ClickHouse DB::Exception: Unknown access type

The "DB::Exception: Unknown access type" error in ClickHouse occurs when a GRANT or REVOKE statement references a privilege name that ClickHouse does not recognize. The UNKNOWN_ACCESS_TYPE error code indicates that the specified access type is not a valid ClickHouse privilege keyword.

Impact

The GRANT or REVOKE statement fails, and the intended permission change is not applied. This blocks administrators from configuring access control as planned. If part of an automated deployment or migration script, the failure may halt the entire provisioning process.

Common Causes

1. A typo in the privilege name (e.g., SELET instead of SELECT)
2. Using a privilege name from another database system that does not exist in ClickHouse (e.g., EXECUTE, REFERENCES)
3. Referencing a privilege introduced in a newer ClickHouse version while running an older one
4. Using shorthand or alias names that ClickHouse does not support
5. Incorrect casing combined with a misspelling (privilege names are case-insensitive, but the keyword itself must be valid)

Troubleshooting and Resolution Steps

1. Check the privilege name for typos:

   • Review the exact statement that produced the error and compare the privilege name against the ClickHouse documentation.

2. List all valid access types:

   SELECT * FROM system.privileges;
   

   This returns every privilege ClickHouse recognizes in your version.

3. Use the correct privilege name:

   • Common ClickHouse privileges include: SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, SHOW, dictGet, INTROSPECTION, SOURCES, CLUSTER.
   • Example of a correct GRANT:

     GRANT SELECT, INSERT ON my_database.* TO my_user;
     

4. Check your ClickHouse version:

   SELECT version();
   

   If you are trying to use a privilege added in a recent release, confirm your server version supports it.

5. Review migration scripts:

   • If the error comes from an automated script, verify that all privilege names in the script are compatible with the target ClickHouse version.

Best Practices

• Always reference the ClickHouse documentation for your specific version when writing GRANT and REVOKE statements.
• Query system.privileges to discover available privilege names before constructing access control statements.
• Test access control scripts against a staging ClickHouse instance before applying them in production.
• Use version-aware deployment scripts that check the ClickHouse version and adjust privilege names accordingly.
• Keep ClickHouse versions consistent across environments to avoid privilege compatibility issues.

Frequently Asked Questions

Q: Are privilege names case-sensitive in ClickHouse?
A: No, privilege names are case-insensitive. SELECT, select, and Select are all valid. The error only occurs when the keyword itself is not a recognized ClickHouse privilege.

Q: How do I find out which privileges are available in my ClickHouse version?
A: Run SELECT * FROM system.privileges to see all supported access types for your installed version.

Q: I used a privilege that works in PostgreSQL but not in ClickHouse. Why?
A: ClickHouse has its own set of privilege names that differ from other databases. For example, ClickHouse uses dictGet for dictionary access and does not have an EXECUTE privilege. Check the ClickHouse access control documentation for the full list.

Q: Can I create custom access types in ClickHouse?
A: No, ClickHouse does not support user-defined privilege types. You can only use the built-in access types provided by your version.