SlideShare a Scribd company logo

ClickHouse Defense Against the Dark Arts - Intro to Security and Privacy

Altinity Ltd
Altinity Ltd

Presentation slide for Altinity webcast held on January 27, 2021.

Software
1 of 43
Download to read offline
ClickHouse Defense Against the Dark Arts Intro to Security and Privacy Altinity Engineering Team 1
Presenter Bios and Altinity Introduction The #1 enterprise ClickHouse provider. Now offering Altinity.Cloud Major committer and community sponsor for ClickHouse in US/EU Robert Hodges - Altinity CEO 30+ years on DBMS plus virtualization and security. ClickHouse is DBMS #20 Alexander Zaitsev - Altinity CTO Altinity founder with decades of expertise on petabyte-scale analytic systems
Altinity contributions on security and privacy ● Completed work ○ Log query masking (implementation and testing) ○ AES encryption functions (implementation and testing) ○ RBAC (testing) ○ LDAP user authentication (implementation and testing) ○ LDAP role mapping (implementation and testing) ● In-flight work ○ Server-side Kerberos support (implementation and testing) ○ BoringSSL encryption (testing) ○ Lightweight DELETE/UPDATE (implementation and testing) ○ Audit trail (implementation and testing) ● Roadmap ○ Trusted builds, FedRAMP/FIPS compliance, transparent data encryption 3
Introducing ClickHouse
Single binary Understands SQL Runs on bare metal to cloud Stores data in columns Parallel and vectorized execution Scales to many petabytes Is Open source (Apache 2.0) ClickHouse is an open source data warehouse ClickHouse Server a b c d And it’s really fast! ClickHouse Server a b c d ClickHouse Server a b c d ClickHouse Server a b c d
But...It’s not enough to be fast Security Privacy Protecting ClickHouse and data within it from internal and external attacks Building applications that comply with standards for protecting user data
Securing ClickHouse Servers
Topics for securing servers ● Setting up users ● Authorizing access to resources ● Encrypting in-flight communications ● Encrypting data at rest ● Preventing data leakage ● Securing your ClickHouse host 8
“Classic” user definition with XML 9 demo.xml <yandex> <users> <demo> … </demo> </users> </yandex> my_quota.xml <yandex> <quotas> <my_quota> … </my_quota> </quotas> </yandex> my profile.xml <yandex> <profiles> <my_profile> … </my_profile> </profiles> </yandex> DBMS user Config settings and resource limits Usage quotas /etc/clickhouse-server/users.d/
Defining a root user 10 <users> <root> <password_sha256_hex>2bb80...7a25b</password_sha256_hex> <networks> <ip>127.0.0.1</ip> </networks> <profile>default</profile> <quota>default</quota> <access_management>1</access_management> </root> </users> Localhost login only Can create users and grant rights with RBAC
Tips for defining users 11 Generating passwords -- don’t forget ‘-n’ echo -n "secret" | sha256sum | tr -d '-' Network masks: <networks> <ip>127.0.0.1</ip> <ip>192.168.128.1/24</ip> <host>logos2</host> <host_regexp>^logos[1234]$</host_regexp> </networks> Localhost only Allow from subnet Allow from host Allow from logos1, logos2, logos3, logos4
Wouldn’t this be better in SQL? 12 Yes! Here’s what you can do as of ClickHouse version 20.5 -- Create a read-only user that can only access default db. CREATE USER IF NOT EXISTS read_only IDENTIFIED WITH SHA256_PASSWORD BY 'secret' HOST IP '192.168.128.1/24' SETTINGS readonly=1; REVOKE ALL ON *.* FROM read_only; CREATE ROLE select_on_default; GRANT SELECT ON default.* TO select_on_default; GRANT select_on_default TO read_only;
RBAC grants/revokes are very granular ● Tables: CREATE, INSERT, ALTER, DELETE, SELECT, TRUNCATE, OPTIMIZE, DROP... ● Database: CREATE, DROP, SHOW ● Access management: USER, ROLE, POLICY, ROW POLICY, QUOTA, PROFILE, ... ● SYSTEM commands: SHUTDOWN, DROP CACHE, RELOAD, ... 13
What happens when you create a user? 14 CREATE USER IF NOT EXISTS readonly IDENTIFIED WITH SHA256_PASSWORD BY 'secret' HOST IP '192.168.128.1/24' SETTINGS readonly=1; 14 ClickHouse Server ATTACH USER read_only IDENTIFIED WITH sha256_hash BY '2BB80...7A25B' HOST IP '192.168.128.0/24' SETTINGS readonly = 1; /var/lib/clickhouse/access/ 5b49c973-124c-4cae-f1e8-14e0644abe91.sql
LDAP authentication is available since 20.8 15 CREATE USER IF NOT EXISTS ldap_user IDENTIFIED WITH ldap_server BY 'ldap_local' HOST ANY LDAP server name in config.xml Note: keyword will change to ‘ldap’ when Kerberos support is added
LDAP authentication flow 16 ClickHouse Server 16 LDAP Server config.xml <yandex> <ldap_servers> <ldap_local> <host>ldap-01</host> … </ldap_local> ... uid=ldap_user,ou=user s,dc=example,dc=com => userPassword: secret clickhouse-client --user=ldap_user --password=secret
In-flight connections: attack surfaces 17 ClickHouse Server :8123 :8443 :9000 :9440 :9004 :9009 :9010 :9005 :9011 :9100 Encrypted Non-encrypted HTTP Client Native TCP Client MySQL Client PostgreSQL Client :9363 Native Client via PROXYv1 gRPC Client Prometheus Metrics Exporter ClickHouse Server (Fetching parts for replication) Disabled by default
Steps to protect in-flight connections 1. Turn off all unused ports 2. Enable TLS encryption for native TCP and HTTP clients ○ Disable unencrypted ports 3. For clusters: ○ Switch to TLS on interserver communications ○ Define user for remote calls 18
Turning off unused ports 19 19 ... <mysql_port>9004</mysql_port> ... <interserver_http_port>9009</interserver_http_port> /etc/clickhouse-server/config.xml ... <!-- <mysql_port>9004</mysql_port> --> ... <!-- <interserver_http_port>9009</interserver_http_port> -->
Enabling TLS client connections 20 20 <!-- <http_port>8123</http_port> --> <!-- <tcp_port>9000</tcp_port> --> ... <https_port>8443</https_port> <tcp_port_secure>9440</tcp_port_secure> ... <openSSL> <server> <certificateFile>/etc/clickhouse-server/server.crt</certificateFile> <privateKeyFile>/etc/clickhouse-server/server.key</privateKeyFile> <dhParamsFile>/etc/clickhouse-server/dhparam.pem</dhParamsFile> ... /etc/clickhouse-server/config.xml
Options for ClickHouse server certificates 21 21 Certificate from a public CA like Let’s Encrypt Certificate from your own internal CA Self-signed certificate Ideal for external services or services with clients you don’t control Ideal for internal services where you control the clients and their operating environment Useful for testing. Never use this approach for real data. For more information: https://altinity.com/blog/2019/3/5/clickhouse-networking-part-2
Tips and gotchas for TLS encryption 1. Connection credentials are transmitted in the clear unless you enable TLS! 2. Certificates from non-public CAs require different steps for each app type export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/my.root.ca.pem node my-tls-enabled-client.js 3. Internal root CAs require proper security hygiene to maintain 4. Check ports to make sure you enabled/disabled correctly sudo netstat -lntp |grep clickhouse tcp6 0 0 :::8443 :::* LISTEN 7768/clickhouse-ser tcp6 0 0 :::9440 :::* LISTEN 7768/clickhouse-ser tcp6 0 0 :::9010 :::* LISTEN 7768/clickhouse-ser 22
23 Encrypting ClickHouse cluster traffic 23 ClickHouse logos1 :9440 :9010 ClickHouse logos2 :9440 :9010 ClickHouse logos2 :9440 :9010 ClickHouse logos4 :9440 :9010
Create a user for distributed queries 24 CREATE USER IF NOT EXISTS internal ON CLUSTER 'my_cluster' IDENTIFIED WITH NO_PASSWORD HOST REGEXP '^logos[1234]$' Network mask restricts user to within cluster
Enable TLS for interserver replication 25 25 <yandex> <!-- <interserver_http_port>9009</interserver_http_port> --> <interserver_https_port>9010</interserver_https_port> --> ... <interserver_http_credentials> <user>internal</user> <password></password> </interserver_http_credentials> /etc/clickhouse-server/config.xml Secure interserver port Enable interserver auth
TLS connections for distributed queries 26 26 <yandex> <remote_servers> <my_cluster> <shard> <internal_replication>true</internal_replication> <replica> <host>logos1</host> <port>9440</port> <secure>1</secure> <user>internal</port> </replica> ... </shard> /etc/clickhouse-server/config.d/remote_servers.xml Secure port and TLS User with no password
New in ClickHouse 20.10+ (preferred way) 27 27 <yandex> <remote_servers> <my_cluster> <shard> <secret>shared secret text</secret> <internal_replication>true</internal_replication> <replica> <host>logos1</host> <port>9440</port> <secure>1</secure> </replica> ... </shard> /etc/clickhouse-server/config.d/remote_servers.xml Secure port and TLS (as before) Use initial user across servers; authenticate with secret (https://github.com/ClickHouse/ClickHouse/pull/13156)
Encryption at-rest, option 1: file system File system encryption is the simplest path to global at-rest encryption. Some of our favorite options: 1. LUKS (Linux Unified Key Setup) -- Encrypt local volume using DMCrypt 2. Cloud block storage encryption -- Use public cloud automatic encryption a. Example: Amazon EBS encryption 3. Kubernetes storage provider encryption -- Enable encryption in StorageClass if supported. a. Example: AWS EBS provider encrypted: “true” option 28
Encryption at-rest, option 2: AES functions Starting in 20.11 these can be used to protect data at level of individual columns. encrypt(mode, plaintext, key, [iv, aad]) decrypt(mode, ciphertext, key, [iv, aad]) aes_encrypt_mysql(mode, plaintext, key, [iv])* aes_decrypt_mysql(mode, ciphertext, key, [iv])* Key management is responsibility of applications (for now) *Compatible with MySQL AES functions 29
Examples of AES functions in use WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT hex(encrypt('aes-128-cbc', 'Hello world', key)) AS encrypted ┌─encrypted────────────────────────┐ │ 46924AC12F4915F2EEF3170B81A1167E │ └──────────────────────────────────┘ WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT decrypt('aes-128-cbc', unhex('46924AC12F4915F2EEF3170B81A1167E'), key) AS plaintext ┌─plaintext───┐ │ Hello world │ └─────────────┘ 30 Important pro tip: test performance!!!
Avoiding data leakage with query masking ClickHouse log entry for our query examples: 2021.01.26 19:11:23.526691 [ 1652 ] {4e196dfa-dd65-4cba-983b-d6bb2c3df7c8} <Debug> executeQuery: (from [::ffff:127.0.0.1]:54536, using production parser) WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT decrypt(???), key) AS plaintext 31 Sensitive arguments are gone!!! Hey, that’s an AES key!
How to make queries “disappear” from logs 32 <query_masking_rules> <rule> <name>hide encrypt/decrypt arguments</name> <regexp> ((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)s*(s*(?:'(?: '|.)+'|.*?)s*) </regexp> <!-- or more secure, but also more invasive: (aes_w+)s*(.*) --> <replace>1(???)</replace> </rule> </query_masking_rules> /etc/clickhouse-server/config.xml
Final tips: host-level security 1. ClickHouse runs as clickhouse user (root access not required) 2. Protect directories containing data and credentials a. /etc/clickhouse-server -- Credentials b. /var/lib/clickhouse -- Data and (new!) credentials c. /var/log/clickhouse-server -- Logs, SQL queries may be exposed 3. Protect the network around ClickHouse a. Load balancers, firewalls b. Make server network non-routable to outsiders as far as possible 33
Building Privacy-aware Applications
Multi-tenancy models 35 Model How it works Shared resources Dedicated Installation Separate ClickHouse per tenant Network? Dedicated Cluster Set of shards and replicas per tenant ZooKeeper, configuration files, network Dedicated Databases Separate database per tenant ZooKeeper, ClickHouse hosts, configuration, network Dedicated Tables Separate table(s) per tenant ZooKeeper, ClickHouse hosts, configuration, network Shared Tables Tenant data inhabits shared tables. Each row has a tenant key ZooKeeper, ClickHouse hosts, tables, configuration, network
Restricting user access in shared clusters Using configuration in users.xml: 36 <yandex> <users> <demo> <allow_databases> <database>demo</database> </allow_databases> </demo> </users> GRANT SELECT ON demo.* TO demo GRANT SELECT ON customers.demo2_table TO demo2 Using RBAC: Restrict access to DB Restrict access to a table
Row-level access control Using configuration in users.xml: 37 <yandex> <users> <demo> <databases> <default> <my_table> <filter>user_id='demo'</filter> </my_table> </default> </databases> </demo> </users> CREATE ROW POLICY filter ON default.my_table FOR SELECT USING user_id='demo' TO demo Using RBAC: Restrict access to rows
DELETE tenant data efficiently Efficient if partition is dropped fully ALTER TABLE DROP PARTITION ● Database or table per tenant -- easy to drop, but does not scale well beyond dozens or low hundreds ● Partition per tenant -- easy to drop, scales to 1000s, row-level security required ● All shared -- expensive to drop (ALTER TABLE DELETE), scales well ○ ALTER TABLE DELETE IN PARTITION-- available in 20.12 ○ Lightweight DELETEs in 2021 roadmap 38
Data retention options CREATE TABLE ( ... ) Engine = MergeTree ... ● TTL DELETE toStartOfMonth(date) + interval 1 month -- efficient with monthly partitioning ● TTL DELETE date + ttl_days_to_keep -- efficient with daily partitioning ● TTL DELETE date + dictGet(‘tenant_ttl’, ‘ttl_days’, tenant_id) -- configure externally ● TTL DELETE WHERE -- arbitrary expression ● ttl_only_drop_parts=1 (default 0) -- make sure no expensive operations ● Column TTLs: customer_id UUID TTL date + interval 1 month 39
Other things to consider in app design ● System.query_log, system.text_log, system.processes access ● Encrypting sensitive data with AES functions ○ “Losing” keys as a way of deleting data ● Constraints on settings: ○ https://clickhouse.tech/docs/en/operations/settings/constraints-on-settings/ ● Secrets management ○ Currently an application responsibility ○ In roadmap (“Transparent data encryption”) 40
Wrap-Up
Summary ● ClickHouse security advanced rapidly in 2020 ○ RBAC, LDAP authentication, AES encryption ● Rich feature set to secure data in-flight and at-rest ● Privacy is a property of application design ● Major improvements on tap in 2021 ○ Already merged: BoringSSL for TLS, LDAP role mapping ○ In progress: Kerberos, lightweight DELETE/UPDATE 42
Thank you! Contact us to discuss ClickHouse security needs ClickHouse: https://github.com/ClickHouse/ ClickHouse Altinity Blog: https://altinity.com/blog Contact: info@altinity.com 43

Recommended

All about Zookeeper and ClickHouse Keeper.pdf
All about Zookeeper and ClickHouse Keeper.pdfAll about Zookeeper and ClickHouse Keeper.pdf
All about Zookeeper and ClickHouse Keeper.pdfAltinity Ltd
 
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOAltinity Ltd
 
ClickHouse Materialized Views: The Magic Continues
ClickHouse Materialized Views: The Magic ContinuesClickHouse Materialized Views: The Magic Continues
ClickHouse Materialized Views: The Magic ContinuesAltinity Ltd
 
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021Altinity Ltd
 
ClickHouse Keeper
ClickHouse KeeperClickHouse Keeper
ClickHouse KeeperAltinity Ltd
 
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEO
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEOTricks every ClickHouse designer should know, by Robert Hodges, Altinity CEO
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEOAltinity Ltd
 
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEO
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEOClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEO
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEOAltinity Ltd
 
Fast Insight from Fast Data: Integrating ClickHouse and Apache Kafka
Fast Insight from Fast Data: Integrating ClickHouse and Apache KafkaFast Insight from Fast Data: Integrating ClickHouse and Apache Kafka
Fast Insight from Fast Data: Integrating ClickHouse and Apache KafkaAltinity Ltd
 

Recommended

All about Zookeeper and ClickHouse Keeper.pdf
All about Zookeeper and ClickHouse Keeper.pdfAll about Zookeeper and ClickHouse Keeper.pdf
All about Zookeeper and ClickHouse Keeper.pdfAltinity Ltd
 
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOAltinity Ltd
 
ClickHouse Materialized Views: The Magic Continues
ClickHouse Materialized Views: The Magic ContinuesClickHouse Materialized Views: The Magic Continues
ClickHouse Materialized Views: The Magic ContinuesAltinity Ltd
 
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021
Building ClickHouse and Making Your First Contribution: A Tutorial_06.10.2021Altinity Ltd
 
ClickHouse Keeper
ClickHouse KeeperClickHouse Keeper
ClickHouse KeeperAltinity Ltd
 
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEO
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEOTricks every ClickHouse designer should know, by Robert Hodges, Altinity CEO
Tricks every ClickHouse designer should know, by Robert Hodges, Altinity CEOAltinity Ltd
 
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEO
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEOClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEO
ClickHouse tips and tricks. Webinar slides. By Robert Hodges, Altinity CEOAltinity Ltd
 
Fast Insight from Fast Data: Integrating ClickHouse and Apache Kafka
Fast Insight from Fast Data: Integrating ClickHouse and Apache KafkaFast Insight from Fast Data: Integrating ClickHouse and Apache Kafka
Fast Insight from Fast Data: Integrating ClickHouse and Apache KafkaAltinity Ltd
 
Adventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree EngineAdventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree EngineAltinity Ltd
 
ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...Altinity Ltd
 
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster PerformanceWebinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster PerformanceAltinity Ltd
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
 
A day in the life of a click house query
A day in the life of a click house queryA day in the life of a click house query
A day in the life of a click house queryCristinaMunteanu43
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
ProxySQL at Scale on AWS.pdf
ProxySQL at Scale on AWS.pdfProxySQL at Scale on AWS.pdf
ProxySQL at Scale on AWS.pdfAleksandr Kuzminsky
 
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareClickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareAltinity Ltd
 
ClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTOClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTOAltinity Ltd
 
ClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei MilovidovClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei MilovidovAltinity Ltd
 
Node.js middleware: Never again!
Node.js middleware: Never again!Node.js middleware: Never again!
Node.js middleware: Never again!Timur Shemsedinov
 
MySQL Timeout Variables Explained
MySQL Timeout Variables Explained MySQL Timeout Variables Explained
MySQL Timeout Variables Explained Mydbops
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comJean-François Gagné
 
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...Altinity Ltd
 
PostgreSQL Replication Tutorial
PostgreSQL Replication TutorialPostgreSQL Replication Tutorial
PostgreSQL Replication TutorialHans-Jürgen Schönig
 
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...Altinity Ltd
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceBrendan Gregg
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Altinity Ltd
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleColin Charles
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by stepDewa Ketut Setiawan
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 

More Related Content

What's hot

Adventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree EngineAdventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree EngineAltinity Ltd
 
ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...Altinity Ltd
 
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster PerformanceWebinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster PerformanceAltinity Ltd
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
 
A day in the life of a click house query
A day in the life of a click house queryA day in the life of a click house query
A day in the life of a click house queryCristinaMunteanu43
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareClickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareAltinity Ltd
 
ClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTOClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTOAltinity Ltd
 
ClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei MilovidovClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei MilovidovAltinity Ltd
 
Node.js middleware: Never again!
Node.js middleware: Never again!Node.js middleware: Never again!
Node.js middleware: Never again!Timur Shemsedinov
 
MySQL Timeout Variables Explained
MySQL Timeout Variables Explained MySQL Timeout Variables Explained
MySQL Timeout Variables Explained Mydbops
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comJean-François Gagné
 
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...Altinity Ltd
 
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...Altinity Ltd
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceBrendan Gregg
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Altinity Ltd
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleColin Charles
 

What's hot (20)

Adventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree EngineAdventures with the ClickHouse ReplacingMergeTree Engine
Adventures with the ClickHouse ReplacingMergeTree Engine
 
ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...ClickHouse materialized views - a secret weapon for high performance analytic...
ClickHouse materialized views - a secret weapon for high performance analytic...
 
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster PerformanceWebinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
Webinar: Strength in Numbers: Introduction to ClickHouse Cluster Performance
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
 
A day in the life of a click house query
A day in the life of a click house queryA day in the life of a click house query
A day in the life of a click house query
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in Action
 
ProxySQL at Scale on AWS.pdf
ProxySQL at Scale on AWS.pdfProxySQL at Scale on AWS.pdf
ProxySQL at Scale on AWS.pdf
 
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareClickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
 
ClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTOClickHouse Introduction by Alexander Zaitsev, Altinity CTO
ClickHouse Introduction by Alexander Zaitsev, Altinity CTO
 
ClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei MilovidovClickHouse Deep Dive, by Aleksei Milovidov
ClickHouse Deep Dive, by Aleksei Milovidov
 
Node.js middleware: Never again!
Node.js middleware: Never again!Node.js middleware: Never again!
Node.js middleware: Never again!
 
MySQL Timeout Variables Explained
MySQL Timeout Variables Explained MySQL Timeout Variables Explained
MySQL Timeout Variables Explained
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.com
 
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
 
PostgreSQL Replication Tutorial
PostgreSQL Replication TutorialPostgreSQL Replication Tutorial
PostgreSQL Replication Tutorial
 
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
Data warehouse on Kubernetes - gentle intro to Clickhouse Operator, by Robert...
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems Performance
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
 

Similar to ClickHouse Defense Against the Dark Arts - Intro to Security and Privacy

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinChiradeep Vittal
 
Scalable Socket Server by Aryo
Scalable Socket Server by AryoScalable Socket Server by Aryo
Scalable Socket Server by AryoAgate Studio
 
Zaragoza dev ops-activiti-khd-20181212
Zaragoza dev ops-activiti-khd-20181212Zaragoza dev ops-activiti-khd-20181212
Zaragoza dev ops-activiti-khd-20181212Angel Borroy López
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultOlinData
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]Krisman Tarigan
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...MongoDB
 
MySQL server security
MySQL server securityMySQL server security
MySQL server securityDamien Seguy
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
Решение Cisco Collaboration Edge
Решение Cisco Collaboration EdgeРешение Cisco Collaboration Edge
Решение Cisco Collaboration EdgeCisco Russia
 
Keep Them out of the Database
Keep Them out of the DatabaseKeep Them out of the Database
Keep Them out of the DatabaseMartin Berger
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 

Similar to ClickHouse Defense Against the Dark Arts - Intro to Security and Privacy (20)

Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austin
 
Scalable Socket Server by Aryo
Scalable Socket Server by AryoScalable Socket Server by Aryo
Scalable Socket Server by Aryo
 
Zaragoza dev ops-activiti-khd-20181212
Zaragoza dev ops-activiti-khd-20181212Zaragoza dev ops-activiti-khd-20181212
Zaragoza dev ops-activiti-khd-20181212
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 
Squid
SquidSquid
Squid
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Решение Cisco Collaboration Edge
Решение Cisco Collaboration EdgeРешение Cisco Collaboration Edge
Решение Cisco Collaboration Edge
 
Keep Them out of the Database
Keep Them out of the DatabaseKeep Them out of the Database
Keep Them out of the Database
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container Technology
 

More from Altinity Ltd

Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptx
Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptxBuilding an Analytic Extension to MySQL with ClickHouse and Open Source.pptx
Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptxAltinity Ltd
 
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...Altinity Ltd
 
Building an Analytic Extension to MySQL with ClickHouse and Open Source
Building an Analytic Extension to MySQL with ClickHouse and Open SourceBuilding an Analytic Extension to MySQL with ClickHouse and Open Source
Building an Analytic Extension to MySQL with ClickHouse and Open SourceAltinity Ltd
 
Fun with ClickHouse Window Functions-2021-08-19.pdf
Fun with ClickHouse Window Functions-2021-08-19.pdfFun with ClickHouse Window Functions-2021-08-19.pdf
Fun with ClickHouse Window Functions-2021-08-19.pdfAltinity Ltd
 
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdf
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdfCloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdf
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdfAltinity Ltd
 
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...Altinity Ltd
 
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...Altinity Ltd
 
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdf
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdfOwn your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdf
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdfAltinity Ltd
 
ClickHouse ReplacingMergeTree in Telecom Apps
ClickHouse ReplacingMergeTree in Telecom AppsClickHouse ReplacingMergeTree in Telecom Apps
ClickHouse ReplacingMergeTree in Telecom AppsAltinity Ltd
 
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotBuilding a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotAltinity Ltd
 
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Ltd
 
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...Altinity Ltd
 
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdf
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdfOSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdf
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdfAltinity Ltd
 
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...Altinity Ltd
 
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...Altinity Ltd
 
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...Altinity Ltd
 
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...Altinity Ltd
 
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...Altinity Ltd
 
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdf
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdfOSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdf
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdfAltinity Ltd
 
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...Altinity Ltd
 

More from Altinity Ltd (20)

Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptx
Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptxBuilding an Analytic Extension to MySQL with ClickHouse and Open Source.pptx
Building an Analytic Extension to MySQL with ClickHouse and Open Source.pptx
 
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...
Cloud Native ClickHouse at Scale--Using the Altinity Kubernetes Operator-2022...
 
Building an Analytic Extension to MySQL with ClickHouse and Open Source
Building an Analytic Extension to MySQL with ClickHouse and Open SourceBuilding an Analytic Extension to MySQL with ClickHouse and Open Source
Building an Analytic Extension to MySQL with ClickHouse and Open Source
 
Fun with ClickHouse Window Functions-2021-08-19.pdf
Fun with ClickHouse Window Functions-2021-08-19.pdfFun with ClickHouse Window Functions-2021-08-19.pdf
Fun with ClickHouse Window Functions-2021-08-19.pdf
 
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdf
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdfCloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdf
Cloud Native Data Warehouses - Intro to ClickHouse on Kubernetes-2021-07.pdf
 
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...
Building High Performance Apps with Altinity Stable Builds for ClickHouse | A...
 
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...
Application Monitoring using Open Source - VictoriaMetrics & Altinity ClickHo...
 
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdf
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdfOwn your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdf
Own your ClickHouse data with Altinity.Cloud Anywhere-2023-01-17.pdf
 
ClickHouse ReplacingMergeTree in Telecom Apps
ClickHouse ReplacingMergeTree in Telecom AppsClickHouse ReplacingMergeTree in Telecom Apps
ClickHouse ReplacingMergeTree in Telecom Apps
 
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotBuilding a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
 
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
 
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...
OSA Con 2022 - What Data Engineering Can Learn from Frontend Engineering - Pe...
 
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdf
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdfOSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdf
OSA Con 2022 - Welcome to OSA CON Version 2022 - Robert Hodges - Altinity.pdf
 
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
 
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...
OSA Con 2022 - Tips and Tricks to Keep Your Queries under 100ms with ClickHou...
 
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...
OSA Con 2022 - The Open Source Analytic Universe, Version 2022 - Robert Hodge...
 
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...
OSA Con 2022 - Switching Jaeger Distributed Tracing to ClickHouse to Enable A...
 
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...
OSA Con 2022 - Streaming Data Made Easy - Tim Spann & David Kjerrumgaard - St...
 
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdf
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdfOSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdf
OSA Con 2022 - State of Open Source Databases - Peter Zaitsev - Percona.pdf
 
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...
OSA Con 2022 - Specifics of data analysis in Time Series Databases - Roman Kh...
 

Recently uploaded

Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 

Recently uploaded (20)

Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 

ClickHouse Defense Against the Dark Arts - Intro to Security and Privacy

  • 1. ClickHouse Defense Against the Dark Arts Intro to Security and Privacy Altinity Engineering Team 1
  • 2. Presenter Bios and Altinity Introduction The #1 enterprise ClickHouse provider. Now offering Altinity.Cloud Major committer and community sponsor for ClickHouse in US/EU Robert Hodges - Altinity CEO 30+ years on DBMS plus virtualization and security. ClickHouse is DBMS #20 Alexander Zaitsev - Altinity CTO Altinity founder with decades of expertise on petabyte-scale analytic systems
  • 3. Altinity contributions on security and privacy ● Completed work ○ Log query masking (implementation and testing) ○ AES encryption functions (implementation and testing) ○ RBAC (testing) ○ LDAP user authentication (implementation and testing) ○ LDAP role mapping (implementation and testing) ● In-flight work ○ Server-side Kerberos support (implementation and testing) ○ BoringSSL encryption (testing) ○ Lightweight DELETE/UPDATE (implementation and testing) ○ Audit trail (implementation and testing) ● Roadmap ○ Trusted builds, FedRAMP/FIPS compliance, transparent data encryption 3
  • 5. Single binary Understands SQL Runs on bare metal to cloud Stores data in columns Parallel and vectorized execution Scales to many petabytes Is Open source (Apache 2.0) ClickHouse is an open source data warehouse ClickHouse Server a b c d And it’s really fast! ClickHouse Server a b c d ClickHouse Server a b c d ClickHouse Server a b c d
  • 6. But...It’s not enough to be fast Security Privacy Protecting ClickHouse and data within it from internal and external attacks Building applications that comply with standards for protecting user data
  • 8. Topics for securing servers ● Setting up users ● Authorizing access to resources ● Encrypting in-flight communications ● Encrypting data at rest ● Preventing data leakage ● Securing your ClickHouse host 8
  • 9. “Classic” user definition with XML 9 demo.xml <yandex> <users> <demo> … </demo> </users> </yandex> my_quota.xml <yandex> <quotas> <my_quota> … </my_quota> </quotas> </yandex> my profile.xml <yandex> <profiles> <my_profile> … </my_profile> </profiles> </yandex> DBMS user Config settings and resource limits Usage quotas /etc/clickhouse-server/users.d/
  • 10. Defining a root user 10 <users> <root> <password_sha256_hex>2bb80...7a25b</password_sha256_hex> <networks> <ip>127.0.0.1</ip> </networks> <profile>default</profile> <quota>default</quota> <access_management>1</access_management> </root> </users> Localhost login only Can create users and grant rights with RBAC
  • 11. Tips for defining users 11 Generating passwords -- don’t forget ‘-n’ echo -n "secret" | sha256sum | tr -d '-' Network masks: <networks> <ip>127.0.0.1</ip> <ip>192.168.128.1/24</ip> <host>logos2</host> <host_regexp>^logos[1234]$</host_regexp> </networks> Localhost only Allow from subnet Allow from host Allow from logos1, logos2, logos3, logos4
  • 12. Wouldn’t this be better in SQL? 12 Yes! Here’s what you can do as of ClickHouse version 20.5 -- Create a read-only user that can only access default db. CREATE USER IF NOT EXISTS read_only IDENTIFIED WITH SHA256_PASSWORD BY 'secret' HOST IP '192.168.128.1/24' SETTINGS readonly=1; REVOKE ALL ON *.* FROM read_only; CREATE ROLE select_on_default; GRANT SELECT ON default.* TO select_on_default; GRANT select_on_default TO read_only;
  • 13. RBAC grants/revokes are very granular ● Tables: CREATE, INSERT, ALTER, DELETE, SELECT, TRUNCATE, OPTIMIZE, DROP... ● Database: CREATE, DROP, SHOW ● Access management: USER, ROLE, POLICY, ROW POLICY, QUOTA, PROFILE, ... ● SYSTEM commands: SHUTDOWN, DROP CACHE, RELOAD, ... 13
  • 14. What happens when you create a user? 14 CREATE USER IF NOT EXISTS readonly IDENTIFIED WITH SHA256_PASSWORD BY 'secret' HOST IP '192.168.128.1/24' SETTINGS readonly=1; 14 ClickHouse Server ATTACH USER read_only IDENTIFIED WITH sha256_hash BY '2BB80...7A25B' HOST IP '192.168.128.0/24' SETTINGS readonly = 1; /var/lib/clickhouse/access/ 5b49c973-124c-4cae-f1e8-14e0644abe91.sql
  • 15. LDAP authentication is available since 20.8 15 CREATE USER IF NOT EXISTS ldap_user IDENTIFIED WITH ldap_server BY 'ldap_local' HOST ANY LDAP server name in config.xml Note: keyword will change to ‘ldap’ when Kerberos support is added
  • 16. LDAP authentication flow 16 ClickHouse Server 16 LDAP Server config.xml <yandex> <ldap_servers> <ldap_local> <host>ldap-01</host> … </ldap_local> ... uid=ldap_user,ou=user s,dc=example,dc=com => userPassword: secret clickhouse-client --user=ldap_user --password=secret
  • 17. In-flight connections: attack surfaces 17 ClickHouse Server :8123 :8443 :9000 :9440 :9004 :9009 :9010 :9005 :9011 :9100 Encrypted Non-encrypted HTTP Client Native TCP Client MySQL Client PostgreSQL Client :9363 Native Client via PROXYv1 gRPC Client Prometheus Metrics Exporter ClickHouse Server (Fetching parts for replication) Disabled by default
  • 18. Steps to protect in-flight connections 1. Turn off all unused ports 2. Enable TLS encryption for native TCP and HTTP clients ○ Disable unencrypted ports 3. For clusters: ○ Switch to TLS on interserver communications ○ Define user for remote calls 18
  • 19. Turning off unused ports 19 19 ... <mysql_port>9004</mysql_port> ... <interserver_http_port>9009</interserver_http_port> /etc/clickhouse-server/config.xml ... <!-- <mysql_port>9004</mysql_port> --> ... <!-- <interserver_http_port>9009</interserver_http_port> -->
  • 20. Enabling TLS client connections 20 20 <!-- <http_port>8123</http_port> --> <!-- <tcp_port>9000</tcp_port> --> ... <https_port>8443</https_port> <tcp_port_secure>9440</tcp_port_secure> ... <openSSL> <server> <certificateFile>/etc/clickhouse-server/server.crt</certificateFile> <privateKeyFile>/etc/clickhouse-server/server.key</privateKeyFile> <dhParamsFile>/etc/clickhouse-server/dhparam.pem</dhParamsFile> ... /etc/clickhouse-server/config.xml
  • 21. Options for ClickHouse server certificates 21 21 Certificate from a public CA like Let’s Encrypt Certificate from your own internal CA Self-signed certificate Ideal for external services or services with clients you don’t control Ideal for internal services where you control the clients and their operating environment Useful for testing. Never use this approach for real data. For more information: https://altinity.com/blog/2019/3/5/clickhouse-networking-part-2
  • 22. Tips and gotchas for TLS encryption 1. Connection credentials are transmitted in the clear unless you enable TLS! 2. Certificates from non-public CAs require different steps for each app type export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/my.root.ca.pem node my-tls-enabled-client.js 3. Internal root CAs require proper security hygiene to maintain 4. Check ports to make sure you enabled/disabled correctly sudo netstat -lntp |grep clickhouse tcp6 0 0 :::8443 :::* LISTEN 7768/clickhouse-ser tcp6 0 0 :::9440 :::* LISTEN 7768/clickhouse-ser tcp6 0 0 :::9010 :::* LISTEN 7768/clickhouse-ser 22
  • 23. 23 Encrypting ClickHouse cluster traffic 23 ClickHouse logos1 :9440 :9010 ClickHouse logos2 :9440 :9010 ClickHouse logos2 :9440 :9010 ClickHouse logos4 :9440 :9010
  • 24. Create a user for distributed queries 24 CREATE USER IF NOT EXISTS internal ON CLUSTER 'my_cluster' IDENTIFIED WITH NO_PASSWORD HOST REGEXP '^logos[1234]$' Network mask restricts user to within cluster
  • 25. Enable TLS for interserver replication 25 25 <yandex> <!-- <interserver_http_port>9009</interserver_http_port> --> <interserver_https_port>9010</interserver_https_port> --> ... <interserver_http_credentials> <user>internal</user> <password></password> </interserver_http_credentials> /etc/clickhouse-server/config.xml Secure interserver port Enable interserver auth
  • 26. TLS connections for distributed queries 26 26 <yandex> <remote_servers> <my_cluster> <shard> <internal_replication>true</internal_replication> <replica> <host>logos1</host> <port>9440</port> <secure>1</secure> <user>internal</port> </replica> ... </shard> /etc/clickhouse-server/config.d/remote_servers.xml Secure port and TLS User with no password
  • 27. New in ClickHouse 20.10+ (preferred way) 27 27 <yandex> <remote_servers> <my_cluster> <shard> <secret>shared secret text</secret> <internal_replication>true</internal_replication> <replica> <host>logos1</host> <port>9440</port> <secure>1</secure> </replica> ... </shard> /etc/clickhouse-server/config.d/remote_servers.xml Secure port and TLS (as before) Use initial user across servers; authenticate with secret (https://github.com/ClickHouse/ClickHouse/pull/13156)
  • 28. Encryption at-rest, option 1: file system File system encryption is the simplest path to global at-rest encryption. Some of our favorite options: 1. LUKS (Linux Unified Key Setup) -- Encrypt local volume using DMCrypt 2. Cloud block storage encryption -- Use public cloud automatic encryption a. Example: Amazon EBS encryption 3. Kubernetes storage provider encryption -- Enable encryption in StorageClass if supported. a. Example: AWS EBS provider encrypted: “true” option 28
  • 29. Encryption at-rest, option 2: AES functions Starting in 20.11 these can be used to protect data at level of individual columns. encrypt(mode, plaintext, key, [iv, aad]) decrypt(mode, ciphertext, key, [iv, aad]) aes_encrypt_mysql(mode, plaintext, key, [iv])* aes_decrypt_mysql(mode, ciphertext, key, [iv])* Key management is responsibility of applications (for now) *Compatible with MySQL AES functions 29
  • 30. Examples of AES functions in use WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT hex(encrypt('aes-128-cbc', 'Hello world', key)) AS encrypted ┌─encrypted────────────────────────┐ │ 46924AC12F4915F2EEF3170B81A1167E │ └──────────────────────────────────┘ WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT decrypt('aes-128-cbc', unhex('46924AC12F4915F2EEF3170B81A1167E'), key) AS plaintext ┌─plaintext───┐ │ Hello world │ └─────────────┘ 30 Important pro tip: test performance!!!
  • 31. Avoiding data leakage with query masking ClickHouse log entry for our query examples: 2021.01.26 19:11:23.526691 [ 1652 ] {4e196dfa-dd65-4cba-983b-d6bb2c3df7c8} <Debug> executeQuery: (from [::ffff:127.0.0.1]:54536, using production parser) WITH unhex('658bb26de6f8a069a3520293a572078f') AS key SELECT decrypt(???), key) AS plaintext 31 Sensitive arguments are gone!!! Hey, that’s an AES key!
  • 32. How to make queries “disappear” from logs 32 <query_masking_rules> <rule> <name>hide encrypt/decrypt arguments</name> <regexp> ((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)s*(s*(?:'(?: '|.)+'|.*?)s*) </regexp> <!-- or more secure, but also more invasive: (aes_w+)s*(.*) --> <replace>1(???)</replace> </rule> </query_masking_rules> /etc/clickhouse-server/config.xml
  • 33. Final tips: host-level security 1. ClickHouse runs as clickhouse user (root access not required) 2. Protect directories containing data and credentials a. /etc/clickhouse-server -- Credentials b. /var/lib/clickhouse -- Data and (new!) credentials c. /var/log/clickhouse-server -- Logs, SQL queries may be exposed 3. Protect the network around ClickHouse a. Load balancers, firewalls b. Make server network non-routable to outsiders as far as possible 33
  • 35. Multi-tenancy models 35 Model How it works Shared resources Dedicated Installation Separate ClickHouse per tenant Network? Dedicated Cluster Set of shards and replicas per tenant ZooKeeper, configuration files, network Dedicated Databases Separate database per tenant ZooKeeper, ClickHouse hosts, configuration, network Dedicated Tables Separate table(s) per tenant ZooKeeper, ClickHouse hosts, configuration, network Shared Tables Tenant data inhabits shared tables. Each row has a tenant key ZooKeeper, ClickHouse hosts, tables, configuration, network
  • 36. Restricting user access in shared clusters Using configuration in users.xml: 36 <yandex> <users> <demo> <allow_databases> <database>demo</database> </allow_databases> </demo> </users> GRANT SELECT ON demo.* TO demo GRANT SELECT ON customers.demo2_table TO demo2 Using RBAC: Restrict access to DB Restrict access to a table
  • 37. Row-level access control Using configuration in users.xml: 37 <yandex> <users> <demo> <databases> <default> <my_table> <filter>user_id='demo'</filter> </my_table> </default> </databases> </demo> </users> CREATE ROW POLICY filter ON default.my_table FOR SELECT USING user_id='demo' TO demo Using RBAC: Restrict access to rows
  • 38. DELETE tenant data efficiently Efficient if partition is dropped fully ALTER TABLE DROP PARTITION ● Database or table per tenant -- easy to drop, but does not scale well beyond dozens or low hundreds ● Partition per tenant -- easy to drop, scales to 1000s, row-level security required ● All shared -- expensive to drop (ALTER TABLE DELETE), scales well ○ ALTER TABLE DELETE IN PARTITION-- available in 20.12 ○ Lightweight DELETEs in 2021 roadmap 38
  • 39. Data retention options CREATE TABLE ( ... ) Engine = MergeTree ... ● TTL DELETE toStartOfMonth(date) + interval 1 month -- efficient with monthly partitioning ● TTL DELETE date + ttl_days_to_keep -- efficient with daily partitioning ● TTL DELETE date + dictGet(‘tenant_ttl’, ‘ttl_days’, tenant_id) -- configure externally ● TTL DELETE WHERE -- arbitrary expression ● ttl_only_drop_parts=1 (default 0) -- make sure no expensive operations ● Column TTLs: customer_id UUID TTL date + interval 1 month 39
  • 40. Other things to consider in app design ● System.query_log, system.text_log, system.processes access ● Encrypting sensitive data with AES functions ○ “Losing” keys as a way of deleting data ● Constraints on settings: ○ https://clickhouse.tech/docs/en/operations/settings/constraints-on-settings/ ● Secrets management ○ Currently an application responsibility ○ In roadmap (“Transparent data encryption”) 40
  • 42. Summary ● ClickHouse security advanced rapidly in 2020 ○ RBAC, LDAP authentication, AES encryption ● Rich feature set to secure data in-flight and at-rest ● Privacy is a property of application design ● Major improvements on tap in 2021 ○ Already merged: BoringSSL for TLS, LDAP role mapping ○ In progress: Kerberos, lightweight DELETE/UPDATE 42
  • 43. Thank you! Contact us to discuss ClickHouse security needs ClickHouse: https://github.com/ClickHouse/ ClickHouse Altinity Blog: https://altinity.com/blog Contact: info@altinity.com 43