How to revoke access to system.* table for db user?

Question

I'm creating a user with the following permissions:

CREATE USER IF NOT EXISTS U371bqJkJ6sGJ IDENTIFIED WITH sha256_password BY '...O4CqSR1' SETTINGS PROFILE 'default' DEFAULT ROLE user GRANTEES NONE
REVOKE ALL ON *.* FROM U371bqJkJ6sGJ
GRANT SHOW DATABASES ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ
GRANT SELECT ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ

But for some reason, he can read system.* tables, e.g.

SELECT * FROM system.errors

How to revoke access to the system tables? Thanks!

Answer 1

here is the only way https://github.com/ClickHouse/ClickHouse/issues/24887

create user foo identified by '123';
revoke all on *.* from foo;

create role RO;

CREATE ROW POLICY ro_query_log_filter  ON system.query_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_part_log_filter  ON system.part_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_trace_log_filter ON  system.trace_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_processes_filter ON  system.processes USING 1 AS RESTRICTIVE TO RO;

grant RO to foo;
ALTER USER foo DEFAULT ROLE RO SETTINGS NONE;


clickhouse-client -u  foo --password=123

select count() from system.trace_log;
0 rows in set.

select count() from system.query_log;
0 rows in set.

select count() from system.tables;
0 rows in set.

select query from system.processes;
0 rows in set