Add security hardening documentation to README.md

Add security hardening documentation. Provides the ability to enforce better security practices for network encryption and secret/credential based access for zookeeper, data replication and distributed queries. Change-Id: I5dc416ee5c48123af27cf405adf7a877aa2e6204
AlexeySetevoi · Apr 1, 2022 · 3509f0c · 3509f0c
1 parent 9c6f88e
commit 3509f0c
Showing 1 changed file with 66 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -300,6 +300,7 @@ Including an example of how to use your role (for instance, with variables passe
     roles:
       - ansible-clickhouse
 ```
+
 To generate macros: in file host_vars\db_host_1.yml
 ```yaml
 clickhouse_macros:
@@ -308,6 +309,71 @@ clickhouse_macros:
   replica: "db_host_1"
 ```
 
+Security harden the cluster. You can configure the cluster with extra settings
+which enables
+- HTTPS port
+- TLS Encrypted TCP port
+- HTTPS for data replication
+- Credentials for data replication
+- Secret validation for distributed queries
+- ZooKeeper ACL
+```yaml
+- hosts: clickhouse_cluster
+  become: true
+  roles:
+    - ansible-clickhouse
+  vars:
+    # HTTPS instead of normal HTTP
+    clickhouse_https_port: 8443
+    # TLS encryption for the native TCP protocol (needs `clickhouse-client --secure`)
+    clickhouse_tcp_secure_port: 9440
+    # TLS encryption between nodes in cluster
+    clickhouse_interserver_https: 9010
+    # Credentials used to authenticate nodes during data replication
+    clickhouse_interserver_http_credentials:
+      user: "internal"
+      password: "supersecretstring"
+    # Secret used to validate nodes in cluster for distributed queries
+    clickhouse_distributed_secret: "supersecretstring2"
+    # Password protect zookeeper paths used by ClickHouse
+    clickhouse_zookeeper_identity:
+      user: "zoo_user"
+      password: "secretzoostring"
+    # OpenSSL settings
+    clickhouse_ssl_server:
+      certificate_file: "/etc/clickhouse-server/server.crt"
+      private_key_file: "/etc/clickhouse-server/server.key"
+      dh_params_file: "/etc/clickhouse-server/dhparam.pem"
+      verification_mode: "none"
+      load_default_ca_file: "true"
+      cache_sessions: "true"
+      disable_protocols: "sslv2,sslv3"
+      prefer_server_ciphers: "true"
+    clickhouse_clusters:
+      your_cluster_name:
+        shard_1:
+          - host: "db_host_1"
+            port: 9440
+            secure: true
+          - host: "db_host_2"
+            port: 9440
+            secure: true
+        shard_2:
+          - host: "db_host_3"
+            port: 9440
+            secure: true
+          - host: "db_host_4"
+            port: 9440
+            secure: true
+    clickhouse_zookeeper_nodes:
+      - host: "zoo_host_1"
+        port: 2181
+      - host: "zoo_host_2"
+        port: 2181
+      - host: "zoo_host_3"
+        port: 2181
+```
+
 F: You can call separately stages(from playbook, external role etc.):
 
 Tag | Action