This repository has been archived by the owner on Feb 6, 2024. It is now read-only.
Allow deployment of cluster with security hardening configuration #90
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change-Id: I3aae090964f16951b94e8fabb7c38ef9696fee0d
Change-Id: If67c83e1060b73e2a1feaf4c59e233d0360b7970
Add the ability to configure the cluster so that internal communication is encrypted and password-protected. Change-Id: If40cf4fe4075f870e725c73e7af7930f3c987dc9
ClickHouse has the ability to set ZooKeeper access control to the nodes it is using. This provides additional layer of security since it makes sure that the zookeeper nodes used by clickhouse is password protected and cannot be modified by anyone else. Change-Id: I28cf5ea07d1264befb3628fb38a372c7ce2b8552
AntonFriberg
force-pushed
the
allow-secure-setup
branch
from
c86effa to
3509f0c
Compare
If user configures secure tcp port it would be best to check connection using the secure port. Also communicate with the database on the secure connection to make sure it works. Change-Id: I8efe34b5279d63438a290e9a3919d5afbef01800
Add security hardening documentation. Provides the ability to enforce better security practices for network encryption and secret/credential based access for zookeeper, data replication and distributed queries. Change-Id: I5dc416ee5c48123af27cf405adf7a877aa2e6204
AntonFriberg
force-pushed
the
allow-secure-setup
branch
from
3509f0c to
093476d
Compare
|
@AntonFriberg Is it finished? Can I review it? |
|
Yes, please do! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Provides the ability to set up ClickHouse according to normal security hardening recommendations.
It provides
It is important to note though that this is a bit opinionated in a couple of ways. First, it will not configure normal HTTP or TCP (in
config.d/config.xml) if HTTPS and secure TCP are configured. However, I do not go in and remove the default http_port and tcp_port configuration in the globalconfig.xmlwhich means that the default HTTP and TCP ports will still be exposed due to how the configuration is applied (on top of the default configuration). However, for internal replication, we need to go in and remove the default string from the global config simply because this will conflict with the internal_https configuration.In my own deployment, I go even further and remove the normal HTTP and TCP configuration from the global
config.xml. Perhaps that would be nice to include as well? It depends on what you would like and what the users would expect.