Comments (6)
gyrter
commented on June 7, 2024
4
Hello, everyone. There is little workaround for this problem - you can use networks access list to avoid password.
For example:
users:
default/networks/host_regexp:
- ^chi-cluster-cluster-\d-\d.*$
- ^chi-cluster-cluster-\d-\d-\d\..*$
default/networks/ip:
- "::1"
- "127.0.0.1"
default/profile: default
default/quota: default
default/connect_timeout_with_failover_ms: 1000```
from clickhouse-operator.
alex-zaitsev
commented on June 7, 2024
Good catch, @ralfbecher.
The common practice is to keep default user with no password BUT limited to cluster nodes only and only used for inter-cluster communication. This is how operator deploys default configuration.
I agree that operator should automatically propagate password to remote_servers, but it creates a extra security vulnerability, since password in remote_servers can not be masked/hashed, unlike user definition.
Probably we should forbid changing default user password and network settings at all.
from clickhouse-operator.
ralfbecher
commented on June 7, 2024
Then you could add the functionality of hashed password to remote_servers...
from clickhouse-operator.
alex-zaitsev
commented on June 7, 2024
@ralfbecher , unfortunately, ClickHouse needs a real password in order to connect to other servers, hashed password can not work. So either we tolerate plain passwords in remote_servers, or do not need any passwords here at all and rely on network security.
from clickhouse-operator.
yuzhichang
commented on June 7, 2024
ClickHouse/ClickHouse#13156 added secure inter-cluster query execution to v20.10.3.30+.
For each cluster in the metrika.xml, add an non-empty secret tag. This indicates clickhouse to use current query user to do remote queries.
<remote_servers>
<abc>
<secret>foo</secret>
<shard>
<internal_replication>true</internal_replication>
<replica>
<host>192.168.101.106</host>
<port>9000</port>
</replica>
<replica>
<host>192.168.101.108</host>
<port>9000</port>
</replica>
</shard>
<shard>
<internal_replication>true</internal_replication>
<replica>
<host>192.168.101.110</host>
<port>9000</port>
</replica>
<replica>
<host>192.168.102.114</host>
<port>9000</port>
</replica>
</shard>
</abc>
</remote_servers>
from clickhouse-operator.
alex-zaitsev
commented on June 7, 2024
https://github.com/Altinity/clickhouse-operator/blob/master/docs/security_hardening.md
cc @ralfbecher
from clickhouse-operator.
Related Issues (20)
- CHK example chk-examples/02-extended-3-nodes.yam doesn't work HOT 3
- Apply clickhouse-operator-install-bundle config changed,But the statefulset pods are not created with new config HOT 4
- Dashboard for ClickHouse Keeper HOT 1
- Intermittent errors: unable to decode an event from the watch stream: http2: client connection lost
- Restore selected single table HOT 8
- Configure volumeClaimTemplates.reclaimPolicy in clickhouse keeper
- Max Replica Delay after upgrade to 23.8 HOT 12
- ClickHouse disk type with first upper letter HOT 4
- The generated CRD yaml can't pass `kubeconform -ignore-missing-schemas -strict` HOT 1
- Operator hammers the Kubernetes api-server on Clickhouse Keeper resource
- Grant ROLE to user created with operator HOT 1
- Clickhouse operator Logs Security issue : Password hash data getting printed in logs HOT 1
- 0.24.0 version of the operator is very confusing HOT 1
- How to install the operator in a custom namespace and watch for changes in all namespaces. HOT 1
- Adding an invalid label causes whole cluster to be removed HOT 4
- Buggy manual keeper setup config HOT 5
- How to run an operator only in namespace mode? HOT 3
- [feature request] Ability to deploy an operator with permissions only at the namespace level
- clickhouse operator fails to update pod labels on existing clichouse-keeper cluster
- set memory limits on clickhouse HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clickhouse-operator.