I'm using SQL Server 2008.
There is a Procedure ...
CREATE PROCEDURE xxx WITH EXECUTE AS OWNER
AS
BEGIN
SET NOCOUNT ON;
TRUNCATE TABLE ttt;
INSERT INTO ttt
(
field
)
SELECT
order_number
FROM
OPENQUERY([sss], 'SELECT ...')
END
... the Owner User can execute the procedure without any issue.
My Expectation was, if I grant execution access to some other User the other user should also be able to run this procedure.
But using the other Account a error is received: 'Access to the remote server is denied because no login-mapping exists.'
Actually I try to avoid giving the 'other User' full access to the linked Server.
User must be mapped to db_owner group
Related
Per postgresql_exporter doc. In order to create one new user postgres_exporter for Prometheus PostgreSQL exporter. Here are the sample codes
ALTER USER postgres_exporter WITH PASSWORD 'password';
ALTER USER postgres_exporter SET SEARCH_PATH TO postgres_exporter,pg_catalog;
-- If deploying as non-superuser (for example in AWS RDS), uncomment the GRANT
-- line below and replace <MASTER_USER> with your root user.
-- GRANT postgres_exporter TO <MASTER_USER>;
GRANT CONNECT ON DATABASE postgres TO postgres_exporter;
One special SQL is GRANT postgres_exporter TO <MASTER_USER>. I am confused about it. I just remove it and run with the following codes to create one new user postgres_exporter
CREATE OR REPLACE FUNCTION __tmp_create_user() returns void as $$
BEGIN
IF NOT EXISTS (
SELECT
FROM pg_catalog.pg_user
WHERE usename = 'postgres_exporter') THEN
CREATE USER postgres_exporter;
END IF;
END;
$$ language plpgsql;
SELECT __tmp_create_user();
DROP FUNCTION __tmp_create_user();
ALTER USER postgres_exporter WITH PASSWORD 'password';
ALTER USER postgres_exporter SET SEARCH_PATH TO pg_catalog;
GRANT CONNECT ON DATABASE postgres TO postgres_exporter;
GRANT pg_monitor to postgres_exporter;
And this new user works well in PostgreSQL exporter with PostgreSQL version 10.
Shall we think this operation GRANT postgres_exporter1 TO <MASTER_USER> is useless? Please correct us if something is wrong or anything missing?
I am using PostgreSQL 11.8 in AWS RDS and I created a user as below:
CREATE USER test WITH LOGIN;
GRANT rds_iam TO test;
the code runs success but I can't find the user test from:
SELECT * FROM information_schema.table_privileges where grantee='test';
it returns an empty result to me.
I am able to see that user by running
SELECT *FROM pg_catalog.pg_user where usename='test';.
Why can't I grant access to the user?
Your GRANT statement didn't grant a privilege on a table, it added the user to the role (“group”) rds_iam.
User test itself doesn't have any privileges on tables, it only inherits them.
information_schema.table_privileges will only show the privileges that were granted to a user, not the privileges inherited via role membership.
Your SQL command is correct. The problem is on the given role_name. You can get all users by executing the below command
SELECT *FROM pg_catalog.pg_user
Make sure the given role_name is in the listed role name in the PostgreSQL server. Below the command, you can get users with role
SELECT usename AS role_name,
CASE
WHEN usesuper AND usecreatedb THEN
CAST('superuser, create database' AS pg_catalog.text)
WHEN usesuper THEN
CAST('superuser' AS pg_catalog.text)
WHEN usecreatedb THEN
CAST('create database' AS pg_catalog.text)
ELSE
CAST('' AS pg_catalog.text)
END role_attributes
FROM pg_catalog.pg_user
ORDER BY role_name desc;
In PostgreSQL RDS I seen this behavior, where "information_schema.table_privileges" is not getting updated with privileges which granted to any user or role If the table owner is not "dbuser".
So I changed the table owner to "dbuser" immediately it's started showing all the grants which I granted to different users and roles. Not sure how the "Table owner" impacting "table_privileges" view.
On exiting DB and existing schema I have created a new function. I am supposed to create a new role so that one can execute the new function that I have created.
Function has selects and inserts on some tables in public schema.(Db and schema are already existing)
--I have created new role with below SQL:
BEGIN TRANSACTION ISOLATION LEVEL SERIALIZABLE;
DO $BODY$
BEGIN
CREATE ROLE new_role LOGIN;
EXCEPTION
WHEN duplicate_object THEN
RAISE DEBUG '% (%)', SQLERRM, SQLSTATE;
END;
$BODY$;
ALTER ROLE new_role ENCRYPTED PASSWORD 'abc123';
COMMIT;
--Below are GRANT queries:
GRANT CONNECT ON DATABASE "existing_db" TO new_role;
GRANT ALL PRIVILEGES ON SCHEMA public TO new_role;
grant all ON FUNCTION new_fun(name text, address text) TO new_role
connected to Database using new_role and tried to select from new_fun prompts me with "permission denied for schema public".
I am not sure if I need to give other grant permission here. Please help.
Thanks,
-Div
postgresql 9.1 - access tables through functions
I did not know that had to revoke all on public from Public: foloowed steps from above link.
REVOKE ALL ON SCHEMA public FROM public;
got it now.
Thanks
If I execute single SQL statements in worksheet (eg CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';) then is works correctly. Wrapping it in anonymous block like this:
DO
$$
BEGIN
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
END
$$;
and I get following error message:
Error starting at line : 3 in command -
BEGIN
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
END
$$;
Error report -
ERROR: syntax error at or near "CREATE"
Position: 10
However, the same script works fine when I execute it in psql shell. Am I missing something obvious?
Using:
PostgreSQL version 9.4
Postgres JDBC driver postgresql-9.3-1102.jdbc41
SQL Developer version 4.0 (jdk 1.7.0_71)
The source of the error is JDBC's inability to deal with dollar-quoting correctly (yet). Related answer:
Exceptions when creating a trigger in PostgreSQL 9.1
You might be able to circumvent the problem in this case with:
DO
'
BEGIN
CREATE ROLE my_user LOGIN PASSWORD ''my_pwd'' VALID UNTIL ''infinity'';
END
';
If that doesn't do the trick, try to set a different query terminator, like advised in the linked answer.
You seem to be aware that you do not need a DO statement for the example code at all. Just:
CREATE ROLE my_user LOGIN PASSWORD 'my_pwd' VALID UNTIL 'infinity';
I need to grant access of existing login into my database and change password of other login from a T-SQL script that is run from C++ update program in transaction. It should run against SQL Server 2000 and also against any newer SQL Server version.
CREATE USER FOR LOGIN and ALTER LOGIN WITH PASSWORD are not supported in MSDE and SQL Server 2000 but I'm not able to use sp_grantdbaccess and sp_password either because they fail with error -2147217900
That I think is caused by the fact that these stored procedures cannot be run from user transaction and it can also be deprecated in future SQL Server versions.
Can you suggest any other solution?
Below is the sample of the script that is run in user transaction
CREATE PROCEDURE [dbo].[_PasswordChangeSaveCleanup]
#Meno varchar(50),
#HesloEncrypted varchar(50)
AS
BEGIN
...
return 1
END
GO
--CREATE USER [some] FOR LOGIN [some]
EXECUTE sp_grantdbaccess #loginame='some'
GO
GRANT SELECT ON [dbo].[UZivatelia] TO [ese]
GO
--ALTER LOGIN SOME2 WITH PASSWORD='vreK.BH45'
EXECUTE sp_password #new='vreK.BH45',#loginame='SOME2'
GO
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[SOMESP]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[SOMESP]
GO