ooni · aagbsn · Apr 17, 2026 · Apr 17, 2026 · Apr 27, 2026 · Apr 29, 2026
diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml
@@ -165,6 +165,7 @@ clickhouse_distributed_ddl:
   cleanup_delay_period: 60
   max_tasks_in_queue: 1000
 
+clickhouse_role_manage_settings_profiles: True
 clickhouse_default_profiles:
   default:
     readonly: 2
@@ -226,37 +227,45 @@ clickhouse_default_users:
     profile: write
     quota: default
 
-clickhouse_role_manage_users: true
+clickhouse_role_manage_users: True
 clickhouse_custom_users:
   - user:
     name: oonimeasurements
-    password_type: sha256_password
-    password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') }}"
+    password_type: sha256_hash
+    password: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_oonimeasurements_password', profile='oonidevops_user_prod') | hash('sha256') }}"
     networks:
       - "IP '0.0.0.0/0'"
     settings:
-      # 500 MB
-      - "max_memory_usage = 501001000"
+      # 1 GB
+      - "max_memory_usage = 1001001000"
       # 60 seconds
       - "max_execution_time = 30"
+      # 500 GB
+      - "max_bytes_to_read = 501001001000"
+      # 5 B
+      - "max_rows_to_read = 5001001000"
+      # 5s
+      - "timeout_before_checking_execution_speed = 5"
+      # 50k
+      - "max_result_rows = 51000"
     profile:
       - readonly
     quota: "oonimeasurements"
     databases: [ooni]
 
-# TODO: this quota was created by hand since it wasn't working in the idealista playbook
-clickhouse_role_manage_quotas: false
+clickhouse_role_manage_quotas: True
 clickhouse_custom_quotas:
   # quota over a 10 minute window
   - quota:
     name: oonimeasurements
-    settings:
-      - "INTERVAL 10 minute MAX queries = 12000, MAX errors = 1000, MAX execution_time = 1000"
-    to:
-      - oonimeasurements
+    duration: 600
+    queries: 12000
+    errors: 1000
+    result_rows: 0
+    read_rows: 0
+    execution_time: 1000
 
-clickhouse_role_manage_grants: true
-clickhouse_role_manage_roles: true
+clickhouse_role_manage_grants: True
 clickhouse_custom_grants:
 - on:
   databases: [ooni]
@@ -268,6 +277,7 @@ clickhouse_custom_grant_roles:
   - roles: [oonimeasurements]
     to: [oonimeasurements]
 
+clickhouse_role_manage_roles: True
 clickhouse_custom_roles:
   - role:
     name: oonimeasurements