I'm trying to lock a table in my python script (to avoid a serialization isolation error), using a Redshift DB table (table1). I'm getting the following error, and I can't figure out what permissions to grant to allow table locking.
sqlalchemy.exc.ProgrammingError: (psycopg2.errors.InsufficientPrivilege) permission denied for relation table1
[SQL: begin; lock table1;]
The SQL code is in the 2nd line above - simply:
begin; lock table1;
I've looked at the AWS documentation (like Grant and Lock) and also scoured Google and can't seem to find anything referencing what permissions Lock is under. Any help appreciated, thank you!
I believe that UPDATE, DELETE, or TRUNCATE permission will allow the user to perform an explicit LOCK on a table. INSERT permission is not enough and this comes from Postgres and some corner cases that can be set up.
Related
I am having issues with dropping a user becauase it has default privileges, but I am as well unable to revoke those privileges.
To reproduce my issue:
-- executed with master user redshift_master
CREATE USER anton_test_user PASSWORD '***' IN GROUP redshift_dev;
Then using anton_test_user
CREATE SCHEMA anton_test_schema;
CREATE TABLE anton_test_schema.anton_test_table AS SELECT 1 AS anton;
ALTER DEFAULT PRIVILEGES IN SCHEMA anton_test_schema
GRANT SELECT ON TABLES TO GROUP redshift_readonly;
Again with redshift_master
ALTER SCHEMA anton_test_schema OWNER TO redshift_master;
ALTER TABLE anton_test_schema.anton_test_table OWNER TO redshift_master;
Now trying to drop the user it complains about default privileges:
DROP USER anton_test_user;
Result as expected:
owner of default privileges on new relations belonging to user
anton_test_user in schema anton_test_schema;
Now to the weird part, still with redshift_master
ALTER DEFAULT PRIVILEGES FOR USER anton_test_user IN SCHEMA anton_test_schema
REVOKE ALL ON TABLES FROM redshift_readonly;
Gives Invalid operation: permission denied for schema anton_test_schema. What?
If running with anton_test_user
ALTER DEFAULT PRIVILEGES IN SCHEMA anton_test_schema
REVOKE ALL ON TABLES FROM redshift_readonly;
As well gives Invalid operation: permission denied for schema anton_test_schema.
The only way for me to solve this and being able to drop anton_test_user was to, with redshift_master drop the schema and table completely
DROP TABLE anton_test_schema.anton_test_table;
DROP SCHEMA anton_test_schema;
DROP USER anton_test_user; -- it works now
Transfering ownership back to anton_test_user and then revoking default privileges did not help - dropping the table and schema was the only solution I could find.
My completely uninformed guess is that anton_test_user had lost permissions to the schema, so no grants for the user could be applied or revoked in that schema.
Question(s):
Is there any way to avoid dropping anton_test_schema and anton_test_table while also dropping anton_test_user?
Is it supposed to work this way?
Do Postgres behave in the same way?
This is a bit of a follow up to a question already asked, to which I gave an answer - but I have no idea what is going on even though I came up with a "solution" ("" because dropping objects was a solution, albeit a pretty poor one). It might be that I have completely misunderstood user privileges in Redshift as well.
The original question is not completely the same as this - and I would like to know what is going on, so it is not really a repost even though it might look like it.
I had the same issue myself. I was able to avoid dropping the user/schema by first re-granting access of the schema to my end user (my version of anton_test_user).
grant all on schema analyst_data to anton_test_user;
After doing so, I was able to run my alter default privileges command
ALTER DEFAULT PRIVILEGES for user <user> in schema <schema> REVOKE ALL on tables FROM group <group>;
Your uninformed guess was spot on 😀
I'm trying to truncate a table in redshift but it's throwing the following error -
SQL Error [500310] [42501]: Amazon Invalid operation: must
be owner of relation table;
I have already granted all the privileges on the table to the user. As checked through the online documentation for redshift, I can't grant the truncate table access explicitly like the way it's enabled now in PostgreSQL. Is there a way or a best practice to handle this scenario?
As you say only the table owner or a superuser can truncate a table. There are several options.
Change the table to be owned by the user that needs to truncate but this may not meet other constraints
Alter table to current user, truncate, and alter it back to the previous user (requires DROP permission)
Drop and recreate the table but this may break dependencies
Make a table LIKE the original, perform an ALTER TABLE APPEND to this new table, and then drop the new table (some restrictions like no identity columns)
created two schemas in redshift and one has all tables and other schema has views created from earlier schema tables. Users were granted select privileges on second schema views. When trying to query one particular view using select in redshift, it throws "Job::UserError: PG::InsufficientPrivilege: ERROR: permission denied for schema".
The error comes only when accessing that particular view, all others are absolutely fine.
Verified the privileges and users do have select permission on views and tables. Any direction would be helpful.
You must also grant the USAGE privilege on the new schema:
GRANT USAGE ON SCHEMA <schema_name> TO <schema_user>
If you find that this is only affecting one particular view, it may be because the view was dropped and recreated after the privileges were assigned (and therefore the table has lost its inheritance of the schema permissions).
The solution may be to:
Reapply the privileges
Next time you need to change the view, rather than DROP and then CREATE the view, use the CREATE OR REPLACE VIEW your_view_name AS command
I am running a stored procedure in DB2 10.1 which creates a created global temporary table and it returns the following error message that seems to say that it cannot select from the temporary table that it has just created in the same stored procedure
"USER" does not have the required authorization or privilege to
perform operation "SELECT" on object "MYSCHEMA.MYTABLE"..
SQLCODE=-551, SQLSTATE=42501, DRIVER=4.16.53
I have not encountered this problem with the other stored procedures and they create temp tables in the same way. The user privileges are controlled by groups, but due to issues with the groups I have started to give privileges to the users directly.
I cannot grant select permissions to the temp table because its not yet created and not sure how to fix this situation.
Has anyone come across this problem before and if so how did you fix it?
Thanks for any help.
GRANT ALL ON TABLE <table_name> TO <user_name>;
The above statement gives permission to a particular user to ALTER the table structures as well to users. How can we restrict the permission of ALTER to tables to users? I want the users only to SELECT, INSERT, UPDATE and DELETE records rather than allowing them to ALTER the DB structures as well?
Will the below statement help me in achieving my requirement?
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE <table_name> TO <user_name>;
I want the issue related to postgres.
Refer to http://www.postgresql.org/docs/9.3/static/sql-grant.html & http://www.postgresql.org/docs/9.3/static/sql-revoke.html
As you can see GRANT and REVOKE will do the job.
Suggestion: Keep in mind to use groups for the privileges and handle the assignment by membership to these groups.