Describe the bug
The default user doesn't have enough grants to create another user \ role \ row policy in 20.4 and 20.5
How to reproduce
I use the following docker-compose.yaml:
version: '3'
services:
  clickhouse:
    image: docker.io/yandex/clickhouse-server:latest
    ports:
      - 8123:8123
      - 8443:8443
      - 9000:9000
      - 9009:9009
docker-compose up -d clickhouse
docker-compose exec clickhouse clickhouse-client
SHOW GRANTS;
┌─GRANTS─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ GRANT SHOW, SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, KILL QUERY, SYSTEM, dictGet, INTROSPECTION, SOURCES ON *.* TO default │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
According to the documentation https://clickhouse.tech/docs/en/sql-reference/statements/grant/#grant-privileges
it looks like the default user lost the "ACCESS MANAGEMENT" grant group in versions 20.4 and 20.5,
because
CREATE USER OR REPLACE monitoring IDENTIFIED WITH NO_PASSWORD HOST ANY SETTINGS PROFILE 'default';
returns
Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: default: Not enough privileges. To execute this query it's necessary to have the grant CREATE USER ON *.*.
For 20.3, everything works fine:
SHOW GRANTS;
returns
┌─GRANTS────────────────────────────────────────┐
│ GRANT ALL ON *.* TO default WITH GRANT OPTION │
└───────────────────────────────────────────────┘
and
CREATE USER OR REPLACE monitoring PROFILE 'default';
returns
Ok.
0 rows in set. Elapsed: 0.002 sec.
Do you have access_management enabled?
https://clickhouse.tech/docs/en/operations/access-rights/#enabling-access-control
It is done by setting access_management to 1 in users.xml
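A check for the setting mentioned above, as an added example that is not part of the original thread or of ClickHouse itself: it reads a users.xml and reports, per user, whether access_management is enabled and whether any password is configured. The sample file, the `readonly_app` user, the placeholder hash and the function name are constructed for illustration; treating only the value `1` as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed users.xml for illustration (not taken from the issue).
# <yandex> is the root element used by the 20.x server configs.
SAMPLE_USERS_XML = """
<yandex>
  <users>
    <default>
      <password></password>
      <profile>default</profile>
      <!-- absent or 0: CREATE USER / ROLE / ROW POLICY fail with code 497 -->
      <access_management>1</access_management>
    </default>
    <readonly_app>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <profile>default</profile>
    </readonly_app>
  </users>
</yandex>
"""

PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit_access_management(users_xml: str) -> dict:
    """Map each user to its access_management flag and whether a password is set."""
    root = ET.fromstring(users_xml)
    users = root.find("users")
    report = {}
    if users is None:
        return report
    for user in users:
        # Assumption: only the literal value "1" counts as enabled.
        flag = (user.findtext("access_management") or "0").strip()
        has_password = any(
            (user.findtext(tag) or "").strip() for tag in PASSWORD_TAGS
        )
        report[user.tag] = {
            "access_management": flag == "1",
            "has_password": has_password,
            # An account that can manage users but needs no password deserves review.
            "review": flag == "1" and not has_password,
        }
    return report


if __name__ == "__main__":
    for name, row in audit_access_management(SAMPLE_USERS_XML).items():
        print(name, row)
```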
I think the bug is 'misleading exception'
Hmm, OK, I understand.
I think an exception with a clarified message about enabling access control, raised when we try to CREATE USER \ ROLE etc., would be a good solution.
@vitlibar @abyss7 @filimonov
Also, I get misleading error messages for the default user when I run the following SQL queries:
SHOW USERS;
SHOW ROLES;
SELECT * FROM system.quota_usage;
Exception message is correct but it can be more detailed.
I think if we can't create a user because access_management is disabled, we should say something like "Can't create user because access_management is disabled"; the message "Not enough privileges" is very misleading.
@vitlibar This is a small tech debt, need to fix.