thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-08 08:35:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
637e3dc2c2
ClickHouse/docs/en/sql-reference/statements/create/row-policy.md
Roman Bug 9ec78855cd
DOCSUP-2806: Add meta header in RU (#15801) 
* DOCSUP-2806: Add meta intro.

* DOCSUP-2806: Update meta intro.

* DOCSUP-2806: Fix meta.

* DOCSUP-2806: Add quotes for meta headers.

* DOCSUP-2806: Remove quotes from meta headers.

* DOCSUP-2806: Add meta headers.

* DOCSUP-2806: Fix quotes in meta headers.

* DOCSUP-2806: Update meta headers.

* DOCSUP-2806: Fix link to nowhere in EN.

* DOCSUP-2806: Fix link (settings to tune)

* DOCSUP-2806: Fix links.

* DOCSUP-2806:Fix links EN

* DOCSUP-2806: Fix build errors.

* DOCSUP-2806: Fix meta intro.

* DOCSUP-2806: Fix toc_priority in examples datasets TOC.

* DOCSUP-2806: Fix items order in toc.

* DOCSUP-2806: Fix order in toc.

* DOCSUP-2806: Fix toc order.

* DOCSUP-2806: Fix order in toc.

* DOCSUP-2806: Fix toc index in create

* DOCSUP-2806: Fix toc order in create.

Co-authored-by: romanzhukov <romanzhukov@yandex-team.ru>
Co-authored-by: alexey-milovidov <milovidov@yandex-team.ru>
2020-10-26 13:29:30 +03:00

1.8 KiB
Raw Blame History

toc_priority toc_title
41 ROW POLICY

CREATE ROW POLICY

Creates a filter for rows, which a user can read from a table.

Syntax:

CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name [ON CLUSTER cluster_name] ON [db.]table
    [AS {PERMISSIVE | RESTRICTIVE}]
    [FOR SELECT]
    [USING condition]
    [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]

ON CLUSTER clause allows creating row policies on a cluster, see Distributed DDL.

AS Clause

Using this section you can create permissive or restrictive policies.

Permissive policy grants access to rows. Permissive policies which apply to the same table are combined together using the boolean OR operator. Policies are permissive by default.

Restrictive policy restricts access to rows. Restrictive policies which apply to the same table are combined together using the boolean AND operator.

Restrictive policies apply to rows that passed the permissive filters. If you set restrictive policies but no permissive policies, the user cant get any row from the table.

TO Clause

In the section TO you can provide a mixed list of roles and users, for example, CREATE ROW POLICY ... TO accountant, john@localhost.

Keyword ALL means all the ClickHouse users including current user. Keywords ALL EXCEPT allow to exclude some users from the all users list, for example, CREATE ROW POLICY ... TO ALL EXCEPT accountant, john@localhost

Examples

CREATE ROW POLICY filter ON mydb.mytable FOR SELECT USING a<1000 TO accountant, john@localhost

CREATE ROW POLICY filter ON mydb.mytable FOR SELECT USING a<1000 TO ALL EXCEPT mira