ClickHouse

1
# This is an example of a configuration file "config.xml" rewritten in YAML
2
# You can read this documentation for detailed information about YAML configuration:
3
# https://clickhouse.com/docs/en/operations/configuration-files/
4

5
# NOTE: User and query level settings are set up in "users.yaml" file.
6
# If you have accidentally specified user-level settings here, server won't start.
7
# You can either move the settings to the right place inside "users.xml" file
8
# or add skip_check_for_incorrect_settings: 1 here.
9
logger:
10
    # Possible levels [1]:
11
    # - none (turns off logging)
12
    # - fatal
13
    # - critical
14
    # - error
15
    # - warning
16
    # - notice
17
    # - information
18
    # - debug
19
    # - trace
20
    # [1]: https://github.com/pocoproject/poco/blob/poco-1.9.4-release/Foundation/include/Poco/Logger.h#L105-L114
21
    level: trace
22
    log: /var/log/clickhouse-server/clickhouse-server.log
23
    errorlog: /var/log/clickhouse-server/clickhouse-server.err.log
24
    # Rotation policy
25
    # See https://github.com/pocoproject/poco/blob/poco-1.9.4-release/Foundation/include/Poco/FileChannel.h#L54-L85
26
    size: 1000M
27
    count: 10
28
    # console: 1
29
    # Default behavior is autodetection (log to console if not daemon mode and is tty)
30

31
    # Per level overrides (legacy):
32
    # For example to suppress logging of the ConfigReloader you can use:
33
    # NOTE: levels.logger is reserved, see below.
34
    # levels:
35
    #     ConfigReloader: none
36

37
    # Per level overrides:
38
    # For example to suppress logging of the RBAC for default user you can use:
39
    # (But please note that the logger name maybe changed from version to version, even after minor upgrade)
40
    # levels:
41
    #     - logger:
42
    #         name: 'ContextAccess (default)'
43
    #         level: none
44
    #     - logger:
45
    #         name: 'DatabaseOrdinary (test)'
46
    #         level: none
47

48
# It is the name that will be shown in the clickhouse-client.
49
# By default, anything with "production" will be highlighted in red in query prompt.
50
# display_name: production
51

52
# Port for HTTP API. See also 'https_port' for secure connections.
53
# This interface is also used by ODBC and JDBC drivers (DataGrip, Dbeaver, ...)
54
# and by most of web interfaces (embedded UI, Grafana, Redash, ...).
55
http_port: 8123
56

57
# Port for interaction by native protocol with:
58
# - clickhouse-client and other native ClickHouse tools (clickhouse-benchmark);
59
# - clickhouse-server with other clickhouse-servers for distributed query processing;
60
# - ClickHouse drivers and applications supporting native protocol
61
# (this protocol is also informally called as "the TCP protocol");
62
# See also 'tcp_port_secure' for secure connections.
63
tcp_port: 9000
64

65
# Compatibility with MySQL protocol.
66
# ClickHouse will pretend to be MySQL for applications connecting to this port.
67
mysql_port: 9004
68

69
# Compatibility with PostgreSQL protocol.
70
# ClickHouse will pretend to be PostgreSQL for applications connecting to this port.
71
postgresql_port: 9005
72

73
# HTTP API with TLS (HTTPS).
74
# You have to configure certificate to enable this interface.
75
# See the openSSL section below.
76
# https_port: 8443
77

78
# Native interface with TLS.
79
# You have to configure certificate to enable this interface.
80
# See the openSSL section below.
81
# tcp_port_secure: 9440
82

83
# Native interface wrapped with PROXYv1 protocol
84
# PROXYv1 header sent for every connection.
85
# ClickHouse will extract information about proxy-forwarded client address from the header.
86
# tcp_with_proxy_port: 9011
87

88
# Port for communication between replicas. Used for data exchange.
89
# It provides low-level data access between servers.
90
# This port should not be accessible from untrusted networks.
91
# See also 'interserver_http_credentials'.
92
# Data transferred over connections to this port should not go through untrusted networks.
93
# See also 'interserver_https_port'.
94
interserver_http_port: 9009
95

96
# Port for communication between replicas with TLS.
97
# You have to configure certificate to enable this interface.
98
# See the openSSL section below.
99
# See also 'interserver_http_credentials'.
100
# interserver_https_port: 9010
101

102
# Hostname that is used by other replicas to request this server.
103
# If not specified, than it is determined analogous to 'hostname -f' command.
104
# This setting could be used to switch replication to another network interface
105
# (the server may be connected to multiple networks via multiple addresses)
106
# interserver_http_host: example.clickhouse.com
107

108
# You can specify credentials for authenthication between replicas.
109
# This is required when interserver_https_port is accessible from untrusted networks,
110
# and also recommended to avoid SSRF attacks from possibly compromised services in your network.
111
# interserver_http_credentials:
112
#     user: interserver
113
#     password: ''
114

115
# Listen specified address.
116
# Use :: (wildcard IPv6 address), if you want to accept connections both with IPv4 and IPv6 from everywhere.
117
# Notes:
118
# If you open connections from wildcard address, make sure that at least one of the following measures applied:
119
# - server is protected by firewall and not accessible from untrusted networks;
120
# - all users are restricted to subset of network addresses (see users.xml);
121
# - all users have strong passwords, only secure (TLS) interfaces are accessible, or connections are only made via TLS interfaces.
122
# - users without password have readonly access.
123
# See also: https://www.shodan.io/search?query=clickhouse
124
# listen_host: '::'
125

126
# Same for hosts without support for IPv6:
127
# listen_host: 0.0.0.0
128

129
# Default values - try listen localhost on IPv4 and IPv6.
130
# listen_host: '::1'
131
# listen_host: 127.0.0.1
132

133
# Don't exit if IPv6 or IPv4 networks are unavailable while trying to listen.
134
# listen_try: 0
135

136
# Allow multiple servers to listen on the same address:port. This is not recommended.
137
# listen_reuse_port: 0
138

139
# listen_backlog: 64
140
max_connections: 4096
141

142
# For 'Connection: keep-alive' in HTTP 1.1
143
keep_alive_timeout: 3
144

145
# gRPC protocol (see src/Server/grpc_protos/clickhouse_grpc.proto for the API)
146
# grpc_port: 9100
147
grpc:
148
    enable_ssl: false
149

150
    # The following two files are used only if enable_ssl=1
151
    ssl_cert_file: /path/to/ssl_cert_file
152
    ssl_key_file: /path/to/ssl_key_file
153

154
    # Whether server will request client for a certificate
155
    ssl_require_client_auth: false
156

157
    # The following file is used only if ssl_require_client_auth=1
158
    ssl_ca_cert_file: /path/to/ssl_ca_cert_file
159

160
    # Default compression algorithm (applied if client doesn't specify another algorithm).
161
    # Supported algorithms: none, deflate, gzip, stream_gzip
162
    compression: deflate
163

164
    # Default compression level (applied if client doesn't specify another level).
165
    # Supported levels: none, low, medium, high
166
    compression_level: medium
167

168
    # Send/receive message size limits in bytes. -1 means unlimited
169
    max_send_message_size: -1
170
    max_receive_message_size: -1
171

172
    # Enable if you want very detailed logs
173
    verbose_logs: false
174

175
# Used with https_port and tcp_port_secure. Full ssl options list: https://github.com/ClickHouse-Extras/poco/blob/master/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h#L71
176
openSSL:
177
    server:
178
        # Used for https server AND secure tcp port
179
        # openssl req -subj "/CN=localhost" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/clickhouse-server/server.key -out /etc/clickhouse-server/server.crt
180
        # certificateFile: /etc/clickhouse-server/server.crt
181
        # privateKeyFile: /etc/clickhouse-server/server.key
182

183
        # dhparams are optional. You can delete the dhParamsFile: element.
184
        # To generate dhparams, use the following command:
185
        # openssl dhparam -out /etc/clickhouse-server/dhparam.pem 4096
186
        # Only file format with BEGIN DH PARAMETERS is supported.
187
        dhParamsFile: /etc/clickhouse-server/dhparam.pem
188
        verificationMode: none
189
        loadDefaultCAFile: true
190
        cacheSessions: true
191
        disableProtocols: 'sslv2,sslv3'
192
        preferServerCiphers: true
193
    client:
194
        # Used for connecting to https dictionary source and secured Zookeeper communication
195
        loadDefaultCAFile: true
196
        cacheSessions: true
197
        disableProtocols: 'sslv2,sslv3'
198
        preferServerCiphers: true
199

200
        # Use for self-signed: verificationMode: none
201
        invalidCertificateHandler:
202
            # Use for self-signed: name: AcceptCertificateHandler
203
            name: RejectCertificateHandler
204

205
# Default root page on http[s] server. For example load UI from https://tabix.io/ when opening http://localhost:8123
206
# http_server_default_response: |-
207
#     <html ng-app="SMI2"><head><base href="http://ui.tabix.io/"></head><body><div ui-view="" class="content-ui"></div><script src="http://loader.tabix.io/master.js"></script></body></html>
208

209
# Maximum number of concurrent queries.
210
max_concurrent_queries: 100
211

212
# Maximum memory usage (resident set size) for server process.
213
# Zero value or unset means default. Default is "max_server_memory_usage_to_ram_ratio" of available physical RAM.
214
# If the value is larger than "max_server_memory_usage_to_ram_ratio" of available physical RAM, it will be cut down.
215

216
# The constraint is checked on query execution time.
217
# If a query tries to allocate memory and the current memory usage plus allocation is greater
218
# than specified threshold, exception will be thrown.
219

220
# It is not practical to set this constraint to small values like just a few gigabytes,
221
# because memory allocator will keep this amount of memory in caches and the server will deny service of queries.
222
max_server_memory_usage: 0
223

224
# Maximum number of threads in the Global thread pool.
225
# This will default to a maximum of 10000 threads if not specified.
226
# This setting will be useful in scenarios where there are a large number
227
# of distributed queries that are running concurrently but are idling most
228
# of the time, in which case a higher number of threads might be required.
229
max_thread_pool_size: 10000
230

231
# On memory constrained environments you may have to set this to value larger than 1.
232
max_server_memory_usage_to_ram_ratio: 0.9
233

234
# Simple server-wide memory profiler. Collect a stack trace at every peak allocation step (in bytes).
235
# Data will be stored in system.trace_log table with query_id = empty string.
236
# Zero means disabled.
237
total_memory_profiler_step: 4194304
238

239
# Collect random allocations and deallocations and write them into system.trace_log with 'MemorySample' trace_type.
240
# The probability is for every alloc/free regardless to the size of the allocation.
241
# Note that sampling happens only when the amount of untracked memory exceeds the untracked memory limit,
242
# which is 4 MiB by default but can be lowered if 'total_memory_profiler_step' is lowered.
243
# You may want to set 'total_memory_profiler_step' to 1 for extra fine grained sampling.
244
total_memory_tracker_sample_probability: 0
245

246
# Set limit on number of open files (default: maximum). This setting makes sense on Mac OS X because getrlimit() fails to retrieve
247
# correct maximum value.
248
# max_open_files: 262144
249

250
# Size of cache of uncompressed blocks of data, used in tables of MergeTree family.
251
# In bytes. Cache is single for server. Memory is allocated only on demand.
252
# Cache is used when 'use_uncompressed_cache' user setting turned on (off by default).
253
# Uncompressed cache is advantageous only for very short queries and in rare cases.
254

255
# Note: uncompressed cache can be pointless for lz4, because memory bandwidth
256
# is slower than multi-core decompression on some server configurations.
257
# Enabling it can sometimes paradoxically make queries slower.
258
uncompressed_cache_size: 8589934592
259

260
# Approximate size of mark cache, used in tables of MergeTree family.
261
# In bytes. Cache is single for server. Memory is allocated only on demand.
262
# You should not lower this value.
263
mark_cache_size: 5368709120
264

265
# If you enable the `min_bytes_to_use_mmap_io` setting,
266
# the data in MergeTree tables can be read with mmap to avoid copying from kernel to userspace.
267
# It makes sense only for large files and helps only if data reside in page cache.
268
# To avoid frequent open/mmap/munmap/close calls (which are very expensive due to consequent page faults)
269
# and to reuse mappings from several threads and queries,
270
# the cache of mapped files is maintained. Its size is the number of mapped regions (usually equal to the number of mapped files).
271
# The amount of data in mapped files can be monitored
272
# in system.metrics, system.metric_log by the MMappedFiles, MMappedFileBytes metrics
273
# and in system.asynchronous_metrics, system.asynchronous_metrics_log by the MMapCacheCells metric,
274
# and also in system.events, system.processes, system.query_log, system.query_thread_log, system.query_views_log by the
275
# CreatedReadBufferMMap, CreatedReadBufferMMapFailed, MMappedFileCacheHits, MMappedFileCacheMisses events.
276
# Note that the amount of data in mapped files does not consume memory directly and is not accounted
277
# in query or server memory usage - because this memory can be discarded similar to OS page cache.
278
# The cache is dropped (the files are closed) automatically on removal of old parts in MergeTree,
279
# also it can be dropped manually by the SYSTEM DROP MMAP CACHE query.
280
mmap_cache_size: 1000
281

282
# Cache size in bytes for compiled expressions.
283
compiled_expression_cache_size: 134217728
284

285
# Cache size in elements for compiled expressions.
286
compiled_expression_cache_elements_size: 10000
287

288
# Path to data directory, with trailing slash.
289
path: /var/lib/clickhouse/
290

291
# Path to temporary data for processing hard queries.
292
tmp_path: /var/lib/clickhouse/tmp/
293

294
# Policy from the <storage_configuration> for the temporary files.
295
# If not set <tmp_path> is used, otherwise <tmp_path> is ignored.
296

297
# Notes:
298
# - move_factor              is ignored
299
# - keep_free_space_bytes    is ignored
300
# - max_data_part_size_bytes is ignored
301
# - you must have exactly one volume in that policy
302
# tmp_policy: tmp
303

304
# Directory with user provided files that are accessible by 'file' table function.
305
user_files_path: /var/lib/clickhouse/user_files/
306

307
# LDAP server definitions.
308
ldap_servers: ''
309

310
# List LDAP servers with their connection parameters here to later 1) use them as authenticators for dedicated local users,
311
# who have 'ldap' authentication mechanism specified instead of 'password', or to 2) use them as remote user directories.
312
# Parameters:
313
# host - LDAP server hostname or IP, this parameter is mandatory and cannot be empty.
314
# port - LDAP server port, default is 636 if enable_tls is set to true, 389 otherwise.
315
# bind_dn - template used to construct the DN to bind to.
316
# The resulting DN will be constructed by replacing all '{user_name}' substrings of the template with the actual
317
# user name during each authentication attempt.
318
# user_dn_detection - section with LDAP search parameters for detecting the actual user DN of the bound user.
319
# This is mainly used in search filters for further role mapping when the server is Active Directory. The
320
# resulting user DN will be used when replacing '{user_dn}' substrings wherever they are allowed. By default,
321
# user DN is set equal to bind DN, but once search is performed, it will be updated with to the actual detected
322
# user DN value.
323
# base_dn - template used to construct the base DN for the LDAP search.
324
# The resulting DN will be constructed by replacing all '{user_name}' and '{bind_dn}' substrings
325
# of the template with the actual user name and bind DN during the LDAP search.
326
# scope - scope of the LDAP search.
327
# Accepted values are: 'base', 'one_level', 'children', 'subtree' (the default).
328
# search_filter - template used to construct the search filter for the LDAP search.
329
# The resulting filter will be constructed by replacing all '{user_name}', '{bind_dn}', and '{base_dn}'
330
# substrings of the template with the actual user name, bind DN, and base DN during the LDAP search.
331
# Note, that the special characters must be escaped properly in XML.
332
# verification_cooldown - a period of time, in seconds, after a successful bind attempt, during which a user will be assumed
333
# to be successfully authenticated for all consecutive requests without contacting the LDAP server.
334
# Specify 0 (the default) to disable caching and force contacting the LDAP server for each authentication request.
335
# enable_tls - flag to trigger use of secure connection to the LDAP server.
336
# Specify 'no' for plain text (ldap://) protocol (not recommended).
337
# Specify 'yes' for LDAP over SSL/TLS (ldaps://) protocol (recommended, the default).
338
# Specify 'starttls' for legacy StartTLS protocol (plain text (ldap://) protocol, upgraded to TLS).
339
# tls_minimum_protocol_version - the minimum protocol version of SSL/TLS.
340
# Accepted values are: 'ssl2', 'ssl3', 'tls1.0', 'tls1.1', 'tls1.2' (the default).
341
# tls_require_cert - SSL/TLS peer certificate verification behavior.
342
# Accepted values are: 'never', 'allow', 'try', 'demand' (the default).
343
# tls_cert_file - path to certificate file.
344
# tls_key_file - path to certificate key file.
345
# tls_ca_cert_file - path to CA certificate file.
346
# tls_ca_cert_dir - path to the directory containing CA certificates.
347
# tls_cipher_suite - allowed cipher suite (in OpenSSL notation).
348
# Example:
349
# my_ldap_server:
350
#     host: localhost
351
#     port: 636
352
#     bind_dn: 'uid={user_name},ou=users,dc=example,dc=com'
353
#     verification_cooldown: 300
354
#     enable_tls: yes
355
#     tls_minimum_protocol_version: tls1.2
356
#     tls_require_cert: demand
357
#     tls_cert_file: /path/to/tls_cert_file
358
#     tls_key_file: /path/to/tls_key_file
359
#     tls_ca_cert_file: /path/to/tls_ca_cert_file
360
#     tls_ca_cert_dir: /path/to/tls_ca_cert_dir
361
#     tls_cipher_suite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384
362

363
# Example (typical Active Directory with configured user DN detection for further role mapping):
364
# my_ad_server:
365
#     host: localhost
366
#     port: 389
367
#     bind_dn: 'EXAMPLE\{user_name}'
368
#     user_dn_detection:
369
#         base_dn: CN=Users,DC=example,DC=com
370
#         search_filter: '(&amp;(objectClass=user)(sAMAccountName={user_name}))'
371
#     enable_tls: no
372

373
# To enable Kerberos authentication support for HTTP requests (GSS-SPNEGO), for those users who are explicitly configured
374
# to authenticate via Kerberos, define a single 'kerberos' section here.
375
# Parameters:
376
# principal - canonical service principal name, that will be acquired and used when accepting security contexts.
377
# This parameter is optional, if omitted, the default principal will be used.
378
# This parameter cannot be specified together with 'realm' parameter.
379
# realm - a realm, that will be used to restrict authentication to only those requests whose initiator's realm matches it.
380
# This parameter is optional, if omitted, no additional filtering by realm will be applied.
381
# This parameter cannot be specified together with 'principal' parameter.
382
# Example:
383
# kerberos: ''
384

385
# Example:
386
# kerberos:
387
#     principal: HTTP/clickhouse.example.com@EXAMPLE.COM
388

389
# Example:
390
# kerberos:
391
#     realm: EXAMPLE.COM
392

393
# Sources to read users, roles, access rights, profiles of settings, quotas.
394
user_directories:
395
    users_xml:
396
        # Path to configuration file with predefined users.
397
        path: users.yaml
398
    local_directory:
399
        # Path to folder where users created by SQL commands are stored.
400
        path: /var/lib/clickhouse/access/
401

402
#   # To add an LDAP server as a remote user directory of users that are not defined locally, define a single 'ldap' section
403
#   # with the following parameters:
404
#   # server - one of LDAP server names defined in 'ldap_servers' config section above.
405
#   # This parameter is mandatory and cannot be empty.
406
#   # roles - section with a list of locally defined roles that will be assigned to each user retrieved from the LDAP server.
407
#   # If no roles are specified here or assigned during role mapping (below), user will not be able to perform any
408
#   # actions after authentication.
409
#   # role_mapping - section with LDAP search parameters and mapping rules.
410
#   # When a user authenticates, while still bound to LDAP, an LDAP search is performed using search_filter and the
411
#   # name of the logged in user. For each entry found during that search, the value of the specified attribute is
412
#   # extracted. For each attribute value that has the specified prefix, the prefix is removed, and the rest of the
413
#   # value becomes the name of a local role defined in ClickHouse, which is expected to be created beforehand by
414
#   # CREATE ROLE command.
415
#   # There can be multiple 'role_mapping' sections defined inside the same 'ldap' section. All of them will be
416
#   # applied.
417
#   # base_dn - template used to construct the base DN for the LDAP search.
418
#   # The resulting DN will be constructed by replacing all '{user_name}', '{bind_dn}', and '{user_dn}'
419
#   # substrings of the template with the actual user name, bind DN, and user DN during each LDAP search.
420
#   # scope - scope of the LDAP search.
421
#   # Accepted values are: 'base', 'one_level', 'children', 'subtree' (the default).
422
#   # search_filter - template used to construct the search filter for the LDAP search.
423
#   # The resulting filter will be constructed by replacing all '{user_name}', '{bind_dn}', '{user_dn}', and
424
#   # '{base_dn}' substrings of the template with the actual user name, bind DN, user DN, and base DN during
425
#   # each LDAP search.
426
#   # Note, that the special characters must be escaped properly in XML.
427
#   # attribute - attribute name whose values will be returned by the LDAP search. 'cn', by default.
428
#   # prefix - prefix, that will be expected to be in front of each string in the original list of strings returned by
429
#   # the LDAP search. Prefix will be removed from the original strings and resulting strings will be treated
430
#   # as local role names. Empty, by default.
431
#   # Example:
432
#   # ldap:
433
#   #     server: my_ldap_server
434
#   #     roles:
435
#   #         my_local_role1: ''
436
#   #         my_local_role2: ''
437
#   #     role_mapping:
438
#   #         base_dn: 'ou=groups,dc=example,dc=com'
439
#   #         scope: subtree
440
#   #         search_filter: '(&amp;(objectClass=groupOfNames)(member={bind_dn}))'
441
#   #         attribute: cn
442
#   #         prefix: clickhouse_
443
#   # Example (typical Active Directory with role mapping that relies on the detected user DN):
444
#   # ldap:
445
#   #     server: my_ad_server
446
#   #     role_mapping:
447
#   #         base_dn: 'CN=Users,DC=example,DC=com'
448
#   #         attribute: CN
449
#   #         scope: subtree
450
#   #         search_filter: '(&amp;(objectClass=group)(member={user_dn}))'
451
#   #         prefix: clickhouse_
452

453
# Default profile of settings.
454
default_profile: default
455

456
# Comma-separated list of prefixes for user-defined settings.
457
# custom_settings_prefixes: ''
458
# System profile of settings. This settings are used by internal processes (Distributed DDL worker and so on).
459
# system_profile: default
460

461
# Buffer profile of settings.
462
# This settings are used by Buffer storage to flush data to the underlying table.
463
# Default: used from system_profile directive.
464
# buffer_profile: default
465

466
# Default database.
467
default_database: default
468

469
# Server time zone could be set here.
470

471
# Time zone is used when converting between String and DateTime types,
472
# when printing DateTime in text formats and parsing DateTime from text,
473
# it is used in date and time related functions, if specific time zone was not passed as an argument.
474

475
# Time zone is specified as identifier from IANA time zone database, like UTC or Africa/Abidjan.
476
# If not specified, system time zone at server startup is used.
477

478
# Please note, that server could display time zone alias instead of specified name.
479
# Example: Zulu is an alias for UTC.
480
# timezone: UTC
481

482
# You can specify umask here (see "man umask"). Server will apply it on startup.
483
# Number is always parsed as octal. Default umask is 027 (other users cannot read logs, data files, etc; group can only read).
484
# umask: 022
485

486
# Perform mlockall after startup to lower first queries latency
487
# and to prevent clickhouse executable from being paged out under high IO load.
488
# Enabling this option is recommended but will lead to increased startup time for up to a few seconds.
489
mlock_executable: true
490

491
# Reallocate memory for machine code ("text") using huge pages. Highly experimental.
492
remap_executable: false
493

494
# Uncomment below in order to use JDBC table engine and function.
495
# To install and run JDBC bridge in background:
496
# * [Debian/Ubuntu]
497
# export MVN_URL=https://repo1.maven.org/maven2/ru/yandex/clickhouse/clickhouse-jdbc-bridge
498
# export PKG_VER=$(curl -sL $MVN_URL/maven-metadata.xml | grep '<release>' | sed -e 's|.*>\(.*\)<.*|\1|')
499
# wget https://github.com/ClickHouse/clickhouse-jdbc-bridge/releases/download/v$PKG_VER/clickhouse-jdbc-bridge_$PKG_VER-1_all.deb
500
# apt install --no-install-recommends -f ./clickhouse-jdbc-bridge_$PKG_VER-1_all.deb
501
# clickhouse-jdbc-bridge &
502
# * [CentOS/RHEL]
503
# export MVN_URL=https://repo1.maven.org/maven2/ru/yandex/clickhouse/clickhouse-jdbc-bridge
504
# export PKG_VER=$(curl -sL $MVN_URL/maven-metadata.xml | grep '<release>' | sed -e 's|.*>\(.*\)<.*|\1|')
505
# wget https://github.com/ClickHouse/clickhouse-jdbc-bridge/releases/download/v$PKG_VER/clickhouse-jdbc-bridge-$PKG_VER-1.noarch.rpm
506
# yum localinstall -y clickhouse-jdbc-bridge-$PKG_VER-1.noarch.rpm
507
# clickhouse-jdbc-bridge &
508
# Please refer to https://github.com/ClickHouse/clickhouse-jdbc-bridge#usage for more information.
509

510
# jdbc_bridge:
511
#     host: 127.0.0.1
512
#     port: 9019
513

514
# Configuration of clusters that could be used in Distributed tables.
515
# https://clickhouse.com/docs/en/operations/table_engines/distributed/
516
remote_servers:
517
    # Test only shard config for testing distributed storage
518
    default:
519
        # Inter-server per-cluster secret for Distributed queries
520
        # default: no secret (no authentication will be performed)
521

522
        # If set, then Distributed queries will be validated on shards, so at least:
523
        # - such cluster should exist on the shard,
524
        # - such cluster should have the same secret.
525

526
        # And also (and which is more important), the initial_user will
527
        # be used as current user for the query.
528

529
        # Right now the protocol is pretty simple and it only takes into account:
530
        # - cluster name
531
        # - query
532

533
        # Also it will be nice if the following will be implemented:
534
        # - source hostname (see interserver_http_host), but then it will depends from DNS,
535
        # it can use IP address instead, but then the you need to get correct on the initiator node.
536
        # - target hostname / ip address (same notes as for source hostname)
537
        # - time-based security tokens
538
        # secret: ''
539
        shard:
540
            # Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas).
541
            # internal_replication: false
542
            # Optional. Shard weight when writing data. Default: 1.
543
            # weight: 1
544
            replica:
545
                host: localhost
546
                port: 9000
547
                # Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority).
548
                # priority: 1
549
                # Use SSL? Default: no
550
                # secure: 0
551

552
# The list of hosts allowed to use in URL-related storage engines and table functions.
553
# If this section is not present in configuration, all hosts are allowed.
554
# remote_url_allow_hosts:
555

556
# Host should be specified exactly as in URL. The name is checked before DNS resolution.
557
# Example: "clickhouse.com", "clickhouse.com." and "www.clickhouse.com" are different hosts.
558
# If port is explicitly specified in URL, the host:port is checked as a whole.
559
# If host specified here without port, any port with this host allowed.
560
# "clickhouse.com" -> "clickhouse.com:443", "clickhouse.com:80" etc. is allowed, but "clickhouse.com:80" -> only "clickhouse.com:80" is allowed.
561
# If the host is specified as IP address, it is checked as specified in URL. Example: "[2a02:6b8:a::a]".
562
# If there are redirects and support for redirects is enabled, every redirect (the Location field) is checked.
563

564
# Regular expression can be specified. RE2 engine is used for regexps.
565
# Regexps are not aligned: don't forget to add ^ and $. Also don't forget to escape dot (.) metacharacter
566
# (forgetting to do so is a common source of error).
567

568
# If element has 'incl' attribute, then for it's value will be used corresponding substitution from another file.
569
# By default, path to file with substitutions is /etc/metrika.xml. It could be changed in config in 'include_from' element.
570
# Values for substitutions are specified in /clickhouse/name_of_substitution elements in that file.
571

572
# ZooKeeper is used to store metadata about replicas, when using Replicated tables.
573
# Optional. If you don't use replicated tables, you could omit that.
574
# See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
575

576
# zookeeper:
577
#     - node:
578
#         host: example1
579
#         port: 2181
580
#     - node:
581
#         host: example2
582
#         port: 2181
583
#     - node:
584
#         host: example3
585
#         port: 2181
586

587
# Substitutions for parameters of replicated tables.
588
# Optional. If you don't use replicated tables, you could omit that.
589
# See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/#creating-replicated-tables
590
# macros:
591
#     shard: 01
592
#     replica: example01-01-1
593

594
# Reloading interval for embedded dictionaries, in seconds. Default: 3600.
595
builtin_dictionaries_reload_interval: 3600
596

597
# Maximum session timeout, in seconds. Default: 3600.
598
max_session_timeout: 3600
599

600
# Default session timeout, in seconds. Default: 60.
601
default_session_timeout: 60
602

603
# Sending data to Graphite for monitoring. Several sections can be defined.
604
# interval - send every X second
605
# root_path - prefix for keys
606
# hostname_in_path - append hostname to root_path (default = true)
607
# metrics - send data from table system.metrics
608
# events - send data from table system.events
609
# asynchronous_metrics - send data from table system.asynchronous_metrics
610

611
# graphite:
612
#     host: localhost
613
#     port: 42000
614
#     timeout: 0.1
615
#     interval: 60
616
#     root_path: one_min
617
#     hostname_in_path: true
618

619
#     metrics: true
620
#     events: true
621
#     events_cumulative: false
622
#     asynchronous_metrics: true
623

624
# graphite:
625
#     host: localhost
626
#     port: 42000
627
#     timeout: 0.1
628
#     interval: 1
629
#     root_path: one_sec
630

631
#     metrics: true
632
#     events: true
633
#     events_cumulative: false
634
#     asynchronous_metrics: false
635

636
# Serve endpoint for Prometheus monitoring.
637
# endpoint - mertics path (relative to root, statring with "/")
638
# port - port to setup server. If not defined or 0 than http_port used
639
# metrics - send data from table system.metrics
640
# events - send data from table system.events
641
# asynchronous_metrics - send data from table system.asynchronous_metrics
642

643
# prometheus:
644
#     endpoint: /metrics
645
#     port: 9363
646

647
#     metrics: true
648
#     events: true
649
#     asynchronous_metrics: true
650

651
# Query log. Used only for queries with setting log_queries = 1.
652
query_log:
653
    # What table to insert data. If table is not exist, it will be created.
654
    # When query log structure is changed after system update,
655
    # then old table will be renamed and new table will be created automatically.
656
    database: system
657
    table: query_log
658

659
    # PARTITION BY expr: https://clickhouse.com/docs/en/table_engines/mergetree-family/custom_partitioning_key/
660
    # Example:
661
    # event_date
662
    # toMonday(event_date)
663
    # toYYYYMM(event_date)
664
    # toStartOfHour(event_time)
665
    partition_by: toYYYYMM(event_date)
666

667
    # Table TTL specification: https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/mergetree/#mergetree-table-ttl
668
    # Example:
669
    # event_date + INTERVAL 1 WEEK
670
    # event_date + INTERVAL 7 DAY DELETE
671
    # event_date + INTERVAL 2 WEEK TO DISK 'bbb'
672

673
    # ttl: 'event_date + INTERVAL 30 DAY DELETE'
674

675
    # Instead of partition_by, you can provide full engine expression (starting with ENGINE = ) with parameters,
676
    # Example: engine: 'ENGINE = MergeTree PARTITION BY toYYYYMM(event_date) ORDER BY (event_date, event_time) SETTINGS index_granularity = 1024'
677

678
    # Interval of flushing data.
679
    flush_interval_milliseconds: 7500
680

681
# Trace log. Stores stack traces collected by query profilers.
682
# See query_profiler_real_time_period_ns and query_profiler_cpu_time_period_ns settings.
683
trace_log:
684
    database: system
685
    table: trace_log
686
    partition_by: toYYYYMM(event_date)
687
    flush_interval_milliseconds: 7500
688

689
# Query thread log. Has information about all threads participated in query execution.
690
# Used only for queries with setting log_query_threads = 1.
691
query_thread_log:
692
    database: system
693
    table: query_thread_log
694
    partition_by: toYYYYMM(event_date)
695
    flush_interval_milliseconds: 7500
696

697
# Query views log. Has information about all dependent views associated with a query.
698
# Used only for queries with setting log_query_views = 1.
699
query_views_log:
700
    database: system
701
    table: query_views_log
702
    partition_by: toYYYYMM(event_date)
703
    flush_interval_milliseconds: 7500
704

705
# Uncomment if use part log.
706
# Part log contains information about all actions with parts in MergeTree tables (creation, deletion, merges, downloads).
707
part_log:
708
    database: system
709
    table: part_log
710
    partition_by: toYYYYMM(event_date)
711
    flush_interval_milliseconds: 7500
712

713
# Uncomment to write text log into table.
714
# Text log contains all information from usual server log but stores it in structured and efficient way.
715
# The level of the messages that goes to the table can be limited (<level>), if not specified all messages will go to the table.
716
# text_log:
717
#     database: system
718
#     table: text_log
719
#     flush_interval_milliseconds: 7500
720
#     level: ''
721

722
# Metric log contains rows with current values of ProfileEvents, CurrentMetrics collected with "collect_interval_milliseconds" interval.
723
metric_log:
724
    database: system
725
    table: metric_log
726
    flush_interval_milliseconds: 7500
727
    collect_interval_milliseconds: 1000
728

729
# Asynchronous metric log contains values of metrics from
730
# system.asynchronous_metrics.
731
asynchronous_metric_log:
732
    database: system
733
    table: asynchronous_metric_log
734

735
    # Asynchronous metrics are updated once a minute, so there is
736
    # no need to flush more often.
737
    flush_interval_milliseconds: 60000
738

739
# OpenTelemetry log contains OpenTelemetry trace spans.
740
opentelemetry_span_log:
741

742
    # The default table creation code is insufficient, this <engine> spec
743
    # is a workaround. There is no 'event_time' for this log, but two times,
744
    # start and finish. It is sorted by finish time, to avoid inserting
745
    # data too far away in the past (probably we can sometimes insert a span
746
    # that is seconds earlier than the last span in the table, due to a race
747
    # between several spans inserted in parallel). This gives the spans a
748
    # global order that we can use to e.g. retry insertion into some external
749
    # system.
750
    engine: |-
751
        engine MergeTree
752
             partition by toYYYYMM(finish_date)
753
             order by (finish_date, finish_time_us, trace_id)
754
    database: system
755
    table: opentelemetry_span_log
756
    flush_interval_milliseconds: 7500
757

758
# Crash log. Stores stack traces for fatal errors.
759
# This table is normally empty.
760
crash_log:
761
    database: system
762
    table: crash_log
763
    partition_by: ''
764
    flush_interval_milliseconds: 1000
765

766
# top_level_domains_path: /var/lib/clickhouse/top_level_domains/
767
# Custom TLD lists.
768
# Format: name: /path/to/file
769

770
# Changes will not be applied w/o server restart.
771
# Path to the list is under top_level_domains_path (see above).
772
top_level_domains_lists: ''
773

774
# public_suffix_list: /path/to/public_suffix_list.dat
775

776
# Configuration of external dictionaries. See:
777
# https://clickhouse.com/docs/en/sql-reference/dictionaries/external-dictionaries/external-dicts
778
dictionaries_config: '*_dictionary.xml'
779

780
# Uncomment if you want data to be compressed 30-100% better.
781
# Don't do that if you just started using ClickHouse.
782

783
# compression:
784
#     # Set of variants. Checked in order. Last matching case wins. If nothing matches, lz4 will be used.
785
#     case:
786
#         Conditions. All must be satisfied. Some conditions may be omitted.
787
#         # min_part_size: 10000000000    # Min part size in bytes.
788
#         # min_part_size_ratio: 0.01     # Min size of part relative to whole table size.
789
#         # What compression method to use.
790
#         method: zstd
791

792
# Allow to execute distributed DDL queries (CREATE, DROP, ALTER, RENAME) on cluster.
793
# Works only if ZooKeeper is enabled. Comment it if such functionality isn't required.
794
distributed_ddl:
795
    # Path in ZooKeeper to queue with DDL queries
796
    path: /clickhouse/task_queue/ddl
797

798
    # Settings from this profile will be used to execute DDL queries
799
    # profile: default
800

801
    # Controls how much ON CLUSTER queries can be run simultaneously.
802
    # pool_size: 1
803

804
    # Cleanup settings (active tasks will not be removed)
805

806
    # Controls task TTL (default 1 week)
807
    # task_max_lifetime: 604800
808

809
    # Controls how often cleanup should be performed (in seconds)
810
    # cleanup_delay_period: 60
811

812
    # Controls how many tasks could be in the queue
813
    # max_tasks_in_queue: 1000
814

815
# Settings to fine tune MergeTree tables. See documentation in source code, in MergeTreeSettings.h
816
# merge_tree:
817
#     max_suspicious_broken_parts: 5
818

819
# Protection from accidental DROP.
820
# If size of a MergeTree table is greater than max_table_size_to_drop (in bytes) than table could not be dropped with any DROP query.
821
# If you want do delete one table and don't want to change clickhouse-server config, you could create special file <clickhouse-path>/flags/force_drop_table and make DROP once.
822
# By default max_table_size_to_drop is 50GB; max_table_size_to_drop=0 allows to DROP any tables.
823
# The same for max_partition_size_to_drop.
824
# Uncomment to disable protection.
825

826
# max_table_size_to_drop: 0
827
# max_partition_size_to_drop: 0
828

829
# Example of parameters for GraphiteMergeTree table engine
830
graphite_rollup_example:
831
    pattern:
832
        regexp: click_cost
833
        function: any
834
        retention:
835
            - age: 0
836
              precision: 3600
837
            - age: 86400
838
              precision: 60
839
    default:
840
        function: max
841
        retention:
842
            - age: 0
843
              precision: 60
844
            - age: 3600
845
              precision: 300
846
            - age: 86400
847
              precision: 3600
848

849
# Directory in <clickhouse-path> containing schema files for various input formats.
850
# The directory will be created if it doesn't exist.
851
format_schema_path: /var/lib/clickhouse/format_schemas/
852

853
# Default query masking rules, matching lines would be replaced with something else in the logs
854
# (both text logs and system.query_log).
855
# name - name for the rule (optional)
856
# regexp - RE2 compatible regular expression (mandatory)
857
# replace - substitution string for sensitive data (optional, by default - six asterisks)
858
query_masking_rules:
859
    rule:
860
        name: hide encrypt/decrypt arguments
861
        regexp: '((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:''(?:\\''|.)+''|.*?)\s*\)'
862
        # or more secure, but also more invasive:
863
        # (aes_\w+)\s*\(.*\)
864
        replace: \1(???)
865

866
# Uncomment to use custom http handlers.
867
# rules are checked from top to bottom, first match runs the handler
868
# url - to match request URL, you can use 'regex:' prefix to use regex match(optional)
869
# methods - to match request method, you can use commas to separate multiple method matches(optional)
870
# headers - to match request headers, match each child element(child element name is header name), you can use 'regex:' prefix to use regex match(optional)
871
# handler is request handler
872
# type - supported types: static, dynamic_query_handler, predefined_query_handler
873
# query - use with predefined_query_handler type, executes query when the handler is called
874
# query_param_name - use with dynamic_query_handler type, extracts and executes the value corresponding to the <query_param_name> value in HTTP request params
875
# status - use with static type, response status code
876
# content_type - use with static type, response content-type
877
# response_content - use with static type, Response content sent to client, when using the prefix 'file://' or 'config://', find the content from the file or configuration send to client.
878

879
# http_handlers:
880
#     - rule:
881
#         url: /
882
#         methods: POST,GET
883
#         headers:
884
#           pragma: no-cache
885
#         handler:
886
#           type: dynamic_query_handler
887
#           query_param_name: query
888
#     - rule:
889
#         url: /predefined_query
890
#         methods: POST,GET
891
#         handler:
892
#           type: predefined_query_handler
893
#           query: 'SELECT * FROM system.settings'
894
#     - rule:
895
#         handler:
896
#           type: static
897
#           status: 200
898
#           content_type: 'text/plain; charset=UTF-8'
899
#           response_content: config://http_server_default_response
900

901
send_crash_reports:
902
    # Changing <enabled> to true allows sending crash reports to
903
    # the ClickHouse core developers team via Sentry https://sentry.io
904
    # Doing so at least in pre-production environments is highly appreciated
905
    enabled: false
906
    # Change <anonymize> to true if you don't feel comfortable attaching the server hostname to the crash report
907
    anonymize: false
908
    # Default endpoint should be changed to different Sentry DSN only if you have
909
    # some in-house engineers or hired consultants who're going to debug ClickHouse issues for you
910
    endpoint: 'https://6f33034cfe684dd7a3ab9875e57b1c8d@o388870.ingest.sentry.io/5226277'
911
    # Uncomment to disable ClickHouse internal DNS caching.
912
    # disable_internal_dns_cache: 1
913