From 93020fce3fbba1325de54ac9e59ad097b46d7137 Mon Sep 17 00:00:00 2001
From: BayoNet
Date: Thu, 6 Jun 2019 02:43:12 +0300
Subject: [PATCH] DOCAPI-6425: Security settings (#5490)

---
 docs/en/operations/settings/settings_users.md | 129 ++++++++++++++++++
 .../example_datasets/ontime.md | 10 +-
 .../example_datasets/ontime.md | 10 +-
 docs/toc_en.yml | 1 +
 .../example_datasets/ontime.md | 10 +-
 5 files changed, 145 insertions(+), 15 deletions(-)
 create mode 100644 docs/en/operations/settings/settings_users.md

diff --git a/docs/en/operations/settings/settings_users.md b/docs/en/operations/settings/settings_users.md
new file mode 100644
index 0000000000..1b8cb640a9
--- /dev/null
+++ b/docs/en/operations/settings/settings_users.md
@@ -0,0 +1,129 @@ +# User settings + +The `users` section of the `user.xml` configuration file contains settings for users. + +Structure of the `users` section: + +``` + + + + + + + + + + + profile_name + + default + + + + + expression + + + + + + +``` + +### user_name/password + +Password could be specified in plaintext or in SHA256 (hex format). + +- To specify password in plaintext (**not recommended**), place it in a `password` element. + + For example, `qwerty`. Password can be empty. + +- To specify SHA256 hash of a password, place it in a `password_sha256_hex` element. + + For example, `65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5`. + + Example of how to generate password from shell: + + ``` + PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-' + ``` + + The first line of the result is the password. The second line is the corresponding SHA256 hash. + + +### user_name/networks + +List of networks which the user can connect to ClickHouse server from. + +Each element of list has one of the following forms: + +- `` — IP-address or a network mask. + + Examples: `213.180.204.3`, `10.0.0.1/8`, `10.0.0.1/255.255.255.0`, `2a02:6b8::3`, `2a02:6b8::3/64`, `2a02:6b8::3/ffff:ffff:ffff:ffff::`. + +- `` — Hostname. + + Example: `server01.yandex.ru`. + + To check access, DNS query is performed, and all returned IP-addresses are compared to peer address. + +- `` — Regular expression for hostnames. + + Example, `^server\d\d-\d\d-\d\.yandex\.ru$` + + To check access, [DNS PTR query](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) is performed for peer address and then regexp is applied. Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address. Strongly recommended that regexp is ends with $ + +All results of DNS requests are cached till server restart. 
+ +**Examples** + +To open access for user from any network, specify: + +``` +::/0 +``` + +!!! warning "Warning" + It's insecure to open access from any network, unless you have a firewall properly configured or server is not directly connected to Internet. + + +To open access only from localhost, specify: + +``` +::1 +127.0.0.1 +``` + +### user_name/profile + +You can assign a settings profile for the user. Settings profiles are configured in a separate section of the `users.xml` file. For more information see the [Profiles of Settings](settings_profiles.md). + +### user_name/quota + +Quotas allow you to limit resource usage over a period of time, or track the use of resources. Quotas are configured in the `quotas` +section of the `users.xml` configuration file. + +You can assign a quotas set for the user. For the detailed description of quotas configuration see the [Quotas](../quotas.md#quotas) section. + +### user_name/databases + +In this section you can you can limit rows that are returned by ClickHouse for `SELECT` queries of current user, thus implementing basic row level security. + +**Example** + +The following configuration sets that the user `user1` can see only the rows of `table1` as a result of `SELECT` query where the value of field `id` equals to 1000. + +``` + + + + + id = 1000 + + + + +``` + +The `filter` can be any expression resulting with the [UInt8](../../data_types/int_uint.md)-typed value. It usually contains comparisons and logical operators. Rows from `database_name.table1` where filter results to 0 are not returned for this user. The filtering is incompatible with `PREWHERE` operations and disables `WHERE→PREWHERE` optimization. diff --git a/docs/fa/getting_started/example_datasets/ontime.md b/docs/fa/getting_started/example_datasets/ontime.md index 0c3b8c1f8e..b322fd97a8 100644 --- a/docs/fa/getting_started/example_datasets/ontime.md +++ b/docs/fa/getting_started/example_datasets/ontime.md 
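Review bot: The new page names the configuration file `user.xml` in its opening sentence but `users.xml` in the profile, quota and structure sections; the opening sentence should say `users.xml` so readers edit the right file. The password section also leaves out two caveats an operator configuring access will want: the shell example produces only an 8-character password via `head -c8`, and because `password_sha256_hex` holds, as the `sha256sum` example shows, an unsalted SHA-256 of the password, a short value is recoverable by offline guessing from a leaked `users.xml`, so the text should advise a longer length in practice and restricting read permissions on the file. The sentence `Password can be empty.` would likewise benefit from pointing readers to pair an empty password with a `networks` element limited to localhost, as the second example in the networks section already shows.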
@@ -207,7 +207,7 @@ Q5. درصد تاخیر ها براساس carrier در سال 2007 ``` sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -237,7 +237,7 @@ ORDER BY c3 DESC; ``` sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier ```
@@ -247,7 +247,7 @@ Q6. مانند query قبلی اما برای طیف وسیعی از سال ها
``` sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -277,7 +277,7 @@ ORDER BY c3 DESC; ``` sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier ```
@@ -292,7 +292,7 @@ FROM ( select Year, - count(*)*1000 as c1 + count(*)*100 as c1 from ontime WHERE DepDelay>10 GROUP BY Year diff --git a/docs/ru/getting_started/example_datasets/ontime.md b/docs/ru/getting_started/example_datasets/ontime.md index dfdcd4895d..27c8a58dd2 100644 --- a/docs/ru/getting_started/example_datasets/ontime.md +++ b/docs/ru/getting_started/example_datasets/ontime.md @@ -193,7 +193,7 @@ SELECT Carrier, count(*) FROM ontime WHERE DepDelay>10 AND Year = 2007 GROUP BY Q5. Процент задержек по перевозчикам за 2007 год ``` sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -219,13 +219,13 @@ ORDER BY c3 DESC; Более оптимальная версия того же запроса: ``` sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier ``` Q6. Предыдущий запрос за более широкий диапазон лет, 2000-2008 ``` sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -251,7 +251,7 @@ ORDER BY c3 DESC; Более оптимальная версия того же запроса: ``` sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier ``` Q7. Процент полетов, задержанных на более 10 минут, в разбивке по годам @@ -262,7 +262,7 @@ FROM ( select Year, - count(*)*1000 as c1 + count(*)*100 as c1 from ontime WHERE DepDelay>10 GROUP BY Year diff --git a/docs/toc_en.yml b/docs/toc_en.yml index 310e95210f..9a4d0bb39e 100644 --- a/docs/toc_en.yml +++ b/docs/toc_en.yml 
@@ -186,6 +186,7 @@ nav: - 'Restrictions on Query Complexity': 'operations/settings/query_complexity.md' - 'Settings': 'operations/settings/settings.md' - 'Settings Profiles': 'operations/settings/settings_profiles.md' + - 'User Settings': 'operations/settings/settings_users.md' - 'Utilities': - 'Overview': 'operations/utils/index.md' - 'clickhouse-copier': 'operations/utils/clickhouse-copier.md' diff --git a/docs/zh/getting_started/example_datasets/ontime.md b/docs/zh/getting_started/example_datasets/ontime.md index 977abcedfc..ed81e2459e 100644 --- a/docs/zh/getting_started/example_datasets/ontime.md +++ b/docs/zh/getting_started/example_datasets/ontime.md @@ -172,7 +172,7 @@ SELECT Carrier, count(*) FROM ontime WHERE DepDelay>10 AND Year = 2007 GROUP BY Q5. 查询2007年各航空公司延误超过10分钟以上的百分比 ```sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -198,13 +198,13 @@ ORDER BY c3 DESC; 更好的查询版本: ```sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year = 2007 GROUP BY Carrier ORDER BY Carrier ``` Q6. 同上一个查询一致,只是查询范围扩大到2000年到2008年 ```sql -SELECT Carrier, c, c2, c*1000/c2 as c3 +SELECT Carrier, c, c2, c*100/c2 as c3 FROM ( SELECT @@ -230,7 +230,7 @@ ORDER BY c3 DESC; 更好的查询版本: ```sql -SELECT Carrier, avg(DepDelay > 10) * 1000 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier +SELECT Carrier, avg(DepDelay > 10) * 100 AS c3 FROM ontime WHERE Year >= 2000 AND Year <= 2008 GROUP BY Carrier ORDER BY Carrier ``` Q7. 每年航班延误超过10分钟的百分比 @@ -241,7 +241,7 @@ FROM ( select Year, - count(*)*1000 as c1 + count(*)*100 as c1 from ontime WHERE DepDelay>10 GROUP BY Year -- GitLab