ClickHouse
ClickHousedatabase4 credentials1 default credential
Default User with Blank Password
clickhouse / default-user-blank-password
ClickHouse packages include a default user. Many default/example configurations allow the default user with no password, especially for local or development deployments, until operators configure users.xml/users.d secrets.
Default credentials
defaultLocation
ClickHouse native TCP, HTTP interface, clickhouse-client, JDBC/ODBC, and web integrationsusers.xml, users.d/*.xmluser password, password_sha256_hex, networks, profiles, and quotas
Kubernetes Secrets, ClickHouse Keeper/ZooKeeper stores, and password vaults
query_log, text_log, server logs, and authentication failures
Notes
Treat this as a default/no-password configuration risk: the default user name exists and the password is absent, so `default.password` is null rather than an empty-string credential. Hardened production deployments should set a password or external authentication.
ClickHouse User Password / Hash
clickhouse / user-password-hash
ClickHouse users can be configured with plaintext passwords, SHA256/double-SHA1 hashes, LDAP/Kerberos, or SQL-managed access control.
Looks like
pattern<password(_sha256_hex|_double_sha1_hex)?>[^<]*</password(_sha256_hex|_double_sha1_hex)?>IDENTIFIED\s+WITH\s+\w+\s+BYLocation
users.xml, users.d/*.xml, config.xmllocal users, LDAP/Kerberos auth, interserver credentials, and profiles
SQL access-control storage and system tables for users/roles where enabled
native TCP, HTTP API, SQL clients, and cluster interserver endpointsKubernetes Secrets, cloud secret managers, and password vaults
deployment manifests, application configs, and test fixtures
Interserver / Replication / Keeper Secret
clickhouse / interserver-replication-secret
ClickHouse clusters use interserver HTTP credentials, distributed DDL/Keeper/ZooKeeper credentials, macros, TLS keys, and replication secrets for node-to-node operations.
Location
config.xml, conf.d/*.xmlinterserver_http_credentials, remote_servers secrets, Keeper/ZooKeeper auth, and cluster config
Kubernetes Secrets, Keeper/ZooKeeper ACL stores, and deployment vaults
replication, distributed DDL, Keeper, and interserver logs
TLS Private Key
clickhouse / tls-private-key
ClickHouse can use TLS certificates/private keys for native, HTTPS, interserver, and Keeper communication.
Looks like
pattern-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----Location
config.xml, certs/openSSL server/client key files and TLS settings
Kubernetes Secrets, certificate stores, and vaults
cluster backups and diagnostics bundles
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.