diff --git a/docker/clickhouse/users-dev.xml b/docker/clickhouse/users-dev.xml
index ed8089e479eea..dd6e54d7c5de3 100644
--- a/docker/clickhouse/users-dev.xml
+++ b/docker/clickhouse/users-dev.xml
@@ -15,8 +15,7 @@
with minimum number of different symbols between replica's hostname and local hostname
(Hamming distance).
in_order - first live replica is chosen in specified order.
- first_or_random - if first replica one has higher number of errors, pick a random one from replicas
- with minimum number of errors.
+ first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-->
random
@@ -24,8 +23,6 @@
50
- 0
-
@@ -48,39 +45,30 @@
Password could be empty.
If you want to specify SHA256, place it in 'password_sha256_hex' element.
- Example:
- 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5
- Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July
- 2019).
+ Example: 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5
+ Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
- Example:
- e395796d6546b1b65db9d665cd43f0e858dd4303
+ Example: e395796d6546b1b65db9d665cd43f0e858dd4303
- If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for
- authentication,
+ If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
place its name in 'server' element inside 'ldap' element.
Example: my_ldap_server
- If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in
- the main config),
+ If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
place 'kerberos' element instead of 'password' (and similar) elements.
- The name part of the canonical principal name of the initiator must match the user name for
- authentication to succeed.
- You can also place 'realm' element inside 'kerberos' element to further restrict authentication to
- only those requests
+ The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+ You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
whose initiator's realm matches it.
Example:
Example: EXAMPLE.COM
How to generate decent password:
- Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" |
- sha256sum | tr -d '-'
+ Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
In first line will be password and in second - corresponding SHA256.
How to generate double SHA1:
- Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" |
- sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+ Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
In first line will be password and in second - corresponding double SHA1.
-->
@@ -101,8 +89,7 @@
To check access, DNS query is performed, and all received addresses compared to peer address.
Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
To check access, DNS PTR query is performed for peer address and then regexp is applied.
- Then, for result of PTR query, another DNS query is performed and all received addresses compared
- to peer address.
+ Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
Strongly recommended that regexp is ends with $
All results of DNS requests are cached till server restart.
-->
@@ -139,4 +126,4 @@
-
\ No newline at end of file
+
diff --git a/docker/clickhouse/users.xml b/docker/clickhouse/users.xml
index d9be644f1869e..49ac9f73e0de5 100644
--- a/docker/clickhouse/users.xml
+++ b/docker/clickhouse/users.xml
@@ -15,15 +15,12 @@
with minimum number of different symbols between replica's hostname and local hostname
(Hamming distance).
in_order - first live replica is chosen in specified order.
- first_or_random - if first replica one has higher number of errors, pick a random one from replicas
- with minimum number of errors.
+ first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-->
random
1
- 0
-
@@ -46,39 +43,30 @@
Password could be empty.
If you want to specify SHA256, place it in 'password_sha256_hex' element.
- Example:
- 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5
- Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July
- 2019).
+ Example: 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5
+ Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
- Example:
- e395796d6546b1b65db9d665cd43f0e858dd4303
+ Example: e395796d6546b1b65db9d665cd43f0e858dd4303
- If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for
- authentication,
+ If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
place its name in 'server' element inside 'ldap' element.
Example: my_ldap_server
- If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in
- the main config),
+ If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
place 'kerberos' element instead of 'password' (and similar) elements.
- The name part of the canonical principal name of the initiator must match the user name for
- authentication to succeed.
- You can also place 'realm' element inside 'kerberos' element to further restrict authentication to
- only those requests
+ The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+ You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
whose initiator's realm matches it.
Example:
Example: EXAMPLE.COM
How to generate decent password:
- Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" |
- sha256sum | tr -d '-'
+ Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
In first line will be password and in second - corresponding SHA256.
How to generate double SHA1:
- Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" |
- sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+ Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
In first line will be password and in second - corresponding double SHA1.
-->
@@ -99,8 +87,7 @@
To check access, DNS query is performed, and all received addresses compared to peer address.
Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
To check access, DNS PTR query is performed for peer address and then regexp is applied.
- Then, for result of PTR query, another DNS query is performed and all received addresses compared
- to peer address.
+ Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
Strongly recommended that regexp is ends with $
All results of DNS requests are cached till server restart.
-->
@@ -137,4 +124,4 @@
-
\ No newline at end of file
+