Glossary

ClickHouse - An open-source, column-oriented DBMS for online analytical processing (OLAP). ClickVault manages users and credentials for ClickHouse clusters through the Vault database secrets engine.

Cluster (ClickHouse) - A multi-node ClickHouse deployment. When a connection config includes a cluster field, ClickVault automatically inserts ON CLUSTER '<name>' at the grammatically correct position in every generated DDL statement.

Creation statements - SQL statements in a dynamic role definition that create a new database user and grant the appropriate permissions. Required for every dynamic role; there is no built-in default.

Database secrets engine - A Vault secrets engine that generates dynamic database credentials on demand and manages the lifecycle of those credentials (creation, rotation, revocation).

DDL - Data Definition Language. SQL statements like CREATE USER, ALTER USER, DROP USER, GRANT, and REVOKE.

Dynamic role - A Vault database role that creates ephemeral ClickHouse users on demand. Each lease produces a unique user with a configurable TTL; the user is automatically dropped when the lease expires or is revoked.

Plugin RPC - The protocol buffer-based remote procedure call interface that Vault uses to communicate with database plugins. ClickVault implements the sdk/database/dbplugin/v5 interface.

Revocation statements - SQL statements that clean up a dynamic user. Defaults to DROP USER IF EXISTS "{{username}}" when not set in the role definition.

Rotation statements - SQL statements for static roles that change the user's password. Defaults to ALTER USER "{{username}}" IDENTIFIED WITH sha256_password BY '{{password}}'.

Static role - A Vault database role that manages an existing long-lived ClickHouse user. Vault rotates the user's password on a configurable schedule (the rotation_period).

Username template - A Go template string used to generate usernames for dynamic users. Supports the .DisplayName and .RoleName fields and the random N, unix_time, truncate N, and uppercase functions.

Vault - HashiCorp Vault, a tool for secrets management, encryption, and access control. ClickVault integrates with Vault's database secrets engine to manage ClickHouse credentials.