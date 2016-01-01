Common Access Management Queries
If you are working with self-managed ClickHouse please see SQL users and roles.
This article shows the basics of defining SQL users and roles and applying those privileges and permissions to databases, tables, rows, and columns.
Admin user
ClickHouse Cloud services have an admin user,
default, that is created when the service is created. The password is provided at service creation, and it can be reset by ClickHouse Cloud users that have the Admin role.
When you add additional SQL users for your ClickHouse Cloud service, they will need a SQL username and password. If you want them to have administrative-level privileges, then assign the new user(s) the role
default_role. For example, adding user
clickhouse_admin:
When using the SQL Console, your SQL statements will not be run as the
default user. Instead, statements will be run as a user named
sql-console:${cloud_login_email}, where
cloud_login_email is the email of the user currently running the query.
These automatically generated SQL Console users have the
default role.
Passwordless authentication
There are two roles available for SQL console:
sql_console_admin with identical permissions to
default_role and
sql_console_read_only with read-only permissions.
Admin users are assigned the
sql_console_admin role by default, so nothing changes for them. However, the
sql_console_read_only role allows non-admin users to be granted read-only or full access to any instance. An admin needs to configure this access. The roles can be adjusted using the
GRANT or
REVOKE commands to better fit instance-specific requirements, and any modifications made to these roles will be persisted.
Granular access control
This access control functionality can also be configured manually for user-level granularity. Before assigning the new
sql_console_* roles to users, SQL console user-specific database roles matching the namespace
sql-console-role:<email> should be created. For example:
When a matching role is detected, it will be assigned to the user instead of the boilerplate roles. This introduces more complex access control configurations, such as creating roles like
sql_console_sa_role and
sql_console_pm_role, and granting them to specific users. For example:
Test admin privileges
Log out as the user
default and log back in as user
clickhouse_admin.
All of these should succeed:
Non-admin users
Users should have the privileges necessary, and not all be admin users. The rest of this document provides example scenarios and the roles required.
Preparation
Create these tables and users to be used in the examples.
Creating a sample database, table, and rows
-
Create a test database
-
Create a table
-
Populate the table with sample rows
-
Verify the table:
-
Create a regular user that will be used to demonstrate restrict access to certain columns:
-
Create a regular user that will be used to demonstrate restricting access to rows with certain values:
Creating roles
With this set of examples:
- roles for different privileges, such as columns and rows will be created
- privileges will be granted to the roles
- users will be assigned to each role
Roles are used to define groups of users for certain privileges instead of managing each user separately.
-
Create a role to restrict users of this role to only see
column1in database
db1and
table1:
-
Set privileges to allow view on
column1
-
Add the
column_useruser to the
column1_usersrole
-
Create a role to restrict users of this role to only see selected rows, in this case, only rows containing
Ain
column1
-
Add the
row_userto the
A_rows_usersrole
-
Create a policy to allow view on only where
column1has the values of
A
-
Set privileges to the database and table
-
grant explicit permissions for other roles to still have access to all rowsNote
When attaching a policy to a table, the system will apply that policy, and only those users and roles defined will be able to do operations on the table, all others will be denied any operations. In order to not have the restrictive row policy applied to other users, another policy must be defined to allow other users and roles to have regular or other types of access.
Verification
Testing role privileges with column restricted user
-
Log into the clickhouse client using the
clickhouse_adminuser
-
Verify access to database, table and all rows with the admin user.
-
Log into the ClickHouse client using the
column_useruser
-
Test
SELECTusing all columnsNote
Access is denied since all columns were specified and the user only has access to
idand
column1
-
Verify
SELECTquery with only columns specified and allowed:
Testing role privileges with row restricted user
-
Log into the ClickHouse client using
row_user
-
View rows availableNote
Verify that only the above two rows are returned, rows with the value
Bin
column1should be excluded.
Modifying Users and Roles
Users can be assigned multiple roles for a combination of privileges needed. When using multiple roles, the system will combine the roles to determine privileges, the net effect will be that the role permissions will be cumulative.
For example, if one
role1 allows for only select on
column1 and
role2 allows for select on
column1 and
column2 then the user will have access to both columns.
-
Using the admin account, create new user to restrict by both row and column with default roles
-
Remove prior privileges for
A_rows_usersrole
-
Allow
A_row_usersrole to only select from
column1
-
Log into the ClickHouse client using
row_and_column_user
-
Test with all columns:
-
Test with limited allowed columns:
Troubleshooting
There are occasions when privileges intersect or combine to produce unexpected results, the following commands can be used to narrow the issue using an admin account
Listing the grants and roles for a user
List roles in ClickHouse
Display the policies
View how a policy was defined and current privileges
Example commands to manage roles, policies, and users
The following commands can be used to:
- delete privileges
- delete policies
- unassign users from roles
- delete users and roles
Run these commands as an admin user or the
default user
Remove privilege from a role
Delete a policy
Unassign a user from a role
Delete a role
Delete a user
Summary
This article demonstrated the basics of creating SQL users and roles and provided steps to set and modify privileges for users and roles. For more detailed information on each please refer to our user guides and reference documentation.