Access Control and Account Management

ClickHouse supports access control management based on RBAC approach.

ClickHouse access entities:
- User account
- Role
- Row Policy
- Settings Profile
- Quota

You can configure access entities using:

• SQL-driven workflow.

  You need to enable this functionality.

• Server configuration files users.xml and config.xml.

We recommend using SQL-driven workflow. Both of the configuration methods work simultaneously, so if you use the server configuration files for managing accounts and access rights, you can smoothly switch to SQL-driven workflow.

Warning

You can’t manage the same access entity by both configuration methods simultaneously.

To see all users, roles, profiles, etc. and all their grants use SHOW ACCESS statement.

Usage

By default, the ClickHouse server provides the default user account which is not allowed using SQL-driven access control and account management but has all the rights and permissions. The default user account is used in any cases when the username is not defined, for example, at login from client or in distributed queries. In distributed query processing a default user account is used, if the configuration of the server or cluster doesn’t specify the user and password properties.

If you just started using ClickHouse, consider the following scenario:

1. Enable SQL-driven access control and account management for the default user.
2. Log in to the default user account and create all the required users. Don’t forget to create an administrator account (GRANT ALL ON *.* TO admin_user_account WITH GRANT OPTION).
3. Restrict permissions for the default user and disable SQL-driven access control and account management for it.

Properties of Current Solution

• You can grant permissions for databases and tables even if they do not exist.
• If a table was deleted, all the privileges that correspond to this table are not revoked. This means that even if you create a new table with the same name later, all the privileges remain valid. To revoke privileges corresponding to the deleted table, you need to execute, for example, the REVOKE ALL PRIVILEGES ON db.table FROM ALL query.
• There are no lifetime settings for privileges.

User Account

A user account is an access entity that allows to authorize someone in ClickHouse. A user account contains:

• Identification information.
• Privileges that define a scope of queries the user can execute.
• Hosts allowed to connect to the ClickHouse server.
• Assigned and default roles.
• Settings with their constraints applied by default at user login.
• Assigned settings profiles.

Privileges can be granted to a user account by the GRANT query or by assigning roles. To revoke privileges from a user, ClickHouse provides the REVOKE query. To list privileges for a user, use the SHOW GRANTS statement.

Management queries:

• CREATE USER
• ALTER USER
• DROP USER
• SHOW CREATE USER
• SHOW USERS

Settings Applying

Settings can be configured differently: for a user account, in its granted roles and in settings profiles. At user login, if a setting is configured for different access entities, the value and constraints of this setting are applied as follows (from higher to lower priority):

1. User account settings.
2. The settings of default roles of the user account. If a setting is configured in some roles, then order of the setting application is undefined.
3. The settings from settings profiles assigned to a user or to its default roles. If a setting is configured in some profiles, then order of setting application is undefined.
4. Settings applied to all the server by default or from the default profile.

Role

Role is a container for access entities that can be granted to a user account.

Role contains:

• Privileges
• Settings and constraints
• List of assigned roles

Management queries:

• CREATE ROLE
• ALTER ROLE
• DROP ROLE
• SET ROLE
• SET DEFAULT ROLE
• SHOW CREATE ROLE
• SHOW ROLES

Privileges can be granted to a role by the GRANT query. To revoke privileges from a role ClickHouse provides the REVOKE query.

Row Policy

Row policy is a filter that defines which of the rows are available to a user or a role. Row policy contains filters for one particular table, as well as a list of roles and/or users which should use this row policy.

Management queries:

• CREATE ROW POLICY
• ALTER ROW POLICY
• DROP ROW POLICY
• SHOW CREATE ROW POLICY
• SHOW POLICIES

Settings Profile

Settings profile is a collection of settings. Settings profile contains settings and constraints, as well as a list of roles and/or users to which this profile is applied.

Management queries:

• CREATE SETTINGS PROFILE
• ALTER SETTINGS PROFILE
• DROP SETTINGS PROFILE
• SHOW CREATE SETTINGS PROFILE
• SHOW PROFILES

Quota

Quota limits resource usage. See Quotas.

Quota contains a set of limits for some durations, as well as a list of roles and/or users which should use this quota.

Management queries:

• CREATE QUOTA
• ALTER QUOTA
• DROP QUOTA
• SHOW CREATE QUOTA
• SHOW QUOTA
• SHOW QUOTAS

Enabling SQL-driven Access Control and Account Management

• Setup a directory for configurations storage.

  ClickHouse stores access entity configurations in the folder set in the access_control_path server configuration parameter.

• Enable SQL-driven access control and account management for at least one user account.

  By default, SQL-driven access control and account management is disabled for all users. You need to configure at least one user in the users.xml configuration file and set the value of the access_management setting to 1.

Original article