-
Notifications
You must be signed in to change notification settings - Fork 120
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix basic auth #349
Fix basic auth #349
Conversation
thanks a lot for your contribution |
@@ -45,6 +45,7 @@ func (client *ClickHouseClient) Query(query string) (*Response, error) { | |||
|
|||
if client.settings.Instance.BasicAuthEnabled { | |||
password, _ := client.settings.Instance.DecryptedSecureJSONData["basicAuthPassword"] | |||
req.SetBasicAuth(client.settings.Instance.BasicAuthUser, password) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Slach in the scenario mentioned regarding a proxy, shouldn't X-ClickHouse-User
and password be set from the header config parameter? That way the basic auth could be a different value than the click house user and password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think it should resolve during implements #348
Hi again, This actually didn't fix my issue :) Maybe my setup is a bit weird, and perhaps it would make more sense to to the authentication in clickhouse instead of in nginx. However, the documentation (https://clickhouse.tech/docs/en/interfaces/http/#default-database) says that the password should be passed in one of three ways :-) Doesn't it make more sense to just use standard basic auth and not the special headers? What do you think? Thanks, |
@carlanton do you have |
works fine, so you can pass headers + basic auth to clickhouse server |
This works:
This does not:
Nginx cleans the basic auth header (ie. |
Could you try to check authorization headers directly to clickhouse?
|
User
Interesting enough, basic auth behaves differently:
|
please use ``
|
Ah, right sorry. Now I get the same behavior for basic auth and header auth (without nginx). And again, the user
Thanks! |
ok. let's complete figure out |
My setup looks like this:
Nginx is configured to require a valid user and password (basic auth) for all requests. The config looks something like this:
Clickhouse has only the So basically, nginx is responsible for all authentication. The problem with the current implementation (setting Authentication header and X-ClickHouse-User/Key) is that while nginx will accept the user and send the request to further, Clickhouse will deny access since that user doesn't exist (the only user is This may not be the most common setup and I should perhaps do the authentication in Clickhouse instead and pass-trough all requests from nginx. Another workaround would be setting However, I think that a better and less confusing option would be to not set X-ClickHouse-User/Key from this plugin when using basic auth. Thanks, |
@carlanton thanks a lot for detailed explanation i remove X-ClickHouse-Key/User headers for Basic Auth method. |
Hi,
I couldn't get basic auth working and found this. I'm using a nginx proxy between grafana and clickhouse that is configured with basic auth.
Cheers,
Anton