|
1 | 1 | <clickhouse> |
2 | | - <!-- See also the files in users.d directory where the settings can be overridden. --> |
3 | | - |
4 | | - <!-- Profiles of settings. --> |
5 | 2 | <profiles> |
6 | | - <!-- Default settings. --> |
7 | 3 | <default> |
8 | | - <allow_experimental_analyzer>0</allow_experimental_analyzer> |
9 | 4 | </default> |
10 | 5 |
|
11 | | - <!-- Profile that allows only read queries. --> |
12 | 6 | <readonly> |
13 | 7 | <readonly>1</readonly> |
14 | 8 | </readonly> |
15 | 9 | </profiles> |
16 | 10 |
|
17 | | - <!-- Users and ACL. --> |
18 | 11 | <users> |
19 | | - <!-- If user name was not specified, 'default' user is used. --> |
20 | 12 | <default> |
21 | | - <!-- See also the files in users.d directory where the password can be overridden. |
22 | | - Password could be specified in plaintext or in SHA256 (in hex format). |
23 | | - If you want to specify password in plaintext (not recommended), place it in 'password' element. |
24 | | - Example: <password>qwerty</password>. |
25 | | - Password could be empty. |
26 | | - If you want to specify SHA256, place it in 'password_sha256_hex' element. |
27 | | - Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex> |
28 | | - Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019). |
29 | | - If you want to specify double SHA1, place it in 'password_double_sha1_hex' element. |
30 | | - Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex> |
31 | | - If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication, |
32 | | - place its name in 'server' element inside 'ldap' element. |
33 | | - Example: <ldap><server>my_ldap_server</server></ldap> |
34 | | - If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config), |
35 | | - place 'kerberos' element instead of 'password' (and similar) elements. |
36 | | - The name part of the canonical principal name of the initiator must match the user name for authentication to succeed. |
37 | | - You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests |
38 | | - whose initiator's realm matches it. |
39 | | - Example: <kerberos /> |
40 | | - Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos> |
41 | | - How to generate decent password: |
42 | | - Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-' |
43 | | - In first line will be password and in second - corresponding SHA256. |
44 | | - How to generate double SHA1: |
45 | | - Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-' |
46 | | - In first line will be password and in second - corresponding double SHA1. |
47 | | - --> |
48 | 13 | <password></password> |
49 | | - |
50 | | - <!-- List of networks with open access. |
51 | | - To open access from everywhere, specify: |
52 | | - <ip>::/0</ip> |
53 | | - To open access only from localhost, specify: |
54 | | - <ip>::1</ip> |
55 | | - <ip>127.0.0.1</ip> |
56 | | - Each element of list has one of the following forms: |
57 | | - <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0 |
58 | | - 2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::. |
59 | | - <host> Hostname. Example: server01.clickhouse.com. |
60 | | - To check access, DNS query is performed, and all received addresses compared to peer address. |
61 | | - <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$ |
62 | | - To check access, DNS PTR query is performed for peer address and then regexp is applied. |
63 | | - Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address. |
64 | | - Strongly recommended that regexp is ends with $ |
65 | | - All results of DNS requests are cached till server restart. |
66 | | - --> |
67 | 14 | <networks> |
68 | 15 | <ip>::/0</ip> |
69 | 16 | </networks> |
70 | | - |
71 | | - <!-- Settings profile for user. --> |
72 | 17 | <profile>default</profile> |
73 | | - |
74 | | - <!-- Quota for user. --> |
75 | 18 | <quota>default</quota> |
76 | | - |
77 | | - <!-- User can create other users and grant rights to them. --> |
78 | 19 | <access_management>1</access_management> |
79 | | - |
80 | | - <!-- User can manipulate named collections. --> |
81 | 20 | <named_collection_control>1</named_collection_control> |
82 | | - |
83 | | - <!-- User permissions can be granted here --> |
84 | | - <!-- |
85 | | - <grants> |
86 | | - <query>GRANT ALL ON *.*</query> |
87 | | - </grants> |
88 | | - --> |
89 | 21 | </default> |
90 | 22 | </users> |
91 | 23 |
|
92 | | - <!-- Quotas. --> |
93 | 24 | <quotas> |
94 | | - <!-- Name of quota. --> |
95 | 25 | <default> |
96 | | - <!-- Limits for time interval. You could specify many intervals with different limits. --> |
97 | 26 | <interval> |
98 | | - <!-- Length of interval. --> |
99 | 27 | <duration>3600</duration> |
100 | | - |
101 | | - <!-- No limits. Just calculate resource usage for time interval. --> |
102 | 28 | <queries>0</queries> |
103 | 29 | <errors>0</errors> |
104 | 30 | <result_rows>0</result_rows> |
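Review bot: The `default` user on the new side still has `<password></password>` (new line 13) together with `<ip>::/0</ip>` (new line 15), `<access_management>1</access_management>` and `<named_collection_control>1</named_collection_control>` (new lines 19-20). That leaves an account with no password, able to create users and grant rights, accepting connections from any address. The commit deletes the comments that documented the hashed-password elements and the localhost-only network form, so the file no longer tells a reader that these values are permissive. Unless a users.d override is guaranteed to replace them (the removed comment on old line 2 mentions that mechanism, but no such file is visible here), set a hash and narrow the network list, for example `<password_sha256_hex>SHA256_HEX_PLACEHOLDER</password_sha256_hex>` with `<ip>::1</ip>` and `<ip>127.0.0.1</ip>`. If the open values are intentional for a test or container image, keep a one-line comment saying so, such as `<!-- empty password and ::/0 are for local test images only; override in users.d -->`.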
|