Do not allow to reuse previous credentials in case of inter-server secret #29060
Merged
robot-clickhouse added the pr-bugfix label (Pull request with bugfix, not backported by default) Sep 15, 2021
Cc: @vitlibar
azat force-pushed the inter-server-secret-auth-fix branch from 125808b to 7f1160c (September 17, 2021 19:07)
@alexey-milovidov maybe you can take a look? (or ping @vitlibar somehow / or at least assign the PR to him)
@vitlibar can you please take a look?
vitlibar reviewed Sep 27, 2021
azat force-pushed the inter-server-secret-auth-fix branch from 7f1160c to 1127bcd (September 27, 2021 20:51)
azat force-pushed the inter-server-secret-auth-fix branch 2 times, most recently from 4bf96c8 to 7599b42 (September 28, 2021 06:09)
vitlibar reviewed Sep 28, 2021
azat force-pushed the inter-server-secret-auth-fix branch 2 times, most recently from c78a077 to 770e096 (September 28, 2021 19:48)
@alesapin can you take a look at CI? Looks like it's hung?
vitlibar reviewed Sep 29, 2021
azat force-pushed the inter-server-secret-auth-fix branch 4 times, most recently from db3bed5 to c087fc0 (September 30, 2021 08:16)
Can someone add
azat force-pushed the inter-server-secret-auth-fix branch 2 times, most recently from 7d95e09 to 72ac401 (September 30, 2021 21:46)
vitlibar approved these changes Sep 30, 2021
v2: ensure that the test fails with the version w/o fix
v3: force connect by modifying config and reload it
v4: add comments
…cret

Before this patch INSERT via Buffer/Kafka may re-use previously set user for that connection, while this is not correct, it should reset the user, and use global context.

Note, before [1] there was a fallback to default user, but that code had been removed, and now it got back.

  [1]: 0159c74 ("Secure inter-cluster query execution (with initial_user as current query user) [v3]")

Also note, that context for Buffer table (and others) cannot be changed, since they don't have any user only profile.

I've tested this patch manually using the following:

    create table dist (key Int) engine=Distributed(test_cluster_two_shards_secure, default, data, key);
    create table buffer (key Int) engine=Buffer(default, dist, 1, 0, 0, 0, 0, 0, 0);
    create table data (key Int) engine=Memory();

    # to start the connection with readonly user
    $ clickhouse-client --user readonly -q 'select * from dist'

    $ clickhouse-client -q 'insert into buffer values (1)'
    # before this patch this produces errors like:
    # 2021.09.27 23:46:48.384920 [ 19474 ] {} <Error> default.dist.DirectoryMonitor: Code: 164. DB::Exception: Received from 127.0.0.2:9000. DB::Exception: readonly: Cannot execute query in readonly mode. Stack trace:

v2: reset the authentication instead of using default user (as suggested by @vitlibar)
v3: reset Session::user and introduce ClientInfo::resetAuthentication (as suggested by @vitlibar)
v4: reset the session every time in interserver mode (suggested by @vitlibar)
…RSERVER

In this case there can be no user.

CI report [1]:

    Address: 0x1f Access: read. Address not mapped to object.
    Stack trace: 0x24494b2f 0x244784c6 0x260fe1af 0x260ed672 0x260ddffa 0x26104880 0x2d62f3af 0x2d6300a1 0x2d926666 0x2d91fb7a 0x7f8bcea3c609 0x7f8bce963293
    3.1. inlined from ./obj-x86_64-linux-gnu/../contrib/libcxx/include/string:0: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::operator=(std::__1::basic_string>
    3. ../src/Interpreters/SessionLog.cpp:216: DB::SessionLog::addLoginSuccess(StrongTypedef<wide::integer<128ul, unsigned int>, DB::UUIDTag> const&, std::__1::optional<std::__1::basic_string<char, st>
    4. ./obj-x86_64-linux-gnu/../src/Interpreters/Session.cpp:0: DB::Session::makeQueryContextImpl(DB::ClientInfo const*, DB::ClientInfo*) const @ 0x244784c6 in /usr/bin/clickhouse
    5.1. inlined from ./obj-x86_64-linux-gnu/../contrib/libcxx/include/memory:3299: std::__1::shared_ptr<DB::Context>::swap(std::__1::shared_ptr<DB::Context>&)
    5.2. inlined from ../contrib/libcxx/include/memory:3243: std::__1::shared_ptr<DB::Context>::operator=(std::__1::shared_ptr<DB::Context>&&)
    5. ../src/Server/TCPHandler.cpp:1208: DB::TCPHandler::receiveQuery() @ 0x260fe1af in /usr/bin/clickhouse
    6. ./obj-x86_64-linux-gnu/../src/Server/TCPHandler.cpp:0: DB::TCPHandler::receivePacket() @ 0x260ed672 in /usr/bin/clickhouse
    7. ./obj-x86_64-linux-gnu/../src/Server/TCPHandler.cpp:0: DB::TCPHandler::runImpl() @ 0x260ddffa in /usr/bin/clickhouse
    8. ./obj-x86_64-linux-gnu/../src/Server/TCPHandler.cpp:1643: DB::TCPHandler::run() @ 0x26104880 in /usr/bin/clickhouse

  [1]: https://clickhouse-test-reports.s3.yandex.net/29060/c087fc0ed5fbea133eb3dc3a64b8db93a81d0ece/integration_tests_flaky_check_(asan).html#fail1
azat force-pushed the inter-server-secret-auth-fix branch from 72ac401 to 91f6cf4 (September 30, 2021 22:13)
Hung?
This was referenced Oct 1, 2021
robot-clickhouse pushed a commit that referenced this pull request Oct 6, 2021: …in case of inter-server secret
robot-clickhouse pushed a commit that referenced this pull request Oct 6, 2021: …n case of inter-server secret
vitlibar pushed a commit that referenced this pull request Oct 12, 2021: Backport #29060 to 21.10: Do not allow to reuse previous credentials in case of inter-server secret
vitlibar pushed a commit that referenced this pull request Oct 13, 2021: Backport #29060 to 21.9: Do not allow to reuse previous credentials in case of inter-server secret
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Do not allow to reuse previous credentials in case of inter-server secret (Before INSERT via Buffer/Kafka to Distributed table with interserver secret configured for that cluster, may re-use previously set user for that connection)
Fixes: #13156