Skip to content

Deployment and Security

Boris Tyshkevich edited this page Jul 12, 2026 · 1 revision

Deployment and security

Back to Home. Related: Operations-Memory, Product-and-Features.

Artifact and routes

The build produces dist/sql.html. Deployment copies it to ClickHouse user_files and configures HTTP handlers for the SPA and public config.json. Cluster distribution options and tradeoffs are documented in docs/ASSET-DISTRIBUTION.md.

Authentication modes

  • Native/Bearer OAuth for ClickHouse variants with token processors and ephemeral users.
  • Basic transport (username: JWT) through ch-jwt-verify for stock ClickHouse.
  • Direct credential login where configured.
  • Multiple IdPs are supported; mappings must avoid username collisions.

config.json is served to browsers and is therefore public. Prefer PKCE public clients. If an IdP requires a client secret, treat it as exposed and tightly lock the redirect URI. Never commit rendered deploy/config.json; only deploy/config.json.example belongs in version control.

Demo-cluster operational rule

Build and upload the HTML without a restart. For ClickHouse config.d changes on ACM-managed demo clusters, use ACM settings plus cluster push; direct ConfigMap edits are reconciled away. Verify the effective preprocessed ClickHouse config.

Canonical source: docs/DEPLOYMENT.md, docs/CLICKHOUSE-OAUTH.md, docs/CLICKHOUSE-OSS-OAUTH.md, and SECURITY.md.

Clone this wiki locally