Added maximum sequential login failures to the quota. #54737
src/Access/IAccessStorage.cpp (outdated)
auto new_current_roles = user->granted_roles.findGranted(user->default_roles);
const auto & access = Context::getGlobalContextInstance()->getAccessControl();
auto roles_info = access.getEnabledRolesInfo(new_current_roles, {});
const std::string custom_quota_key = ""; // TODO: Where do we get it?

assert(assert);
auto enabled_quota = access.getEnabledQuota(*id,
credentials.getUserName(),
roles_info->enabled_roles,
address,
forwarded_address,
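Review bot: assert(assert); on the line before the getEnabledQuota call is not a valid check: it passes the assert macro itself as the condition, so it either fails to compile or asserts nothing; the value that actually needs checking is id, which is dereferenced as *id on the next line, so assert(id); is presumably what was meant. The custom_quota_key = "" with its TODO is also the open question raised in this thread: an empty key makes a CLIENT_KEY-keyed quota throw QUOTA_REQUIRES_CLIENT_KEY, so this path needs either a defined key or an explicit decision that authentication quotas are not keyed by client key.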
How can I get a quota key from the TCP client here?
At the moment of the authentication, we have not received client_key (quota_key) from the client.
I created a function getting the quota for authentication with a constant quota key:
std::shared_ptr<const EnabledQuota> getAuthenticationQuota(UUID user_id,
                                                           const UserPtr & user,
                                                           const Poco::Net::IPAddress & address,
                                                           const std::string & forwarded_address)
{
    /// During the authentication process, client_key is not received from the TCP client.
    /// Use a predefined authentication quota key and always receive the same Interval object
    /// to avoid throwing exceptions in case of the QuotaKeyType::CLIENT_KEY key type.
    constexpr auto AUTHENTICATION_QUOTA_KEY = "_AUTHENTICATION_QUOTA_KEY_";
    auto new_current_roles = user->granted_roles.findGranted(user->default_roles);
    const auto & access = Context::getGlobalContextInstance()->getAccessControl();
    auto roles_info = access.getEnabledRolesInfo(new_current_roles, {});
    auto enabled_quota = access.getEnabledQuota(user_id,
                                                user->getName(),
                                                roles_info->enabled_roles,
                                                address,
                                                forwarded_address,
                                                AUTHENTICATION_QUOTA_KEY);
    return enabled_quota;
}
This solution will ignore the further quota received by the TCP connection. This solution will work with QuotaKeyType::CLIENT_KEY.
_AUTHENTICATION_QUOTA_KEY_: it looks too scary; we shouldn't have it in the code...
Good day, Alexey
I updated the code. Now it does not have conflicts and _AUTHENTICATION_QUOTA_KEY_, but we still have to provide quota_key to AccessControl::getEnabledQuota. During a TCP connection, quota_key (i.e. client_key) is sent after authentication, but the failed login attempt count should be checked before authentication is finished, so we can't get the quota key from the user.
Without anything passed to the quota, we will get an exception in case of QuotaKeyType::CLIENT_KEY from this code:
String QuotaCache::QuotaInfo::calculateKey(const EnabledQuota & enabled) const
{
...
throw Exception(
ErrorCodes::QUOTA_REQUIRES_CLIENT_KEY,
"Quota {} (for user {}) requires a client supplied key.",
quota->getName(),
params.user_name);
...
}
As a workaround, I added a parameter throw_if_client_key_empty for the authentication quota case.
String QuotaCache::QuotaInfo::calculateKey(const EnabledQuota & enabled, bool throw_if_client_key_empty) const
{
...
if (throw_if_client_key_empty)
throw Exception(
ErrorCodes::QUOTA_REQUIRES_CLIENT_KEY,
"Quota {} (for user {}) requires a client supplied key.",
quota->getName(),
params.user_name);
...
}
The issue is solved, but I'm not sure that this solution is good enough.
Please advise me if you have a better idea of how to solve this.
Good day everyone! Please assign a reviewer to this pull request and add the label can be tested. Please also keep in mind these features coming from these changes:
I reviewed it and found the code somewhat scary...
src/Access/IAccessStorage.cpp (outdated)
constexpr auto AUTHENTICATION_QUOTA_KEY = "_AUTHENTICATION_QUOTA_KEY_";
const auto new_current_roles = user->granted_roles.findGranted(user->default_roles);
const auto & access = Context::getGlobalContextInstance()->getAccessControl();
Scary in this line.
@alexey-milovidov I discussed with @Demilivor: line No 57 is really scary. It should be refactored.
It seems like many parts of the code related to quotas were changed during the past 3 months. We probably need more guidance from core ClickHouse, Inc. developers about the implementation of the "maximum sequential login failures" feature.
Right now @Demilivor is on another project, but he will return to this PR after we discuss it with our management. The task is still relevant for our company.
I moved this code to another place, and now my code does not call Context::getGlobalContextInstance()->getAccessControl().
@rschu1ze and @tavplubix could you set
The PR was created in September 2023 and we have restarted work on it. I see in the git history that @pufit, @kitaisreal, @yakov-olkhovskiy and @vitlibar also worked on AccessControl/quotas. We need some guidance to finally implement this feature. We may do a complete refactoring or implement a new approach from scratch if you suggest so. For example, we are considering the creation of a new system table
This is an automated comment for commit 076fb1d with description of existing statuses. It's updated for the latest CI running.
src/Access/AccessControl.cpp (outdated)
{
try
{
return MultipleAccessStorage::authenticate(credentials, address, *external_authenticators, allow_no_password,
allow_plaintext_password);
const auto auth_result = MultipleAccessStorage::authenticate(credentials, address, *external_authenticators, allow_no_password,
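Review bot: the new const auto auth_result = MultipleAccessStorage::authenticate(...) call sits inside the try before any quota check, so a login whose failed-authentication quota is already exceeded still performs a full authentication, including whatever external_authenticators does remotely. Check the authentication quota first, call MultipleAccessStorage::authenticate() only when it is not exceeded, and reset the sequential-failure counter after a successful result; since this line replaces a direct return, make sure auth_result is still returned on the success path.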
It's not quite logically correct to always try to authenticate even if the quota is already exceeded. Also IAccessStorage::authenticate() can do some complex stuff, like connecting to another server. I think it's better to check the quota first, then call MultipleAccessStorage::authenticate(), and then reset the quota counter if everything is ok.
I would agree with you, but how do we get the quota without user_id? Do you know a way to get the user_id and quota for an unauthenticated user?
Now AuthResult returns user_id even if the user exists and user_id is read but authentication has failed (the password is incorrect).
> Do you know a way to get the user_id?
auto user_id = find<User>(credentials.getUserName())
Thanks. If that also works with users authenticated using LDAP, then we can avoid modifying AuthResult; I will try to implement it that way.
> If that will also work with users authenticated using LDAP
Well, LDAPAccessStorage::find<User>(credentials.getUserName()) returns nullopt if that user has not logged in before since the server started. So we cannot check the quota this time. But since it's the first time, the quota must not be already exceeded. And when the same user logs in again later, find<User>(credentials.getUserName()) will return a valid user_id, so the quota can be checked.
It seems that for a user who has never logged in successfully using LDAP the quota won't work, because with only failed attempts LDAPAccessStorage::authenticate() will never assign a user_id to that user and we can't check the quota.
I changed the code according to the suggestion to use find<User>, and I added a comment for the specific LDAP case.
@vitlibar Do you have more suggestions for this PR? I see the performance degradation. If needed, we may add a new option to the config.xml or users.xml (profile-based option?) file: <enable_failed_sequential_authentications>false</enable_failed_sequential_authentications> So it will be
I also discussed with management: partial LDAP support is OK for us. In the future, in addition to this approach it could be possible to implement other approaches (and corresponding new options to enable them).
src/Access/AccessControl.cpp (outdated)
{
std::shared_ptr<const EnabledQuota> authentication_quota;
try
This function looks a bit too complicated now. It's not necessary to check the quota twice (in checkExceeded and in used); the first checkExceeded should be enough. I believe this function can be written in a less complicated way:
auto authentication_quota = getAuthenticationQuota(credentials.getUserName());
if (authentication_quota)
checkAuthenticationQuota(*authentication_quota, credentials.getUserName()); /// throws QUOTA_EXCEEDED with user_name if exceeded
AuthResult auth_result;
try
{
auth_result = MultipleAccessStorage::authenticate(...);
}
catch (...)
{
tryLogCurrentException();
if (authentication_quota)
authentication_quota->used(... /* check_exceeded */ false); /// already checked before
throw ErrorCodes::AUTHENTICATION_FAILED;
}
if (authentication_quota)
authentication_quota->reset(QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS);
return auth_result;
Thanks for the suggestion!
Let's imagine the situation without checking quota->used(throw_exception = true):
We have a quota with FAILED_SEQUENTIAL_AUTHENTICATIONS = 1.
The user tries to login with the wrong password the first time:
* Call check_exceed (0 > 1 - FALSE)
* throw AUTHENTICATION_FAILED error (used_tries becomes 1)
The user tries to login with the wrong password the second time:
* Call check_exceed (1 > 1 - FALSE)
* throw AUTHENTICATION_FAILED error from throw ErrorCodes::AUTHENTICATION_FAILED (used_tries becomes 2) // <<-- This looks like the wrong behavior to me. I would desire to see the 'QUOTA_EXCEED' error here.
So the lines:
if (authentication_quota)
    authentication_quota->used(... /* check_exceeded */ false);
look more correct if check_exceeded is true. Then the sequence will be:
The user tries to login with the wrong password the first time:
* Call check_exceed (0 > 1 - FALSE)
* throw AUTHENTICATION_FAILED error (used_tries becomes 1)
The user tries to login with the wrong password the second time:
* Call check_exceed (1 > 1 - FALSE)
* throw QUOTA_EXCEED from authentication_quota->used(... /* check_exceeded */ true); (used_tries becomes 2)
Though it looks a bit strange that with FAILED_SEQUENTIAL_AUTHENTICATIONS = 1
we allow two login attempts. And there is no way to allow only one login attempt.
I don't like it either, but it's a feature of quotas that the condition is violated when used > max.
In this specific case, the condition used >= max would look better from the user's perspective. I would change the code inside EnabledQuota.cpp in these lines:
ClickHouse/src/Access/EnabledQuota.cpp, lines 56 to 66 in dfc761c:
    if (used > max)
    {
        bool counters_were_reset = false;
        auto end_of_interval = interval.getEndOfInterval(current_time, counters_were_reset);
        if (counters_were_reset)
            used = (interval.used[quota_type_i] += value);
        if (check_exceeded && (used > max))
            throwQuotaExceed(user_name, intervals.quota_name, quota_type, used, max, interval.duration, end_of_interval);
    }
}
ClickHouse/src/Access/EnabledQuota.cpp, lines 83 to 89 in dfc761c:
    if (used > max)
    {
        bool counters_were_reset = false;
        auto end_of_interval = interval.getEndOfInterval(current_time, counters_were_reset);
        if (!counters_were_reset)
            throwQuotaExceed(user_name, intervals.quota_name, quota_type, used, max, interval.duration, end_of_interval);
    }
Instead, we can use different conditions depending on QuotaType quota_type, like:
static bool compareQuotaValue(QuotaValue used, QuotaValue max, QuotaType quota_type)
{
    return quota_type == QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS ? used >= max : used > max;
}
and use compareQuotaValue(used, max, quota_type) instead of just used > max.
But I need confirmation that making such a change satisfies ClickHouse.
Now the code works as you proposed, but with authentication_quota->used(... /* check_exceeded */ true);
The default-generated exception from authentication_quota->checkExceed(...) already contains the user name:
Code: 201. DB::Exception: Received from localhost:9000. DB::Exception: Quota for user `2884_user_579116` for 3155695200s has been exceeded: failed_sequential_authentications = 2/1. Interval will end at 2069-12-31 06:00:00. Name of quota template: `2884_quota_579116`. (QUOTA_EXCEEDED)
> and use CompareQuotaValue(used, max, quota_type) instead of just used > max.
> But I need the confirmation that making such change satisfies ClickHouse.
I have another idea: let's just remove the call authentication_quota->used() after catch (...) and call it at the beginning instead of checkExceeded():
auto authentication_quota = getAuthenticationQuota(credentials.getUserName());
if (authentication_quota)
authentication_quota->used(FAILED_SEQUENTIAL_AUTHENTICATIONS, 1);
try
{
auto auth_result = MultipleAccessStorage::authenticate(...);
if (authentication_quota)
authentication_quota->reset(QuotaType::FAILED_SEQUENTIAL_AUTHENTICATIONS);
return auth_result;
}
catch (...)
{
tryLogCurrentException();
throw ErrorCodes::AUTHENTICATION_FAILED;
}
This way is not very intuitive however it seems it will work exactly as we want it to work. And it's also shorter.
We need a comment for used()
here though with a detailed description. About that we increase the counter of authentication failures in the beginning and reset it after a successful authentication. And we do that because if we don't have quota for a failed authentication then we shouldn't try to authenticate at all.
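To make the two orderings discussed in this thread concrete (the check-then-count variant from the earlier suggestion, and the count-first variant proposed here), the following added C++ model replays login attempts against a sequential-failure counter; it is example code written for this page, not ClickHouse's EnabledQuota, and the names FailedAuthQuota, Outcome and replay are assumptions.

```cpp
#include <stdexcept>
#include <string>
#include <vector>
/// Stand-alone model of the FAILED_SEQUENTIAL_AUTHENTICATIONS counter (hypothetical names;
/// it mirrors only the used/checkExceeded/reset shape of EnabledQuota, not its code).
enum class Outcome { OK, AUTHENTICATION_FAILED, QUOTA_EXCEEDED };
struct QuotaExceeded : std::runtime_error { using std::runtime_error::runtime_error; };

struct FailedAuthQuota
{
    unsigned max;        /// quota limit
    unsigned count = 0;  /// sequential failures so far; keeps growing past the limit
    /// Like EnabledQuota::used(): count first, then throw if used > max and the caller asked for the check.
    void use(bool check_exceeded)
    {
        ++count;
        if (check_exceeded && count > max)
            throw QuotaExceeded("failed_sequential_authentications = " + std::to_string(count) + "/" + std::to_string(max));
    }
    /// Like EnabledQuota::checkExceeded(): throw if already over the limit, without counting.
    void checkExceeded() const { if (count > max) throw QuotaExceeded("already exceeded"); }
    void reset() { count = 0; }
};

/// First proposal in the thread: check, authenticate, then count the failure without re-checking.
Outcome authenticateCheckFirst(FailedAuthQuota & quota, bool password_ok)
{
    try { quota.checkExceeded(); } catch (const QuotaExceeded &) { return Outcome::QUOTA_EXCEEDED; }
    if (!password_ok) { quota.use(/* check_exceeded */ false); return Outcome::AUTHENTICATION_FAILED; }
    quota.reset();
    return Outcome::OK;
}

/// Final ordering: count the attempt up front (refusing if the quota is already exhausted),
/// authenticate, and reset the counter only after success.
Outcome authenticateCountFirst(FailedAuthQuota & quota, bool password_ok)
{
    try { quota.use(/* check_exceeded */ true); } catch (const QuotaExceeded &) { return Outcome::QUOTA_EXCEEDED; }
    if (!password_ok) return Outcome::AUTHENTICATION_FAILED;
    quota.reset();
    return Outcome::OK;
}

/// Replays login attempts (true = correct password) against a fresh quota with the given limit.
struct Replay { std::vector<Outcome> outcomes; unsigned count; };
using Policy = Outcome (*)(FailedAuthQuota &, bool);
Replay replay(unsigned max, const std::vector<bool> & passwords, Policy policy)
{
    FailedAuthQuota quota{max};
    Replay result{};
    for (bool ok : passwords) result.outcomes.push_back(policy(quota, ok));
    result.count = quota.count;
    return result;
}
```

With max = 1 the count-first ordering yields AUTHENTICATION_FAILED and then QUOTA_EXCEEDED, i.e. the two attempts noted above, while the check-first ordering only refuses on the third attempt; the counter keeps growing while refused attempts continue.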
The implementation variant you suggested will work with this feature: authentication_quota->used will increase the failed authentication counter even if the quota was already exceeded; that looks fine to me.
Code is updated,
Now it works as desired.
Added maximum sequential login failures to the quota.
Related to #54450
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Added maximum sequential login failures to the quota.
Documentation entry for user-facing changes