Ansible manage clickhouse settings profiles #420

Draft
aagbsn wants to merge 8 commits into main from ansible_manage_clickhouse_settings_profiles

@aagbsn aagbsn commented Apr 29, 2026

merge #417 and #409 and let ansible manage the profiles, settings, and quotas.

github-actions Bot commented Apr 29, 2026

Ansible Run Output 🤖

Ansible Playbook Recap 🔍



Ansible playbook output 📖success

$ ansible-playbook playbook.yml --check --diff -i ../tf/modules/ansible_inventory/inventories/inventory-dev.ini
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
[ERROR]: the role 'geerlingguy.docker' was not found in /home/runner/work/devops/devops/ansible/roles:/home/runner/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/home/runner/work/devops/devops/ansible
Origin: /home/runner/work/devops/devops/ansible/deploy-testlists.yml:16:7

14         node_exporter_host: "0.0.0.0"
15         node_exporter_options: ""
16     - role: geerlingguy.docker
         ^ column 7

Pusher @aagbsn
Action pull_request
Working Directory
Workflow .github/workflows/check_ansible.yml
Last updated Thu, 30 Apr 2026 08:54:58 GMT

@aagbsn aagbsn marked this pull request as draft April 29, 2026 17:04

aagbsn commented Apr 29, 2026

see history for example of what doesn't work

aagbsn commented Apr 30, 2026

It looks like the users and profiles are set as storage users_xml, but the ansible role above uses the database-backed config. I tried changing it to use and manage users using the _xml keys, but this caused an error which prevented clickhouse from starting, so I reverted the changes. I also note that the oonimeasurements user is in local_directory, unlike the others.

SELECT *
FROM users

Query id: 1a6f0277-a422-4e8a-a8fd-b8e6f718f9d9

   ┌─name─────────────┬─id───────────────────────────────────┬─storage─────────┬─auth_type──────────┬─auth_params─┬─host_ip──┬─host_names────┬─host_names_regexp─┬─host_names_like─┬─default_roles_all─┬─default_roles_list─┬─default_roles_except─┬─grantees_any─┬─grantees_list─┬─grantees_except─┬─default_database─┐
1. │ default          │ 94309d50-4f52-5250-31bd-74fecac179db │ users_xml       │ plaintext_password │ {}          │ []       │ ['localhost'] │ []                │ []              │                 1 │ []                 │ []                   │            1 │ []            │ []              │                  │
2. │ write            │ 35c7796a-3252-5e56-53d4-1bcece1315fa │ users_xml       │ sha256_password    │ {}          │ ['::/0'] │ []            │ []                │ []              │                 1 │ []                 │ []                   │            1 │ []            │ []              │                  │
3. │ admin            │ 70284628-c47f-7656-e015-41d9ed668f69 │ users_xml       │ sha256_password    │ {}          │ []       │ ['localhost'] │ []                │ []              │                 1 │ []                 │ []                   │            1 │ []            │ []              │                  │
4. │ readonly         │ 97db8f60-4e69-f266-a0d9-c5270500251e │ users_xml       │ sha256_password    │ {}          │ ['::/0'] │ []            │ []                │ []              │                 1 │ []                 │ []                   │            1 │ []            │ []              │                  │
5. │ oonimeasurements │ 0c43664e-102e-2233-417a-5a77422f3891 │ local_directory │ sha256_password    │ {}          │ ['::/0'] │ []            │ []                │ []              │                 1 │ []                 │ []                   │            1 │ []            │ []              │                  │
   └──────────────────┴──────────────────────────────────────┴─────────────────┴────────────────────┴─────────────┴──────────┴───────────────┴───────────────────┴─────────────────┴───────────────────┴────────────────────┴──────────────────────┴──────────────┴───────────────┴─────────────────┴──────────────────┘

5 rows in set. Elapsed: 0.002 sec. 

SELECT *
FROM settings_profiles

Query id: 53b81b04-0ccd-488d-8b7b-25e6a08dd6ed

   ┌─name─────┬─id───────────────────────────────────┬─storage───┬─num_elements─┬─apply_to_all─┬─apply_to_list─┬─apply_to_except─┐
1. │ admin    │ 7a7dc106-4174-55c8-8757-d73d2702c13e │ users_xml │            10 │ []            │ []              │
2. │ write    │ 1b34e30d-4a12-bae6-8874-8726a54db7f3 │ users_xml │            20 │ []            │ []              │
3. │ readonly │ d1659f3e-83fe-3845-f1be-5fada6046b67 │ users_xml │            20 │ []            │ []              │
4. │ default  │ 4bfbe653-9137-0ea6-b97d-dc391ec9a919 │ users_xml │            50 │ []            │ []              │
   └──────────┴──────────────────────────────────────┴───────────┴──────────────┴──────────────┴───────────────┴─────────────────┘

4 rows in set. Elapsed: 0.001 sec. 

aagbsn commented Apr 30, 2026

https://clickhouse.com/docs/operations/access-rights#access-control-usage
By default, SQL-driven access control and account management is disabled for all users. You need to configure at least one user in the users.xml configuration file and set the values of the [access_management](https://clickhouse.com/docs/operations/settings/settings-users#access_management-user-setting), named_collection_control, show_named_collections, and show_named_collections_secrets settings to 1.
currently our admin user only has:

      <access_management>1</access_management>

aagbsn commented Apr 30, 2026

after running deploy-clickhouse.yml ansible playbook, clickhouse failed to start with:

2026.04.29 16:58:12.499389 [ 2234460 ] {} <Error> Application: Code: 180. DB::Exception: Profile ['readonly'] was not found: while parsing user 'oonimeasurements' in users configuration file: while loading configuration file '/etc/clickhouse-server/users.xml'. (THERE_IS_NO_PROFILE), Stack trace (when copying this message, always include the lines below):

when I reverted the ansible role to use the _xml config this is the change it undid to users.xml:

TASK [idealista.clickhouse_role : CLICKHOUSE | Configure users (from vars)] ****************************************************************************************************************************************
--- before: /etc/clickhouse-server/users.xml
+++ after: /root/.ansible/tmp/ansible-local-5412nis4algf/tmp9v7vl5gu/users.xml.j2
@@ -65,17 +65,6 @@
       <access_management>1</access_management>
     </admin>
   <!-- Custom users -->
-    <oonimeasurements>
-      <password>***</password>
-      <networks>
-        <ip>IP '0.0.0.0/0'</ip>
-      </networks>
-      <profile>['readonly']</profile>
-      <quota>oonimeasurements</quota>
-      <allow_databases>
-        <database>ooni</database>
-      </allow_databases>
-    </oonimeasurements>
   </users>
 
   <!-- Quotas. -->
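
Review bot: In the removed `<oonimeasurements>` block, `<profile>['readonly']</profile>` carries a list literal as the element text instead of the bare profile name, and that is the exact string the startup error above reports (`Profile ['readonly'] was not found`). `<ip>IP '0.0.0.0/0'</ip>` has the same shape of problem: the element text includes the `IP '...'` wrapper rather than only the CIDR. Before retrying the `_xml` variant, pass the profile as a plain string (`readonly`) and the network as a bare `0.0.0.0/0`, and confirm that a `readonly` profile is defined in the same file; it is also worth deciding whether this user needs to be reachable from every IPv4 address.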

Maybe it's all-or-nothing with regard to using _xml variants of all of the profiles, users, etc
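
An added example, not part of this PR or of the idealista role: a pre-restart lint for a rendered users.xml that flags the two malformed values visible in the diff above, a list literal in `<profile>` and an `IP '...'` clause in `<ip>`. The sample XML is constructed, `lint_users_xml` is a hypothetical helper, and it assumes a single merged file with no `users.d` overrides and that a user without `<profile>` falls back to `default`.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the users.xml fragment in the diff above.
SAMPLE_USERS_XML = """
<clickhouse>
  <profiles>
    <default/>
    <readonly><readonly>1</readonly></readonly>
  </profiles>
  <users>
    <admin>
      <profile>default</profile>
      <networks><ip>::1</ip></networks>
    </admin>
    <oonimeasurements>
      <networks><ip>IP '0.0.0.0/0'</ip></networks>
      <profile>['readonly']</profile>
    </oonimeasurements>
  </users>
</clickhouse>
"""


def lint_users_xml(xml_text):
    """Hypothetical helper: list (user, problem) pairs found in a users.xml."""
    root = ET.fromstring(xml_text)
    defined = {p.tag for p in root.findall("./profiles/*")}
    problems = []
    for user in root.findall("./users/*"):
        # Assumption: a user without <profile> falls back to "default".
        profile = (user.findtext("profile") or "default").strip()
        if profile not in defined:
            problems.append((user.tag, f"profile {profile!r} is not defined"))
        for ip in user.findall("./networks/ip"):
            text = (ip.text or "").strip()
            try:
                ipaddress.ip_network(text, strict=False)  # address or CIDR
            except ValueError:
                problems.append((user.tag, f"ip {text!r} is not an address or CIDR"))
    return problems


if __name__ == "__main__":
    for user, problem in lint_users_xml(SAMPLE_USERS_XML):
        print(f"{user}: {problem}")
```

Run against the file a `--check --diff` pass would write, a non-empty result is a reason to stop before the service restart.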

aagbsn commented Apr 30, 2026

2026.04.30 06:18:51.668681 [ 2250587 ] {b5f4f122-6ca2-4911-9781-510d112cbc41} <Error> executeQuery: Code: 495. DB::Exception: Cannot insert settings profile `readonly` to users_xml because this storage is readonly. (ACCESS_STORAGE_READONLY) (version 24.8.6.70 (official build)) (from [::ffff:127.0.0.1]:56270) (in query: CREATE SETTINGS PROFILE IF NOT EXISTS readonly SETTINGS readonly = 1, max_memory_usage = 1001001000;), Stack trace (when copying this message, always include the lines below):

0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x000000000d16d15b

aagbsn commented Apr 30, 2026

2026.04.30 06:18:51.668756 [ 2250587 ] {b5f4f122-6ca2-4911-9781-510d112cbc41} <Error> TCPHandler: Code: 495. DB::Exception: Cannot insert settings profile `readonly` to users_xml because this storage is readonly. (ACCESS_STORAGE_READONLY), Stack trace (when copying this message, always include the lines below):

…anage_quotas

https://github.com/idealista/clickhouse_role/blob/main/molecule/default/group_vars/clickhouse_group.yml

actually use sha256 password type

clickhouse role disregards password_type and only looks at key
password_sha256_hex ...

fix quotas keys
@aagbsn aagbsn force-pushed the ansible_manage_clickhouse_settings_profiles branch from dd965ff to b7a4246 Compare April 30, 2026 08:28
aagbsn added 2 commits April 30, 2026 10:44
the difference between the _xml and sql managed user settings is
poorly documented and fails open.