
Dictionary password handling issue on cluster rescale #1603

Open
realyota opened this issue Dec 23, 2024 · 1 comment

realyota (Contributor) commented Dec 23, 2024

Description

In ClickHouse Operator version 0.24.2, after adding shards or replicas (rescaling), the dictionaries created in the cluster have their password field replaced with the `[HIDDEN]` string. This behavior results in authentication errors when the dictionary relies on specific credentials, disrupting its functionality.

Steps to reproduce

YAML file:

```yaml
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "simple"
spec:
  configuration:
    clusters:
      - name: "test"
        layout:
          shardsCount: 1
          replicasCount: 1
```

Create DDL:

```sql
CREATE USER test IDENTIFIED WITH plaintext_password BY 'test';

CREATE TABLE default.dates
(
    `id` UInt64,
    `date` Date
)
ENGINE = MergeTree
ORDER BY id
SETTINGS index_granularity = 8192;

CREATE DICTIONARY default.dates_dict
(
    `id` UInt64,
    `date` DATE
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'dates' USER 'test' PASSWORD 'test'))
LIFETIME(MIN 0 MAX 43200)
LAYOUT(COMPLEX_KEY_HASHED)
```

Increase the shard/replica count in the YAML file and apply it. The new nodes will have created SQL dictionary files with the following content:

```sql
-- cat /var/lib/clickhouse/metadata/default/dates_dict.sql
CREATE DICTIONARY default.dates_dict
(
    `id` UInt64,
    `date` DATE
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'dates' USER 'test' PASSWORD '[HIDDEN]')) -- this is wrong
LIFETIME(MIN 0 MAX 43200)
LAYOUT(COMPLEX_KEY_HASHED)
```

Probably the same will happen to named collections.

Proposed workaround

The `clickhouse_operator` user needs to have by default:

- `show_named_collections_secrets`
- `format_display_secrets_in_show_and_select`

Also, the server setting needs to be enabled by default:

- `display_secrets_in_show_and_select`

Should be fine from the security side: only users with `format_display_secrets_in_show_and_select` enabled will see passwords in SHOW statements.
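A small check for the failure mode described above, added here as an example and not part of the clickhouse-operator code base: it scans ClickHouse DDL text (the `metadata/*.sql` files on a pod, or the output of `SHOW CREATE`) for string literals that consist only of the `[HIDDEN]` mask, so a rescale can be verified before dictionaries start failing authentication. It also recognises `CREATE NAMED COLLECTION` statements, which the issue only suspects are affected; that sample, the `dates_creds` name and the `scan_metadata_dir` helper are constructed for illustration.

```python
import re
from pathlib import Path

# ClickHouse substitutes this token for secret literals when the requesting
# user lacks format_display_secrets_in_show_and_select. A stored DDL file that
# still contains it can never authenticate against the source.
MASK_TOKEN = "[HIDDEN]"

# Header of a CREATE/ATTACH statement: captures the object kind and its
# (optionally back-quoted, optionally database-qualified) name.
OBJECT_RE = re.compile(
    r"^\s*(?:CREATE|ATTACH)\s+(DICTIONARY|NAMED\s+COLLECTION|TABLE)\s+"
    r"(?:IF\s+NOT\s+EXISTS\s+)?(`?\w+`?(?:\.`?\w+`?)?)",
    re.IGNORECASE | re.MULTILINE,
)

# A single-quoted literal whose entire value is the mask, e.g. PASSWORD '[HIDDEN]'.
MASKED_LITERAL_RE = re.compile(r"'" + re.escape(MASK_TOKEN) + r"'")


def find_masked_secrets(ddl: str) -> list[dict]:
    """Return one finding per masked literal in a single DDL text: the kind
    and name of the object it belongs to and the 1-based line of the mask."""
    header = OBJECT_RE.search(ddl)
    kind = re.sub(r"\s+", " ", header.group(1).upper()) if header else "UNKNOWN"
    name = header.group(2).replace("`", "") if header else "?"
    return [
        {"kind": kind, "name": name, "line": ddl.count("\n", 0, m.start()) + 1}
        for m in MASKED_LITERAL_RE.finditer(ddl)
    ]


def scan_metadata_dir(root: Path) -> dict[str, list[dict]]:
    """Walk a ClickHouse metadata directory (e.g. /var/lib/clickhouse/metadata)
    and map each .sql file that contains a masked secret to its findings.
    Hypothetical helper for running the check on a pod."""
    report: dict[str, list[dict]] = {}
    for path in sorted(root.rglob("*.sql")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = find_masked_secrets(text)
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples: the dictionary from the issue as the source node stores it ...
HEALTHY_DDL = """CREATE DICTIONARY default.dates_dict
(
    `id` UInt64,
    `date` DATE
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'dates' USER 'test' PASSWORD 'test'))
LIFETIME(MIN 0 MAX 43200)
LAYOUT(COMPLEX_KEY_HASHED)
"""

# ... as it lands on a freshly added replica (only the password changes) ...
MASKED_DDL = HEALTHY_DDL.replace("PASSWORD 'test'", "PASSWORD '[HIDDEN]'")

# ... and a hypothetical named collection copied the same way.
MASKED_COLLECTION_DDL = (
    "CREATE NAMED COLLECTION dates_creds AS\n"
    "    user = 'test',\n"
    "    password = '[HIDDEN]'\n"
)

if __name__ == "__main__":
    for label, ddl in (
        ("source node", HEALTHY_DDL),
        ("new replica", MASKED_DDL),
        ("named collection", MASKED_COLLECTION_DDL),
    ):
        print(f"{label}: {find_masked_secrets(ddl)}")
```

Run it against a copy of a new replica's `metadata` directory with `scan_metadata_dir(Path("metadata"))`; an empty report means every secret survived the copy, while any finding names the object whose source credentials must be recreated.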

realyota (Contributor, Author) commented Dec 23, 2024

Current W/A:

The setting `display_secrets_in_show_and_select` was added in 23.5, so this applies only to 23.5+:

```yaml
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "simple"
spec:
  configuration:
    settings:
      display_secrets_in_show_and_select: 1
    users:
      # The ClickHouse setting name is plural ("secrets"), matching the
      # setting named in the issue description.
      clickhouse_operator/format_display_secrets_in_show_and_select: 1
```
....
