# Profiles of settings. profiles: # Default settings. default: # Maximum memory usage for processing single query, in bytes. max_memory_usage: 10000000000 # How to choose between replicas during distributed query processing. # random - choose random replica from set of replicas with minimum number of errors # nearest_hostname - from set of replicas with minimum number of errors, choose replica # with minimum number of different symbols between replica's hostname and local hostname (Hamming distance). # hostname_levenshtein_distance - just the same with nearest_hostname but calculate the difference by Levenshtein distance. # in_order - first live replica is chosen in specified order. # first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors. load_balancing: random # Profile that allows only read queries. readonly: readonly: 1 # Users and ACL. users: # If user name was not specified, 'default' user is used. default: # Password could be specified in plaintext or in SHA256 (in hex format). # # If you want to specify password in plaintext (not recommended), place it in 'password' element. # Example: password: qwerty # Password could be empty. # # If you want to specify SHA256, place it in 'password_sha256_hex' element. # Example: password_sha256_hex: 65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5 # Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019). # # If you want to specify double SHA1, place it in 'password_double_sha1_hex' element. # Example: password_double_sha1_hex: e395796d6546b1b65db9d665cd43f0e858dd4303 # # If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication, # place its name in 'server' element inside 'ldap' element. # Example: ldap: # server: my_ldap_server # # If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config), # place 'kerberos' element instead of 'password' (and similar) elements. # The name part of the canonical principal name of the initiator must match the user name for authentication to succeed. # You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests # whose initiator's realm matches it. # Example: kerberos: '' # Example: kerberos: # realm: EXAMPLE.COM # # How to generate decent password: # Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-' # In first line will be password and in second - corresponding SHA256. # # How to generate double SHA1: # Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-' # In first line will be password and in second - corresponding double SHA1. password: '' # List of networks with open access. # # To open access from everywhere, specify: # - ip: '::/0' # # To open access only from localhost, specify: # - ip: '::1' # - ip: 127.0.0.1 # # Each element of list has one of the following forms: # ip: IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0 # 2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::. # host: Hostname. Example: server01.clickhouse.com. # To check access, DNS query is performed, and all received addresses compared to peer address. # host_regexp: Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$ # To check access, DNS PTR query is performed for peer address and then regexp is applied. # Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address. # Strongly recommended that regexp is ends with $ and take all expression in '' # All results of DNS requests are cached till server restart. networks: ip: '::/0' # Settings profile for user. profile: default # Quota for user. quota: default # User can create other users and grant rights to them. # access_management: 1 # Quotas. quotas: # Name of quota. default: # Limits for time interval. You could specify many intervals with different limits. interval: # Length of interval. duration: 3600 # No limits. Just calculate resource usage for time interval. queries: 0 errors: 0 result_rows: 0 read_rows: 0 execution_time: 0