percona · ademidoff · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -70,7 +70,10 @@ jobs:
         run: docker image rm ${{ env.PMM_CACHE_IMAGE }}
 
       - name: Rebuild the binaries
-        run: docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy run-qan
+        run: |
+          # TODO: remove the line below before merging
+          docker cp ./build/ansible/roles/clickhouse/files/users.xml pmm-server:/etc/clickhouse-server/users.xml
+          docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy run-qan
 
       - name: Check the status of components
         continue-on-error: true

@@ -138,7 +138,7 @@
     <!-- Compatibility with MySQL protocol.
          ClickHouse will pretend to be MySQL for applications connecting to this port.
     -->
-    <mysql_port>9004</mysql_port>
+    <!-- <mysql_port>9004</mysql_port> -->
 
     <!-- Compatibility with PostgreSQL protocol.
          ClickHouse will pretend to be PostgreSQL for applications connecting to this port.
@@ -484,9 +484,9 @@
     <tmp_path>/srv/clickhouse/tmp/</tmp_path>
 
     <!-- Disable AuthType plaintext_password and no_password for ACL. -->
-    <allow_plaintext_password>1</allow_plaintext_password>
-    <allow_no_password>1</allow_no_password>
-    <allow_implicit_no_password>1</allow_implicit_no_password>
+    <allow_plaintext_password>0</allow_plaintext_password>
+    <allow_no_password>0</allow_no_password>
+    <allow_implicit_no_password>0</allow_implicit_no_password>
 
     <!-- When a user does not specify a password type in the CREATE USER query, the default password type is used.
          Accepted values are: 'plaintext_password', 'sha256_password', 'double_sha1_password', 'bcrypt_password'.

@@ -0,0 +1,110 @@
+<clickhouse>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password_sha256_hex>7e099f39b84ea79559b3e85ea046804e63725fd1f46b37f281276aae20f86dc3</password_sha256_hex>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.clickhouse.com.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <!-- <access_management>1</access_management> -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</clickhouse>
@@ -36,11 +36,14 @@
 
 - name: Copy a customized clickhouse config
   copy:
-    src: config.xml
-    dest: /etc/clickhouse-server/config.xml
+    src: "{{ item }}"
+    dest: "/etc/clickhouse-server/{{ item }}"
     owner: pmm
     group: pmm
     mode: 0664
+  loop:
+    - config.xml
+    - users.xml
 
 # We need to remove capabilities because we run PMM in an unprivileged container
 # But we run clickhouse as root user

@@ -2,6 +2,7 @@ apiVersion: 1
 deleteDatasources:
   - name: ClickHouse
     orgId: 1
+
 datasources:
 - name: Metrics
   version: 2
@@ -14,6 +15,7 @@ datasources:
     httpMethod: POST
     keepCookies: []
     timeInterval: 1s
+
 - name: PostgreSQL
   version: 2
   orgId: 1
@@ -30,16 +32,22 @@ datasources:
     sslmode: ${PMM_POSTGRES_SSL_MODE}
   secureJsonData:
     password: ${PMM_POSTGRES_DBPASSWORD}
+
 - name: PTSummary
   version: 2
   orgId: 1
   type: pmm-pt-summary-datasource
   access: proxy
+
+# https://github.com/grafana/clickhouse-datasource?tab=readme-ov-file#with-a-configuration-file
 - name: ClickHouse
   orgId: 1
   version: 2
   type: grafana-clickhouse-datasource
   jsonData:
+    username: ${PMM_CLICKHOUSE_USERNAME}
     port: ${PMM_CLICKHOUSE_PORT}
-    server: ${PMM_CLICKHOUSE_HOST}
-    tlsSkipVerify: false
+    host: ${PMM_CLICKHOUSE_HOST}
+    tlsSkipVerify: false
+  secureJsonData:
+    password: ${PMM_CLICKHOUSE_PASSWORD}
@@ -26,12 +26,12 @@ Below is a list of affected variables and their new names.
 | `PERCONA_TEST_CHECKS_PUBLIC_KEY`              |                                            | Removed in PMM v3, use `PMM_DEV_PERCONA_PLATFORM_PUBLIC_KEY` |
 | `PERCONA_TEST_NICER_API`                      |                                            | Removed in PMM v3                                            |
 | `PERCONA_TEST_PMM_CLICKHOUSE_ADDR`            | `PMM_CLICKHOUSE_ADDR`                      |                                                              |
-| `PERCONA_TEST_PMM_CLICKHOUSE_BLOCK_SIZE`      |                                            | Removed in PMM v3, because of new clickhouse version.        |
 | `PERCONA_TEST_PMM_CLICKHOUSE_DATABASE`        | `PMM_CLICKHOUSE_DATABASE`                  |                                                              |
 | `PERCONA_TEST_PMM_CLICKHOUSE_DATASOURCE`      | `PMM_CLICKHOUSE_DATASOURCE`                |                                                              |
 | `PERCONA_TEST_PMM_CLICKHOUSE_HOST`            | `PMM_CLICKHOUSE_HOST`                      |                                                              |
-| `PERCONA_TEST_PMM_CLICKHOUSE_POOL_SIZE`       |                                            | Removed in PMM v3, because of new clickhouse version.        |
 | `PERCONA_TEST_PMM_CLICKHOUSE_PORT`            | `PMM_CLICKHOUSE_PORT`                      |                                                              |
+| `PERCONA_TEST_PMM_CLICKHOUSE_POOL_SIZE`       |                                            | Removed in PMM v3, because of new clickhouse version.        |
+| `PERCONA_TEST_PMM_CLICKHOUSE_BLOCK_SIZE`      |                                            | Removed in PMM v3, because of new clickhouse version.        |
 | `PERCONA_TEST_PMM_DISABLE_BUILTIN_CLICKHOUSE` | `PMM_DISABLE_BUILTIN_CLICKHOUSE`           |                                                              |
 | `PERCONA_TEST_PMM_DISABLE_BUILTIN_POSTGRES`   | `PMM_DISABLE_BUILTIN_POSTGRES`             |                                                              |
 | `PERCONA_TEST_INTERFACE_TO_BIND`              | `PMM_INTERFACE_TO_BIND`                    |                                                              |
@@ -53,5 +53,13 @@ Below is a list of affected variables and their new names.
 | `PMM_TEST_TELEMETRY_FILE`                     | `PMM_DEV_TELEMETRY_FILE`                   |                                                              |
 | `PERCONA_TEST_TELEMETRY_HOST`                 | `PMM_DEV_TELEMETRY_HOST`                   |                                                              |
 | `PERCONA_TEST_TELEMETRY_INTERVAL`             | `PMM_DEV_TELEMETRY_INTERVAL`               |                                                              |
-| `PERCONA_TEST_TELEMETRY_RETRY_BACKOFF`        | `PMM_DEV_TELEMETRY_RETRY_BACKOFF`          |                                                              |                 
+| `PERCONA_TEST_TELEMETRY_RETRY_BACKOFF`        | `PMM_DEV_TELEMETRY_RETRY_BACKOFF`          |                                                              |
 | `PERCONA_TEST_VERSION_SERVICE_URL`            |                                            | Removed in PMM v3, use `PMM_DEV_PERCONA_PLATFORM_ADDRESS`    |
+
+
+## Changes to environment variables in v3+
+
+| PMM 3                                      | Comments                                                     |
+|--------------------------------------------|--------------------------------------------------------------|
+| `PMM_CLICKHOUSE_USER`                      | Added in v3.1.0                                              |
+| `PMM_CLICKHOUSE_PASSWORD`                  | Added in v3.1.0                                              |
@@ -47,6 +47,8 @@ const (
 	defaultClickhouseDatabase           = "pmm"
 	defaultClickhouseAddr               = "127.0.0.1:9000"
 	defaultClickhouseDataSourceAddr     = "127.0.0.1:8123"
+	defaultClickhouseUser               = "default"
+	defaultClickhousePassword           = "clickhouse"
 	defaultVMSearchMaxQueryLen          = "1MB"
 	defaultVMSearchLatencyOffset        = "5s"
 	defaultVMSearchMaxUniqueTimeseries  = "100000000"
@@ -277,6 +279,8 @@ func (s *Service) marshalConfig(tmpl *template.Template, settings *models.Settin
 	clickhouseAddr := getValueFromENV("PMM_CLICKHOUSE_ADDR", defaultClickhouseAddr)
 	clickhouseDataSourceAddr := getValueFromENV("PMM_CLICKHOUSE_DATASOURCE_ADDR", defaultClickhouseDataSourceAddr)
 	clickhouseAddrPair := strings.SplitN(clickhouseAddr, ":", 2)
+	clickhouseUser := getValueFromENV("PMM_CLICKHOUSE_USER", defaultClickhouseUser)
+	clickhousePassword := getValueFromENV("PMM_CLICKHOUSE_PASSWORD", defaultClickhousePassword)
 	vmSearchDisableCache := getValueFromENV("VM_search_disableCache", strconv.FormatBool(!settings.IsVictoriaMetricsCacheEnabled()))
 	vmSearchMaxQueryLen := getValueFromENV("VM_search_maxQueryLen", defaultVMSearchMaxQueryLen)
 	vmSearchLatencyOffset := getValueFromENV("VM_search_latencyOffset", defaultVMSearchLatencyOffset)
@@ -308,6 +312,8 @@ func (s *Service) marshalConfig(tmpl *template.Template, settings *models.Settin
 		"ClickhouseDatabase":           clickhouseDatabase,
 		"ClickhouseHost":               clickhouseAddrPair[0],
 		"ClickhousePort":               clickhouseAddrPair[1],
+		"ClickhouseUser":               clickhouseUser,
+		"ClickhousePassword":           clickhousePassword,
 	}
 
 	s.addPostgresParams(templateParams)
@@ -317,7 +323,7 @@ func (s *Service) marshalConfig(tmpl *template.Template, settings *models.Settin
 	if settings.PMMPublicAddress != "" {
 		pmmPublicAddress := settings.PMMPublicAddress
 		if !strings.HasPrefix(pmmPublicAddress, "https://") && !strings.HasPrefix(pmmPublicAddress, "http://") {
-			pmmPublicAddress = fmt.Sprintf("https://%s", pmmPublicAddress)
+			pmmPublicAddress = "https://" + pmmPublicAddress
 		}
 		publicURL, err := url.Parse(pmmPublicAddress)
 		if err != nil {
@@ -574,6 +580,8 @@ command =
 environment =
 	PMM_CLICKHOUSE_ADDR="{{ .ClickhouseAddr }}",
 	PMM_CLICKHOUSE_DATABASE="{{ .ClickhouseDatabase }}",
+	PMM_CLICKHOUSE_USER="{{ .ClickhouseUser }}",
+	PMM_CLICKHOUSE_PASSWORD="{{ .ClickhousePassword }}",
 
 
 user = pmm
@@ -623,6 +631,8 @@ environment =
     PMM_CLICKHOUSE_DATASOURCE_ADDR="{{ .ClickhouseDataSourceAddr }}",
     PMM_CLICKHOUSE_HOST="{{ .ClickhouseHost }}",
     PMM_CLICKHOUSE_PORT="{{ .ClickhousePort }}",
+    PMM_CLICKHOUSE_USER="{{ .ClickhouseUser }}",
+    PMM_CLICKHOUSE_PASSWORD="{{ .ClickhousePassword }}",
     {{- if .PerconaSSODetails}}
     GF_AUTH_SIGNOUT_REDIRECT_URL="https://{{ .IssuerDomain }}/login/signout?fromURI=https://{{ .PMMServerAddress }}/graph/login"
     {{- end}}

@@ -19,6 +19,8 @@ environment =
     PMM_CLICKHOUSE_DATASOURCE_ADDR="127.0.0.1:8123",
     PMM_CLICKHOUSE_HOST="127.0.0.1",
     PMM_CLICKHOUSE_PORT="9000",
+    PMM_CLICKHOUSE_USER="default",
+    PMM_CLICKHOUSE_PASSWORD="clickhouse",
 user = pmm
 directory = /usr/share/grafana
 autorestart = true

@@ -8,6 +8,8 @@ command =
 environment =
 	PMM_CLICKHOUSE_ADDR="127.0.0.1:9000",
 	PMM_CLICKHOUSE_DATABASE="pmm",
+	PMM_CLICKHOUSE_USER="default",
+	PMM_CLICKHOUSE_PASSWORD="clickhouse",
 
 
 user = pmm

@@ -25,6 +25,7 @@ import (
 	"net"
 	"net/http"
 	_ "net/http/pprof" //nolint:gosec
+	"net/url"
 	"os"
 	"os/signal"
 	"strings"
@@ -49,7 +50,7 @@ import (
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	qanpb "github.com/percona/pmm/api/qan/v1"
+	qanv1 "github.com/percona/pmm/api/qan/v1"
 	"github.com/percona/pmm/qan-api2/models"
 	aservice "github.com/percona/pmm/qan-api2/services/analytics"
 	rservice "github.com/percona/pmm/qan-api2/services/receiver"
@@ -62,7 +63,7 @@ import (
 
 const (
 	shutdownTimeout = 3 * time.Second
-	defaultDsnF     = "clickhouse://%s/%s"
+	defaultDsnF     = "clickhouse://%s:%s@%s/%s"
 	maxIdleConns    = 5
 	maxOpenConns    = 10
 )
@@ -93,8 +94,8 @@ func runGRPCServer(ctx context.Context, db *sqlx.DB, mbm *models.MetricsBucket,
 	)
 
 	aserv := aservice.NewService(rm, mm)
-	qanpb.RegisterCollectorServiceServer(grpcServer, rservice.NewService(mbm))
-	qanpb.RegisterQANServiceServer(grpcServer, aserv)
+	qanv1.RegisterCollectorServiceServer(grpcServer, rservice.NewService(mbm))
+	qanv1.RegisterQANServiceServer(grpcServer, aserv)
 	reflection.Register(grpcServer)
 
 	if l.Logger.GetLevel() >= logrus.DebugLevel {
@@ -154,7 +155,7 @@ func runJSONServer(ctx context.Context, grpcBindF, jsonBindF string) {
 
 	type registrar func(context.Context, *grpc_gateway.ServeMux, string, []grpc.DialOption) error
 	for _, r := range []registrar{
-		qanpb.RegisterQANServiceHandlerFromEndpoint,
+		qanv1.RegisterQANServiceHandlerFromEndpoint,
 	} {
 		if err := r(ctx, proxyMux, grpcBindF, opts); err != nil {
 			l.Panic(err)
@@ -255,9 +256,11 @@ func main() {
 	jsonBindF := kingpin.Flag("json-bind", "JSON bind address and port").Default("127.0.0.1:9922").String()
 	debugBindF := kingpin.Flag("listen-debug-addr", "Debug server listen address").Default("127.0.0.1:9933").String()
 	dataRetentionF := kingpin.Flag("data-retention", "QAN data Retention (in days)").Default("30").Uint()
-	dsnF := kingpin.Flag("dsn", "ClickHouse database DSN. Can be override with database/host/port options").Default(defaultDsnF).String()
-	clickHouseDatabaseF := kingpin.Flag("clickhouse-name", "Clickhouse database name").Default("pmm").Envar("PMM_CLICKHOUSE_DATABASE").String()
-	clickhouseAddrF := kingpin.Flag("clickhouse-addr", "Clickhouse database address").Default("127.0.0.1:9000").Envar("PMM_CLICKHOUSE_ADDR").String()
+	dsnF := kingpin.Flag("dsn", "ClickHouse database DSN. Can be overridden with database/host/port options").Default(defaultDsnF).String()
+	clickhouseDatabaseF := kingpin.Flag("clickhouse-name", "ClickHouse database name").Default("pmm").Envar("PMM_CLICKHOUSE_DATABASE").String()
+	clickhouseAddrF := kingpin.Flag("clickhouse-addr", "ClickHouse database address").Default("127.0.0.1:9000").Envar("PMM_CLICKHOUSE_ADDR").String()
+	clickhouseUserF := kingpin.Flag("clickhouse-user", "ClickHouse database user").Default("default").Envar("PMM_CLICKHOUSE_USER").String()
+	clickhousePasswordF := kingpin.Flag("clickhouse-password", "ClickHouse database user password").Default("clikchouse").Envar("PMM_CLICKHOUSE_PASSWORD").String()
 
 	debugF := kingpin.Flag("debug", "Enable debug logging").Bool()
 	traceF := kingpin.Flag("trace", "Enable trace logging (implies debug)").Bool()
@@ -285,12 +288,18 @@ func main() {
 
 	var dsn string
 	if *dsnF == defaultDsnF {
-		dsn = fmt.Sprintf(defaultDsnF, *clickhouseAddrF, *clickHouseDatabaseF)
+		dsn = fmt.Sprintf(defaultDsnF, *clickhouseUserF, *clickhousePasswordF, *clickhouseAddrF, *clickhouseDatabaseF)
 	} else {
 		dsn = *dsnF
 	}
 
-	l.Info("DSN: ", dsn)
+	u, err := url.Parse(dsn)
+	if err != nil {
+		l.Error("Failed to parse DSN: ", err)
+	} else {
+		l.Info("DSN: ", u.Redacted())
+	}
+
 	db := NewDB(dsn, maxIdleConns, maxOpenConns)
 
 	prom.MustRegister(sqlmetrics.NewCollector("clickhouse", "qan-api2", db.DB))
@@ -345,7 +354,7 @@ func main() {
 		defer wg.Done()
 		for {
 			// Drop old partitions once in 24h.
-			DropOldPartition(db, *clickHouseDatabaseF, *dataRetentionF)
+			DropOldPartition(db, *clickhouseDatabaseF, *dataRetentionF)
 			select {
 			case <-ctx.Done():
 				return