Add ClickHouse User and Password variables for external databases

Description

PMM documentation shows the following available variable to connect to an external Clickhouse database:

The Altinity operator does not allow the default user to access from outside of the cluster.

You can find this information below:

If no user and password is set, pmm-managed.log shows the following error:

I've tried adding the user and password to the variable PERCONA_TEST_PMM_CLICKHOUSE_ADDR and obtained the below error:

From the PMM container I can access the ClickHouse database using the credentials:

Please add the following variables to allow connecting to an external Clickhouse:

Dev notes:
Investigate possibility to set default credentials for internal Clickhouse and handle it during upgrade.

How to test

  • set up an external ClickHouse server

  • create a ClickHouse user with a password (follow the recommendations in the doc section below)

  • launch a PMM Server while providing the environment variables allowing it to connect to an external ClickHouse database

    • -e PMM_CLICKHOUSE_USER=<username> and -e PMM_CLICKHOUSE_PASSWORD=<password>, -e PMM_DISABLE_BUILTIN_CLICKHOUSE=1 and others (check the documentation)

  • add a database to monitoring

  • verify that the connection to ClickHouse server is successfully established

  • verify that you can see metrics collected from the database

  • verify that you don’t see Clickhouse user’s password in clear text format in the following logs:

    • pmm-managed.log

    • qan-api2.log

  • verify that telemetry is functional (the metrics are being collected from Clickhouse)

  • verify that you can run queries against the ClickHouse database (pmm.metrics) using the Grafana ClickHouse Datasource from the Explore menu (it is now password-protected)

  • run a sanity check of dashboards in PMM, especially those that make use of ClickHouse metrics

How to document

PMM-13171 introduces a few security enhancements to the ClickHouse Server, which contributes to a better security posture of PMM Server.

  1. Two environment variables were added that allow changing the credentials for an external ClickHouse server connection:

  • PMM_CLICKHOUSE_USER: <username>

  • PMM_CLICKHOUSE_PASSWORD: <password>

  2. The password security was hardened by:

    1. disabling empty passwords

    2. disabling plain text passwords

    3. preventing the implicit creation of users without passwords

For optimal security we recommend generating random user passwords and hashing them using the SHA256 function:

For more details refer to ClickHouse’s User Settings documentation.

Details

Needs QA: Yes

Needs Doc: Yes

Created June 14, 2024 at 11:25 PM
Updated 4 days ago