v.22.6Improvement

Add Separate CLUSTER Grant and Backward Compatibility Configuration Directive

Published: November 25, 2025

Add separate CLUSTER grant (and access_control_improvements.on_cluster_queries_require_cluster_grant configuration directive, for backward compatibility, default to false). #35767 (Azat Khuzhin).

Introduces a separate CLUSTER grant to control access for cluster-related queries in ClickHouse, enhancing the granularity of access control.

Why it matters

This feature provides improved security by allowing administrators to explicitly grant permissions for executing queries on clusters. It addresses the need to separate cluster query permissions from other privileges, reducing risks and improving clarity in access management.

How to use it

To enable the separate CLUSTER grant, assign the CLUSTER privilege to the appropriate users or roles. For backward compatibility, the configuration directive access_control_improvements.on_cluster_queries_require_cluster_grant is introduced and defaults to false. Set it to true to enforce this new grant requirement.

Related resources

Pull Request #35767