Permissions for Queries
Queries in ClickHouse can be divided into several types:
- Read data queries:
SELECT,SHOW,DESCRIBE,EXISTS. - Write data queries:
INSERT,OPTIMIZE. - Change settings query:
SET,USE. - DDL queries:
CREATE,ALTER,RENAME,ATTACH,DETACH,DROPTRUNCATE. KILL QUERY.
The following settings regulate user permissions by the type of query:
readonly
Restricts permissions for read data, write data, and change settings queries.
When set to 1, allows:
- All types of read queries (like SELECT and equivalent queries).
- Queries that modify only session context (like USE).
When set to 2, allows the above plus:
-
SET and CREATE TEMPORARY TABLE
TipQueries like EXISTS, DESCRIBE, EXPLAIN, SHOW PROCESSLIST, etc are equivalent to SELECT, because they just do select from system tables.
Possible values:
- 0 — Read, Write, and Change settings queries are allowed.
- 1 — Only Read data queries are allowed.
- 2 — Read data and Change settings queries are allowed.
Default value: 0
After setting readonly = 1, the user can’t change readonly and allow_ddl settings in the current session.
When using the GET method in the HTTP interface, readonly = 1 is set automatically. To modify data, use the POST method.
Setting readonly = 1 prohibits the user from changing settings. There is a way to prohibit the user from changing only specific settings. Also there is a way to allow changing only specific settings under readonly = 1 restrictions. For details see constraints on settings.
allow_ddl
Allows or denies DDL queries.
Possible values:
- 0 — DDL queries are not allowed.
- 1 — DDL queries are allowed.
Default value: 1
You cannot run SET allow_ddl = 1 if allow_ddl = 0 for the current session.
KILL QUERY can be performed with any combination of readonly and allow_ddl settings.