Add `role` query parameter to the HTTP interface #62669

Merged: vitlibar merged 13 commits into ClickHouse:master from slvrtrn:http-interface-role-query-param on Apr 17, 2024

Changes from 10 commits
Commits:

098cc92 Add role query param to the HTTP interface (slvrtrn)
d8fca3b Merge remote-tracking branch 'origin' into http-interface-role-query-… (slvrtrn)
3611415 Add tests for the role query parameter (slvrtrn)
05327c5 Add test number prefix to the role param tests (slvrtrn)
2134b74 Add HTTP interface docs (slvrtrn)
9889109 Fix tests, fix error message (slvrtrn)
ddecb0e Fix permissions issue (slvrtrn)
f4af7e1 Merge remote-tracking branch 'origin' into http-interface-role-query-… (slvrtrn)
bb6d5d8 Support multiple roles via HTTP, update tests (slvrtrn)
665b191 Update HTTP docs (slvrtrn)
fd81810 Use SET_NON_GRANTED_ROLE error code instead of ACCESS_DENIED (slvrtrn)
0718a31 Add NameValueCollection::getAll method (slvrtrn)
d9fd79e Drop test role, disable parallel execution for 03096_role (slvrtrn)
39 changes: 39 additions & 0 deletions
tests/queries/0_stateless/03096_http_interface_role_query_param.reference
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
### Shows the default role when there are no role parameters | ||
03096_role_query_param_role_enabled_by_default | ||
### Shows a single role from the query parameters | ||
03096_role_query_param_role1 | ||
### Shows multiple roles from the query parameters | ||
03096_role_query_param_role1 | ||
03096_role_query_param_role2 | ||
### Sets the default role alongside with another granted one | ||
03096_role_query_param_role1 | ||
03096_role_query_param_role_enabled_by_default | ||
### Sets a role with special characters in the name | ||
03096_role_query_param_@!\\$ | ||
### Sets a role with special characters in the name with another granted role | ||
03096_role_query_param_@!\\$ | ||
03096_role_query_param_role1 | ||
### Sets a role once when it's present in the query parameters multiple times | ||
03096_role_query_param_role1 | ||
### Sets a role when there are other parameters in the query (before the role parameter) | ||
03096_role_query_param_role1 | ||
max_result_rows 42 | ||
### Sets a role when there are other parameters in the query (after the role parameter) | ||
03096_role_query_param_role1 | ||
max_result_rows 42 | ||
### Sets multiple roles when there are other parameters in the query | ||
03096_role_query_param_role1 | ||
03096_role_query_param_role2 | ||
max_result_rows 42 | ||
### Cannot set a role that is not granted to the user (single parameter) | ||
Code: 497 | ||
ACCESS_DENIED | ||
### Cannot set a role that is not granted to the user (multiple parameters) | ||
Code: 497 | ||
ACCESS_DENIED | ||
### Cannot set a role that does not exist (single parameter) | ||
Code: 511 | ||
UNKNOWN_ROLE | ||
### Cannot set a role that does not exist (multiple parameters) | ||
Code: 511 | ||
UNKNOWN_ROLE |
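
Review bot: the two "Cannot set a role that is not granted to the user" cases near the end of this reference expect `Code: 497` / `ACCESS_DENIED`, the general access-denied error, so the expected output would still match if the request were rejected for an unrelated missing privilege rather than because the role is not granted to the user. A role-specific error would make the expectation precise and lets clients tell the two failures apart; the commit list on this page includes "Use SET_NON_GRANTED_ROLE error code instead of ACCESS_DENIED", and these four lines have to be updated together with that change. It would also help to state in the test title for "Shows a single role from the query parameters" that the default role is replaced, not extended, since the expected output lists only `03096_role_query_param_role1`.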
102 changes: 102 additions & 0 deletions
tests/queries/0_stateless/03096_http_interface_role_query_param.sh
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
#!/usr/bin/env bash | ||
|
||
CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) | ||
# shellcheck source=../shell_config.sh | ||
. "$CUR_DIR"/../shell_config.sh | ||
|
||
TEST_USER="03096_role_query_param_user" | ||
TEST_USER_AUTH="$TEST_USER:" | ||
|
||
TEST_ROLE1="03096_role_query_param_role1" | ||
TEST_ROLE2="03096_role_query_param_role2" | ||
TEST_ROLE_ENABLED_BY_DEFAULT="03096_role_query_param_role_enabled_by_default" | ||
TEST_ROLE_NOT_GRANTED="03096_role_query_param_role_not_granted" | ||
TEST_ROLE_SPECIAL_CHARS="\`03096_role_query_param_@!\\$\`" # = CREATE ROLE `03096_role_query_param_@!\$` | ||
TEST_ROLE_SPECIAL_CHARS_URLENCODED="03096_role_query_param_%40!%5C%24" | ||
|
||
CHANGED_SETTING_NAME="max_result_rows" | ||
CHANGED_SETTING_VALUE="42" | ||
|
||
SHOW_CURRENT_ROLES_QUERY="SELECT role_name FROM system.current_roles ORDER BY role_name ASC" | ||
SHOW_CHANGED_SETTINGS_QUERY="SELECT name, value FROM system.settings WHERE changed = 1 AND name = '$CHANGED_SETTING_NAME' ORDER BY name ASC" | ||
|
||
$CLICKHOUSE_CLIENT -n --query " | ||
DROP USER IF EXISTS $TEST_USER; | ||
DROP ROLE IF EXISTS $TEST_ROLE1; | ||
DROP ROLE IF EXISTS $TEST_ROLE2; | ||
DROP ROLE IF EXISTS $TEST_ROLE_ENABLED_BY_DEFAULT; | ||
DROP ROLE IF EXISTS $TEST_ROLE_NOT_GRANTED; | ||
DROP ROLE IF EXISTS $TEST_ROLE_SPECIAL_CHARS; | ||
CREATE USER $TEST_USER NOT IDENTIFIED; | ||
CREATE ROLE $TEST_ROLE_ENABLED_BY_DEFAULT; | ||
GRANT $TEST_ROLE_ENABLED_BY_DEFAULT TO $TEST_USER; | ||
SET DEFAULT ROLE $TEST_ROLE_ENABLED_BY_DEFAULT TO $TEST_USER; | ||
CREATE ROLE $TEST_ROLE1; | ||
GRANT $TEST_ROLE1 TO $TEST_USER; | ||
CREATE ROLE $TEST_ROLE2; | ||
GRANT $TEST_ROLE2 TO $TEST_USER; | ||
CREATE ROLE $TEST_ROLE_SPECIAL_CHARS; | ||
GRANT $TEST_ROLE_SPECIAL_CHARS TO $TEST_USER; | ||
CREATE ROLE $TEST_ROLE_NOT_GRANTED; | ||
" | ||
|
||
echo "### Shows the default role when there are no role parameters" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Shows a single role from the query parameters" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Shows multiple roles from the query parameters" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=$TEST_ROLE2" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Sets the default role alongside with another granted one" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_ENABLED_BY_DEFAULT&role=$TEST_ROLE1" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Sets a role with special characters in the name" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_SPECIAL_CHARS_URLENCODED" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Sets a role with special characters in the name with another granted role" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_SPECIAL_CHARS_URLENCODED&role=$TEST_ROLE1" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Sets a role once when it's present in the query parameters multiple times" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=$TEST_ROLE1" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
|
||
echo "### Sets a role when there are other parameters in the query (before the role parameter)" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE1" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE1" --data-binary "$SHOW_CHANGED_SETTINGS_QUERY" | ||
|
||
echo "### Sets a role when there are other parameters in the query (after the role parameter)" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE" --data-binary "$SHOW_CHANGED_SETTINGS_QUERY" | ||
|
||
echo "### Sets multiple roles when there are other parameters in the query" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE2" --data-binary "$SHOW_CURRENT_ROLES_QUERY" | ||
$CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE2" --data-binary "$SHOW_CHANGED_SETTINGS_QUERY" | ||
|
||
echo "### Cannot set a role that is not granted to the user (single parameter)" | ||
OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY") | ||
echo -ne $OUT | grep -o "Code: 497" || echo "expected code 497, got: $OUT" | ||
echo -ne $OUT | grep -o "ACCESS_DENIED" || echo "expected ACCESS_DENIED error, got: $OUT" | ||
|
||
echo "### Cannot set a role that is not granted to the user (multiple parameters)" | ||
OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY") | ||
echo -ne $OUT | grep -o "Code: 497" || echo "expected code 497, got: $OUT" | ||
echo -ne $OUT | grep -o "ACCESS_DENIED" || echo "expected ACCESS_DENIED error, got: $OUT" | ||
|
||
echo "### Cannot set a role that does not exist (single parameter)" | ||
OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=aaaaaaaaaaa" --data-binary "$SHOW_CURRENT_ROLES_QUERY") | ||
echo -ne $OUT | grep -o "Code: 511" || echo "expected code 511, got: $OUT" | ||
echo -ne $OUT | grep -o "UNKNOWN_ROLE" || echo "expected UNKNOWN_ROLE error, got: $OUT" | ||
|
||
echo "### Cannot set a role that does not exist (multiple parameters)" | ||
OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=aaaaaaaaaaa" --data-binary "$SHOW_CURRENT_ROLES_QUERY") | ||
echo -ne $OUT | grep -o "Code: 511" || echo "expected code 511, got: $OUT" | ||
echo -ne $OUT | grep -o "UNKNOWN_ROLE" || echo "expected UNKNOWN_ROLE error, got: $OUT" | ||
|
||
$CLICKHOUSE_CLIENT -n --query " | ||
DROP USER $TEST_USER; | ||
DROP ROLE $TEST_ROLE1; | ||
DROP ROLE $TEST_ROLE_ENABLED_BY_DEFAULT; | ||
DROP ROLE $TEST_ROLE_NOT_GRANTED; | ||
DROP ROLE $TEST_ROLE_SPECIAL_CHARS; | ||
" |
Let's move this algorithm extracting multiple values of a parameter to the class of `params`.

@vitlibar, this is coming from Poco, namely, `Poco::ListMap`, if I am not mistaken; is it OK to add it there? I assume it is since it is included in the CH source code and not as a contrib module.

I added a new `NameValueCollection::getAll` method to extract all the parameters. It might be useful in the future.

Well, I thought about modifying `DB::HTMLForm` actually, but probably modifying `NameValueCollection` is also ok.