ALTER USER or CREATE USER ... IDENTIFIED BY changes a ClickHouse user’s password without service downtime.
Rotating credentials limits exposure if a password leaks and meets compliance policies. ClickHouse lets you update passwords online with a simple SQL statement.
Use ALTER USER
when the user already exists. Use CREATE USER
with IF NOT EXISTS
when setting the first password. Both support multiple authentication methods.
No.Password changes take effect instantly across the cluster when replicated via users.xml
or RBAC.
Run ALTER USER analytics IDENTIFIED BY 'N3wS3cret!';
. Replace the string with a strong password. Session re-authentication occurs on the next connection.
Yes. Supply IDENTIFIED WITH sha256_hash BY 'hex_hash'
for SHA-256 or double_sha1_password
for double SHA-1. Hash locally; never send plain text if policy forbids it.
You have analysts querying Customers
and Orders
.To rotate their password at quarter-end:
ALTER USER analyst IDENTIFIED BY 'Q1_2025_Sales^';
They keep access to views joining Customers
→ Orders
→ OrderItems
.
1. Use a password manager to generate 16+ character strings.
2. Restrict users to specific databases with GRANT
after changing passwords.
3. Automate rotation via CI pipelines running ClickHouse client scripts.
On multi-node setups managed by RBAC, append ON CLUSTER my_cluster
or the change applies only locally.
Older clients may hold persistent sessions.Close open connections or wait for idle timeout to force re-login.
✔ Confirm you’re on the correct cluster.
✔ Verify user name spelling.
✔ Store the new password securely.
✔ Retest application connectivity.
.
Yes. Integrate ALTER USER commands into CI/CD jobs or Ansible playbooks to run scheduled rotations.
No immediate kill occurs, but new queries after the password expires must reconnect. Manually terminate old sessions if required via SYSTEM KILL QUERY.