Merge pull request #27828 from adevyatova/annadevyatova-DOCSUP-12872-secured

DOCSUP-12872: Optional secured communication between ClickHouse and Zookeeper
2024-09-20 08:40:50 +00:00 · 2021-10-31 22:13:07 +03:00 · 2021-10-31 22:13:07 +03:00 · d2a0b25711
commit d2a0b25711
parent 211ff056e9 568a473612
2 changed files with 75 additions and 0 deletions
--- a/docs/en/operations/server-configuration-parameters/settings.md
+++ b/docs/en/operations/server-configuration-parameters/settings.md
@ -1290,6 +1290,7 @@ This section contains the following parameters:

 -   [Replication](../../engines/table-engines/mergetree-family/replication.md)
 -   [ZooKeeper Programmer’s Guide](http://zookeeper.apache.org/doc/current/zookeeperProgrammers.html)
+-   [Optional secured communication between ClickHouse and Zookeeper](../ssl-zookeeper.md#secured-communication-with-zookeeper)

 ## use_minimalistic_part_header_in_zookeeper {#server-settings-use_minimalistic_part_header_in_zookeeper}

--- a/docs/en/operations/ssl-zookeeper.md
+++ b/docs/en/operations/ssl-zookeeper.md
@ -0,0 +1,74 @@
+---
+toc_priority: 45
+toc_title: Secured communication with Zookeeper
+---
+
+# Optional secured communication between ClickHouse and Zookeeper {#secured-communication-with-zookeeper}
+
+You should specify `ssl.keyStore.location`, `ssl.keyStore.password` and `ssl.trustStore.location`, `ssl.trustStore.password` for communication with ClickHouse client over SSL. These options are available from Zookeeper version 3.5.2.
+
+You can add `zookeeper.crt` to trusted certificates.
+
+``` bash
+sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt
+sudo update-ca-certificates
+```
+
+Client section in `config.xml` will look like:
+
+``` xml
+<client>
+    <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
+    <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
+    <loadDefaultCAFile>true</loadDefaultCAFile>
+    <cacheSessions>true</cacheSessions>
+    <disableProtocols>sslv2,sslv3</disableProtocols>
+    <preferServerCiphers>true</preferServerCiphers>
+    <invalidCertificateHandler>
+        <name>RejectCertificateHandler</name>
+    </invalidCertificateHandler>
+</client>
+```
+
+Add Zookeeper to ClickHouse config with some cluster and macros:
+
+``` xml
+<yandex>
+    <zookeeper>
+        <node>
+            <host>localhost</host>
+            <port>2281</port>
+            <secure>1</secure>
+        </node>
+    </zookeeper>
+</yandex>
+```
+
+Start `clickhouse-server`. In logs you should see:
+
+```text
+<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281
+```
+
+Prefix `secure://` indicates that connection is secured by SSL.
+
+To ensure traffic is encrypted run `tcpdump` on secured port:
+
+```bash
+tcpdump -i any dst port 2281 -nnXS
+```
+
+And query in `clickhouse-client`:
+
+```sql
+SELECT * FROM system.zookeeper WHERE path = '/';
+```
+
+On unencrypted connection you will see in `tcpdump` output something like this:
+
+```text
+..../zookeeper/q
+uota.
+```
+
+On encrypted connection you should not see this.