ClickHouse DB::Exception: Function not allowed

The "DB::Exception: Function not allowed" error in ClickHouse means you tried to call a function that has been explicitly restricted for your user, role, or session. ClickHouse supports fine-grained access control that can block specific functions through user profiles and settings constraints. The error code is FUNCTION_NOT_ALLOWED.

Impact

The query fails before execution. This error is intentional -- it enforces security policies. The function exists and would otherwise work, but administrative policy prevents it from being used in the current context. Repeated attempts with the same user or role will continue to fail until permissions are updated.

Common Causes

  1. User profile restrictions -- the administrator configured a user profile that disallows certain functions via allow_ddl, allow_introspection_functions, or similar settings.
  2. Introspection functions blocked -- functions like addressToLine, addressToSymbol, and demangle are disabled by default for security reasons (controlled by allow_introspection_functions).
  3. Dangerous functions blocked -- settings like allow_experimental_* or allow_suspicious_* may block access to experimental or potentially unsafe functions.
  4. Readonly mode -- when a session is in readonly mode, functions that modify state may be blocked.
  5. Role-based access control (RBAC) -- a GRANT/REVOKE policy may restrict specific function usage for certain roles.

Troubleshooting and Resolution Steps

  1. Read the full error message. It usually names the blocked function and sometimes the setting that controls access:

    DB::Exception: Function addressToLine is not allowed:
    set allow_introspection_functions = 1 to enable it
    
  2. Check your current settings. See if the relevant setting is disabled:

    SELECT name, value FROM system.settings
    WHERE name LIKE '%allow%' AND value = '0';
    
  3. Enable the required setting if permitted. Some settings can be changed at the session level:

    SET allow_introspection_functions = 1;
    -- system.trace_log stores each stack as the array column `trace`
    SELECT arrayMap(x -> addressToLine(x), trace) AS frames FROM system.trace_log LIMIT 10;
    
  4. Check your user profile and role. Verify what restrictions are in place:

    SHOW GRANTS FOR CURRENT_USER;
    SHOW SETTINGS PROFILES;
    
  5. Ask an administrator to update permissions. If you cannot change the setting yourself, the admin needs to update your user profile or role:

    -- Admin command to update a settings profile
    ALTER SETTINGS PROFILE 'analyst'
    SETTINGS allow_introspection_functions = 1;
    
  6. Check for readonly mode. If your session is readonly, some settings cannot be changed:

    SELECT value FROM system.settings WHERE name = 'readonly';
    

Best Practices

  • Follow the principle of least privilege -- only enable function access for users who genuinely need it.
  • Use settings profiles to manage function access at scale rather than per-user configurations.
  • Document which functions are restricted and why, so developers understand the policy.
  • For development environments, consider more permissive profiles than production, but still restrict truly dangerous operations.
  • Audit usage of powerful functions like introspection and system functions periodically.
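
As an added example (not part of the original page), the statements below sketch the profile-based restriction and the periodic audit recommended above. The profile names `introspection_locked` and `introspection_debug`, the role `analysts`, and the user `perf_oncall` are hypothetical and assumed to exist already; the audit queries assume `system.query_log` is enabled.

```sql
-- Hypothetical names: introspection_locked, introspection_debug,
-- role analysts, user perf_oncall (both assumed to exist).

-- 1. Default-deny: pin the setting to 0 and mark it CONST so neither
--    SET nor a per-query SETTINGS clause can switch it on.
CREATE SETTINGS PROFILE IF NOT EXISTS introspection_locked
    SETTINGS allow_introspection_functions = 0 CONST
    TO analysts;

-- 2. Narrow exception: one on-call account gets the setting enabled,
--    plus the INTROSPECTION privilege the functions also require.
CREATE SETTINGS PROFILE IF NOT EXISTS introspection_debug
    SETTINGS allow_introspection_functions = 1
    TO perf_oncall;
GRANT INTROSPECTION ON *.* TO perf_oncall;

-- 3. Audit: who actually ran introspection functions in the last 7 days.
SELECT
    event_time,
    user,
    query_id,
    arrayIntersect(used_functions,
                   ['addressToLine', 'addressToSymbol', 'demangle']) AS introspection_calls
FROM system.query_log
WHERE type = 'QueryFinish'
  AND event_date >= today() - 7
  AND hasAny(used_functions, ['addressToLine', 'addressToSymbol', 'demangle'])
ORDER BY event_time DESC;

-- 4. Audit: who was blocked. Repeated FUNCTION_NOT_ALLOWED failures from
--    one account point to a policy gap or to probing.
SELECT
    user,
    count() AS blocked_attempts,
    max(event_time) AS last_attempt
FROM system.query_log
WHERE type IN ('ExceptionBeforeStart', 'ExceptionWhileProcessing')
  AND event_date >= today() - 7
  AND errorCodeToName(exception_code) = 'FUNCTION_NOT_ALLOWED'
GROUP BY user
ORDER BY blocked_attempts DESC;
```

Run statements 1 and 2 as an administrator with access management enabled; statements 3 and 4 need SELECT on `system.query_log`.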

Frequently Asked Questions

Q: Which functions are blocked by default in ClickHouse?
A: Introspection functions (addressToLine, addressToSymbol, demangle) are blocked by default. Experimental functions (controlled by various allow_experimental_* settings) are also typically disabled. The exact list depends on your ClickHouse version and configuration.

Q: Can I allow a function for one query without changing my profile permanently?
A: Yes, if your profile allows setting changes, you can use SET for the current session. Alternatively, use settings clauses directly in the query: SELECT ... SETTINGS allow_introspection_functions = 1.

Q: Is FUNCTION_NOT_ALLOWED the same as ACCESS_DENIED?
A: No. ACCESS_DENIED relates to RBAC privileges (GRANT/REVOKE on tables, databases, etc.). FUNCTION_NOT_ALLOWED is specifically about function-level restrictions through settings. They are separate mechanisms, though both serve security purposes.

Q: Can I restrict specific UDFs from being called by certain users?
A: Yes. You can control UDF access through RBAC by granting or revoking the CREATE FUNCTION and usage privileges. Additionally, settings profiles can be used to limit what types of functions users can execute.
