如何为db用户撤消对system.*表的访问?
如何为db用户撤消对system.*表的访问?
提问于 2022-02-18 09:42:31
我正在创建一个具有以下权限的用户:
CREATE USER IF NOT EXISTS U371bqJkJ6sGJ IDENTIFIED WITH sha256_password BY '...O4CqSR1' SETTINGS PROFILE 'default' DEFAULT ROLE user GRANTEES NONE
REVOKE ALL ON *.* FROM U371bqJkJ6sGJ
GRANT SHOW DATABASES ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ
GRANT SELECT ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ但出于某种原因,他能读懂系统。
SELECT * FROM system.errors如何撤消对系统表的访问?谢谢!
回答 1
Stack Overflow用户
发布于 2022-02-18 13:14:36
这里是https://github.com/ClickHouse/ClickHouse/issues/24887的唯一方法
create user foo identified by '123';
revoke all on *.* from foo;
create role RO;
CREATE ROW POLICY ro_query_log_filter ON system.query_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_part_log_filter ON system.part_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_trace_log_filter ON system.trace_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_processes_filter ON system.processes USING 1 AS RESTRICTIVE TO RO;
grant RO to foo;
ALTER USER foo DEFAULT ROLE RO SETTINGS NONE;
clickhouse-client -u foo --password=123
select count() from system.trace_log;
0 rows in set.
select count() from system.query_log;
0 rows in set.
select count() from system.tables;
0 rows in set.
select query from system.processes;
0 rows in set页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/71171288
复制相关文章
相似问题
腾讯云开发者
