ClickHouse/docs/en/operations/external-authenticators/ssl-x509.md
Marcelo Rodriguez 2d0020e9f6 updated config file and xml tag
Updated with correct config file.
updated xml tag per this commit:
cb66a63aa4
2022-05-11 11:36:53 -06:00


SSL X.509 certificate authentication

The SSL 'strict' option enables mandatory certificate validation for incoming connections. In this case, only connections with trusted certificates can be established; connections with untrusted certificates are rejected. Certificate validation thus makes it possible to uniquely authenticate an incoming connection. The Common Name field of the certificate is used to identify the connected user, which allows multiple certificates to be associated with the same user. Additionally, reissuing and revoking certificates does not affect the ClickHouse configuration.

To enable SSL certificate authentication, a list of Common Names for each ClickHouse user must be specified in the settings file users.xml:

Example

<clickhouse>
    <!-- ... -->
    <users>
        <user_name>
            <ssl_certificates>
                <common_name>host.domain.com:example_user</common_name>
                <common_name>host.domain.com:example_user_dev</common_name>
                <!-- More names -->
            </ssl_certificates>
            <!-- Other settings -->
        </user_name>
    </users>
</clickhouse>

For the SSL chain of trust to work correctly, it is also important to make sure that the caConfig parameter is configured properly.
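The following configuration check is an added example, not part of the ClickHouse documentation or code base. It assumes that verificationMode and caConfig sit under openSSL/server in the server configuration file; both XML samples are constructed, and the finding about a Common Name listed under several users is a review item rather than documented ClickHouse behaviour.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input (not from a real deployment).
USERS_XML = """
<clickhouse><users>
    <example_user><ssl_certificates>
        <common_name>host.domain.com:example_user</common_name>
        <common_name>host.domain.com:shared</common_name>
    </ssl_certificates></example_user>
    <reporting><ssl_certificates>
        <common_name>host.domain.com:shared</common_name>
        <common_name>  </common_name>
    </ssl_certificates></reporting>
</users></clickhouse>
"""
# Assumed layout: openSSL/server holds verificationMode and caConfig.
CONFIG_XML = """
<clickhouse><openSSL><server>
    <verificationMode>relaxed</verificationMode>
</server></openSSL></clickhouse>
"""

def audit(users_xml, config_xml):
    """Return a sorted list of findings for certificate-authentication settings."""
    findings = []
    server = ET.fromstring(config_xml).find("openSSL/server")
    mode = server.findtext("verificationMode", "").strip() if server is not None else ""
    if mode != "strict":
        findings.append(f"verificationMode is {mode or 'unset'!r}, expected 'strict'")
    # Without a CA bundle the chain of trust cannot be verified.
    if server is None or not (server.findtext("caConfig") or "").strip():
        findings.append("caConfig is not set")
    owners = defaultdict(set)  # Common Name -> users that list it
    for user in ET.fromstring(users_xml).findall("users/*"):
        for cn in user.findall("ssl_certificates/common_name"):
            name = (cn.text or "").strip()
            if not name:
                findings.append(f"user {user.tag}: empty common_name")
            else:
                owners[name].add(user.tag)
    # Review item: one certificate identity attached to several accounts.
    for name, users in owners.items():
        if len(users) > 1:
            findings.append(f"common_name {name!r} listed for users {sorted(users)}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(USERS_XML, CONFIG_XML)))
```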