Common security tasks

Here are shortcuts to some common security-related tasks.

• Disabling password-based logins
• Giving someone complete control of all ClickHouse® clusters inside certain Altinity.Cloud environments
• Giving someone access to certain ClickHouse clusters in certain Altinity.Cloud environments
• Giving someone complete access to all Altinity.Cloud environments, including the ability to create or delete them
• Securing access to your ClickHouse clusters

As you would expect, there are links to in-depth documentation throughout.

Disabling password-based logins

Scenario: You want to protect yourself from the security risk of leaked passwords.

The answer: Change your organization’s login settings.

How to do it:

1. Click the Accounts tab on the left to go to the Accounts page. Click the LOGIN SETTINGS button:
   
   

   

2. Enable Block password logins and disable Allow password for admins:
   
   

   

See Configuring login settings for complete details. For more information about setting up an identity provider for your Altinity.Cloud account, see our Auth0 page.

Giving someone complete control of all clusters inside certain environments

Scenario: You want a user to be able to create, read, edit, or delete clusters inside the environment(s) you specify. The user is not able to create or delete an environment, however.

The answer: Create a new user with role envadmin.

How to do it:

1. Click the Accounts tab on the left to go to the Accounts page. Click the + ADD ACCOUNT button:
   
   

   

2. On the Common Information tab, give the user the role envadmin:
   
   

   

3. On the Environment Access tab, select the environments you want. The new user will be able to read or edit any cluster in those environments:
   
   

   

   Again, the user will not be able to create or delete environments.

Giving someone access to certain clusters in certain environments

Scenario: You want a user to be able to read, edit, or delete clusters you specify inside the environments you specify. The user can also create new clusters in those environments.

The answer: Create a new user with role envuser.

How to do it:

1. Click the Accounts tab on the left to go to the Accounts page. Click the + ADD ACCOUNT button:
   
   

   

2. On the Common Information tab, give the user the role envuser:
   
   

   

3. On the Environment Access tab, select the environments you want. The new user will be able to read, edit, or delete the clusters you select in those environments. They can also create clusters in any of those environments:
   
   

   

4. On the Cluster Access tab, select the clusters you want. The new user will be able to read, edit, or delete those clusters. The only clusters in the list are the ones in the environments you selected previously:
   
   

   

Giving someone complete access to all environments, including the ability to create or delete them

Scenario: You want a user to be able to do anything with all the environments in your organization, including the ability to create or delete them.

The answer: Create a new user with role orgadmin.

How to do it:

1. Click the Accounts tab on the left to go to the Accounts page. Click the + ADD ACCOUNT button:
   
   

   

2. On the Common Information tab, give the user the role orgadmin:
   
   

   

Securing access to your ClickHouse clusters

Scenario: You want to do everything you can to control access to your ClickHouse clusters.

The answer: Well, there are several things you can do:

• The best way is to use VPC endpoints (AWS) or Private Service Connect (GCP).
• IP whitelisting is the easiest way to get started.
• You can also contact Altinity support to set up VPC peering for your Altinity.Cloud account.

See the Securing access to your ClickHouse clusters section of the security best practices page for all the details.