Skip to content

Commit ea4d066

Browse files
hagen1778hagen1778
authored
Merge pull request #78 from lalex/header_auth
Allow to auth with the X-ClickHouse-User header
2 parents 7c9a04c + 28a883e commit ea4d066

File tree

3 files changed

+48
-1
lines changed

3 files changed

+48
-1
lines changed

proxy_test.go

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -349,6 +349,42 @@ func TestReverseProxy_ServeHTTP1(t *testing.T) {
349349
return makeCustomRequest(p, req)
350350
},
351351
},
352+
{
353+
cfg: authCfg,
354+
name: "headers auth ok",
355+
expResponse: okResponse,
356+
expStatusCode: http.StatusOK,
357+
f: func(p *reverseProxy) *http.Response {
358+
req := httptest.NewRequest("POST", fakeServer.URL, nil)
359+
req.Header.Set("X-ClickHouse-User", "foo")
360+
req.Header.Set("X-ClickHouse-Key", "bar")
361+
return makeCustomRequest(p, req)
362+
},
363+
},
364+
{
365+
cfg: authCfg,
366+
name: "header auth wrong name",
367+
expResponse: "invalid username or password for user \"fooo\"",
368+
expStatusCode: http.StatusUnauthorized,
369+
f: func(p *reverseProxy) *http.Response {
370+
req := httptest.NewRequest("POST", fakeServer.URL, nil)
371+
req.Header.Set("X-ClickHouse-User", "fooo")
372+
req.Header.Set("X-ClickHouse-Key", "bar")
373+
return makeCustomRequest(p, req)
374+
},
375+
},
376+
{
377+
cfg: authCfg,
378+
name: "header auth wrong name",
379+
expResponse: "invalid username or password for user \"foo\"",
380+
expStatusCode: http.StatusUnauthorized,
381+
f: func(p *reverseProxy) *http.Response {
382+
req := httptest.NewRequest("POST", fakeServer.URL, nil)
383+
req.Header.Set("X-ClickHouse-User", "foo")
384+
req.Header.Set("X-ClickHouse-Key", "baar")
385+
return makeCustomRequest(p, req)
386+
},
387+
},
352388
}
353389

354390
for _, tc := range testCases {

scope.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -355,6 +355,10 @@ func (s *scope) decorateRequest(req *http.Request) (*http.Request, url.Values) {
355355
// Rewrite possible previous Basic Auth and send request
356356
// as cluster user.
357357
req.SetBasicAuth(s.clusterUser.name, s.clusterUser.password)
358+
// Delete possible X-ClickHouse headers,
359+
// it is not allowed to use X-ClickHouse HTTP headers and other authentication methods simultaneously
360+
req.Header.Del("X-ClickHouse-User")
361+
req.Header.Del("X-ClickHouse-Key")
358362

359363
// Send request to the chosen host from cluster.
360364
req.URL.Scheme = s.host.addr.Scheme

utils.go

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,8 +21,15 @@ func respondWith(rw http.ResponseWriter, err error, status int) {
2121
}
2222

2323
// getAuth retrieves auth credentials from request
24-
// according to CH documentation @see "http://clickhouse.readthedocs.io/en/latest/reference_en.html#HTTP interface"
24+
// according to CH documentation @see "https://clickhouse.yandex/docs/en/interfaces/http/"
2525
func getAuth(req *http.Request) (string, string) {
26+
// check X-ClickHouse- headers
27+
name := req.Header.Get("X-ClickHouse-User")
28+
pass := req.Header.Get("X-ClickHouse-Key")
29+
if name != "" {
30+
return name, pass
31+
}
32+
// if header is empty - check basicAuth
2633
if name, pass, ok := req.BasicAuth(); ok {
2734
return name, pass
2835
}

0 commit comments

Comments
 (0)