Code cleanups and improvements.

Author: Vitaly Baranov

Diff for: programs/local/LocalServer.cpp

@@ -9,7 +9,6 @@
 #include <Databases/DatabaseMemory.h>
 #include <Storages/System/attachSystemTables.h>
 #include <Interpreters/ProcessList.h>
-#include <Interpreters/Session.h>
 #include <Interpreters/executeQuery.h>
 #include <Interpreters/loadMetadata.h>
 #include <Interpreters/DatabaseCatalog.h>
@@ -377,11 +376,13 @@ void LocalServer::processQueries()
 
     /// we can't mutate global global_context (can lead to races, as it was already passed to some background threads)
     /// so we can't reuse it safely as a query context and need a copy here
-    Session session(global_context, ClientInfo::Interface::TCP);
-    session.setUser("default", "", Poco::Net::SocketAddress{});
+    auto context = Context::createCopy(global_context);
 
-    auto context = session.makeQueryContext("");
+    context->makeSessionContext();
+    context->makeQueryContext();
 
+    context->authenticate("default", "", Poco::Net::SocketAddress{});
+    context->setCurrentQueryId("");
     applyCmdSettings(context);
 
     /// Use the same query_id (and thread group) for all queries

Diff for: programs/server/Server.cpp

@@ -47,13 +47,13 @@
 #include <Interpreters/ExternalDictionariesLoader.h>
 #include <Interpreters/ExternalModelsLoader.h>
 #include <Interpreters/ProcessList.h>
-#include <Interpreters/Session.h>
 #include <Interpreters/loadMetadata.h>
 #include <Interpreters/DatabaseCatalog.h>
 #include <Interpreters/DNSCacheUpdater.h>
 #include <Interpreters/ExternalLoaderXMLConfigRepository.h>
 #include <Interpreters/InterserverCredentials.h>
 #include <Interpreters/JIT/CompiledExpressionCache.h>
+#include <Interpreters/Session.h>
 #include <Access/AccessControlManager.h>
 #include <Storages/StorageReplicatedMergeTree.h>
 #include <Storages/System/attachSystemTables.h>
@@ -1429,7 +1429,7 @@ if (ThreadFuzzer::instance().isEffective())
 
         /// Must be done after initialization of `servers`, because async_metrics will access `servers` variable from its thread.
         async_metrics.start();
-        Session::enableNamedSessions();
+        Session::startupNamedSessions();
 
         {
             String level_str = config().getString("text_log.level", "");

Diff for: src/Access/ContextAccess.h

@@ -70,6 +70,7 @@ class ContextAccess
     /// Returns the current user. The function can return nullptr.
     UserPtr getUser() const;
     String getUserName() const;
+    std::optional<UUID> getUserID() const { return getParams().user_id; }
 
     /// Returns information about current and enabled roles.
     std::shared_ptr<const EnabledRolesInfo> getRolesInfo() const;

Diff for: src/Access/Credentials.h

@@ -26,6 +26,8 @@ class Credentials
     String user_name;
 };
 
+/// Does not check the password/credentials and that the specified host is allowed.
+/// (Used only internally in cluster, if the secret matches)
 class AlwaysAllowCredentials
     : public Credentials
 {

Diff for: src/Bridge/IBridgeHelper.cpp

@@ -5,6 +5,7 @@
 #include <Poco/Net/HTTPRequest.h>
 #include <Poco/URI.h>
 #include <filesystem>
+#include <thread>
 
 namespace fs = std::filesystem;
 

Diff for: src/Core/MySQL/Authentication.cpp

@@ -2,8 +2,6 @@
 #include <Core/MySQL/PacketsConnection.h>
 #include <Poco/RandomStream.h>
 #include <Poco/SHA1Engine.h>
-#include <Access/User.h>
-#include <Access/AccessControlManager.h>
 #include <Interpreters/Session.h>
 
 #include <common/logger_useful.h>
@@ -74,7 +72,7 @@ Native41::Native41(const String & password, const String & auth_plugin_data)
 }
 
 void Native41::authenticate(
-    const String & user_name, std::optional<String> auth_response, Session & session,
+    const String & user_name, Session & session, std::optional<String> auth_response,
     std::shared_ptr<PacketEndpoint> packet_endpoint, bool, const Poco::Net::SocketAddress & address)
 {
     if (!auth_response)
@@ -87,7 +85,7 @@ void Native41::authenticate(
 
     if (auth_response->empty())
     {
-        session.setUser(user_name, "", address);
+        session.authenticate(user_name, "", address);
         return;
     }
 
@@ -97,9 +95,7 @@ void Native41::authenticate(
                 + " bytes, received: " + std::to_string(auth_response->size()) + " bytes.",
             ErrorCodes::UNKNOWN_EXCEPTION);
 
-    const auto user_authentication = session.getUserAuthentication(user_name);
-
-    Poco::SHA1Engine::Digest double_sha1_value = user_authentication.getPasswordDoubleSHA1();
+    Poco::SHA1Engine::Digest double_sha1_value = session.getPasswordDoubleSHA1(user_name);
     assert(double_sha1_value.size() == Poco::SHA1Engine::DIGEST_SIZE);
 
     Poco::SHA1Engine engine;
@@ -112,7 +108,7 @@ void Native41::authenticate(
     {
         password_sha1[i] = digest[i] ^ static_cast<unsigned char>((*auth_response)[i]);
     }
-    session.setUser(user_name, password_sha1, address);
+    session.authenticate(user_name, password_sha1, address);
 }
 
 #if USE_SSL
@@ -137,7 +133,7 @@ Sha256Password::Sha256Password(RSA & public_key_, RSA & private_key_, Poco::Logg
 }
 
 void Sha256Password::authenticate(
-    const String & user_name, std::optional<String> auth_response, Session & session,
+    const String & user_name, Session & session, std::optional<String> auth_response,
     std::shared_ptr<PacketEndpoint> packet_endpoint, bool is_secure_connection, const Poco::Net::SocketAddress & address)
 {
     if (!auth_response)
@@ -232,7 +228,7 @@ void Sha256Password::authenticate(
         password.pop_back();
     }
 
-    session.setUser(user_name, password, address);
+    session.authenticate(user_name, password, address);
 }
 
 #endif

Diff for: src/Core/MySQL/Authentication.h

@@ -15,6 +15,7 @@
 
 namespace DB
 {
+class Session;
 
 namespace MySQLProtocol
 {
@@ -32,7 +33,7 @@ class IPlugin
     virtual String getAuthPluginData() = 0;
 
     virtual void authenticate(
-        const String & user_name, std::optional<String> auth_response, Session & session,
+        const String & user_name, Session & session, std::optional<String> auth_response,
         std::shared_ptr<PacketEndpoint> packet_endpoint, bool is_secure_connection, const Poco::Net::SocketAddress & address) = 0;
 };
 
@@ -49,7 +50,7 @@ class Native41 : public IPlugin
     String getAuthPluginData() override { return scramble; }
 
     void authenticate(
-        const String & user_name, std::optional<String> auth_response, Session & session,
+        const String & user_name, Session & session, std::optional<String> auth_response,
         std::shared_ptr<PacketEndpoint> packet_endpoint, bool /* is_secure_connection */, const Poco::Net::SocketAddress & address) override;
 
 private:
@@ -69,7 +70,7 @@ class Sha256Password : public IPlugin
     String getAuthPluginData() override { return scramble; }
 
     void authenticate(
-        const String & user_name, std::optional<String> auth_response, Session & session,
+        const String & user_name, Session & session, std::optional<String> auth_response,
         std::shared_ptr<PacketEndpoint> packet_endpoint, bool is_secure_connection, const Poco::Net::SocketAddress & address) override;
 
 private:

Diff for: src/Core/PostgreSQLProtocol.h

@@ -1,14 +1,11 @@
 #pragma once
 
-#include <Access/AccessControlManager.h>
-#include <Access/User.h>
 #include <functional>
-#include <Interpreters/Session.h>
-#include <Interpreters/Context.h>
 #include <IO/ReadBuffer.h>
 #include <IO/ReadHelpers.h>
 #include <IO/WriteBuffer.h>
 #include <IO/WriteHelpers.h>
+#include <Interpreters/Session.h>
 #include <common/logger_useful.h>
 #include <Poco/Format.h>
 #include <Poco/RegularExpression.h>
@@ -808,8 +805,9 @@ class AuthenticationMethod
         Messaging::MessageTransport & mt,
         const Poco::Net::SocketAddress & address)
     {
-        try {
-            session.setUser(user_name, password, address);
+        try
+        {
+            session.authenticate(user_name, password, address);
         }
         catch (const Exception &)
         {
@@ -841,7 +839,7 @@ class NoPasswordAuth : public AuthenticationMethod
         Messaging::MessageTransport & mt,
         const Poco::Net::SocketAddress & address) override
     {
-        setPassword(user_name, "", session, mt, address);
+        return setPassword(user_name, "", session, mt, address);
     }
 
     Authentication::Type getType() const override
@@ -865,7 +863,7 @@ class CleartextPasswordAuth : public AuthenticationMethod
         if (type == Messaging::FrontMessageType::PASSWORD_MESSAGE)
         {
             std::unique_ptr<Messaging::PasswordMessage> password = mt.receive<Messaging::PasswordMessage>();
-            setPassword(user_name, password->password, session, mt, address);
+            return setPassword(user_name, password->password, session, mt, address);
         }
         else
             throw Exception(
@@ -902,16 +900,7 @@ class AuthenticationManager
         Messaging::MessageTransport & mt,
         const Poco::Net::SocketAddress & address)
     {
-        Authentication::Type user_auth_type;
-        try
-        {
-            user_auth_type = session.getUserAuthentication(user_name).getType();
-        }
-        catch (const std::exception & e)
-        {
-            session.onLogInFailure(user_name, e);
-            throw;
-        }
+        Authentication::Type user_auth_type = session.getAuthenticationType(user_name);
 
         if (type_to_method.find(user_auth_type) != type_to_method.end())
         {

Diff for: src/Dictionaries/ClickHouseDictionarySource.cpp

@@ -255,7 +255,7 @@ void registerDictionarySourceClickHouse(DictionarySourceFactory & factory)
         /// We should set user info even for the case when the dictionary is loaded in-process (without TCP communication).
         if (configuration.is_local)
         {
-            context_copy->setUser(configuration.user, configuration.password, Poco::Net::SocketAddress("127.0.0.1", 0));
+            context_copy->authenticate(configuration.user, configuration.password, Poco::Net::SocketAddress("127.0.0.1", 0));
             context_copy = copyContextAndApplySettings(config_prefix, context_copy, config);
         }
 

Diff for: src/IO/ReadBufferFromFileDescriptor.cpp

@@ -12,6 +12,7 @@
 #include <Common/UnicodeBar.h>
 #include <Common/TerminalSize.h>
 #include <IO/Operators.h>
+#include <IO/Progress.h>
 
 
 namespace ProfileEvents

Diff for: src/Interpreters/Context.cpp

@@ -588,61 +588,52 @@ ConfigurationPtr Context::getUsersConfig()
 }
 
 
-void Context::setUser(const Credentials & credentials, const Poco::Net::SocketAddress & address)
+void Context::authenticate(const String & name, const String & password, const Poco::Net::SocketAddress & address)
 {
-    auto lock = getLock();
+    authenticate(BasicCredentials(name, password), address);
+}
+
+void Context::authenticate(const Credentials & credentials, const Poco::Net::SocketAddress & address)
+{
+    auto authenticated_user_id = getAccessControlManager().login(credentials, address.host());
 
     client_info.current_user = credentials.getUserName();
     client_info.current_address = address;
 
 #if defined(ARCADIA_BUILD)
     /// This is harmful field that is used only in foreign "Arcadia" build.
-    client_info.current_password.clear();
     if (const auto * basic_credentials = dynamic_cast<const BasicCredentials *>(&credentials))
         client_info.current_password = basic_credentials->getPassword();
 #endif
 
-    /// Find a user with such name and check the credentials.
-    auto new_user_id = getAccessControlManager().login(credentials, address.host());
-    auto new_access = getAccessControlManager().getContextAccess(
-        new_user_id, /* current_roles = */ {}, /* use_default_roles = */ true,
-        settings, current_database, client_info);
+    setUser(authenticated_user_id);
+}
+
+void Context::setUser(const UUID & user_id_)
+{
+    auto lock = getLock();
 
-    user_id = new_user_id;
-    access = std::move(new_access);
+    user_id = user_id_;
+
+    access = getAccessControlManager().getContextAccess(
+        user_id_, /* current_roles = */ {}, /* use_default_roles = */ true, settings, current_database, client_info);
 
     auto user = access->getUser();
     current_roles = std::make_shared<std::vector<UUID>>(user->granted_roles.findGranted(user->default_roles));
 
-    if (!user->default_database.empty())
-        setCurrentDatabase(user->default_database);
-
     auto default_profile_info = access->getDefaultProfileInfo();
     settings_constraints_and_current_profiles = default_profile_info->getConstraintsAndProfileIDs();
     applySettingsChanges(default_profile_info->settings);
-}
 
-void Context::setUser(const String & name, const String & password, const Poco::Net::SocketAddress & address)
-{
-    setUser(BasicCredentials(name, password), address);
-}
-
-void Context::setUserWithoutCheckingPassword(const String & name, const Poco::Net::SocketAddress & address)
-{
-    setUser(AlwaysAllowCredentials(name), address);
+    if (!user->default_database.empty())
+        setCurrentDatabase(user->default_database);
 }
 
 std::shared_ptr<const User> Context::getUser() const
 {
     return getAccess()->getUser();
 }
 
-void Context::setQuotaKey(String quota_key_)
-{
-    auto lock = getLock();
-    client_info.quota_key = std::move(quota_key_);
-}
-
 String Context::getUserName() const
 {
     return getAccess()->getUserName();
@@ -655,6 +646,13 @@ std::optional<UUID> Context::getUserID() const
 }
 
 
+void Context::setQuotaKey(String quota_key_)
+{
+    auto lock = getLock();
+    client_info.quota_key = std::move(quota_key_);
+}
+
+
 void Context::setCurrentRoles(const std::vector<UUID> & current_roles_)
 {
     auto lock = getLock();
@@ -736,10 +734,13 @@ ASTPtr Context::getRowPolicyCondition(const String & database, const String & ta
 void Context::setInitialRowPolicy()
 {
     auto lock = getLock();
-    auto initial_user_id = getAccessControlManager().find<User>(client_info.initial_user);
     initial_row_policy = nullptr;
-    if (initial_user_id)
-        initial_row_policy = getAccessControlManager().getEnabledRowPolicies(*initial_user_id, {});
+    if (client_info.initial_user == client_info.current_user)
+        return;
+    auto initial_user_id = getAccessControlManager().find<User>(client_info.initial_user);
+    if (!initial_user_id)
+        return;
+    initial_row_policy = getAccessControlManager().getEnabledRowPolicies(*initial_user_id, {});
 }
 
 
@@ -1180,6 +1181,9 @@ void Context::setCurrentQueryId(const String & query_id)
     }
 
     client_info.current_query_id = query_id_to_set;
+
+    if (client_info.query_kind == ClientInfo::QueryKind::INITIAL_QUERY)
+        client_info.initial_query_id = client_info.current_query_id;
 }
 
 void Context::killCurrentQuery()