Users and roles settings
The users section of the users.xml configuration file contains user settings.
ClickHouse also supports SQL-driven workflow for managing users. We recommend using it.
Structure of the users section:
user_name/password
Password can be specified in plaintext or in SHA256 (hex format).
-
To assign a password in plaintext (not recommended), place it in a
passwordelement.For example,
<password>qwerty</password>. The password can be left blank.
-
To assign a password using its SHA256 hash, place it in a
password_sha256_hexelement.For example,
<password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>.Example of how to generate a password from shell:
The first line of the result is the password. The second line is the corresponding SHA256 hash.
-
For compatibility with MySQL clients, password can be specified in double SHA1 hash. Place it in
password_double_sha1_hexelement.For example,
<password_double_sha1_hex>08b4a0f1de6ad37da17359e592c8d74788a83eb0</password_double_sha1_hex>.Example of how to generate a password from shell:
The first line of the result is the password. The second line is the corresponding double SHA1 hash.
TOTP Authentication Configuration
Time-Based One-Time Password (TOTP) can be used to authenticate ClickHouse users by generating temporary access codes that are valid for a limited time.
This TOTP authentication method aligns with RFC 6238 standards, making it compatible with popular TOTP applications like Google Authenticator, 1Password and similar tools.
It can be set up trough the users.xml configuration file in addition to password-based authentication.
It's not yet supported in SQL-driven Access Control.
To authenticate using TOTP, users must provide a primary password along with a one-time password generated by their TOTP application via the --one-time-password command line option or concatenated to main password together with a '+' character.
For example if the primary password is some_password and the generated TOTP code is 345123, user may specify --password some_password+345123 or --password some_password --one-time-password 345123 when connecting to ClickHouse. If no password specified clickhouse-client will prompt for it interactively.
To enable TOTP authentication for a user, configure the time_based_one_time_password section in users.xml. This section defines the TOTP settings, such as secret, validity period, number of digits, and hash algorithm.
Example
This command will produce a base32-encoded secret that can be added to the secret field in users.xml.
To enable TOTP for a specific user, add to any existing password-based field (like password or password_sha256_hex) another time_based_one_time_password section.
The qrencode tool can be used to generate a QR code for the TOTP secret.
After configuring TOTP for a user, one-time password can be used as a part of the authentication process as described above.
username/ssh-key
This setting allows authenticating with SSH keys.
Given a SSH key (as generated by ssh-keygen) like
The ssh_key element is expected to be
Substitute ssh-ed25519 with ssh-rsa or ecdsa-sha2-nistp256 for the other supported algorithms.
Multiple Authentication Methods
A single user can be configured with multiple authentication methods using the <auth_methods> element. This allows a user to authenticate with any one of the listed methods — for example, a user could have both a password and an LDAP credential, and logging in with either one would succeed.
Each child element of <auth_methods> is an arbitrarily-named wrapper that contains exactly one authentication type. The wrapper name (e.g. <method1>, <primary>, <a1>) does not matter; only the inner authentication element is used.
Example: multiple passwords
Example: mixed authentication types
The following authentication types are supported inside <auth_methods>:
password— plaintext passwordpassword_sha256_hex— SHA256 password hashpassword_scram_sha256_hex— SCRAM-SHA-256 password hashpassword_double_sha1_hex— double SHA1 password hashldap— LDAP server authenticationkerberos— Kerberos authenticationssl_certificates— SSL certificate authenticationssh_keys— SSH key authenticationhttp_authentication— HTTP authentication
Rules and restrictions:
<auth_methods>cannot be used together with authentication methods specified at the user level. Use one style or the other, not both.<auth_methods>must contain at least one authentication method.- Each wrapper element inside
<auth_methods>must contain exactly one authentication type (with the exception of<ssh_keys>, which can contain multiple, for backwards compatibility). - TOTP (
<time_based_one_time_password>) is specified at the user level (outside<auth_methods>) and applies to all password-based methods in the list. At least one password-based method is required when TOTP is enabled.
Example: auth_methods with TOTP
In this example, TOTP verification is applied to the password-based method (<password>), while the LDAP method authenticates against the external server independently.
access_management
This setting enables or disables using of SQL-driven access control and account management for the user.
Possible values:
- 0 — Disabled.
- 1 — Enabled.
Default value: 0.
grants
This setting allows to grant any rights to selected user.
Each element of the list should be GRANT query without any grantees specified.
Example:
This setting can't be specified at the same time with
dictionaries, access_management, named_collection_control, show_named_collections_secrets
and allow_databases settings.
user_name/networks
List of networks from which the user can connect to the ClickHouse server.
Each element of the list can have one of the following forms:
-
<ip>— IP address or network mask.Examples:
213.180.204.3,10.0.0.1/8,10.0.0.1/255.255.255.0,2a02:6b8::3,2a02:6b8::3/64,2a02:6b8::3/ffff:ffff:ffff:ffff::. -
<host>— Hostname.Example:
example01.host.ru.To check access, a DNS query is performed, and all returned IP addresses are compared to the peer address.
-
<host_regexp>— Regular expression for hostnames.Example,
^example\d\d-\d\d-\d\.host\.ru$To check access, a DNS PTR query is performed for the peer address and then the specified regexp is applied. Then, another DNS query is performed for the results of the PTR query and all the received addresses are compared to the peer address. We strongly recommend that regexp ends with $.
All results of DNS requests are cached until the server restarts.
Examples
To open access for user from any network, specify:
It's insecure to open access from any network unless you have a firewall properly configured or the server is not directly connected to Internet.
To open access only from localhost, specify:
user_name/profile
You can assign a settings profile for the user. Settings profiles are configured in a separate section of the users.xml file. For more information, see Profiles of Settings.
user_name/quota
Quotas allow you to track or limit resource usage over a period of time. Quotas are configured in the quotas
section of the users.xml configuration file.
You can assign a quotas set for the user. For a detailed description of quotas configuration, see Quotas.
user_name/databases
In this section, you can limit rows that are returned by ClickHouse for SELECT queries made by the current user, thus implementing basic row-level security.
Example
The following configuration forces that user user1 can only see the rows of table1 as the result of SELECT queries, where the value of the id field is 1000.
The filter can be any expression resulting in a UInt8-type value. It usually contains comparisons and logical operators. Rows from database_name.table1 where filter results to 0 are not returned for this user. The filtering is incompatible with PREWHERE operations and disables WHERE→PREWHERE optimization.
Roles
You can create any predefined roles using the roles section of the user.xml configuration file.
Structure of the roles section:
These roles can also be granted to users from the users section:
