ApsaraDB for ClickHouse Community-compatible Edition clusters support two methods for configuring database accounts: XML configuration files and SQL statements. The method available to your cluster depends on its engine version and creation date. This document explains how to create accounts, modify permissions, change passwords, and delete accounts.
Choose a configuration method
Each cluster uses exactly one configuration method — you cannot use both.
| Configuration method | Applicable clusters | Account types |
|---|---|---|
| XML | Version 20.8 or later clusters created before December 27, 2022; clusters with engine version 20.3 or earlier | Standard account only |
| SQL | Version 20.8 or later clusters created after December 27, 2022 | Privileged account + Standard account |
To check which method your cluster uses, go to the Community Edition instance list, click the target cluster, click Account Management in the left navigation pane, and check the Configuration Method column.
If your cluster uses XML, the GRANT and SHOW GRANTS SQL commands do not take effect — modify permissions in the console instead. If your cluster uses SQL, modify permissions using SQL statements, not the console.
Account types
| Account type | Configuration method | Description |
|---|---|---|
| Standard account | XML or SQL | Create and manage in the console or via API operations (XML clusters), or also via SQL statements (SQL clusters). Up to 500 standard accounts per cluster. By default, a standard account can only log in to databases and cannot create or manage other accounts. |
| Privileged account | SQL only | Create and manage in the console or via API operations. Only one privileged account is allowed per cluster. Use it to manage all standard accounts and databases, and to grant fine-grained permissions — for example, restricting a standard account to query specific tables. |
Create a database account
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB for ClickHouse Community-compatible Edition cluster
Access to the ApsaraDB for ClickHouse console
Steps
Log in to the ApsaraDB for ClickHouse console.
In the upper-left corner, select the region where the cluster is deployed.
On the Clusters page, select Clusters of Community-compatible Edition and click the ID of the target cluster.
In the left navigation pane, click Account Management.
In the upper-right corner of the Account Management page, click Create Account.
In the Create Account panel, set the parameters for your cluster version.
Version 20.8 or later
| Parameter | Description |
|---|---|
| Database Account | The account name. Must be 2–64 characters, contain only lowercase letters, digits, or underscores (_), start with a lowercase letter, and end with a lowercase letter or digit. Must be unique in the cluster. |
| Account Type | Select Privileged Account or Standard Account. A standard account can only log in to databases by default. Use a privileged account to grant additional permissions via SQL statements. For details, see GRANT. |
| Password | Must be 8–32 characters and include at least three of the following: uppercase letters, lowercase letters, digits, and special characters (!@#$%^&*()_+-=). |
| Confirm Password | Re-enter the same password. |
| Description | (Optional) Up to 256 characters. Cannot start with http:// or https://. |

Version 20.3
| Parameter | Description |
|---|---|
| Database Account | The account name. Must be 2–64 characters, contain only lowercase letters, digits, or underscores (_), start with a lowercase letter, and end with a lowercase letter or digit. Must be unique in the cluster. |
| Authorized Access Scope | The resources the account can access. Select All Databases and Dictionaries, or select Partial Databases and Dictionaries and use the add and remove buttons to grant or revoke access to specific databases and dictionaries. |
| DML Permission | Specifies write access. Read, Write, and Set Permissions grants full read/write access. Read and Set Permissions restricts the account to read-only access on the authorized resources. |
| DDL Permission | Specifies whether the account can run DDL statements. Select Enable DDL or Disable DDL. |
| Password | Must be 8–32 characters and include at least three of the following: uppercase letters, lowercase letters, digits, and special characters (!@#$%^&*()_+-=). |
| Confirm Password | Re-enter the same password. |
| Description | (Optional) Up to 256 characters. Cannot start with http:// or https://. |

Click OK.
Modify permissions
How you modify permissions depends on your cluster's configuration method.
Modify permissions using SQL (SQL clusters only)
This applies only to version 20.8 or later clusters created after December 27, 2022. For XML clusters, modify permissions in the console instead.
Log in to the database using a privileged account. For details, see Connect to a database.
Run a GRANT statement to assign the required permissions to a standard account. For the full syntax and available permissions, see GRANT. By default, a standard account can only log in to databases. Use GRANT to expand its access, for example to allow queries on specific tables or databases.
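The following is an added example, not taken from the original page: a least-privilege GRANT workflow run as the privileged account on a SQL-configured cluster, with a verification and audit step. The account report_reader, the database sales, and its tables and columns are hypothetical, and the account is assumed to have been created already in the console.

```sql
-- Added example. report_reader, sales.orders and sales.order_details are
-- hypothetical names; run these statements as the privileged account.

-- 1. Baseline: list what the standard account holds before changing anything.
SHOW GRANTS FOR report_reader;

-- 2. Table-level read access to exactly one table.
GRANT SELECT ON sales.orders TO report_reader;

-- 3. Column-level read access: expose only the non-sensitive columns of a
--    second table instead of the whole table.
GRANT SELECT(order_id, region, amount) ON sales.order_details TO report_reader;

-- 4. Verify the result. Each row is one privilege; a NULL table means the
--    grant covers the whole database, a NULL database means it is global.
SELECT user_name, access_type, database, table, column, grant_option
FROM system.grants
WHERE user_name = 'report_reader'
ORDER BY database, table, column;

-- 5. Audit: accounts holding global grants or the right to re-grant.
--    The privileged account is expected to appear here; any standard
--    account that does should be reviewed.
SELECT user_name, access_type, database, table
FROM system.grants
WHERE user_name IS NOT NULL
  AND (database IS NULL OR grant_option = 1)
ORDER BY user_name, access_type;

-- 6. Remove access that is no longer needed.
REVOKE SELECT ON sales.orders FROM report_reader;
```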
Modify permissions in the console (XML clusters only)
This applies only to clusters with engine version 20.3 or earlier, and version 20.8 or later clusters created before December 27, 2022. For SQL clusters, use SQL statements instead. Even if you execute a GRANT statement on an XML cluster, the authorization does not take effect. In addition, the SHOW GRANTS command may display administrator permissions, but the actual permissions are subject to the console.
Log in to the ApsaraDB for ClickHouse console.
In the upper-left corner, select the region where the cluster is deployed.
On the Clusters page, select Clusters of Community-compatible Edition and click the ID of the target cluster.
In the left navigation pane, click Account Management.
In the Actions column for the target account, click Modify Permissions.
In the Modify Permissions panel, update the Authorized Access Scope, DML Permission, and DDL Permission as needed.
Click OK.
Change a password
Log in to the ApsaraDB for ClickHouse console.
In the upper-left corner, select the region where the cluster is deployed.
On the Clusters page, select Clusters of Community-compatible Edition and click the ID of the target cluster.
In the left navigation pane, click Account Management.
In the Actions column for the target account, click Change Password.
In the Change Password panel, enter and confirm the new password.
Click OK.
Delete a database account
Deleting an account is irreversible. The account cannot be restored after deletion.
Log in to the ApsaraDB for ClickHouse console.
In the upper-left corner, select the region where the cluster is deployed.
On the Clusters page, select Clusters of Community-compatible Edition and click the ID of the target cluster.
In the left navigation pane, click Account Management.
In the Actions column for the target account, click Delete.
In the Delete Account dialog box, click OK.
What's next
To create standard accounts using SQL statements, see CREATE USER.
To manage permissions for standard accounts, see GRANT.
To connect a client to your cluster, see Connect to a database.