Skip to content

LDAP: changing groups for user makes Clickhouse fail to log in #22221

Closed
#24431
Closed
LDAP: changing groups for user makes Clickhouse fail to log in#22221
#24431
Assignees
traceon
Labels
bugConfirmed user-visible misbehaviour in official releasecomp-rbacAuthorization: roles, grants, quotas, row-level security, access checks.st-need-infoWe need extra data to continue (waiting for response). Either some details or a repro of the issue.
@Blackmorse

Description

@Blackmorse
Blackmorse
opened on Mar 28, 2021

Describe the bug
Clickhouse fails to log users after changing groups at LDAP for one user

Does it reproduce on recent release?
I've checked It on 21.2.5.5 and 21.3.4.25

How to reproduce
E.g. there is LDAP user user_1 and there are two LDAP groups role_1 and role_2, which are mapped to the Clickhouse roles with the same names.
At the beginning user_1 is only at role_1 group

  1. Log user_1 in by clickhouse-client and check grants:
SHOW GRANTS

┌─GRANTS─────────────────────────────────────────┐
│ GRANT role1 TO user_1 │
└────────────────────────────────────────────────┘
  1. Exclude user_1 from role_1 and assign him to the role_2 group
  2. Try to log him in by clickhouse-client again. Login process hangs forever. Also other users can't log in too.

Expected behavior
User will have updated grants after the re-login

Error message and/or stacktrace
I found no logs for that :(

Additional context
Clickhouse on CentOS, freeipa as a LDAP

Metadata

Metadata

Assignees

Labels

bugConfirmed user-visible misbehaviour in official releasecomp-rbacAuthorization: roles, grants, quotas, row-level security, access checks.st-need-infoWe need extra data to continue (waiting for response). Either some details or a repro of the issue.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions