I have created two new users and a new role. Given select privilege to the role for one table in schema A and assigned this role to user b. While issuing a select query for the table in schema a with this user I am experiencing table or view not found issue.
CREATE USER READUSER1 IDENTIFIED BY readuser1;
CREATE USER READUSER2 IDENTIFIED BY readuser2;
CREATE ROLE READONLY_USER IDENTIFIED BY readonlyuser;
GRANT select ON READUSER1.TESTA TO READONLY_USER;
GRANT READONLY_USER TO READUSER2;
Now from READUSER2 session :
SELECT * FROM READUSER1.TESTA > 00942. 00000 - "table or view does not exist"
I assume that you created the table successfully in the readUser1 schema though you don't show that step.
When logged in as readUser2, what roles are enabled for the session?
select *
from session_roles
I'll wager that the role is not enabled for the session. Normally, you don't set passwords on roles because you normally want those roles to be available to the user as soon as they log in. If you set a password on a role, however, then every time the user creates a new session, they have to explicitly enable the role by specifying the password. That's quite useful in some unusual situations but it's not the norm.
Assuming that readonly_user does not appear in session_roles, you can enable the role using the set role command
set role readonly_user
identified by readonlyuser;
Once you've done that, the role should appear in session_roles and you should be able to query the table.
Normally, though, you'd have created a normal role not a password protected role by omitting the identified by clause
create role readonly_user;
Related
I want to drop a user who has a mapping to a database scoped credential.
When I use the command
SELECT *
FROM sys.database_scoped_credentials
I see the credentials with the principal_id of the user I want to drop.
How can I change the mapping of the principal_id to the database scoped credential?
When I use the drop command I get the following error message
The database principal has granted or denied permissions to objects in the database and cannot be dropped
It could be the user that you are trying to drop has played a role of grantor and hence you need to revoke those accesses before performing drop of user.
Try running below command to get details of grantee first:
select
permission_name,
state_desc,
object_name(major_id) as securable,
user_name(grantor_principal_id) as grantor
from sys.database_permissions
where grantee_principal_id = user_id('User Name to be dropped')
Next will be to find details on grantor using below:
select *
from sys.database_permissions
where grantor_principal_id = user_id ('User Name to be dropped');
On the basis of the result what you get from above query, you need to perform one of below:
REVOKE VIEW DEFINITION ON USER::User Name to be dropped TO public
REVOKE CONTROL ON USER::User Name to be dropped TO public
REVOKE ALTER ON USER::User Name to be dropped TO public
REVOKE ALTER ON USER::User Name to be dropped TO *grantee*
REVOKE CONTROL ON USER::User Name to be dropped TO *grantee*
REVOKE VIEW DEFINITION ON USER::User Name to be dropped TO *grantee*
Alongwith this, there could be some other type of access which might have been granted. So, you need to check the same and execute revoke accordingly.
We have an existing postgres database gsrdb in production with superuser gsr. We have been doing all the database maintenance with that user gsr. Also, the same user gsr is used by our app service to do transactions on the database.
We want to change this now. We want a separate superuser gsr_admin(whose credentials are managed by Vault) that can do the dba maintenance but still have our app service use existing user gsr.
The problem I am facing is that all the database objects so far are owned by gsr user and if I run updates, as user gsr_admin, on the database w.r.t. either table constraints or sequences it fails saying error: must be owner of relation...blah blah
How can I fix this?
So I was thinking if I could create a superuser admin group role called admin_group and reassign all the ownerships of all the database objects to it from user gsr and then alter both users gsr and gsr_admin to belong to this admin group role. Wouldn't that way everything that has been created so far would be owned by role admin_group ? And whether I create new objects as a user gsr or as gsr_admin either of them can still update the objects?
I might be wrong. Would really appreciate some inputs.
Simply run
ALTER ROLE gsr NOSUPERUSER;
ALTER ROLE gsr RENAME TO gsr_admin; -- needs a new password now
CREATE ROLE gsr LOGIN;
GRANT USAGE ON SCHEMA myschema TO gsr;
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA myschema TO gsr;
Similarly, grant USAGE on sequences and other required privileges. You may want to run some ALTER DEFAULT PRIVILEGES for future objects as well.
I'm coming to postgreSQL with a SQL Server background and was naively applying the same concepts to postgreSQL in order to allow different users to share 'by default' some objects within a database.
This is what I did:
CREATE DATABASE testdb;
CREATE ROLE testdb_role_full INHERIT;
GRANT ALL PRIVILEGES ON DATABASE testdb TO testdb_role_full;
CREATE USER user1 INHERIT;
GRANT testdb_role_full TO user1;
CREATE USER user2 INHERIT;
GRANT testdb_role_full TO user2;
Once done, I created a table t1 using the user1.
Then, I tried, as user2, to read the t1 table and I received a "permission denied error"... :-(
By reading the documentation, it seems that I have to issue a SET ROLE testdb_role_full first so as to act as the testdb_role_full.
However, this is not really that I want. I do not want the user to be aware of this.
So my question:
Is there any way to make this work?
Thanks a lot,
José
You've granted some privileges on the database, but that doesn't mean any user with the role testdb_role_full would have all privileges on all objects inside that database. To quote from the documentation:
When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted.
So after the user1 created the table t1, he is the owner and only he has the privileges on it. He would need to run
GRANT ALL PRIVILEGES ON TABLE t1 TO testdb_role_full;
then user2 would be able to access it as well (without having to switch any roles - that's only necessary when it has the NOINHERIT attribute on the role).
If you don't want your users to have to execute GRANT each time they create a new object in the database, you can alter the default privileges that will be applied whenever an object is created by user2:
ALTER DEFAULT PRIVILEGES FOR user2
GRANT ALL PRIVILEGES ON TABLES TO testdb_role_full;
Notice these specify the initial value only, and user2 could revoke the privileges on his tables if he wanted to prevent others from seeing them.
I am working around a workaround to a "feature" in IBM DB2.
This fancy database has a "feature" in it which if I try to use a CREATE TABLE statement and it doesn't find the schema, it will create this schema for me, even if I don't want it to. This bug has caused me a lot of hours in debugging, because my code right now exists with the expectation that it won't create the schema if it doesn't exist
My question is -- how do I change the permissions of a particular schema (or even during the create schema phase) which a particular user does not have access to view?
I checked out this doc..
It seems with GRANT, there are the following three permissions:
ALTERIN
Grants the privilege to alter or comment on all objects in the
schema. The owner of an explicitly created schema automatically
receives ALTERIN privilege.
CREATEIN
Grants the privilege to create
objects in the schema. Other authorities or privileges required to
create the object (such as CREATETAB) are still required. The owner of
an explicitly created schema automatically receives CREATEIN
privilege. An implicitly created schema has CREATEIN privilege
automatically granted to PUBLIC.
DROPIN
Grants the privilege to drop
all objects in the schema. The owner of an explicitly created schema
automatically receives DROPIN privilege
With only ALTERIN, CREATEIN, and DROPIN, I don't see anything relevant to view access permissions :/
EDIT:
I checked out our Dash DB database for this particular table which has these special permissions for particular users using the following SQL:
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTSCHEMA = 'FAKE_SCRATCH';
This is the result:
EDIT 2:
I tried the following to emulate Dash DB's permissions for that user for that schema:
GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA FAKE_SCRATCH TO USER TEST_USER;
Still doesn't work :/
The following SQL query executed in DB2 fixed the problem:
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
I would like to have user who can read and insert data to all tables within one schema. I've executed following SQl statements:
CREATE SCHEMA ABC;
CREATE USER MyUser with PASSWORD '12345678';
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ABC TO MyUser;
When I try to login with this user I am getting exception: Role 'MyUser' does not exists.... What is not correct here?
How to Define Privileges Upon Role Creation
Now, we are ready to recreate the "demo_role" role with altered permissions. We can do this by specifying the permissions we want after the main create clause:
CREATE ROLE role_name WITH optional_permissions;
You can see a full list of the options by typing:
\h CREATE ROLE
We want to give this user the ability to log in, so we will type:
CREATE ROLE demo_role WITH LOGIN;
CREATE ROLE
If we want to get to this state without specifying the "login" attribute with every role creation, we can actually use the following command instead of the "CREATE ROLE" command:
CREATE USER role_name;
The only difference between the two commands is that "CREATE USER" automatically gives the role login privileges.
here or here about PostgreSQL User Administration.
Thanks
UPDATE
We want to give this user the ability to log in, so we will type:
CREATE ROLE demo_role WITH LOGIN;
CREATE ROLE
If we check the attributes \du
demo_role | | {}
my user name was case sensitive. using small letters solves problem.