TLS client authentication does not work over HTTPS #1273

Closed
9 tasks
ekpdt opened this issue Apr 12, 2024 · 1 comment

ekpdt commented Apr 12, 2024

Observed

  1. Create an HTTPS port on the ClickHouse server
  2. Create a user identified by ssl_certificate
  3. Attempt to log in with that user via clickhouse-go
  4. Authentication fails

Expected behaviour

Authentication should succeed.

Diagnosis

ClickHouse expects the X-ClickHouse-SSL-Certificate-Auth header (https://github.com/ClickHouse/ClickHouse/blob/6fa57b9d7d1df3db81d4adfd0ad5b238301c2530/src/Server/HTTPHandler.cpp#L359), but clickhouse-go does not set it:

headers["X-ClickHouse-Key"] = opt.Auth.Password

Therefore, ClickHouse attempts password authentication and fails.

Code example

Create a tls.Config.Certificates containing the client cert as done here:
https://github.com/grafana/clickhouse-datasource/blob/fe4bc357b62f015944bacb72acd64460b1f624b7/pkg/plugin/driver.go#L52

Error log

clickhouse 2024.04.05 17:34:41.706636 [ 24887 ] {} <Error> Access(user directories): from: 172.30.54.128, user: foo_user: Authentication failed: Code: 36. DB::Exception: Credentials required. (BAD_ARGUMENTS), Stack trace (when copying this message, always include the lines below):
clickhouse                                                                                                                                                                                                                                          
clickhouse 0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x000000000c7faf9b in /usr/bin/clickhouse                                                                                                                       
clickhouse 1. DB::Authentication::Require<DB::BasicCredentials>::Require(String const&) @ 0x00000000103479f1 in /usr/bin/clickhouse                                                                                                                 
clickhouse 2. DB::Authentication::areCredentialsValid(DB::Credentials const&, DB::AuthenticationData const&, DB::ExternalAuthenticators const&, DB::SettingsChanges&) @ 0x0000000010347814 in /usr/bin/clickhouse                                   
clickhouse 3. DB::IAccessStorage::authenticateImpl(DB::Credentials const&, Poco::Net::IPAddress const&, DB::ExternalAuthenticators const&, bool, bool, bool) const @ 0x00000000103428d7 in /usr/bin/clickhouse                                      
clickhouse 4. DB::MultipleAccessStorage::authenticateImpl(DB::Credentials const&, Poco::Net::IPAddress const&, DB::ExternalAuthenticators const&, bool, bool, bool) const @ 0x000000001037986a in /usr/bin/clickhouse                               
clickhouse 5. DB::AccessControl::authenticate(DB::Credentials const&, Poco::Net::IPAddress const&) const @ 0x00000000102b4980 in /usr/bin/clickhouse                                                                                                
clickhouse 6. DB::Session::authenticate(DB::Credentials const&, Poco::Net::SocketAddress const&) @ 0x000000001169d1e3 in /usr/bin/clickhouse                                                                                                        
clickhouse 7. DB::HTTPHandler::authenticateUser(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&) @ 0x00000000128a6c61 in /usr/bin/clickhouse                                                                                         
clickhouse 8. DB::HTTPHandler::processQuery(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&, DB::HTTPHandler::Output&, std::optional<DB::CurrentThread::QueryScope>&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x00000000128a84e1 in /usr/bin/clickhouse
clickhouse 9. DB::HTTPHandler::handleRequest(DB::HTTPServerRequest&, DB::HTTPServerResponse&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x00000000128b0ad0 in /usr/bin/clickhouse                                             
clickhouse 10. DB::HTTPServerConnection::run() @ 0x000000001292ec7a in /usr/bin/clickhouse                                                                                                                                                          
clickhouse 11. Poco::Net::TCPServerConnection::start() @ 0x0000000015398172 in /usr/bin/clickhouse                                                                                                                                                  
clickhouse 12. Poco::Net::TCPServerDispatcher::run() @ 0x0000000015398f71 in /usr/bin/clickhouse                                                                                                                                                    
clickhouse 13. Poco::PooledThread::run() @ 0x0000000015491747 in /usr/bin/clickhouse                                                                                                                                                                
clickhouse 14. Poco::ThreadImpl::runnableEntry(void*) @ 0x000000001548fd7d in /usr/bin/clickhouse                                                                                                                                                   
clickhouse 15. ? @ 0x00007f3e650fc609                                                                                                                                                                                                               
clickhouse 16. ? @ 0x00007f3e65021353                                                                                                                                                                                                               
clickhouse  (version 24.1.5.6 (official build))                                                                                                                                                                                                     
clickhouse 2024.04.05 17:34:41.706760 [ 24887 ] {} <Error> DynamicQueryHandler: Code: 516. DB::Exception: foo_user: Authentication failed: password is incorrect, or there is no user with such name. (AUTHENTICATION_FAILED), Stack trace (when copying this message, always include the lines below):
clickhouse                                                                                                                                                                                                                                          
clickhouse 0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x000000000c7faf9b in /usr/bin/clickhouse                                                                                                                       
clickhouse 1. DB::Exception::Exception(PreformattedMessage&&, int) @ 0x00000000072fffcc in /usr/bin/clickhouse                                                                                                                                      
clickhouse 2. DB::AccessControl::authenticate(DB::Credentials const&, Poco::Net::IPAddress const&) const @ 0x00000000102b4c54 in /usr/bin/clickhouse                                                                                                
clickhouse 3. DB::Session::authenticate(DB::Credentials const&, Poco::Net::SocketAddress const&) @ 0x000000001169d1e3 in /usr/bin/clickhouse                                                                                                        
clickhouse 4. DB::HTTPHandler::authenticateUser(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&) @ 0x00000000128a6c61 in /usr/bin/clickhouse                                                                                         
clickhouse 5. DB::HTTPHandler::processQuery(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&, DB::HTTPHandler::Output&, std::optional<DB::CurrentThread::QueryScope>&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x00000000128a84e1 in /usr/bin/clickhouse
clickhouse 6. DB::HTTPHandler::handleRequest(DB::HTTPServerRequest&, DB::HTTPServerResponse&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x00000000128b0ad0 in /usr/bin/clickhouse                                             
clickhouse 7. DB::HTTPServerConnection::run() @ 0x000000001292ec7a in /usr/bin/clickhouse                                                                                                                                                           
clickhouse 8. Poco::Net::TCPServerConnection::start() @ 0x0000000015398172 in /usr/bin/clickhouse                                                                                                                                                   
clickhouse 9. Poco::Net::TCPServerDispatcher::run() @ 0x0000000015398f71 in /usr/bin/clickhouse                                                                                                                                                     
clickhouse 10. Poco::PooledThread::run() @ 0x0000000015491747 in /usr/bin/clickhouse                                                                                                                                                                
clickhouse 11. Poco::ThreadImpl::runnableEntry(void*) @ 0x000000001548fd7d in /usr/bin/clickhouse                                                                                                                                                   
clickhouse 12. ? @ 0x00007f3e650fc609                                                                                                                                                                                                               
clickhouse 13. ? @ 0x00007f3e65021353                                                                                                                                                                                                               
clickhouse  (version 24.1.5.6 (official build)) 


Environment

  • clickhouse-go version: v2.21.1
  • Interface: database/sql compatible driver
  • Go version: 1.21
  • Operating system: Linux
  • ClickHouse version: 24.1
  • Is it a ClickHouse Cloud? N
  • ClickHouse Server non-default settings, if any: N
  • CREATE TABLE statements for tables involved: N/A
  • Sample data for all these tables, use clickhouse-obfuscator if necessary: N/A
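
The header selection that the Diagnosis above points to, as an added Go sketch; it is not clickhouse-go's code and not the linked PR. `authHeaders`, `hasClientCert` and `serverAuthPath` are hypothetical names, the empty-password rule is an assumption of this sketch, and `serverAuthPath` is only a simplified model of the server-side branch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// X-ClickHouse-Key and X-ClickHouse-SSL-Certificate-Auth are named in the issue;
// X-ClickHouse-User and the value "on" follow ClickHouse's HTTP interface docs.
const (
	hdrUser     = "X-ClickHouse-User"
	hdrKey      = "X-ClickHouse-Key"
	hdrCertAuth = "X-ClickHouse-SSL-Certificate-Auth"
)

// hasClientCert reports whether cfg can present a client certificate.
func hasClientCert(cfg *tls.Config) bool {
	return cfg != nil && (len(cfg.Certificates) > 0 || cfg.GetClientCertificate != nil)
}

// authHeaders (hypothetical) picks the auth headers. Assumption: client cert plus
// empty password means certificate auth; a non-empty password keeps password auth.
func authHeaders(user, password string, cfg *tls.Config) (http.Header, error) {
	if user == "" {
		return nil, fmt.Errorf("user name is required")
	}
	h := http.Header{}
	h.Set(hdrUser, user)
	if hasClientCert(cfg) && password == "" {
		h.Set(hdrCertAuth, "on")
	} else {
		h.Set(hdrKey, password)
	}
	return h, nil
}

// serverAuthPath: simplified model of the branch described in the Diagnosis.
func serverAuthPath(h http.Header) string {
	if h.Get(hdrCertAuth) == "on" {
		return "ssl_certificate"
	}
	return "password"
}

func main() {
	h, err := authHeaders("foo_user", "", &tls.Config{Certificates: []tls.Certificate{{}}})
	fmt.Println(serverAuthPath(h), err) // constructed empty certificate as placeholder
}
```

Keeping the password path when a password is supplied means a client certificate used only for transport-level mTLS does not silently change how the user is authenticated.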

gogingersnap777 (Contributor) commented

@jkaflik I believe the linked PR removes the unnecessary checks.

jkaflik closed this as completed Aug 23, 2024