ClickhouseGrant
Usage examples
example_2
apiVersion: aiven.io/v1alpha1
kind: ClickhouseGrant
metadata:
  name: demo-ch-grant
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: my-aiven-project
  serviceName: my-clickhouse
  privilegeGrants:
    - grantees:
        - user: user1
        - user: my-clickhouse-user-🦄
      privileges:
        - SELECT
        - INSERT
      database: my-db
      # If table is omitted, the privileges are granted on all tables in the database
      # If columns is omitted, the privileges are granted on all columns in the table
    - grantees:
        - role: my-role
      privileges:
        - SELECT
      database: my-db
      table: my-table
      columns:
        - col1
        - col2
  roleGrants:
    - roles:
        - other-role
      grantees:
        - user: my-user
        - role: my-role
Example
apiVersion: aiven.io/v1alpha1
kind: ClickhouseGrant
metadata:
  name: my-clickhouse-grant
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: aiven-project-name
  serviceName: my-clickhouse-service
  privilegeGrants:
    - grantees:
        - role: my-clickhouse-role
      privileges:
        - INSERT
        - SELECT
        - CREATE TABLE
        - CREATE VIEW
      database: my-clickhouse-db
  roleGrants:
    - grantees:
        - user: my-clickhouse-user
      roles:
        - my-clickhouse-role
---
apiVersion: aiven.io/v1alpha1
kind: Clickhouse
metadata:
  name: my-clickhouse-service
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: aiven-project-name
  cloudName: google-europe-west1
  plan: startup-16
---
apiVersion: aiven.io/v1alpha1
kind: ClickhouseDatabase
metadata:
  name: my-clickhouse-db
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: aiven-project-name
  serviceName: my-clickhouse-service
---
apiVersion: aiven.io/v1alpha1
kind: ClickhouseUser
metadata:
  name: my-clickhouse-user
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: aiven-project-name
  serviceName: my-clickhouse-service
---
apiVersion: aiven.io/v1alpha1
kind: ClickhouseRole
metadata:
  name: my-clickhouse-role
spec:
  authSecretRef:
    name: aiven-token
    key: token
  project: aiven-project-name
  serviceName: my-clickhouse-service
  role: my-clickhouse-role
Info
To create this resource, a Secret containing an Aiven token must be created first.
Apply the resource with:
Verify the newly created ClickhouseGrant:
The output is similar to the following:
ClickhouseGrant
ClickhouseGrant is the Schema for the ClickhouseGrants API
Warning
Due to the way ClickHouse operates, updating this resource first revokes the existing privileges.
Required
apiVersion (string). Value aiven.io/v1alpha1.
kind (string). Value ClickhouseGrant.
metadata (object). Data that identifies the object, including a name string and optional namespace.
spec (object). ClickhouseGrantSpec defines the desired state of ClickhouseGrant. See below for nested schema.
spec
Appears on ClickhouseGrant.
ClickhouseGrantSpec defines the desired state of ClickhouseGrant.
Required
project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.
Optional
authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
privilegeGrants (array of objects). Configuration to grant a privilege. Privileges not in the manifest are revoked. Existing privileges are retained; new ones are granted. See below for nested schema.
roleGrants (array of objects). Configuration to grant a role. Role grants not in the manifest are revoked. Existing role grants are retained; new ones are granted. See below for nested schema.
authSecretRef
Appears on spec.
Authentication reference to Aiven token in a secret.
Required
privilegeGrants
Appears on spec.
PrivilegeGrant represents the privileges to be granted to users or roles. See.
Required
database (string). The database that the grant refers to.
grantees (array of objects, MinItems: 1). List of grantees (users or roles) to grant the privilege to. See below for nested schema.
privileges (array of strings). The privileges to grant, i.e. INSERT, SELECT. See.
Optional
columns (array of strings). The column that the grant refers to.
table (string). The tables that the grant refers to. To grant a privilege on all tables in a database, omit this field instead of writing table: "*".
withGrantOption (boolean). If true, then the grantee (user or role) gets the permission to execute the GRANT query. Users can grant privileges of the same scope they have and less. See.
grantees
Appears on spec.privilegeGrants.
Grantee represents a user or a role to which privileges or roles are granted.
Ambiguity in the GRANT syntax
Due to an ambiguity in the GRANT syntax in ClickHouse, users and roles should not share the same name. It is unclear whether a grant applies to the user or the role.
Optional
roleGrants
Appears on spec.
RoleGrant represents the roles to be assigned to users or roles. See.
Required
grantees (array of objects, MinItems: 1). List of grantees (users or roles) to grant the privilege to. See below for nested schema.
roles (array of strings, MinItems: 1). List of roles to grant to the grantees.
Optional
withAdminOption (boolean). If true, the grant is executed with ADMIN OPTION privilege. See.
grantees
Appears on spec.roleGrants.
Grantee represents a user or a role to which privileges or roles are granted.
Ambiguity in the GRANT syntax
Due to an ambiguity in the GRANT syntax in ClickHouse, users and roles should not share the same name. It is unclear whether a grant applies to the user or the role.
Optional
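The field constraints and the user/role naming caveat documented above can be checked before a manifest is applied. The following is an added example, not part of the Aiven operator: lint_grant and the sample spec are hypothetical, the spec is passed as an already-parsed dict, and name collisions are detected only among names that appear in the manifest itself.

```python
import re

# Patterns copied from the spec schema on this page.
PROJECT_RE = re.compile(r"^[a-zA-Z0-9_-]+$")
SERVICE_RE = re.compile(r"^[a-z][-a-z0-9]+$")

def lint_grant(spec):
    """Return a list of findings for a ClickhouseGrant spec given as a dict."""
    out = []
    for field, rx in (("project", PROJECT_RE), ("serviceName", SERVICE_RE)):
        val = spec.get(field, "")
        if not rx.fullmatch(val) or len(val) > 63:
            out.append(f"{field}: violates pattern or MaxLength 63")
    users, roles = set(), set()
    grants = [("privilegeGrants", g) for g in spec.get("privilegeGrants", [])]
    grants += [("roleGrants", g) for g in spec.get("roleGrants", [])]
    for kind, g in grants:
        grantees = g.get("grantees", [])
        if not grantees:
            out.append(f"{kind}: grantees needs at least one item")
        users.update(e["user"] for e in grantees if "user" in e)
        roles.update(e["role"] for e in grantees if "role" in e)
        if kind == "roleGrants":
            if not g.get("roles"):
                out.append("roleGrants: roles needs at least one item")
            roles.update(g.get("roles", []))
            if g.get("withAdminOption"):
                out.append("roleGrants: withAdminOption set, review")
        else:
            if g.get("table") == "*":
                out.append('privilegeGrants: omit table instead of table: "*"')
            if g.get("withGrantOption"):
                out.append("privilegeGrants: withGrantOption set, review")
    for name in sorted(users & roles):
        out.append(f"name '{name}' is used as both user and role")
    return out

# Constructed sample spec (not from the page) with deliberate problems.
SAMPLE = {
    "project": "my-aiven-project",
    "serviceName": "My_ClickHouse",
    "privilegeGrants": [
        {"grantees": [{"user": "analyst"}], "privileges": ["SELECT"],
         "database": "my-db", "table": "*", "withGrantOption": True}],
    "roleGrants": [{"roles": ["analyst"], "grantees": [{"user": "my-user"}]}],
}

if __name__ == "__main__":
    print("\n".join(lint_grant(SAMPLE)))
```

Because updating the resource first revokes existing privileges, a check like this is most useful in CI, before the manifest reaches the cluster.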