ClickHouse Security Hardening
Authentication and Encryption
The authentication system of ClickHouse is as follows:
- The normal mode does not require authentication. You can use the built-in default user to log in to the system without authentication.
- In security mode, the client's kinit authentication uses SASL. The implementation principle is as follows:
- The client in security mode is compatible with the community version. Kerberos authentication is performed only on the server.
- ClickHouse supports permission management for the following objects (resource: permission):
  - Database: CREATE
  - Table/View: SELECT/INSERT
  - Admin: ALL
ClickHouse does not support disabling security authentication on a cluster in security mode.
Encrypted Channel
ClickHouse enhances usability based on the open-source community version. By default, clusters in security mode use TCP and HTTP channels encrypted by OpenSSL.
Security Hardening
- Encoding rules
Description: The same encoding mode is used on the web service client and server to prevent garbled characters and to implement input verification.
Security hardening: Response messages of web servers are encoded using UTF-8.
- IP address whitelist filtering supported for management users
Description: IP address whitelist filtering is used to prevent unauthorized clients from logging in to the system.
Security hardening: External nodes are not allowed to access the ClickHouse client as a management user.
- URL injection attack
Description: The data migration UI is customized to prevent URL injection attacks.
Security hardening: URL and path validity checks are implemented.
- SQL injection attack
Description: ClickHouse prevents SQL injection attacks.
Security hardening: SQL statements are precompiled.
- Log injection attack
Description: Log injection must be prevented to avoid security information leakage.
Security hardening: Privacy information is encrypted to prevent sensitive stack information from being recorded in logs.
- DDoS attack
Description: ClickHouse prevents service interruption or exceptions caused by DDoS attacks.
Security hardening: The maximum number of connections is configurable; the default value is 4096.
- Anti-repudiation
Description: Audit logs are recorded.
Security hardening: DDL operations such as write, permission granting and revoking, and data migration are audited.
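The following is an added example, not taken from this page or from the product's own configuration: an upstream ClickHouse server configuration fragment showing the settings that correspond to the encrypted channel, connection limit, audit log and management-user IP whitelist items described above. The certificate paths, the 10.0.0.0/8 range and the password hash are assumed placeholder values.

```xml
<!-- /etc/clickhouse-server/config.d/hardening.xml (assumed path) -->
<clickhouse>
    <!-- Encrypted channel: listen only on TLS ports. The plaintext
         tcp_port (9000) and http_port (8123) are deliberately left out. -->
    <tcp_port_secure>9440</tcp_port_secure>
    <https_port>8443</https_port>
    <openSSL>
        <server>
            <!-- Placeholder paths; use the cluster's own certificate and key. -->
            <certificateFile>/etc/clickhouse-server/server.crt</certificateFile>
            <privateKeyFile>/etc/clickhouse-server/server.key</privateKeyFile>
            <loadDefaultCAFile>true</loadDefaultCAFile>
            <verificationMode>none</verificationMode>
        </server>
    </openSSL>

    <!-- Connection cap against resource exhaustion; 4096 is the default named above. -->
    <max_connections>4096</max_connections>

    <!-- Keep the query log so DDL, grants/revokes and writes leave an audit trail. -->
    <query_log>
        <database>system</database>
        <table>query_log</table>
        <flush_interval_milliseconds>7500</flush_interval_milliseconds>
    </query_log>
</clickhouse>

<!-- /etc/clickhouse-server/users.d/admin.xml (assumed path) -->
<clickhouse>
    <users>
        <!-- Management user reachable only from the internal range;
             a login attempt from any other address is rejected by the server. -->
        <admin>
            <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
            <networks>
                <ip>10.0.0.0/8</ip>
            </networks>
            <access_management>1</access_management>
        </admin>
    </users>
</clickhouse>
```

After a restart, `SELECT name, networks FROM system.users` shows the whitelist in effect, and `system.query_log` records the audited operations.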