From 9f86d7f3a8a3af83cb8416930af39bc56d20b73a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Fri, 17 Apr 2026 15:10:07 +0200 Subject: [PATCH 1/9] Apply stricter constraints on oonimeasurements user queries --- ansible/group_vars/clickhouse/vars.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 7b48ebe1..efcf2bc6 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -239,6 +239,14 @@ clickhouse_custom_users: - "max_memory_usage = 501001000" # 60 seconds - "max_execution_time = 30" + # 500 GB + - "max_bytes_to_read = 501001001000" + # 5 B + - "max_rows_to_read = 5001001000" + # 5s + - "timeout_before_checking_execution_speed = 5" + # 10 M + - "max_result_rows = 11001000" profile: - readonly quota: "oonimeasurements" From d9addcad900f21731fff1f801c9970fc74b75186 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Fri, 17 Apr 2026 17:16:20 +0200 Subject: [PATCH 2/9] Reduce max rows to 50k --- ansible/group_vars/clickhouse/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index efcf2bc6..96c1ce2f 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -245,8 +245,8 @@ clickhouse_custom_users: - "max_rows_to_read = 5001001000" # 5s - "timeout_before_checking_execution_speed = 5" - # 10 M - - "max_result_rows = 11001000" + # 50k + - "max_result_rows = 51000" profile: - readonly quota: "oonimeasurements" From d442c904625067734d572004a5721abe6d9e668b Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Mon, 27 Apr 2026 16:49:59 +0200 Subject: [PATCH 3/9] raise oonimeasuremenets max memory --- ansible/group_vars/clickhouse/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
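Review bot: `timeout_before_checking_execution_speed = 5` in the new settings is inert on its own: ClickHouse only acts on it when `min_execution_speed` or `max_execution_speed` is also set for the user/profile, and neither appears in this hunk, so it should be paired with a `min_execution_speed` value or dropped. The new comments also do not match the values they annotate: `501001001000` is ~501 GB, not `# 500 GB`, `5001001000` is ~5.001 B, and `11001000` is 11 M, not `# 10 M` (the pre-existing `# 60 seconds` over `max_execution_time = 30` has the same drift); either use the round figures or make the comment state the real one, e.g. `# ~500 GB (501001001000 bytes)`. `max_result_rows` without `result_overflow_mode` keeps the default `throw`, which is the right behaviour for an abuse cap, but a one-line comment saying so would stop a later edit from relaxing it to `break`.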
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 7b48ebe1..30f3ca0c 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -235,8 +235,8 @@ clickhouse_custom_users: networks: - "IP '0.0.0.0/0'" settings: - # 500 MB - - "max_memory_usage = 501001000" + # 1 GB + - "max_memory_usage = 1001001000" # 60 seconds - "max_execution_time = 30" profile: From b7a42466a6c03fbb401286ff24babdf1d1fdbf58 Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Wed, 29 Apr 2026 18:12:44 +0200 Subject: [PATCH 4/9] enable clickhouse_role_manage_settings_profiles and clickhouse_role_manage_quotas https://github.com/idealista/clickhouse_role/blob/main/molecule/default/group_vars/clickhouse_group.yml actually use sha256 password type clickhouse role disregards password_type and only looks at key password_sha256_hex ... fix quotas keys --- ansible/group_vars/clickhouse/vars.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 63738884..efeb752d 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -165,6 +165,7 @@ clickhouse_distributed_ddl: cleanup_delay_period: 60 max_tasks_in_queue: 1000 +clickhouse_role_manage_settings_profiles: True clickhouse_default_profiles: default: readonly: 2 
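Review bot: `clickhouse_role_manage_settings_profiles: True` uses the capitalized Python-style boolean; Ansible accepts it, but yamllint's `truthy` rule flags it and the rest of the file writes `true`, so prefer `clickhouse_role_manage_settings_profiles: true`. The same spelling is introduced by the other hunks of this commit (`clickhouse_role_manage_users: True`, `clickhouse_role_manage_quotas: True`, `clickhouse_role_manage_grants: True`, `clickhouse_role_manage_roles: True`), where `manage_users` is flipped from an existing lowercase `true` purely for case. Copying the upstream role's key names from its molecule vars is the right call; copying its boolean spelling is not needed.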
@@ -226,12 +227,12 @@ clickhouse_default_users: profile: write quota: default -clickhouse_role_manage_users: true +clickhouse_role_manage_users: True clickhouse_custom_users: - user: name: oonimeasurements password_type: sha256_password - password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}" + password_sha256_hex: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}" networks: - "IP '0.0.0.0/0'" settings: @@ -252,19 +253,19 @@ clickhouse_custom_users: quota: "oonimeasurements" databases: [ooni] -# TODO: this quota was created by hand since it wasn't working in the idealista playbook -clickhouse_role_manage_quotas: false +clickhouse_role_manage_quotas: True clickhouse_custom_quotas: # quota over a 10 minute window - quota: name: oonimeasurements - settings: - - "INTERVAL 10 minute MAX queries = 12000, MAX errors = 1000, MAX execution_time = 1000" - to: - - oonimeasurements + duration: 600 + queries: 12000 + errors: 1000 + result_rows: 0 + read_rows: 0 + execution_time: 1000 -clickhouse_role_manage_grants: true -clickhouse_role_manage_roles: true +clickhouse_role_manage_grants: True clickhouse_custom_grants: - on: databases: [ooni] @@ -276,6 +277,7 @@ clickhouse_custom_grant_roles: - roles: [oonimeasurements] to: [oonimeasurements] +clickhouse_role_manage_roles: True clickhouse_custom_roles: - role: name: oonimeasurements From 798b0c22e456c44f97b8d4c874f1040345123af9 Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Thu, 30 Apr 2026 10:44:10 +0200 Subject: [PATCH 5/9] fix user password misconfiguration the difference between the _xml and sql managed user settings is poorly documented and fails open. --- ansible/group_vars/clickhouse/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
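Review bot: The rewritten `oonimeasurements` quota sets `result_rows: 0` and `read_rows: 0` without saying what 0 means; in ClickHouse's XML quota config 0 is "unlimited", but how the role renders these keys into `CREATE QUOTA` is not visible here, so please confirm it emits no limit rather than a literal `MAX result_rows = 0`, and add `# 0 = no limit for this interval` above the block. The old quota carried an explicit `to:` list; the new one relies on the user's `quota: "oonimeasurements"` key, which deserves a short comment since the binding now lives on the user rather than the quota. In the user hunk, `password_sha256_hex` is computed by pulling the plaintext secret from SSM and hashing it in Jinja; if the role's user-creation task does not already run with `no_log: true`, the resulting `CREATE USER` statement (hash included) will appear in play output.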
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index efeb752d..30390f1a 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -231,8 +231,8 @@ clickhouse_role_manage_users: True clickhouse_custom_users: - user: name: oonimeasurements - password_type: sha256_password - password_sha256_hex: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}" + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}" networks: - "IP '0.0.0.0/0'" settings: From 3773e152ae4c99f9af606de8a2b2b9339d46d6db Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Thu, 30 Apr 2026 10:53:24 +0200 Subject: [PATCH 6/9] sql managed users does NOT read var password_sha256_hex nor hash password if type is sha256_hash --- ansible/group_vars/clickhouse/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 30390f1a..0080d366 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -232,7 +232,7 @@ clickhouse_custom_users: - user: name: oonimeasurements password_type: sha256_hash - password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}" + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}" networks: - "IP '0.0.0.0/0'" settings: From b7baff6a71c245bd2db830ae6b68e52f68297121 Mon Sep 17 00:00:00 2001 
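Review bot: The `| hash('sha256')` restored on `password:` is load-bearing and nothing in the file says so: with `password_type: sha256_hash` the role passes the value through as the digest, so removing the filter (as PATCH 5/9 did) silently reintroduces the fail-open described in that commit message. Add a comment above the line such as `# sha256_hash expects the hex SHA-256 of the password; the role does not hash it, so the filter is required` so the invariant survives the next edit. Because the lookup returns the plaintext secret before hashing, also confirm the role's `CREATE USER` task runs with `no_log`, otherwise both the plaintext (PATCH 5/9 state) and the hash end up in Ansible output.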
From: Aaron Gibson Date: Fri, 1 May 2026 11:56:39 +0200 Subject: [PATCH 7/9] add clickhouse users for each ooniapi service, fastpath, and testlists --- ansible/group_vars/clickhouse/vars.yml | 115 +++++++++++++++++- .../host_vars/fastpath.dev.ooni.io/vars.yml | 2 +- .../host_vars/fastpath.prod.ooni.io/vars.yml | 2 +- .../host_vars/fastpath2.prod.ooni.io/vars.yml | 2 +- .../testlist-ec2.dev.ooni.io/vars.yml | 1 + .../testlist-ec2.prod.ooni.io/vars.yml | 2 +- ansible/roles/fastpath/defaults/main.yml | 2 +- tf/environments/dev/main.tf | 28 +++-- 8 files changed, 137 insertions(+), 17 deletions(-) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 0080d366..21fe072a 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -229,6 +229,28 @@ clickhouse_default_users: clickhouse_role_manage_users: True clickhouse_custom_users: + - user: + name: fastpath + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') | hash('sha256') }}" + networks: + - "IP '0.0.0.0/0'" + profile: + - write + quota: "fastpath" + databases: [ooni] + + - user: + name: oonifindings + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonifindings_password', profile='oonidevops_user_prod') | hash('sha256') }}" + networks: + - "IP '0.0.0.0/0'" + profile: + - readonly + quota: "oonifindings" + databases: [ooni] + - user: name: oonimeasurements password_type: sha256_hash 
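Review bot: The new `fastpath` user declares `quota: "fastpath"`, but no `fastpath` entry is added to `clickhouse_custom_quotas` anywhere in this commit (the later hunks define quotas for oonifindings, oonimeasurements, ooniprobe, oonirun and oonitestlists only), so the user either references a quota that does not exist or inherits whatever the role does for an unknown name; add a matching `- quota:` block with `name: fastpath` or drop the key. Both new users copy `networks: - "IP '0.0.0.0/0'"`; for `fastpath`, which gets the `write` profile and INSERT grants, narrowing this to the proxy/VPC ranges it connects from is cheap defense in depth if those ranges are stable. Quoting is also inconsistent within the commit (`quota: "fastpath"` here vs `quota: oonimeasurements` in the next hunk); pick one style.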
@@ -250,12 +272,54 @@ clickhouse_custom_users: - "max_result_rows = 51000" profile: - readonly - quota: "oonimeasurements" + quota: oonimeasurements + databases: [ooni, oonitest] + + - user: + name: ooniprobe + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_ooniprobe_password', profile='oonidevops_user_prod') | hash('sha256') }}" + networks: + - "IP '0.0.0.0/0'" + profile: + - write + quota: ooniprobe + databases: [ooni] + + - user: + name: oonirun + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonirun_password', profile='oonidevops_user_prod') | hash('sha256') }}" + networks: + - "IP '0.0.0.0/0'" + profile: + - write + quota: oonirun + databases: [ooni] + + - user: + name: oonitestlists + password_type: sha256_hash + password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') | hash('sha256') }}" + networks: + - "IP '0.0.0.0/0'" + profile: + - write + quota: oonitestlists databases: [ooni] clickhouse_role_manage_quotas: True clickhouse_custom_quotas: # quota over a 10 minute window + - quota: + name: oonifindings + duration: 600 + queries: 12000 + errors: 1000 + result_rows: 0 + read_rows: 0 + execution_time: 1000 + - quota: name: oonimeasurements duration: 600 
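Review bot: `oonimeasurements` gains `databases: [ooni, oonitest]`, but the SELECT grant in the grants hunk of this commit still lists `databases: [ooni]` only; whether that matters depends on what the role does with `databases` (default-database list vs. grant source), which is not visible here, so if it only sets defaults a comment saying so would stop the next reader from assuming `oonitest` is readable. The three new service users (`ooniprobe`, `oonirun`, `oonitestlists`) all get `profile: write` plus `0.0.0.0/0`, while the grants below give `oonirun` SELECT only; if `oonirun` never writes, `profile: - readonly` matches its grants and is the safer default. The `# quota over a 10 minute window` comment now sits above the new `oonifindings` block and no longer over `oonimeasurements`, so either repeat it or reword it to cover both.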
@@ -265,13 +329,60 @@ clickhouse_custom_quotas: read_rows: 0 execution_time: 1000 + # no limits set + - quota: + name: ooniprobe + duration: 0 + queries: 0 + errors: 0 + result_rows: 0 + read_rows: 0 + execution_time: 0 + + # no limits set + - quota: + name: oonirun + duration: 0 + queries: 0 + errors: 0 + result_rows: 0 + read_rows: 0 + execution_time: 0 + + - quota: + name: oonitestlists + duration: 600 + queries: 12000 + errors: 1000 + result_rows: 0 + read_rows: 0 + execution_time: 1000 + clickhouse_role_manage_grants: True clickhouse_custom_grants: - on: databases: [ooni] tables: ["*"] privileges: [SELECT] - to: [oonimeasurements] + to: [oonifindings, ooniprobe, oonimeasurements, oonirun, fastpath] + +- on: + databases: [ooni] + tables: [url_priorities] + privileges: [INSERT] + to: [oonitestlists] + +- on: + databases: [ooni] + tables: [faulty_measurements] + privileges: [INSERT] + to: [ooniprobe] + +- on: + databases: [ooni] + tables: [fastpath, obs_web, obs_openvpn, jsonl, new_jsonl] + privileges: [INSERT] + to: [fastpath] clickhouse_custom_grant_roles: - roles: [oonimeasurements] diff --git a/ansible/host_vars/fastpath.dev.ooni.io/vars.yml b/ansible/host_vars/fastpath.dev.ooni.io/vars.yml index fbd3d273..e60bcb31 100644 --- a/ansible/host_vars/fastpath.dev.ooni.io/vars.yml +++ b/ansible/host_vars/fastpath.dev.ooni.io/vars.yml 
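Review bot: The `ooniprobe` and `oonirun` quotas are all zeros under `# no limits set`, yet these users back internet-facing API services and the sibling quotas cap `queries`/`errors` per 10-minute window; an unbounded quota on a `write`-profile account is the weakest point of this hunk, so consider at least `errors: 1000` and `queries: 12000` here too, and if truly unlimited is intended, confirm the role renders `duration: 0` as no interval rather than an `INTERVAL 0` that ClickHouse may reject. `oonitestlists` receives INSERT on `url_priorities` but no SELECT anywhere; if the service reads that table before writing, it will fail at runtime, so check its queries before merging. A comment per grant naming the service path that needs it (e.g. `# fastpath writes measurement rows and observation tables`) would make later least-privilege reviews much faster.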
@@ -1,5 +1,5 @@ s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_dev') }}" -clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest" +clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest" bucket_name: "ooni-data-eu-fra-test" # COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE collector_id: "3" diff --git a/ansible/host_vars/fastpath.prod.ooni.io/vars.yml b/ansible/host_vars/fastpath.prod.ooni.io/vars.yml index e7210f1f..ffcb68ef 100644 --- a/ansible/host_vars/fastpath.prod.ooni.io/vars.yml +++ b/ansible/host_vars/fastpath.prod.ooni.io/vars.yml @@ -1,5 +1,5 @@ s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_prod') }}" -clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni" +clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni" bucket_name: "ooni-data-eu-fra" # COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE collector_id: "1" diff --git a/ansible/host_vars/fastpath2.prod.ooni.io/vars.yml b/ansible/host_vars/fastpath2.prod.ooni.io/vars.yml index 28e22d69..fa79213e 100644 --- a/ansible/host_vars/fastpath2.prod.ooni.io/vars.yml +++ b/ansible/host_vars/fastpath2.prod.ooni.io/vars.yml 
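Review bot: In `fastpath.dev.ooni.io/vars.yml` the new `clickhouse_url` fetches `clickhouse_fastpath_password` with `profile='oonidevops_user_prod'` while the `s3_ooni_open_data_access_key` line directly above uses `oonidevops_user_dev`; the previous `write` URL had the same mismatch, so this may be a deliberate single shared secret, but it means the dev host authenticates to `clickhouseproxy.dev.ooni.io` with the production credential. If that is intended, a comment such as `# fastpath password is one secret shared by dev and prod; it lives in the prod SSM namespace` documents it; otherwise point dev at a dev-namespace parameter. The same applies to the `testlist-ec2.dev.ooni.io` hunk further down, which reads the `oonitestlists` password via the prod profile as well.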
@@ -1,5 +1,5 @@ s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_prod') }}" -clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@data3.htz-fsn.prod.ooni.nu/ooni" +clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@data3.htz-fsn.prod.ooni.nu/ooni" bucket_name: "ooni-data-eu-fra" # COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE collector_id: "4" diff --git a/ansible/host_vars/testlist-ec2.dev.ooni.io/vars.yml b/ansible/host_vars/testlist-ec2.dev.ooni.io/vars.yml index 7ab99273..b6497100 100644 --- a/ansible/host_vars/testlist-ec2.dev.ooni.io/vars.yml +++ b/ansible/host_vars/testlist-ec2.dev.ooni.io/vars.yml @@ -1,3 +1,4 @@ jwt_encryption_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/ooni_services/jwt_secret', profile='oonidevops_user_dev') }}" github_token: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/testlists_github_token', profile='oonidevops_user_dev') }}" log_level: "debug" +clickhouse_url: "clickhouse://oonitestlists:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/ooni" diff --git a/ansible/host_vars/testlist-ec2.prod.ooni.io/vars.yml b/ansible/host_vars/testlist-ec2.prod.ooni.io/vars.yml index 59e4bb4c..fb061292 100644 --- a/ansible/host_vars/testlist-ec2.prod.ooni.io/vars.yml +++ b/ansible/host_vars/testlist-ec2.prod.ooni.io/vars.yml 
@@ -1,4 +1,4 @@ jwt_encryption_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/ooni_services/jwt_secret', profile='oonidevops_user_prod') }}" github_token: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/testlists_github_token', profile='oonidevops_user_prod') }}" log_level: "info" -clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni" +clickhouse_url: "clickhouse://oonitestlists:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni" diff --git a/ansible/roles/fastpath/defaults/main.yml b/ansible/roles/fastpath/defaults/main.yml index 1a15aea5..2a40e928 100644 --- a/ansible/roles/fastpath/defaults/main.yml +++ b/ansible/roles/fastpath/defaults/main.yml @@ -5,4 +5,4 @@ fastpath_user: fastpath fastpath_home: "/opt/{{ fastpath_user }}" # Fastpath settings -clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest" \ No newline at end of file +clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest" diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index c569935b..6b955ffe 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf 
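Review bot: `ansible/roles/fastpath/defaults/main.yml` now defaults `clickhouse_url` to a lookup against the production SSM profile; role defaults are meant to be environment-neutral, and a lookup there executes on any host that applies the role without a host_vars override, so an unrelated run can fail on missing AWS credentials or, worse, quietly point a stray host at the dev proxy with the prod `fastpath` password. Prefer an inert default and fail fast, e.g. `clickhouse_url: ""` in defaults plus an `ansible.builtin.assert` in the role tasks that the value is non-empty, leaving the real URL to the per-host vars where it already lives. The missing-trailing-newline fix is welcome.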
@@ -237,16 +237,24 @@ resource "aws_secretsmanager_secret_version" "oonipg_url" { ) } -data "aws_ssm_parameter" "clickhouse_readonly_url" { - name = "/oonidevops/secrets/clickhouse_readonly_url" +data "aws_ssm_parameter" "clickhouse_oonifindings_url" { + name = "/oonidevops/secrets/clickhouse_oonifindings_url" } -data "aws_ssm_parameter" "clickhouse_readonly_test_url" { - name = "/oonidevops/secrets/clickhouse_readonly_test_url" +data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" { + name = "/oonidevops/secrets/clickhouse_oonimeasurements_url" } -data "aws_ssm_parameter" "clickhouse_write_url" { - name = "/oonidevops/secrets/clickhouse_write_url" +data "aws_ssm_parameter" "clickhouse_oonimeasurements_test_url" { + name = "/oonidevops/secrets/clickhouse_oonimeasurements_test_url" +} + +data "aws_ssm_parameter" "clickhouse_ooniprobe_url" { + name = "/oonidevops/secrets/clickhouse_ooniprobe_url" +} + +data "aws_ssm_parameter" "clickhouse_oonirun_url" { + name = "/oonidevops/secrets/clickhouse_oonirun_url" } data "aws_ssm_parameter" "account_id_hashing_key" { @@ -592,7 +600,7 @@ module "ooniapi_ooniprobe" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret_legacy.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_write_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_ooniprobe_url.arn ANONC_SECRET_KEY = data.aws_ssm_parameter.anonc_secret_key.arn } @@ -973,7 +981,7 @@ module "ooniapi_oonirun" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonirun_url.arn } ooniapi_service_security_groups = [ 
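Review bot: The first hunk drops the `clickhouse_readonly_url` and `clickhouse_write_url` data sources, but the only consumers updated in this commit are the four `ooniapi_*` modules shown; any other `data.aws_ssm_parameter.clickhouse_readonly_url` / `clickhouse_write_url` reference elsewhere in `main.tf` will fail at plan time, so confirm with `terraform plan` or a grep before merging. `clickhouse_oonimeasurements_url` is declared in dev while the oonimeasurements module hunk uses `clickhouse_oonimeasurements_test_url`, leaving the former unreferenced unless it is used outside these hunks. These are data sources, not resources: the `/oonidevops/secrets/clickhouse_*_url` parameters (connection strings that embed the Ansible-managed passwords) must exist before apply, and a short comment above the block naming where they are provisioned would help the next operator.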
@@ -1024,7 +1032,7 @@ module "ooniapi_oonifindings" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonifindings_url.arn } ooniapi_service_security_groups = [ @@ -1145,7 +1153,7 @@ module "ooniapi_oonimeasurements" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_test_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonimeasurements_test_url.arn ACCOUNT_ID_HASHING_KEY = data.aws_ssm_parameter.account_id_hashing_key.arn } From ea6e8832463413627d13124165dda60eb896c55b Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Fri, 1 May 2026 15:27:47 +0200 Subject: [PATCH 8/9] add clickhouse secrets, clickhouse_url to prod environment note: why was oonifindings missing CLICKHOUSE_URL ? --- tf/environments/prod/main.tf | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index 4c343293..16b79de9 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf 
@@ -239,16 +239,24 @@ data "aws_ssm_parameter" "oonipg_url" { name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url" } -data "aws_ssm_parameter" "clickhouse_readonly_url" { - name = "/oonidevops/secrets/clickhouse_readonly_url" +data "aws_ssm_parameter" "clickhouse_oonifindings_url" { + name = "/oonidevops/secrets/clickhouse_oonifindings_url" } data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" { name = "/oonidevops/secrets/clickhouse_oonimeasurements_url" } -data "aws_ssm_parameter" "clickhouse_write_url" { - name = "/oonidevops/secrets/clickhouse_write_url" +data "aws_ssm_parameter" "clickhouse_oonimeasurements_test_url" { + name = "/oonidevops/secrets/clickhouse_oonimeasurements_test_url" +} + +data "aws_ssm_parameter" "clickhouse_ooniprobe_url" { + name = "/oonidevops/secrets/clickhouse_ooniprobe_url" +} + +data "aws_ssm_parameter" "clickhouse_oonirun_url" { + name = "/oonidevops/secrets/clickhouse_oonirun_url" } data "aws_ssm_parameter" "account_id_hashing_key" { @@ -890,7 +898,7 @@ module "ooniapi_ooniprobe" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_write_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_ooniprobe_url.arn ANONC_SECRET_KEY = data.aws_ssm_parameter.anonc_secret_key.arn } @@ -1088,7 +1096,7 @@ module "ooniapi_oonirun" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonirun_url.arn } ooniapi_service_security_groups = [ 
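Review bot: `clickhouse_oonimeasurements_test_url` is added to prod alongside the existing `clickhouse_oonimeasurements_url`, but none of the prod module hunks in this commit reference the `_test_url` parameter; it looks copied from the dev environment and, as a data source, makes `terraform plan` depend on a `*_test_url` parameter existing in the prod account. Either remove it here or add a comment stating its prod consumer. The same pre-apply dependency holds for the new `clickhouse_ooniprobe_url` and `clickhouse_oonirun_url` parameters, which must be created in prod SSM before this is applied.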
@@ -1140,6 +1148,7 @@ module "ooniapi_oonifindings" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn + CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonifindings_url.arn } ooniapi_service_security_groups = [ From 7520f888bde383b714ee5928074a3658d52bb4d0 Mon Sep 17 00:00:00 2001 From: Aaron Gibson Date: Fri, 1 May 2026 15:43:58 +0200 Subject: [PATCH 9/9] remove clickhouse settings for oonifindings: uses psgql --- ansible/group_vars/clickhouse/vars.yml | 23 +---------------------- tf/environments/dev/main.tf | 5 ----- tf/environments/prod/main.tf | 5 ----- 3 files changed, 1 insertion(+), 32 deletions(-) diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index 21fe072a..236ce652 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -240,17 +240,6 @@ clickhouse_custom_users: quota: "fastpath" databases: [ooni] - - user: - name: oonifindings - password_type: sha256_hash - password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonifindings_password', profile='oonidevops_user_prod') | hash('sha256') }}" - networks: - - "IP '0.0.0.0/0'" - profile: - - readonly - quota: "oonifindings" - databases: [ooni] - - user: name: oonimeasurements password_type: sha256_hash @@ -310,16 +299,6 @@ clickhouse_custom_users: clickhouse_role_manage_quotas: True clickhouse_custom_quotas: - # quota over a 10 minute window - - quota: - name: oonifindings - duration: 600 - queries: 12000 - errors: 1000 - result_rows: 0 - read_rows: 0 - execution_time: 1000 - - quota: name: oonimeasurements duration: 600 
@@ -364,7 +343,7 @@ clickhouse_custom_grants: databases: [ooni] tables: ["*"] privileges: [SELECT] - to: [oonifindings, ooniprobe, oonimeasurements, oonirun, fastpath] + to: [ooniprobe, oonimeasurements, oonirun, fastpath] - on: databases: [ooni] diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 6b955ffe..09590756 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -237,10 +237,6 @@ resource "aws_secretsmanager_secret_version" "oonipg_url" { ) } -data "aws_ssm_parameter" "clickhouse_oonifindings_url" { - name = "/oonidevops/secrets/clickhouse_oonifindings_url" -} - data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" { name = "/oonidevops/secrets/clickhouse_oonimeasurements_url" } @@ -1032,7 +1028,6 @@ module "ooniapi_oonifindings" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonifindings_url.arn } ooniapi_service_security_groups = [ diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index 16b79de9..7c26100e 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -239,10 +239,6 @@ data "aws_ssm_parameter" "oonipg_url" { name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url" } -data "aws_ssm_parameter" "clickhouse_oonifindings_url" { - name = "/oonidevops/secrets/clickhouse_oonifindings_url" -} - data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" { name = "/oonidevops/secrets/clickhouse_oonimeasurements_url" } 
@@ -1148,7 +1144,6 @@ module "ooniapi_oonifindings" { POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn - CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonifindings_url.arn } ooniapi_service_security_groups = [