In case you have different roles for the same user on multiple clusters,
an ON CLUSTER query can help to overcome some limitations.
Consider the following example:
- cluster_with_data, dev_user (readonly=2)
- stage_cluster, dev_user (readonly=0)
So when you execute the following query from stage_cluster, it will
be executed successfully, since ON CLUSTER queries have a different system
profile:
DROP DATABASE default ON CLUSTER cluster_with_data
This is not 100% safe, but at least something.
Note that right now only the ON CLUSTER query itself is supported, but
separate clusters are not (i.e. GRANT CLUSTER some_cluster_name TO
default), since right now grants stick to database+.
v2: on_cluster_queries_require_cluster_grant
v3: fix test and process flags as bit mask
Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
This is the system table that will contain Processors level profiling.
v2: one entry per Processor, not 3 (PortFull/NeedData/work())
v3: us over ms
v4: Enable processors_profile_log table by default
Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
Which logs all the info about LogIn, LogOut and LogIn Failure events.
Additional info that is logged:
- User name
- event type (LogIn, LogOut, LoginFailure)
- Event date\time\time with microseconds
- authentication type (same as for IDENTIFIED BY of CREATE USER statement)
- array of active settings profiles upon login
- array of active roles upon login
- array of changed settings with corresponding values
- client address and port
- interface (TCP\HTTP\MySQL\PostgreSQL, etc.)
- client info (name, version info)
- optional LoginFailure reason text message.
Added some tests to verify that events are properly saved with all necessary info via the following interfaces:
- TCP
- HTTP
- MySQL
Known limitations
- Not tested against named HTTP sessions, PostgreSQL and gRPC, hence those are not guaranteed to work 100% properly.
* Add a codec Encrypted() for encrypting columns on disk
While this is implemented as a compression codec, it does not actually compress data. It instead encrypts data on disk. The key is obtained by executing a user-specified command at server startup, or if it's not specified the codec refuses to process any data. For now the only supported cipher is 'AES-128-GCM-SIV'.
* master: (694 commits)
Fix integration test test_storage_kafka failed error
Fix test 00163_column_oriented_formats failed error
Read ORC file by stripe to reduce memory cost
Function toDateTime decimal overflow ubsan fix
Revert "[RFC] Fix memory tracking with min_bytes_to_use_mmap_io"
Zlib use attribute constructor for functable initialization
Translate to Russian (clickhouse-client documentation)
Simple key dictionary primary key wrong order fix
Disable hedged requests
Added integration test
Revert "Function `arrayFold` for folding over array with accumulator"
Fix documentation for the GRANT command.
Added system query reload model
Make function `unhex` case insensitive for compatibility
Improve documentation for CREATE ROW POLICY command #2.
Add exception message
Fix tidy
Fix waiting for all connections closed on shutdown.
Disable postgresql_port in perf tests
Mark 01605_adaptive_granularity_block_borders as long
...
* master: (860 commits)
Update version_date.tsv after release 21.2.8.31
Update version_date.tsv after release 21.3.5.42
Fixed typos
Add metric to track how much time is spend during waiting for Buffer layer lock
Safer SCOPE_EXIT
Add SCOPE_EXIT_SAFE/SCOPE_EXIT_MEMORY_SAFE helpers
Lock MEMORY_LIMIT_EXCEEDED in ThreadStatus::detachQuery()
Update CHANGELOG.md
Reset timeouts to default
Add Third party service info
Disable table function view in expression (#21465)
fix test 01702_system_query_log
Remove strange fsync on coordination logs rotation
add test
MemoryStorage sync comments and code
Fix typos
Support alter setting
Handle not plain where tree in StorageMerge modifySelect
Updated test
Change Aggregatingmergetree to AggregatingMergeTree in docs
...
Refactor some config parsing code
Rename some arguments to better reflect their meaning
Add documentation for user_dn_detection section and user_dn placeholder in config.xml and in docs