Merge pull request #54737 from arenadata/ADQM-1150

Added maximum sequential login failures to the quota.
ClickHouse · Jan 31, 2024 · a193e01 · a193e01
2 parents 3cc43c4 + 076fb1d
commit a193e01
Show file tree

Hide file tree

Showing 23 changed files with 347 additions and 60 deletions.
diff --git a/docs/en/operations/system-tables/quota_usage.md b/docs/en/operations/system-tables/quota_usage.md
@@ -25,6 +25,8 @@ Columns:
 - `max_read_rows` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — Maximum number of rows read from all tables and table functions participated in queries.
 - `read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — The total number of bytes read from all tables and table functions participated in queries.
 - `max_read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — Maximum of bytes read from all tables and table functions.
+- `failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — The total count of sequential authentication failures. If the user entered the correct password before exceed `failed_sequential_authentications` threshold then the counter will be reset.
+- `max_failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — Maximum count of sequential authentication failures.
 - `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — The total query execution time, in seconds (wall time).
 - `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — Maximum of query execution time.
 

diff --git a/docs/en/operations/system-tables/quotas_usage.md b/docs/en/operations/system-tables/quotas_usage.md
@@ -28,8 +28,10 @@ Columns:
 - `max_read_rows` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — Maximum number of rows read from all tables and table functions participated in queries.
 - `read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — The total number of bytes read from all tables and table functions participated in queries.
 - `max_read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — Maximum of bytes read from all tables and table functions.
-- `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — The total query execution time, in seconds (wall time).
-- `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — Maximum of query execution time.
+- `failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — The total count of sequential authentication failures. If the user entered the correct password before exceed `failed_sequential_authentications` threshold then the counter will be reset.
+- `max_failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — Maximum count of sequential authentication failures.
+- `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — The total query execution time, in seconds (wall time).
+- `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — Maximum of query execution time.
 
 ## See Also {#see-also}
 

diff --git a/docs/en/sql-reference/statements/create/quota.md b/docs/en/sql-reference/statements/create/quota.md
@@ -21,7 +21,7 @@ CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]
 
 Keys `user_name`, `ip_address`, `client_key`, `client_key, user_name` and `client_key, ip_address` correspond to the fields in the [system.quotas](../../../operations/system-tables/quotas.md) table.
 
-Parameters `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time` correspond to the fields in the [system.quotas_usage](../../../operations/system-tables/quotas_usage.md) table.
+Parameters `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time`, `failed_sequential_authentications` correspond to the fields in the [system.quotas_usage](../../../operations/system-tables/quotas_usage.md) table.
 
 `ON CLUSTER` clause allows creating quotas on a cluster, see [Distributed DDL](../../../sql-reference/distributed-ddl.md).
 

diff --git a/docs/ru/operations/system-tables/quota_usage.md b/docs/ru/operations/system-tables/quota_usage.md
@@ -26,8 +26,11 @@ slug: /ru/operations/system-tables/quota_usage
 -   `max_read_rows` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — максимальное количество строк, считываемых из всех таблиц и табличных функций, участвующих в запросах.
 -   `read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — общее количество байт, считанных из всех таблиц и табличных функций, участвующих в запросах.
 -   `max_read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — максимальное количество байт, считываемых из всех таблиц и табличных функций.
--   `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — общее время выполнения запроса, в секундах.
--   `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — максимальное время выполнения запроса.
+- `failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — Общее количество неудачных попыток подряд ввести пароль. Если пользователь ввел верный пароль до преодоления порогового значения `max_failed_sequential_authentications` то счетчик неудачных попыток будет сброшен.
+- `max_failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — Максимальное количество неудачных попыток подряд ввести пароль.
+-   `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — общее время выполнения запроса, в секундах.
+-   `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — максимальное время выполнения запроса.
+
 
 ## Смотрите также {#see-also}
 

diff --git a/docs/ru/operations/system-tables/quotas_usage.md b/docs/ru/operations/system-tables/quotas_usage.md
@@ -29,9 +29,10 @@ slug: /ru/operations/system-tables/quotas_usage
 -   `max_read_rows` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — максимальное количество строк, считываемых из всех таблиц и табличных функций, участвующих в запросах.
 -   `read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — общее количество байт, считанных из всех таблиц и табличных функций, участвующих в запросах.
 -   `max_read_bytes` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/int-uint.md))) — максимальное количество байт, считываемых из всех таблиц и табличных функций.
+- `failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — Общее количество неудачных попыток подряд ввести пароль. Если пользователь ввел верный пароль до преодоления порогового значения `max_failed_sequential_authentications` то счетчик неудачных попыток будет сброшен.
+- `max_failed_sequential_authentications` ([Nullable](../../sql-reference/data-types/nullable.md)([UInt64](../../sql-reference/data-types/float.md))) — Максимальное количество неудачных попыток подряд ввести пароль.
 -   `execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — общее время выполнения запроса, в секундах.
 -   `max_execution_time` ([Nullable](../../sql-reference/data-types/nullable.md)([Float64](../../sql-reference/data-types/float.md))) — максимальное время выполнения запроса.
-
 ## Смотрите также {#see-also}
 
 -   [SHOW QUOTA](../../sql-reference/statements/show.md#show-quota-statement)
diff --git a/docs/ru/sql-reference/statements/alter/quota.md b/docs/ru/sql-reference/statements/alter/quota.md
@@ -22,7 +22,7 @@ ALTER QUOTA [IF EXISTS] name [ON CLUSTER cluster_name]
 
 Ключи `user_name`, `ip_address`, `client_key`, `client_key, user_name` и `client_key, ip_address` соответствуют полям таблицы [system.quotas](../../../operations/system-tables/quotas.md).
 
-Параметры `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time` соответствуют полям таблицы [system.quotas_usage](../../../operations/system-tables/quotas_usage.md).
+Параметры `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time`, `failed_sequential_authentications` соответствуют полям таблицы [system.quotas_usage](../../../operations/system-tables/quotas_usage.md).
 
 В секции `ON CLUSTER` можно указать кластеры, на которых создается квота, см. [Распределенные DDL запросы](../../../sql-reference/distributed-ddl.md).
 

diff --git a/docs/ru/sql-reference/statements/create/quota.md b/docs/ru/sql-reference/statements/create/quota.md
@@ -20,7 +20,7 @@ CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]
 ```
 Ключи `user_name`, `ip_address`, `client_key`, `client_key, user_name` и `client_key, ip_address` соответствуют полям таблицы [system.quotas](../../../operations/system-tables/quotas.md).
 
-Параметры `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time` соответствуют полям таблицы [system.quotas_usage](../../../operations/system-tables/quotas_usage.md).
+Параметры `queries`, `query_selects`, `query_inserts`, `errors`, `result_rows`, `result_bytes`, `read_rows`, `read_bytes`, `execution_time`, `failed_sequential_authentications` соответствуют полям таблицы [system.quotas_usage](../../../operations/system-tables/quotas_usage.md).
 
 В секции `ON CLUSTER` можно указать кластеры, на которых создается квота, см. [Распределенные DDL запросы](../../../sql-reference/distributed-ddl.md).
 

diff --git a/src/Access/AccessControl.cpp b/src/Access/AccessControl.cpp
@@ -559,12 +559,33 @@ AccessChangesNotifier & AccessControl::getChangesNotifier()
 }
 
 
-AuthResult AccessControl::authenticate(const Credentials & credentials, const Poco::Net::IPAddress & address) const
+AuthResult AccessControl::authenticate(const Credentials & credentials, const Poco::Net::IPAddress & address, const String & forwarded_address) const
 {
+    // NOTE: In the case where the user has never been logged in using LDAP,
+    // Then user_id is not generated, and the authentication quota will always be nullptr.
+    auto authentication_quota = getAuthenticationQuota(credentials.getUserName(), address, forwarded_address);
+    if (authentication_quota)
+    {
+        /// Reserve a single try from the quota to check whether we have another authentication try.
+        /// This is required for correct behavior in this situation:
+        /// User has 1 login failures quota.
+        /// * At the first login with an invalid password: Increase the quota counter. 1 (used) > 1 (max) is false.
+        ///   Then try to authenticate the user and throw an AUTHENTICATION_FAILED error.
+        /// * In case of the second try: increase quota counter, 2 (used) > 1 (max), then throw QUOTA_EXCEED
+        ///   and don't let the user authenticate.
+        ///
+        /// The authentication failures counter will be reset after successful authentication.
+        authentication_quota->used(QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS, 1);
+    }
+
     try
     {
-        return MultipleAccessStorage::authenticate(credentials, address, *external_authenticators, allow_no_password,
-                                                   allow_plaintext_password);
+        const auto auth_result = MultipleAccessStorage::authenticate(credentials, address, *external_authenticators, allow_no_password,
+                                                                     allow_plaintext_password);
+        if (authentication_quota)
+            authentication_quota->reset(QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS);
+
+        return auth_result;
     }
     catch (...)
     {
@@ -763,7 +784,34 @@ std::shared_ptr<const EnabledQuota> AccessControl::getEnabledQuota(
     const String & forwarded_address,
     const String & custom_quota_key) const
 {
-    return quota_cache->getEnabledQuota(user_id, user_name, enabled_roles, address, forwarded_address, custom_quota_key);
+    return quota_cache->getEnabledQuota(user_id, user_name, enabled_roles, address, forwarded_address, custom_quota_key, true);
+}
+
+std::shared_ptr<const EnabledQuota> AccessControl::getAuthenticationQuota(
+    const String & user_name, const Poco::Net::IPAddress & address, const std::string & forwarded_address) const
+{
+    auto user_id = find<User>(user_name);
+    UserPtr user;
+    if (user_id && (user = tryRead<User>(*user_id)))
+    {
+        const auto new_current_roles = user->granted_roles.findGranted(user->default_roles);
+        const auto roles_info = getEnabledRolesInfo(new_current_roles, {});
+
+        // client_key is not received at the moment of authentication during TCP connection
+        // if key type is set to QuotaKeyType::CLIENT_KEY
+        // QuotaCache::QuotaInfo::calculateKey will throw exception without throw_if_client_key_empty = false
+        String quota_key;
+        bool throw_if_client_key_empty = false;
+        return quota_cache->getEnabledQuota(*user_id,
+                                            user->getName(),
+                                            roles_info->enabled_roles,
+                                            address,
+                                            forwarded_address,
+                                            quota_key,
+                                            throw_if_client_key_empty);
+    }
+    else
+        return nullptr;
 }
 
 

diff --git a/src/Access/AccessControl.h b/src/Access/AccessControl.h
@@ -118,7 +118,7 @@ class AccessControl : public MultipleAccessStorage
     scope_guard subscribeForChanges(const UUID & id, const OnChangedHandler & handler) const;
     scope_guard subscribeForChanges(const std::vector<UUID> & ids, const OnChangedHandler & handler) const;
 
-    AuthResult authenticate(const Credentials & credentials, const Poco::Net::IPAddress & address) const;
+    AuthResult authenticate(const Credentials & credentials, const Poco::Net::IPAddress & address, const String & forwarded_address) const;
 
     /// Makes a backup of access entities.
     void restoreFromBackup(RestorerFromBackup & restorer) override;
@@ -206,6 +206,11 @@ class AccessControl : public MultipleAccessStorage
         const String & forwarded_address,
         const String & custom_quota_key) const;
 
+    std::shared_ptr<const EnabledQuota> getAuthenticationQuota(
+        const String & user_name,
+        const Poco::Net::IPAddress & address,
+        const std::string & forwarded_address) const;
+
     std::vector<QuotaUsage> getAllQuotasUsage() const;
 
     std::shared_ptr<const EnabledSettings> getEnabledSettings(

diff --git a/src/Access/Common/QuotaDefs.cpp b/src/Access/Common/QuotaDefs.cpp
@@ -111,6 +111,11 @@ const QuotaTypeInfo & QuotaTypeInfo::get(QuotaType type)
             static const auto info = make_info("WRITTEN_BYTES", 1);
             return info;
         }
+        case QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS:
+        {
+            static const auto info = make_info("FAILED_SEQUENTIAL_AUTHENTICATIONS", 1);
+            return info;
+        }
         case QuotaType::MAX: break;
     }
     throw Exception(ErrorCodes::LOGICAL_ERROR, "Unexpected quota type: {}", static_cast<int>(type));

diff --git a/src/Access/Common/QuotaDefs.h b/src/Access/Common/QuotaDefs.h
@@ -11,16 +11,17 @@ using QuotaValue = UInt64;
 /// Kinds of resource what we wish to quota.
 enum class QuotaType
 {
-    QUERIES,        /// Number of queries.
-    QUERY_SELECTS,  /// Number of select queries.
-    QUERY_INSERTS,  /// Number of insert queries.
-    ERRORS,         /// Number of queries with exceptions.
-    RESULT_ROWS,    /// Number of rows returned as result.
-    RESULT_BYTES,   /// Number of bytes returned as result.
-    READ_ROWS,      /// Number of rows read from tables.
-    READ_BYTES,     /// Number of bytes read from tables.
-    EXECUTION_TIME, /// Total amount of query execution time in nanoseconds.
-    WRITTEN_BYTES,  /// Number of bytes written to tables.
+    QUERIES,                                /// Number of queries.
+    QUERY_SELECTS,                          /// Number of select queries.
+    QUERY_INSERTS,                          /// Number of insert queries.
+    ERRORS,                                 /// Number of queries with exceptions.
+    RESULT_ROWS,                            /// Number of rows returned as result.
+    RESULT_BYTES,                           /// Number of bytes returned as result.
+    READ_ROWS,                              /// Number of rows read from tables.
+    READ_BYTES,                             /// Number of bytes read from tables.
+    EXECUTION_TIME,                         /// Total amount of query execution time in nanoseconds.
+    WRITTEN_BYTES,                          /// Number of bytes written to tables.
+    FAILED_SEQUENTIAL_AUTHENTICATIONS,      /// Number of recent failed authentications.
 
     MAX
 };

diff --git a/src/Access/EnabledQuota.cpp b/src/Access/EnabledQuota.cpp
@@ -105,6 +105,16 @@ struct EnabledQuota::Impl
         std::uniform_int_distribution<Int64> distribution{0, count - 1};
         return std::chrono::system_clock::duration(distribution(thread_local_rng));
     }
+
+    static void resetQuotaValue(const Intervals & intervals, QuotaType quota_type, QuotaValue value, std::chrono::system_clock::time_point current_time)
+    {
+        const auto quota_type_i = static_cast<size_t>(quota_type);
+        for (const auto & interval : intervals.intervals)
+        {
+            interval.used[quota_type_i] = value;
+            interval.getEndOfInterval(current_time);
+        }
+    }
 };
 
 
@@ -285,6 +295,12 @@ void EnabledQuota::checkExceeded(QuotaType quota_type) const
 }
 
 
+void EnabledQuota::reset(QuotaType quota_type) const
+{
+    const auto loaded = intervals.load();
+    Impl::resetQuotaValue(*loaded, quota_type, 0, std::chrono::system_clock::now());
+}
+
 std::optional<QuotaUsage> EnabledQuota::getUsage() const
 {
     auto loaded = intervals.load();

diff --git a/src/Access/EnabledQuota.h b/src/Access/EnabledQuota.h
@@ -52,6 +52,8 @@ class EnabledQuota : public boost::noncopyable
     void checkExceeded() const;
     void checkExceeded(QuotaType quota_type) const;
 
+    void reset(QuotaType quota_type) const;
+
     /// Returns the information about quota consumption.
     std::optional<QuotaUsage> getUsage() const;