3.7 KiB
slug | title |
---|---|
/en/operations/external-authenticators/http | HTTP |
import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_no_roadmap.md';
HTTP server can be used to authenticate ClickHouse users. HTTP authentication can only be used as an external authenticator for existing users, which are defined in users.xml
or in local access control paths. Currently, Basic authentication scheme using GET method is supported.
HTTP authentication server definition
To define HTTP authentication server you must add http_authentication_servers
section to the config.xml
.
Example
<clickhouse>
<!- ... -->
<http_authentication_servers>
<basic_auth_server>
<uri>http://localhost:8000/auth</uri>
<connection_timeout_ms>1000</connection_timeout_ms>
<receive_timeout_ms>1000</receive_timeout_ms>
<send_timeout_ms>1000</send_timeout_ms>
<max_tries>3</max_tries>
<retry_initial_backoff_ms>50</retry_initial_backoff_ms>
<retry_max_backoff_ms>1000</retry_max_backoff_ms>
</basic_auth_server>
</http_authentication_servers>
</clickhouse>
Note, that you can define multiple HTTP servers inside the http_authentication_servers
section using distinct names.
Parameters
uri
- URI for making authentication request
Timeouts in milliseconds on the socket used for communicating with the server:
connection_timeout_ms
- Default: 1000 ms.receive_timeout_ms
- Default: 1000 ms.send_timeout_ms
- Default: 1000 ms.
Retry parameters:
max_tries
- The maximum number of attempts to make an authentication request. Default: 3retry_initial_backoff_ms
- The backoff initial interval on retry. Default: 50 msretry_max_backoff_ms
- The maximum backoff interval. Default: 1000 ms
Enabling HTTP authentication in users.xml
In order to enable HTTP authentication for the user, specify http_authentication
section instead of password
or similar sections in the user definition.
Parameters:
server
- Name of the HTTP authentication server configured in the mainconfig.xml
file as described previously.scheme
- HTTP authentication scheme.Basic
is only supported now. Default: Basic
Example (goes into users.xml
):
<clickhouse>
<!- ... -->
<my_user>
<!- ... -->
<http_authentication>
<server>basic_server</server>
<scheme>basic</scheme>
</http_authentication>
</test_user_2>
</clickhouse>
:::note
Note that HTTP authentication cannot be used alongside with any other authentication mechanism. The presence of any other sections like password
alongside http_authentication
will force ClickHouse to shutdown.
:::
Enabling HTTP authentication using SQL
When SQL-driven Access Control and Account Management is enabled in ClickHouse, users identified by HTTP authentication can also be created using SQL statements.
CREATE USER my_user IDENTIFIED WITH HTTP SERVER 'basic_server' SCHEME 'Basic'
...or, Basic
is default without explicit scheme definition
CREATE USER my_user IDENTIFIED WITH HTTP SERVER 'basic_server'
Passing session settings
If a response body from HTTP authentication server has JSON format and contains settings
sub-object, ClickHouse will try parse its key: value pairs as string values and set them as session settings for authenticated user's current session. If parsing is failed, a response body from server will be ignored.