From 9f86d7f3a8a3af83cb8416930af39bc56d20b73a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Fri, 17 Apr 2026 15:10:07 +0200
Subject: [PATCH 1/6] Apply stricter constraints on oonimeasurements user queries

---
 ansible/group_vars/clickhouse/vars.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index 7b48ebe1..efcf2bc6 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -239,6 +239,14 @@ clickhouse_custom_users:
 - "max_memory_usage = 501001000"
 # 60 seconds
 - "max_execution_time = 30"
+ # 500 GB
+ - "max_bytes_to_read = 501001001000"
+ # 5 B
+ - "max_rows_to_read = 5001001000"
+ # 5s
+ - "timeout_before_checking_execution_speed = 5"
+ # 10 M
+ - "max_result_rows = 11001000"
 profile:
 - readonly
 quota: "oonimeasurements"

From d9addcad900f21731fff1f801c9970fc74b75186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Fri, 17 Apr 2026 17:16:20 +0200
Subject: [PATCH 2/6] Reduce max rows to 50k

---
 ansible/group_vars/clickhouse/vars.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index efcf2bc6..96c1ce2f 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -245,8 +245,8 @@ clickhouse_custom_users:
 - "max_rows_to_read = 5001001000"
 # 5s
 - "timeout_before_checking_execution_speed = 5"
- # 10 M
- - "max_result_rows = 11001000"
+ # 50k
+ - "max_result_rows = 51000"
 profile:
 - readonly
 quota: "oonimeasurements"

From d442c904625067734d572004a5721abe6d9e668b Mon Sep 17 00:00:00 2001
From: Aaron Gibson
Date: Mon, 27 Apr 2026 16:49:59 +0200
Subject: [PATCH 3/6] raise oonimeasuremenets max memory

---
 ansible/group_vars/clickhouse/vars.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
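Review bot: The four limits added under `settings:` are per-user defaults rather than enforced constraints: a plain `max_rows_to_read = …` on a user can be raised again by the client with `SET` or a query-level setting unless the user's profile has `readonly = 1` or the setting carries a `MAX`/`READONLY` constraint, and the `readonly` profile referenced two lines below is not in view, so whether these limits are actually binding cannot be told from this file. If the idealista role passes these strings verbatim into the `SETTINGS` clause, writing them as `- "max_rows_to_read = 5001001000 MAX 5001001000"` (or `… READONLY`) turns them into a ceiling the client cannot lift, and `SHOW CREATE USER oonimeasurements` after the run shows whether the constraint took. The `# 60 seconds` comment on the context line no longer matches `max_execution_time = 30` and should read `# 30 seconds`. The `settings:` list and the user entry it belongs to begin above the hunk.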
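Review bot: `max_result_rows = 51000` makes any query whose result exceeds that many rows fail outright, because ClickHouse's `result_overflow_mode` defaults to `throw`, so every consumer of this user must paginate with `LIMIT` at or below 51000 or start receiving errors; the `# 50k` comment should say so, e.g. `# 50k: larger results fail (result_overflow_mode = throw), callers must paginate`. If a capped-but-successful result is the intent instead, add `- "result_overflow_mode = break"` next to it, bearing in mind that `break` returns a silently truncated result. The enclosing user entry starts above the hunk.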
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index 7b48ebe1..30f3ca0c 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -235,8 +235,8 @@ clickhouse_custom_users:
 networks:
 - "IP '0.0.0.0/0'"
 settings:
- # 500 MB
- - "max_memory_usage = 501001000"
+ # 1 GB
+ - "max_memory_usage = 1001001000"
 # 60 seconds
 - "max_execution_time = 30"
 profile:

From b7a42466a6c03fbb401286ff24babdf1d1fdbf58 Mon Sep 17 00:00:00 2001
From: Aaron Gibson
Date: Wed, 29 Apr 2026 18:12:44 +0200
Subject: [PATCH 4/6] enable clickhouse_role_manage_settings_profiles and clickhouse_role_manage_quotas https://github.com/idealista/clickhouse_role/blob/main/molecule/default/group_vars/clickhouse_group.yml actually use sha256 password type clickhouse role disregards password_type and only looks at key password_sha256_hex ... fix quotas keys
---
 ansible/group_vars/clickhouse/vars.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index 63738884..efeb752d 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -165,6 +165,7 @@ clickhouse_distributed_ddl:
 cleanup_delay_period: 60
 max_tasks_in_queue: 1000

+clickhouse_role_manage_settings_profiles: True
 clickhouse_default_profiles:
 default:
 readonly: 2
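Review bot: The `index 7b48ebe1..30f3ca0c` line shows this hunk was produced against the same base blob as patch 1 (`7b48ebe1`) rather than against patch 2's output (`96c1ce2f`), so the series as shown does not apply linearly and the `@@ -235,8 +235,8 @@` offsets will need a rebase once patch 1's eight added lines are in. On the value itself: `max_memory_usage` is a per-query limit, and the user on the context lines above accepts connections from `IP '0.0.0.0/0'`, so after this change N concurrent queries can pin N GB; nothing in the visible settings bounds concurrency, and the quota elsewhere in this file counts queries per interval, not queries in flight. Pairing the raise with `- "max_concurrent_queries_for_user = 4"` (or whatever the API actually needs) keeps the worst case bounded.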
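Review bot: `clickhouse_role_manage_settings_profiles: True` introduces the capitalised YAML 1.1 boolean into a file whose visible booleans were lowercase until this series (the same patch flips `clickhouse_role_manage_users: true` to `True`); Ansible accepts both, but yamllint's `truthy` rule rejects `True`, so `clickhouse_role_manage_settings_profiles: true` is the consistent spelling. Enabling profile management also hands `clickhouse_default_profiles` over to the role, and the `default` profile on the context lines carries `readonly: 2`, which still lets clients change settings; worth confirming that is intended for the profile named `default` and not only for the measurements user.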
@@ -226,12 +227,12 @@ clickhouse_default_users:
 profile: write
 quota: default

-clickhouse_role_manage_users: true
+clickhouse_role_manage_users: True
 clickhouse_custom_users:
 - user:
 name: oonimeasurements
 password_type: sha256_password
- password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}"
+ password_sha256_hex: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}"
 networks:
 - "IP '0.0.0.0/0'"
 settings:
@@ -252,19 +253,19 @@ clickhouse_custom_users:
 quota: "oonimeasurements"
 databases: [ooni]

-# TODO: this quota was created by hand since it wasn't working in the idealista playbook
-clickhouse_role_manage_quotas: false
+clickhouse_role_manage_quotas: True
 clickhouse_custom_quotas:
 # quota over a 10 minute window
 - quota:
 name: oonimeasurements
- settings:
- - "INTERVAL 10 minute MAX queries = 12000, MAX errors = 1000, MAX execution_time = 1000"
- to:
- - oonimeasurements
+ duration: 600
+ queries: 12000
+ errors: 1000
+ result_rows: 0
+ read_rows: 0
+ execution_time: 1000

-clickhouse_role_manage_grants: true
-clickhouse_role_manage_roles: true
+clickhouse_role_manage_grants: True
 clickhouse_custom_grants:
 - on:
 databases: [ooni]
@@ -276,6 +277,7 @@ clickhouse_custom_grant_roles:
 - roles: [oonimeasurements]
 to: [oonimeasurements]

+clickhouse_role_manage_roles: True
 clickhouse_custom_roles:
 - role:
 name: oonimeasurements

From 798b0c22e456c44f97b8d4c874f1040345123af9 Mon Sep 17 00:00:00 2001
From: Aaron Gibson
Date: Thu, 30 Apr 2026 10:44:10 +0200
Subject: [PATCH 5/6] fix user password misconfiguration the difference between the _xml and sql managed user settings is poorly documented and fails open.
---
 ansible/group_vars/clickhouse/vars.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
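Review bot: The user whose credential is re-keyed here stays reachable from `networks: - "IP '0.0.0.0/0'"`, so the rendered password is the only barrier, and this is the hunk the next patch in the series describes as having "failed open" because the role ignored `password_type`; restricting `networks` to the addresses of the hosts that run the measurements API (or a `HOST NAME`/`HOST REGEXP` entry, if the role supports one) would keep a mis-rendered credential from being an internet-facing one. Add a post-run check to the playbook, e.g. `SELECT name, auth_type, host_ip FROM system.users WHERE name = 'oonimeasurements'`, and fail the run if `auth_type` is `no_password` or `host_ip` is not the expected list. The user entry continues below the hunk (`profile:`, `quota:`, `databases:`).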
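Review bot: The rewritten quota drops the `to: - oonimeasurements` assignment that the old string form carried, and the new keys (`duration`, `queries`, `errors`, …) only describe limits; unless the role derives `TO oonimeasurements` from the user's `quota: "oonimeasurements"` line on the context side, which this file does not show, the quota will exist but bind nobody — check `SELECT name, apply_to_list FROM system.quotas` and `SHOW QUOTA` as that user after the run. `result_rows: 0` and `read_rows: 0` deserve a comment stating the intended reading, e.g. `# 0 = unlimited (confirm the role renders it that way)`, because the XML quota format treats `0` as no limit while the SQL the role actually emits is not visible here; omitting the two keys, if the role allows it, avoids the question. The `# TODO` about the quota having been created by hand is removed without saying whether that hand-made quota was dropped; depending on whether the role uses `CREATE OR REPLACE QUOTA` or `IF NOT EXISTS`, a stale object under the same name either gets replaced or silently keeps the old limits.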
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index efeb752d..30390f1a 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -231,8 +231,8 @@ clickhouse_role_manage_users: True
 clickhouse_custom_users:
 - user:
 name: oonimeasurements
- password_type: sha256_password
- password_sha256_hex: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}"
+ password_type: sha256_hash
+ password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}"
 networks:
 - "IP '0.0.0.0/0'"
 settings:

From 3773e152ae4c99f9af606de8a2b2b9339d46d6db Mon Sep 17 00:00:00 2001
From: Aaron Gibson
Date: Thu, 30 Apr 2026 10:53:24 +0200
Subject: [PATCH 6/6] sql managed users does NOT read var password_sha256_hex nor hash password if type is sha256_hash

---
 ansible/group_vars/clickhouse/vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
index 30390f1a..0080d366 100644
--- a/ansible/group_vars/clickhouse/vars.yml
+++ b/ansible/group_vars/clickhouse/vars.yml
@@ -232,7 +232,7 @@ clickhouse_custom_users:
 - user:
 name: oonimeasurements
 password_type: sha256_hash
- password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}"
+ password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}"
 networks:
 - "IP '0.0.0.0/0'"
 settings:
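Review bot: With `password_type: sha256_hash`, the `password:` value is expected to be a hex digest, but this hunk passes the plaintext from SSM, so the server either rejects the statement or stores a hash that matches nothing a client will send; the following patch corrects it by piping through `hash('sha256')`. The two patches should be squashed so that no commit in the history leaves the user with an unusable — or, per this commit's own message, a fail-open — credential. The user entry continues below the hunk.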
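Review bot: `password_type: sha256_hash` with `{{ … | hash('sha256') }}` stores an unsalted SHA-256 of the SSM secret (`IDENTIFIED WITH sha256_hash BY '<hex>'` with no `SALT`), which is the weakest hashed form ClickHouse offers: anyone who reads the access store, the rendered SQL, or an Ansible log where this task runs without `no_log: true` can run a plain dictionary attack against it, whereas `sha256_password` lets the server generate a random salt itself. If the role really only honours `sha256_hash`, the hash can still be salted from Ansible — per the ClickHouse docs the value is `SHA256(password || salt)`, i.e. `((secret ~ salt) | hash('sha256'))` in Jinja — and the salt passed through the role's salt key if it has one (not visible here), or the role's rendering fixed upstream. Independently, the two mis-renderings earlier in this series failed open; setting `allow_implicit_no_password: 0` and `allow_no_password: 0` in the server config (on versions that have them) makes ClickHouse refuse to create a user without a credential so the next mistake fails closed, and `SELECT name, auth_type FROM system.users WHERE name = 'oonimeasurements'` belongs in the playbook's post-checks.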