v.23.3 New Feature
Allow Separate Grants for Named Collections in ClickHouse
Allow separate grants for named collections (e.g. to be able to give SHOW/CREATE/ALTER/DROP named collection access only to certain collections, instead of all at once). Closes #40894. Add new access type NAMED_COLLECTION_CONTROL which is not given to user default unless explicitly added to the user config (is required to be able to do GRANT ALL), also show_named_collections is no longer obligatory to be manually specified for user default to be able to have full access rights as was in 23.2. #46241 (Kseniia Sumarokova).
Why it matters
This feature allows administrators to assign SHOW, CREATE, ALTER, and DROP privileges on specific named collections instead of applying permissions globally to all collections. It improves security and access control by enabling more precise management of user rights related to named collections. Additionally, the new access type NAMED_COLLECTION_CONTROL is not granted by default, requiring explicit assignment, and removes the need to specify show_named_collections manually for full access rights as was previously necessary.
How to use it
To use this feature, administrators must explicitly grant the NAMED_COLLECTION_CONTROL access type to users or roles who need control over named collections. Permissions like SHOW, CREATE, ALTER, and DROP can then be granted on individual named collections. For example:
GRANT NAMED COLLECTION CONTROL ON <collection_name> TO <user_or_role>;
This replaces the previous requirement to assign show_named_collections manually for full access.
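A least-privilege layout built on the per-collection grants described above, as an added example that is not taken from the ClickHouse changelog or documentation. The collection names, role names and all key values are constructed placeholders, and the statements assume collections created through SQL by an administrator who already holds the named-collection access types.

```sql
-- Added example. Run as an administrator that already holds the
-- named-collection access types (per the changelog entry, user "default"
-- does not get NAMED_COLLECTION_CONTROL unless it is added in the user config).

-- Constructed sample collections: placeholder endpoints and credentials only.
CREATE NAMED COLLECTION s3_reports AS
    url = 'https://bucket.example.invalid/reports/',
    access_key_id = 'PLACEHOLDER_KEY_ID',
    secret_access_key = 'PLACEHOLDER_SECRET';

CREATE NAMED COLLECTION mysql_billing AS
    host = 'billing-db.example.invalid',
    port = 3306,
    user = 'etl',
    password = 'PLACEHOLDER_PASSWORD',
    database = 'billing';

-- Hypothetical roles, one per duty.
CREATE ROLE reports_reader;
CREATE ROLE billing_maintainer;

-- reports_reader may see s3_reports and nothing else.
GRANT SHOW NAMED COLLECTIONS ON s3_reports TO reports_reader;

-- billing_maintainer may see and change mysql_billing only.
-- One statement per privilege keeps each grant individually revocable and
-- easy to audit in SHOW GRANTS output.
GRANT SHOW NAMED COLLECTIONS ON mysql_billing TO billing_maintainer;
GRANT ALTER NAMED COLLECTION ON mysql_billing TO billing_maintainer;
GRANT DROP NAMED COLLECTION ON mysql_billing TO billing_maintainer;

-- Review step: each role should list only its own collection.
-- A grant naming the other collection here means the scoping was not applied.
SHOW GRANTS FOR reports_reader;
SHOW GRANTS FOR billing_maintainer;

-- Tighten later without touching the other privileges:
-- billing_maintainer keeps SHOW and ALTER but can no longer drop the collection.
REVOKE DROP NAMED COLLECTION ON mysql_billing FROM billing_maintainer;
SHOW GRANTS FOR billing_maintainer;
```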