
Multi-user permission configuration in ClickHouse

After installing ClickHouse everyone logs in as the default user. If you want to implement your own user permission control, you have to read and understand the users.xml file in detail; I have translated it below:
<users>
    <!-- If user name was not specified, 'default' user is used. -->
    <default>
        <!-- Password could be specified in plaintext or in SHA256 (in hex format).
             If you want to specify password in plaintext (not recommended), place it in 'password' element.
             Example: <password>qwerty</password>.
             Password could be empty.
             If you want to specify SHA256, place it in 'password_sha256_hex' element.
             Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
             Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
             If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
             Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
             If you want to specify a previously defined LDAP server (see 'ldap_servers' in main config) for authentication, place its name in 'server' element inside 'ldap' element.
             Example: <ldap><server>my_ldap_server</server></ldap>
             How to generate decent password:
             Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
             In first line will be password and in second - corresponding SHA256.
             How to generate double SHA1:
             Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
             In first line will be password and in second - corresponding double SHA1.
        -->
        <password>123456</password>

        <!-- List of networks with open access.
             To open access from everywhere, specify:
                <ip>::/0</ip>
             To open access only from localhost, specify:
                <ip>::1</ip>
                <ip>127.0.0.1</ip>
             Each element of list has one of the following forms:
             <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
                 2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
             <host> Hostname. Example: server01.yandex.ru (configure your own hostname here).
                 To check access, DNS query is performed, and all received addresses compared to peer address.
             <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
                 To check access, DNS PTR query is performed for peer address and then regexp is applied.
                 Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
                 Strongly recommended that regexp ends with $
             All results of DNS requests are cached till server restart.
        -->

        <networks incl="networks" replace="replace">
            <ip>::/0</ip>
        </networks>

        <!-- Settings profile for user. -->
        <profile>default</profile>

        <!-- Quota for user. -->
        <quota>default</quota>

        <!-- User can create other users and grant rights to them (1 = enabled, 0 = disabled). -->
        <!-- <access_management>1</access_management> -->
    </default>

    <!-- Custom user: password 123456, all external connections allowed, access to database test only, read-only profile, default quota. -->
    <jojo>
        <password>123456</password>
        <networks incl="networks" replace="replace">
            <ip>::/0</ip>
        </networks>
        <allow_databases>
            <database>test</database>
        </allow_databases>
        <profile>readonly</profile>
        <quota>default</quota>
    </jojo>

</users>
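The comment block above quotes two shell pipelines for producing the hash values that users.xml accepts. The script below is an added example, not from the original post and not ClickHouse's own code: it computes the same SHA256 and double-SHA1 values with hashlib, generates a random password with the secrets module in place of reading /dev/urandom, and renders the matching users.xml element. The function names and the 16-character password length are assumptions of this example. The point worth seeing in code is the `xxd -r -p` step: the second SHA1 is taken over the raw 20-byte digest, not over its 40-character hex text, and hashing the hex text instead yields a value ClickHouse will not match.

```python
"""Derive the password-hash values that ClickHouse's users.xml accepts.

Added example; not from the original post or from the ClickHouse project.
Mirrors the two shell pipelines quoted in the users.xml comments:
  sha256:      echo -n "$PASSWORD" | sha256sum
  double sha1: echo -n "$PASSWORD" | sha1sum | xxd -r -p | sha1sum
"""
import hashlib
import secrets
import string
from xml.sax.saxutils import escape


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of raw bytes (one round)."""
    return hashlib.sha1(data).hexdigest()


def sha256_hex(password: str) -> str:
    """Value for <password_sha256_hex>: SHA256 of the UTF-8 password, hex-encoded."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def double_sha1_hex(password: str) -> str:
    """Value for <password_double_sha1_hex>: SHA1 applied to the raw SHA1 digest."""
    first = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20 bytes, like xxd -r -p
    return hashlib.sha1(first).hexdigest()


def random_password(length: int = 16) -> str:
    """Random password from a CSPRNG (the Python analogue of /dev/urandom in the shell
    pipeline).  The length and alphabet are assumptions of this example."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_element(password: str, scheme: str = "sha256") -> str:
    """Render the single users.xml element for the chosen scheme.
    Plaintext is rendered only because users.xml accepts it; the config
    comments recommend one of the hashed forms."""
    if scheme == "sha256":
        return f"<password_sha256_hex>{sha256_hex(password)}</password_sha256_hex>"
    if scheme == "double_sha1":
        return f"<password_double_sha1_hex>{double_sha1_hex(password)}</password_double_sha1_hex>"
    if scheme == "plaintext":
        # escape() keeps characters such as '<' or '&' from breaking the XML
        return f"<password>{escape(password)}</password>"
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    pw = random_password()
    print("password:", pw)
    print(password_element(pw, "sha256"))
    print(password_element(pw, "double_sha1"))
```

Running the script prints a fresh password followed by the two elements; paste the one you want into the user's block in users.xml and keep the printed password for the client login.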

The configuration file explains things in detail and is understandable on a careful read. You can see that I configured a read-only user, jojo. To open both read and write access, change the profile to default. You can also restrict the query conditions and the query range with a condition such as id >= 500. After changing the configuration file you must restart the server! Otherwise logging in directly gives:
 DB::Exception: Received from 127.0.0.1:9000. DB::Exception: jojo: Authentication Failed: password is incorrect or there is no user with such name.
It is best to copy the default user's block and modify it. Writing the block by hand easily goes wrong: a tag gets left out and you cannot find it however many times you check. When the restart fails, the first thing to do is not to go find the team lead or ask someone for help, but to read the error log output. For the concrete fix see: https://blog.csdn.net/whiteBearClimb/article/details/110952408
The error:
2020.12.10 10:42:37.155639 [ 117297 ] {} <Error> Configreloader: Error loading config from '/etc/clickhouse-server/users.xml': Poco::Exception. Code: 1000, e.code() = 0, e.displayText() = SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17, Stack trace (when copying this message, always include the lines below):
server/users.xml', line 100 column 17
2020.12.10 10:51:11.355092 [ 77357 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:51:41.612965 [ 77502 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:52:11.855936 [ 77586 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:52:42.105438 [ 77790 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:53:12.368823 [ 77869 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:53:42.612247 [ 78011 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 17
2020.12.10 10:54:12.859283 [ 78169 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 23
2020.12.10 10:54:43.115143 [ 78321 ] {} <Error> Application: SAXParseException: Tag mismatch in '/etc/clickhouse-server/users.xml', line 100 column 23

Anyway, do not type it by hand; it seems that element ordering problems can also cause this error.
About the SHA hashes: if you run the commands as shown on your machine and no password and hash appear, but instead you get:
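Because a tag mismatch only surfaces in the server log after a failed restart, it helps to parse users.xml with a real XML parser before restarting. The script below is an added example, not from the original post and not part of ClickHouse: it reports the parser's line and column for a malformed file, and on a well-formed file it lists each user's authentication element, profile, allowed databases and networks, plus a few findings such as a plaintext password or a ::/0 network. The embedded users.xml fragments are constructed for this example; the broken one reproduces the <databse>/<database> mismatch, and the third variant shows a typo that is well-formed XML and therefore only a semantic check can catch. The function names and the finding texts are this example's own.

```python
"""Check a ClickHouse users.xml before restarting the server.

Added example, not from the original post or from the ClickHouse project.
A malformed users.xml only shows up after the restart as
'SAXParseException: Tag mismatch in ... line N column M'; parsing it with an
XML parser first gives the same line/column up front, and a second pass
catches well-formed but wrong tags that the parser cannot see.
"""
import xml.etree.ElementTree as ET

# Authentication elements the users.xml comments describe.
AUTH_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex", "ldap")

# Constructed sample: the <users> block from the post, with the <databse> typo.
BROKEN_USERS_XML = """<users>
    <default>
        <password>123456</password>
        <networks><ip>::/0</ip></networks>
        <profile>default</profile>
        <quota>default</quota>
    </default>
    <jojo>
        <password>123456</password>
        <networks><ip>::/0</ip></networks>
        <allow_databases>
            <databse>test</database>
        </allow_databases>
        <profile>readonly</profile>
        <quota>default</quota>
    </jojo>
</users>
"""
# Same file with the tag fixed: well-formed and semantically right.
GOOD_USERS_XML = BROKEN_USERS_XML.replace("<databse>", "<database>")
# Same typo on both tags: well-formed XML, so only a semantic check catches it.
TYPO_USERS_XML = GOOD_USERS_XML.replace("<database>test</database>", "<databse>test</databse>")


def parse_users_xml(text):
    """Return (root, None) if well-formed, else (None, {message, line, column})."""
    try:
        return ET.fromstring(text), None
    except ET.ParseError as exc:
        line, column = exc.position  # the same information the ClickHouse log prints
        return None, {"message": str(exc), "line": line, "column": column}


def users_element(root):
    """The <users> element: the root here, or nested under <clickhouse>/<yandex> in a full file."""
    return root if root.tag == "users" else root.find("users")


def lint_users(root):
    """Semantic findings for each user element under <users>."""
    users = users_element(root)
    if users is None:
        return ["no <users> element found"]
    findings = []
    for user in users:
        name = user.tag
        auth = [c.tag for c in user if c.tag in AUTH_TAGS]
        if not auth:
            findings.append(f"{name}: no authentication element ({', '.join(AUTH_TAGS)})")
        if "password" in auth and (user.findtext("password") or "").strip():
            findings.append(f"{name}: plaintext <password>; prefer password_sha256_hex or password_double_sha1_hex")
        nets = user.find("networks")
        if nets is None:
            findings.append(f"{name}: no <networks> element")
        elif any((ip.text or "").strip() == "::/0" for ip in nets.findall("ip")):
            findings.append(f"{name}: <networks> allows connections from anywhere (::/0)")
        adb = user.find("allow_databases")
        if adb is not None:
            for child in adb:
                if child.tag != "database":
                    findings.append(f"{name}: unexpected <{child.tag}> inside <allow_databases>")
        if user.find("profile") is None:
            findings.append(f"{name}: no <profile> element")
    return findings


def summarize_users(root):
    """Per-user view of what the file grants: auth method, profile, databases, networks."""
    users = users_element(root)
    summary = {}
    for user in (users if users is not None else []):
        summary[user.tag] = {
            "auth": [c.tag for c in user if c.tag in AUTH_TAGS],
            "profile": (user.findtext("profile") or "").strip(),
            "databases": [(d.text or "").strip() for d in user.findall("allow_databases/database")],
            "networks": [(ip.text or "").strip() for ip in user.findall("networks/ip")],
        }
    return summary


def check_users_xml(text):
    """Full check: well-formedness first, then lint findings and the per-user summary."""
    root, error = parse_users_xml(text)
    if error is not None:
        return {"well_formed": False, "error": error, "findings": [], "users": {}}
    return {"well_formed": True, "error": None,
            "findings": lint_users(root), "users": summarize_users(root)}


if __name__ == "__main__":
    import json
    import sys
    # Usage: python check_users_xml.py /etc/clickhouse-server/users.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BROKEN_USERS_XML
    print(json.dumps(check_users_xml(text), indent=2, ensure_ascii=False))
```

Run it against the real file path before restarting; a `well_formed: false` result with its line and column is the same mismatch the server would otherwise log, and the findings list is where a misspelled tag inside a well-formed file shows up.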

-bash: sha256sum: command not found
-bash: sha1sum: command not found

then install them:

On macOS: brew install coreutils
On Linux: yum install perl-Digest-SHA

After installing, run the commands again (remember that it is the long string on the second line that goes into users.xml):


Testing: my jojo user is readonly, so it certainly must not be able to create a database or a table. Let's test it.

Log in: clickhouse-client -u jojo -h 127.0.0.1 --password 123456


Switch back to the default user.


Success. The remaining login restrictions, query restrictions and connection restrictions can all be tried out on your own; they all work.
