通过配置/etc/clickhouse-server/user.xml来实现;
user.xml如下:
<?xml version="1.0"?>
<yandex>
<!-- Profiles of settings. 一个Profile就是一堆配置(settings)的集合-->
<profiles>
<!-- default组是必须的 -->
<default>
<!-- 副本之间负载均衡的配置,可选项有random,nearest_hostname,in_order,first_or_random -->
<load_balancing>nearest_hostname</load_balancing>
</default>
<!-- readonly组 -->
<readonly>
<readonly>1</readonly>
</readonly>
</profiles>
<!-- Users and ACL. -->
<users>
<!-- If user name was not specified, 'default' user is used. -->
<default>
<!-- Password could be specified in plaintext or in SHA256 (in hex format).
If you want to specify password in plaintext (not recommended), place it in 'password' element.
Example: <password>qwerty</password>.
Password could be empty.
If you want to specify SHA256, place it in 'password_sha256_hex' element.
Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
How to generate decent password:
Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
In first line will be password and in second - corresponding SHA256.
How to generate double SHA1:
Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | openssl dgst -sha1 -binary | openssl dgst -sha1
In first line will be password and in second - corresponding double SHA1.
-->
<!-- 这里采用sha256加密,密码是这样生成的:PASSWORD=CN66law123; echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-' . -->
<password_sha256_hex>00859685e837c06a9172f39479ab7eb7c5d4a12fc5fa30929a197c172fd84b27</password_sha256_hex>
<!-- List of networks with open access.
To open access from everywhere, specify:
<ip>::/0</ip>
To open access only from localhost, specify:
<ip>::1</ip>
<ip>127.0.0.1</ip>
Each element of list has one of the following forms:
<ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
<host> Hostname. Example: server01.yandex.ru.
To check access, DNS query is performed, and all received addresses compared to peer address.
<host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
To check access, DNS PTR query is performed for peer address and then regexp is applied.
Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
Strongly recommended that regexp is ends with $
All results of DNS requests are cached till server restart.
-->
<networks incl="networks" replace="replace">
<ip>::/0</ip>
</networks>
<!-- Settings profile for user. -->
<profile>default</profile>
<!-- Quota for user. -->
<quota>default</quota>
<!-- For testing the table filters -->
<databases>
<test>
<!-- Simple expression filter -->
<filtered_table1>
<filter>a = 1</filter>
</filtered_table1>
<!-- Complex expression filter -->
<filtered_table2>
<filter>a + b < 1 or c - d > 5</filter>
</filtered_table2>
<!-- Filter with ALIAS column -->
<filtered_table3>
<filter>c = 1</filter>
</filtered_table3>
</test>
</databases>
</default>
<!-- Example of user with readonly access. -->
<readonly>
<password></password>
<networks incl="networks" replace="replace">
<ip>::1</ip>
<ip>127.0.0.1</ip>
</networks>
<profile>readonly</profile>
<quota>default</quota>
</readonly>
</users>
<!-- Quotas. -->
<quotas>
<!-- Name of quota. -->
<default>
<!-- Limits for time interval. You could specify many intervals with different limits. -->
<interval>
<!-- Length of interval. -->
<duration>3600</duration>
<!-- No limits. Just calculate resource usage for time interval. -->
<queries>0</queries>
<errors>0</errors>
<result_rows>0</result_rows>
<read_rows>0</read_rows>
<execution_time>0</execution_time>
</interval>
</default>
</quotas>
</yandex>
distribute engine 的问题
配置了ACL以后,访问分布式表会出问题:
【报错】
DB::Exception: Received from ch102:9000. DB::Exception: Password required for user default.
DB::Exception: Received from ch102:9000. DB::Exception: Password required for user default.
这是因为分片之间没有配置密码:
vi metrica.xml 给每个分片指明同步账号default和密码。
只不过我尝试了用加密的密码<password_sha256_hex>没有任何效果。所以还是采用明文的方式。
<!-- 集群配置 -->
<clickhouse_remote_servers>
<cluster_3s_1r>
<!-- 数据分片1 -->
<shard>
<internal_replication>false</internal_replication>
<replica>
<host>ch100</host>
<port>9000</port>
<user>default</user>
<password>密码</password>
<password_sha256_hex>00859685e837c06a9172f39479ab7eb7c5d4a12fc5fa30929a197c172fd84b27</password_sha256_hex>
</replica>
</shard>
<!-- 数据分片2 -->
<shard>
<internal_replication>false</internal_replication>
<replica>
<host>ch101</host>
<port>9000</port>
<user>default</user>
<password>密码</password>
<password_sha256_hex>00859685e837c06a9172f39479ab7eb7c5d4a12fc5fa30929a197c172fd84b27</password_sha256_hex>
</replica>
</shard>
<!-- 数据分片3 -->
<shard>
<internal_replication>false</internal_replication>
<replica>
<host>ch102</host>
<port>9000</port>
<user>default</user>
<password>密码</password>
<password_sha256_hex>00859685e837c06a9172f39479ab7eb7c5d4a12fc5fa30929a197c172fd84b27</password_sha256_hex>
</replica>
</shard>
</cluster_3s_1r>
</clickhouse_remote_servers>
