ClickHouse/docs/en/operations/settings/permissions-for-queries.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

70 lines
2.2 KiB
Markdown
Raw Normal View History

2020-04-03 13:23:32 +00:00
---
2022-08-28 14:53:34 +00:00
slug: /en/operations/settings/permissions-for-queries
sidebar_position: 58
sidebar_label: Permissions for Queries
2020-04-03 13:23:32 +00:00
---
2022-06-02 10:55:18 +00:00
# Permissions for Queries
Queries in ClickHouse can be divided into several types:
2020-03-20 10:10:48 +00:00
1. Read data queries: `SELECT`, `SHOW`, `DESCRIBE`, `EXISTS`.
2. Write data queries: `INSERT`, `OPTIMIZE`.
3. Change settings query: `SET`, `USE`.
4. [DDL](https://en.wikipedia.org/wiki/Data_definition_language) queries: `CREATE`, `ALTER`, `RENAME`, `ATTACH`, `DETACH`, `DROP` `TRUNCATE`.
5. `KILL QUERY`.
The following settings regulate user permissions by the type of query:
2022-11-14 19:20:55 +00:00
## readonly
Restricts permissions for read data, write data, and change settings queries.
2022-11-14 19:20:55 +00:00
When set to 1, allows:
- All types of read queries (like SELECT and equivalent queries).
- Queries that modify only session context (like USE).
2022-11-14 19:20:55 +00:00
When set to 2, allows the above plus:
- SET and CREATE TEMPORARY TABLE
2022-11-14 19:20:55 +00:00
:::tip
Queries like EXISTS, DESCRIBE, EXPLAIN, SHOW PROCESSLIST, etc are equivalent to SELECT, because they just do select from system tables.
:::
Possible values:
- 0 — Read, Write, and Change settings queries are allowed.
- 1 — Only Read data queries are allowed.
- 2 — Read data and Change settings queries are allowed.
2022-11-14 19:20:55 +00:00
Default value: 0
:::note
2020-03-20 10:10:48 +00:00
After setting `readonly = 1`, the user cant change `readonly` and `allow_ddl` settings in the current session.
When using the `GET` method in the [HTTP interface](../../interfaces/http.md), `readonly = 1` is set automatically. To modify data, use the `POST` method.
Setting `readonly = 1` prohibits the user from changing settings. There is a way to prohibit the user from changing only specific settings. Also there is a way to allow changing only specific settings under `readonly = 1` restrictions. For details see [constraints on settings](../../operations/settings/constraints-on-settings.md).
2022-11-14 19:20:55 +00:00
:::
2023-09-18 18:39:21 +00:00
## allow_ddl {#allow_ddl}
Allows or denies [DDL](https://en.wikipedia.org/wiki/Data_definition_language) queries.
Possible values:
- 0 — DDL queries are not allowed.
- 1 — DDL queries are allowed.
Default value: 1
2022-11-14 19:20:55 +00:00
:::note
You cannot run `SET allow_ddl = 1` if `allow_ddl = 0` for the current session.
:::
:::note KILL QUERY
`KILL QUERY` can be performed with any combination of readonly and allow_ddl settings.
:::