Skip to content

Add ooni clickhouse users #421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aagbsn wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Add ooni clickhouse users #421

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
9f86d7f
Apply stricter constraints on oonimeasurements user queries
hellais Apr 17, 2026
d9addca
Reduce max rows to 50k
hellais Apr 17, 2026
d442c90
raise oonimeasuremenets max memory
aagbsn Apr 27, 2026
7e52d43
Merge remote-tracking branch 'origin/main' into oonimeasurements-limits
aagbsn Apr 29, 2026
a5fd688
Merge remote-tracking branch 'origin/raise_oonimeasurements_max_memor…
aagbsn Apr 29, 2026
b7a4246
enable clickhouse_role_manage_settings_profiles and clickhouse_role_m…
aagbsn Apr 29, 2026
798b0c2
fix user password misconfiguration
aagbsn Apr 30, 2026
3773e15
sql managed users does NOT read var password_sha256_hex nor hash pass…
aagbsn Apr 30, 2026
b7baff6
add clickhouse users for each ooniapi service, fastpath, and testlists
aagbsn May 1, 2026
ea6e883
add clickhouse secrets, clickhouse_url to prod environment
aagbsn May 1, 2026
7520f88
remove clickhouse settings for oonifindings: uses psgql
aagbsn May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 116 additions & 16 deletions ansible/group_vars/clickhouse/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ clickhouse_distributed_ddl:
cleanup_delay_period: 60
max_tasks_in_queue: 1000

clickhouse_role_manage_settings_profiles: True
clickhouse_default_profiles:
default:
readonly: 2
Expand Down Expand Up @@ -226,48 +227,147 @@ clickhouse_default_users:
profile: write
quota: default

clickhouse_role_manage_users: true
clickhouse_role_manage_users: True
clickhouse_custom_users:
- user:
name: fastpath
password_type: sha256_hash
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') | hash('sha256') }}"
networks:
- "IP '0.0.0.0/0'"
profile:
- write
quota: "fastpath"
databases: [ooni]

- user:
name: oonimeasurements
password_type: sha256_password
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}"
password_type: sha256_hash
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}"
networks:
- "IP '0.0.0.0/0'"
settings:
# 500 MB
- "max_memory_usage = 501001000"
# 1 GB
- "max_memory_usage = 1001001000"
# 60 seconds
- "max_execution_time = 30"
# 500 GB
- "max_bytes_to_read = 501001001000"
# 5 B
- "max_rows_to_read = 5001001000"
# 5s
- "timeout_before_checking_execution_speed = 5"
# 50k
- "max_result_rows = 51000"
profile:
- readonly
quota: "oonimeasurements"
quota: oonimeasurements
databases: [ooni, oonitest]

- user:
name: ooniprobe
password_type: sha256_hash
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_ooniprobe_password', profile='oonidevops_user_prod') | hash('sha256') }}"
networks:
- "IP '0.0.0.0/0'"
profile:
- write
quota: ooniprobe
databases: [ooni]

# TODO: this quota was created by hand since it wasn't working in the idealista playbook
clickhouse_role_manage_quotas: false
- user:
name: oonirun
password_type: sha256_hash
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonirun_password', profile='oonidevops_user_prod') | hash('sha256') }}"
networks:
- "IP '0.0.0.0/0'"
profile:
- write
quota: oonirun
databases: [ooni]

- user:
name: oonitestlists
password_type: sha256_hash
password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') | hash('sha256') }}"
networks:
- "IP '0.0.0.0/0'"
profile:
- write
quota: oonitestlists
databases: [ooni]

clickhouse_role_manage_quotas: True
clickhouse_custom_quotas:
# quota over a 10 minute window
- quota:
name: oonimeasurements
settings:
- "INTERVAL 10 minute MAX queries = 12000, MAX errors = 1000, MAX execution_time = 1000"
to:
- oonimeasurements
duration: 600
queries: 12000
errors: 1000
result_rows: 0
read_rows: 0
execution_time: 1000

clickhouse_role_manage_grants: true
clickhouse_role_manage_roles: true
# no limits set
- quota:
name: ooniprobe
duration: 0
queries: 0
errors: 0
result_rows: 0
read_rows: 0
execution_time: 0

# no limits set
- quota:
name: oonirun
duration: 0
queries: 0
errors: 0
result_rows: 0
read_rows: 0
execution_time: 0

- quota:
name: oonitestlists
duration: 600
queries: 12000
errors: 1000
result_rows: 0
read_rows: 0
execution_time: 1000

clickhouse_role_manage_grants: True
clickhouse_custom_grants:
- on:
databases: [ooni]
tables: ["*"]
privileges: [SELECT]
to: [oonimeasurements]
to: [ooniprobe, oonimeasurements, oonirun, fastpath]

- on:
databases: [ooni]
tables: [url_priorities]
privileges: [INSERT]
to: [oonitestlists]

- on:
databases: [ooni]
tables: [faulty_measurements]
privileges: [INSERT]
to: [ooniprobe]

- on:
databases: [ooni]
tables: [fastpath, obs_web, obs_openvpn, jsonl, new_jsonl]
privileges: [INSERT]
to: [fastpath]

clickhouse_custom_grant_roles:
- roles: [oonimeasurements]
to: [oonimeasurements]

clickhouse_role_manage_roles: True
clickhouse_custom_roles:
- role:
name: oonimeasurements
Expand Down
2 changes: 1 addition & 1 deletion ansible/host_vars/fastpath.dev.ooni.io/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_dev') }}"
clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
bucket_name: "ooni-data-eu-fra-test"
# COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE
collector_id: "3"
Expand Down
2 changes: 1 addition & 1 deletion ansible/host_vars/fastpath.prod.ooni.io/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_prod') }}"
clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni"
clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni"
bucket_name: "ooni-data-eu-fra"
# COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE
collector_id: "1"
Expand Down
2 changes: 1 addition & 1 deletion ansible/host_vars/fastpath2.prod.ooni.io/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_prod') }}"
clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@data3.htz-fsn.prod.ooni.nu/ooni"
clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@data3.htz-fsn.prod.ooni.nu/ooni"
bucket_name: "ooni-data-eu-fra"
# COLLECTOR ID SHOULD BE DIFFERENT BETWEEN EACH FASTPATH INSTANCE
collector_id: "4"
Expand Down
1 change: 1 addition & 0 deletions ansible/host_vars/testlist-ec2.dev.ooni.io/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
jwt_encryption_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/ooni_services/jwt_secret', profile='oonidevops_user_dev') }}"
github_token: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/testlists_github_token', profile='oonidevops_user_dev') }}"
log_level: "debug"
clickhouse_url: "clickhouse://oonitestlists:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/ooni"
2 changes: 1 addition & 1 deletion ansible/host_vars/testlist-ec2.prod.ooni.io/vars.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
jwt_encryption_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/ooni_services/jwt_secret', profile='oonidevops_user_prod') }}"
github_token: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/testlists_github_token', profile='oonidevops_user_prod') }}"
log_level: "info"
clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni"
clickhouse_url: "clickhouse://oonitestlists:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonitestlists_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni"
2 changes: 1 addition & 1 deletion ansible/roles/fastpath/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,4 @@ fastpath_user: fastpath
fastpath_home: "/opt/{{ fastpath_user }}"

# Fastpath settings
clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
clickhouse_url: "clickhouse://fastpath:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_fastpath_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
23 changes: 13 additions & 10 deletions tf/environments/dev/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,16 +237,20 @@ resource "aws_secretsmanager_secret_version" "oonipg_url" {
)
}

data "aws_ssm_parameter" "clickhouse_readonly_url" {
name = "/oonidevops/secrets/clickhouse_readonly_url"
data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" {
name = "/oonidevops/secrets/clickhouse_oonimeasurements_url"
}

data "aws_ssm_parameter" "clickhouse_readonly_test_url" {
name = "/oonidevops/secrets/clickhouse_readonly_test_url"
data "aws_ssm_parameter" "clickhouse_oonimeasurements_test_url" {
name = "/oonidevops/secrets/clickhouse_oonimeasurements_test_url"
}

data "aws_ssm_parameter" "clickhouse_write_url" {
name = "/oonidevops/secrets/clickhouse_write_url"
data "aws_ssm_parameter" "clickhouse_ooniprobe_url" {
name = "/oonidevops/secrets/clickhouse_ooniprobe_url"
}

data "aws_ssm_parameter" "clickhouse_oonirun_url" {
name = "/oonidevops/secrets/clickhouse_oonirun_url"
}

data "aws_ssm_parameter" "account_id_hashing_key" {
Expand Down Expand Up @@ -592,7 +596,7 @@ module "ooniapi_ooniprobe" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret_legacy.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_write_url.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_ooniprobe_url.arn
ANONC_SECRET_KEY = data.aws_ssm_parameter.anonc_secret_key.arn
}

Expand Down Expand Up @@ -973,7 +977,7 @@ module "ooniapi_oonirun" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonirun_url.arn
}

ooniapi_service_security_groups = [
Expand Down Expand Up @@ -1024,7 +1028,6 @@ module "ooniapi_oonifindings" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn
}

ooniapi_service_security_groups = [
Expand Down Expand Up @@ -1145,7 +1148,7 @@ module "ooniapi_oonimeasurements" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_test_url.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonimeasurements_test_url.arn
ACCOUNT_ID_HASHING_KEY = data.aws_ssm_parameter.account_id_hashing_key.arn
}

Expand Down
20 changes: 12 additions & 8 deletions tf/environments/prod/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,16 +239,20 @@ data "aws_ssm_parameter" "oonipg_url" {
name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url"
}

data "aws_ssm_parameter" "clickhouse_readonly_url" {
name = "/oonidevops/secrets/clickhouse_readonly_url"
}

data "aws_ssm_parameter" "clickhouse_oonimeasurements_url" {
name = "/oonidevops/secrets/clickhouse_oonimeasurements_url"
}

data "aws_ssm_parameter" "clickhouse_write_url" {
name = "/oonidevops/secrets/clickhouse_write_url"
data "aws_ssm_parameter" "clickhouse_oonimeasurements_test_url" {
name = "/oonidevops/secrets/clickhouse_oonimeasurements_test_url"
}

data "aws_ssm_parameter" "clickhouse_ooniprobe_url" {
name = "/oonidevops/secrets/clickhouse_ooniprobe_url"
}

data "aws_ssm_parameter" "clickhouse_oonirun_url" {
name = "/oonidevops/secrets/clickhouse_oonirun_url"
}

data "aws_ssm_parameter" "account_id_hashing_key" {
Expand Down Expand Up @@ -890,7 +894,7 @@ module "ooniapi_ooniprobe" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_write_url.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_ooniprobe_url.arn
ANONC_SECRET_KEY = data.aws_ssm_parameter.anonc_secret_key.arn
}

Expand Down Expand Up @@ -1088,7 +1092,7 @@ module "ooniapi_oonirun" {
POSTGRESQL_URL = data.aws_ssm_parameter.oonipg_url.arn
JWT_ENCRYPTION_KEY = data.aws_ssm_parameter.jwt_secret.arn
PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_readonly_url.arn
CLICKHOUSE_URL = data.aws_ssm_parameter.clickhouse_oonirun_url.arn
}

ooniapi_service_security_groups = [
Expand Down
Loading