It is important to correctly secure your ClickHouse instance. In ClickHouse, this needs to happen in multiple ways and locations.
The first thing to do is to lock down access to your ClickHouse instance. This includes having it listening on the correct host adapter and the desired ports.
When starting ClickHouse, you can also choose which network IP address to bind to. If you only want to expose your ClickHouse instance to an internal subnet, or even restrict it to purely local access, you can bind to that specific IP address:
ClickHouse ports are configured in the server.xml file. A quick win might be to move your API port to a non-standard port, and to disable the HTTP API if you don't plan on using it.
In order to log into ClickHouse your users need a username and password.
By default, ClickHouse comes with a user named default, but it is very bad practice to use this for your day to day activities with ClickHouse. Instead, best practice is to issue every user with their own username and password.

```sql
-- plaintext_password stores the password in clear text on the server;
-- sha256_password is the stronger alternative for real deployments
create user if not exists benjaminwootton identified with plaintext_password by 'password321';
```

We will demonstrate how users are administered in a subsequent lesson.
It is possible to set minimum requirements for passwords, and to ensure that passwords expire automatically and need to be reset on a schedule:
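As an added example (not part of the original lesson), the following server configuration fragment covers both the bind address discussed above and the password policy: it restricts ClickHouse to one internal interface plus loopback, leaves the HTTP API off, and enforces complexity rules for new passwords. It assumes the settings are placed in config.xml (ClickHouse's default server configuration file) or a drop-in under config.d/, that 10.0.0.5 is a constructed internal address, and that the server version supports the password_complexity section.

```xml
<clickhouse>
    <!-- Bind only to the internal address and loopback; 0.0.0.0 or :: would
         expose the server on every interface -->
    <listen_host>10.0.0.5</listen_host>
    <listen_host>127.0.0.1</listen_host>

    <!-- Native TCP port for clickhouse-client and drivers. ClickHouse only
         listens on ports that are configured, so leaving http_port out
         disables the HTTP API entirely -->
    <tcp_port>9000</tcp_port>
    <!-- <http_port>8123</http_port> -->

    <!-- CREATE USER ... IDENTIFIED BY 'x' stores a SHA-256 hash rather than
         the plaintext password unless a type is given explicitly -->
    <default_password_type>sha256_password</default_password_type>

    <!-- Each rule is a regular expression a new password must match; the
         message is what the user sees when a rule fails -->
    <password_complexity>
        <rule>
            <pattern>.{12}</pattern>
            <message>be at least 12 characters long</message>
        </rule>
        <rule>
            <pattern>\p{N}</pattern>
            <message>contain at least 1 numeric character</message>
        </rule>
        <rule>
            <pattern>\p{Lu}</pattern>
            <message>contain at least 1 uppercase character</message>
        </rule>
        <rule>
            <pattern>[^\p{L}\p{N}]</pattern>
            <message>contain at least 1 special character</message>
        </rule>
    </password_complexity>
</clickhouse>
```

Password expiry is set per user rather than in this file, with the VALID UNTIL clause of CREATE USER or ALTER USER.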
It is possible to limit the IP addresses from which users can connect. This can also be specified at user creation time:
```sql
-- HOST IP accepts a single address or a CIDR range; connections from
-- anywhere else are refused before the password is even checked
create user if not exists benjaminwootton identified with plaintext_password by 'password321' host ip '192.168.0.0/16';
```
ClickHouse incorporates a role based access control system where we can say which users can access which data. We cover this in more detail later in this course.
ClickHouse incorporates options to encrypt data in flight and data at rest. We cover this in more detail later in this course.
We should also secure network communications within ClickHouse, both within the cluster and between the client and cluster.