Securing ClickHouse and Role Based Access Control

Securing Your ClickHouse Instance

Lesson #1

It is important to correctly secure your ClickHouse instance. In ClickHouse, this has to be done in several ways and in several places.

Securing Network Connectivity

The first thing to do is to lock down network access to your ClickHouse instance. This includes making sure it listens on the correct network interface and only on the desired ports.

When you start ClickHouse, you can choose which IP address it binds to. If you only want to expose your ClickHouse instance to an internal subnet, or even restrict it to purely local access, then you can bind to the corresponding IP address:

ClickHouse ports are configured in the server.xml file. A quick win might be to change your API port to a non-default value, and to disable the HTTP API if you don't plan on using it. Changing the port only reduces noise from casual scans; it does not replace the bind address and firewall restrictions.

Usernames and Passwords

To log into ClickHouse, your users need a username and password.

By default, ClickHouse comes with a user named default, but it is bad practice to use this account for day-to-day activities. Instead, issue every user their own username and password.

create user if not exists benjaminwootton identified with plaintext_password by 'password321';

We will demonstrate how users are administered in a subsequent lesson.

Password Policies

It is possible to set minimum requirements for passwords, and to ensure that passwords expire automatically and must be reset on a schedule:

IP Whitelisting

It is possible to limit the IP addresses from which a user can connect. This can be specified at user creation time:

create user if not exists benjaminwootton
identified with plaintext_password by 'password321' host ip '192.168.0.0/16';
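
The two statements above store the credential with plaintext_password. As an added example (not part of the course material), the same user can be created with hashed password storage, the same IP restriction and an expiry date, followed by a query to review existing accounts. The password and date are constructed placeholders, and VALID UNTIL is assumed to be supported by your ClickHouse version:

```sql
-- Added example, not from the course. Password and date are placeholders.

-- Form used in the lesson: the server keeps the password itself.
--   CREATE USER IF NOT EXISTS benjaminwootton
--       IDENTIFIED WITH plaintext_password BY 'password321'
--       HOST IP '192.168.0.0/16';

-- Hardened form: the server keeps only a SHA-256 hash of the password.
CREATE USER IF NOT EXISTS benjaminwootton
    IDENTIFIED WITH sha256_password BY 'REPLACE-with-a-long-random-passphrase'
    HOST IP '192.168.0.0/16'      -- logins from any other address are refused
    VALID UNTIL '2025-12-31';     -- assumption: this clause exists in your version

-- Confirm what the server actually recorded for the account.
SHOW CREATE USER benjaminwootton;

-- Review every account: authentication method and allowed source hosts.
SELECT name, auth_type, host_ip, host_names
FROM system.users
ORDER BY name;

-- Accounts that still use clear-text or empty passwords.
-- toString() is used because the type of auth_type differs between versions.
SELECT name, auth_type
FROM system.users
WHERE toString(auth_type) LIKE '%plaintext_password%'
   OR toString(auth_type) LIKE '%no_password%';
```

Because of IF NOT EXISTS, the CREATE statement is skipped when the user already exists, so an account created earlier with plaintext_password keeps its old settings until it is altered or recreated.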

Role Based Access Control

ClickHouse incorporates a role-based access control system that lets us define which users can access which data. We cover this in more detail later in this course.

Encrypting Data

ClickHouse incorporates options to encrypt data in flight and data at rest. We cover this in more detail later in this course.

Encrypting Network Communications

We should also secure network communications within ClickHouse, both within the cluster and between the client and cluster.

© 2024 Ensemble. All Rights Reserved.