The "DB::Exception: Password required" error in ClickHouse is triggered when a client attempts to connect to a user account that has been configured to require password authentication, but no password is supplied in the connection request. This corresponds to the REQUIRED_PASSWORD error code.
Impact
When this error occurs, the connection attempt is immediately rejected by the server. Any application or tool relying on that connection will be unable to execute queries or access data. If the affected user account is used by an automated pipeline or service, the disruption can cascade into downstream systems that depend on ClickHouse data.
Common Causes
- Connecting via
clickhouse-clientor an HTTP request without specifying a password for a user that requires one - A client application or driver configured with an empty or missing password field
- Environment variables or secrets managers failing to inject the password at runtime
- Migrating from a passwordless
defaultuser configuration to one that enforces passwords, without updating all connection strings - Load balancer or proxy stripping authentication headers before forwarding requests to ClickHouse
Troubleshooting and Resolution Steps
Confirm the user requires a password:
- Check the user definition in
users.xmlor via SQL:SHOW CREATE USER my_user; - Look for
IDENTIFIED BYorIDENTIFIED WITHclauses that indicate password-based authentication.
- Check the user definition in
Supply the password in your connection:
- For
clickhouse-client:clickhouse-client --user my_user --password my_password - For HTTP interface:
curl 'http://localhost:8123/?user=my_user&password=my_password' -d 'SELECT 1'
- For
Check application configuration:
- Verify that connection settings in your application or ORM include the password parameter.
- If using environment variables, ensure they are correctly set and accessible by the process at startup.
Review secrets management:
- Confirm that your secrets manager or vault is reachable and returning the expected credential.
- Check for expired tokens or rotated secrets that may result in an empty password being supplied.
Inspect proxy or middleware layers:
- If a reverse proxy sits between the client and ClickHouse, verify it forwards authentication headers or query parameters intact.
Audit recent configuration changes:
- If the error appeared suddenly, check recent changes to
users.xml,users.d/directory, or SQL-based access control that may have added a password requirement.
- If the error appeared suddenly, check recent changes to
Best Practices
- Always enforce password authentication for every ClickHouse user, including the
defaultuser, especially in production environments. - Store credentials in a secrets manager or environment variables rather than hardcoding them in configuration files.
- Use connection pooling libraries that support secure credential injection to reduce the risk of misconfigured connections.
- Regularly audit user accounts with
SHOW USERSandSHOW CREATE USERto verify authentication settings. - Document all connection requirements so that team members and CI/CD pipelines use consistent configuration.
Frequently Asked Questions
Q: Why did this error start appearing when it worked before without a password?
A: Someone likely changed the user's authentication settings. Check for recent modifications to users.xml, files in the users.d/ directory, or SQL-managed access control using SHOW CREATE USER.
Q: Can I allow passwordless access for a specific user?
A: Yes, you can configure a user with IDENTIFIED WITH no_password in SQL or set an empty password in users.xml. However, this is strongly discouraged in production for security reasons.
Q: Does this error apply to the HTTP interface as well as the native protocol?
A: Yes. Regardless of the protocol used, if the user account requires a password and none is provided, ClickHouse will raise the REQUIRED_PASSWORD exception.
Q: How do I set a password for an existing user?
A: Use the ALTER USER statement:
ALTER USER my_user IDENTIFIED BY 'secure_password';
