
- 1 Revision History
- 2 Introduction
- 3 Terminology
- 3.1 LDAP
- 4 Requirements
- 4.1 General
- 4.2 Mapped Role Names
- 4.3 Multiple Roles
- 4.4 LDAP Groups
- 4.5 RBAC Roles
- 4.5.1 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.NotPresent
- 4.5.2 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Added
- 4.5.3 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Removed
- 4.5.4 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Readded
- 4.5.5 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.RemovedAndAdded.Parallel
- 4.5.6 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.New
- 4.5.7 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.NewPrivilege
- 4.5.8 RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.RemovedPrivilege
- 4.6 Authentication
- 4.6.1 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel
- 4.6.2 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.ValidAndInvalid
- 4.6.3 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.MultipleServers
- 4.6.4 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.LocalOnly
- 4.6.5 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.LocalAndMultipleLDAP
- 4.6.6 RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.SameUser
- 4.7 Server Configuration
- 4.7.1 BindDN Parameter
- 4.7.2 User DN Detection
- 4.7.2.1 RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection
- 4.7.2.2 RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.BaseDN
- 4.7.2.3 RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.Scope
- 4.7.2.4 RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.SearchFilter
- 4.8 External User Directory Configuration
- 4.8.1 Syntax
- 4.8.2 Special Characters Escaping
- 4.8.3 Multiple Sections
- 4.8.4 BaseDN Parameter
- 4.8.5 Attribute Parameter
- 4.8.6 Scope Parameter
- 4.8.6.1 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope
- 4.8.6.2 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Base
- 4.8.6.3 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.OneLevel
- 4.8.6.4 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Children
- 4.8.6.5 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Subtree
- 4.8.6.6 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Default
- 4.8.7 Search Filter Parameter
- 4.8.8 Prefix Parameter
- 4.8.8.1 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix
- 4.8.8.2 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.Default
- 4.8.8.3 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithUTF8Characters
- 4.8.8.4 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithSpecialXMLCharacters
- 4.8.8.5 RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithSpecialRegexCharacters
- 5 References
Revision History
This document is stored in an electronic form using Git source control management software hosted in a GitHub Repository. All the updates are tracked using the Revision History.
Introduction
The SRS-007 ClickHouse Authentication of Users via LDAP added support for authenticating users using an LDAP server and the SRS-009 ClickHouse LDAP External User Directory added support for authenticating users using an LDAP external user directory.
This requirements specification adds additional functionality for mapping LDAP groups to the corresponding ClickHouse RBAC roles when LDAP external user directory is configured. This functionality will enable easier access management for LDAP authenticated users as the privileges granted by the roles can be granted or revoked by granting or revoking a corresponding LDAP group to one or more LDAP users.
For the use case when only LDAP user authentication is used, the roles can be managed using RBAC in the same way as for non-LDAP authenticated users.
Terminology
LDAP
- Lightweight Directory Access Protocol
Requirements
General
RQ.SRS-014.LDAP.RoleMapping
version: 1.0
ClickHouse SHALL support mapping of LDAP groups to RBAC roles for users authenticated using LDAP external user directory.
RQ.SRS-014.LDAP.RoleMapping.WithFixedRoles
version: 1.0
ClickHouse SHALL support mapping of LDAP groups to RBAC roles
for users authenticated using LDAP external user directory when
one or more roles are specified in the <roles>
section.
RQ.SRS-014.LDAP.RoleMapping.Search
version: 1.0
ClickHouse SHALL perform search on the LDAP server and map the results to RBAC role names
when authenticating users using the LDAP external user directory if the <role_mapping>
section is configured
as part of the LDAP external user directory. The matched roles SHALL be assigned to the user.
Mapped Role Names
RQ.SRS-014.LDAP.RoleMapping.Map.Role.Name.WithUTF8Characters
version: 1.0
ClickHouse SHALL support mapping LDAP search results for users authenticated using LDAP external user directory to an RBAC role that contains UTF-8 characters.
RQ.SRS-014.LDAP.RoleMapping.Map.Role.Name.Long
version: 1.0
ClickHouse SHALL support mapping LDAP search results for users authenticated using LDAP external user directory to an RBAC role that has a name with more than 128 characters.
RQ.SRS-014.LDAP.RoleMapping.Map.Role.Name.WithSpecialXMLCharacters
version: 1.0
ClickHouse SHALL support mapping LDAP search results for users authenticated using LDAP external user directory to an RBAC role that has a name that contains special characters that need to be escaped in XML.
RQ.SRS-014.LDAP.RoleMapping.Map.Role.Name.WithSpecialRegexCharacters
version: 1.0
ClickHouse SHALL support mapping LDAP search results for users authenticated using LDAP external user directory to an RBAC role that has a name that contains special characters that need to be escaped in regex.
Multiple Roles
RQ.SRS-014.LDAP.RoleMapping.Map.MultipleRoles
version: 1.0
ClickHouse SHALL support mapping one or more LDAP search results for users authenticated using LDAP external user directory to one or more RBAC role.
LDAP Groups
RQ.SRS-014.LDAP.RoleMapping.LDAP.Group.Removed
version: 1.0
ClickHouse SHALL not assign RBAC role(s) for any users authenticated using LDAP external user directory if the corresponding LDAP group(s) that map those role(s) are removed. Any users that have active sessions SHALL still have privileges provided by the role(s) until the next time they are authenticated.
RQ.SRS-014.LDAP.RoleMapping.LDAP.Group.RemovedAndAdded.Parallel
version: 1.0
ClickHouse SHALL support authenticating users using LDAP external user directory when LDAP groups are removed and added at the same time as LDAP user authentications are performed in parallel.
RQ.SRS-014.LDAP.RoleMapping.LDAP.Group.UserRemoved
version: 1.0
ClickHouse SHALL not assign RBAC role(s) for the user authenticated using LDAP external user directory if the user has been removed from the corresponding LDAP group(s) that map those role(s). Any active user sessions SHALL have privileges provided by the role(s) until the next time the user is authenticated.
RQ.SRS-014.LDAP.RoleMapping.LDAP.Group.UserRemovedAndAdded.Parallel
version: 1.0
ClickHouse SHALL support authenticating users using LDAP external user directory when LDAP users are added and removed from LDAP groups used to map to RBAC roles at the same time as LDAP user authentications are performed in parallel.
RBAC Roles
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.NotPresent
version: 1.0
ClickHouse SHALL not reject authentication attempt using LDAP external user directory if any of the roles that are are mapped from LDAP but are not present locally.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Added
version: 1.0
ClickHouse SHALL add the privileges provided by the LDAP mapped role when the role is not present during user authentication using LDAP external user directory as soon as the role is added.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Removed
version: 1.0
ClickHouse SHALL remove the privileges provided by the role from all the users authenticated using LDAP external user directory if the RBAC role that was mapped as a result of LDAP search is removed.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.Readded
version: 1.0
ClickHouse SHALL reassign the RBAC role and add all the privileges provided by the role when it is re-added after removal for all LDAP users authenticated using external user directory for any role that was mapped as a result of LDAP search.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.RemovedAndAdded.Parallel
version: 1.0
ClickHouse SHALL support authenticating users using LDAP external user directory when RBAC roles that are mapped by LDAP groups are added and removed at the same time as LDAP user authentications are performed in parallel.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.New
version: 1.0
ClickHouse SHALL not allow any new roles to be assigned to any users authenticated using LDAP external user directory unless the role is specified in the configuration of the external user directory or was mapped as a result of LDAP search.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.NewPrivilege
version: 1.0
ClickHouse SHALL add new privilege to all the users authenticated using LDAP external user directory when new privilege is added to one of the roles that were mapped as a result of LDAP search.
RQ.SRS-014.LDAP.RoleMapping.RBAC.Role.RemovedPrivilege
version: 1.0
ClickHouse SHALL remove privilege from all the users authenticated using LDAP external user directory when the privilege that was provided by the mapped role is removed from all the roles that were mapped as a result of LDAP search.
Authentication
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel
version: 1.0
ClickHouse SHALL support parallel authentication of users using LDAP server when using LDAP external user directory that has role mapping enabled.
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.ValidAndInvalid
version: 1.0
ClickHouse SHALL support authentication of valid users and prohibit authentication of invalid users using LDAP server in parallel without having invalid attempts affecting valid authentications when using LDAP external user directory that has role mapping enabled.
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.MultipleServers
version: 1.0
ClickHouse SHALL support parallel authentication of external LDAP users authenticated using multiple LDAP external user directories that have role mapping enabled.
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.LocalOnly
version: 1.0
ClickHouse SHALL support parallel authentication of users defined only locally when one or more LDAP external user directories with role mapping are specified in the configuration file.
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.LocalAndMultipleLDAP
version: 1.0
ClickHouse SHALL support parallel authentication of local and external LDAP users authenticated using multiple LDAP external user directories with role mapping enabled.
RQ.SRS-014.LDAP.RoleMapping.Authentication.Parallel.SameUser
version: 1.0
ClickHouse SHALL support parallel authentication of the same external LDAP user authenticated using the same LDAP external user directory with role mapping enabled.
Server Configuration
BindDN Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.BindDN
version: 1.0
ClickHouse SHALL support the <bind_dn>
parameter in the <ldap_servers><server_name>
section
of the config.xml
that SHALL be used to construct the DN
to bind to.
The resulting DN
SHALL be constructed by replacing all {user_name}
substrings of the template
with the actual user name during each authentication attempt.
For example,
<yandex>
<ldap_servers>
<my_ldap_server>
<!-- ... -->
<bind_dn>uid={user_name},ou=users,dc=example,dc=com</bind_dn>
<!-- ... -->
</my_ldap_server>
</ldap_servers>
</yandex>
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.BindDN.ConflictWith.AuthDN
version: 1.0
ClickHouse SHALL return an error if both <bind_dn>
and <auth_dn_prefix>
or <auth_dn_suffix>
parameters
are specified as part of LDAP server description in the <ldap_servers>
section of the config.xml
.
User DN Detection
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection
version: 1.0
ClickHouse SHALL support the user_dn_detection
sub-section in the <ldap_servers><server_name>
section
of the config.xml
that SHALL be used to enable detecting the actual user DN of the bound user.
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.BaseDN
version: 1.0
ClickHouse SHALL support base_dn
parameter in the user_dn_detection
sub-section in the
<ldap_servers><server_name>
section of the config.xml
that SHALL specify how
to construct the base DN for the LDAP search to detect the actual user DN.
For example,
<user_dn_detection>
...
<base_dn>CN=Users,DC=example,DC=com</base_dn>
</user_dn_detection>
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.Scope
version: 1.0
ClickHouse SHALL support scope
parameter in the user_dn_detection
sub-section in the
<ldap_servers><server_name>
section of the config.xml
that SHALL the scope of the
LDAP search to detect the actual user DN. The scope
parameter SHALL support the following values
base
one_level
children
subtree
For example,
<user_dn_detection>
...
<scope>one_level</scope>
</user_dn_detection>
RQ.SRS-014.LDAP.RoleMapping.Configuration.Server.UserDNDetection.SearchFilter
version: 1.0
ClickHouse SHALL support search_filter
parameter in the user_dn_detection
sub-section in the
<ldap_servers><server_name>
section of the config.xml
that SHALL specify the LDAP search
filter used to detect the actual user DN.
For example,
<user_dn_detection>
...
<search_filter>(&(objectClass=user)(sAMAccountName={user_name}))</search_filter>
</user_dn_detection>
External User Directory Configuration
Syntax
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Syntax
version: 1.0
ClickHouse SHALL support the role_mapping
sub-section in the <user_directories><ldap>
section
of the config.xml
.
For example,
<yandex>
<user_directories>
<ldap>
<!-- ... -->
<role_mapping>
<base_dn>ou=groups,dc=example,dc=com</base_dn>
<attribute>cn</attribute>
<scope>subtree</scope>
<search_filter>(&(objectClass=groupOfNames)(member={bind_dn}))</search_filter>
<prefix>clickhouse_</prefix>
</role_mapping>
</ldap>
</user_directories>
</yandex>
Special Characters Escaping
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.SpecialCharactersEscaping
version: 1.0
ClickHouse SHALL support properly escaped special XML characters that can be present
as part of the values for different configuration parameters inside the
<user_directories><ldap><role_mapping>
section of the config.xml
such as
<search_filter>
parameter<prefix>
parameter
Multiple Sections
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.MultipleSections
version: 1.0
ClickHouse SHALL support multiple <role_mapping>
sections defined inside the same <user_directories><ldap>
section
of the config.xml
and all of the <role_mapping>
sections SHALL be applied.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.MultipleSections.IdenticalParameters
version: 1.0
ClickHouse SHALL not duplicate mapped roles when multiple <role_mapping>
sections
with identical parameters are defined inside the <user_directories><ldap>
section
of the config.xml
.
BaseDN Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.BaseDN
version: 1.0
ClickHouse SHALL support the <base_dn>
parameter in the <user_directories><ldap><role_mapping>
section
of the config.xml
that SHALL specify the template to be used to construct the base DN
for the LDAP search.
The resulting DN
SHALL be constructed by replacing all the {user_name}
, {bind_dn}
, and user_dn
substrings of
the template with the actual user name and bind DN
during each LDAP search.
Attribute Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Attribute
version: 1.0
ClickHouse SHALL support the <attribute>
parameter in the <user_directories><ldap><role_mapping>
section of
the config.xml
that SHALL specify the name of the attribute whose values SHALL be returned by the LDAP search.
Scope Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope
version: 1.0
ClickHouse SHALL support the <scope>
parameter in the <user_directories><ldap><role_mapping>
section of
the config.xml
that SHALL define the scope of the LDAP search as defined
by the https://ldapwiki.com/wiki/LDAP%20Search%20Scopes.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Base
version: 1.0
ClickHouse SHALL support the base
value for the the <scope>
parameter in the
<user_directories><ldap><role_mapping>
section of the config.xml
that SHALL
limit the scope as specified by the https://ldapwiki.com/wiki/BaseObject.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.OneLevel
version: 1.0
ClickHouse SHALL support the one_level
value for the the <scope>
parameter in the
<user_directories><ldap><role_mapping>
section of the config.xml
that SHALL
limit the scope as specified by the https://ldapwiki.com/wiki/SingleLevel.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Children
version: 1.0
ClickHouse SHALL support the children
value for the the <scope>
parameter in the
<user_directories><ldap><role_mapping>
section of the config.xml
that SHALL
limit the scope as specified by the https://ldapwiki.com/wiki/SubordinateSubtree.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Subtree
version: 1.0
ClickHouse SHALL support the children
value for the the <scope>
parameter in the
<user_directories><ldap><role_mapping>
section of the config.xml
that SHALL
limit the scope as specified by the https://ldapwiki.com/wiki/WholeSubtree.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Scope.Value.Default
version: 1.0
ClickHouse SHALL support the subtree
as the default value for the the <scope>
parameter in the
<user_directories><ldap><role_mapping>
section of the config.xml
when the <scope>
parameter is not specified.
Search Filter Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.SearchFilter
version: 1.0
ClickHouse SHALL support the <search_filter>
parameter in the <user_directories><ldap><role_mapping>
section of the config.xml
that SHALL specify the template used to construct
the LDAP filter for the search.
The resulting filter SHALL be constructed by replacing all {user_name}
, {bind_dn}
, {base_dn}
, and {user_dn}
substrings
of the template with the actual user name, bind DN
, and base DN
during each the LDAP search.
Prefix Parameter
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix
version: 1.0
ClickHouse SHALL support the <prefix>
parameter in the <user directories><ldap><role_mapping>
section of the config.xml
that SHALL be expected to be in front of each string in
the original list of strings returned by the LDAP search.
Prefix SHALL be removed from the original strings and resulting strings SHALL be treated as RBAC role names.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.Default
version: 1.0
ClickHouse SHALL support empty string as the default value of the <prefix>
parameter in
the <user directories><ldap><role_mapping>
section of the config.xml
.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithUTF8Characters
version: 1.0
ClickHouse SHALL support UTF8 characters as the value of the <prefix>
parameter in
the <user directories><ldap><role_mapping>
section of the config.xml
.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithSpecialXMLCharacters
version: 1.0
ClickHouse SHALL support XML special characters as the value of the <prefix>
parameter in
the <user directories><ldap><role_mapping>
section of the config.xml
.
RQ.SRS-014.LDAP.RoleMapping.Configuration.UserDirectory.RoleMapping.Prefix.WithSpecialRegexCharacters
version: 1.0
ClickHouse SHALL support regex special characters as the value of the <prefix>
parameter in
the <user directories><ldap><role_mapping>
section of the config.xml
.
References
- Access Control and Account Management: https://clickhouse.tech/docs/en/operations/access-rights/
- LDAP: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
- ClickHouse: https://clickhouse.tech
- GitHub Repository: https://github.com/ClickHouse/ClickHouse/blob/master/tests/testflows/ldap/role_mapping/requirements/requirements.md
- Revision History: https://github.com/ClickHouse/ClickHouse/commits/master/tests/testflows/ldap/role_mapping/requirements/requirements.md
- Git: https://git-scm.com/