Manage database users
This guide demonstrates two ways to manage database users, within SQL console and directly within the database.
SQL console passwordless authentication
SQL console users are created for each session and authenticated using X.509 certificates that are automatically rotated. The user is removed when the session is terminated. When generating access lists for audits, please navigate to the Settings tab for the service in the console and note the SQL console access in addition to the database users that exist in the database. If custom roles are configured, the user's access is listed in the role ending with the user's username.
SQL console users and roles
Basic SQL console roles can be assigned to users with Service Read Only and Service Admin permissions. For more information, refer to Manage SQL Console Role Assignments. This guide demonstrates how to create a custom role for a SQL console user.
To create a custom role for a SQL console user and grant it a general role, run the following commands. The email address must match the user's email address in the console.
Create database_developer and grant permissions
Create the database_developer role and grant SHOW, CREATE, ALTER, and DELETE permissions.
Create SQL console user role
Create a role for the SQL console user my.user@domain.com and assign it the database_developer role.
The user is assigned the new role when they use SQL console
The user will be assigned the role associated with their email address whenever they use SQL console.
Database authentication
Database user ID and password
Use the SHA256_hash method when creating user accounts to secure passwords. ClickHouse database passwords must contain a minimum of 12 characters and meet complexity requirements: upper case characters, lower case characters, numbers and/or special characters.
Since users with less than administrative privileges cannot set their own password, ask the user to hash their password using a generator such as this one before providing it to the admin to setup the account.
Database user with secure shell (SSH) authentication
To set up SSH authentication for a ClickHouse Cloud database user.
- Use ssh-keygen to create a keypair.
- Use the public key to create the user.
- Assign roles and/or permissions to the user.
- Use the private key to authenticate against the service.
For a detailed walkthrough with examples, check out How to connect to ClickHouse Cloud using SSH keys in our Knowledgebase.
Database permissions
Configure the following within the services and databases using the SQL GRANT statement.
| Role | Description |
|---|---|
| Default | Full administrative access to services |
| Custom | Configure using the SQL GRANT statement |
- Database roles are additive. This means if a user is a member of two roles, the user has the most access granted to the two roles. They do not lose access by adding roles.
- Database roles can be granted to other roles, resulting in a hierarchical structure. Roles inherit all permissions of the roles for which it is a member.
- Database roles are unique per service and may be applied across multiple databases within the same service.
The illustration below shows the different ways a user could be granted permissions.
Initial settings
Databases have an account named default that is added automatically and granted the default_role upon service creation. The user that creates the service is presented with the automatically generated, random password that is assigned to the default account when the service is created. The password is not shown after initial setup, but may be changed by any user with Service Admin permissions in the console at a later time. This account or an account with Service Admin privileges within the console may set up additional database users and roles at any time.
To change the password assigned to the default account in the console, go to the Services menu on the left, access the service, go to the Settings tab and click the Reset password button.
We recommend creating a new user account associated with a person and granting the user the default_role. This is so activities performed by users are identified to their user IDs and the default account is reserved for break-glass type activities.
Users can use a SHA256 hash generator or code function such as hashlib in Python to convert a 12+ character password with appropriate complexity to a SHA256 string to provide to the system administrator as the password. This ensures the administrator does not see or handle clear text passwords.
Database access listings with SQL console users
The following process can be used to generate a complete access listing across the SQL console and databases in your organization.
Get a list of all database grants
Run the following queries to get a list of all grants in the database.
Associate grant list to Console users with access to SQL console
Associate this list with Console users that have access to SQL console.
a. Go to the Console.
b. Select the relevant service.
c. Select Settings on the left.
d. Scroll to the SQL console access section.
e. Click the link for the number of users with access to the database There are # users with access to this service. to see the user listing.
Warehouse users
Warehouse users are shared across services within the same warehouse. For more information, review warehouse access controls.
