ClickHouse: users and roles

I. Users

1. Letting the default user manage access

Out of the box the default user cannot create other users. To enable that, edit the users.xml configuration file (see the official docs) and uncomment access_management in the default user's block. Be aware that this turns default into an account that can mint further accounts and hand out privileges: give it a password (a password_sha256_hex element in the same block) and narrow the <networks> element below from ::/0 to the hosts that actually need it.

<default>
    <!-- the password element and the other settings of the default user come before this point and are unchanged -->
    <networks>
        <ip>::/0</ip>
    </networks>

    <!-- Settings profile for user. -->
    <profile>default</profile>

    <!-- Quota for user. -->
    <quota>default</quota>

    <!-- User can create other users and grant rights to them. -->
    <!-- This element controls access management: remove the comment markers around it and the default user can create users. -->
    <access_management>1</access_management>
    <!-- The next three lines are needed as well, otherwise GRANT ALL fails with "not enough privileges". -->
    <named_collection_control>1</named_collection_control>
    <show_named_collections>1</show_named_collections>
    <show_named_collections_secrets>1</show_named_collections_secrets>
</default>
Restart the ClickHouse service after editing the file.

2. Creating an administrative user

CREATE USER [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1]
        [, name2 [ON CLUSTER cluster_name2] ...]
    [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password | plaintext_password | sha256_password | sha256_hash | double_sha1_password | double_sha1_hash}] BY {'password' | 'hash'}} | {WITH ldap SERVER 'server_name'} | {WITH kerberos [REALM 'realm']} | {WITH ssl_certificate CN 'common_name'}]
    [HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
    [DEFAULT ROLE role [,...]]
    [DEFAULT DATABASE database | NONE]
    [GRANTEES {user | role | ANY | NONE} [,...] [EXCEPT {user | role} [,...]]]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY | WRITABLE] | PROFILE 'profile_name'] [,...]

2.1 Authentication methods

IDENTIFIED WITH no_password                          -- no password at all; never use this for an account reachable over the network
IDENTIFIED WITH plaintext_password BY 'qwerty'       -- the password itself is stored on disk; avoid
IDENTIFIED WITH sha256_password BY 'qwerty'          -- the server stores a SHA-256 hash of the password
IDENTIFIED WITH sha256_hash BY 'hash'                -- you supply the hash yourself
IDENTIFIED WITH sha256_hash BY 'hash' SALT 'salt'
IDENTIFIED WITH double_sha1_password BY 'qwerty'     -- MySQL-compatible scheme, needed for clients on the MySQL wire protocol
IDENTIFIED WITH double_sha1_hash BY 'hash'
IDENTIFIED WITH bcrypt_password BY 'qwerty'          -- slowest to brute-force; the best choice for human accounts
IDENTIFIED WITH bcrypt_hash BY 'hash'
IDENTIFIED WITH ldap SERVER 'server_name'
IDENTIFIED WITH kerberos
IDENTIFIED WITH kerberos REALM 'realm'
IDENTIFIED WITH ssl_certificate CN 'mysite.com:user'
IDENTIFIED BY 'qwerty'                               -- shorthand: uses the server setting default_password_type, which is sha256_password unless changed

2.2 Restricting the hosts a user may connect from

HOST IP 'ip_address_or_subnetwork'   -- the user can connect only from the given address or subnet, e.g. HOST IP '192.168.0.0/16' or HOST IP '2001:DB8::/32'. In production use only HOST IP elements (address and mask): HOST NAME and HOST REGEXP need a reverse DNS lookup and can add latency.
HOST ANY                             -- the user can connect from anywhere. This is the default.
HOST LOCAL                           -- local connections only.
HOST NAME 'fqdn'                     -- the host given as an FQDN, e.g. HOST NAME 'mysite.com'.
HOST REGEXP 'regexp'                 -- a PCRE regular expression over the host name, e.g. HOST REGEXP '.*\.mysite\.com'.
HOST LIKE 'template'                 -- filter with the LIKE operator, e.g. HOST LIKE '%' is equivalent to HOST ANY, and HOST LIKE '%.mysite.com' matches every host in the mysite.com domain.

-- since HOST ANY is the default, pin every account you create to the addresses it really needs:
CREATE USER mira HOST IP '127.0.0.1' IDENTIFIED WITH sha256_password BY 'qwerty';

2.3 Restricting who may receive privileges from this user (GRANTEES)

Prerequisite: the granting user must itself hold every privilege it wants to pass on, granted WITH GRANT OPTION.

GRANTEES in detail

  • user --- a user this user may grant privileges to.
  • role --- a role this user may grant privileges to.
  • ANY --- this user may grant privileges to anyone. This is the default.
  • NONE --- this user may not grant privileges to anyone.
CREATE USER john DEFAULT ROLE role1, role2;
CREATE USER john DEFAULT ROLE ALL;
-- every role granted to john except role1 and role2 is activated when he logs in
CREATE USER john DEFAULT ROLE ALL EXCEPT role1, role2;
-- john may pass his privileges on to jack only
CREATE USER john GRANTEES jack;

-- an administrator with every privilege and the right to delegate it (the password here is a placeholder; use a strong one)
create user root identified by 'root';
grant all on *.* to root with grant option;
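Putting 2.1 to 2.3 together, here is an added example (not from the original post and not from the ClickHouse documentation) that provisions an administrator and a least-privilege application account. The names ops_admin, app_reader, reports_reader, the reports database and the 10.x networks are placeholders chosen for the example.

```sql
-- Added example: an admin that can delegate, and an app account that cannot.

-- Administrator: hashed password, reachable only from the ops network and
-- the local host, full privileges plus the right to pass them on.
CREATE USER IF NOT EXISTS ops_admin
    IDENTIFIED WITH sha256_password BY 'replace-with-a-long-random-secret'
    HOST IP '10.0.0.0/8', IP '127.0.0.1';
GRANT ALL ON *.* TO ops_admin WITH GRANT OPTION;

-- Read-only role scoped to a single database (placeholder name).
CREATE ROLE IF NOT EXISTS reports_reader;
GRANT SELECT ON reports.* TO reports_reader;

-- Application account: bcrypt hash, pinned to the application subnet, the
-- role is active at login, and it can pass nothing on to anyone.
CREATE USER IF NOT EXISTS app_reader
    IDENTIFIED WITH bcrypt_password BY 'replace-with-another-secret'
    HOST IP '10.20.0.0/16'
    DEFAULT ROLE reports_reader
    GRANTEES NONE;
GRANT reports_reader TO app_reader;

-- Verify. SHOW CREATE USER prints the scheme, never the secret.
SHOW CREATE USER app_reader;
SHOW GRANTS FOR app_reader;
SELECT name, auth_type, host_ip, default_roles_list, grantees_any
FROM system.users
WHERE name IN ('ops_admin', 'app_reader');
```

The last query is the check worth keeping in a runbook: an account whose host_ip column is empty and whose grantees_any is 1 is the combination of HOST ANY and GRANTEES ANY that the defaults give you when neither clause is written.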

3. Altering a user

ALTER USER [IF EXISTS] name1 [ON CLUSTER cluster_name1] [RENAME TO new_name1]
        [, name2 [ON CLUSTER cluster_name2] [RENAME TO new_name2] ...]
    [NOT IDENTIFIED | IDENTIFIED {[WITH {no_password | plaintext_password | sha256_password | sha256_hash | double_sha1_password | double_sha1_hash}] BY {'password' | 'hash'}} | {WITH ldap SERVER 'server_name'} | {WITH kerberos [REALM 'realm']} | {WITH ssl_certificate CN 'common_name'}]
    [[ADD | DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]
    [DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]
    [GRANTEES {user | role | ANY | NONE} [,...] [EXCEPT {user | role} [,...]]]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY | WRITABLE] | PROFILE 'profile_name'] [,...]

-- example
ALTER USER user DEFAULT ROLE ALL EXCEPT role1, role2;

4. Dropping a user

DROP USER [IF EXISTS] name [,...] [ON CLUSTER cluster_name]

5. Showing the CREATE statement of a user

SHOW CREATE USER [name1 [, name2 ...] | CURRENT_USER]

show create user admin
┌─CREATE USER admin─────────────────────────────────┐
│ CREATE USER admin IDENTIFIED WITH sha256_password │
└───────────────────────────────────────────────────┘

6. Listing users

show users

II. Roles

1. Creating a role

CREATE ROLE [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1] [, name2 [ON CLUSTER cluster_name2] ...]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | PROFILE 'profile_name'] [,...]

-- example
-- create a role and grant it privileges
CREATE ROLE accountant;
GRANT SELECT ON db.* TO accountant;
-- grant the role to a user
GRANT accountant TO mira;
-- activate the role in the current session (as mira); only then are its privileges in effect
SET ROLE accountant;
SELECT * FROM db.table1;   -- any table in db (the original `db.*` here is not a valid table name in FROM)

2. Altering a role

ALTER ROLE [IF EXISTS] name1 [ON CLUSTER cluster_name1] [RENAME TO new_name1]
        [, name2 [ON CLUSTER cluster_name2] [RENAME TO new_name2] ...]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | PROFILE 'profile_name'] [,...]

3. Dropping a role

DROP ROLE [IF EXISTS] name [,...] [ON CLUSTER cluster_name]

4. Activating roles

SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]}

5. Setting a user's default roles

-- default roles are activated automatically when the user logs in; they must already have been granted to the user
SET DEFAULT ROLE {NONE | role [,...] | ALL | ALL EXCEPT role [,...]} TO {user|CURRENT_USER} [,...]

-- example
SET DEFAULT ROLE role1, role2, ... TO user

6. Showing the CREATE statement of a role

SHOW CREATE ROLE name1 [, name2 ...]

7. Listing roles

-- SHOW ROLES lists every role; CURRENT ROLES are the ones active in this session; ENABLED ROLES adds the roles the current ones inherit
SHOW [CURRENT|ENABLED] ROLES
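An added example (not from the original post) tying the role statements together: roles can be granted to roles, and a user can hold a write role without it being active at login, so that writes need an explicit SET ROLE in the session. sales_ro, sales_rw, the sales database and the user carol are placeholders.

```sql
-- Added example: a two-level role hierarchy with a read-only default.
CREATE ROLE IF NOT EXISTS sales_ro;
CREATE ROLE IF NOT EXISTS sales_rw;
GRANT SELECT ON sales.* TO sales_ro;
GRANT INSERT ON sales.* TO sales_rw;
-- Roles nest: whoever enables sales_rw also gets everything sales_ro has.
GRANT sales_ro TO sales_rw;

CREATE USER IF NOT EXISTS carol IDENTIFIED WITH sha256_password BY 'placeholder-password';
GRANT sales_ro, sales_rw TO carol;
-- Only the read-only role is active at login; carol has to opt into writes.
SET DEFAULT ROLE sales_ro TO carol;

-- In carol's session:
SET ROLE sales_rw;      -- activates sales_rw, and sales_ro through it
SHOW CURRENT ROLES;     -- sales_rw
SHOW ENABLED ROLES;     -- sales_rw and the inherited sales_ro
SET ROLE DEFAULT;       -- back to sales_ro only

-- Administrator checks: what carol holds, and who holds sales_rw.
SHOW GRANTS FOR carol;
SELECT user_name, role_name, granted_role_name, granted_role_is_default
FROM system.role_grants
WHERE user_name = 'carol' OR role_name = 'sales_rw';
```

The system.role_grants query is the one to run when auditing: a row with role_name = 'sales_rw' and granted_role_name = 'sales_ro' is the role-to-role grant, which SHOW GRANTS FOR carol does not spell out.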

III. Row policies

A row policy is a filter that defines which rows of a table a user or role can see. It is evaluated for every reader, administrators included, so once a table has any policy an admin needs an explicit pass-through policy (USING 1) to keep seeing everything. Whether users that no permissive policy names see nothing (the behaviour described in the examples below) or see everything is governed by the server setting users_without_row_policies_can_read_rows; check it on your version before relying on either.

1. Creating a row policy

CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name1 [ON CLUSTER cluster_name1] ON [db1.]table1|db1.*
        [, policy_name2 [ON CLUSTER cluster_name2] ON [db2.]table2|db2.* ...]
    [FOR SELECT] USING condition
    [AS {PERMISSIVE | RESTRICTIVE}]
    [TO {role1 [, role2 ...] | ALL | ALL EXCEPT role1 [, role2 ...]}]

-- examples
-- mira and peter can see only the rows of mydb.table1 with b=1; every other user sees no rows of mydb.table1 at all
CREATE ROW POLICY pol1 ON mydb.table1 USING b=1 TO mira, peter

-- several policies may exist on one table; by default their conditions are combined with OR
CREATE ROW POLICY pol1 ON mydb.table1 USING b=1 TO mira, peter
CREATE ROW POLICY pol2 ON mydb.table1 USING c=2 TO peter, antonio

-- the AS clause says how a policy combines with the others:
--   PERMISSIVE (the default): conditions are OR-ed, a row passes if any permissive policy allows it
--   RESTRICTIVE: conditions are AND-ed on top, a row passes only if every restrictive policy allows it
-- row_is_visible = (one or more of the permissive policies' conditions are non-zero) AND (all of the restrictive policies' conditions are non-zero)

-- so here peter sees only rows with b=1 AND c=2 (antonio, who has no permissive policy, sees nothing)
CREATE ROW POLICY pol1 ON mydb.table1 USING b=1 TO mira, peter
CREATE ROW POLICY pol2 ON mydb.table1 USING c=2 AS RESTRICTIVE TO peter, antonio
-- the same holds when the permissive policy is defined on the whole database: peter again sees only rows of mydb.table1 with b=1 AND c=2
CREATE ROW POLICY pol1 ON mydb.* USING b=1 TO mira, peter
CREATE ROW POLICY pol2 ON mydb.table1 USING c=2 AS RESTRICTIVE TO peter, antonio

-- by default CREATE, DROP, ALTER and RENAME affect only the server they are run on. In a cluster the ON CLUSTER clause runs them in a distributed way;
-- for instance, this creates the Distributed table all_hits on every host of the cluster:
CREATE TABLE IF NOT EXISTS all_hits ON CLUSTER cluster (p Date, i Int32) ENGINE = Distributed(cluster, default, hits)
-- for this to work every host must have the same cluster definition (ZooKeeper can be used to keep the configuration in sync) and a connection to the ZooKeeper servers.
-- the local version of the query is eventually executed on every host of the cluster, even on hosts that are unavailable at the moment.

-- a few more examples
CREATE ROW POLICY filter1 ON mydb.mytable USING a<1000 TO accountant, john@localhost
CREATE ROW POLICY filter2 ON mydb.mytable USING a<1000 AND b=5 TO ALL EXCEPT mira
CREATE ROW POLICY filter3 ON mydb.mytable USING 1 TO admin     -- pass-through: admin keeps seeing every row despite the other policies
CREATE ROW POLICY filter4 ON mydb.* USING 1 TO admin
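The combination rule above is easy to get wrong in the direction that hides data from the wrong people, so here is an added example (not from the original post) with a small table and three users, stating what each one sees. The table mydb.orders, its columns and the users are placeholders constructed for the example; the "paul sees nothing" outcome assumes users_without_row_policies_can_read_rows is 0 on the server.

```sql
-- Added example: permissive OR, restrictive AND, and the user nobody named.
CREATE DATABASE IF NOT EXISTS mydb;
CREATE TABLE IF NOT EXISTS mydb.orders
(
    id     UInt32,
    region String,
    amount UInt32
) ENGINE = MergeTree ORDER BY id;

-- Constructed sample rows.
INSERT INTO mydb.orders VALUES
    (1, 'eu', 100), (2, 'eu', 5000), (3, 'us', 200), (4, 'us', 9000);

CREATE USER IF NOT EXISTS mira  IDENTIFIED WITH sha256_password BY 'placeholder-password';
CREATE USER IF NOT EXISTS peter IDENTIFIED WITH sha256_password BY 'placeholder-password';
CREATE USER IF NOT EXISTS paul  IDENTIFIED WITH sha256_password BY 'placeholder-password';
GRANT SELECT ON mydb.orders TO mira, peter, paul;

-- Permissive: mira and peter may see EU rows.
CREATE ROW POLICY IF NOT EXISTS eu_only ON mydb.orders
    USING region = 'eu' TO mira, peter;
-- Restrictive: peter is additionally limited to small orders (AND-ed in).
CREATE ROW POLICY IF NOT EXISTS small_only ON mydb.orders
    USING amount < 1000 AS RESTRICTIVE TO peter;

-- What SELECT * FROM mydb.orders now returns:
--   mira  -> ids 1, 2      region = 'eu'
--   peter -> id 1          region = 'eu' AND amount < 1000
--   paul  -> nothing       no permissive policy names him
-- Give everyone the filters do not target their unfiltered view back:
CREATE ROW POLICY IF NOT EXISTS everyone_else ON mydb.orders
    USING 1 TO ALL EXCEPT mira, peter;

-- Audit: which policies exist on the table, of which kind, and for whom.
SELECT name, select_filter, is_restrictive, apply_to_all, apply_to_list, apply_to_except
FROM system.row_policies
WHERE database = 'mydb' AND table = 'orders';
```

Two things to take from the run: a RESTRICTIVE policy on its own never grants visibility (antonio in the post's example, peter here if eu_only were dropped, would see nothing), and the everyone_else policy is the piece that is usually forgotten when the first filter lands on a shared table.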

2. Altering a row policy

ALTER [ROW] POLICY [IF EXISTS] name1 [ON CLUSTER cluster_name1] ON [database1.]table1 [RENAME TO new_name1]
        [, name2 [ON CLUSTER cluster_name2] ON [database2.]table2 [RENAME TO new_name2] ...]
    [AS {PERMISSIVE | RESTRICTIVE}]
    [FOR SELECT]
    [USING {condition | NONE}][,...]
    [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]

3. Dropping a row policy

DROP [ROW] POLICY [IF EXISTS] name [,...] ON [database.]table [,...] [ON CLUSTER cluster_name]

4. Showing the CREATE statement of a row policy

SHOW CREATE [ROW] POLICY name ON [database1.]table1 [, [database2.]table2 ...]

5. Listing row policies

SHOW [ROW] POLICIES [ON [db.]table]

IV. Settings profiles

A settings profile holds settings and their constraints, together with the list of roles and/or users the profile applies to.

1. Creating a settings profile

CREATE SETTINGS PROFILE [IF NOT EXISTS | OR REPLACE] name1 [ON CLUSTER cluster_name1]
        [, name2 [ON CLUSTER cluster_name2] ...]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | INHERIT 'profile_name'] [,...]
    [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}]

-- example
-- create the profile max_memory_usage_profile with a value and constraints for max_memory_usage, and assign it to the user robin:
CREATE SETTINGS PROFILE max_memory_usage_profile SETTINGS max_memory_usage = 100000001 MIN 90000000 MAX 110000000 TO robin
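An added example (not from the original post) of a profile that does what one usually wants for interactive analysts: read-only sessions, and resource ceilings the user may lower but not raise. analyst_role and all the numbers are placeholders.

```sql
-- Added example: a constrained profile for a role, and what the constraints do.
CREATE ROLE IF NOT EXISTS analyst_role;

CREATE SETTINGS PROFILE IF NOT EXISTS analyst_profile
    SETTINGS
        readonly = 2 READONLY,                          -- SELECT only; 2 still allows SET for other settings, READONLY stops the user lifting it
        max_execution_time = 60 MAX 120,                -- 60 s by default, the user may change it but never above 120 s
        max_memory_usage = 4000000000 MAX 8000000000,   -- 4 GB default, 8 GB hard ceiling
        max_result_rows = 1000000 READONLY              -- fixed
    TO analyst_role;

-- What was stored for the profile:
SELECT setting_name, value, min, max
FROM system.settings_profile_elements
WHERE profile_name = 'analyst_profile';

-- In a session of a user holding analyst_role:
SET max_execution_time = 90;    -- accepted, within MAX
SET max_execution_time = 600;   -- rejected with SETTING_CONSTRAINT_VIOLATION
SET readonly = 0;               -- rejected, the constraint is READONLY
```

The MAX form is the one to reach for: it leaves the analyst room to tune a heavy query while keeping the ceiling in the profile, where SHOW CREATE SETTINGS PROFILE will show it during a review.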

2. Altering a settings profile

ALTER SETTINGS PROFILE [IF EXISTS] name1 [ON CLUSTER cluster_name1] [RENAME TO new_name1]
        [, name2 [ON CLUSTER cluster_name2] [RENAME TO new_name2] ...]
    [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [CONST|READONLY|WRITABLE|CHANGEABLE_IN_READONLY] | INHERIT 'profile_name'] [,...]
    [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}]

3. Dropping a settings profile

DROP [SETTINGS] PROFILE [IF EXISTS] name [,...] [ON CLUSTER cluster_name]

4. Showing the CREATE statement of a settings profile

SHOW CREATE [SETTINGS] PROFILE name1 [, name2 ...]

5. Listing settings profiles

SHOW [SETTINGS] PROFILES

V. Quotas

A quota is a set of limits over certain time intervals, together with the list of roles and/or users the quota applies to.

1. Creating a quota

CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]
    [KEYED BY {user_name | ip_address | client_key | client_key,user_name | client_key,ip_address} | NOT KEYED]
    [FOR [RANDOMIZED] INTERVAL number {second | minute | hour | day | week | month | quarter | year}
        {MAX { {queries | query_selects | query_inserts | errors | result_rows | result_bytes | read_rows | read_bytes | execution_time} = number } [,...] |
         NO LIMITS | TRACKING ONLY} [,...]]
    [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]

-- the keys user_name, ip_address, client_key, client_key,user_name and client_key,ip_address correspond to fields of the system.quotas table.
-- client_key is whatever the client sends as its quota_key, so the caller chooses it; a quota keyed by client_key alone is reset by sending a new key.
-- for limits that are meant to contain abuse, key by user_name or ip_address (or combine client_key with one of them).

-- the parameters queries, query_selects, query_inserts, errors, result_rows, result_bytes, read_rows, read_bytes and execution_time correspond to fields of the system.quotas_usage table.

-- examples
-- limit the number of queries of the current user: at most 123 queries per 15 months
CREATE QUOTA qA FOR INTERVAL 15 month MAX queries = 123 TO CURRENT_USER;

-- for the default user: at most half a second of execution time per 30 minutes, and at most 321 queries and 10 errors per 5 quarters
CREATE QUOTA qB FOR INTERVAL 30 minute MAX execution_time = 0.5, FOR INTERVAL 5 quarter MAX queries = 321, errors = 10 TO default;
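An added example (not from the original post) of a quota shaped for accounts that front something exposed: counters keyed by source address rather than by the shared user, a short randomized window against bursts, an error cap, and one interval that only tracks so the numbers for a future limit can be read off. api_role and every number are placeholders.

```sql
-- Added example: per-IP rate limit for a role, with a tracking-only interval.
CREATE ROLE IF NOT EXISTS api_role;

CREATE QUOTA IF NOT EXISTS api_quota
    KEYED BY ip_address                                               -- one counter per source address, not per shared user
    FOR RANDOMIZED INTERVAL 1 minute MAX queries = 300, errors = 30,  -- errors are capped too: they are cheap to generate and useful for probing
    FOR INTERVAL 1 day MAX read_bytes = 100000000000, execution_time = 3600,
    FOR INTERVAL 1 hour TRACKING ONLY                                 -- counted, not enforced: data for sizing the next limit
    TO api_role;

-- Consumption per key, as an administrator sees it:
SELECT quota_key, duration, queries, max_queries, errors, max_errors, read_bytes, max_read_bytes
FROM system.quotas_usage
WHERE quota_name = 'api_quota';

-- The caller's own view of its counters:
SHOW CURRENT QUOTA;
```

Keying by ip_address means callers behind one NAT share a budget, which is the trade-off to make consciously; the alternative, client_key, is chosen by the client and so is not a limit on an adversary at all.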

2. Altering a quota

ALTER QUOTA [IF EXISTS] name [ON CLUSTER cluster_name]
    [RENAME TO new_name]
    [KEYED BY {user_name | ip_address | client_key | client_key,user_name | client_key,ip_address} | NOT KEYED]
    [FOR [RANDOMIZED] INTERVAL number {second | minute | hour | day | week | month | quarter | year}
        {MAX { {queries | query_selects | query_inserts | errors | result_rows | result_bytes | read_rows | read_bytes | execution_time} = number } [,...] |
        NO LIMITS | TRACKING ONLY} [,...]]
    [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]

-- example
ALTER QUOTA IF EXISTS qA FOR INTERVAL 15 month MAX queries = 123 TO CURRENT_USER;

3. Dropping a quota

DROP QUOTA [IF EXISTS] name [,...] [ON CLUSTER cluster_name]

4. Showing the CREATE statement of a quota

SHOW CREATE QUOTA [name1 [, name2 ...] | CURRENT]

5. Showing quota usage

-- returns the quota consumption of all users, or of the current user with CURRENT. For the other counters see the system tables system.quotas_usage and system.quota_usage.
SHOW [CURRENT] QUOTA

VI. Supplement

1. Privilege hierarchy

.
├── ALTER (only for table and view)/
│   ├── ALTER TABLE/
│   │   ├── ALTER UPDATE
│   │   ├── ALTER DELETE
│   │   ├── ALTER COLUMN/
│   │   │   ├── ALTER ADD COLUMN
│   │   │   ├── ALTER DROP COLUMN
│   │   │   ├── ALTER MODIFY COLUMN
│   │   │   ├── ALTER COMMENT COLUMN
│   │   │   ├── ALTER CLEAR COLUMN
│   │   │   └── ALTER RENAME COLUMN
│   │   ├── ALTER INDEX/
│   │   │   ├── ALTER ORDER BY
│   │   │   ├── ALTER SAMPLE BY
│   │   │   ├── ALTER ADD INDEX
│   │   │   ├── ALTER DROP INDEX
│   │   │   ├── ALTER MATERIALIZE INDEX
│   │   │   └── ALTER CLEAR INDEX
│   │   ├── ALTER CONSTRAINT/
│   │   │   ├── ALTER ADD CONSTRAINT
│   │   │   └── ALTER DROP CONSTRAINT
│   │   ├── ALTER TTL/
│   │   │   └── ALTER MATERIALIZE TTL
│   │   ├── ALTER SETTINGS
│   │   ├── ALTER MOVE PARTITION
│   │   ├── ALTER FETCH PARTITION
│   │   └── ALTER FREEZE PARTITION
│   └── ALTER LIVE VIEW/
│       ├── ALTER LIVE VIEW REFRESH
│       └── ALTER LIVE VIEW MODIFY QUERY
├── ALTER DATABASE
├── ALTER USER
├── ALTER ROLE
├── ALTER QUOTA
├── ALTER [ROW] POLICY
└── ALTER [SETTINGS] PROFILE
GRANT ALTER COLUMN ON my_db.my_table TO my_user;

REVOKE ALTER ADD COLUMN ON my_db.my_table FROM my_user;
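The tree matters because a grant on a node grants its whole subtree, and a revoke on a child is recorded as a partial revoke carved out of the parent. An added example (not from the original post) showing that with the destructive ALTERs removed from a schema-editing role; schema_editor is a placeholder name, my_db.my_table is the table the post already uses.

```sql
-- Added example: grant a subtree, carve out the dangerous leaves, verify.
CREATE ROLE IF NOT EXISTS schema_editor;

-- The whole ALTER TABLE subtree: columns, indexes, constraints, TTL, partitions, ...
GRANT ALTER TABLE ON my_db.my_table TO schema_editor;

-- ... minus the operations that lose data.
REVOKE ALTER DROP COLUMN, ALTER DELETE, ALTER UPDATE ON my_db.my_table FROM schema_editor;

-- SHOW GRANTS prints the grant followed by the partial revokes.
SHOW GRANTS FOR schema_editor;

-- The same, queryable: is_partial_revoke = 1 marks the carve-outs.
SELECT access_type, database, table, is_partial_revoke, grant_option
FROM system.grants
WHERE role_name = 'schema_editor'
ORDER BY is_partial_revoke, access_type;
```

When reviewing a role, read system.grants rather than eyeballing the tree: a later GRANT ALTER TABLE on the same table would silently restore the revoked leaves, and the query above is what shows whether the carve-outs are still in place.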
