admin user

izadoesdev · izadoesdev · commit 80fa2566391c · 2025-10-17T15:24:09.000+03:00
diff --git a/infra/clickhouse/config.xml b/infra/clickhouse/config.xml
@@ -578,7 +578,7 @@
     <default_password_type>sha256_password</default_password_type>
 
     <!-- Work factor for bcrypt_password authentication type -->
-    <bcrypt_workfactor>12</bcrypt_workfactor>
+    <bcrypt_workfactor>12</bcrypt_workfactor>   
 
     <!-- Complexity requirements for user passwords.
          Note: ClickHouse Cloud https://clickhouse.com/cloud is always configured for strong passwords.
diff --git a/infra/clickhouse/docker-compose.yml b/infra/clickhouse/docker-compose.yml
@@ -12,10 +12,6 @@ services:
       - ./config.xml:/etc/clickhouse-server/config.xml:ro
       - ./users.xml:/etc/clickhouse-server/users.xml:ro
       - ./flags:/var/lib/clickhouse/flags
-    environment:
-      CLICKHOUSE_DB: default
-      CLICKHOUSE_USER: default
-      CLICKHOUSE_PASSWORD: "analyticsarecool"
     ulimits:
       nofile:
         soft: 262144
diff --git a/infra/clickhouse/users.xml b/infra/clickhouse/users.xml
@@ -18,63 +18,7 @@
     <users>
         <!-- If user name was not specified, 'default' user is used. -->
         <default>
-            <!-- See also the files in users.d directory where the password can be overridden.
-
-                 Password could be specified in plaintext or in SHA256 (in hex format).
-
-                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
-                 Example: <password>qwerty</password>.
-                 Password could be empty.
-
-                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
-                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
-                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
-
-                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
-                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
-
-                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
-                  place its name in 'server' element inside 'ldap' element.
-                 Example: <ldap><server>my_ldap_server</server></ldap>
-
-                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
-                  place 'kerberos' element instead of 'password' (and similar) elements.
-                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
-                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
-                  whose initiator's realm matches it.
-                 Example: <kerberos />
-                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
-
-                 How to generate decent password:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
-                 In first line will be password and in second - corresponding SHA256.
-
-                 How to generate double SHA1:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
-                 In first line will be password and in second - corresponding double SHA1.
-            -->
             <password></password>
-
-            <!-- List of networks with open access.
-
-                 To open access from everywhere, specify:
-                    <ip>::/0</ip>
-
-                 To open access only from localhost, specify:
-                    <ip>::1</ip>
-                    <ip>127.0.0.1</ip>
-
-                 Each element of list has one of the following forms:
-                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
-                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
-                 <host> Hostname. Example: server01.clickhouse.com.
-                     To check access, DNS query is performed, and all received addresses compared to peer address.
-                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
-                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
-                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
-                     Strongly recommended that regexp is ends with $
-                 All results of DNS requests are cached till server restart.
-            -->
             <networks>
                 <ip>::/0</ip>
             </networks>
@@ -96,6 +40,21 @@
                 <query>GRANT ALL ON *.*</query>
             </grants>
         </default>
+
+        <admin>
+            <password>StrongPassword123</password>
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+            <profile>default</profile>
+            <quota>default</quota>
+            <access_management>1</access_management>
+            <named_collection_control>1</named_collection_control>
+            <grants>
+                <query>GRANT ALL ON *.* TO admin</query>
+            </grants>
+        </admin>
+        
     </users>
 
     <!-- Quotas. -->
