Clickhouse

Configuring the Veza integration for ClickHouse.

Last updated 6 months ago

Was this helpful?

Clickhouse

Configuring the Veza integration for ClickHouse.

Overview

ClickHouse is a high-performance columnar database management system (DBMS) optimized for Online Analytical Processing (OLAP). The Veza integration for ClickHouse Cloud enables discovery of users, roles, and services configured for your organization, providing visibility into what human and non-human identities have permissions on ClickHouse data and settings.

Prerequisites

A ClickHouse Cloud account
Administrator access to create API keys in ClickHouse
A Developer API key with permissions to read organization metadata
Note: The integration currently supports connecting to a single organization only

Configuring the Veza integration for ClickHouse

Retrieve a ClickHouse API Key

In the ClickHouse Cloud Console, select API Keys from the left menu.
Click New API Key in the top-right corner. For new accounts, you'll see a prompt to create your first key.
Configure the API key:
- Enter a descriptive Key Name
- For Organization Permissions, select Developer
- Set an appropriate expiration time
Click Generate API Key
Copy and securely store both the Key ID and Key Secret. These values cannot be retrieved after leaving this page.

Add the ClickHouse Integration to Veza

Browse to your Veza instance
In the left navigation, choose Integrations
Click Add Integration and select ClickHouse
Enter the following values:
- Client ID: The Key ID from your ClickHouse API key
- Client Secret: The Key Secret from your ClickHouse API key
Click Create Integration to save your changes

Notes and Supported Entities

Organization Level Properties

The integration captures organization-level metadata for a ClickHouse Cloud deployment. Note that the integration currently supports connecting to a single organization only.

Veza Field Name

Description

Property Type

organization_id

Unique identifier for your ClickHouse organization

Application Custom Property

organization_name

Display name of your ClickHouse organization

Application Custom Property

created_at

Organization creation timestamp in ISO-8601 format

Application Custom Property

Users

Users represent members of your ClickHouse organization who can access and manage services. Each user is assigned either an Admin or Developer role, which determines their access to services and organization settings.

Veza Field Name

Description

Property Type

id

The user's unique identifier

LocalUser Property

name

User's display name

LocalUser Property

email

User's email address

LocalUser Property

created_at

When the user joined the organization (ISO-8601 format)

LocalUser Property

Role Assignment:

Users with role "admin" are assigned the Admin role with full access to all services
All other users are automatically assigned the Developer role with selective service access

Services

Services represent individual ClickHouse database instances within your organization. Each service represents a deployable database with specific configuration options across cloud providers and regions.

Veza Field Name

Description

Property Type

id

Unique identifier for the service

Resource ID

name

Display name of the service

Resource Name

provider

Cloud provider where service is deployed (aws, gcp, azure)

CustomResource Property

region

Cloud region where service is deployed

CustomResource Property

state

Current operational state of the service

CustomResource Property

tier

Service tier determining scaling capabilities

CustomResource Property

is_primary

Whether this is the primary service

CustomResource Property

created_at

Service creation timestamp (ISO-8601 format)

CustomResource Property

Service Tiers:

development: Fixed-size instances with limited scaling (not available on Azure)
production: Fully scalable instances
dedicated_high_mem: Memory-optimized instances
dedicated_high_cpu: Compute-optimized instances

Roles

ClickHouse uses a role-based access control (RBAC) system with two predefined roles:

Admin: Full administrative access to all services and organization settings
Developer: Limited access focused on service usage and monitoring

Permissions

The integration maps ClickHouse system permissions to standardized Veza permission types. These mappings include:

Service Management:

View service: DataRead, MetadataRead
Create service: DataCreate, MetadataCreate
Delete service: DataDelete, MetadataDelete
Stop service: DataWrite, MetadataWrite
Restart service: DataWrite, MetadataWrite
Reset service password: DataWrite, MetadataWrite
View service metrics: DataRead, MetadataRead

Access Management:

View API key records: DataRead, MetadataRead
Create API key: DataCreate, MetadataCreate
Delete API key: DataDelete, MetadataDelete
View users: DataRead, MetadataRead
Invite users: DataCreate, MetadataCreate
Change user role: DataWrite, MetadataWrite
Delete users: DataDelete, MetadataDelete

Organization Management:

View billing: DataRead, MetadataRead
Manage billing: DataRead, DataWrite, DataCreate, DataDelete, MetadataRead, MetadataWrite, MetadataCreate, MetadataDelete
View organization activity: DataRead, MetadataRead
Submit support requests: DataCreate, MetadataCreate
View integrations: DataRead, MetadataRead

PreviousCisco Duo NextConcur

Last updated 6 months ago

Was this helpful?

Overview

Prerequisites

A ClickHouse Cloud account
Administrator access to create API keys in ClickHouse
A Developer API key with permissions to read organization metadata
Note: The integration currently supports connecting to a single organization only

Configuring the Veza integration for ClickHouse

Retrieve a ClickHouse API Key

In the ClickHouse Cloud Console, select API Keys from the left menu.
Click New API Key in the top-right corner. For new accounts, you'll see a prompt to create your first key.
Configure the API key:
- Enter a descriptive Key Name
- For Organization Permissions, select Developer
- Set an appropriate expiration time
Click Generate API Key
Copy and securely store both the Key ID and Key Secret. These values cannot be retrieved after leaving this page.

Add the ClickHouse Integration to Veza

Browse to your Veza instance
In the left navigation, choose Integrations
Click Add Integration and select ClickHouse
Enter the following values:
- Client ID: The Key ID from your ClickHouse API key
- Client Secret: The Key Secret from your ClickHouse API key
Click Create Integration to save your changes

Notes and Supported Entities

Organization Level Properties

The integration captures organization-level metadata for a ClickHouse Cloud deployment. Note that the integration currently supports connecting to a single organization only.

Veza Field Name

Description

Property Type

organization_id

Unique identifier for your ClickHouse organization

Application Custom Property

organization_name

Display name of your ClickHouse organization

Application Custom Property

created_at

Organization creation timestamp in ISO-8601 format

Application Custom Property

Users

Veza Field Name

Description

Property Type

id

The user's unique identifier

LocalUser Property

name

User's display name

LocalUser Property

email

User's email address

LocalUser Property

created_at

When the user joined the organization (ISO-8601 format)

LocalUser Property

Role Assignment:

Users with role "admin" are assigned the Admin role with full access to all services
All other users are automatically assigned the Developer role with selective service access

Services

Veza Field Name

Description

Property Type

id

Unique identifier for the service

Resource ID

name

Display name of the service

Resource Name

provider

Cloud provider where service is deployed (aws, gcp, azure)

CustomResource Property

region

Cloud region where service is deployed

CustomResource Property

state

Current operational state of the service

CustomResource Property

tier

Service tier determining scaling capabilities

CustomResource Property

is_primary

Whether this is the primary service

CustomResource Property

created_at

Service creation timestamp (ISO-8601 format)

CustomResource Property

Service Tiers:

development: Fixed-size instances with limited scaling (not available on Azure)
production: Fully scalable instances
dedicated_high_mem: Memory-optimized instances
dedicated_high_cpu: Compute-optimized instances

Roles

ClickHouse uses a role-based access control (RBAC) system with two predefined roles:

Admin: Full administrative access to all services and organization settings
Developer: Limited access focused on service usage and monitoring

Permissions

The integration maps ClickHouse system permissions to standardized Veza permission types. These mappings include:

Service Management:

View service: DataRead, MetadataRead
Create service: DataCreate, MetadataCreate
Delete service: DataDelete, MetadataDelete
Stop service: DataWrite, MetadataWrite
Restart service: DataWrite, MetadataWrite
Reset service password: DataWrite, MetadataWrite
View service metrics: DataRead, MetadataRead

Access Management:

View API key records: DataRead, MetadataRead
Create API key: DataCreate, MetadataCreate
Delete API key: DataDelete, MetadataDelete
View users: DataRead, MetadataRead
Invite users: DataCreate, MetadataCreate
Change user role: DataWrite, MetadataWrite
Delete users: DataDelete, MetadataDelete

Organization Management:

View billing: DataRead, MetadataRead
Manage billing: DataRead, DataWrite, DataCreate, DataDelete, MetadataRead, MetadataWrite, MetadataCreate, MetadataDelete
View organization activity: DataRead, MetadataRead
Submit support requests: DataCreate, MetadataCreate
View integrations: DataRead, MetadataRead