From d4e0ed6c5280d464ccb0a2cbef1fb6fcab0822e5 Mon Sep 17 00:00:00 2001 From: Sam Calder-Mason Date: Thu, 17 Oct 2024 13:57:41 +1000 Subject: [PATCH] feat(docker-compose): Add clickhouse users (#402) * feat(docker-compose): Add clickhouse users * fix: Update password tags to include replace attribute * fix: Update password replacement value in users.xml * fix: Update default ClickHouse password in script * fix: Update ClickHouse password handling in scripts * fix: Update CLICKHOUSE_PASSWORD handling in config files * chore: Update ClickHouse password handling in config files * fix: Update password variable in database connection URL --- .github/cannon/assert_clickhouse.sh | 2 +- .github/workflows/sentry-smoke-test.yaml | 2 +- .../etc/clickhouse-server/config.d/config.xml | 1 + .../docker-entrypoint-initdb.d/init-db.sh | 41 ++++++++++++++++ .../etc/clickhouse-server/users.d/users.xml | 16 +++++++ .../etc/clickhouse-server/config.d/config.xml | 1 + .../docker-entrypoint-initdb.d/init-db.sh | 47 ++++++++++++++++++- .../etc/clickhouse-server/users.d/users.xml | 16 +++++++ .../grafana/datasources/datasources.yaml | 20 ++++---- docker-compose.yml | 26 ++++++++-- 10 files changed, 152 insertions(+), 20 deletions(-) diff --git a/.github/cannon/assert_clickhouse.sh b/.github/cannon/assert_clickhouse.sh index febbc7a4..dcd17ca9 100755 --- a/.github/cannon/assert_clickhouse.sh +++ b/.github/cannon/assert_clickhouse.sh @@ -12,7 +12,7 @@ SEEDING_YAML="$1" CLICKHOUSE_HOST=${CLICKHOUSE_HOST:-"localhost"} CLICKHOUSE_PORT=${CLICKHOUSE_PORT:-"9000"} CLICKHOUSE_USER=${CLICKHOUSE_USER:-"default"} -CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:-""} +CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD} CLICKHOUSE_DB=${CLICKHOUSE_DB:-"default"} # Function to execute ClickHouse query diff --git a/.github/workflows/sentry-smoke-test.yaml b/.github/workflows/sentry-smoke-test.yaml index e8bbf7ba..526c87a4 100644 --- a/.github/workflows/sentry-smoke-test.yaml +++ b/.github/workflows/sentry-smoke-test.yaml 
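Review bot: The new `CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD}` line in assert_clickhouse.sh is a self-assignment that does nothing, so an unset password still reaches the client as an empty string, only without the explicit `:-""` that used to document it. If this script is meant to run against the password-protected server the commit introduces, failing fast is clearer: `CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD must be set}`. If an empty password is still a supported case, keep the old default and say so in a comment. The rest of the script, including how the value is handed to the client, is outside the hunk.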
@@ -134,7 +134,7 @@ jobs: for sentry in "${all_sentries[@]}"; do pretty_print "Checking $table table for $sentry..." "none" while true; do - data_count=$(docker exec xatu-clickhouse-01 clickhouse-client --query "SELECT COUNT(*) FROM default.$table WHERE meta_client_name = '$sentry'" || true) + data_count=$(docker exec xatu-clickhouse-01 clickhouse-client --user=default --query "SELECT COUNT(*) FROM default.$table WHERE meta_client_name = '$sentry'" || true) if [[ $data_count -gt 0 ]]; then pretty_print "$table has $data_count entries from $sentry" "green" break diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/config.d/config.xml b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/config.d/config.xml index df4238cc..52f555cb 100644 --- a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/config.d/config.xml +++ b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/config.d/config.xml @@ -20,6 +20,7 @@ + supersecret xatu-clickhouse-01 diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh index 2005ff9b..72b0244d 100755 --- a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh +++ b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh 
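Review bot: The polling command now names `--user=default` but passes no password, and the trailing `|| true` turns an authentication failure into an empty `data_count`, so if the default account has a password in CI the `while true` loop spins until the job times out without saying why. Whether the workflow sets CLICKHOUSE_PASSWORD is not visible in this hunk. Pass the same secret the compose stack uses (for example `--password "$CLICKHOUSE_PASSWORD"`), and let a failed query print the client's error before retrying. Bounding the loop with a retry counter would also help.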
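Review bot: The line added to clickhouse-01's config.d/config.xml commits the literal `supersecret` into the server configuration; the enclosing element is stripped in this rendering, but from its position next to the replica host it looks like a cluster or inter-server credential. The same hunk is applied to clickhouse-02's config.xml, and `supersecret` is also the compose fallback for CLICKHOUSE_PASSWORD on that node, so the value is shared, public, and cannot be rotated without editing the repository. ClickHouse configuration elements accept a `from_env="VAR"` attribute, which would let this come from the same environment as the other passwords. If the fixed value is intentional for the local stack, an XML comment marking it as a local-only placeholder would keep it from being copied into a real deployment.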
@@ -1,2 +1,43 @@ #!/bin/bash set -e + +cat /etc/clickhouse-server/users.d/users.xml + +cat <> /etc/clickhouse-server/users.d/default.xml + + + <${CLICKHOUSE_USER}> + default + + ::/0 + + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + default + + + ${CLICKHOUSE_USER_READONLY_PASSWORD} + + + +EOT + +cat <> /etc/clickhouse-server/config.d/users.xml + + + + + + xatu-clickhouse-01 + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + + + + + xatu-clickhouse-02 + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + + + + + +EOT \ No newline at end of file diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/users.d/users.xml b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/users.d/users.xml index 0f32c646..31f5dbc0 100644 --- a/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/users.d/users.xml +++ b/deploy/local/docker-compose/clickhouse/clickhouse-01/etc/clickhouse-server/users.d/users.xml @@ -7,6 +7,13 @@ in_order 1 + + 10000000000 + 0 + in_order + 1 + 1 + @@ -21,6 +28,15 @@ 1 1 + + 0 + readonly + + ::/0 + + + default + diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/config.d/config.xml b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/config.d/config.xml index 26d6c71d..3a9915f1 100644 --- a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/config.d/config.xml +++ b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/config.d/config.xml @@ -20,6 +20,7 @@ + supersecret xatu-clickhouse-01 diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh index e9eb30f7..adba0b29 100755 
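Review bot: The first added command, `cat /etc/clickhouse-server/users.d/users.xml`, prints the user configuration to the container's stdout, where it ends up in `docker logs` and any log shipper; it reads like leftover debugging and should be removed. The two heredocs that follow write `${CLICKHOUSE_PASSWORD}` and `${CLICKHOUSE_USER_READONLY_PASSWORD}` into XML as clear text without escaping, so a password containing `<` or `&` yields a malformed or differently structured config. When CLICKHOUSE_PASSWORD is empty the `$([ -n … ] && echo …)` expression emits nothing, which appears to leave the default user with an empty password while the visible network entry is `::/0`. Consider aborting early with `: "${CLICKHOUSE_PASSWORD:?must be set}"` and using `password_sha256_hex` for the user entries. The same lines are added to clickhouse-02's init-db.sh, and the XML tags are missing from this rendering, so element names are inferred.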
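Review bot: The user block added by the second users.xml hunk (profile `readonly`, quota `default`) lists `::/0` as its allowed network, so the account is accepted from any address that can reach the server, and the compose fallback password for it is the guessable `readonly`. Whether the ClickHouse ports are published to the host is not visible here; if they are, narrow the network entry to the compose network or loopback. A short XML comment above the new profile in the first hunk would also help, since the values `10000000000 0 in_order 1 1` do not say which of them makes the profile read-only. Element names are stripped in this rendering, so the structure is read from the values; the same two hunks are applied to clickhouse-02's users.xml.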
--- a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh +++ b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/docker-entrypoint-initdb.d/init-db.sh @@ -1,7 +1,50 @@ #!/bin/bash set -e +cat /etc/clickhouse-server/users.d/users.xml -clickhouse client --user default -n <<-EOSQL +cat <> /etc/clickhouse-server/users.d/default.xml + + + <${CLICKHOUSE_USER}> + default + + ::/0 + + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + default + + + ${CLICKHOUSE_USER_READONLY_PASSWORD} + + + +EOT + +cat <> /etc/clickhouse-server/config.d/users.xml + + + + + + xatu-clickhouse-01 + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + + + + + xatu-clickhouse-02 + $([ -n "${CLICKHOUSE_PASSWORD}" ] && echo "${CLICKHOUSE_PASSWORD}") + + + + + +EOT + + +PASSWORD=${CLICKHOUSE_PASSWORD} + +clickhouse client --user default --password ${PASSWORD} -n <<-EOSQL CREATE TABLE default.schema_migrations_local ON CLUSTER '{cluster}' ( "version" Int64, @@ -14,3 +57,5 @@ SETTINGS index_granularity = 81921; CREATE TABLE schema_migrations on cluster '{cluster}' AS schema_migrations_local ENGINE = Distributed('{cluster}', default, schema_migrations_local, rand()); EOSQL + +echo "ClickHouse schema initialized" \ No newline at end of file diff --git a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/users.d/users.xml b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/users.d/users.xml index 0f32c646..31f5dbc0 100644 --- a/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/users.d/users.xml +++ b/deploy/local/docker-compose/clickhouse/clickhouse-02/etc/clickhouse-server/users.d/users.xml @@ -7,6 +7,13 @@ in_order 1 + + 10000000000 + 0 + in_order + 1 + 1 + @@ -21,6 +28,15 @@ 1 1 + + 0 + readonly + + ::/0 + + + default + 
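Review bot: `clickhouse client --user default --password ${PASSWORD} -n` expands the password unquoted, so an empty value leaves `-n` as the word following `--password`, and a value with spaces or glob characters is split or expanded by the shell. Quote it: `clickhouse client --user default --password "${PASSWORD}" -n <<-EOSQL`. The intermediate `PASSWORD=${CLICKHOUSE_PASSWORD}` adds nothing and could be dropped in favour of using the variable directly. Passing the secret as an argument also leaves it readable in the container's process list while the client runs, which is worth a comment if it is accepted for the local stack.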
diff --git a/deploy/local/docker-compose/grafana/datasources/datasources.yaml b/deploy/local/docker-compose/grafana/datasources/datasources.yaml index 65a1a076..219d5bb5 100644 --- a/deploy/local/docker-compose/grafana/datasources/datasources.yaml +++ b/deploy/local/docker-compose/grafana/datasources/datasources.yaml @@ -13,24 +13,20 @@ datasources: port: 9000 server: xatu-clickhouse-01 tlsSkipVerify: true + username: readonly + user: readonly + secureJsonData: + password: $CLICKHOUSE_USER_READONLY_PASSWORD - name: ClickHouse-vert type: vertamedia-clickhouse-datasource access: proxy url: http://xatu-clickhouse-01:8123 - - - name: postgres - type: postgres - access: proxy - url: xatu-postgres:5432 - user: user - secureJsonData: - password: password + user: readonly jsonData: - sslmode: disable - tlsSkipVerify: true - postgresVersion: 1500 - database: xatu + user: readonly + secureJsonData: + password: $CLICKHOUSE_USER_READONLY_PASSWORD - name: Tempo type: tempo access: proxy diff --git a/docker-compose.yml b/docker-compose.yml index d8f4c82c..0d7cb5f6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -34,6 +34,11 @@ services: timeout: 10s retries: 15 start_period: 15s + environment: + - CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1 + - CLICKHOUSE_USER=default + - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD} + - CLICKHOUSE_USER_READONLY_PASSWORD=${CLICKHOUSE_USER_READONLY_PASSWORD:-readonly} xatu-clickhouse-02: profiles: - clickhouse @@ -69,6 +74,11 @@ services: timeout: 10s retries: 15 start_period: 15s + environment: + - CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1 + - CLICKHOUSE_USER=default + - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:-supersecret} + - CLICKHOUSE_USER_READONLY_PASSWORD=${CLICKHOUSE_USER_READONLY_PASSWORD:-readonly} xatu-clickhouse-zookeeper-01: profiles: - clickhouse 
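Review bot: `password: $CLICKHOUSE_USER_READONLY_PASSWORD` depends on Grafana expanding environment variables in provisioning files, and nothing in datasources.yaml says so; add a comment such as `# expanded by Grafana from the container environment (set in docker-compose.yml)`. One consequence worth documenting is that a password containing `$` must have it doubled to survive that expansion. The hunk also deletes the `postgres` datasource, which the commit message does not mention, so any dashboard still referencing it loses its source. Indentation is lost in this rendering, so I cannot confirm whether the added `username`/`user` keys sit under `jsonData` or at the datasource level.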
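Review bot: The two ClickHouse services get different fallbacks for the same secret: xatu-clickhouse-01 uses `CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD}` (empty when unset) while xatu-clickhouse-02 in the next hunk uses `${CLICKHOUSE_PASSWORD:-supersecret}`. With the variable unset, node 01 runs its default user with an empty password and node 02 with `supersecret`, and each init-db.sh writes its own value as the password for both replicas, so inter-replica authentication is likely to fail as well. The vector and migrator hunks further down use the no-fallback form too. Use one form everywhere, preferably `${CLICKHOUSE_PASSWORD:?set CLICKHOUSE_PASSWORD in .env}`, so the stack refuses to start without a secret instead of falling back to a published one. A comment on `CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1` should note that it lets that default account manage users and grants through SQL.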
@@ -197,10 +207,16 @@ services: GF_AUTH_ANONYMOUS_ENABLED: "true" GF_AUTH_ANONYMOUS_ORG_ROLE: Admin GF_AUTH_ANONYMOUS_ORG_NAME: Main Org. + CLICKHOUSE_USER_READONLY_PASSWORD: ${CLICKHOUSE_USER_READONLY_PASSWORD:-readonly} volumes: - ./deploy/local/docker-compose/grafana/datasources:/etc/grafana/provisioning/datasources - ./deploy/local/docker-compose/grafana/dashboard.yaml:/etc/grafana/provisioning/dashboards/main.yaml - ./deploy/local/docker-compose/grafana/dashboards:/var/lib/grafana/dashboards + command: > + bash -c " + sed -i 's/readonlypassword/'"$$CLICKHOUSE_USER_READONLY_PASSWORD"'/g' /etc/grafana/provisioning/datasources/datasources.yaml && + /run.sh + " xatu-prometheus: profiles: - "" @@ -386,8 +402,8 @@ services: - "${VECTOR_KAFKA_CLICKHOUSE_ADDRESS:-127.0.0.1}:${VECTOR_KAFKA_CLICKHOUSE_PORT:-8686}:8686" environment: CLICKHOUSE_ENDPOINT: "xatu-clickhouse-01:8123" - CLICKHOUSE_USER: default - CLICKHOUSE_PASSWORD: "" + CLICKHOUSE_USER: ${CLICKHOUSE_USER:-default} + CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD} KAFKA_BROKERS: "xatu-kafka:29092" healthcheck: test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:8686/health"] @@ -416,8 +432,8 @@ services: - xatu-net environment: CLICKHOUSE_ENDPOINT: "xatu-clickhouse-01:8123" - CLICKHOUSE_USER: default - CLICKHOUSE_PASSWORD: "" + CLICKHOUSE_USER: ${CLICKHOUSE_USER:-default} + CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD} KAFKA_BROKERS: "xatu-kafka:29092" healthcheck: test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:8686/health"] @@ -469,7 +485,7 @@ services: "-path", "/migrations", "-database", - "clickhouse://xatu-clickhouse-01:9000?username=default&database=default&x-multi-statement=true", + "clickhouse://xatu-clickhouse-01:9000?username=${CLICKHOUSE_USER:-default}&password=${CLICKHOUSE_PASSWORD}&database=default&x-multi-statement=true", "up", ] depends_on:
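Review bot: The added `command` runs `sed -i 's/readonlypassword/…/g'` on datasources.yaml, but the version of that file in this commit contains `$CLICKHOUSE_USER_READONLY_PASSWORD`, not `readonlypassword`, so the substitution matches nothing. If it did match, it would write the clear-text password into a file under the bind-mounted `./deploy/local/docker-compose/grafana/datasources` directory, that is, into the working tree, and a password containing `/` or `&` would corrupt the sed expression. Since the variable is already passed in `environment` and Grafana expands it in provisioning files, the `command` override can be dropped. Separately, the context lines show `GF_AUTH_ANONYMOUS_ORG_ROLE: Admin`, so unauthenticated visitors get admin access to Grafana and its datasources however the password is stored; a comment marking that as local-only would help.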
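Review bot: The migrator's `-database` URL now embeds `password=${CLICKHOUSE_PASSWORD}` in the query string without percent-encoding, so a password containing `&`, `#`, `%` or `+` is parsed as something else and the connection fails or authenticates with a truncated value. The full URL is also a command argument, visible in `docker inspect` and the process list, and the migration tool may echo it on error. Document the constraint next to the argument, e.g. `# CLICKHOUSE_PASSWORD is interpolated verbatim: it must be URL-safe or pre-encoded`, or supply the credential through an environment variable if the image supports one. The service definition continues outside the hunk.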