Error in DB2 on z/OS revoke - db2

I am observing weird behavior with db2 z/OS revoke operation.
Suppose I create a user, assign some privileges and then try to drop the user, or try to revoke some of the privileges; I get the error
"DB2 SQL Error: SQLCODE=-556, SQLSTATE=42504, SQLERRMC=USER3;CREATETAB; ON DSN00016;TESTJDBC, DRIVER=3.67.28"
As per the error code, it means "Cannot revoke a privilege that the user does not possess".
But I see that privilege assigned to the user.
And if I assign the same privilege and then try revoking it, it revokes successfully.
Help me with this.

If someone else granted the privilege, then DB2 may be complaining that you weren't the grantor. You might try adding BY <other_grantor>, or just BY ALL to the end of your REVOKE.
Here's the relevant snippet from Knowledge Center:
If the BY clause is not specified, the authorization ID of the statement must have granted at least one of the specified privileges to every authorization-name specified in the FROM clause (including PUBLIC, if specified). If the BY clause is specified, the authorization ID of the statement must have SECADM or ACCESSCTRL authority.
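The situation the answer describes, as an added DB2 for z/OS example (not code from the original post): the privilege was granted by a different authorization ID, so the plain REVOKE fails with -556 and the BY clause is needed. Names USER3, CREATETAB and DSN00016 come from the question; the grantor id SECADM1 and the revoking id TESTJDBC (the last token in the SQLERRMC) are assumptions, as are the SYSIBM.SYSDBAUTH column names.

```sql
-- Session 1, running as SECADM1: the grant is recorded with GRANTOR = SECADM1.
GRANT CREATETAB ON DATABASE DSN00016 TO USER3;

-- Session 2, running as TESTJDBC: TESTJDBC never granted this privilege,
-- so without a BY clause the revoke is rejected with SQLCODE -556 even
-- though the catalog shows that USER3 holds CREATETAB.
REVOKE CREATETAB ON DATABASE DSN00016 FROM USER3;

-- Before revoking, look up who actually granted it (catalog table
-- SYSIBM.SYSDBAUTH; column names are assumed from the z/OS catalog).
SELECT GRANTOR, GRANTEE, NAME, CREATETABAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEE = 'USER3'
   AND NAME    = 'DSN00016';

-- Either name the grantor explicitly ...
REVOKE CREATETAB ON DATABASE DSN00016 FROM USER3 BY SECADM1;

-- ... or revoke every grant of that privilege regardless of who made it.
-- Both BY forms require SECADM or ACCESSCTRL authority for the revoking id.
REVOKE CREATETAB ON DATABASE DSN00016 FROM USER3 BY ALL;
```

Revoking with BY ALL also removes grants made by other ids that the catalog query did not list, so run the SELECT first when you need to keep some of them.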

Related

How to revoke administrator functions for specific user while create postgres user

I want to revoke the administrator or executive functions from a specific user in Postgres during user creation in Java.
For example, let's have a user with read-only privileges, "readonlyuser", and I don't want him to execute these functions. So I tried the following to revoke, first all functions and then pg_sleep alone.
REVOKE EXECUTE ON FUNCTIONS FROM readonlyuser, public;
REVOKE EXECUTE ON FUNCTION pg_sleep FROM readonlyuser;
like below,
String sql = "CREATE USER 'readonlyuser' WITH ENCRYPTED PASSWORD 'pass';";
Statement stmt = connection.createStatement();
stmt.execute(sql);
stmt.execute("REVOKE EXECUTE ON FUNCTIONS FROM 'readonlyuser', public");
or
stmt.execute("REVOKE EXECUTE ON FUNCTION pg_sleep FROM readonlyuser;");
But I am still able to execute functions as readonlyuser.
Please help me out to know how I can achieve this.
REVOKE EXECUTE ON FUNCTIONS is not correct SQL, so let me take pg_sleep as an example.
pg_sleep has the default permissions, since
SELECT proacl FROM pg_proc WHERE proname = 'pg_sleep';
returns NULL. The documentation has that
the default privileges granted to PUBLIC are as follows: [...] EXECUTE privilege for functions and procedures
So the privilege is granted to PUBLIC. Now you can only revoke a privilege that was granted, so the attempt to revoke the privilege from readonlyuser achieves nothing. You'd have to revoke the privilege from PUBLIC.
Be warned that you should not change the privileges of system functions. Such changes will be lost during an upgrade. Also, it may break client tools that expect to be able to use these functions. Note that functions that are considered dangerous are restricted to privileged users anyway.
If your goal is to keep users that can run SQL statements on your database from performing denial-of-service attacks, forget it. There is no way you can do that. Restricting access to certain functions is your least worry in that case. Don't let untrustworthy users run their own SQL statements on your database.
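To make the answer's point concrete, an added PostgreSQL example (not code from the original post): the per-user REVOKE on pg_sleep is a no-op because the EXECUTE grant belongs to PUBLIC, and the sane pattern is to lock down your own functions rather than system ones. Role readonlyuser is from the question; schema app, function app.expensive_report() and role app_reporter are assumed.

```sql
-- 1. Who may execute pg_sleep? PUBLIC holds EXECUTE by default, so the
--    per-user check is true although readonlyuser was never granted anything.
SELECT has_function_privilege('readonlyuser', 'pg_sleep(double precision)', 'EXECUTE');

-- 2. Revoking from a role that was never granted the privilege changes
--    nothing: the grant is recorded for PUBLIC, not for readonlyuser,
--    so the same check is still true afterwards.
REVOKE EXECUTE ON FUNCTION pg_sleep(double precision) FROM readonlyuser;
SELECT has_function_privilege('readonlyuser', 'pg_sleep(double precision)', 'EXECUTE');

-- 3. For your own functions, take EXECUTE away from PUBLIC and grant it
--    back only to the roles that need it.
CREATE SCHEMA IF NOT EXISTS app;
CREATE OR REPLACE FUNCTION app.expensive_report() RETURNS bigint
    LANGUAGE sql AS 'SELECT count(*) FROM pg_class';
REVOKE EXECUTE ON FUNCTION app.expensive_report() FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.expensive_report() TO app_reporter;   -- assumed role
-- readonlyuser is now denied, app_reporter is allowed:
SELECT has_function_privilege('readonlyuser', 'app.expensive_report()', 'EXECUTE');
SELECT has_function_privilege('app_reporter', 'app.expensive_report()', 'EXECUTE');

-- 4. Make that the default for functions the current role creates in the
--    schema later. Plural "ON FUNCTIONS" is valid only here and in
--    "REVOKE ... ON ALL FUNCTIONS IN SCHEMA ...", not in a plain REVOKE.
ALTER DEFAULT PRIVILEGES IN SCHEMA app REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```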

postgres grant on functions issue

So I am having an issue that I wanted to clear up. I am granting access to a user in postgres, but I only want that user to be able to execute functions.
I have the following code:
GRANT USAGE ON SCHEMA not_public TO test_id;
GRANT USAGE ON SCHEMA public TO test_id;
GRANT EXECUTE ON FUNCTION testFunction TO web_reporting_id;
When this is run, though, and I try to run the function as that user, I get a permissions error on the first table the function tries to read from.
I know in some DB languages you only need to grant permissions on the functions/procedures and not the underlying objects. In Postgres, do I need to grant permissions on the tables too? Or do I need to update my grant scripts?
Thanks!
Normally, functions run with the privileges of the user calling them, so all SQL statements in them will be executed by that user.
You could define the function as SECURITY DEFINER to have it run with the privileges of the function owner, but then you must use the SET clause of CREATE FUNCTION to fix the search_path for the duration of the function execution for security reasons.
Also note that by default, everybody (PUBLIC) has execute privileges on functions, so you might want to revoke that.
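The SECURITY DEFINER approach from the answer, as an added example (not code from the original post): the function runs as its owner, so the caller needs no privileges on the underlying table, and the search_path is pinned for the duration of the call. Schema not_public and role test_id come from the question; table not_public.sales(region, amount) is assumed, and the statements are run as the role that owns that table.

```sql
GRANT USAGE ON SCHEMA not_public TO test_id;

CREATE OR REPLACE FUNCTION not_public.sales_total(p_region text)
RETURNS numeric
LANGUAGE sql
STABLE
SECURITY DEFINER                       -- runs with the owner's privileges, not the caller's
SET search_path = pg_catalog, pg_temp  -- fixed for the call: an unqualified name
                                       -- cannot be resolved to an object the caller
                                       -- planted in a schema searched earlier
AS $$
    SELECT coalesce(sum(amount), 0)
      FROM not_public.sales            -- schema-qualified on purpose
     WHERE region = p_region;
$$;

-- PUBLIC gets EXECUTE on new functions by default; restrict it to test_id.
REVOKE EXECUTE ON FUNCTION not_public.sales_total(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION not_public.sales_total(text) TO test_id;

-- As test_id: the function call succeeds through the definer's rights,
-- while a direct read of the table is still denied (no SELECT was granted).
SET ROLE test_id;
SELECT not_public.sales_total('EMEA');
SELECT * FROM not_public.sales;
RESET ROLE;
```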

PostgreSQL Error [42501]: ERROR: must be owner of relation table

I am maintaining a database 'db' in which there are around 100 tables. I have one superuser 'A', and 'A' is the owner of all tables. How can I give ALTER permission to a new user 'B' on a single table without inheriting all permissions from 'A'?
I tried providing GRANT A TO B;. This grant gave all permissions from 'A' to 'B'. I want the above scenario restricted to one particular table.
Is this possible?
The documentation recently acquired this explanation:
The right to modify or destroy an object is inherent in being the object's owner, and cannot be granted or revoked in itself. (However, like all privileges, that right can be inherited by members of the owning role; see Section 21.3.)
So the only people who can run ALTER TABLE are:
Superusers
the table owner
members of the table owner role
So GRANT a TO b is the only way to give somebody the privilege.
You might be able to use a SECURITY DEFINER function that belongs to a, but be careful with that.
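An added example (not code from the original answer) that applies the mechanism the answer names, membership in the owning role, but scopes it to one table: a dedicated NOLOGIN role owns just that table, and b becomes a member of it instead of a member of the superuser a. Roles a and b are from the question; table public.orders, table public.customers and role orders_owner are assumed.

```sql
-- Run as a (superuser).
CREATE ROLE orders_owner NOLOGIN;              -- owns nothing except this one table
ALTER TABLE public.orders OWNER TO orders_owner;
GRANT USAGE ON SCHEMA public TO orders_owner;  -- the owner still needs schema access

-- b inherits the owner rights of orders_owner, i.e. ALTER/DROP on public.orders only.
GRANT orders_owner TO b;

-- Verify. As b: the first ALTER is allowed through orders_owner, the second
-- still fails with "must be owner of relation customers", because b holds
-- none of a's rights and is not a member of a.
SET ROLE b;
ALTER TABLE public.orders    ADD COLUMN note text;
ALTER TABLE public.customers ADD COLUMN note text;
RESET ROLE;

-- b is a member of orders_owner but not of a.
SELECT pg_has_role('b', 'orders_owner', 'MEMBER') AS owns_orders,
       pg_has_role('b', 'a',            'MEMBER') AS inherits_a;
```

Because ownership also implies the right to GRANT on the table, b can hand out privileges on public.orders to others; if that is unwanted, see the event-trigger question below.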

Forbid the owner of a user from GRANTing on that table

I'm trying to allow a database user to be able to alter/drop (certain) tables, but not GRANT privileges on them. Is this possible?
It looks like they need to be the owner of the tables, but from https://www.postgresql.org/docs/current/sql-grant.html
The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too.
This sounds like it's not possible. However, is this definitely the case? Is there some way with triggers for example to make certain GRANTs fail?
Yes, only the owner of a table or a superuser can ALTER or DROP it, and these users can always GRANT privileges on the table.
Your only option is to create an event trigger that fires on GRANT and throws an error for the tables where it should be forbidden.
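The event trigger the answer suggests, as an added example (not code from the original answer): GRANT and REVOKE on tables are rejected when issued by a delegated-owner role, which keeps its owner rights to ALTER and DROP. The role name delegated_owner is assumed; event triggers have to be created by a superuser. One caveat a practitioner should know: pg_event_trigger_ddl_commands() reports no object identity for GRANT/REVOKE, so the check below is per role, not per table.

```sql
CREATE OR REPLACE FUNCTION forbid_delegated_grants()
RETURNS event_trigger
LANGUAGE plpgsql AS $$
DECLARE
    cmd record;
BEGIN
    FOR cmd IN SELECT command_tag, object_type
                 FROM pg_event_trigger_ddl_commands()
    LOOP
        IF cmd.object_type = 'TABLE'
           AND pg_has_role(current_user, 'delegated_owner', 'MEMBER')
           AND NOT (SELECT rolsuper FROM pg_roles WHERE rolname = current_user)
        THEN
            -- ddl_command_end runs inside the GRANT's transaction, so raising
            -- here rolls the GRANT back.
            RAISE EXCEPTION '% on tables is not permitted for role %',
                            cmd.command_tag, current_user
                  USING ERRCODE = 'insufficient_privilege';
        END IF;
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER forbid_delegated_grants_trg
    ON ddl_command_end
    WHEN TAG IN ('GRANT', 'REVOKE')
    EXECUTE FUNCTION forbid_delegated_grants();   -- EXECUTE PROCEDURE on PostgreSQL < 11
```

A superuser can still drop or disable the trigger, so this constrains delegated owners, not administrators.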

Altering view/access permissions for a schema in DB2

I am working on a workaround to a "feature" in IBM DB2.
This fancy database has a "feature" in which, if I try to use a CREATE TABLE statement and it doesn't find the schema, it will create the schema for me, even if I don't want it to. This bug has cost me a lot of hours of debugging, because my code right now exists with the expectation that it won't create the schema if it doesn't exist.
My question is: how do I change the permissions of a particular schema (or even during the create schema phase) so that a particular user does not have access to view it?
I checked out this doc.
It seems with GRANT, there are the following three permissions:
ALTERIN
Grants the privilege to alter or comment on all objects in the schema. The owner of an explicitly created schema automatically receives ALTERIN privilege.
CREATEIN
Grants the privilege to create objects in the schema. Other authorities or privileges required to create the object (such as CREATETAB) are still required. The owner of an explicitly created schema automatically receives CREATEIN privilege. An implicitly created schema has CREATEIN privilege automatically granted to PUBLIC.
DROPIN
Grants the privilege to drop all objects in the schema. The owner of an explicitly created schema automatically receives DROPIN privilege.
With only ALTERIN, CREATEIN, and DROPIN, I don't see anything relevant to view access permissions :/
EDIT:
I checked our Dash DB database for this particular table, which has these special permissions for particular users, using the following SQL:
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTSCHEMA = 'FAKE_SCRATCH';
This is the result:
EDIT 2:
I tried the following to emulate Dash DB's permissions for that user for that schema:
GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA FAKE_SCRATCH TO USER TEST_USER;
Still doesn't work :/
The following SQL query executed in DB2 fixed the problem:
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
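An added DB2 (LUW) example (not code from the original post) that puts the fix in context: confirm that PUBLIC holds IMPLICIT_SCHEMA, remove it, then create the schema explicitly and grant only the schema privileges a user needs. Schema FAKE_SCRATCH and user TEST_USER are from the question; the catalog views SYSCAT.DBAUTH and SYSCAT.SCHEMAAUTH and their column names are taken from the DB2 LUW catalog, and the statements are run as a database administrator.

```sql
-- 1. Is implicit schema creation open to everyone? IMPLSCHEMAAUTH = 'Y'
--    for PUBLIC is what lets a CREATE TABLE silently create a new schema.
SELECT GRANTEE, GRANTEETYPE, IMPLSCHEMAAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

-- 2. Close that door (the fix from the post). From now on a CREATE TABLE
--    that names a schema which does not exist fails with an authorization
--    error instead of creating the schema.
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- 3. Create the schema explicitly. The administrator running this becomes
--    the owner and receives ALTERIN, CREATEIN and DROPIN automatically;
--    TEST_USER receives only what is granted here (no ALTERIN).
CREATE SCHEMA FAKE_SCRATCH;
GRANT CREATEIN, DROPIN ON SCHEMA FAKE_SCRATCH TO USER TEST_USER;

-- 4. Verify who can do what in the schema.
SELECT GRANTEE, GRANTEETYPE, ALTERINAUTH, CREATEINAUTH, DROPINAUTH
  FROM SYSCAT.SCHEMAAUTH
 WHERE SCHEMANAME = 'FAKE_SCRATCH';
```

Schemas that were already created implicitly keep the CREATEIN grant to PUBLIC mentioned in the quoted doc; revoke it per schema with REVOKE CREATEIN ON SCHEMA ... FROM PUBLIC if that is not wanted.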