ClickHouse/docs/en/operations/ssl-zookeeper.md
Dan Roscigno f4f85a069b
Go live with doc updates (#42053)
* QIP to add overview page

* wip

* New Tutorial and Datasets landing page

* give an example for Cloud

* Update UK Price Paid for Cloud

* Update nyc-taxi.md

* add option for Cloud Load Data button

* Removed the Import Raw Data section

* Update nyc-taxi.md

* update user management and replication docs

* mark self managed

* set doc ordering

* add redirects setting

* Simple fixes to index.md

Co-authored-by: rfraposa <richraposa@gmail.com>
2022-10-04 14:36:59 +03:00


---
slug: /en/operations/ssl-zookeeper
sidebar_position: 45
sidebar_label: Secured Communication with Zookeeper
---

# Optional secured communication between ClickHouse and Zookeeper

import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_automated.md';

In the ZooKeeper configuration, specify `ssl.keyStore.location`, `ssl.keyStore.password` and `ssl.trustStore.location`, `ssl.trustStore.password` so that the ClickHouse client can communicate with ZooKeeper over SSL. These options are available from ZooKeeper version 3.5.2.

You can add `zookeeper.crt` to the trusted certificates:

```bash
sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt
sudo update-ca-certificates
```

The client section in `config.xml` will look like:

```xml
<client>
    <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
    <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
    <loadDefaultCAFile>true</loadDefaultCAFile>
    <cacheSessions>true</cacheSessions>
    <disableProtocols>sslv2,sslv3</disableProtocols>
    <preferServerCiphers>true</preferServerCiphers>
    <invalidCertificateHandler>
        <name>RejectCertificateHandler</name>
    </invalidCertificateHandler>
</client>
```

Add ZooKeeper to the ClickHouse config, together with some cluster and macros:

```xml
<clickhouse>
    <zookeeper>
        <node>
            <host>localhost</host>
            <port>2281</port>
            <secure>1</secure>
        </node>
    </zookeeper>
</clickhouse>
```
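The two fragments above are easy to get subtly wrong: a node without `<secure>1</secure>` silently falls back to plaintext, and swapping `RejectCertificateHandler` for the permissive `AcceptCertificateHandler` accepts any certificate ZooKeeper presents. The following Python audit is an added example, not part of the ClickHouse docs or code base. It assumes the `<client>` section sits under `<openSSL>` as in the default `config.xml`, and the sample configuration it checks is constructed here, with a hypothetical second ZooKeeper node (`zk2.example.internal`) left on the plaintext port.

```python
"""Audit a ClickHouse config.xml fragment for the ZooKeeper-over-SSL settings.

Added example, not ClickHouse's own tooling. Assumes the <client> section
from the docs lives under <openSSL> (as in the default config.xml) and that
every <zookeeper><node> must carry <secure>1</secure>.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the docs' client and zookeeper sections, plus a
# hypothetical second ZooKeeper node that was left on the plaintext port.
SAMPLE_CONFIG = """<clickhouse>
  <openSSL>
    <client>
      <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
      <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
      <loadDefaultCAFile>true</loadDefaultCAFile>
      <cacheSessions>true</cacheSessions>
      <disableProtocols>sslv2,sslv3</disableProtocols>
      <preferServerCiphers>true</preferServerCiphers>
      <invalidCertificateHandler>
        <name>RejectCertificateHandler</name>
      </invalidCertificateHandler>
    </client>
  </openSSL>
  <zookeeper>
    <node><host>localhost</host><port>2281</port><secure>1</secure></node>
    <node><host>zk2.example.internal</host><port>2181</port></node>
  </zookeeper>
</clickhouse>
"""


def audit_zookeeper_ssl(config_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings: List[str] = []
    root = ET.fromstring(config_xml)

    client = root.find("./openSSL/client")
    if client is None:
        findings.append("openSSL/client section missing; ClickHouse has no TLS client settings")
    else:
        # An untrusted ZooKeeper certificate must abort the connection, not be accepted.
        handler = client.findtext("./invalidCertificateHandler/name")
        if handler != "RejectCertificateHandler":
            findings.append(
                f"invalidCertificateHandler is {handler!r}; use RejectCertificateHandler "
                "so an untrusted ZooKeeper certificate aborts the connection"
            )
        # disableProtocols is a comma-separated list; normalise before comparing.
        disabled = {
            p.strip().lower()
            for p in (client.findtext("disableProtocols") or "").split(",")
            if p.strip()
        }
        for proto in ("sslv2", "sslv3"):
            if proto not in disabled:
                findings.append(f"{proto} is not listed in disableProtocols")

    nodes = root.findall("./zookeeper/node")
    if not nodes:
        findings.append("no <zookeeper><node> entries configured")
    for node in nodes:
        host = node.findtext("host") or "?"
        port = node.findtext("port") or "?"
        # Without <secure>1</secure> the node is contacted in plaintext.
        if node.findtext("secure") != "1":
            findings.append(
                f"zookeeper node {host}:{port} lacks <secure>1</secure>; "
                "ClickHouse will connect in plaintext"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_zookeeper_ssl(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real `config.xml` (or the merged output of `config.d/`) before restarting the server; the only finding on the constructed sample is the second node, which is exactly the case the `secure://` log prefix described below would reveal only after the fact.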

Start `clickhouse-server`. In the logs you should see:

```text
<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281
```

The `secure://` prefix indicates that the connection is secured by SSL.

To verify that the traffic is encrypted, run `tcpdump` on the secured port:

```bash
tcpdump -i any dst port 2281 -nnXS
```

And run a query in `clickhouse-client`:

```sql
SELECT * FROM system.zookeeper WHERE path = '/';
```

On an unencrypted connection you will see something like this in the `tcpdump` output:

```text
..../zookeeper/quota.
```

On an encrypted connection you should not see this.
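Eyeballing the `-X` dump for `/zookeeper/quota` works for a one-off check; the script below, an added example that is not part of the ClickHouse docs, turns that check into something repeatable. It parses the `tcpdump -nnXS` text format (a header line per packet followed by `0xNNNN:` lines of hex groups, two spaces, then the ASCII column), strips the IPv4 and TCP headers, and classifies each packet to the ZooKeeper port as plaintext (ZooKeeper paths visible), TLS (a record header `0x14`..`0x17` followed by version `0x03 0x0N`), or unknown. The two packets in `SAMPLE_TCPDUMP` are constructed for this example: one plaintext request naming `/zookeeper/quota`, one TLS application-data record.

```python
"""Classify packets from `tcpdump -i any dst port 2281 -nnXS` as plaintext
ZooKeeper traffic or TLS. Added example, not part of the ClickHouse docs.
"""
import re
from typing import Dict, List, Optional

PKT_HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP6? (\S+) > (\S+):")
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}  # ccs, alert, handshake, app data

# Constructed sample of tcpdump -X output: packet 1 is a plaintext ZooKeeper
# request carrying the path /zookeeper/quota, packet 2 is a TLS record.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 127.0.0.1.51000 > 127.0.0.1.2281: Flags [P.], seq 1:41, ack 1, win 512, length 40
\t0x0000:  4500 0050 0000 4000 4006 3c6f 7f00 0001  E..P..@.@.<o....
\t0x0010:  7f00 0001 c738 08e9 0000 0001 0000 0001  .....8..........
\t0x0020:  5018 0200 0000 0000 0000 0010 0000 0001  P...............
\t0x0030:  0000 0008 0000 0010 2f7a 6f6f 6b65 6570  ......../zookeep
\t0x0040:  6572 2f71 756f 7461 0000 0000 0000 0000  er/quota........
12:00:02.000001 IP 127.0.0.1.51001 > 127.0.0.1.2281: Flags [P.], seq 1:25, ack 1, win 512, length 24
\t0x0000:  4500 0040 0000 4000 4006 3c7f 7f00 0001  E..@..@.@.<.....
\t0x0010:  7f00 0001 c739 08e9 0000 0001 0000 0001  .....9..........
\t0x0020:  5018 0200 0000 0000 1703 0300 138c 3f1e  P.............?.
\t0x0030:  a29b 1c0d 77e2 5f41 09cc 6b91 d04a 7e05  ....w._A..k..J~.
"""


def _hex_bytes(line: str) -> Optional[bytes]:
    """Decode the hex groups of one -X dump line; None if it is not such a line."""
    m = HEX_LINE.match(line)
    if not m:
        return None
    hex_part = m.group(1).split("  ", 1)[0]  # the ASCII column follows two spaces
    return bytes.fromhex(hex_part.replace(" ", ""))


def parse_tcpdump(text: str) -> List[Dict]:
    """Group hex lines under their packet header and reassemble the bytes."""
    packets: List[Dict] = []
    for line in text.splitlines():
        m = PKT_HEADER.match(line)
        if m:
            packets.append({"src": m.group(1), "dst": m.group(2), "data": bytearray()})
            continue
        chunk = _hex_bytes(line)
        if chunk is not None and packets:
            packets[-1]["data"] += chunk
    return packets


def tcp_payload(data: bytes) -> bytes:
    """Strip the IPv4 and TCP headers; -X output starts at the IP header."""
    if len(data) < 40 or (data[0] >> 4) != 4:
        return b""
    ihl = (data[0] & 0x0F) * 4
    doff = ((data[ihl + 12] >> 4) & 0x0F) * 4
    return bytes(data[ihl + doff:])


def classify(payload: bytes) -> str:
    """'tls' for a TLS record header, 'plaintext' if ZooKeeper paths are readable."""
    if not payload:
        return "no-payload"
    if (
        len(payload) >= 3
        and payload[0] in TLS_RECORD_TYPES
        and payload[1] == 0x03
        and payload[2] <= 0x04
    ):
        return "tls"
    if b"/zookeeper" in payload or b"/clickhouse" in payload:
        return "plaintext"
    return "unknown"


def audit_capture(text: str) -> List[Dict]:
    """One verdict per packet in the capture text."""
    return [
        {"src": p["src"], "dst": p["dst"], "verdict": classify(tcp_payload(p["data"]))}
        for p in parse_tcpdump(text)
    ]


if __name__ == "__main__":
    for r in audit_capture(SAMPLE_TCPDUMP):
        print(f'{r["src"]} -> {r["dst"]}: {r["verdict"]}')
```

Feed it a saved capture (`tcpdump -i any dst port 2281 -nnXS > zk.txt`) while running the `system.zookeeper` query; any `plaintext` verdict means a ClickHouse node is still talking to ZooKeeper without `<secure>1</secure>`.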