clickhouse 数据库默认的用户是default ,clickhouse 数据库的用户管理有两种方式:
1、直接修改配置文件(user.xml) 在用户配置文件里面配置需要创建的用户。
2、使用SQL直接创建用户并授权(比较灵活,无需重启服务)与mysql 管理用户类似,但是需要修改一下默认的user配置文件。默认的配置default 用户没有创建用户的权限。需要给default 用户添加access_management>1</access_management>选项
3、重启服务后使用default用户登录后创建一个管理员用户
clickhouse-client --user default --port 9000
create user dba@‘%’ identified with plaintext_password by 'dba@123' on cluster cluster_name;
grant on cluster cluster_name all on *.* to 'dba'@'%' with grant option;
以后使用dba用户进行日常管理。
0、clickhouse 使用默认配置启动后,登录clickhouse 服务,尝试创建用户时报如下错误:
op-data-base :) create user clickhouse_admin@'%' identified with plaintext_password by 'clickhouse_password';
CREATE USER clickhouse_admin IDENTIFIED WITH plaintext_password BY 'clickhouse_password'
Query id: c3f78024-7d87-476d-b66e-b202aefa7bac
0 rows in set. Elapsed: 0.001 sec.
Received exception from server (version 22.6.2):
Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: default: Not enough privileges. To execute this query it's necessary to have grant CREATE USER ON *.*. (ACCESS_DENIED)
这是因为default用户没有access_management权限。
1、开启default 用户的超级管理员权限添加 access_management>1</access_management>;
<default>
<password></password>
<access_management>1</access_management>
2、重启clickhouse 服务
clickhouse restart
[root@op-data-base clickhouse-server]# clickhouse restart
/var/run/clickhouse-server/clickhouse-server.pid file exists and contains pid = 26366.
The process with pid = 26366 is running.
Sent terminate signal to process with pid 26366.
Waiting for server to stop
/var/run/clickhouse-server/clickhouse-server.pid file exists and contains pid = 26366.
The process with pid = 26366 is running.
Waiting for server to stop
/var/run/clickhouse-server/clickhouse-server.pid file exists and contains pid = 26366.
The process with pid = 26366 is running.
Waiting for server to stop
Now there is no clickhouse-server process.
Server stopped
chown -R clickhouse: '/var/run/clickhouse-server/'
Will run clickhouse su 'clickhouse' /usr/bin/clickhouse-server --config-file /etc/clickhouse-server/config.xml --pid-file /var/run/clickhouse-server/clickhouse-server.pid --daemon
Waiting for server to start
Waiting for server to start
Server started
3、创建用户并授权
op-data-base :) create user clickhouse_admin identified with plaintext_password by 'clickhouse_admin';
CREATE USER clickhouse_admin IDENTIFIED WITH plaintext_password BY 'clickhouse_admin'
Query id: eb4f758d-c3f8-4362-90ee-29785203351e
Ok.
0 rows in set. Elapsed: 0.001 sec.
4、授与新用户拥有所有管理权限
grant all on *.* to clickhouse_admin with grant option;
5、使用clickhouse_admin 用户创建一个列管理用户;
clickhouse-client --user clickhouse_admin --password clickhouse_admin
create user column_user identified with plaintext_password by 'column_user';
CREATE USER column_user IDENTIFIED WITH plaintext_password BY 'column_user'
Query id: a62d60e1-c492-4404-acbf-7dff27d54c56
Ok.
0 rows in set. Elapsed: 0.001 sec.
6、创建一个行管理用户;
create user row_user identified with plaintext_password by 'row_user';
7、建库建表并插入数据
op-data-base :) select * from db1.t1;
SELECT *
FROM t1
Query id: 01ec08a4-abff-42a6-ad30-c555125b0531
┌─id─┬─column1─┬─column2─┐
│ 1 │ A │ abc │
│ 2 │ A │ def │
│ 3 │ B │ abc │
│ 4 │ B │ def │
└────┴─────────┴─────────┘
8、创建角色
1、创建一个角色 只允许查看表t1的Colum1列;
create role column1_users;
3. Creating roles
With this set of examples, roles for different privileges such as columns and rows will be created, privileges will be granted to the roles and users will be assigned to each role. Roles are used to define groups of users for certain privileges instead of managing each user seperately.
-
Create a role to restrict users of this role to only see
column1
in databasedb1
andtable1
:CREATE ROLE column1_users;
-
Set privileges to allow view on
column1
GRANT SELECT(id, column1) ON db1.table1 TO column1_users;
-
Add the
column_user
user to thecolumn1_users
roleGRANT column1_users TO column_user;
-
Create a role to restrict users of this role to only see selected rows, in this case only rows containing
A
incolumn1
CREATE ROLE A_rows_users;
-
Add the
row_user
to theA_rows_users
roleGRANT A_rows_users TO row_user;
-
Create a policy to allow view on only where
column1
has the values ofA
CREATE ROW POLICY A_row_filter ON db1.table1 FOR SELECT USING column1 = 'A' TO A_rows_users;
-
Set privileges to the database and table
GRANT SELECT(id, column1, column2) ON db1.table1 TO A_rows_users;
-
grant explicit permissions for other roles to still have access to all rows
CREATE ROW POLICY allow_other_users_filter ON db1.table1 FOR SELECT USING 1 TO clickhouse_admin, column1_users;
NOTE
When attaching a policy to a table, the system will apply that policy and only those users and roles defined will be able to do operations on the table, all others will be denied any operations. In order to not have the restrictive row policy applied to other users, another policy must be defined to allow other users and roles to have regular or other types of access.
4. Testing role privileges with column restricted user
-
Log into the clickhouse client using the
clickhouse_admin
userclickhouse-client --user clickhouse_admin --password password
-
Verify access to database, table and all rows with the admin user.
SELECT * FROM db1.table1
Query id: f5e906ea-10c6-45b0-b649-36334902d31d ┌─id─┬─column1─┬─column2─┐ │ 1 │ A │ abc │ │ 2 │ A │ def │ │ 3 │ B │ abc │ │ 4 │ B │ def │ └────┴─────────┴─────────┘
-
Log into the ClickHouse client using the
column_user
userclickhouse-client --user column_user --password password
-
Test
SELECT
using all columnsSELECT * FROM db1.table1
Query id: 5576f4eb-7450-435c-a2d6-d6b49b7c4a23 0 rows in set. Elapsed: 0.006 sec. Received exception from server (version 22.3.2): Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: column_user: Not enough privileges. To execute this query it's necessary to have grant SELECT(id, column1, column2) ON db1.table1. (ACCESS_DENIED)
NOTE
Access is denied since all columns were specified and the user only has access to
id
andcolumn1
-
Verify
SELECT
query with only columns specified and allowed:SELECT id, column1 FROM db1.table1
Query id: cef9a083-d5ce-42ff-9678-f08dc60d4bb9 ┌─id─┬─column1─┐ │ 1 │ A │ │ 2 │ A │ │ 3 │ B │ │ 4 │ B │ └────┴─────────┘
5. Testing role privileges with row restricted user
-
Log into the ClickHouse client using
row_user
clickhouse-client --user row_user --password password
-
View rows available
SELECT * FROM db1.table1
Query id: a79a113c-1eca-4c3f-be6e-d034f9a220fb ┌─id─┬─column1─┬─column2─┐ │ 1 │ A │ abc │ │ 2 │ A │ def │ └────┴─────────┴─────────┘
4. Modifying Users and Roles
Users can be assigned multiple roles for a combination of privileges needed. When using multiple roles, the system will combine the roles to determine privileges, the net effect will be that the role permissions will be cumulative.
For example, if one role1
allows for only select on column1
and role2
allows for select on column1
and column2
then the user will have access to both columns.
-
Using the admin account, create new user to restrict by both row and column with default roles
CREATE USER row_and_column_user IDENTIFIED WITH plaintext_password BY 'password' DEFAULT ROLE A_rows_users;
-
Remove prior privileges for
A_rows_users
roleREVOKE SELECT(id, column1, column2) ON db1.table1 FROM A_rows_users;
-
Allow
A_row_users
role to only select fromcolumn1
GRANT SELECT(id, column1) ON db1.table1 TO A_rows_users;
-
Log into the ClickHouse client using
row_and_column_user
clickhouse-client --user row_and_column_user --password password;
-
Test with all columns:
SELECT * FROM db1.table1
Query id: 8cdf0ff5-e711-4cbe-bd28-3c02e52e8bc4
0 rows in set. Elapsed: 0.005 sec.
Received exception from server (version 22.3.2):
Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: row_and_column_user: Not enough privileges. To execute this query it's necessary to have grant SELECT(id, column1, column2) ON db1.table1. (ACCESS_DENIED)
```
-
Test with limited allowed columns:
SELECT id, column1 FROM db1.table1
Query id: 5e30b490-507a-49e9-9778-8159799a6ed0 ┌─id─┬─column1─┐ │ 1 │ A │ │ 2 │ A │ └────┴─────────┘
-
Examples on how to delete privileges, policies, unassign users from roles, delete users and roles:
- Remove privilege from a role
REVOKE SELECT(column1, id) ON db1.table1 FROM A_rows_users;
- Delete a policy
DROP ROW POLICY A_row_filter ON db1.table1;
- Unassign a user from a role
REVOKE A_rows_users FROM row_user;
- Delete a role
DROP ROLE A_rows_users;
- Delete a user
DROP USER row_user;
5. Troubleshooting
-
There are occasions when privileges intersect or combine to produce unexpected results, the following commands can be used to narrow the issue using an admin account
- Listing the grants and roles for a user
SHOW GRANTS FOR row_and_column_user
Query id: 6a73a3fe-2659-4aca-95c5-d012c138097b ┌─GRANTS FOR row_and_column_user───────────────────────────┐ │ GRANT A_rows_users, column1_users TO row_and_column_user │ └──────────────────────────────────────────────────────────┘
- List roles in ClickHouse
SHOW ROLES
Query id: 1e21440a-18d9-4e75-8f0e-66ec9b36470a ┌─name────────────┐ │ A_rows_users │ │ column1_users │ └─────────────────┘
- Display the policies
SHOW ROW POLICIES
Query id: f2c636e9-f955-4d79-8e80-af40ea227ebc ┌─name───────────────────────────────────┐ │ A_row_filter ON db1.table1 │ │ allow_other_users_filter ON db1.table1 │ └────────────────────────────────────────┘
- View how a policy was defined and current privileges
SHOW CREATE ROW POLICY A_row_filter ON db1.table1
Query id: 0d3b5846-95c7-4e62-9cdd-91d82b14b80b ┌─CREATE ROW POLICY A_row_filter ON db1.table1────────────────────────────────────────────────┐ │ CREATE ROW POLICY A_row_filter ON db1.table1 FOR SELECT USING column1 = 'A' TO A_rows_users │ └─────────────────────────────────────────────────────────────────────────────────────────────┘
Summary
This article demostrated the basics of creating SQL users and roles and provided steps to set and modify privileges for users and roles. For more detailed information on each please refer to our user guides and reference documenation.