@chaudum
Last active March 25, 2016 05:30
At the moment, Crate does not have a builtin concept of ACL or user permissions, but there are several ways to secure a cluster and prevent it from unauthorized access. However, sometimes you want to make your cluster just read-only, and people have been asking us about that. — https://crate.io/blog/readonly-crate-with-nginx-and-lua/
upstream crate {
    server 10.0.0.101:4200;
    server 10.0.0.102:4200;
    server 10.0.0.103:4200;
}

server {
    listen 4220;

    location = /_sql {
        # only permit POST requests
        if ($request_method !~ ^(POST)$ ) {
            return 403;
        }
        # request access to POST body
        lua_need_request_body on;
        # define access using lua
        access_by_lua '
            -- load json package (local, so it does not leak into the global scope)
            local cjson = require "cjson"
            -- read POST body
            local body = ngx.req.get_body_data()
            if body then
                -- decode JSON string into object; pcall turns malformed JSON
                -- into a denial instead of a Lua error (which nginx answers with 500)
                local ok, data = pcall(cjson.decode, body)
                -- check lower case stmt value: the body must be a JSON object
                -- whose stmt is a string starting with SELECT
                if not ok or type(data) ~= "table" or type(data.stmt) ~= "string"
                   or not string.match(string.lower(data.stmt), "^select.*") then
                    -- if sql statement does not start with SELECT
                    -- return HTTP 403
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            else
                -- if no POST data
                -- return HTTP 403
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        ';
        # set proxy headers
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept "*/json";
        # set upstream timeout
        # complex queries may take some time
        proxy_read_timeout 60s;
        # conditions in which case to try the next upstream server
        # note: on timeout you must not try another upstream,
        # otherwise you would invoke a statement several times
        proxy_next_upstream error invalid_header http_500 http_502 http_503;
        # define upstream
        proxy_pass http://crate;
    }
}
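The access decision from the config above, lifted out of nginx into a plain Lua function so it can be unit-tested with the stock `lua` interpreter; this is an added example, not part of the gist or of Crate's code. It assumes lua-cjson is installed (OpenResty bundles it) and generalises the gist's check slightly: leading whitespace is ignored, and malformed or stmt-less bodies are denied with a reason rather than raising a Lua error.

```lua
-- readonly_gate.lua: the read-only policy as a pure function, runnable
-- offline with `lua readonly_gate.lua`. Assumes lua-cjson is available.
local cjson = require "cjson"

-- Returns true when the request body describes a read-only statement,
-- otherwise false plus a short reason suitable for the error log.
local function is_read_only(body)
  if not body or body == "" then
    return false, "empty body"
  end
  -- cjson.decode raises on malformed JSON; pcall turns that into a
  -- denial instead of a Lua error (nginx would report a Lua error as 500)
  local ok, data = pcall(cjson.decode, body)
  if not ok or type(data) ~= "table" then
    return false, "body is not a JSON object"
  end
  if type(data.stmt) ~= "string" then
    return false, "missing or non-string stmt"
  end
  -- Generalisation of the gist's check: strip leading whitespace,
  -- lower-case, then require the statement to start with SELECT.
  local stmt = data.stmt:gsub("^%s+", ""):lower()
  if not stmt:match("^select") then
    return false, "statement is not a SELECT"
  end
  return true, "ok"
end

-- Constructed sample bodies (not captured traffic) with expected verdicts.
local cases = {
  { '{"stmt": "SELECT name FROM sys.cluster"}', true },
  { '{"stmt": "  select 1"}',                   true },
  { '{"stmt": "DELETE FROM users"}',            false },
  { '{"stmt": "insert into t values (1)"}',     false },
  { '{"foo": "bar"}',                            false },
  { '{"stmt": 42}',                              false },
  { 'not json at all',                           false },
  { '',                                          false },
}
for _, c in ipairs(cases) do
  local allowed, reason = is_read_only(c[1])
  assert(allowed == c[2], c[1] .. " -> " .. reason)
end
print("all cases behave as expected")

return { is_read_only = is_read_only }
```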