User Configuration about clickhouse-operator HOT 11 CLOSED

@whelan9453, thanks, I see a problem. Will provide a fixed version on Wed. Until then please avoid using sha256 for default user.

from clickhouse-operator.

Hi @whelan9453, you can not specify password_sha256_hex for the default user. This is current known issue.

Also, try the latest version 0.8.0 -- it has some security features built in, including automatic hashing of passwords -- you can define password in plain in YAML, and operator will hash it and store password_sha256_hex automatically.

from clickhouse-operator.

Hi @whelan9453 , I have just patched the latest release to support sha256 for default user, so your example should work "as is".

from clickhouse-operator.

Hi @alex-zaitsev
Thank you! I'll try again with password_sha256_hex of the default user.

One quick question: I use the command kubectl apply -f myinstallation.yaml to deploy and update the ClickHouseInstallation resource. Is that the right way to deploy? (Because sometimes the new configuration seems not valid)

from clickhouse-operator.

Hi @whelan9453 , sure, kubectl apply -f is the right way. What do you mean by not valid configuration?

from clickhouse-operator.

Sometimes after I ran the kubectl apply command, the configuration XML files would stay unchanged. Another time the configuration XML files are changed, but the password remains old ones.

You can see my sample codes above that user admin and user default can log in with the same password even though the password_sha256_hex in the user.xml is different.

from clickhouse-operator.

@whelan9453 , it may happen if operator can not apply the configuration. For example, if you have broken configuration operator will automatically rollback to the previous one. Unfortunately, it is not visible enough (kubectl apply always succeeds).

I think in your example you had different yaml before, and after making changes ClickHouse could not start. That's why you see old passwords and test user.

You can check events that operator log to ClickHouseInstallation object to see if there is anything there:

kubectl describe chi test -n

from clickhouse-operator.

Hi @whelan9453 , I have just patched the latest release to support sha256 for default user, so your example should work "as is."

Hi @alex-zaitsev
I just tried the latest release and saw there's a <password remove="1"></password> in the password section, and things were looking okay.

However, after I did some changes to my clickhouse-installation.yaml file and run kubectl apply -f clickhouse-installation.yaml again, the <password remove="1"></password> was gone missing and the error message came out like this.

2020.01.06 01:47:47.783826 [ 1 ] {} <Information> Application: Shutting down storages.
2020.01.06 01:47:47.783855 [ 1 ] {} <Debug> Application: Shutted down storages.
2020.01.06 01:47:47.784261 [ 1 ] {} <Debug> Application: Destroyed global context.
2020.01.06 01:47:47.788275 [ 1 ] {} <Error> Application: DB::Exception: Both fields 'password' and 'password_sha256_hex' are specified for user default. Must be only one of them.
2020.01.06 01:47:47.788324 [ 1 ] {} <Information> Application: shutting down
2020.01.06 01:47:47.788348 [ 1 ] {} <Debug> Application: Uninitializing subsystem: Logging Subsystem
2020.01.06 01:47:47.789385 [ 2 ] {} <Information> BaseDaemon: Stop SignalListener thread

I can reproduce this error by deleting all resources and applying it again.

from clickhouse-operator.

@whelan9453 , I've just uploaded the fix. Just re-install the operator to try it out.

from clickhouse-operator.

@whelan9453, could you confirm the latest version works for you?

from clickhouse-operator.

@alex-zaitsev
I've tried this part, and it looks fine.
Thanks!

from clickhouse-operator.