Best Practices

What we’ve learned about keeping your ClickHouse® clusters and data secure

We’ll look at security from three perspectives here, all of which are essential:

The documentation covers specific topics that relate to security. They are referenced throughout this page, but here’s a list if you want to go directly to a particular topic:

Finally, see the Security page in the Altinity Operations Guide for an even more in-depth discussion of security topics.

Securing access to Altinity.Cloud

Your Altinity.Cloud account makes it easy to create and manage your ClickHouse clusters, so securing access to Altinity.Cloud is crucial. There are a few straightforward steps you can take to do this:

Use an external identity provider

Altinity.Cloud supports integration with external identity providers via Auth0. Altinity customers use a variety of identity providers, including Google, Microsoft Azure Active Directory, Okta, and Keycloak.

For complete details on setting up an external identity provider, see the Integrating SSO via Auto0 into the Altinity.Cloud login page.

Disable password logins

Once you’ve set up an external identity provider, it makes sense to disable password logins altogether. This removes the possibility of password leakage. We strongly recommend that anyone using an external identity provider disable password logins, including logins for administrators.

The Login Settings dialog in the ACM has controls to make this easy:

Password login settings

See the General login settings section on the Working with User Accounts page in the Administrator Guide.

Configure automatic user registration

If you use an identity provider, you can set up your Altinity.Cloud account to create a new Altinity.Cloud account for a previously unknown user who authenticated through your identity provider. If you’re an Okta customer, read on; otherwise you’ll need to contact Altinity support to configure Altinity.Cloud for your provider. If you’re curious about the technical details, see the Auth0 integration page.

You can configure automatic user registration as part of the Login settings for your organization. For all the details, see the Synchronizing users with an identity provider section of the Defining login settings page in the Administrator Guide.

Use different roles for different users

Obviously every user should have no more access to your Altinity.Cloud account than they need. See the details of account roles and security tiers to determine the right level of access for each user you create.

In addition, if you use an identity provider, you can define a mapping between roles in your Altinity.Cloud account and roles in your identity provider. (You might map the Okta admin role to the Altinity.Cloud orgadmin role, for example.) Those roles should be mapped to give every user no more access than they need as well. Contact Altinity support to configure how your Altinity.Cloud account works with your identity provider. For all the details, see the Auth0 integration page.

Securing access to your ClickHouse clusters

Altinity.Cloud provides HTTP and TCP access endpoints to your ClickHouse clusters. This traffic is encrypted in transit, and certificates are renewed every three months. If a ClickHouse cluster has sensitive data, you should avoid using a public load balancer. The public load balancer provides a public endpoint for third-party attackers.

There are several ways to secure the endpoints of your ClickHouse clusters:

Use VPC Endpoints (AWS) or Private Service Connect (GCP) endpoints

The best way to secure access to a ClickHouse cluster from within your cloud infrastructure is with a VPC Endpoint (AWS) or a Private Service Connect (GCP). In this scenario, Altinity.Cloud configures an internal load balancer and connectivity between the ClickHouse cluster and your VPC.

When a VPC endpoint is enabled, the public load balancer is automatically turned off, and the cluster view in the ACM displays the VPC endpoint icon:

VPC endpoint enabled

Figure 2 - VPC endpoint enabled

The Connecting to Altinity.Cloud documentation has complete details on setting up an Amazon VPC endpoint. Documentation for setting up a GCP Private Service Connect endpoint is coming soon; contact Altinity support for help in the meantime.

VPC peering (BYOC only)

Altinity.Cloud also supports VPC peering when managing resources in your account. Please contact Altinity support to configure VPC peering.

IP whitelisting

The ACM makes it easy to set up an IP whitelist. You can define one on the Connection Configuration tab of the Launch Cluster Wizard when you create a ClickHouse cluster, and you can change it later in the Connection Configuration dialog. IP restrictions are enabled by default, and the default whitelist is simply the IP address from which you’re accessing the ACM. The UI is straightforward:

Setting IP restrictions

Figure 3 - Setting IP restrictions

You can enter one or more addresses in CIDR format, separated by commas or newlines.

Looking at the clusters view in the Altinity Cloud Manager, the green lock icon means IP restrictions are enabled, while the red triangle icon means that IP restrictions are not enabled. Mousing over the icons displays a message:

IP restrictions status

Figure 4 - IP restrictions status

Once your ClickHouse cluster is configured, you can configure the cluster to edit the addresses on the whitelist or disable IP restrictions completely. Complete details are on the Configuring Connections page of the Configuring a Cluster section of the User Guide.

Use Altinity Shield (Beta)

Altinity Shield uses Altinity’s CHGuard as a sidecar proxy to protect your cluster endpoint from DDoS and password enumeration attacks. You can enable it on a per-cluster basis in the Configure Connections dialog:

Altinity Shield settings

Figure 5 - Altinity Shield enabled

You can disable it temporarily with the Temporary Bypass slider; that disables the shield without uninstalling it. The cluster view in the ACM displays the shield enabled or or shield bypassed icons:

Altinity Shield settings

Figure 6 - Altinity Shield status displayed in the clusters view

See the Configuring Connections page in the Configuring a Cluster section of the User Guide for complete details.

Securing access to your ClickHouse data

Once you’ve secured access to your Altinity.Cloud account and your ClickHouse clusters, there are steps you can take inside ClickHouse itself to protect your data.

The Security page in the Operations Guide has guidelines to secure ClickHouse systems in general, with recommendations for hardening your network, storage, and users. Much of the information in the Operations Guide doesn’t apply to Altinity.Cloud customers because Altinity.Cloud handles network and storage hardening for you automatically. Some of our security features include:

  • Your ClickHouse clusters are isolated; they’re all in separate Kubernetes clusters.
  • Your storage is isolated as well, and it users each cloud provider’s encryption features.
  • TLS is enabled.
  • VPC endpoints are supported.
  • Intercluster communications are secured.

For user hardening, you can increase ClickHouse security at the user level with the following techniques:

  • User configuration: Setup secure default users, roles and permissions through configuration or SQL.
  • Secure passwords: Store user information as hashed values.
  • Set quotas: Limit how many resources users can use in given intervals.
  • Use profiles: Use profiles to set common security settings across multiple accounts.
  • Database restrictions: Narrow the databases, tables and rows that a user can access.

See The Security page in the Operations Guide for all the details.