Configuring SSL User Certificate for Authentication
This page is not applicable to ClickHouse Cloud. The feature documented here is not available in ClickHouse Cloud services. See the ClickHouse Cloud Compatibility guide for more information.
This guide provides simple and minimal settings to configure authentication with SSL user certificates. The tutorial builds on the Configuring SSL-TLS user guide.
SSL user authentication is supported when using the https or native interfaces only. It is not currently used in gRPC or PostgreSQL/MySQL emulation ports.
ClickHouse nodes need <verificationMode>strict</verificationMode> set for secure authentication (although relaxed will work for testing purposes).
1. Create SSL user certificates
This example uses self-signed certificates with a self-signed CA. For production environments, create a CSR and submit it to your PKI team or certificate provider to obtain a proper certificate.
- Generate a Certificate Signing Request (CSR) and key. The basic format is the following:
In this example, we'll use this for the domain and user that will be used in this sample environment:
Note: The CN is arbitrary and any string can be used as an identifier for the certificate. It is used when creating the user in the following steps.
- Generate and sign the new user certificate that will be used for authentication. The basic format is the following:
In this example, we'll use this for the domain and user that will be used in this sample environment:
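The two steps above (key and CSR, then signing), as an added example that is not taken from the original page or from the ClickHouse project: it builds a throwaway self-signed CA, issues a user certificate, then checks the chain and the CN. The file names, the CA name `example-ca` and the CN `example.internal:cert_user` are constructed for illustration.

```bash
#!/bin/sh
# Added example. All names (example-ca, cert_user, the CN string) are constructed.
set -eu

# Throwaway self-signed CA for testing; production certificates come from your PKI.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# User key and CSR. $2 = file base name, $3 = CN (the identifier used when creating the SQL user).
make_user_csr() {
  ( umask 077   # key file readable by its owner only
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
      -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null )
}

# Sign the CSR with the CA to produce the user certificate.
sign_user_cert() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Print the subject CN of the certificate in $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Succeed only if certificate $2 chains to CA certificate $1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_ca "$work"
make_user_csr "$work" cert_user "example.internal:cert_user"
sign_user_cert "$work" cert_user
verify_chain "$work/ca.crt" "$work/cert_user.crt" && echo "chain OK"
echo "CN: $(cert_cn "$work/cert_user.crt")"
```

Checking the CN before creating the SQL user catches a mismatch early, since that string is what identifies the certificate to ClickHouse.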
2. Create a SQL user and grant permissions
For details on how to enable SQL users and set roles, refer to the Defining SQL Users and Roles user guide.
- Create a SQL user defined to use the certificate authentication:
- Grant privileges to the new certificate user:
Note: The user is granted full admin privileges in this exercise for demonstration purposes. Refer to the ClickHouse RBAC documentation for permissions settings.
Note: We recommend using SQL to define users and roles. However, if you are currently defining users and roles in configuration files, the user will look like:
3. Testing
- Copy the user certificate, user key and CA certificate to a remote node.
- Configure OpenSSL in the ClickHouse client config with certificate and paths.
- Run clickhouse-client.
Note: The password passed to clickhouse-client is ignored when a certificate is specified in the config.
4. Testing HTTP
- Copy the user certificate, user key and CA certificate to a remote node.
- Use curl to test a sample SQL command. The basic format is:
For example:
The output will be similar to the following:
Note: No password was specified; the certificate is used in lieu of a password and is how ClickHouse will authenticate the user.
Summary
This article showed the basics of creating and configuring a user for SSL certificate authentication. This method can be used with clickhouse-client or any clients which support the https interface and where HTTP headers can be set. The generated certificate and key should be kept private and with limited access since the certificate is used to authenticate and authorize the user for operations on the ClickHouse database. Treat the certificate and key as if they were passwords.