Backport #72759 to 24.11: Fix #72756 (exception in RemoteQueryExecutor when user does not exist locally)

robot-clickhouse · robot-clickhouse · commit f6804a8fb486 · 2024-12-06T19:06:50.000Z
diff --git a/src/Core/SettingsChangesHistory.cpp b/src/Core/SettingsChangesHistory.cpp
@@ -88,7 +88,7 @@ static std::initializer_list<std::pair<ClickHouseVersion, SettingsChangesHistory
             {"read_in_order_use_virtual_row", false, false, "Use virtual row while reading in order of primary key or its monotonic function fashion. It is useful when searching over multiple parts as only relevant ones are touched."},
             {"s3_skip_empty_files", false, true, "We hope it will provide better UX"},
             {"filesystem_cache_boundary_alignment", 0, 0, "New setting"},
-            {"push_external_roles_in_interserver_queries", false, false, "New setting."},
+            {"push_external_roles_in_interserver_queries", false, true, "New setting."},
             {"enable_variant_type", false, false, "Add alias to allow_experimental_variant_type"},
             {"enable_dynamic_type", false, false, "Add alias to allow_experimental_dynamic_type"},
             {"enable_json_type", false, false, "Add alias to allow_experimental_json_type"},
diff --git a/src/QueryPipeline/RemoteQueryExecutor.cpp b/src/QueryPipeline/RemoteQueryExecutor.cpp
@@ -407,7 +407,7 @@ void RemoteQueryExecutor::sendQueryUnlocked(ClientInfo::QueryKind query_kind, As
     std::vector<String> local_granted_roles;
     if (context->getSettingsRef()[Setting::push_external_roles_in_interserver_queries] && !modified_client_info.initial_user.empty())
     {
-        auto user = context->getAccessControl().read<User>(modified_client_info.initial_user, true);
+        auto user = context->getAccessControl().read<User>(modified_client_info.initial_user, false);
         boost::container::flat_set<String> granted_roles;
         if (user)
         {
diff --git a/tests/integration/test_ldap_external_user_directory/test.py b/tests/integration/test_ldap_external_user_directory/test.py
@@ -183,3 +183,24 @@ def test_push_role_to_other_nodes(ldap_cluster):
     instance2.query("DROP ROLE IF EXISTS role_read")
 
     delete_ldap_group(ldap_cluster, group_cn="clickhouse-role_read")
+
+
+def test_remote_query_user_does_not_exist_locally(ldap_cluster):
+    """
+    Check that even if user does not exist locally, using it to execute remote queries is still possible
+    """
+    instance2.query("DROP USER IF EXISTS non_local")
+    instance2.query("DROP TABLE IF EXISTS test_table sync")
+
+    instance2.query("CREATE USER non_local")
+    instance2.query("CREATE TABLE test_table (id Int16) ENGINE=Memory")
+    instance2.query("INSERT INTO test_table VALUES (123)")
+    instance2.query("GRANT SELECT ON default.test_table TO non_local")
+
+    result = instance1.query(
+        "SELECT * FROM remote('instance2', 'default.test_table', 'non_local')"
+    )
+    assert result.strip() == "123"
+
+    instance2.query("DROP USER IF EXISTS non_local")
+    instance2.query("DROP TABLE IF EXISTS test_table SYNC")

Original file line number	Diff line number	Diff line change
`@@ -407,7 +407,7 @@ void RemoteQueryExecutor::sendQueryUnlocked(ClientInfo::QueryKind query_kind, As`
`407`	`407`	`std::vector<String> local_granted_roles;`
`408`	`408`	`if (context->getSettingsRef()[Setting::push_external_roles_in_interserver_queries] && !modified_client_info.initial_user.empty())`
`409`	`409`	`{`
`410`		`- auto user = context->getAccessControl().read<User>(modified_client_info.initial_user, true);`
	`410`	`+ auto user = context->getAccessControl().read<User>(modified_client_info.initial_user, false);`
`411`	`411`	`boost::container::flat_set<String> granted_roles;`
`412`	`412`	`if (user)`
`413`	`413`	`{`