2020-04-03 13:23:32 +00:00
---
2022-08-28 14:53:34 +00:00
slug: /en/operations/settings/settings-users
2022-04-09 13:29:05 +00:00
sidebar_position: 63
sidebar_label: User Settings
2020-04-03 13:23:32 +00:00
---
2022-06-02 10:55:18 +00:00
# User Settings
2019-06-05 23:43:12 +00:00
2019-07-04 22:03:28 +00:00
The `users` section of the `user.xml` configuration file contains user settings.
2019-06-05 23:43:12 +00:00
2022-04-09 13:29:05 +00:00
:::note
2023-03-18 02:45:43 +00:00
ClickHouse also supports [SQL-driven workflow ](../../guides/sre/user-management/index.md#access-control ) for managing users. We recommend using it.
2022-04-09 13:29:05 +00:00
:::
2020-05-01 14:48:16 +00:00
2019-06-05 23:43:12 +00:00
Structure of the `users` section:
2020-03-20 10:10:48 +00:00
``` xml
2019-06-05 23:43:12 +00:00
< users >
<!-- If user name was not specified, 'default' user is used. -->
< user_name >
< password > < / password >
<!-- Or -->
< password_sha256_hex > < / password_sha256_hex >
2020-05-01 14:48:16 +00:00
< access_management > 0|1< / access_management >
2019-06-05 23:43:12 +00:00
< networks incl = "networks" replace = "replace" >
< / networks >
< profile > profile_name< / profile >
< quota > default< / quota >
2022-07-20 11:21:06 +00:00
< default_database > default< / default_database >
2019-06-05 23:43:12 +00:00
< databases >
< database_name >
< table_name >
< filter > expression< / filter >
2022-10-05 07:55:28 +00:00
< / table_name >
2019-06-05 23:43:12 +00:00
< / database_name >
< / databases >
2023-05-06 02:57:48 +00:00
< grants >
< query > GRANT SELECT ON system.*< / query >
< / grants >
2019-06-05 23:43:12 +00:00
< / user_name >
<!-- Other users settings -->
< / users >
```
2020-10-13 17:23:29 +00:00
### user_name/password {#user-namepassword}
2019-06-05 23:43:12 +00:00
2020-01-19 05:57:21 +00:00
Password can be specified in plaintext or in SHA256 (hex format).
2019-06-05 23:43:12 +00:00
2023-04-19 15:55:29 +00:00
- To assign a password in plaintext (**not recommended**), place it in a `password` element.
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
For example, `<password>qwerty</password>` . The password can be left blank.
2019-06-05 23:43:12 +00:00
2020-01-19 05:57:21 +00:00
< a id = "password_sha256_hex" > < / a >
2023-04-19 15:55:29 +00:00
- To assign a password using its SHA256 hash, place it in a `password_sha256_hex` element.
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
For example, `<password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>` .
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
Example of how to generate a password from shell:
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
The first line of the result is the password. The second line is the corresponding SHA256 hash.
2019-06-05 23:43:12 +00:00
2020-01-19 05:57:21 +00:00
< a id = "password_double_sha1_hex" > < / a >
2023-04-19 15:55:29 +00:00
- For compatibility with MySQL clients, password can be specified in double SHA1 hash. Place it in `password_double_sha1_hex` element.
2020-01-19 05:57:21 +00:00
2020-03-21 04:11:51 +00:00
For example, `<password_double_sha1_hex>08b4a0f1de6ad37da17359e592c8d74788a83eb0</password_double_sha1_hex>` .
2020-01-19 05:57:21 +00:00
2020-03-21 04:11:51 +00:00
Example of how to generate a password from shell:
2020-01-19 05:57:21 +00:00
2020-03-21 04:11:51 +00:00
PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
2020-01-19 05:57:21 +00:00
2020-03-21 04:11:51 +00:00
The first line of the result is the password. The second line is the corresponding double SHA1 hash.
2019-06-05 23:43:12 +00:00
2020-10-13 17:23:29 +00:00
### access_management {#access_management-user-setting}
2020-05-01 14:48:16 +00:00
2023-03-18 02:45:43 +00:00
This setting enables or disables using of SQL-driven [access control and account management ](../../guides/sre/user-management/index.md#access-control ) for the user.
2020-05-01 14:48:16 +00:00
Possible values:
2023-04-19 15:55:29 +00:00
- 0 — Disabled.
- 1 — Enabled.
2020-05-01 14:48:16 +00:00
Default value: 0.
2023-05-06 02:57:48 +00:00
### grants {#grants-user-setting}
This setting allows to grant any rights to selected user.
Each element of the list should be `GRANT` query without any grantees specified.
Example:
```xml
< user1 >
< grants >
< query > GRANT SHOW ON *.* </ query >
< query > GRANT CREATE ON *.* WITH GRANT OPTION</ query >
< query > GRANT SELECT ON system.*< / query >
< / grants >
< / user1 >
```
This setting can't be specified at the same time with
`dictionaries` , `access_management` , `named_collection_control` , `show_named_collections_secrets`
and `allow_databases` settings.
2020-10-13 17:23:29 +00:00
### user_name/networks {#user-namenetworks}
2019-06-05 23:43:12 +00:00
2019-07-04 22:03:28 +00:00
List of networks from which the user can connect to the ClickHouse server.
2019-06-05 23:43:12 +00:00
2019-07-04 22:03:28 +00:00
Each element of the list can have one of the following forms:
2019-06-05 23:43:12 +00:00
2023-04-19 15:55:29 +00:00
- `<ip>` — IP address or network mask.
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
Examples: `213.180.204.3` , `10.0.0.1/8` , `10.0.0.1/255.255.255.0` , `2a02:6b8::3` , `2a02:6b8::3/64` , `2a02:6b8::3/ffff:ffff:ffff:ffff::` .
2019-06-05 23:43:12 +00:00
2023-04-19 15:55:29 +00:00
- `<host>` — Hostname.
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
Example: `example01.host.ru` .
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
To check access, a DNS query is performed, and all returned IP addresses are compared to the peer address.
2019-06-05 23:43:12 +00:00
2023-04-19 15:55:29 +00:00
- `<host_regexp>` — Regular expression for hostnames.
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
Example, `^example\d\d-\d\d-\d\.host\.ru$`
2019-06-05 23:43:12 +00:00
2020-03-21 04:11:51 +00:00
To check access, a [DNS PTR query ](https://en.wikipedia.org/wiki/Reverse_DNS_lookup ) is performed for the peer address and then the specified regexp is applied. Then, another DNS query is performed for the results of the PTR query and all the received addresses are compared to the peer address. We strongly recommend that regexp ends with $.
2019-06-05 23:43:12 +00:00
2019-07-04 22:03:28 +00:00
All results of DNS requests are cached until the server restarts.
2019-06-05 23:43:12 +00:00
**Examples**
To open access for user from any network, specify:
2020-03-20 10:10:48 +00:00
``` xml
2019-06-05 23:43:12 +00:00
< ip > ::/0< / ip >
```
2023-03-27 18:54:05 +00:00
:::note
2022-04-09 13:29:05 +00:00
It’ s insecure to open access from any network unless you have a firewall properly configured or the server is not directly connected to Internet.
:::
2019-06-05 23:43:12 +00:00
To open access only from localhost, specify:
2020-03-20 10:10:48 +00:00
``` xml
2019-06-05 23:43:12 +00:00
< ip > ::1< / ip >
< ip > 127.0.0.1< / ip >
```
2020-10-13 17:23:29 +00:00
### user_name/profile {#user-nameprofile}
2019-06-05 23:43:12 +00:00
2020-06-18 08:24:31 +00:00
You can assign a settings profile for the user. Settings profiles are configured in a separate section of the `users.xml` file. For more information, see [Profiles of Settings ](../../operations/settings/settings-profiles.md ).
2019-06-05 23:43:12 +00:00
2020-10-13 17:23:29 +00:00
### user_name/quota {#user-namequota}
2019-06-05 23:43:12 +00:00
2019-07-04 22:03:28 +00:00
Quotas allow you to track or limit resource usage over a period of time. Quotas are configured in the `quotas`
2019-06-05 23:43:12 +00:00
section of the `users.xml` configuration file.
2020-06-18 08:24:31 +00:00
You can assign a quotas set for the user. For a detailed description of quotas configuration, see [Quotas ](../../operations/quotas.md#quotas ).
2019-06-05 23:43:12 +00:00
2020-10-13 17:23:29 +00:00
### user_name/databases {#user-namedatabases}
2019-06-05 23:43:12 +00:00
2021-02-22 03:17:05 +00:00
In this section, you can limit rows that are returned by ClickHouse for `SELECT` queries made by the current user, thus implementing basic row-level security.
2019-06-05 23:43:12 +00:00
**Example**
2019-07-04 22:03:28 +00:00
The following configuration forces that user `user1` can only see the rows of `table1` as the result of `SELECT` queries, where the value of the `id` field is 1000.
2019-06-05 23:43:12 +00:00
2020-03-20 10:10:48 +00:00
``` xml
2019-06-05 23:43:12 +00:00
< user1 >
< databases >
< database_name >
< table1 >
< filter > id = 1000< / filter >
< / table1 >
< / database_name >
< / databases >
< / user1 >
```
2020-04-30 18:19:18 +00:00
The `filter` can be any expression resulting in a [UInt8 ](../../sql-reference/data-types/int-uint.md )-type value. It usually contains comparisons and logical operators. Rows from `database_name.table1` where filter results to 0 are not returned for this user. The filtering is incompatible with `PREWHERE` operations and disables `WHERE→PREWHERE` optimization.