Clickhouse安装部署
Centos 安装
First, you need to add the official repository:
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://packages.clickhouse.com/rpm/clickhouse.repo
Later any yum install can be replaced by zypper install. To specify a particular version, add -$VERSION to the end of the package name, e.g. clickhouse-client-22.2.2.22.
Install ClickHouse server and client
yum install -y clickhouse-server clickhouse-client
Deprecated Method for installing rpm-packages 已弃用安装rpm包的方法
sudo yum install yum-utils sudo rpm --import https://repo.clickhouse.com/CLICKHOUSE-KEY.GPG sudo yum-config-manager --add-repo https://repo.clickhouse.com/rpm/clickhouse.repo sudo yum install clickhouse-server clickhouse-client sudo /etc/init.d/clickhouse-server startclickhouse-client # or "clickhouse-client --password" if you set up a password.
sudo systemctl enable clickhouse-server sudo systemctl start clickhouse-server sudo systemctl status clickhouse-server clickhouse-client # or "clickhouse-client --password" if you set up a password.
3 Install standalone ClickHouse Keeper
tip
In production environment we strongly recommend running ClickHouse Keeper on dedicated nodes. In test environments, if you decide to run ClickHouse Server and ClickHouse Keeper on the same server, you do not need to install ClickHouse Keeper as it is included with ClickHouse server. This command is only needed on standalone ClickHouse Keeper servers.
sudo yum install -y clickhouse-keeper
Enable and start ClickHouse Keeper
sudo systemctl enable clickhouse-keeper
sudo systemctl start clickhouse-keeper
sudo systemctl status clickhouse-keeper
4 端口设置
<!-- Listen specified address. Use :: (wildcard IPv6 address), if you want to accept connections both with IPv4 and IPv6 from everywhere. Notes: If you open connections from wildcard address, make sure that at least one of the following measures applied: - server is protected by firewall and not accessible from untrusted networks; - all users are restricted to subset of network addresses (see users.xml); - all users have strong passwords, only secure (TLS) interfaces are accessible, or connections are only made via TLS interfaces. - users without password have readonly access. See also: https://www.shodan.io/search?query=clickhouse --> <!-- <listen_host>::</listen_host> --> <listen_host>::</listen_host> <!-- Same for hosts without support for IPv6: --> <!-- <listen_host>0.0.0.0</listen_host> --> <!-- Default values - try listen localhost on IPv4 and IPv6. --> <!-- <listen_host>::1</listen_host> <listen_host>127.0.0.1</listen_host> -->
5 用户设置
参考文档:
https://blog.csdn.net/mnasd/article/details/127567352 ClickHouse—用户权限控制
https://www.cnblogs.com/MrYang-11-GetKnow/p/16190018.html clickhouse用户密码的三种设置方法
...
...
<!-- Users and ACL. --> <users> <!-- If user name was not specified, 'default' user is used. --> <clickuser> <!-- See also the files in users.d directory where the password can be overridden. Password could be specified in plaintext or in SHA256 (in hex format). If you want to specify password in plaintext (not recommended), place it in 'password' element. Example: <password>qwerty</password>. Password could be empty. If you want to specify SHA256, place it in 'password_sha256_hex' element. Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex> Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019). If you want to specify double SHA1, place it in 'password_double_sha1_hex' element. Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex> If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication, place its name in 'server' element inside 'ldap' element. Example: <ldap><server>my_ldap_server</server></ldap> If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config), place 'kerberos' element instead of 'password' (and similar) elements. The name part of the canonical principal name of the initiator must match the user name for authentication to succeed. You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests whose initiator's realm matches it. Example: <kerberos /> Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos> How to generate decent password: Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-' In first line will be password and in second - corresponding SHA256. How to generate double SHA1: Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-' In first line will be password and in second - corresponding double SHA1. --> <password>tEus7#KHp$lntP=luiR3</password> <!-- List of networks with open access. To open access from everywhere, specify: <ip>::/0</ip> To open access only from localhost, specify: <ip>::1</ip> <ip>127.0.0.1</ip> Each element of list has one of the following forms: <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0 2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::. <host> Hostname. Example: server01.clickhouse.com. To check access, DNS query is performed, and all received addresses compared to peer address. <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$ To check access, DNS PTR query is performed for peer address and then regexp is applied. Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address. Strongly recommended that regexp is ends with $ All results of DNS requests are cached till server restart. --> <networks> <ip>::/0</ip> </networks> <!-- Settings profile for user. --> <profile>default</profile> <!-- Quota for user. --> <quota>default</quota> <!-- User can create other users and grant rights to them. --> <access_management>1</access_management> <!-- User can manipulate named collections. --> <named_collection_control>1</named_collection_control> <!-- User permissions can be granted here --> <!-- <grants> <query>GRANT ALL ON *.*</query> </grants> --> </clickuser> </users>
