Managing users and access permissions in Yandex Managed Service for ClickHouse®
In Managed Service for ClickHouse®, user access permissions depend on the privileges granted to the user.
A privilege is a permission to perform certain operations in the cluster. For more information about the hierarchy of privileges and their scope, see this ClickHouse® guide.
A role is a set of privileges.
Your access management capabilities depend on the user management method you select:
- Via Yandex Cloud interfaces (management console, CLI, Terraform, and API): Allows managing user access to databases using Managed Service for ClickHouse®.
- Via SQL: Allows managing user access to database objects based on a role model (RBAC).
Concurrent management via Yandex Cloud interfaces and via SQL is not supported.
Creating a cluster automatically creates service users.
User management via Yandex Cloud interfaces
Yandex Cloud interfaces allow you to:
- Create users and grant them access to databases.
- Configure access settings.
You can enable user management via Yandex Cloud interfaces only when creating a cluster.
User privilege restrictions
Users created via Yandex Cloud interfaces do not have the following privileges:
- SYSTEM SHUTDOWN
- FILE
- ALTER FREEZE PARTITION
- CREATE DATABASE and DROP DATABASE
- ACCESS MANAGEMENT
- Privileges for modifying operations in the system databases (system and _system)
User management via SQL
You can activate user management via SQL when creating a cluster or updating its settings. Once you do that, SQL will be your only user management option; you cannot switch back to Yandex Cloud interfaces. However, users created via Yandex Cloud interfaces will remain.
Enabling this option creates the admin user, which you can use to create other users and manage their roles, privileges, and row policies.
For more information about managing access permissions via SQL, see this ClickHouse® guide.
Privilege restrictions for the admin user
The admin user does not have the following privileges:
- SYSTEM SHUTDOWN
- FILE
- ALTER FREEZE PARTITION
- Privileges for modifying operations in the system databases (system and _system)
In addition, the CREATE DATABASE and DROP DATABASE privileges are granted only on condition that databases are managed via SQL.
Because the admin user has limited privileges, the GRANT ALL command is unavailable to it. To grant all the privileges the admin user actually holds, use the GRANT CURRENT GRANTS command instead.
For more on GRANT CURRENT GRANTS, see this ClickHouse® guide.
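The following session illustrates the SQL-based model described above. It is an added example, not code from the original page or from Yandex Cloud; it assumes a cluster with user management via SQL enabled and a connection as the admin user. The database, table, role and user names (reports, reports.sales, analyst, dba, alice, ops_bob), the network range and the placeholder password are all assumptions.

```sql
-- Added example (not from the original page). Run as the admin user on a
-- cluster where user management via SQL is enabled. All object names below
-- are assumptions.

-- 1. Roles carry privileges; grant to the role, never to individual users.
CREATE ROLE IF NOT EXISTS analyst;
GRANT SELECT ON reports.* TO analyst;

-- 2. A user with a hashed password and a network restriction. The role is
--    granted and made the default so it is active as soon as alice logs in.
--    'change-me' is a placeholder; set a real secret out of band.
CREATE USER IF NOT EXISTS alice
    IDENTIFIED WITH sha256_password BY 'change-me'
    HOST IP '10.0.0.0/8';
GRANT analyst TO alice;
ALTER USER alice DEFAULT ROLE analyst;

-- 3. Row-level filtering: alice sees only EU rows of reports.sales.
--    Caveat: once any row policy exists on a table, users not named in any
--    permissive policy see no rows at all, and policies filter only SELECT,
--    so keep INSERT/ALTER away from analyst to prevent trivial bypass.
CREATE ROW POLICY IF NOT EXISTS eu_only ON reports.sales
    FOR SELECT USING region = 'eu' TO alice;

-- 4. Delegating administration. GRANT ALL is unavailable to admin; GRANT
--    CURRENT GRANTS hands over exactly what this session holds. Putting it
--    on a role keeps the delegation revocable with a single statement.
CREATE ROLE IF NOT EXISTS dba;
GRANT CURRENT GRANTS ON *.* TO dba WITH GRANT OPTION;
CREATE USER IF NOT EXISTS ops_bob
    IDENTIFIED WITH sha256_password BY 'change-me-too'
    HOST IP '10.0.0.0/8';
GRANT dba TO ops_bob;
ALTER USER ops_bob DEFAULT ROLE dba;

-- 5. Verify effective permissions instead of trusting the statements above.
SHOW GRANTS FOR alice;
SHOW GRANTS FOR ops_bob;
SHOW CREATE ROW POLICY eu_only ON reports.sales;

-- 6. Revocation path: removing the role removes every privilege it carried.
REVOKE dba FROM ops_bob;
DROP ROW POLICY IF EXISTS eu_only ON reports.sales;
```

The SHOW GRANTS output for ops_bob is the useful check here: because dba was filled with CURRENT GRANTS rather than ALL, it will list the same set the admin user holds and will not include SYSTEM SHUTDOWN, FILE or ALTER FREEZE PARTITION, which matches the restrictions listed above.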
Service users
Service users are users created and managed by Managed Service for ClickHouse®. The cluster needs service users to operate. Such users cannot be managed manually.
- _admin: User to administer and manage the ClickHouse® cluster: create databases, users, and auxiliary tables.
- _backup_admin: User to create backups and restore data from them.
- _monitor, _sli: Users to health check the ClickHouse® cluster and its subsystems.
- _metrics: User to calculate the metrics delivered to Yandex Monitoring.
ClickHouse® is a registered trademark of ClickHouse, Inc