Make queries using a specific role or user's applicable row policies and grants

[ekpdt]

Use case

When data entitlements are encoded into CH using grants, roles, and row policies, it is sometimes infeasible to reimplement the same logic in a web service that serves that data to users within the organization. CH should be the source of truth for data access. For instance, consider sales business intelligence app built on top of CH. If certain sales people are each entitled to see only certain subsets of data, it is easier to encode their privileges in CH and rely on the database to enforce those roles rather than encoding them in the application. This is especially true if the organization develops several such "data" applications.

Describe the solution you'd like

1. User ekpdt makes an authenticated request to a web service that provides real time analytics
2. The web service, under its service user webapp, runs a SELECT query against a table, view, or materialized view to satisfy ekpdt's request.
3. Service user webapp has the IMPERSONATE privilege and tags its SELECT statement with SETTINGS impersonate='ekpdt'
4. CH evaluates the query by applying the row policies and grants applicable to ekpdt

Describe alternatives you've considered

The remote() table function is an option, but this forces the web service to know the end user's password. remote() also does not use a connection pool.

Additional context

There was a similar request here at #9751 to support proper row policies and usage accounts for distributed queries.

[filimonov]

Mechanics of the Proposed Feature

To implement this feature, several changes would be necessary:

1. New Type of Grant: Introduce a GRANT IMPERSONATE ON USER::TargetPrincipal TO GranteePrincipal. This grant differs from existing grants, which are typically applied to databases and tables, not users. Not straight-forward.

2. Serialization/Deserialization: The new grant must be correctly serialized/deserialized and displayed in system.grants or via SHOW GRANTS.

3. New Setting (execute_as): Introduce a new setting, execute_as, which would be empty by default.

4. Grant Check Mechanism:

   • When the execute_as setting is used, CH should first check if the IMPERSONATE grant is allowed.
   • If allowed, the effective user is switched (possibly by cloning the context with the new user), and all further grants are evaluated in this new context.
   • The new context should respect all associated permissions, such as default settings, quotas, row policies, and grants.
   • Special attention should be given to handling session-specific objects like temporary tables and settings.

Considerations and Edge Cases

• Reverting the Setting: If the execute_as setting is used within a session, it should be clear whether or not it can be reverted. Commands executed after the setting change would be under the impersonated user’s context.

• Context Persistence: Ensure that the subcontext created for the impersonated user does not inadvertently persist beyond the intended scope. Any changes made in the "child" session (the impersonated user context) should not impact the "parent" session unless explicitly allowed.

• Session Persistence Logic: Consider whether session persistence logic (e.g., session ID for the parent and child contexts) is necessary, similar to the session cookies used in Microsoft SQL Server's EXECUTE AS (see MS SQL documentation).

• Impact on Parent Session: Decide whether changes made in the "child" session should have any impact on the "parent" session, particularly in the context of distributed queries.

[filimonov]

See also https://dev.mysql.com/doc/refman/8.4/en/proxy-users.html

Settings are not nice here because the user can try to push a different setting and try to get the privilegues of the other one.

So rather should be the connection setting (like header etc).

[shiyer7474]

Thank you @ekpdt and @filimonov for such clear communication on a vital security feature! Based on my past experience on this, I am just writing a few thoughts before moving forward. This feature typically targets 2 use-cases -

1. Database side visibility of the end-user - Specifically in access logs and database audit logs, customers require the real end-user like 'ekpdt' to be visible for regulatory purposes. Applications may have 10000's of end-users externally authenticated by stuff like SSO/IAM and it is a severe overhead to create/manage corresponding end-users in the database as database accounts. In case of Clickhouse, this will be visibility of 'ekpdt' inside system.session_log, system.query_log and any other or future data collection mechanism for an auditing feature. Note again: 'ekpdt' is not a database user, and application accesses Clickhouse via 'webapp' account.
2. End-user authenticated externally but database access policies managed inside database - Well explained in the first 2 comments in this ticket. This implies that ''ekpdt' cannot independently logon to the database once the end-user account has been marked for impersonate access (or proxy access). All visibility related aspects stated in point 1 apply and are inherent because 'ekpdt' is the user of the database session.

I recommend we use more common term "PROXY" in place of "IMPERSONATE". There could be a few client side impacts if protocol/message changes are required and certainly impact on client side connection pooling needs to be detailed. I also propose that the feature implementation should also enable usecase 1 above.

[ekpdt]

@shiyer7474

Database side visibility of the end-user

I think this is a different feature than what I've proposed. The whole point of my proposal is to allow one database user to interact with the database as if it's a second user. The goal is to use that second user's privileges. If the end-user is not a database user, that's completely moot. It's a totally different feature and probably belongs in a separate ticket.

End-user authenticated externally but database access policies managed inside database...This implies that ''ekpdt' cannot independently logon to the database once the end-user account has been marked for impersonate access (or proxy access)

I did not mean to imply that the end user (who is also a database user) should not be able to log in. I think that's orthogonal to this feature request as well. If you don't want to allow a user to log in, mark their credentials as invalid.

[shiyer7474]

It's a totally different feature and probably belongs in a separate ticket

Sure, I will not mix the 2 in this ticket.

If you don't want to allow a user to log in, mark their credentials as invalid.

Right, let me check on that.

Settings are not nice here because the user can try to push a different setting and try to get the privilegues of the other one.

We can discuss, but settings or an explicit SQL like 'SET ROLE PROXY TO enduser1' should be fine. Once the session has been impersonated as enduser1, a malicious user trying set execute_as = 'enduser2' in the same session will fail because enduser1 will not have impersonate/proxy privileges on enduser2.

[shiyer7474]

I am consolidating the above messages in the short note below and this will be the spec for the PR. I will seek out review on this note.

1. Add new grant : GRANT IMPERSONATE | PROXY ON joe TO serviceuser

   • WITH GRANT OPTION is not supported for impersonate
   • Corresponding revoke - REVOKE IMPERSONATE | PROXY FROM serviceuser ON joe
   • Can opt for keyword IMPERSONATE or PROXY depending on feedback.
   • Recommend 'serviceuser' to hold basic CREATE SESSION privileges only
   • Recommend 'joe' credentials to be locked/undisclosed so that direct database login as 'joe' is not possible

2. Add new SQL : EXECUTE AS joe

   • A 'serviceuser' authenticated session can run 'EXECUTE AS joe' immediately after authentication.
   • 'serviceuser' must hold IMPERSONATE | PROXY privileges
   • After EXECUTE AS, session will run only with privileges of 'joe', session's settings & quotas will be of 'joe'
   • currentUser(), user() functions will return 'joe'
   • 'user' column of system.query_log will be populated 'joe'
   • Add a new function authUser() that returns 'serviceuser'
   • Add new column auth_user to system.session_log and system.query_log and populate it as 'serviceuser'
   • There is no 'REVERT' option, the session should just be terminated after work as 'joe' is over

3. Add a new setting 'allow_impersonate' as a knob to turn ON/OFF the feature. Setting is OFF by default.

4. No impact on distributed query

5. Based on feedback, ability for the proxied session to inherit 'serviceuser' privileges also can be provided. This will help usecases where applications just use a superuser/appadmin account for all database access, but would like end-to-end real user visibility for auditing : GRANT IMPERSONATE | PROXY ON joe TO serviceuser [WITH INHERIT]

[shiyer7474]

@alexey-milovidov

Please review the note in the previous comment and earlier comments and provide your inputs on this feature! A working implementation is uploaded for a quick check of the scope/nature of changes (not ready for formal review!) :

shiyer7474@a5ad25b

[shiyer7474]

@alexey-milovidov Kind ping, please review and provide initial feedback, thanks!

[shiyer7474]

Meanwhile, I will continue work on the PR and see if I run into any unknowns.

[wtao54101]

@ekpdt Hello, I would like to know how you will solve the problem you described?

[ekpdt]

@wtao54101 I made a feature request. It has not been implemented.