-
Notifications
You must be signed in to change notification settings - Fork 0
Disable Plaintext password Test Plan
Overview
Existing Usecases
Existing issues or blocks
Test process
Manual testing
Functional test
Performance test
Integration Tests
Stress test
Test Cases
1 CREATE user as a default user IDENTIFIED with plaintext password
2 CREATE user as a different user(Clickhouse-admin) IDENTIFIED with plaintext password
3 CREATE User IDENTIFIED with no_password )
4 CREATE User IDENTIFIED with sha256_password
5 CREATE User IDENTIFIED with sha256_hash
6 CREATE User IDENTIFIED with double_sha1_password
7 CREATE User IDENTIFIED with double_sha1_hash
8 ALTER user as a default user IDENTIFIED WITH plaintext password
9 ALTER user as a other user(clickhouse admin) IDENTIFIED with plaintext password
10 CREATE User with default role
1. Command-Line Client Interface
This is the test plan for the feature of disable plaintext password as described in the [issue #33953]. (https://github.com/ClickHouse/ClickHouse/issues/33953). The new config setting in server configuration is added <enable_plaintext_password> to on/off use of plaintext passwords at user level. The default value of this config property is 1 i.e. the plaintext passwords are allowed in clickhouse user configuration.
The test cases and SQLs are based on the description of the issue #33953 and existing clickhouse behaviour.
Suggested 3 options of syntax for ALTER/CREATE user with plaintext password.
CREATE USER [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1] [, name2 [ON CLUSTER cluster_name2] ...] [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password | plaintext_password | sha256_password | sha256_hash | double_sha1_password | double_sha1_hash}] BY {'password' | 'hash'}}]
ALTER USER [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1] [, name2 [ON CLUSTER cluster_name2] ...] [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password | plaintext_password | sha256_password | sha256_hash | double_sha1_password | double_sha1_hash}] BY {'password' | 'hash'}}]
CREATE USER john DEFAULT ROLE role1, role2;
Described in this issue: Issue.
Use manual test to verify CREATE/ALTER user via SQL and configuration files.
Start clickhouse server and clickhouse client
Change directory to programs/clickhouse-server and run it with ./clickhouse-server.
Run programs/clickhouse-client/clickhouse-client. (in another terminal)
Run SQLs in the test cases in the client, check the correctness.
If the expected result of a test is a server error. use the following format:
Each functional test sends one or multiple queries to the running ClickHouse server and compares the result with reference.
Testing a Distributed Query will be added if necessary.
To be added if necessary.
To be added if necessary.
To be added if necessary.
The test cases are created to cover as much as possible according to the description. The below test cases should be testes in both scenario.
- Clickhouse-server with property setting set to <enable_plaintext_password>0</enable_plaintext_password> in config.xml
- Clickhouse-server with property setting set to <enable_plaintext_password>1</enable_plaintext_password> in config.xml which is default value.
The below testcase should fail with valid error.
CREATE USER mira HOST IP '127.0.0.1' IDENTIFIED WITH plaintext_password BY 'qwerty';
The below testcase should fail with valid error. Open clickhouse-client session as different user than default by ./clickhouse-client -u $USERNAME
CREATE USER mira HOST IP '127.0.0.1' IDENTIFIED WITH plaintext_password BY 'qwerty';
User mira should be created.
`CREATE USER mira HOST IP '127.0.0.1' IDENTIFIED WITH no_password;`
`CREATE USER u4_01292 IDENTIFIED WITH sha256_password BY 'qwe123';`
`CREATE USER u5_01292 IDENTIFIED WITH sha256_hash BY '18138372FAD4B94533CD4881F03DC6C69296DD897234E0CEE83F727E2E6B1F63';`
CREATE USER u6_01292 IDENTIFIED WITH double_sha1_password BY 'qwe123';
CREATE USER u7_01292 IDENTIFIED WITH double_sha1_hash BY '8DCDD69CE7D121DE8013062AEAEB2A148910D50E';
Error is expected.
CREATE USER u4_01292 IDENTIFIED WITH plaintext_password BY 'qwe';
Open clickhouse-client session with user other than default by command `programs/server/clickhouse-client -u $USERNAME`
`CREATE USER u4_01292 IDENTIFIED WITH plaintext_password BY 'qwe';`
`CREATE USER john DEFAULT ROLE ALL;`
The command-Line client can be connected by executing binary exist in programs/server/clickhouse-client -u $USERNAME.
ClickHouse Allows to create user with Configuration files.
Set the property <allow_plaintext_password>0</allow_plaintext-password> in config.xml and configure user in user.xml identified with
-
CREATE user IDENTIFIED WITH plaintext password
-
CREATE user without plaintext password Clickhouse-server should not come up and throw exception with valid message.
Execute above SQL queries with http interface. Substitute above SQL queries in to below statement and execute.
$ echo "<SQL QUERY>" | curl 'http://localhost:8123/?query=SEL' --data-binary @-
Connect to MYSQL interface with mysql --protocol tcp -u default -P 9004
Execute same SQL commands with this interface.