ClickHouse: user `default` doesn't have enough grants for creating another user \ role \ row policy for 20.4 and 20.5
Describe the bug
user default doesn’t have enough grants for creating another user \ role \ row policy for 20.4 and 20.5
How to reproduce
I use the following docker-compose.yaml
version: '3'
services:
  clickhouse:
    image: docker.io/yandex/clickhouse-server:latest
    ports:
      - 8123:8123
      - 8443:8443
      - 9000:9000
      - 9009:9009
docker-compose up -d clickhouse
docker-compose exec clickhouse clickhouse-client
SHOW GRANTS;
┌─GRANTS─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ GRANT SHOW, SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, KILL QUERY, SYSTEM, dictGet, INTROSPECTION, SOURCES ON *.* TO default │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
According to the documentation https://clickhouse.tech/docs/en/sql-reference/statements/grant/#grant-privileges
it looks like the default user lost the “ACCESS MANAGEMENT” grant group in versions 20.4 and 20.5,
because
CREATE USER OR REPLACE monitoring IDENTIFIED WITH NO_PASSWORD HOST ANY SETTINGS PROFILE 'default';
returns
Code: 497. DB::Exception: Received from localhost:9000. DB::Exception: default: Not enough privileges. To execute this query it's necessary to have the grant CREATE USER ON *.*.
- Which ClickHouse server version to use: 20.5.3, 20.4.7
For 20.3 everything works fine
SHOW GRANTS;
returns
┌─GRANTS────────────────────────────────────────┐
│ GRANT ALL ON *.* TO default WITH GRANT OPTION │
└───────────────────────────────────────────────┘
and
CREATE USER OR REPLACE monitoring PROFILE 'default';
returns
Ok.
0 rows in set. Elapsed: 0.002 sec.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 1
- Comments: 18 (13 by maintainers)
I think if we can’t create a user because access_management is disabled, we should say something like "Can't create user because access_management is disabled"; the message "Not enough privileges" is very misleading.

Do you have access_management enabled? https://clickhouse.tech/docs/en/operations/access-rights/#enabling-access-control It is done by setting access_management to 1 in users.xml

I think the bug is ‘misleading exception’
Looks like something has changed? In the recent code base, I ran into very similar problems. I tried to run a query using the HTTP interface without specifying any username/password. It reported
DB::Exception: default: Authentication failed: password is incorrect or there is no user with such name (version 20.12.1.1), but this issue doesn’t exist in prior versions.
Then I used clickhouse-client to log in without specifying any user/password either. It worked. And I ran the following command to try to fix the HTTP issue.
I tried to issue the HTTP query again; it reported a different message like below, and now clickhouse-client login (without user/password) had the same issue as well (reporting not enough privileges errors).
I have enabled access_management in users.xml by the way
For GRANT ALL to work: users.d/grant_all.xml
Still experiencing this on a new setup
I tried to run query by using HTTP interface without specifying any username/password.
The default has changed in 23.11.
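
An added example, not part of the issue thread and not ClickHouse's own code: a small audit of a users.xml that reports, per user, whether access_management (the setting the comments point to) is enabled, and flags accounts that can manage users without a password or from any address. The sample file and the users admin and ops are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample users.xml (users "admin" and "ops" are hypothetical).
# The root element name is not inspected, only the <users> section.
SAMPLE_USERS_XML = """
<yandex>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
    </default>
    <admin>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>127.0.0.1</ip></networks>
      <access_management>1</access_management>
    </admin>
    <ops>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <access_management>1</access_management>
    </ops>
  </users>
</yandex>
"""

PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
OPEN_NETWORKS = {"::/0", "0.0.0.0/0"}

def audit_users(xml_text):
    """Return {user: {"access_management": bool, "findings": [str, ...]}}."""
    report = {}
    users = ET.fromstring(xml_text).find("users")
    for user in (users if users is not None else []):
        # Absent or 0 means SQL-driven access control is off for this user.
        enabled = (user.findtext("access_management") or "0").strip() == "1"
        has_password = any((user.findtext(t) or "").strip() for t in PASSWORD_TAGS)
        nets = {(ip.text or "").strip() for ip in user.iterfind("networks/ip")}
        findings = []
        if not enabled:
            findings.append("CREATE USER/ROLE/ROW POLICY will fail with Code 497")
        elif not has_password:
            findings.append("user can manage accounts but has no password")
        if enabled and nets & OPEN_NETWORKS:
            findings.append("account management reachable from any address")
        report[user.tag] = {"access_management": enabled, "findings": findings}
    return report

if __name__ == "__main__":
    for name, info in audit_users(SAMPLE_USERS_XML).items():
        print(name, info)
```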