v.21.1 Improvements

Access Control Changes in ClickHouse: Modifications to Introspection and DDL Granting Permissions

Access control: allow_introspection_functions=0 prohibits usage of introspection functions but doesn't prohibit giving grants for them anymore (the grantee will need to set allow_introspection_functions=1 for himself to be able to use that grant). Similarly allow_ddl=0 prohibits usage of DDL commands but doesn't prohibit giving grants for them anymore. #17908 (Vitaly Baranov).
In short: setting allow_introspection_functions=0 or allow_ddl=0 still prohibits usage of introspection functions or DDL commands, but no longer prevents granting those privileges to others.

Why it matters

This change separates the ability to grant privileges for introspection functions and DDL commands from the ability to use them directly. Administrators can grant these privileges without the corresponding usage being enabled, and a grant on its own does not enable usage: the setting must allow it as well.

How to use it

Users who have been granted the privilege for introspection functions must still explicitly set allow_introspection_functions=1 for themselves before they can use them. Similarly, allow_ddl=0 blocks usage of DDL commands but does not prevent granting DDL command privileges. Both behaviors are controlled through the respective settings, allow_introspection_functions and allow_ddl.
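
The grant/setting split described above, as an added SQL walk-through (not taken from the ClickHouse changelog). The user `analyst` and database `staging` are hypothetical, and the administrator is assumed to hold these privileges with grant option.

```sql
-- Constructed example: `analyst` and `staging` are hypothetical names.

-- 1. Administrator session.
--    Introspection is switched off for this session, so the administrator
--    cannot call introspection functions here, but the GRANT is still accepted.
SET allow_introspection_functions = 0;
GRANT INTROSPECTION ON *.* TO analyst;

--    The same applies to DDL: assume this session runs under a profile with
--    allow_ddl = 0. DDL statements are refused, yet DDL privileges can be granted.
GRANT CREATE TABLE, DROP TABLE ON staging.* TO analyst;

-- 2. Grantee session (connected as analyst).
--    Holding the grant is not sufficient while the setting is 0.
SET allow_introspection_functions = 0;
SELECT demangle('_Z3foov');   -- refused: the setting prohibits usage

--    The grantee enables the setting for their own session; grant and setting
--    are now both present, so the call is allowed.
SET allow_introspection_functions = 1;
SELECT demangle('_Z3foov');

-- 3. Review. Usage needs both halves, so check them separately.
--    Privileges held by the user, regardless of any setting:
SHOW GRANTS FOR analyst;
SELECT * FROM system.grants WHERE user_name = 'analyst';

--    Settings in effect for the current session:
SELECT name, value, changed
FROM system.settings
WHERE name IN ('allow_introspection_functions', 'allow_ddl');
```

When reviewing access, a grant listed in step 3 does not mean the functions or commands are usable; that depends on the settings in effect for the grantee's session.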