Glossary
ClickHouse - An open-source, column-oriented DBMS for online analytical processing (OLAP). ClickVault manages users and credentials for ClickHouse clusters through the Vault database secrets engine.
Cluster (ClickHouse) - A multi-node ClickHouse deployment. When a connection config includes a cluster field, ClickVault automatically inserts ON CLUSTER '<name>' at the grammatically correct position in every generated DDL statement.
Creation statements - SQL statements in a dynamic role definition that create a new database user and grant the appropriate permissions. Required for every dynamic role; there is no built-in default.
Database secrets engine - A Vault secrets engine that generates dynamic database credentials on demand and manages the lifecycle of those credentials (creation, rotation, revocation).
DDL - Data Definition Language. SQL statements like CREATE USER, ALTER USER, DROP USER, GRANT, and REVOKE.
Dynamic role - A Vault database role that creates ephemeral ClickHouse users on demand. Each lease produces a unique user with a configurable TTL; the user is automatically dropped when the lease expires or is revoked.
Plugin RPC - The protocol buffer-based remote procedure call interface that Vault uses to communicate with database plugins. ClickVault implements the sdk/database/dbplugin/v5 interface.
Revocation statements - SQL statements that clean up a dynamic user. Defaults to DROP USER IF EXISTS "{{username}}" when not set in the role definition.
Rotation statements - SQL statements for static roles that change the user's password. Defaults to ALTER USER "{{username}}" IDENTIFIED WITH sha256_password BY '{{password}}'.
Static role - A Vault database role that manages an existing long-lived ClickHouse user. Vault rotates the user's password on a configurable schedule (the rotation_period).
Username template - A Go template string used to generate usernames for dynamic users. Supports .DisplayName, .RoleName, random N, unix_time, truncate N, and uppercase functions.
Vault - HashiCorp Vault, a tool for secrets management, encryption, and access control. ClickVault integrates with Vault's database secrets engine to manage ClickHouse credentials.