Skip to content

ClickhouseGrant

Usage examples

Prerequisites

  • A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
  • A Kubernetes Secret with an Aiven authentication token.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
apiVersion: aiven.io/v1alpha1
kind: ClickhouseGrant
metadata:
  name: demo-ch-grant
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: my-aiven-project
  serviceName: my-clickhouse

  privilegeGrants:
    - grantees:
        - user: user1
        - user: my-clickhouse-user-🦄
      privileges:
        - SELECT
        - INSERT
      database: my-db
      # If table is omitted, the privileges are granted on all tables in the database
      # If columns is omitted, the privileges are granted on all columns in the table
    - grantees:
        - role: my-role
      privileges:
        - SELECT
      database: my-db
      table: my-table
      columns:
        - col1
        - col2

  roleGrants:
    - roles:
        - other-role
      grantees:
        - user: my-user
        - role: my-role

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
apiVersion: aiven.io/v1alpha1
kind: ClickhouseGrant
metadata:
  name: my-clickhouse-grant
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  serviceName: my-clickhouse-service

  privilegeGrants:
    - grantees:
        - role: my-clickhouse-role
      privileges:
        - INSERT
        - SELECT
        - CREATE TABLE
        - CREATE VIEW
      database: my-clickhouse-db
  roleGrants:
    - grantees:
        - user: my-clickhouse-user
      roles:
        - my-clickhouse-role

---

apiVersion: aiven.io/v1alpha1
kind: Clickhouse
metadata:
  name: my-clickhouse-service
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  cloudName: google-europe-west1
  plan: startup-16

---

apiVersion: aiven.io/v1alpha1
kind: ClickhouseDatabase
metadata:
  name: my-clickhouse-db
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  serviceName: my-clickhouse-service

---

apiVersion: aiven.io/v1alpha1
kind: ClickhouseUser
metadata:
  name: my-clickhouse-user
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  serviceName: my-clickhouse-service

---

apiVersion: aiven.io/v1alpha1
kind: ClickhouseRole
metadata:
  name: my-clickhouse-role
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: aiven-project-name
  serviceName: my-clickhouse-service
  role: my-clickhouse-role

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created ClickhouseGrant:

kubectl get clickhousegrants demo-ch-grant

The output is similar to the following: 

Name             Project             Service Name     
demo-ch-grant    my-aiven-project    my-clickhouse

ClickhouseGrant

ClickhouseGrant is the Schema for the ClickhouseGrants API

Warning

Due to the way ClickHouse operates, updating this resource first revokes the existing privileges.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value ClickhouseGrant.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object). ClickhouseGrantSpec defines the desired state of ClickhouseGrant. See below for nested schema.

spec

Appears on ClickhouseGrant.

ClickhouseGrantSpec defines the desired state of ClickhouseGrant.

Required

  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
  • serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • privilegeGrants (array of objects). Configuration to grant a privilege. Privileges not in the manifest are revoked. Existing privileges are retained; new ones are granted. See below for nested schema.
  • roleGrants (array of objects). Configuration to grant a role. Role grants not in the manifest are revoked. Existing role grants are retained; new ones are granted. See below for nested schema.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).

privilegeGrants

Appears on spec.

PrivilegeGrant represents the privileges to be granted to users or roles. See.

Required

  • database (string). The database that the grant refers to.
  • grantees (array of objects, MinItems: 1). List of grantees (users or roles) to grant the privilege to. See below for nested schema.
  • privileges (array of strings). The privileges to grant, i.e. INSERT, SELECT. See.

Optional

  • columns (array of strings). The column that the grant refers to.
  • table (string). The tables that the grant refers to. To grant a privilege on all tables in a database, omit this field instead of writing table: "*".
  • withGrantOption (boolean). If true, then the grantee (user or role) get the permission to execute the GRANT query. Users can grant privileges of the same scope they have and less. See.

grantees

Appears on spec.privilegeGrants.

Grantee represents a user or a role to which privileges or roles are granted.

Ambiguity in the GRANT syntax

Due to an ambiguity in the GRANT syntax in ClickHouse, users and roles should not share the same name. It is unclear whether a grant applies to the user or the role.

Optional

roleGrants

Appears on spec.

RoleGrant represents the roles to be assigned to users or roles. See.

Required

  • grantees (array of objects, MinItems: 1). List of grantees (users or roles) to grant the privilege to. See below for nested schema.
  • roles (array of strings, MinItems: 1). List of roles to grant to the grantees.

Optional

  • withAdminOption (boolean). If true, the grant is executed with ADMIN OPTION privilege. See.

grantees

Appears on spec.roleGrants.

Grantee represents a user or a role to which privileges or roles are granted.

Ambiguity in the GRANT syntax

Due to an ambiguity in the GRANT syntax in ClickHouse, users and roles should not share the same name. It is unclear whether a grant applies to the user or the role.

Optional