Guide to securing a ClickHouse installation?

Open rolinh opened this issue 3 years ago • 2 comments

Sorry for this "meta" issue but I'm trying to enable TLS and generally reduce the attack surface of a ClickHouse deployment and I cannot find any related documentation or issue. Here's what I'm trying to achieve at the moment (there's probably more to it in the long run but that's a start):

  1. Enable TLS with a robust configuration using TLSv1.3 only
  2. Disable protocols that are unused, namely:
     a. MySQL (port 9004)
     b. PostgreSQL (port 9005)
     c. gRPC (port 9100)
     d. tcp_with_proxy_port (I don't even know what this one is), i.e. port 9011
  3. If possible, also disable non-TLS enabled protocols, i.e.:
     a. HTTP (port 8123)
     b. interserver HTTP (port 9009)
     c. client (port 9000)

EDIT: related Hardening Guide

1. Enable TLS with a robust configuration using TLSv1.3 only

I have the following in spec.configuration.settings (should hostTemplate be used instead?):

      tcp_port_secure: 9440
      https_port: 8443
      interserver_https_port: 9010
      openSSL/server/certificateFile: "/etc/clickhouse-server/certs/server.crt"
      openSSL/server/privateKeyFile: "/etc/clickhouse-server/certs/server.key"
      openSSL/server/caConfig: "/etc/clickhouse-server/certs/ca.crt"
      openSSL/server/loadDefaultCAFile: false
      openSSL/server/verificationMode: "relaxed"
      openSSL/server/disableProtocols: "sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2"
      openSSL/server/preferServerCiphers: false
      openSSL/server/requireTLSv1: false
      openSSL/server/requireTLSv1_1: false
      openSSL/server/requireTLSv1_2: false
      openSSL/server/requireTLSv1_3: true
      openSSL/server/cacheSessions: false
      openSSL/client/caConfig: "/etc/clickhouse-server/certs/ca.crt"
      openSSL/client/loadDefaultCAFile: false
      openSSL/client/verificationMode: "relaxed"
      openSSL/client/disableProtocols: "sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2"
      openSSL/client/preferServerCiphers: false
      openSSL/client/requireTLSv1: false
      openSSL/client/requireTLSv1_1: false
      openSSL/client/requireTLSv1_2: false
      openSSL/client/requireTLSv1_3: true
      openSSL/client/cacheSessions: false

How can I get the certificate files mounted from secrets? I've only seen advice to use the files directive which is a no-go in a GitOps environment as the certificate key cannot be in the charts.

2. Disable protocols that are unused

I have no idea how to get started as when no port is specified, it gets interpreted as if the default port is desired.

3. Disable non-TLS enabled protocols

This is more of a question about feasibility as I don't even know if this would work because I think that the HTTP /ping endpoint is used for liveness probes, etc.

rolinh, Nov 09 '21 14:11
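The post's goals expressed as a check, added here as an example that is not part of the original issue or the operator's code: it confirms the TLSv1.3-only settings are consistent for server and client, and lists the listeners that, per the post, still fall back to their default ports when left unset. `SAMPLE` is a constructed subset of the posted settings, and the setting names in `DEFAULT_LISTENERS` are assumptions paired with the ports the post names.

```python
# Added example; SAMPLE is a constructed subset of the post's settings.
SAMPLE = """\
tcp_port_secure: 9440
https_port: 8443
interserver_https_port: 9010
openSSL/server/verificationMode: "relaxed"
openSSL/server/disableProtocols: "sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2"
openSSL/server/requireTLSv1_3: true
openSSL/client/verificationMode: "relaxed"
openSSL/client/disableProtocols: "sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2"
openSSL/client/requireTLSv1_3: true
"""

LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2"}
# Ports named in the post; the setting names are assumed, not from the page.
DEFAULT_LISTENERS = {
    "http_port": 8123, "tcp_port": 9000, "interserver_http_port": 9009,
    "mysql_port": 9004, "postgresql_port": 9005, "grpc_port": 9100,
    "tcp_with_proxy_port": 9011,
}

def parse(text):
    """Turn 'key: value' lines into a dict, dropping surrounding quotes."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep}

def tls_findings(settings):
    """TLS 1.3-only consistency checks for the server and client sections."""
    found = []
    for side in ("server", "client"):
        prefix = f"openSSL/{side}/"
        disabled = {p.strip().lower() for p in
                    settings.get(prefix + "disableProtocols", "").split(",")}
        for proto in sorted(LEGACY - disabled):
            found.append(f"{side}: {proto} is not disabled")
        if settings.get(prefix + "requireTLSv1_3", "").lower() != "true":
            found.append(f"{side}: requireTLSv1_3 is not true")
        if settings.get(prefix + "verificationMode", "").lower() == "none":
            found.append(f"{side}: peer certificates are not verified")
    return found

def implicit_listeners(settings):
    """Listeners left unset, which the post says fall back to defaults."""
    return {k: v for k, v in DEFAULT_LISTENERS.items() if k not in settings}

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print(tls_findings(cfg), implicit_listeners(cfg))
```

On the posted settings the TLS checks come back clean while all seven plaintext or unused listeners are still reported, which matches items 2 and 3 of the post remaining open.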

@rolinh, looks like we need to write a comprehensive security guide.

ClickHouse settings should go to spec.configuration.settings. Usually you run one cluster per ClickHouse installation (in fact, we recommend doing that), so no need to go to cluster level settings.

alex-zaitsev, Nov 14 '21 22:11

Any attempt to turn off https will result in the readiness probe failing as it seems to be hard-coded to use http.

bkuschel, Mar 28 '22 19:03

https://github.com/Altinity/clickhouse-operator/blob/master/docs/security_hardening.md

cc @bkuschel @rolinh

alex-zaitsev, Mar 07 '23 07:03