Authenticate users with wildcard names #78065
Description
Company or project name
ClickHouse
Use case
Accept users with an arbitrary external name and map them to a single user inside ClickHouse.
The external user name can then be used as a quota key, will be logged in the query_log, and shown in the process list.
Describe the solution you'd like
CREATE USER play MATCH '.+' IDENTIFIED WITH ssh_key_server BY URL 'https://github.com/{external_name}.keys'
Add a new section MATCH 'regexp' to the CREATE USER statement.
In the authentication phase, if no other user is found, we try to match all regular expressions for the users with MATCH statements, on the provided user name.
The regular expression is not anchored. The regular expression can contain a single subpattern, and it will extract the string, which is "external name". If there are no subpatterns, the whole regular expression extracts the "external name". For example, if I provided github:alexey-milovidov as the user name, MATCH '^github:(.+)$' will extract the alexey-milovidov substring and treat it as "external name".
Add a new authentication method, ssh_key_server. It requires a URL, which can contain a substitution, {external_name}. The external name will be URL-encoded and substituted into the URL. Then this URL will be requested, and the result will be interpreted as an SSH key, e.g.:
$ curl https://github.com/alexey-milovidov.keys
ssh-rsa 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
Describe alternatives you've considered
No response
Additional context
As a trivial example, it can allow authentication of any user with no password:
CREATE USER test MATCH '.+' IDENTIFIED WITH no_password
We can also introduce the notion of post-auth scripts, for example - to automatically do CREATE DATABASE IF NOT EXISTS and GRANT access to it for a user.
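As an added illustration of the rules proposed above (this is an editor's sketch, not ClickHouse code or the issue author's design): a small Python model of the lookup order (exact users first, then MATCH users), the unanchored regexp with at most one subpattern, the URL-encoded {external_name} substitution, and parsing of a GitHub-style .keys response. The MatchUser record, the "first MATCH user in definition order wins" rule, the injected fetch hook and the sample key body are all assumptions made for the example.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed model of a user created with the proposed MATCH clause and
# ssh_key_server method. Field names are assumptions, not ClickHouse's.
@dataclass(frozen=True)
class MatchUser:
    name: str       # the single internal user every matching login maps to
    pattern: str    # the regexp from MATCH '...'
    keys_url: str   # template from BY URL '...', may contain {external_name}

def extract_external_name(pattern: str, login: str) -> Optional[str]:
    """Unanchored search, as proposed. One subpattern: its capture is the
    external name. No subpattern: the whole matched substring is."""
    rx = re.compile(pattern)
    if rx.groups > 1:
        raise ValueError("MATCH pattern may contain at most one subpattern")
    m = rx.search(login)          # search(), not fullmatch(): not anchored
    if m is None:
        return None
    return m.group(1) if rx.groups == 1 else m.group(0)

def resolve_user(exact_users: Iterable[str], match_users: List[MatchUser],
                 login: str) -> Optional[Tuple[str, str, Optional[MatchUser]]]:
    """Returns (internal user, external name, MatchUser or None).
    MATCH users are consulted only when no other user has this exact name.
    Assumption: among several MATCH users the first defined one wins."""
    if login in set(exact_users):
        return login, login, None
    for mu in match_users:
        ext = extract_external_name(mu.pattern, login)
        if ext is not None:
            return mu.name, ext, mu
    return None

def build_keys_url(template: str, external_name: str) -> str:
    """Percent-encode the external name before substitution. safe="" also
    encodes '/', '?' and '#', so a login like 'a/../b' cannot redirect the
    request to a different path or add a query string."""
    encoded = urllib.parse.quote(external_name, safe="")
    return template.replace("{external_name}", encoded)

def parse_keys_response(body: str) -> List[Tuple[str, str]]:
    """Parse 'type base64 [comment]' lines as served by github.com/<user>.keys.
    Returns (type, base64) pairs; blank lines and non-key lines are dropped."""
    keys = []
    for line in body.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2:
            continue
        if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        keys.append((parts[0], parts[1]))
    return keys

# Constructed stand-in for the HTTP request, so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "https://github.com/alice.keys":
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY alice@example\n"
        "\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEY\n",
}

def fake_fetch(url: str) -> str:
    return CONSTRUCTED_RESPONSES.get(url, "")

def keys_for_login(exact_users: Iterable[str], match_users: List[MatchUser],
                   login: str, fetch: Callable[[str], str] = fake_fetch):
    """Full flow: resolve the login, then fetch the keys for a MATCH user.
    Returns (internal user, external name, keys) or None if nobody matched."""
    resolved = resolve_user(exact_users, match_users, login)
    if resolved is None:
        return None
    internal, ext, mu = resolved
    if mu is None:                 # exact user: not an ssh_key_server user here
        return internal, ext, []
    body = fetch(build_keys_url(mu.keys_url, ext))
    return internal, ext, parse_keys_response(body)

if __name__ == "__main__":
    play = MatchUser("play", "^github:(.+)$",
                     "https://github.com/{external_name}.keys")
    print(keys_for_login({"default"}, [play], "github:alice"))
```

The external name returned by resolve_user is what the proposal would then use as the quota key and write to query_log and the process list, so it is worth noting that with an unanchored pattern such as 'github:(.+)' a login of 'xgithub:alice' also resolves to 'alice'; anchoring with ^ and $ as in the issue's own example avoids that.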