altinity-expert-clickhouse-grants

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Diagnostics

诊断步骤

Run all queries from the file checks.sql and analyze the results.

执行checks.sql文件中的所有查询并分析结果。

Propose Minimal Grants

建议最小权限授予

Provide the smallest set of

GRANT

statements that match observed

needed_grant

values. Prefer role-based grants when the user already uses roles.

Example pattern:

sql

-- Direct grants
GRANT SELECT ON system.processes TO user_x;
GRANT SELECT ON INFORMATION_SCHEMA.COLUMNS TO svc_y;
GRANT CLUSTER ON *.* TO svc_z;

-- Role-based grants (preferred)
GRANT SELECT ON system.processes TO role_analytics;
GRANT role_analytics TO user_x;

提供与检测到的

needed_grant

值匹配的最小

GRANT

语句集合。如果用户已使用角色，优先基于角色的权限授予。

示例模板：

sql

-- 直接授权
GRANT SELECT ON system.processes TO user_x;
GRANT SELECT ON INFORMATION_SCHEMA.COLUMNS TO svc_y;
GRANT CLUSTER ON *.* TO svc_z;

-- 基于角色的授权（优先推荐）
GRANT SELECT ON system.processes TO role_analytics;
GRANT role_analytics TO user_x;

Post-Upgrade Compatibility Checks

升级后兼容性检查

Verify

access_control_improvements

settings, which can change privilege requirements:

```
select_from_system_db_requires_grant
```

select_from_information_schema_requires_grant

on_cluster_queries_require_cluster_grant

If these are enabled post-upgrade, users may require new explicit grants for

system.*

INFORMATION_SCHEMA.*

, or

CLUSTER

验证

access_control_improvements

相关设置，这些设置可能会改变权限要求：

```
select_from_system_db_requires_grant
```

select_from_information_schema_requires_grant

on_cluster_queries_require_cluster_grant

如果升级后启用了这些设置，用户可能需要针对

system.*

、

INFORMATION_SCHEMA.*

或

CLUSTER

获取新的显式授权。