[CANCELED] Ability to preserve user for distributed queries#11391
[CANCELED] Ability to preserve user for distributed queries#11391azat wants to merge 4 commits intoClickHouse:masterfrom
Conversation
64e2cf4 to
586c3b3
Compare
|
It doesn't look good in some cases.
Also, it's won't work, if we implement any other authentication options. So it may be a temporary solution for now. My suggestion is to put this behavior behind config option like |
abyss7
left a comment
There was a problem hiding this comment.
Put the new behavior under some config option.
abyss7
left a comment
There was a problem hiding this comment.
Also you should make sure, that a raw password isn't stored in RAM on the long-term basis, i.e. it should be sent to remote and then erased immediately from memory.
This PR does not changes this, am I missing something?
Agree, backward compatibility should be defined.
Yes, and like @filimonov noted that there can be some issues for kerberos/LDAP (since they requires some keys IIRC).
But it is already stored in the Actually there is another way to go, suggested by @filimonov in #9751 |
Yes, but AFAIK current implementation never re-sends passwords.
Actually yes, so it's not getting worse.
Do you plan to continue this PR anyway, or will postpone it? |
Sure, I will continue (marked as draft to avoid attracting extra attention until it will be reworked/fixed) Right now I have two options:
Proxy user does not have mentioned limitations, but it looks a little bit oversized for this kind of support, I guess I will try it and see how it will looks eventually |
Actually the same thing is used in |
| /// A: Don't think so, since the user should be same for subsequent queries. | ||
| if (current_user != new_current_user) | ||
| { | ||
| current_user = new_current_user; |
There was a problem hiding this comment.
Also this is not the only place where the connection will be established, another one in ConnectionPoolWithFailover->getServerRevision, and during this it may use stalled current_user user
(gdb) bt
0 DB::Connection::connect (this=0x7f7b09ab1118, timeouts=...) at ../src/Client/Connection.cpp:89
1 0x000000000e219675 in DB::Connection::getServerRevision (this=0x7f7b09ab1118, timeouts=...) at ../src/Client/Connection.cpp:286
2 0x000000000e22fac3 in DB::ConnectionPoolWithFailover::tryGetEntry (this=0x7f791fcff258, pool=..., timeouts=..., fail_message=...,
settings=0x7f74adecf3b0, table_to_check=0x7f787e5b4bb0) at ../src/Client/ConnectionPoolWithFailover.cpp:232
3 0x000000000e230856 in DB::ConnectionPoolWithFailover::<>::operator() () at ../src/Client/ConnectionPoolWithFailover.cpp:153
...
9 std::__1::function<PoolWithFailoverBase<DB::IConnectionPool>::TryResult ()>::operator()() const () at ../contrib/libcxx/include/functional:2473
10 PoolWithFailoverBase<DB::IConnectionPool>::getMany() () at ../src/Common/PoolWithFailoverBase.h:225
11 0x000000000e230b8b in DB::ConnectionPoolWithFailover::getManyImpl() () at ../src/Client/ConnectionPoolWithFailover.cpp:211
12 0x000000000e23129f in DB::ConnectionPoolWithFailover::getManyChecked () at ../src/Client/ConnectionPoolWithFailover.cpp:156
13 0x000000000d6759b3 in DB::RemoteQueryExecutor::<lambda()>::operator() () at ../src/Interpreters/StorageID.h:77
...
20 DB::RemoteQueryExecutor::sendQuery (this=0x7f74adecf020) at ../src/DataStreams/RemoteQueryExecutor.cpp:149
...
46 0x00007f7b22308fb7 in start_thread (arg=<optimized out>) at pthread_create.c:486
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Preserve initial_user for Distributed queries if user was not specified in remote_servers
Fixes: #6843