map external users to profile

Author: zvonand

docs/en/operations/external-authenticators/tokens.md

@@ -234,6 +234,7 @@ All this implies that the SQL-driven [Access Control and Account Management](/do
             <common_roles>
                 <token_test_role_1 />
             </common_roles>
+            <default_profile>my_profile</default_profile>
             <roles_filter>
                 \bclickhouse-[a-zA-Z0-9]+\b
             </roles_filter>
@@ -251,5 +252,6 @@ For now, no more than one `token` section can be defined inside `user_directorie
 
 - `processor` — Name of one of processors defined in `token_processors` config section described above. This parameter is mandatory and cannot be empty.
 - `common_roles` — Section with a list of locally defined roles that will be assigned to each user retrieved from the IdP. Optional.
+- `default_profile` — Name of a locally defined settings profile that will be assigned to each user retrieved from the IdP. If the profile does not exist, a warning will be logged and the user will be created without a profile. Optional.
 - `roles_filter` — Regex string for groups filtering. Only groups matching this regex will be mapped to roles. Optional.
 - `roles_transform` — Sed-style transform pattern to apply to group names before mapping to roles. Format: `s/pattern/replacement/flags`. The `g` flag applies the replacement globally (all occurrences). Example: `s/-/_/g` converts `clickhouse-grp-dba` to `clickhouse_grp_dba`. Optional.

src/Access/TokenAccessStorage.cpp

@@ -3,6 +3,7 @@
 #include <Access/ExternalAuthenticators.h>
 #include <Access/User.h>
 #include <Access/Role.h>
+#include <Access/SettingsProfile.h>
 #include <Access/Credentials.h>
 #include <Common/Exception.h>
 #include <Common/logger_useful.h>
@@ -161,6 +162,9 @@ TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessContr
     }
     common_role_names.swap(common_roles_cfg);
 
+    if (config.has(prefix_str + "default_profile"))
+        default_profile_name = config.getString(prefix_str + "default_profile");
+
     user_external_roles.clear();
     users_per_roles.clear();
     roles_per_users.clear();
@@ -426,6 +430,42 @@ void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> &
     user_external_roles[user_name] = external_roles;
 }
 
+void TokenAccessStorage::assignProfileNoLock(User & user) const
+{
+    if (default_profile_name.empty())
+        return;
+
+    const auto & user_name = user.getName();
+    auto & settings = user.settings;
+
+    // Look up the profile ID once
+    const auto profile_id = access_control.find<SettingsProfile>(default_profile_name);
+    if (!profile_id)
+    {
+        LOG_TRACE(getLogger(), "Did not assign profile '{}' to user '{}': profile not found", default_profile_name, user_name);
+        return;
+    }
+
+    // Check if profile is already assigned
+    bool profile_already_assigned = false;
+    for (const auto & element : settings)
+    {
+        if (element.parent_profile.has_value() && element.parent_profile == *profile_id)
+        {
+            profile_already_assigned = true;
+            break;
+        }
+    }
+
+    if (!profile_already_assigned)
+    {
+        SettingsProfileElement profile_element;
+        profile_element.parent_profile = *profile_id;
+        settings.push_back(std::move(profile_element));
+        LOG_TRACE(getLogger(), "Assigned profile '{}' to user '{}'", default_profile_name, user_name);
+    }
+}
+
 void TokenAccessStorage::updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const
 {
     // Map and grant the roles from scratch only if the list of external role has changed.
@@ -521,12 +561,25 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
     if (new_user)
     {
         assignRolesNoLock(*new_user, external_roles);
+        assignProfileNoLock(*new_user);
         id = memory_storage.insert(new_user);
     }
     else
     {
         // Just in case external_roles are changed.
         updateAssignedRolesNoLock(*id, user->getName(), external_roles);
+
+        // Also update profile if needed
+        memory_storage.update(*id, [this] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr
+        {
+            if (auto user_entity = typeid_cast<std::shared_ptr<const User>>(entity_))
+            {
+                auto changed_user = typeid_cast<std::shared_ptr<User>>(user_entity->clone());
+                assignProfileNoLock(*changed_user);
+                return changed_user;
+            }
+            return entity_;
+        });
     }
 
     if (id)

src/Access/TokenAccessStorage.h

@@ -2,6 +2,7 @@
 
 #include <Access/MemoryAccessStorage.h>
 #include <Access/Credentials.h>
+#include <Access/SettingsProfile.h>
 #include <Common/re2.h>
 #include <base/types.h>
 #include <base/scope_guard.h>
@@ -53,6 +54,7 @@ class TokenAccessStorage : public IAccessStorage
     bool roles_transform_global = false;
 
     std::set<String> common_role_names;                         // role name that should be granted to all users at all times
+    String default_profile_name;                                // settings profile name that should be assigned to all users
     mutable std::map<String, std::set<String>> user_external_roles;
     mutable std::map<String, std::set<String>> users_per_roles; // role name -> user names (...it should be granted to; may but don't have to exist for common roles)
     mutable std::map<String, std::set<String>> roles_per_users; // user name -> role names (...that should be granted to it; may but don't have to include common roles)
@@ -67,6 +69,7 @@ class TokenAccessStorage : public IAccessStorage
 
     void applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name);
     void assignRolesNoLock(User & user, const std::set<String> & external_roles) const;
+    void assignProfileNoLock(User & user) const;
     void updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const;
 
 protected: