You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In ClickHouse Operator version 0.24.2, after adding shards or replicas (rescaling), the dictionaries created in the cluster have their password field replaced with [HIDDEN] string. This behavior results in authentication errors when the dictionary relies on specific credentials, disrupting its functionality.
CREATE USER test IDENTIFIED WITH plaintext_password BY 'test';
CREATE TABLE default.dates
(
`id` UInt64,
`date` Date
)
ENGINE = MergeTree
ORDER BY id
SETTINGS index_granularity = 8192;
CREATE DICTIONARY default.dates_dict
(
`id` UInt64,
`date` DATE
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'dates' USER 'test' PASSWORD 'test'))
LIFETIME(MIN 0 MAX 43200)
LAYOUT(COMPLEX_KEY_HASHED)
Increase shard/replica count in yaml file and apply it. New nodes will have created sql dictionary files with content:
-- cat /var/lib/clickhouse/metadata/default/dates_dict.sql
CREATE DICTIONARY default.dates_dict
(
`id` UInt64,
`date` DATE
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'dates' USER 'test' PASSWORD '[HIDDEN]')) -- this is wrong
LIFETIME(MIN 0 MAX 43200)
LAYOUT(COMPLEX_KEY_HASHED)
Probably same will happen to named collections.
Proposed workaround
clickhouse_operator user by default needs to have:
Description
In ClickHouse Operator version 0.24.2, after adding shards or replicas (rescaling), the dictionaries created in the cluster have their password field replaced with
[HIDDEN]
string. This behavior results in authentication errors when the dictionary relies on specific credentials, disrupting its functionality.Steps to reproduce
yaml file:
Create DDL:
Increase shard/replica count in yaml file and apply it. New nodes will have created sql dictionary files with content:
Probably same will happen to named collections.
Proposed workaround
clickhouse_operator
user by default needs to have:also, server setting needs to be enabled by default:
Should be fine from security side - only users with
format_display_secrets_in_show_and_select
enabled will see passwords in SHOW statements.The text was updated successfully, but these errors were encountered: