
Commit

Update rbac.md
replication user section update
realyota authored Jan 31, 2024
1 parent 1b0a47d commit 4d9c3d1
Showing 1 changed file with 1 addition and 15 deletions.
16 changes: 1 addition & 15 deletions content/en/altinity-kb-setup-and-maintenance/rbac.md
Expand Up @@ -70,13 +70,7 @@ As `default` is used for many internal and background operations, so it is not c

## replication user

The replication user is usually `default`. **There is no need to create this user unless you know what you're doing** because you need an specific user for replication. Ports 9009 and 9010(tls) provide low-level data access between servers.This ports should not be accessible from untrusted networks. You can specify credentials for authenthication between replicas. This is required when `interserver_https_port` is accessible from untrusted networks. You can do so creating a user with the `default` profile:

```sql
CREATE USER replication IDENTIFIED WITH sha256_password BY 'password' SETTINGS PROFILE 'default'
```

After this assign this user to the interserver credentials:
The replication user is defined by `interserver_http_credential` tag. **If this tag is ommited then authentication is not used during replication.** Ports 9009 and 9010(tls) provide low-level data access between servers. This ports should not be accessible from untrusted networks. You can specify credentials for authenthication between replicas. This is required when `interserver_https_port` is accessible from untrusted networks. You can do so by defining user and password to the interserver credentials. Then replication protocol will use basic access authentication when connecting by HTTP/HTTPS to other replicas:

```xml
<interserver_http_credentials>
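Review bot: The added paragraph names the tag `interserver_http_credential`, but the XML block right after it uses `<interserver_http_credentials>`; use the plural form in the prose so a reader who copies the name from the sentence gets a working config. In the same added line, fix "ommited" (omitted), "authenthication" (authentication) and "This ports" (These ports). The text it replaces told readers to run `CREATE USER replication ...` first, so state explicitly whether the user named in the interserver credentials has to exist as a database user. Since the new sentence says basic access authentication is used over HTTP/HTTPS, it is also worth noting that over plain HTTP on 9009 the credentials are only base64-encoded, which makes the TLS port the one to use whenever the network is not fully trusted.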
Expand All @@ -85,14 +79,6 @@ After this assign this user to the interserver credentials:
</interserver_http_credentials>
```

We also can use sha256 passwords like this:

```xml
<password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
```

When the `CREATE USER` query is executed in the `clickhouse-client` it will echo the `sha256` digest to copy it wherever you need

## Create users and roles

Now we can setup users/roles using a generic best-practice approach for RBAC from other databases, like using roles, granting permissions to roles, creating users for different applications, etc...
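Review bot: With the `password_sha256_hex` example and the `CREATE USER` digest sentence deleted, the section no longer says whether a hashed password is accepted inside `interserver_http_credentials`, and neither the commit message nor the new text explains why the option went away. If it was removed because only a cleartext `password` is supported there, say so in one sentence, and add a reminder to restrict read access to the config file that holds it; otherwise readers of the earlier revision will keep trying the hashed form.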