Support ClickHouse EXECUTE AS <user> for Proper RBAC and Auditability

[shahparthiv]

Background

The current Grafana ClickHouse datasource allows configuring only one ClickHouse user at the data source level.

As a result:

• All dashboard and alert queries run with the same ClickHouse user, regardless of who is logged into Grafana.
• ClickHouse cannot distinguish which actual Grafana user initiated a query.
• Proper RBAC becomes impossible.
• Example: If User A should only access one specific table, we cannot enforce this, because the plugin must be configured with a user that has broad access to support all queries across dashboard panels and alerts.

This creates major limitations in:

• Security
• Access control
• Auditability
• Compliance

New ClickHouse Feature: EXECUTE AS (introduced in ClickHouse 25.11)

ClickHouse 25.11 introduced the ability for one user to run a query on behalf of another user, inheriting the target user’s:

• Access rights
• Limits
• Settings
• Quotas

This is enabled by granting impersonation rights:

GRANT IMPERSONATE ON user1 TO user2;

And used as:

EXECUTE AS target_user
SELECT * FROM table;

This new capability solves the RBAC and auditing problem perfectly for applications that authenticate with a single technical user, but need queries to be executed on behalf of real application users.

Proposed Enhancement for Grafana ClickHouse Plugin

I would like to request support for an optional setting in the datasource configuration that enables query impersonation using EXECUTE AS.
How it would work

1. Enable Impersonation (Data Source Setting)
   Add a toggle such as:

     ✔️ Enable ClickHouse Impersonation (EXECUTE AS)
   

If enabled, the plugin should wrap outgoing queries with:

EXECUTE AS <grafana_logged_in_user><original_query>

2. Handling Dashboard Queries
   For all dashboard panels:

• The query should execute as the currently logged‑in Grafana user.
• This user’s email/name can map to ClickHouse user accounts that have appropriate RBAC configuration.
• This allows ClickHouse to enforce access rights per user.

3. Handling Alert Queries
   Alerts are tricky because they do not execute in a user session.
   Proposal:

• When an alert is created, capture the creator's username.
• Stored alert queries should run as:

EXECUTE AS <alert_creator_user>
<alert_query>

This provides per‑user RBAC and auditability even for alerts that run in the background.

Benefits
✔️ Full RBAC enforcement
Queries inherit access controls of each individual user.

✔️ Proper auditing
ClickHouse logs show which user actually executed each query.

✔️ Least privilege principle
Datasource can be configured with a technical user that has minimal rights + impersonation ability.

✔️ No need to create a datasource per user
Users remain fully isolated while sharing a single datasource configuration.

✔️ Better compliance
Helps organizations meet audit requirements in regulated environments.

Request
I would like to propose adding support for this feature in the Grafana ClickHouse Datasource plugin. I am happy to contribute as well.