Atlas now supports ClickHouse wildcard grants (e.g., GRANT SELECT ON db.prefix* TO role), allowing pattern-based permissions on tables matching a name prefix.
ClickHouse 24.10 introduced wildcard grants, which let you grant permissions on all tables matching a name prefix with a single statement. Atlas now fully supports inspecting, diffing, and migrating these grants.
Wildcard Grants
Instead of granting permissions on each table individually, you can use a wildcard pattern to match all tables with a common prefix:
-- Grant SELECT on all tables starting with "level" in app_dbGRANT SELECT ON app_db.level* TO data_reader;-- This matches: level, level_data, levels, level_metrics, etc.
Version-Aware Behavior
Atlas detects the ClickHouse version and adapts its output accordingly. On ClickHouse 24.10+, Atlas generates compact wildcard grant statements. On older versions, it falls back to explicit per-table grants:
-- Without wildcard grants (ClickHouse < 24.10), Atlas generates per-table grants:GRANT SELECT ON app_db.level TO data_reader;GRANT SELECT ON app_db.level_data TO data_reader;GRANT SELECT ON app_db.levels TO data_reader;
Usage
Define wildcard grants in your schema file alongside roles and other permissions. Atlas will detect the pattern and generate the appropriate migration:
-- Define roles and wildcard grants in your schemaCREATE ROLE data_reader;GRANT SELECT ON app_db.level* TO data_reader;
To use permissions in your Atlas project, enable the permissions and roles schema modes in your project configuration.