ContentSquare / chproxy

Open-Source ClickHouse http proxy and load balancer
https://www.chproxy.org/
MIT License
1.29k stars 259 forks source link

[Feature] Configuration option to allow passing all query parameters #338

Open genzgd opened 1 year ago

genzgd commented 1 year ago

Is your feature request related to a problem? Please describe. Currently CHProxy severely restricts the query parameters that can be passed to ClickHouse server for "security reasons". This was the source of a major incompatibility with the official Python client (https://github.com/ClickHouse/clickhouse-connect/issues/191), and also cripples a lot of other behavior for HTTP based ClickHouse clients. The workaround by changing settings at the user/params_group level is somewhat clunky and incomplete.

This sort of security issue seems better handled at the client and not the proxy level in any case.

Describe the solution you'd like Checking the allowed parameters list here should be optional and controlled by a configuration setting.

Describe alternatives you've considered Setting user level parameters in parameter groups is insufficient, since it reduces flexibility and doesn't work with, for example, query parameters used for ClickHouse server side binding. Another possibility might be adding another configuration option to dynamically add to the "allowed parameter names", but this again adds additional complexity and overhead with little apparently "security" benefit.

mga-chka commented 1 year ago

Hi, we've discussed a bit with the maintainers. Since we're not the original maintainers, it's difficult to know all the reasons behind this limitation. But, we know that with the current codebase, if we allow people to put the parameters they want, it could mess with the caching mechanism and people might get results they don't expect. Indeed, the key used to store the result of the query is based on the query and specific params, cf https://github.com/ContentSquare/chproxy/blob/master/cache/key.go#L61. If we let people add the param they want, they could create a situation were:

It will take time to see if there are other side effects with the params and if we can avoid the issue with the cache by reworking the way the key is generated.

In the meantime, if the topic is urging, you can create a PR by adding an allow_unsafe_params field in the config (default value to false) to bypass this behavior.

genzgd commented 1 year ago

Thanks for looking into it! I understand the cache key concern and I'm not sure what the right balance is without adding a lot of complexity. I'll see about doing a fairly simple PR as you suggested for allow_unsafe_params.

mga-chka commented 1 year ago

one advice, you should wait before the PR https://github.com/ContentSquare/chproxy/pull/330 is merged (should be merge in max a few days) because it will be in conflict with some parts of the code you need to modify

Blokje5 commented 1 year ago

FYI: I have merged #330 so this should no longer block you.

ingvar89 commented 3 months ago

Hi! @genzgd @mga-chka please tell me if you do some PR with allow_unsafe_params? Because I have the same behaviour and this is very blocking part of my flow. Thx in advance

genzgd commented 3 months ago

@ingvar89 Unfortunately I've not had the time to implement anything like that.

ingvar89 commented 3 months ago

@ingvar89 Unfortunately I've not had the time to implement anything like that.

Okay, I understand, very sad( Thank you for your reply!