Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Managing ClickHouse® users

Written by
Updated at December 17, 2025

Managed Service for ClickHouse® provides two methods for managing users and their individual settings:

  • Using the native Yandex Cloud interfaces, such as the management console, CLI, Terraform, or API . Select this method to create, edit, and delete users and custom user settings using the Yandex Managed Service for ClickHouse® features.
  • Using SQL queries to the cluster. Select this method to use your own solutions to create and manage users or if you are using RBAC.

Warning

In a Managed Service for ClickHouse® cluster, you can only employ one user management method at a time: either via native interfaces or via SQL queries.

Note

Creating a new ClickHouse® cluster automatically creates service users to administer and monitor the service.

User management via SQL

To enable this management method, select User management via SQL when creating or reconfiguring your cluster.

Warning

You cannot disable User management via SQL once it is enabled.

In a cluster with User management via SQL enabled:

  • User management via the native Yandex Cloud interfaces, such as the management console, CLI, API, and Terraform, is unavailable.
  • The existing users as well as user settings created with the native Yandex Cloud interfaces will remain unchanged.
  • Users are managed by the admin account. You set the admin password when selecting the User management via SQL option.

For more information about managing users via SQL, see this ClickHouse® article.

Getting a list of users

  1. In the management console, select the folder the cluster is in.
  2. Go to Managed Service for ClickHouse.
  3. Click the cluster name and select the Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run this command:

yc managed-clickhouse user list
   --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.List method, for instance, via the following cURL request:

    curl \
    --request GET \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService.List method, for instance, via the following gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.UserService.List

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

  1. Connect to your cluster as admin.

  2. Get a list of users:

    SHOW USERS;

Creating a user

  1. In the management console, select the folder the cluster is in.

  2. Go to Managed Service for ClickHouse.

  3. Click the cluster name and select the Users tab.

  4. Click Create user.

  5. Specify the database user’s name.

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore. The name may be up to 32 characters long.

  6. Select the method for setting a password:

    • Enter manually: Set your own password. It must be from 8 to 128 characters long.

    • Generate: Generate a password using Connection Manager.

    To view the password, navigate to the cluster page, select the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

  7. Select one or more databases the user must have access to:

    1. Click and select a database from the drop-down list.
    2. Repeat the previous step until you select all the required databases.
    3. To delete a database added by mistake, click to the right of the database name.

  8. Specify additional settings for the user:

    1. Set quotas under Additional settings → Quotas:
      1. To add a quota, click . You can add multiple quotas that will apply concurrently.
      2. To delete a quota, click to the right of the quota name and select Delete.
      3. To change a quota, specify the required values in its settings.
    2. Configure ClickHouse® under Additional settings → Settings.

  9. Click Create.

See also the example of creating a user with read-only access permissions.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a cluster user, run this command:

yc managed-clickhouse user create <username> \
   --cluster-name=<cluster_name> \
   --password=<user_password> \
   --permissions=<database_list> \
   --quota=<list_of_single_quota_settings_for_user> \
   --settings=<list_of_ClickHouse®_settings_for_user>

Where:

  • --cluster-name: Cluster name.

  • --password: User password. The password must be from 8 to 128 characters long.

    You can also generate a password using Connection Manager. Do it by specifying --generate-password instead of --password=<password>.

    To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

  • --permissions: List of databases the user should have access to.

For more information about quotas and query-level settings, see ClickHouse® settings.

To set multiple quotas, list them by specifying the --quota parameter for each quota in the following command:

yc managed-clickhouse user create <username> \
   ...
   --quota="<quota_0_settings>" \
   --quota="<quota_1_settings>" \
   ...

You can get the cluster name with the list of clusters in the folder.

See also the example of creating a user with read-only access permissions.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Add the yandex_mdb_clickhouse_user resource:

    resource "yandex_mdb_clickhouse_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_name>"
  }
  settings {
    <parameter_1_name> = <value_1>
    <parameter_2_name> = <value_2>
    ...
  }
}

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore. The name may be up to 32 characters long.

    The password must be from 8 to 128 characters long.

    You can also generate a password using Connection Manager. Do it by specifying generate_password = true instead of password = "<password>".

    To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the new user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

    When creating both a cluster and a user with Terraform at the same time, specify a name for the new cluster rather than cluster ID in the yandex_mdb_clickhouse_user resource:

    
resource "yandex_mdb_clickhouse_cluster" "<cluster_name>" {
  name = "<cluster_name>"
  ...
}

resource "yandex_mdb_clickhouse_user" "<username>" {
  cluster_id = yandex_mdb_clickhouse_cluster.<cluster_name>.id
  name       = "<username>"
  ...
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Create method, e.g., via the following cURL request:

    1. Create a file named body.json and paste the following code into it:

      {
  "userSpec": {
    "name": "<username>",
    "password": "<user_password>",
    "permissions": [
      {
        "databaseName": "<DB_name>"
      }
    ],
    "settings": {<ClickHouse®_settings>},
    "quotas": [
      {
        "intervalDuration": "<quota_interval>",
        "queries": "<total_number_of_queries>",
        "errors": "<number_of_failed_queries>",
        "resultRows": "<number_of_result_rows>",
        "readRows": "<number_of_source_rows>",
        "executionTime": "<total_execution_time>"
      },
      { <similar_settings_for_quota_2> },
      { ... },
      { <similar_settings_for_quota_N> }
    ]
  },
  { <similar_settings_for_new_user_2> },
  { ... },
  { <similar_settings_for_new_user_N> }
}

      Where userSpec is the array of the new users' settings. Each array element contains the configuration for a single user and has the following structure:

      • name: Username. It may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter or underscore. The name may be up to 32 characters long.

      • password: User password. The password must be from 8 to 128 characters long.

        You can also generate a password using Connection Manager. To do this, specify "generatePassword": true instead of "password": "<user_password>".

        To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

      • permissions: List of databases the user should have access to.

        The list appears as an array of databaseName parameters. Each parameter contains the name of a separate database.

      • settings: List of ClickHouse® settings for the user.

        Settings are specified as comma-separated key: value pairs.

      • quotas: Array of quota settings. Each array element contains settings for a single quota.

    2. Run this query:

      curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>/users' \
  --data '@body.json'

      You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

See also the example of creating a user with read-only access permissions.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService.Create method, e.g., via the following gRPCurl request:

    1. Create a file named body.json and paste the following code into it:

      {
  "cluster_id": "<cluster_ID>",
  "user_spec": {
    "name": "<username>",
    "password": "<user_password>",
    "permissions": [
      {
        "database_name": "<DB_name>"
      }
    ],
    "settings": {<ClickHouse®_settings>},
    "quotas": [
      {
        "interval_duration": "<quota_interval>",
        "queries": "<total_number_of_queries>",
        "errors": "<number_of_failed_queries>",
        "result_rows": "<number_of_result_rows>",
        "read_rows": "<number_of_source_rows>",
        "execution_time": "<total_execution_time>"
      },
      { <similar_settings_for_quota_2> },
      { ... },
      { <similar_settings_for_quota_N> }
    ]
  },
  { <similar_settings_for_new_user_2> },
  { ... },
  { <similar_settings_for_new_user_N> }
}

      Where user_spec is the array of the new users' settings. Each array element contains the configuration for a single user and has the following structure:

      • name: Username. It may contain Latin letters, numbers, hyphens, and underscores, and must start with a letter or underscore. The name may be up to 32 characters long.

      • password: User password. The password must be from 8 to 128 characters long.

        You can also generate a password using Connection Manager. To do this, specify "generate_password": true instead of "password": "<user_password>".

        To view the password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. To view passwords, you need the lockbox.payloadViewer role.

      • permissions: List of databases the user should have access to.

        The list appears as an array of database_name parameters. Each parameter contains the name of a separate database.

      • settings: List of ClickHouse® settings for the user.

        Settings are specified as comma-separated key: value pairs.

      • quotas: Array of quota settings. Each array element contains settings for a single quota.

      You can get the cluster ID with the list of clusters in the folder.

    2. Run this query:

      grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d @ \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.UserService.Create \
  < body.json

  4. View the server response to make sure your request was successful.

See also the example of creating a user with read-only access permissions.

  1. Connect to your cluster as admin.

  2. Create a user:

    CREATE USER <username> IDENTIFIED WITH sha256_password BY '<user_password>';

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

    The password must be from 8 to 128 characters long.

For more information about creating users, see this ClickHouse® guide.

Changing a password

We recommend using the Yandex Cloud interfaces listed below. Do not use SQL to change your password; otherwise, the password may reset to the previous one after maintenance.

  1. In the management console, select the folder the cluster is in.

  2. Go to Managed Service for ClickHouse.

  3. Click the cluster name and select the Users tab.

  4. Click and select Change password.

  5. Select the method for setting a new password:

    • Enter manually: Set your own password. It must be from 8 to 128 characters long.

    • Generate: Generate a password using Connection Manager.

  6. Click Edit.

To view the new password, navigate to the cluster page, select the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

To view passwords, you need the lockbox.payloadViewer role.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user password, run this command:

yc managed-clickhouse user update <username> \
   --cluster-name=<cluster_name> \
   --password=<new_password>

The password must be from 8 to 128 characters long.

You can also generate a new password using Connection Manager. Do it by specifying --generate-password instead of --password=<new_password>.

To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

To view passwords, you need the lockbox.payloadViewer role.

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Locate the yandex_mdb_clickhouse_user resource for the user in question.

  3. Change the password field value:

    resource "yandex_mdb_clickhouse_user" "<username>" {
  ...
  name     = "<username>"
  password = "<password>"
  ...
}

    The password must be from 8 to 128 characters long.

    You can also generate a new password using Connection Manager. Do it by specifying generate_password = true instead of password = "<new_password>".

    To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

    Note

    If the current password has been automatically generated, you cannot regenerate it using Terraform due to the provider limitations.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Update method, for instance, via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "password",
              "password": "<new_password>"
            }'

    Where:

    • updateMask: Comma-separated list of settings you want to update.

      Here, we only specified a single setting, password.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. To do this, edit the data field as follows:

      {
  "updateMask": "generatePassword",
  "generatePassword": true
}

      To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService.Update method, for instance, via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "password"
            ]
          },
          "password": "<new_password>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.UserService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we only specified a single setting, password.

    • password: New password. The password must be from 8 to 128 characters long.

      You can also generate a password using Connection Manager. To do this, edit the d parameter as follows:

      {
  "cluster_id": "<cluster_ID>",
  "user_name": "<username>",
  "update_mask": {
    "paths": [
      "generate_password"
    ]
  },
  "generate_password": true
}

      To view the new password, select your cluster in the management console, navigate to the Users tab, and click View password for the relevant user. This will open the page of the Yandex Lockbox secret containing the password. The new password version is marked as Current.

      To view passwords, you need the lockbox.payloadViewer role.

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

Changing the admin password

We recommend using the Yandex Cloud interfaces listed below. Do not use SQL to change your password; otherwise, the password may reset to the previous one after maintenance.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change the admin password, run this command:

yc managed-clickhouse cluster update <cluster_name_or_ID> \
  --admin-password <new_admin_password>

Note

The password must be from 8 to 128 characters long.

You can get the cluster ID and name with the list of clusters in the folder.

Tip

  • For enhanced security, use the --read-admin-password parameter instead of --admin-password, as you will need to enter the new password using your keyboard, and it will not be saved in the command history.
  • To generate a password automatically, use --generate-admin-password. The command output will contain the new password.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Edit the admin_password field value:

    resource "yandex_mdb_clickhouse_cluster" "<cluster_name>" {
  ...
  admin_password = "<admin_password>"
  ...
}

    Note

    The password must be from 8 to 128 characters long.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>' \
    --data '{
              "updateMask": "configSpec.adminPassword",
              "configSpec": {
                "adminPassword": "<new_password>"
              }
            }'

    Where:

    • updateMask: Comma-separated list of settings you want to update.

      Here, we only specified a single setting, configSpec.adminPassword.

    • configSpec.adminPassword: New user password.

      The password must be from 8 to 128 characters long.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "update_mask": {
            "paths": [
              "config_spec.admin_password"
            ]
          },
          "config_spec": {
            "admin_password": "<new_password>"
          }
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we only specified a single setting, config_spec.admin_password.

    • config_spec.admin_password: New user password.

      The password must be from 8 to 128 characters long.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Changing user settings

  1. In the management console, select the folder the cluster is in.
  2. Go to Managed Service for ClickHouse.
  3. Click the cluster name and select the Users tab.
  4. Click and select Configure.
  5. Configure user permissions to access specific databases:
    1. To grant access to the required databases:
      1. Click and select a database from the drop-down list.
      2. Repeat the previous step until you select all the required databases.
    2. To delete a database, click to the right of the database name.
  6. Set quotas for the user under Additional settings → Quotas:
    1. To add a quota, click . You can add multiple quotas that will apply concurrently.
    2. To delete a quota, click to the right of the quota name and select Delete.
    3. To change a quota, specify the required values in its settings.
  7. Change the user ClickHouse® settings under Additional settings → Settings.
  8. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

You can change user settings from the command line interface:

  1. To configure user access to specific databases, run this command with a list of database names specified in the --permissions option:

    yc managed-clickhouse user update <username> \
   --cluster-name=<cluster_name> \
   --permissions=<database_list>

    You can get the cluster name with the list of clusters in the folder.

    This command grants the user access to the listed databases.

    To revoke access to a specific database, remove its name from the list, and run the command with the updated list.

  2. To change user quota settings, run the following command, specifying each quota in a separate --quota parameter:

    yc managed-clickhouse user update <username> \
   --cluster-name=<cluster_name> \
   --quota=<quota_0_settings_(unchanged)> \
   --quota=<quota_1_settings_(unchanged)> \
   --quota=<quota_2_settings_(changed)> \
   --quota=<quota_3_settings_(unchanged)> \
   --quota=<quota_4_settings_(changed)> \
   --quota=<quota_5_settings_(new_quota)>
  ...

    You can get the cluster name with the list of clusters in the folder.

    This command overwrites all existing user quota settings with the new ones you provided.
    Before running the command, make sure you included the settings for new and changed quotas as well as the settings for existing quotas that have not changed.

    To delete one or more user quotas, remove their settings from the list and run the command with the updated list of --quota parameters.

    When setting a quota interval, you can specify hours (h), minutes (m), seconds (s), and milliseconds (ms) in the value, e.g., 3h20m10s7000ms. The resulting value is still provided in milliseconds, e.g., 12017000. The interval value must be a multiple of 1,000 milliseconds. For example, 1s500ms is invalid.

  3. To update user ClickHouse® settings, run the command below, listing the changed settings in the --settings parameter:

    yc managed-clickhouse user update <username> \
   --cluster-name=<cluster_name> \
   --settings=<list_of_ClickHouse®_settings>

    You can get the cluster name with the list of clusters in the folder.

    The command only updates the settings that are explicitly specified in the --settings parameter. For example, the command with the --settings="readonly=1" parameter will only update the readonly setting and will not reset any other value. This is the difference between changing ClickHouse® settings and changing quota settings.

    You cannot use this command to delete an existing setting. You can only explicitly set it to its default value (specified for each setting).

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Locate the yandex_mdb_clickhouse_user resource for the user in question.

  3. To set up user access permissions for specific databases, add a permission section for each database you need:

    resource "yandex_mdb_clickhouse_user" "<username>" {
  ...
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_1_name>"
  }
  ...
  permission {
    database_name = "<DB_N_name>"
  }
  ...
}

    In the database_name field, specify the name of the database to grant access to.

  4. To update user quota settings, add the required number of quota sections to the cluster user description.

    When describing quotas, only the interval_duration field is required.

    resource "yandex_mdb_clickhouse_user" "<username>" {
  ...
  name       = "<username>"
  password   = "<password>"
  ...
  quota {
    interval_duration = <interval_in_milliseconds>
    ...
  }
}

  5. To update user ClickHouse® settings, add the settings section to the cluster user description.

    resource "yandex_mdb_clickhouse_user" "<username>" {
  ...
  name       = "<username>"
  password   = "<password>"
  ...
  settings {
    <parameter_1_name> = <value_1>
    <parameter_2_name> = <value_2>
    ...
  }
}

  6. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  7. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Update method, for instance, via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "<list_of_settings_to_update>",
              "permissions": [ <updated_DB_list> ],
              "settings": { <ClickHouse®_settings> },
              "quotas": [ <updated_list_of_quota_settings> ]
            }'

    Where updateMask is a comma-separated string of parameters to update.

    Specify the required parameters to update individual categories of settings:

    • To edit the list of databases the user can access, provide the updated list in the permissions parameter.

      The list appears as an array of databaseName parameters. Each parameter contains the name of a separate database.

      Warning

      The current database list in the cluster will be completely overwritten by the list provided in the permissions parameter.

      Before running your query, make sure you listed all the required databases, including the existing ones.

    • To update user ClickHouse® settings, provide these settings with updated values in the settings parameter.

    • To update quota settings, provide the updated list of settings in the quotas parameter.

      The list appears as an array. Each array element contains settings for a single quota.

      Warning

      The current list of quota settings in the cluster will be completely overwritten by the list provided in the quotas parameter.

      Before running your query, make sure you listed all the required quota settings, including the existing ones.

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService.Update method, for instance, via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              <list_of_settings_to_update>
            ]
          },
          "permissions": [ <updated_DB_list> ],
          "settings": { <ClickHouse®_settings> },
          "quotas": [ <updated_list_of_quota_settings> ]
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.UserService.Update

    Where update_mask is the list of parameters to update as an array of strings (paths[]).

    Specify the required parameters to update individual categories of settings:

    • To edit the list of databases the user can access, provide the updated list in the permissions parameter.

      The list appears as an array of database_name parameters. Each parameter contains the name of a separate database.

      Warning

      The current database list in the cluster will be completely overwritten by the list provided in the permissions parameter.

      Before running your query, make sure you listed all the required databases, including the existing ones.

    • To update user ClickHouse® settings, provide these settings with updated values in the settings parameter.

    • To update quota settings, provide the updated list of settings in the quotas parameter.

      The list appears as an array. Each array element contains settings for a single quota.

      Warning

      The current list of quota settings in the cluster will be completely overwritten by the list provided in the quotas parameter.

      Before running your query, make sure you listed all the required quota settings, including the existing ones.

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

  1. Connect to your cluster as admin.

  2. To change user privileges and roles, use the GRANT and REVOKE statements. For example, grant the user read permissions for all objects in a specific database:

    GRANT SELECT ON <DB_name>.* TO <username>;

  3. To update user quota settings, use the CREATE QUOTA, ALTER QUOTA, and DROP QUOTA statements. For example, limit the total number of user queries for a 15-month period:

    CREATE QUOTA <quota_name> FOR INTERVAL 15 MONTH MAX QUERIES 100 TO <username>;

  4. To change a user account, use the ALTER USER statement. For example, to update ClickHouse® settings, run the command below, listing the settings to update:

    ALTER USER <username> SETTINGS <list_of_ClickHouse®_settings>;

Deleting a user

  1. In the management console, select the folder the cluster is in.
  2. Go to Managed Service for ClickHouse.
  3. Click the cluster name and select the Users tab.
  4. Click and select Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-clickhouse user delete <username> \
   --cluster-name=<cluster_name>

You can get the cluster name with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Delete the yandex_mdb_clickhouse_user resource with the user description.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Delete method, for instance, via the following cURL request:

    curl \
    --request DELETE \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Call the UserService.Delete method, for instance, via the following gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "user_name": "<username>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.UserService.Delete

    You can get the cluster ID with the list of clusters in the folder. You can get the username with the list of users in the cluster.

  4. View the server response to make sure your request was successful.

  1. Connect to your cluster as admin.

  2. Delete the user:

    DROP USER <username>;

Learn more about deleting objects in this ClickHouse® guide.

Examples

Creating a read-only user

Let's say you need to add a new user named ro-user with the Passw0rd password to the existing mych cluster with the cat0adul1fj0******** ID, and:

  • The user has access to the db1 database in the cluster.
  • The access is read-only, with no option to change any settings.
  1. In the management console, select the folder the cluster is in.
  2. Go to Managed Service for ClickHouse.
  3. Click the mych cluster and select the Users tab.
  4. Click Create user.
  5. Enter ro-user as the database user name and Passw0rd as the password.
  6. Click and select db1 from the drop-down list.
  7. Select Additional settings → Settings → Readonly.
  8. Set the Readonly field value to 1.
  9. Click Create.

Run this command:

yc managed-clickhouse user create "ro-user" \
   --cluster-name="mych" \
   --password="Passw0rd" \
   --permissions="db1" \
   --settings="readonly=1"

Once you create the user, make sure it actually has read-only access:

  1. Connect to the mych cluster as ro-user you created.

  2. Try changing any setting, e.g., disable read-only mode:

    SET readonly=0

    The command should return a message stating that you cannot change the setting in read-only mode:

    DB::Exception: Cannot modify 'readonly' setting in readonly mode.

  1. Open the current Terraform configuration file describing your infrastructure.

    For information on how to create such a file, see Creating a cluster.

  2. Add the yandex_mdb_clickhouse_user resource:

    resource "yandex_mdb_clickhouse_user" "ro-user" {
  cluster_id = "cat0adul1fj0********"
  name = "ro-user"
  password = "Passw0rd"
  permission {
    database_name = "db1"
  }
  settings {
    readonly = 1
  }
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Run this cURL request:

    curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/cat0adul1fj0********/users' \
    --data '{
              "userSpec": {
                "name": "ro-user",
                "password": "Passw0rd",
                "permissions": [
                  {
                    "databaseName": "db1"
                  }
                ],
                "settings": {
                  "readonly": "1"
                }
              }
            }'

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Run this gRPCurl request:

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "cat0adul1fj0********",
          "user_spec": {
            "name": "ro-user",
            "password": "Passw0rd",
            "permissions": [
              {
                "database_name": "db1"
              }
            ],
            "settings": {
              "readonly": "1"
            }
          }
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.clickhouse.v1.UserService.Create

  1. Connect to the mych cluster as admin.

  2. Create a user:

    CREATE USER ro-user IDENTIFIED WITH sha256_password BY 'Passw0rd';

  3. Grant the user read permissions for all objects in the db1 database:

    GRANT SELECT ON db1.* TO ro-user;

ClickHouse® is a registered trademark of ClickHouse, Inc.

Previous
Database management
Next
Managing a custom geobase