Skip to content

Some fixes for LDAP#68355

Merged
Algunenano merged 4 commits intoClickHouse:masterfrom
zvonand:tryfix-65762-again
Sep 20, 2024
Merged

Some fixes for LDAP#68355
Algunenano merged 4 commits intoClickHouse:masterfrom
zvonand:tryfix-65762-again

Conversation

@zvonand
Copy link
Contributor

@zvonand zvonand commented Aug 14, 2024
edited
Loading

Fix heap-use-after-free on DROP of LDAP-related roles (e.g. https://s3.amazonaws.com/clickhouse-test-reports/68355/80b28e33bb3d9fa3e1bbc2b1867086d8cc0a0a70/integration_tests__asan__old_analyzer__[4_6]//home/ubuntu/actions-runner/_work/_temp/test/output_dir/integration_run_parallel1_0.log)

Add missing depends_on in attempt to fix occasional fails of test_ldap_external_user_directory.

Closes #69555, maybe closes #65762

Changelog category (leave one):

  • Critical Bug Fix (crash, LOGICAL_ERROR, data loss, RBAC)

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Fix crash on drop or rename a role that is used in LDAP external user directory

CI Settings (Only check the boxes if you know what you are doing):

  • Allow: All Required Checks
  • Allow: Stateless tests
  • Allow: Stateful tests
  • Allow: Integration Tests
  • Allow: Performance tests
  • Allow: All Builds
  • Allow: batch 1, 2 for multi-batch jobs
  • Allow: batch 3, 4, 5, 6 for multi-batch jobs
  • Exclude: Style check
  • Exclude: Fast test
  • Exclude: All with ASAN
  • Exclude: All with TSAN, MSAN, UBSAN, Coverage
  • Exclude: All with aarch64, release, debug
  • Run only fuzzers related jobs (libFuzzer fuzzers, AST fuzzers, etc.)
  • Exclude: AST fuzzers
  • Do not test
  • Woolen Wolfdog
  • Upload binaries for special builds
  • Disable merge-commit
  • Disable CI cache

@zvonand zvonand marked this pull request as draft August 14, 2024 15:36
@alexey-milovidov alexey-milovidov added 🍃 green ci 🌿 Fixing flaky tests in CI can be tested Allows running workflows for external contributors labels Aug 14, 2024
@robot-clickhouse robot-clickhouse added the pr-not-for-changelog This PR should not be mentioned in the changelog label Aug 16, 2024
@robot-clickhouse-ci-2
Copy link
Contributor

robot-clickhouse-ci-2 commented Aug 16, 2024
edited by robot-ch-test-poll4
Loading

This is an automated comment for commit 68b1e3c with description of existing statuses. It's updated for the latest CI running

✅ Click here to open a full report in a separate page

Successful checks
Check nameDescriptionStatus
AST fuzzerRuns randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help✅ success
BuildsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
ClickBenchRuns [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table✅ success
Compatibility checkChecks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help✅ success
Docker keeper imageThe check to build and optionally push the mentioned image to docker hub✅ success
Docker server imageThe check to build and optionally push the mentioned image to docker hub✅ success
Docs checkBuilds and tests the documentation✅ success
Fast testNormally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here✅ success
Flaky testsChecks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc✅ success
Install packagesChecks that the built packages are installable in a clear environment✅ success
Integration testsThe integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests✅ success
Performance ComparisonMeasure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests✅ success
Stateful testsRuns stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc✅ success
Stateless testsRuns stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc✅ success
Stress testRuns stateless functional tests concurrently from several clients to detect concurrency-related errors✅ success
Style checkRuns a set of checks to keep the code style clean. If some of tests failed, see the related log from the report✅ success
Unit testsRuns the unit tests for different release types✅ success
Upgrade checkRuns stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts✅ success

@zvonand

This comment was marked as outdated.

Sign in to view
@zvonand zvonand force-pushed the tryfix-65762-again branch from dd275c8 to 962c6b2 Compare August 21, 2024 09:55
@zvonand

This comment was marked as outdated.

Sign in to view
@zvonand zvonand mentioned this pull request Aug 26, 2024
Merged
19 tasks
@zvonand zvonand changed the title Try to fix test_ldap_external_user_directory once more Some fixes for LDAP Aug 27, 2024
@zvonand zvonand force-pushed the tryfix-65762-again branch 3 times, most recently from d86b57d to bd38217 Compare September 3, 2024 09:59
@zvonand zvonand force-pushed the tryfix-65762-again branch 4 times, most recently from fdfbd52 to 138de00 Compare September 16, 2024 15:49
@zvonand
wait for ldap on cluster sturtup
80b28e3 
re-run CI

proper cleanup in test
@zvonand zvonand force-pushed the tryfix-65762-again branch 3 times, most recently from 36cb0d8 to 80b28e3 Compare September 18, 2024 13:16
@zvonand zvonand marked this pull request as ready for review September 19, 2024 05:51
@zvonand
Copy link
Contributor Author

zvonand commented Sep 19, 2024
edited
Loading

@alexey-milovidov it makes CI better, fixes a bug and the CI is green 😀
could anyone please take a look?

@Algunenano Algunenano self-assigned this Sep 19, 2024
@zvonand
Copy link
Contributor Author

zvonand commented Sep 19, 2024
edited
Loading

Looks related to #69555, but needs a closer look whether it fixes it

I saw similar behavior on drop role

Algunenano
Algunenano reviewed Sep 19, 2024
View reviewed changes
src/Access/LDAPAccessStorage.cpp
@@ -128,7 +128,7 @@ void LDAPAccessStorage::processRoleChange(const UUID & id, const AccessEntityPtr
{
if (it != granted_role_names.end()) // Removed a granted role.
{
Copy link
Member

@Algunenano Algunenano Sep 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A comment with an explanation would be nice. The problem is that it->second is a reference to an object held by granted_role_names. Then in applyRoleChangeNoLock we first remove the object from granted_role_names, then try to remove the name from granted_role_ids but we are using the reference that has been just destroyed.

This problem also happens a few lines above with RENAME (L118), which should be adjusted too.

It seems this API is really error prone. Could we improve it instead?

Copy link
Contributor Author

@zvonand zvonand Sep 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this API is really error prone

What API do you mean?

Copy link
Member

@Algunenano Algunenano Sep 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean the function definition (void LDAPAccessStorage::applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name)) and how it's used to remove roles. You need to know exactly how things are destroyed and how to manage the lifetime of the iterator, which seems suboptimal.

Copy link
Contributor Author

@zvonand zvonand Sep 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, pushed an update

@Algunenano Algunenano mentioned this pull request Sep 19, 2024
Closed
@Algunenano Algunenano added pr-critical-bugfix and removed pr-not-for-changelog This PR should not be mentioned in the changelog labels Sep 19, 2024
@zvonand
Copy link
Contributor Author

zvonand commented Sep 20, 2024

@Algunenano tests are all green

@Algunenano Algunenano added this pull request to the merge queue Sep 20, 2024
Merged via the queue into ClickHouse:master with commit 993888e Sep 20, 2024
@robot-clickhouse robot-clickhouse added the pr-synced-to-cloud The PR is synced to the cloud repo label Sep 20, 2024
@zvonand zvonand deleted the tryfix-65762-again branch September 20, 2024 09:49
@antaljanosbenjamin antaljanosbenjamin mentioned this pull request Oct 4, 2024
Closed
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 13, 2024
@Algunenano @zvonand
Merge pull request ClickHouse#68355 from zvonand/tryfix-65762-again
d7476e0 
Some fixes for LDAP
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 13, 2024
@Algunenano @zvonand
Merge pull request ClickHouse#68355 from zvonand/tryfix-65762-again
d3dedac 
Some fixes for LDAP
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 17, 2024
@Algunenano @zvonand
Merge pull request ClickHouse#68355 from zvonand/tryfix-65762-again
19481de 
Some fixes for LDAP
@zvonand zvonand mentioned this pull request Dec 19, 2024
Merged
Enmk pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 22, 2024
@Algunenano @Enmk
Merge pull request ClickHouse#68355 from zvonand/tryfix-65762-again
2c94409 
Some fixes for LDAP
This was referenced Jan 24, 2025
Merged
Merged
This was referenced Feb 18, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Algunenano Algunenano Algunenano left review comments

Assignees

@Algunenano Algunenano

Labels

can be tested Allows running workflows for external contributors 🍃 green ci 🌿 Fixing flaky tests in CI pr-critical-bugfix pr-synced-to-cloud The PR is synced to the cloud repo

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Crash with ldap on 24.8.4.13 (current latest) Tests test_ldap_external_user_directory occasionally flaky

5 participants

@zvonand @robot-clickhouse-ci-2 @Algunenano @alexey-milovidov @robot-clickhouse