Passing external user roles from query originator to other nodes #70332

Merged
pufit merged 7 commits into ClickHouse:master from zvonand:ldap-remote-roles
Nov 19, 2024

@zvonand zvonand commented Oct 3, 2024

Revive #42537. Closes #34130

Protocol version number to be reviewed right before merge

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Push external user roles from query originator to other nodes in cluster. Helpful when only originator has access to the external authenticator (like LDAP).

@pufit pufit self-assigned this Oct 4, 2024
@pufit pufit added the can be tested Allows running workflows for external contributors label Oct 4, 2024
@robot-ch-test-poll1 robot-ch-test-poll1 added the pr-feature Pull request with new product feature label Oct 4, 2024
robot-ch-test-poll3 commented Oct 4, 2024

This is an automated comment for commit e785bb9 with description of existing statuses. It's updated for the latest CI running

Successful checks
| Check name | Description | Status |
|---|---|---|
| AST fuzzer | Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help | ✅ success |
| Builds | There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS | ✅ success |
| ClickBench | Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table | ✅ success |
| Compatibility check | Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help | ✅ success |
| Docker keeper image | The check to build and optionally push the mentioned image to docker hub | ✅ success |
| Docker server image | The check to build and optionally push the mentioned image to docker hub | ✅ success |
| Docs check | Builds and tests the documentation | ✅ success |
| Fast test | Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here | ✅ success |
| Flaky tests | Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc | ✅ success |
| Install packages | Checks that the built packages are installable in a clear environment | ✅ success |
| Integration tests | The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests | ✅ success |
| Performance Comparison | Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests | ✅ success |
| Stateful tests | Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ✅ success |
| Stateless tests | Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ✅ success |
| Stress test | Runs stateless functional tests concurrently from several clients to detect concurrency-related errors | ✅ success |
| Style check | Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report | ✅ success |
| Unit tests | Runs the unit tests for different release types | ✅ success |
| Upgrade check | Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts | ✅ success |

@zvonand zvonand force-pushed the ldap-remote-roles branch 21 times, most recently from ade231c to 0350d19 Compare October 9, 2024 19:22
@alexey-milovidov (Member)

@zvonand a test for LDAP has failed: https://s3.amazonaws.com/clickhouse-test-reports/70660/75916285535e3855b62ed481661613e3eef2fbe0/integration_tests__aarch64__[5_6].html

@zvonand

This comment was marked as outdated.

zvonand commented Nov 19, 2024

@pufit the only fail is CH Inc sync -- I have no power here

@pufit pufit added this pull request to the merge queue Nov 19, 2024
Merged via the queue into ClickHouse:master with commit 07be02d Nov 19, 2024
@robot-ch-test-poll1 robot-ch-test-poll1 added the pr-synced-to-cloud The PR is synced to the cloud repo label Nov 20, 2024
@zvonand zvonand deleted the ldap-remote-roles branch November 20, 2024 14:41
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 3, 2024
Passing external user roles from query originator to other nodes
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 3, 2024
Passing external user roles from query originator to other nodes
{"filesystem_cache_prefer_bigger_buffer_size", true, true, "New setting"},
{"read_in_order_use_virtual_row", false, false, "Use virtual row while reading in order of primary key or its monotonic function fashion. It is useful when searching over multiple parts as only relevant ones are touched."},
{"filesystem_cache_boundary_alignment", 0, 0, "New setting"},
{"push_external_roles_in_interserver_queries", false, false, "New setting."},
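Review bot: In the `push_external_roles_in_interserver_queries` entry, the description string is "New setting." with a trailing period, while the two neighbouring new-setting entries use "New setting"; drop the period for consistency. Both default columns in this entry are `false`, so also confirm that value against the default the setting is declared with, since this history line is the only record of it visible here.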
Member

This does not match the default value in Settings.cpp.

zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 13, 2024
Passing external user roles from query originator to other nodes
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 17, 2024
Passing external user roles from query originator to other nodes
Enmk pushed a commit to Altinity/ClickHouse that referenced this pull request Dec 22, 2024
Passing external user roles from query originator to other nodes
Enmk added a commit to Altinity/ClickHouse that referenced this pull request Jan 21, 2025
24.8 Backport of ClickHouse#70332 - Passing external user roles from query originator to other nodes
@pavel2619

Good afternoon!
Is there a mistake in transferring external roles here?
src/Interpreters/Context.cpp

```cpp
void Context::setExternalRolesWithLock(const std::vector & new_external_roles, const std::lock_guard &)
{
    if (!new_external_roles.empty())
    {
        if (current_roles)
            current_roles->insert(current_roles->end(), new_external_roles.begin(), new_external_roles.end());
        else
            current_roles = std::make_shared<std::vector>(new_external_roles);
        need_recalculate_access = true;
    }
}
```

Maybe there should be external_roles instead of current_roles?

I replaced it and rebuilt ClickHouse, and this functionality is working and roles were transferred when querying the distributed table.
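
A simplified model of the question raised in the comment above, as an added example (not ClickHouse code and not the commenter's patch). `ToyContext`, its methods and the role names are hypothetical, and the role-switch and union behaviour are assumptions of the model; it contrasts appending pushed roles to `current_roles` with keeping them in a separate `external_roles` field.

```cpp
#include <algorithm>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Toy model: ToyContext, its methods and the role names are hypothetical, not ClickHouse code.
using Roles = std::vector<std::string>;
struct ToyContext
{
    std::shared_ptr<Roles> current_roles;   // roles selected on this node
    std::shared_ptr<Roles> external_roles;  // roles pushed by the query originator
    // Same shape as the quoted snippet: pushed roles are appended to current_roles.
    void setExternalMerged(const Roles & pushed)
    {
        if (pushed.empty()) return;
        if (current_roles) current_roles->insert(current_roles->end(), pushed.begin(), pushed.end());
        else current_roles = std::make_shared<Roles>(pushed);
    }
    // Variant the comment asks about: pushed roles are kept in their own field.
    void setExternalSeparate(const Roles & pushed) { if (!pushed.empty()) external_roles = std::make_shared<Roles>(pushed); }
    // Assumption of the model: a later role switch replaces current_roles wholesale.
    void setCurrentRoles(const Roles & roles) { current_roles = std::make_shared<Roles>(roles); }
    // Assumption of the model: access is computed from the de-duplicated union of both lists.
    Roles effectiveRoles() const
    {
        Roles out;
        for (const auto & src : {current_roles, external_roles})
            if (src) out.insert(out.end(), src->begin(), src->end());
        std::sort(out.begin(), out.end());
        out.erase(std::unique(out.begin(), out.end()), out.end());
        return out;
    }
};

// Constructed scenario: select a local role, then receive the same pushed role twice.
ToyContext scenario(bool separate)
{
    ToyContext ctx;
    ctx.setCurrentRoles({"local_reader"});
    for (int i = 0; i < 2; ++i)
        if (separate) ctx.setExternalSeparate({"ldap_analyst"});
        else ctx.setExternalMerged({"ldap_analyst"});
    return ctx;
}
int main()
{
    for (bool separate : {false, true})
        std::cout << (separate ? "separate: " : "merged: ") << scenario(separate).current_roles->size() << " current role entries\n";
}
```

In the merged variant the pushed role is duplicated on the second call and can no longer be told apart from locally selected roles; in the separate variant its origin stays visible and it survives a later change of `current_roles`.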

@zvonand zvonand changed the title Passing external user roles from query originator to other nodes Passing external user roles from query originator to other nodes (and better test) Apr 14, 2025
@zvonand zvonand changed the title Passing external user roles from query originator to other nodes (and better test) Passing external user roles from query originator to other nodes Apr 14, 2025
Labels

can be tested Allows running workflows for external contributors pr-feature Pull request with new product feature pr-synced-to-cloud The PR is synced to the cloud repo

Development

Successfully merging this pull request may close these issues.

LDAP: authentication with configured role mapping fails on a cluster with a secret

7 participants