ClickHouse Requirements
System Requirements
| Item | Minimum | Recommended |
|---|---|---|
| Version | 25.3 | 25.3 |
| Memory | 16GB | 32GB |
| CPU | 4vCPUs | 8vCPUs |
| Disk Space | 1TB | 3TB |
Table: Minimum and recommended system requirements for ClickHouse
Mandatory ClickHouse Settings
| Setting | Value | Details |
|---|---|---|
| allow_materialized_view_with_bad_select | 1 | Required for migrations to MES 11.0.0+ when moving to an external ClickHouse Cloud setup. Must be configured prior to starting the migration. See ClickHouse Migration. |
| do_not_merge_across_partitions_select_final | 0 | Prevents data duplication in ODS state tables (e.g., CoreDataModel_T_Material). While default in ClickHouse 25.3 and automatically enforced from MES 11.2.3+, it must be manually verified for older versions or custom configurations to ensure it remains at 0. |
Table: Mandatory ClickHouse Settings
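One way to carry out the manual verification mentioned above is to query the ClickHouse system tables. This is an added example, not part of the original MES documentation; it assumes you run it while connected as the user whose effective settings you want to check, since `system.settings` reflects the current session.

```sql
-- Added example: verify the two mandatory settings from the table above.

-- 1. Effective values for the current session/user.
--    `changed` = 1 means the value differs from the server default.
SELECT name, value, changed
FROM system.settings
WHERE name IN ('allow_materialized_view_with_bad_select',
               'do_not_merge_across_partitions_select_final');

-- 2. Return only the rows that do NOT match the required values.
--    An empty result means both settings are as required.
SELECT name, value, expected
FROM
(
    SELECT
        name,
        value,
        if(name = 'allow_materialized_view_with_bad_select', '1', '0') AS expected
    FROM system.settings
    WHERE name IN ('allow_materialized_view_with_bad_select',
                   'do_not_merge_across_partitions_select_final')
)
WHERE value != expected;

-- 3. Look for overrides attached to settings profiles, users or roles,
--    which can change the value for some accounts but not others.
SELECT profile_name, user_name, role_name, setting_name, value
FROM system.settings_profile_elements
WHERE setting_name IN ('allow_materialized_view_with_bad_select',
                       'do_not_merge_across_partitions_select_final');
```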
ACLs
When creating a Customer Environment, ClickHouse users can be provisioned automatically or manually.
- Automatic Provisioning: The system creates all required users and assigns necessary roles and permissions.
- Manual Provisioning: The administrator must manually create users and assign the permissions detailed below. The system assigns all required permissions to the default user.
Info
Permissions in ClickHouse are assigned using the GRANT statement. All users should authenticate with strong credentials and be restricted to the relevant databases only.
Default User
The Default User is the account that must already exist in the customer ClickHouse installation. This user is either created manually by the customer or corresponds to the default user provided by their ClickHouse setup.
The Environment Manager uses this account to connect to ClickHouse during environment creation and configuration. Therefore, the following administrative grants must be assigned to this user to allow for the automatic provisioning of users required by Critical Manufacturing MES.
| Category | Permissions | Scope | WITH Grant Option? |
|---|---|---|---|
| User Management | CREATE USER, ALTER USER, DROP USER | *.* (Global) | No |
| Role Management | CREATE ROLE, DROP ROLE, ALTER ROLE, ROLE ADMIN | *.* (Global) | No |
| Settings & Profiles | CREATE SETTINGS PROFILE, DROP SETTINGS PROFILE, ALTER SETTINGS PROFILE | *.* (Global) | No |
| Quota Management | CREATE QUOTA, DROP QUOTA, ALTER QUOTA | *.* (Global) | No |
| Backup & Restore | BACKUP | *.* (Global) | No |
| Database Management | CREATE DATABASE, DROP DATABASE, SHOW | *.* (Global) | Yes |
| Data Management | SELECT, INSERT, ALTER, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY, DROP TABLE, DROP VIEW, DROP DICTIONARY, UNDROP TABLE, TRUNCATE, OPTIMIZE, CREATE ROW POLICY, ALTER ROW POLICY, DROP ROW POLICY, SHOW ROW POLICIES, DICTGET | *.* (Global) | Yes |
| Other (Optional) | SHOW ACCESS | *.* (Global) | No |
Table: Default User required permissions
You can apply all the above permissions using the following SQL statement:
```sql
GRANT
    CREATE USER, ALTER USER, DROP USER,
    CREATE ROLE, DROP ROLE, ALTER ROLE, ROLE ADMIN,
    CREATE SETTINGS PROFILE, DROP SETTINGS PROFILE, ALTER SETTINGS PROFILE,
    CREATE QUOTA, DROP QUOTA, ALTER QUOTA,
    BACKUP, SHOW ACCESS
ON *.* TO <User_Name>;

GRANT
    CREATE DATABASE, DROP DATABASE, SHOW,
    SELECT, INSERT, ALTER, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY, DROP TABLE, DROP VIEW, DROP DICTIONARY,
    UNDROP TABLE, TRUNCATE, OPTIMIZE, CREATE ROW POLICY, ALTER ROW POLICY, DROP ROW POLICY, SHOW ROW POLICIES, DICTGET
ON *.* TO <User_Name> WITH GRANT OPTION;
```
Other Users
The table below summarizes the standard ClickHouse users created by MES, their database scope, and the permissions required for installation, upgrades, and daily operations.
| User Role | Primary Function | Databases | Permissions |
|---|---|---|---|
| Analytics (Read/Write) Admin | Administrative user with extended privileges for managing all analytics databases and deployments. | All required databases | CREATE DATABASE, DROP DATABASE, SHOW, SELECT, INSERT, ALTER, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY, DROP TABLE, DROP VIEW, DROP DICTIONARY, UNDROP TABLE, TRUNCATE, OPTIMIZE, CREATE ROW POLICY, ALTER ROW POLICY, DROP ROW POLICY, SHOW ROW POLICIES, DICTGET |
| MES (Read/Write) | Responsible for reading and writing core operational MES data. | MES | SELECT, INSERT, ALTER, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY |
| Analytics (Read) | Provides read-only access for general reporting and data consumption across all Analytics databases. | ODS, CDM, DWH, system | SELECT (on analytics databases), SELECT(volume_name, policy_name) on system.storage_policies, SELECT(value, name) on system.build_options |
| Analytics (Read) / DWH (Read/Write) | Used for processes that populate the DWH, but only require read-only access to source databases (CDM). | CDM, DWH | CDM: SELECT; DWH: SHOW, SELECT, INSERT, ALTER, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY, DROP TABLE, DROP VIEW, DROP DICTIONARY, UNDROP TABLE, TRUNCATE, OPTIMIZE, CREATE ROW POLICY, ALTER ROW POLICY, DROP ROW POLICY, SHOW ROW POLICIES, DICTGET |
| DWH (Read) | Provides read-only access exclusively to the Data Warehouse. | DWH | SELECT |
| DWH Playground (Read) | Provides read-only access to Cube Explorer users. | DWH | SELECT (with quotas: MAX execution_time = 900s, MAX result_rows = 1,000,000) |
Table: Standard ClickHouse user roles, associated databases, and required permissions for MES
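For manual provisioning, the read-only rows of the table above translate into statements like the following, followed by an audit query that flags anything broader than intended. This is an added example, not the statements MES itself runs: the user names, database names, password placeholder and quota interval are all assumptions, since the page does not define them.

```sql
-- Added example. All example_* names, '<strong-password>' and the quota
-- interval are placeholders/assumptions, not values defined by MES.

-- DWH (Read): SELECT on the Data Warehouse database only.
CREATE USER IF NOT EXISTS example_dwh_read
    IDENTIFIED WITH sha256_password BY '<strong-password>';
GRANT SELECT ON example_dwh.* TO example_dwh_read;

-- Analytics (Read): SELECT on the analytics databases plus the two
-- column-level grants on system tables listed in the table.
CREATE USER IF NOT EXISTS example_analytics_read
    IDENTIFIED WITH sha256_password BY '<strong-password>';
GRANT SELECT ON example_ods.* TO example_analytics_read;
GRANT SELECT ON example_cdm.* TO example_analytics_read;
GRANT SELECT ON example_dwh.* TO example_analytics_read;
GRANT SELECT(volume_name, policy_name) ON system.storage_policies TO example_analytics_read;
GRANT SELECT(value, name) ON system.build_options TO example_analytics_read;

-- DWH Playground (Read): SELECT plus the quota limits from the table.
CREATE USER IF NOT EXISTS example_dwh_playground
    IDENTIFIED WITH sha256_password BY '<strong-password>';
GRANT SELECT ON example_dwh.* TO example_dwh_playground;
CREATE QUOTA IF NOT EXISTS example_dwh_playground_quota
    FOR INTERVAL 1 hour  -- assumed interval; the page does not state one
    MAX execution_time = 900, result_rows = 1000000
    TO example_dwh_playground;

-- Audit: these accounts should hold SELECT only, scoped to a database,
-- with no grant option. Any row returned here is broader than intended.
SELECT user_name, access_type, database, table, column, grant_option
FROM system.grants
WHERE user_name IN ('example_dwh_read', 'example_analytics_read', 'example_dwh_playground')
  AND (database IS NULL            -- NULL database means a global (*.*) grant
       OR grant_option = 1
       OR access_type != 'SELECT');
```

`SHOW GRANTS FOR <User_Name>` gives the same information per user in statement form.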
Permission Descriptions
The permissions assigned to MES users follow the standard ClickHouse security model. For a detailed breakdown of each privilege — including its hierarchy, scope, and specific administrative capabilities — please refer to the official ClickHouse documentation:
ClickHouse SQL Reference: GRANT Permissions
Hierarchy Note
Permissions like ALL are administrative shorthands that encompass multiple granular privileges (e.g., SELECT, INSERT, CREATE TABLE). When configuring the Default User, ensure that the WITH GRANT OPTION is included to allow the Environment Manager to delegate these functional rights to the MES sub-users.