v.22.5Improvement

Add CLUSTER Grant and Backward Compatibility Directive

Published: November 25, 2025

Add a separate CLUSTER grant (and access_control_improvements.on_cluster_queries_require_cluster_grant configuration directive, for backward compatibility, default to false). #35767 (Azat Khuzhin).

Introduces a separate CLUSTER grant to control permissions for cluster queries independently from other grants.

Why it matters

This feature adds finer-grained access control for cluster-wide queries in ClickHouse by allowing administrators to require a distinct CLUSTER grant. It addresses the need for improved security and permission management when running queries across clusters. The backward compatibility is maintained via the access_control_improvements.on_cluster_queries_require_cluster_grant configuration, which defaults to false to preserve existing behavior.

How to use it

To enable this feature, set the configuration parameter access_control_improvements.on_cluster_queries_require_cluster_grant to true in the server configuration. After enabling, assign the new CLUSTER grant to users who need permission to execute cluster queries.

Related resources

Pull Request #35767