Impersonate users in cluster

[filimonov]

Given:

1. cluster configuration with have extra flag <impersonate_users>1</impersonate_users>
2. default user has a special impersonate permission

Scenario:

1. user filimonov connect to server A and run a query on Distributed table.
2. server A connects to server B & server C with its own credentials (let's say as user 'default')
3. the query send from server A to other servers have an extra setting: SELECT ... SETTINGS user='filimonov' (because of <impersonate_users>1</impersonate_users>)
4. Target server dynamically change the default user to filimonov (because it allowed by impersonate permission).
5. all user restrictions for filimonov user are applied (row-based security, allow databases, etc).

Later extra scenarios like "execute particular matview as user XXX" can be added.

Inspired by

• https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/customizing-permissions-with-impersonation-in-sql-server
• https://docs.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver15
• sudo :)

Allows to solve the following issues:

1. using interserver connection pool w/o reconnects
2. one-time user authentication (no need to store / pass / rerequest authentication information to pass forward)

Related: #6843 #8926

[azat]

Refs:

• https://dev.mysql.com/doc/refman/8.0/en/proxy-users.html
• https://www.postgresql.org/docs/10/sql-set-session-authorization.html

[wtao54101]

Hello, I would like to ask if this feature is online? Also, how to configure this parameter? I did not find any introduction in the official documentation.

[azat]

There is no impersonate supports for users actually, but, you can preserve current user for distributed queries, for this, you need to configure secret inside cluster (on all nodes it should be the same), that way ClickHouse can know that the environment is trusted and authentication can be simplified and the user preserved.

[azat]

Some documentation is available here - https://clickhouse.com/docs/engines/table-engines/special/distributed#distributed-clusters

Look for <secret></secret>

[wtao54101]

Um, okay, do you know of any alternative solutions? We currently need to expose CRM data to different users based on different permissions, but if everyone links to ClickHouse, it will cause too many links.