Update rbac.md #65

Merged: 1 commit, Jan 31, 2024
16 changes: 1 addition & 15 deletions content/en/altinity-kb-setup-and-maintenance/rbac.md
Expand Up @@ -70,13 +70,7 @@ As `default` is used for many internal and background operations, so it is not c

## replication user

The replication user is usually `default`. **There is no need to create this user unless you know what you're doing** because you need an specific user for replication. Ports 9009 and 9010(tls) provide low-level data access between servers.This ports should not be accessible from untrusted networks. You can specify credentials for authenthication between replicas. This is required when `interserver_https_port` is accessible from untrusted networks. You can do so creating a user with the `default` profile:

```sql
CREATE USER replication IDENTIFIED WITH sha256_password BY 'password' SETTINGS PROFILE 'default'
```

After this assign this user to the interserver credentials:
The replication user is defined by `interserver_http_credential` tag. **If this tag is ommited then authentication is not used during replication.** Ports 9009 and 9010(tls) provide low-level data access between servers. This ports should not be accessible from untrusted networks. You can specify credentials for authenthication between replicas. This is required when `interserver_https_port` is accessible from untrusted networks. You can do so by defining user and password to the interserver credentials. Then replication protocol will use basic access authentication when connecting by HTTP/HTTPS to other replicas:

```xml
<interserver_http_credentials>
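Review bot: the added paragraph names the tag `interserver_http_credential` (singular), while the XML example directly below it uses `<interserver_http_credentials>`; use the plural in the sentence so the prose and the example agree. The same added line also needs "ommited" -> "omitted", "authenthication" -> "authentication" and "This ports" -> "These ports". It also says ports 9009/9010 should not be reachable from untrusted networks and then that credentials are required when `interserver_https_port` is reachable from them; state plainly that network restriction is the recommendation and credentials are the additional control, and keep the bolded "authentication is not used" sentence next to that so the unauthenticated default is not missed.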
Expand All @@ -85,14 +79,6 @@ After this assign this user to the interserver credentials:
</interserver_http_credentials>
```

We also can use sha256 passwords like this:

```xml
<password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
```

When the `CREATE USER` query is executed in the `clickhouse-client` it will echo the `sha256` digest to copy it wherever you need

## Create users and roles

Now we can setup users/roles using a generic best-practice approach for RBAC from other databases, like using roles, granting permissions to roles, creating users for different applications, etc...
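Review bot: the removed `password_sha256_hex` example and the `CREATE USER` echo sentence are dropped with no replacement text, so after this change the section no longer says whether a hashed password can be used inside `interserver_http_credentials`. If it cannot, add one sentence saying so, otherwise readers may carry the `password_sha256_hex` pattern over from user definitions. The removed example also carried a literal digest; worth confirming it was a sample value and not one in use anywhere.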