New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
password of default user is not propagated to shards #265
Comments
Good catch, @ralfbecher. The common practice is to keep default user with no password BUT limited to cluster nodes only and only used for inter-cluster communication. This is how operator deploys default configuration. I agree that operator should automatically propagate password to remote_servers, but it creates a extra security vulnerability, since password in remote_servers can not be masked/hashed, unlike user definition. Probably we should forbid changing default user password and network settings at all. |
Then you could add the functionality of hashed password to remote_servers... |
@ralfbecher , unfortunately, ClickHouse needs a real password in order to connect to other servers, hashed password can not work. So either we tolerate plain passwords in remote_servers, or do not need any passwords here at all and rely on network security. |
Hello, everyone. There is little workaround for this problem - you can use networks access list to avoid password.
|
ClickHouse/ClickHouse#13156 added
|
Hi,
when creating a cluster where the password of default user is set in the manifest, it will not be propagated to remote_servers.xml. This leads to errors using umbrella tables:
From this example: https://github.com/Altinity/clickhouse-operator/blob/master/docs/replication_setup.md
Code: 194, e.displayText() = DB::Exception: Received from chi-test-cho-with-shards-simple-1-0:9000. DB::Exception: Password required for user default. (version 20.1.4.14 (official build))
This is my manifest file:
I think I could insert user/password manually but am applied change in manifest will remove it again.
The text was updated successfully, but these errors were encountered: