clickhouse-operator
Missing or Incorrect Authentication Configuration for ldap_user in ClickHouse
An error occurs when parsing the ldap_user configuration in the ClickHouse users.xml file. The error indicates that an authentication method is not properly specified for the user, even though the configuration appears to include the required ldap authentication type.
Error Details:
Error: <Error> Application: Code: 36. DB::Exception: Either 'password' or 'password_sha256_hex' or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos' or 'ssl_certificates' or 'ssh_keys' or 'http_authentication' must be specified for user ldap_user.: while parsing user 'ldap_user' in users configuration file: while loading configuration file '/etc/clickhouse-server/users.xml'. (BAD_ARGUMENTS)
ldap_user in the users.xml:
<ldap_user>
    <networks>
        <ip>0.0.0.0/0</ip>
        <ip>::/0</ip>
    </networks>
    <authentication>
        <type>ldap</type>
        <server>kiba_ldap</server> <!-- This must match the LDAP server name in 04-ldap-config.xml -->
    </authentication>
    <profile>default</profile>
    <quota>default</quota>
</ldap_user>
LDAP server configuration is defined in 04-ldap-config.xml:
<ldap_servers>
    <kiba_ldap>
        <host>test.rmb-adtest.jp</host>
        <port>389</port>
        <bind_dn>CN=svc.yugabyte-a,OU=Users,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp</bind_dn>
        <bind_password>xxxxxxx</bind_password>
        <search_base>OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp</search_base>
        <search_filter>(cn={user})</search_filter>
        <enable_tls>false</enable_tls>
    </kiba_ldap>
</ldap_servers>
Expected Behavior:
The ClickHouse server should start without errors, and the ldap_user should authenticate using the specified LDAP server configuration.
Could you share the kind: ClickHouseInstallation manifest without sensitive credentials?
@Slach ClickHouse Installation Manifest:
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "cliff"
spec:
  defaults:
    templates:
      podTemplate: pod-template-with-volumes-shard
      serviceTemplate: chi-service-template
  configuration:
    zookeeper:
      nodes:
        - host: zookeeper-0.zookeepers.cmass-1c
          port: 2181
        - host: zookeeper-1.zookeepers.cmass-1c
          port: 2181
        - host: zookeeper-2.zookeepers.cmass-1c
          port: 2181
    settings:
      remote_servers/all-replicated/secret: cliff
      remote_servers/all-sharded/secret: cliff
      remote_servers/cliffcluster/secret: cliff
      remote_servers/all-replicated/secret: distributed
      remote_servers/all-sharded/secret: distributed
      remote_servers/cliffcluster/secret: distributed
      remote_servers/all-replicated/secret: default
      remote_servers/all-sharded/secret: default
      remote_servers/cliffcluster/secret: default
      disable_internal_dns_cache: 1
    users:
      # test user has 'password' specified, while admin user has 'password_sha256_hex' specified
      default/networks/ip:
        - "0.0.0.0/0"
        - "::/0"
      admin/password: xxxxxxx
      admin/access_management: 1
      admin/networks/ip:
        - "0.0.0.0/0"
        - "::/0"
    clusters:
      - name: "cliffcluster"
        layout:
          shards:
            - name: shard0
              replicasCount: 1
              templates:
                podTemplate: pod-template-with-volumes-shard
              replicas:
                - name: replica0-shard0
                - name: replica1-shard0
                  templates:
                    podTemplate: pod-template-with-volumes-replica
            # - name: shard1
            #   replicasCount: 1
            #   templates:
            #     podTemplate: pod-template-with-volumes-shard
            #   replicas:
            #     - name: replica0-shard1
            #     - name: replica1-shard1
            #       templates:
            #         podTemplate: pod-template-with-volumes-replica
            # - name: shard2
            #   replicasCount: 2
            #   templates:
            #     podTemplate: pod-template-with-volumes-shard
            #   replicas:
            #     - name: replica0-shard2
            #     - name: replica1-shard2
            #       templates:
            #         podTemplate: pod-template-with-volumes-replica
  templates:
    podTemplates:
      - name: pod-template-with-volumes-shard
        spec:
          # affinity:
          #   nodeAffinity:
          #     requiredDuringSchedulingIgnoredDuringExecution:
          #       nodeSelectorTerms:
          #         - matchExpressions:
          #             - key: Name
          #               operator: In
          #               values:
          #                 - clickhouse-dev
          # tolerations:
          #   - key: "High"
          #     operator: "Equal"
          #     value: "high-click"
          #     effect: "NoSchedule"
          containers:
            - name: clickhouse
              image: clickhouse-server:24.4.2-alpine
              imagePullPolicy: Always
              resources:
                requests:
                  memory: "8Gi"
                  cpu: "4"
                limits:
                  memory: "8Gi"
                  cpu: "4"
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
            - name: clickhouse-backup
              image: clickhouse-backup:2.5.13
              imagePullPolicy: Always
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
              command:
                - bash
                - -xc
                - "/bin/clickhouse-backup server"
              resources:
                requests:
                  memory: "4Gi"
                  cpu: "2"
                limits:
                  memory: "4Gi"
                  cpu: "2"
              envFrom:
                - configMapRef:
                    name: clickhouse-backup-config
              ports:
                - name: backup-rest
                  containerPort: 7171
      - name: pod-template-with-volumes-replica
        spec:
          # affinity:
          #   nodeAffinity:
          #     requiredDuringSchedulingIgnoredDuringExecution:
          #       nodeSelectorTerms:
          #         - matchExpressions:
          #             - key: Name
          #               operator: In
          #               values:
          #                 - clickhouse-dev-2
          # tolerations:
          #   - key: "High"
          #     operator: "Equal"
          #     value: "high-click-2"
          #     effect: "NoSchedule"
          containers:
            - name: clickhouse
              image: clickhouse-server:24.4.2-alpine
              imagePullPolicy: Always
              resources:
                requests:
                  memory: "8Gi"
                  cpu: "4"
                limits:
                  memory: "8Gi"
                  cpu: "4"
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
            - name: clickhouse-backup
              image: clickhouse-backup:2.5.13
              imagePullPolicy: Always
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
              command:
                - bash
                - -xc
                - "/bin/clickhouse-backup server"
              resources:
                requests:
                  memory: "4Gi"
                  cpu: "2"
                limits:
                  memory: "4Gi"
                  cpu: "2"
              envFrom:
                - configMapRef:
                    name: clickhouse-backup-config
              ports:
                - name: backup-rest
                  containerPort: 7171
    volumeClaimTemplates:
      - name: clickhouse-storage-template
        spec:
          # no storageClassName - means use default storageClassName
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 500Gi
      - name: clickhouse-storage-template-1
        spec:
          # no storageClassName - means use default storageClassName
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 500Gi
      - name: clickhouse-storage-template-2
        spec:
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 500Gi
    serviceTemplates:
      - name: chi-service-template
        generateName: "clickhouse-{chi}"
        spec:
          type: NodePort
          ports:
            - name: http
              port: 8123
              targetPort: 8123
            - name: tcp
              port: 9000
              targetPort: 9000
            - name: interserver
              port: 9009
              targetPort: 9009
@Slach did you find anything from the CHI?
@Slach I have made one change in the CHI by adding one more section; now the pod is not crashing with the above error, but it is still not getting authenticated:
users:
  # test user has 'password' specified, while admin user has 'password_sha256_hex' specified
  default/networks/ip:
    - "0.0.0.0/0"
    - "::/0"
  admin/password: xxx
  admin/access_management: 1
  admin/networks/ip:
    - "0.0.0.0/0"
    - "::/0"
  ldap_user:
    ldap:
      server: kiba_ldap
Do I need to follow any more steps, like creating the user locally?
I have even added one user like the one that is in AD:
CREATE USER 'sanjeev.gautam-a' IDENTIFIED WITH ldap SERVER 'my_ldap_server';
I have even verified with ldapsearch that I get the details for this user using the mentioned LDAP settings:
[sanjeev.gautam-a@uhn5klbjhmgmt-s ldap-click]$ ldapsearch -x -H ldap://test.rmb-adtest.jp:389 -D "CN=svc.yugabyte-a,OU=Users,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp" -w "xxxxxxxxxxxx" -b "OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp" "cn=sanjeev.gautam-a"
# extended LDIF
#
# LDAPv3
# base <OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp> with scope subtree
# filter: cn=sanjeev.gautam-a
# requesting: ALL
#
# sanjeev.gautam-a, katanaCICD, JP, APAC, Earth, test.rmb-adtest.jp
dn: CN=sanjeev.gautam-a,OU=katanaCICD,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-ad
 test,DC=jp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sanjeev.gautam-a
sn: gautam
givenName: sanjeev
distinguishedName: CN=sanjeev.gautam-a,OU=katanaCICD,OU=JP,OU=APAC,OU=Earth,DC
 =test,DC=rmb-adtest,DC=jp
instanceType: 4
whenCreated: 20211208013700.0Z
whenChanged: 20250130065525.0Z
displayName: sanjeev.gautam-a
uSNCreated: 2521517
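To see why the first users.xml form in this thread was rejected at startup while the second one loads, here is an added example (not clickhouse-operator or ClickHouse code). It assumes the operator's behaviour of turning slash-separated keys under `users:` into nested XML elements, rebuilds the `<users>` tree from such entries, and re-implements the "exactly one authentication method per user" rule from the BAD_ARGUMENTS message quoted above as an offline lint. The sample entries are constructed from this thread; the sha256 value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Authentication methods, in the order listed in the BAD_ARGUMENTS error on this page.
AUTH_METHODS = (
    "password", "password_sha256_hex", "password_double_sha1_hex", "no_password",
    "ldap", "kerberos", "ssl_certificates", "ssh_keys", "http_authentication",
)


def _flatten(value, prefix="", out=None):
    """Turn nested dicts into 'a/b/c' keys; lists and scalars are leaves."""
    if out is None:
        out = {}
    if isinstance(value, dict):
        for key, sub in value.items():
            _flatten(sub, f"{prefix}/{key}" if prefix else key, out)
    else:
        out[prefix] = value
    return out


def users_to_xml(users):
    """Build a <users> element from operator-style entries (assumed mapping).

    Each 'a/b/c: value' entry becomes nested elements <a><b><c>value</c></b></a>;
    a list value becomes repeated sibling elements, as networks/ip does here.
    """
    root = ET.Element("users")
    for path, value in _flatten(users).items():
        parts = path.split("/")
        for item in (value if isinstance(value, list) else [value]):
            node = root
            for part in parts[:-1]:
                child = node.find(part)
                if child is None:
                    child = ET.SubElement(node, part)
                node = child
            ET.SubElement(node, parts[-1]).text = str(item)
    return root


def check_auth_methods(root):
    """Apply ClickHouse's per-user rule: exactly one authentication element.

    Returns {user: message} for users that would make the server refuse to
    load users.xml. Only direct children of the user element count, which is
    why <authentication><type>ldap</type></authentication> is not recognised.
    """
    problems = {}
    for user in root:
        found = [m for m in AUTH_METHODS if user.find(m) is not None]
        if not found:
            problems[user.tag] = "no authentication method (would raise BAD_ARGUMENTS)"
        elif len(found) > 1:
            problems[user.tag] = "more than one authentication method: " + ", ".join(found)
    return problems


def plaintext_password_users(root):
    """Users whose secret is a reversible <password>; the thread's own comment
    contrasts this with password_sha256_hex."""
    return [u.tag for u in root if u.find("password") is not None]


# Constructed sample: the 'users:' section from this thread, first with the
# <authentication> form that was rejected...
BROKEN = {
    "admin/password": "xxxxxxx",
    "admin/access_management": 1,
    "admin/networks/ip": ["0.0.0.0/0", "::/0"],
    "ldap_user/networks/ip": ["0.0.0.0/0", "::/0"],
    "ldap_user/authentication/type": "ldap",
    "ldap_user/authentication/server": "kiba_ldap",
}
# ...and with the <ldap><server> form the second post switched to.
FIXED = {
    "admin/password_sha256_hex": "<sha256 hex placeholder>",
    "admin/access_management": 1,
    "admin/networks/ip": ["0.0.0.0/0", "::/0"],
    "ldap_user": {"ldap": {"server": "kiba_ldap"}},
}

if __name__ == "__main__":
    for label, users in (("broken", BROKEN), ("fixed", FIXED)):
        tree = users_to_xml(users)
        print(f"--- {label} ---")
        print(ET.tostring(tree, encoding="unicode"))
        print("startup errors:", check_auth_methods(tree))
        print("plaintext password users:", plaintext_password_users(tree))
```

Running the lint over a rendered users.xml before applying a CHI is a cheap pre-flight check: the broken form reports ldap_user with no authentication method, the fixed form reports none, and any user still carrying a plaintext password is listed separately.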
@Slach did you get anything based on the shared details?
Unfortunately I have not had time to figure it out in depth; I'm not an expert with LDAP.