This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Administrator Guide

How to manage Altinity.Cloud.

Altinity.Cloud allows administrators to manage clusters, users, and keep control of their ClickHouse environments with a few clicks. Monitoring tools are provided so you can keep track of everything in your environment to keep on top of your business.

1 - Access Control

How to control access to your organizations, environments, and clusters.

Altinity.Cloud provides role based access control. Depending the role granted to an Altinity.Cloud Account, they can assign other Altinity.Cloud accounts roles and grant permissions to access organizations, environments, or clusters.

1.1 - Role-Based Access and Security Tiers

Altinity.Cloud hierarchy and role-based access.

25 April 2023 · Read time 3 min

Introduction

Access to ClickHouse data hosted in Altinity.Cloud is controlled through a combination of security tiers and account roles. This allows companies to tailor access to data in a way that maximizes security while still allowing ease of access.

Security Tiers

Altinity.Cloud groups a set of clusters together in ways that allow companies to provide Accounts access only to the clusters or groups of clusters that they need.

Altinity.Cloud groups clusters into the following security-related tiers:

Security Tiers
Figure 1 - Security tier showing the relationship between an organization, environment, cluster, and ClickHouse database nodes.


Hierarchy

  • ClickHouse databases and tables live inside clusters.
  • Clusters contain ClickHouse databases and manage access.
  • Environments contain one or more clusters.
  • Organization is the highest level that houses one or more environments.

Security Tier

Account access is controlled by assigning an account a single role and a security tier depending on their role.
A single account can be assigned to:

  • A single Organization
  • One or multiple Environments
  • One or multiple Clusters within an environment

Account Roles

The actions that can be taken by Altinity.Cloud accounts are based on the role they are assigned.
The following roles and their actions based on the security tier are detailed in Table 1.

Role Descriptions

  • orgadmin manages the Organization including all user accounts and Environment settings.
  • envadmin within an Organization can edit assigned Environments and has full access to any cluster.
  • envuser is a member of an Organization that has full access to specified clusters.
  • billing can access billing page only, view invoices, and update payment details.

Roles and Permissions
Table 1 - Role names and their levels of access to Environments and Clusters.


Organization Example

The following example in Table 2 shows an Organization called HappyDragon that shows how Accounts and Role assignments are configured. Role names are also shown in Figure 1. The account roles are tied into the security tiers and allow an account to access multiple environments and clusters depending on what type of tier they are assigned to.

Account Title Role Organization Accounts Billing Environments Clusters
mary Administrator orgadmin HappyDragon all all Access to all Env. all
jessica Operations envadmin HappyDragon n/a n/a HappyDragon_Prod
HappyDragon_Dev		 all
peter Developer envadmin HappyDragon n/a n/a HappyDragon_Dev all
paul Marketing envuser HappyDragon marketing n/a HappyDragon_Prod marketing

Table 2 - Accounts and their roles and security tiers.

Account and Roles

Mary (Administrator, Role: orgadmin)

Mary is the orgadmin role, which has the highest level of access in this example.

  • Has full access to the organization account
  • Can create and manage access for other users
  • Can create and manage new environments
  • Can create and manage new clusters

Jessica (Operations, Role: envadmin)

  • Has read access (but not write or delete access) to both Dev and Prod environments
  • Has full access to read, write and delete clusters in both environments

Peter (Developer, Role: envadmin)

  • Has read access (but not write or delete access) to the Dev environment
  • Has full access to read, write and delete any cluster in the Dev environment

Paul (Marketing user, Role: envuser)

  • Has read, write and delete access to the cluster marketing in the environment HappyDragon_Prod

1.2 - Account Management

How to manage Altinity.Cloud accounts.

Altinity.Cloud accounts with the role orgadmin are able to create new Altinity.Cloud accounts and associate them with organizations, environments, and one or more clusters depending on their role. For more information on roles, see Role Based Access and Security Tiers.

Account Page

The Account Page displays all accounts assigned to the same Organization and Environments as the logged in account.

For example: the accounts mario, luigi, and peach and todd are members of the organizations MushroomFactory and BeanFactory as follows:

Account Role Organization: MushroomFactory Organization: BeanFactory
peach orgadmin *  
mario orgadmin   *
luigi envuser   *
todd envuser *  
  • peach will be able to see their account and todd in the Account Page, while accounts mario and luigi will be hidden from them.
  • mario will be able to see their account and luigi.

Access Accounts

To access the accounts that are assigned to the same Organizations and Environments as the logged in user with the account role orgadmin:

  1. Login to Altinity.Cloud with an account granted the orgadmin role.
  2. From the left navigation panel, select Accounts.
  3. All accounts that are in the same Organizations and Environments as the logged in account will be displayed.

Account Details

Accounts have the following details that can be set by an account with the orgadmin role:

  1. Common Information:
    1. Name: The name of the account.
    2. Email (Required): The email address of the account. This will be used to login, reset passwords, notifications, and other uses. This must be a working email for these functions to work.
    3. Password: The password for the account. Once a user has authenticated to the account, they can change their password.
    4. Confirm Password: Confirm the password for the account.
    5. Role (Required): The role assigned to the account. For more information on roles, see Role Based Access and Security Tiers.
    6. Organization: The organization assigned to the account. Note that the orgadmin can only assign accounts the same organizations that the orgadmin account also belongs to.
    7. Suspended: When enabled, this prevents the account from logging into Altinity.Cloud.
  2. Environment Access:
    1. Select the environments that the account will require access to. Note that the orgadmin can only assign accounts the same environments that the orgadmin account also belongs to.
  3. Cluster Access:
    1. This is only visible if the Role is set to envuser. This allows one or more clusters in the environments the new account was assigned to in Environmental Access to be accessed by them.
  4. API Access:
    1. Allows the new account to make API calls from the listed domain names.

Account Actions

Create Account

orgadmin accounts can create new accounts and assign them to the same organization and environments they are assigned to. For example, continuing the scenario from above, if account peach is assigned to the organization MushroomFactory and the environments MushroomProd and MushroomDev, they can assign new accounts to the organization MushroomFactory, and to the environments MushroomProd or MushroomDev or both.

To create a new account:

  1. Login to Altinity.Cloud with an account granted the orgadmin role.

  2. From the left navigation panel, select Accounts.

  3. Select Add Account.

  4. Set the fields as listed in the Account Details section.

    New User Settings

  5. Once all settings are completed, select Save. The account will be able to login with the username and password, or if their email address is registered through Google, Auth0.

Edit Account

  1. Login to Altinity.Cloud with an account granted the orgadmin role.
  2. From the left navigation panel, select Accounts.
  3. From the left hand side of the Accounts table, select the menu icon for the account to update and select Edit.
  4. Update the fields as listed in the Account Details section.
  5. When finished, select Save.

Suspend Account

Instead of deleting an account, setting an account to Suspended may be more efficient to preserve the accounts name and other settings. A suspended account is unable to login to Altinity.Cloud. This includes directly logging through a browser and API calls made under the account.

To suspend or activate an account:

  1. Login to Altinity.Cloud with an account granted the orgadmin role.
  2. From the left navigation panel, select Accounts.
  3. From the left hand side of the Accounts table, select the menu icon for the account to update and select Edit.
    1. To suspend an account, toggle Suspended to on.
    2. To activate a suspended account, toggle Suspended to off.
  4. When finished, select Save.

Delete Account

Accounts can be deleted which removes all information on the account. Clusters and environments created by account will remain.

To delete an existing account:

  1. Login to Altinity.Cloud with an account granted the orgadmin role.
  2. From the left navigation panel, select Accounts.
  3. From the left hand side of the Accounts table, select the menu icon for the account to update and select Delete.
  4. Verify the account is to be deleted by selecting OK.

1.3 - Integrating Okta into the Altinity.Cloud login page

How to set up Okta integration with Auth0 in Altinity.Cloud

Overview - Okta Integration

Altinity uses Auth0 so that customers who are already logged into other identity providers such as Google or Okta are automatically granted access to Altinity.Cloud.

The following diagram shows the Altinity login process using Auth0, plus adding Okta as discussed on this page.

  1. Logging in to Altinity.Cloud using a Login Email and Password.
  2. The Auth0 login link to use a 3rd party authenticator such as Google or Okta. (See Okta/Auth0 Altinity Integration)
  3. Using Okta allows previously authorized logged-in employees to gain immediate access to Altinity.Cloud. (See Okta Customer Configuration)
Launch Cluster wizard screens

Figure 1 – Altinity integration of an Okta customer to Auth0.

Okta Client Details

Contact Altinity to add the Okta domain and Client ID to the Altinity.Cloud access list. Please provide the following:

  • The domain you want to sign in on the Okta side, e.g. somemail.com. Note: it should match your organization domain in Altinity.Cloud.
  • Okta Domain, e.g. somemail.okta.com
  • Okta Client ID

Okta/Auth0 Altinity Integration

These steps are for Altinity technical support to add an Okta connection to Auth0.


Setting up the Auth0 connection

  1. Go to Auth0 Dashboard -> Authentication -> Enterprise.
  2. Click Create (plus icon) next to OpenID Connect.
  3. Provide a name.
  4. Copy the Okta domain provided by a customer to Issuer URL.
  5. Copy the Client ID provided by a customer to the Client ID.
  6. Click Create.

Enabling the connection

  1. Go to Auth0 Dashboard -> Applications.
  2. Click the application you wish to use with the connection.
  3. Go to the Connections tab, find your newly created connection, and switch it on.

Testing the connection

  1. Go to Auth0 Dashboard -> Authentication -> Enterprise.
  2. Click OpenID Connect (not the plus sign, the text).
  3. Find the newly created connection.
  4. Click the three dots on the right -> Try.
    • You should be greeted with an Okta password prompt, or if there is a problem, an error is shown.

Enabling the button

  1. Go to Auth0 Dashboard -> Authentication -> Enterprise.
  2. Click OpenID Connect (not the plus sign, the text).
  3. Find the newly created connection and click its name.
  4. Go to the Login Experience tab.
  5. Check the Connection button -> Display connection as a button.
  6. Configure the Button display name and logo URL.
  7. Click Save.

Testing

  1. Go to the https://acm.altinity.cloud login page.
  2. Click Sign in with Auth0.
  3. A button for the new connection should be shown.
  4. Upon clicking the button, it should either ask for Okta credentials or log straight into the app.

Altinity blog post

The following Altinity blog post provides an in-depth discussion of adding Okta as an identity provider.

1.4 - Altinity Access to ClickHouse

How to restrict Altinity access to data and cluster administration.

5 June 2023 · Read time 3 min

Introduction

Altinity Access settings allow Altinity.Cloud users to limit the level of access Altinity personnel have to customer ClickHouse data or administrative operations. Altinity.Cloud provides two types of limits:

  • Data Access - Control the ability of Altinity personnel to view or change data in ClickHouse tables.
  • Management Access - Control ability to change cluster configuration or perform administrative actions.

If you restrict access to data or management functions you may choose to lift them from time to time to allow Altinity support to diagnose problems or perform operations on your behalf. You can apply the restrictions again afterward.

Viewing and Changing Altinity Access Settings

Access the Cluster Dashboard view of any cluster. You will see the ALTINITY ACCESS button on the upper right-hand side of the dashboard view.

Altinity Access button
Figure 1 - The Altinity Access Button in Cluster Dashboard

Button Colors

The color indicates the Altinity access level to ClickHouse data.

Altinity Access settings

  • Clear (shown) - Altinity personnel have no access to ClickHouse data.
  • Green - Altinity personnel have read-only access to system tables.
  • Orange - Altinity personnel have read-only access to all tables.
  • Red - Altinity personnel have read/write access to all tables.

Access Level Settings

Press the ALTINITY ACCESS button to manage access settings.

Altinity Access settings
Figure 2 - Altinity Access Dialog


You may change settings and press CONFIRM to apply or CANCEL to quit. Changing settings requires an account with EnvUser role or higher.

You may choose any data access level that you please. The following table shows the level of access for each.

Level Meaning
No Access Altinity personnel may not use the ACM Query Browser or Schema Browser. They cannot look at data or schema.
System (Default) Altinity personnel use the ACM Query browser to query system tables and may look at table definitions in the Schema Browser. This setting provides a good balance between protecting data and providing access required for quick support from Altinity.
Read Only In addition to the above, Altinity personnel may use the ACM Query Browser to run SELECT statements that read data from any table.
Full Access In addition to the above, Altinity personnel use the ACM Query Browser to run SQL statements that alter data.

Management Access Settings

You may similarly enable or disable management access. The following sections describe the affected access levels.

Enable Cluster Configuration Management

Checking this box allows Altinity personnel to perform any of the following operations related to configuration.

  • Changing cluster configuration settings.
  • Changing users or profiles.
  • Setting connection configuration.
  • Altering backup settings.
  • Setting uptime schedules.
  • Setting alerts.

The above actions can cause your server to restart, alter user passwords, or change the information that you receive from Altinity.Cloud about your clusters. If the box is unchecked only you can make these changes.

Enable Cluster Actions

Checking this box allows Altinity staff to perform any of the following operations related to cluster administration.

  • Creating new clusters.
  • Rescaling clusters.
  • Upgrading clusters.
  • Restarting clusters.

The above actions may cause your server to restart, behave differently for applications, or affect operating costs. If the box is unchecked only you can make these changes.

2 - Altinity Backup Solutions

This section covers Altinity backup and restore solutions.

14 March 2023 · Read time 1 min

Overview

This section covers backup and restore options provided by the Altinity Cloud Manager.

Backups

Restoring Data

Contact Altinity Support

3 - How to use Altinity Backup and the Restore Wizard

This section covers how to use the Altinity Restore Wizard.

14 March 2023 · Read time 5 min

Overview

This section covers the Altinity Cloud Manager Cluster Restore Wizard, which is available from your cluster’s ACTIONS > Restore a Backup menu. This guide walks you through the steps to restore a cluster from an Altinity backup.

Create Backup

In addition to scheduled backups, an ad hoc backup feature is provided to create an on-demand snapshot. By manually creating a backup from the ACTIONS 》 Create Backup Backup, each backup request adds a Tag with a timestamp.

  • Note that for ad hoc backups, there are no configuration options. A dialog box (Cluster Backup) displays to let you know the backup is in progress.
Cluster Backup acknowledgement dialog box

Figure 1 – Making an on-demand backup: the ACTIONS 》Create Backup and the confirmation window.

UI Text

  • Cluster Backup The Backup procedure for the Cluster your-backup has been scheduled. It will require some time to finish the procedure. Note: Backup files are handled by ACM and stored separately from the cluster instances. These backup files will remain available even if you accidentally delete the cluster.

Backup Scheduling

To change the backup schedule from the 7 day default, bring up your cluster Environments settings, select the 3-dot menu icon beside your cluster, choose Edit then the Backups tab.

Cluster Backup Schedulingz

Figure 2 – Backup Schedule settings from the Environment > Cluster > Edit > Backup tab.

Restore a Backup

Prerequisites

  • Login to the Altinity.Cloud Manager https://acm.altinity.cloud/clusters
  • The backup operator has backup roles and permissions set up in My Account > Common Information > Role and Access Rights
  • Accounts > Manage Roles > Account Role Details > Cluster Settings and NodeTypes are set to (Allow)
  • The backup provider is Altinity or an external cloud provider
  • The Organization list of account Names has been granted the role of allowing backups and restores to the listed Environments

NOTE: New users do not have the rights to perform manual backups and restore functions, so the default view of the Actions menu will not display the backup or restore options.

The following wizard screens are covered on this page:

  1. Backup Location
  2. Source Cluster
  3. Source Backup
  4. Destination Cluster
  5. Restore Summary
  6. Cluster Launch Wizard

The following illustration shows a summary of the various screens available in the Restore Wizard option.

  • The Backup Location may be the Altinity.Cloud Backup or a Remote Backup of your choice of cloud provider.
  • Colored orange, the Cluster Launch Wizard opens after you CONTINUE from the last screen of the Cluster Restore Wizard.
    Restore Wizard summary

Figure 2 – Each of the 5 Restore Wizard screens and the available settings.


Clusters > Actions - Where to find the Restore Wizard

The ACTIONS menu contains the Restore a Backup function that starts the Cluster Restore Wizard within the Altinity.Cloud Connection Manager. The following screenshot shows the Altinity.Cloud Connection Manager dashboard screen for cluster-a, highlighting points of interest.

  1. The your-environment menu is the parent for your clusters.
  2. The Clusters in the left navigation pane let you know where you are in the ACM.
  3. The cluster-a is the name of the dashboard you are currently viewing.
  4. The Actions menu is where the Backup and Restore functions are found.

NOTE: If your account and roles are not set up, you will not see all of the items in the left-hand pane or all the items in the Actions menu.

Environment

Figure 3 – The dashboard view of cluster-a showing the selected environment and the ACTIONS menu.


ACTIONS menu - Backup and Restore

From your cluster dashboard, the ACTIONS menu lists the Restore a Backup setting.

Backup and Restore options in the cluster Action menu

Figure 4 – The ACTIONS menu shows the Restore a Backup setting.


Running the Cluster Restore Wizard

From the Altinity Cloud Manager cluster screen select ACTIONS > Restore a Backup to open the Cluster Restore Wizard. The

Features of the interface shown in Figure 4:

  • The left side of each Cluster Restore Wizard screen shows the progress of the restore operation.
  • The green bar indicates the section of the wizard you are viewing.
  • The dimmed choices indicate you have not yet set anything in those screens.
  • After progressing through the wizard screens, you can return to a previous screen by clicking on any of the 5 names of the screens shown in the left pane.

Buttons located at the bottom right include:

  • CANCEL - Closes the Wizard without saving any settings.
  • NEXT - Indicates that there is another screen that you will go to.
  • BACK - Returns to the previous screen while retaining any changes you have made.
  • CONTINUE - Appears on the last screen of the wizard. Click to start the Cluster Launch Wizard.
  • The left pane titles are also buttons that allow you to jump directly to without using the BACK button.

1. Backup Location

This screen lets you choose where your backups are located, either from Altinity or from your own cloud provider.

  • Altinity.Cloud Backup
  • Remote Backup (AWS or GCP)

Backup Location Information

  • This Backup Location information screen is used to choose between an Altinity backup or an external cloud vendor.

Altinity.Cloud Backup

To use Altinity as the source of the cluster you want to restore:

  1. Select Altinity.Cloud Backup from the Backup Location Information.
  2. Select an Altinity environment from the Source Environment menu, for example, tenant-a.
  3. Select NEXT to go to the next screen Source Cluster.
Launch Cluster button

Figure 5 – The Backup Location Information screen, selecting the Altinity.Cloud Backup and the Source Environment (for example: tenant-a).

Remote Backup

Use this selection if you are using a third-party cloud provider such as Amazon (AWS) or Google (GCP). Select Remote Backup, fill in the fields then NEXT.

  1. Select Remote Backup, fill in the following fields from steps 2 to 7 then NEXT.
Launch Cluster button

Figure 6 – The Altinity Cloud Manager (ACM) home page, selecting the LAUNCH CLUSTER button.

  1. Select an Altinity-supported cloud provider:
    Cloud Storage Provider


  2. Copy the AWS or GCP Access Key and paste it here:
    Access Key

    • UI Text: Storage Access Key
    • Example: EXAMPLE_KEY_ID_ABCDEFGH

  1. Copy the AWS or GCP Secret Key and paste it here:
    Secret Key
    • UI Text: Storage Secret Key
    • Example: EXAMPLE_SECRET_ACCESS_KEY_ID_ABCDEFGH

  1. Enter the Region identifier string ID here:
    Region

  1. Enter the Bucket name:
    Bucket

  1. Select ACM (Altinity Cloud Manager) if you want to retain this folder structure:
    ACM Compatible Folder Structure
    • UI Text: Bucket contents was previously created by ACM or has a fully ACM-compatible structure
    • Example: (checked)

  1. Select NEXT to go to the next screen Source Cluster.

2. Source Cluster

The Source Cluster Information screen lets you choose one cluster from a list of cluster names. The following column names appear in a scrolling table:

  • Radio button - Marks the cluster you want to use as the source. (Example: selected)
  • Cluster - This is the name of the backed-up cluster. (Example: abc)
  • Namespace - This is the environment name. (Example: tenant-a)
  • Configuration - Checked if the configuration information is included in the backup (Example: checked)

To select a cluster name:

  1. In the Source Cluster Information scrolling table, select the radio button of the Cluster name.
    Source Cluster Information

    • UI Text: Note: It is possible to restore a complete Cluster’s configuration only if a given backup contains it.
    • Example: abc

  2. Select NEXT to go to the next screen Source Backup.

Launch Cluster wizard screens

Figure 7 – The restore wizard screen 2 of 5 Source Cluster Information showing the selected cluster abc.


3. Source Backup (Backup Tag)

The Backup Information: <environment name>/<cluster name> screen lists the available backups by date. Note that the environment name (example tenant-a) and cluster name (example: abc) were selected in the previous wizard screens.

The following column names appear in a scrolling table:

  • Radio button - Marks the backup Tag name you want to use.
  • Tag - This is the 14-digit name of the backed-up cluster that is the year yyyy month mm day dd time hhmmss (Example: 20230104201700)
  • Size - This is the size of the backup. (Example: 450 B)
  • Timestamp - The date and time of the backup (Example: 2023-01-04-20:17:00)
  • Configuration - Checked if the configuration information is included in the backup (Example: checked)

To select a backup:

  1. In the screen Backup Information: tenant-a/abc select the radio button by the Tag name. Example: Tag: 20230104201700

  2. Select NEXT to go to the next screen Destination Cluster.

Cluster Launch Wizard summary

Figure 8 – The wizard restore wizard screen 3 of 5 Backup Information showing a Tag backup selected.


4. Destination Cluster

The Destination Cluster Information screen is where the restored data is saved to.

Available options are:

  • Launch a new Cluster
  • Launch a new Cluster using configuration and settings of a source cluster
  • Restore into an existing cluster
    • A new cluster will be launched using a fresh setup (it may be different from the original Cluster configuration)

Launch a new Cluster

The Launch of a new cluster runs the Cluster Launch Wizard immediately after the Review & Confirm screen appears and you select CONTINUE.

Select Launch a new cluster then NEXT to advance to Restore Summary.

Launch a new Cluster using the configuration and settings of a source cluster

Use this setting if you want to override the backed-up cluster settings such as CPU, RAM, and Storage size to instead use the destination cluster values.

The Launch a New Cluster runs the Cluster Launch Wizard immediately after the Review & Confirm screen appears and you select CONTINUE.

Select Launch a new cluster then NEXT to advance to Restore Summary.

Launch a new Cluster

In the Name field, create a new name.

  • Example: restored-cluster-backup

Source Cluster

Ignores the backed-up settings and instead uses the settings in the destination cluster. This is useful when you want to ignore the settings of the existing cluster and instead use the backed-up configuration.

Existing Cluster

This is the opposite of the Source Cluster. This is useful when you want to use the settings of the existing cluster and not the backed-up configuration.

Cluster Launch Wizard summary

Figure 9 – The restore wizard screen 4 of 5 Destination Cluster Information with Launch a new Cluster selected.


5. Restore Summary

This Review & Confirm screen covers communication details such as port settings and endpoint information. To change a setting, select BACK or the title of the screen from the left-hand pane. Select CONTINUE to save and begin the restore process. IMPORTANT: Do not perform any changes to the restored cluster until the process is complete

UI Text: Please review and confirm the selected options:

Cluster Launch Wizard summary

Figure 10 – The last restore wizard screen 5 of 5 Review & Confirm.


Cluster Launch Wizard

The Cluster Launch Wizard starts automatically after selecting CONTINUE from the Cluster Restore Wizard. From that point, follow the instructions to create a cluster to restore to.

Cluster Launch Wizard summary

Figure 11 – The Cluster Launch Wizard appears after you select CONTINUE from the Cluster Restore Wizard.