ClickHouse
Configuring the Veza integration for ClickHouse.
ClickHouse is a high-performance columnar database management system (DBMS) optimized for Online Analytical Processing (OLAP). The Veza integration for ClickHouse Cloud discovers the users, roles, and services configured for your organization, providing visibility into which human and non-human identities have permissions on ClickHouse data and settings.
- A ClickHouse Cloud account
- Administrator access to create API keys in ClickHouse
- A Developer API key with permissions to read organization metadata

Note: The integration currently supports connecting to a single organization only.
1. In the ClickHouse Cloud Console, select API Keys from the left menu.
2. Click New API Key in the top-right corner. For new accounts, you'll see a prompt to create your first key.
3. Configure the API key:
   - Enter a descriptive Key Name
   - For Organization Permissions, select Developer
   - Set an appropriate expiration time
4. Click Generate API Key
5. Copy and securely store both the Key ID and Key Secret. These values cannot be retrieved after leaving this page.

1. Browse to your Veza instance
2. In the left navigation, choose Integrations
3. Click Add Integration and select ClickHouse
4. Enter the following values:
   - Client ID: The Key ID from your ClickHouse API key
   - Client Secret: The Key Secret from your ClickHouse API key
5. Click Create Integration to save your changes
The integration captures organization-level metadata for a ClickHouse Cloud deployment. Note that the integration currently supports connecting to a single organization only.
| Veza Field Name | Description | Property Type |
|---|---|---|
| | Unique identifier for your ClickHouse organization | Application Custom Property |
| | Display name of your ClickHouse organization | Application Custom Property |
| | Organization creation timestamp in ISO-8601 format | Application Custom Property |
Users represent members of your ClickHouse organization who can access and manage services. Each user is assigned either an Admin or Developer role, which determines their access to services and organization settings.
| Veza Field Name | Description | Property Type |
|---|---|---|
| | The user's unique identifier | LocalUser Property |
| | User's display name | LocalUser Property |
| | User's email address | LocalUser Property |
| | When the user joined the organization (ISO-8601 format) | LocalUser Property |
Role Assignment:
- Users with role "admin" are assigned the Admin role with full access to all services
- All other users are automatically assigned the Developer role with selective service access
Services represent individual ClickHouse database instances within your organization. Each service represents a deployable database with specific configuration options across cloud providers and regions.
| Veza Field Name | Description | Property Type |
|---|---|---|
| | Unique identifier for the service | Resource ID |
| | Display name of the service | Resource Name |
| | Cloud provider where service is deployed (aws, gcp, azure) | CustomResource Property |
| | Cloud region where service is deployed | CustomResource Property |
| | Current operational state of the service | CustomResource Property |
| | Service tier determining scaling capabilities | CustomResource Property |
| | Whether this is the primary service | CustomResource Property |
| | Service creation timestamp (ISO-8601 format) | CustomResource Property |
Service Tiers:
- development: Fixed-size instances with limited scaling (not available on Azure)
- production: Fully scalable instances
- dedicated_high_mem: Memory-optimized instances
- dedicated_high_cpu: Compute-optimized instances
ClickHouse uses a role-based access control (RBAC) system with two predefined roles:
- Admin: Full administrative access to all services and organization settings
- Developer: Limited access focused on service usage and monitoring
The integration maps ClickHouse system permissions to standardized Veza permission types. These mappings include:
Service Management:
- View service: DataRead, MetadataRead
- Create service: DataCreate, MetadataCreate
- Delete service: DataDelete, MetadataDelete
- Stop service: DataWrite, MetadataWrite
- Restart service: DataWrite, MetadataWrite
- Reset service password: DataWrite, MetadataWrite
- View service metrics: DataRead, MetadataRead

Access Management:
- View API key records: DataRead, MetadataRead
- Create API key: DataCreate, MetadataCreate
- Delete API key: DataDelete, MetadataDelete
- View users: DataRead, MetadataRead
- Invite users: DataCreate, MetadataCreate
- Change user role: DataWrite, MetadataWrite
- Delete users: DataDelete, MetadataDelete

Organization Management:
- View billing: DataRead, MetadataRead
- Manage billing: DataRead, DataWrite, DataCreate, DataDelete, MetadataRead, MetadataWrite, MetadataCreate, MetadataDelete
- View organization activity: DataRead, MetadataRead
- Submit support requests: DataCreate, MetadataCreate
- View integrations: DataRead, MetadataRead
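
The following is an added example, not Veza's or ClickHouse's own code. It applies the role-assignment rule and the permission mapping described on this page to constructed member records, showing which ClickHouse actions surface as a given Veza permission type and which users land on Developer only by default. The `email` and `role` field names, the `developer` role value, and the exact-match comparison are assumptions.

```python
# Added example: role-assignment rule and permission mapping from this page,
# applied to constructed member records (field names are assumptions).
READ = ("DataRead", "MetadataRead")
WRITE = ("DataWrite", "MetadataWrite")
CREATE = ("DataCreate", "MetadataCreate")
DELETE = ("DataDelete", "MetadataDelete")

# ClickHouse system permission -> Veza permission types, as listed on this page.
PERMISSION_MAP = {
    "View service": READ, "Create service": CREATE, "Delete service": DELETE,
    "Stop service": WRITE, "Restart service": WRITE,
    "Reset service password": WRITE, "View service metrics": READ,
    "View API key records": READ, "Create API key": CREATE,
    "Delete API key": DELETE, "View users": READ, "Invite users": CREATE,
    "Change user role": WRITE, "Delete users": DELETE, "View billing": READ,
    "Manage billing": READ + WRITE + CREATE + DELETE,
    "View organization activity": READ, "Submit support requests": CREATE,
    "View integrations": READ,
}

def veza_role(member):
    """Page rule: role "admin" -> Admin; every other value -> Developer."""
    return "Admin" if member.get("role") == "admin" else "Developer"

def actions_granting(veza_permission):
    """ClickHouse actions that surface in Veza as the given permission type."""
    return [a for a, perms in PERMISSION_MAP.items() if veza_permission in perms]

def fallthrough_members(members, known=("admin", "developer")):
    """Members mapped to Developer only because their role value was unrecognized."""
    return [m["email"] for m in members if m.get("role") not in known]

# Constructed sample records, not real API output.
MEMBERS = [
    {"email": "alice@example.com", "role": "admin"},
    {"email": "bob@example.com", "role": "developer"},
    {"email": "etl-bot@example.com", "role": "Admin"},  # case differs from "admin"
    {"email": "carol@example.com"},                      # role missing
]

if __name__ == "__main__":
    for m in MEMBERS:
        print(m["email"], "->", veza_role(m))
    print("Surface as DataDelete:", actions_granting("DataDelete"))
    print("Review (defaulted to Developer):", fallthrough_members(MEMBERS))
```

When reviewing access in Veza, the output of `actions_granting("DataDelete")` is the set of ClickHouse actions to consider for any identity shown with that permission type.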