Backport #94617 to 25.11: Fix permission issues in BACKUP/RESTORE operations

robot-clickhouse · robot-clickhouse · commit 45d7b7b53c23 · 2026-01-22T10:18:20.000Z
diff --git a/src/Backups/BackupsWorker.cpp b/src/Backups/BackupsWorker.cpp
@@ -61,6 +61,7 @@ namespace DB
 
 namespace Setting
 {
+    extern const SettingsUInt64 readonly;
     extern const SettingsBool s3_disable_checksum;
 }
 
@@ -71,6 +72,7 @@ namespace ServerSetting
 
 namespace ErrorCodes
 {
+    extern const int ACCESS_DENIED;
     extern const int BAD_ARGUMENTS;
     extern const int LOGICAL_ERROR;
     extern const int QUERY_WAS_CANCELLED;
@@ -390,6 +392,12 @@ struct BackupsWorker::BackupStarter
         backup_info = BackupInfo::fromAST(*backup_query->backup_name);
         backup_name_for_logging = backup_info.toStringForLogging();
         is_internal_backup = backup_settings.internal;
+
+        /// The "internal" option can only be used by a query that was initiated by another query (e.g., ON CLUSTER query).
+        /// It should not be allowed for an initial query explicitly specified by a user.
+        if (is_internal_backup && (query_context->getClientInfo().query_kind == ClientInfo::QueryKind::INITIAL_QUERY))
+            throw Exception(ErrorCodes::ACCESS_DENIED, "Setting 'internal' cannot be set explicitly");
+
         on_cluster = !backup_query->cluster.empty() || is_internal_backup;
 
         if (!backup_settings.backup_uuid)
@@ -462,14 +470,25 @@ struct BackupsWorker::BackupStarter
             cluster = backup_context->getCluster(backup_query->cluster);
             backup_settings.cluster_host_ids = cluster->getHostIDs();
         }
+
+        /// Check access rights before opening the backup destination (e.g., S3).
+        /// This ensures we fail fast with a proper ACCESS_DENIED error instead of trying to connect to external storage first.
+        /// For ON CLUSTER queries, access rights are checked in executeDDLQueryOnCluster() before distributing the query.
+        if (!on_cluster)
+        {
+            backup_query->setCurrentDatabase(backup_context->getCurrentDatabase());
+            auto required_access = BackupUtils::getRequiredAccessToBackup(backup_query->elements);
+            query_context->checkAccess(required_access);
+        }
+
         chassert(backup_settings.data_file_name_prefix_length);
         backup_coordination = backups_worker.makeBackupCoordination(on_cluster, backup_settings, backup_context);
         backup_coordination->startup();
 
         chassert(!backup);
         backup = backups_worker.openBackupForWriting(backup_info, backup_settings, backup_coordination, backup_context);
 
-        backups_worker.doBackup(backup, backup_query, backup_id, backup_settings, backup_coordination, backup_context, query_context,
+        backups_worker.doBackup(backup, backup_query, backup_id, backup_settings, backup_coordination, backup_context,
                                 on_cluster, cluster);
 
         if (!is_internal_backup)
@@ -621,7 +640,6 @@ void BackupsWorker::doBackup(
     const BackupSettings & backup_settings,
     std::shared_ptr<IBackupCoordination> backup_coordination,
     ContextMutablePtr context,
-    const ContextPtr & query_context,
     bool on_cluster,
     const ClusterPtr & cluster)
 {
@@ -636,17 +654,13 @@ void BackupsWorker::doBackup(
 
     bool is_internal_backup = backup_settings.internal;
 
-    /// Checks access rights if this is not ON CLUSTER query.
-    /// (If this is ON CLUSTER query executeDDLQueryOnCluster() will check access rights later.)
-    auto required_access = BackupUtils::getRequiredAccessToBackup(backup_query->elements);
-    if (!on_cluster)
-        query_context->checkAccess(required_access);
-
     maybeSleepForTesting();
 
     /// Write the backup.
     if (on_cluster && !is_internal_backup)
     {
+        auto required_access = BackupUtils::getRequiredAccessToBackup(backup_query->elements);
+
         /// Send the BACKUP query to other hosts.
         backup_settings.copySettingsToQuery(*backup_query);
         sendQueryToOtherHosts(*backup_query, cluster, backup_settings.shard_num, backup_settings.replica_num,
@@ -847,6 +861,19 @@ struct BackupsWorker::RestoreStarter
         backup_info = BackupInfo::fromAST(*restore_query->backup_name);
         backup_name_for_logging = backup_info.toStringForLogging();
         is_internal_restore = restore_settings.internal;
+
+        /// The "internal" option can only be used by a query that was initiated by another query (e.g., ON CLUSTER query).
+        /// It should not be allowed for an initial query explicitly specified by a user.
+        if (is_internal_restore && (query_context->getClientInfo().query_kind == ClientInfo::QueryKind::INITIAL_QUERY))
+            throw Exception(ErrorCodes::ACCESS_DENIED, "Setting 'internal' cannot be set explicitly");
+
+        /// RESTORE is a write operation, it should be forbidden in strict readonly mode (readonly=1).
+        /// Note: readonly=2 allows changing settings but still restricts writes - however it's set automatically
+        /// by the HTTP interface for GET requests (to protect against accidental writes), so we only block readonly=1
+        /// which is explicitly set by the user to enforce read-only mode.
+        if (query_context->getSettingsRef()[Setting::readonly] == 1)
+            throw Exception(ErrorCodes::ACCESS_DENIED, "Cannot execute RESTORE in readonly mode");
+
         on_cluster = !restore_query->cluster.empty() || is_internal_restore;
 
         if (!restore_settings.restore_uuid)
diff --git a/src/Backups/BackupsWorker.h b/src/Backups/BackupsWorker.h
@@ -89,7 +89,6 @@ class BackupsWorker
         const BackupSettings & backup_settings,
         std::shared_ptr<IBackupCoordination> backup_coordination,
         ContextMutablePtr context,
-        const ContextPtr & query_context,
         bool on_cluster,
         const ClusterPtr & cluster);
 
diff --git a/tests/queries/0_stateless/03799_backup_restore_security.reference b/tests/queries/0_stateless/03799_backup_restore_security.reference
@@ -0,0 +1,2 @@
+Test 1 OK
+0
diff --git a/tests/queries/0_stateless/03799_backup_restore_security.sh b/tests/queries/0_stateless/03799_backup_restore_security.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# Test for security fixes related to BACKUP and RESTORE operations:
+# 1. RESTORE should be forbidden in readonly mode
+# 2. The 'internal' setting should not be allowed for initial queries
+# 3. Permission check should happen before backup destination is opened (e.g., S3 connection)
+#
+# All tests use fake S3 URLs with invalid credentials. Since all security checks happen
+# before any connection attempt, we should always get ACCESS_DENIED errors, not S3 errors.
+# We set backup_restore_s3_retry_attempts=0 to avoid retries on connection failure
+# when running against a version without the fix.
+
+CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CURDIR"/../shell_config.sh
+
+backup_name="${CLICKHOUSE_DATABASE}_03799_backup_security"
+user_name="test_03799_user_${CLICKHOUSE_DATABASE}"
+
+function cleanup()
+{
+    $CLICKHOUSE_CLIENT -q "DROP TABLE IF EXISTS test_backup_security"
+    $CLICKHOUSE_CLIENT -q "DROP TABLE IF EXISTS test_restored"
+    $CLICKHOUSE_CLIENT -q "DROP USER IF EXISTS $user_name"
+}
+trap cleanup EXIT
+
+$CLICKHOUSE_CLIENT -q "
+DROP TABLE IF EXISTS test_backup_security;
+CREATE TABLE test_backup_security (id Int32) ENGINE=MergeTree() ORDER BY id;
+INSERT INTO test_backup_security VALUES (1), (2), (3);
+"
+
+# Test 1: RESTORE should be forbidden in readonly mode
+# The readonly check happens before any backup destination is accessed.
+# We use CLICKHOUSE_CLIENT_BINARY directly to avoid test framework injecting settings that conflict with readonly mode.
+$CLICKHOUSE_CLIENT --readonly=1 --backup_restore_s3_retry_attempts=0 -q "RESTORE TABLE test_backup_security AS test_restored FROM S3('http://localhost:11111/test/backups/${backup_name}', 'INVALID_ACCESS_KEY', 'INVALID_SECRET')" 2>&1 | grep -q "ACCESS_DENIED" && echo "Test 1 OK" || echo "Test 1 FAIL"
+# Verify that the table was not created
+$CLICKHOUSE_CLIENT -q "SELECT count() FROM system.tables WHERE database = currentDatabase() AND name = 'test_restored'"
+
+# Test 2: The 'internal' setting should not be allowed for initial BACKUP query
+# This check happens before any connection attempt.
+$CLICKHOUSE_CLIENT -m -q "
+BACKUP TABLE test_backup_security TO S3('http://localhost:11111/test/backups/${backup_name}_internal', 'INVALID_ACCESS_KEY', 'INVALID_SECRET') SETTINGS internal=1, backup_restore_s3_retry_attempts=0; -- { serverError ACCESS_DENIED }
+"
+
+# Test 3: The 'internal' setting should not be allowed for initial RESTORE query
+# This check happens before any connection attempt.
+$CLICKHOUSE_CLIENT -m -q "
+RESTORE TABLE test_backup_security AS test_restored FROM S3('http://localhost:11111/test/backups/${backup_name}', 'INVALID_ACCESS_KEY', 'INVALID_SECRET') SETTINGS internal=1, backup_restore_s3_retry_attempts=0; -- { serverError ACCESS_DENIED }
+"
+
+# Test 4: User without BACKUP permission should get ACCESS_DENIED (not S3_ERROR)
+# This tests that permission check happens before opening backup destination.
+# We use S3 with invalid credentials - if we get ACCESS_DENIED instead of S3_ERROR,
+# it proves the permission check happens before attempting to connect to S3.
+$CLICKHOUSE_CLIENT -q "DROP USER IF EXISTS $user_name"
+$CLICKHOUSE_CLIENT -q "CREATE USER $user_name"
+$CLICKHOUSE_CLIENT -q "GRANT SELECT ON ${CLICKHOUSE_DATABASE}.test_backup_security TO $user_name"
+# User has SELECT but not BACKUP permission - should get ACCESS_DENIED, not S3_ERROR
+$CLICKHOUSE_CLIENT --user=$user_name -m -q "
+BACKUP TABLE test_backup_security TO S3('http://localhost:11111/test/backups/${CLICKHOUSE_DATABASE}/no_permission_backup', 'INVALID_ACCESS_KEY', 'INVALID_SECRET') SETTINGS backup_restore_s3_retry_attempts=0; -- { serverError ACCESS_DENIED }
+"
+$CLICKHOUSE_CLIENT -q "DROP USER IF EXISTS $user_name"
