I have an existing DB2 (10.5.0) project I am migrating to Liquibase (3.4.1), and I want to export my existing schema.
However, it is skipping the GRANTs. How do I get those?
Also, when I create new tables, indices, etc., how can I add a GRANT to a role within my changeLogFile.xml?
Liquibase does not currently support GRANTs as they are a database-specific concept. You would need to write the GRANT statements using the <sql> or <sqlFile> change types.
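As an added example (not from the question or the answer above), here is the same idea written as a Liquibase "formatted SQL" changelog, which Liquibase 3.x can pull into changeLogFile.xml with an <include> or whose statements can be pasted into an <sql> change type. The schema APP, the table APP.ORDERS, the role APP_RW and the author name are placeholders; the DB2 GRANT ... TO ROLE syntax is what the grant itself relies on.

```sql
--liquibase formatted sql

-- Added example: create a table and grant a role only the privileges the
-- application needs. APP, APP.ORDERS, APP_RW and the author "dba" are
-- placeholders, not values from the original question.

--changeset dba:create-orders dbms:db2
CREATE TABLE APP.ORDERS (
    ID        INTEGER       NOT NULL PRIMARY KEY,
    CUSTOMER  VARCHAR(64)   NOT NULL,
    TOTAL     DECIMAL(10,2) NOT NULL
);
--rollback DROP TABLE APP.ORDERS;

-- runOnChange lets the grant list be edited later and re-applied without a
-- checksum failure; only CRUD is granted, no ALTER, INDEX or CONTROL.
--changeset dba:grant-orders-app-rw dbms:db2 runOnChange:true
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE APP.ORDERS TO ROLE APP_RW;
--rollback REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLE APP.ORDERS FROM ROLE APP_RW;
```

Keeping the GRANT in its own changeSet right after the CREATE TABLE means the privilege travels with the object through every environment, and the explicit --rollback keeps liquibase rollback symmetric.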
I have a PostgreSQL database, which I am accessing with my spring application, that uses hibernate.
For security reasons I'd like to create a user that has only the necessary right (principle of least privilege).
I couldn't find anything about the rights hibernate needs to operate.
To be a bit more specific, the user should allow Hibernate to:
do CRUD operations
create all the tables and necessary stuff I don't even know about
When I search for it, I could only find tutorials that use the postgres superuser, or that are about creating user and role entities, which have nothing at all to do with the connecting user.
Hibernate runs SELECT, INSERT, UPDATE and DELETE statements. So the user will need (at least) those four privileges on the tables in question.
If the user should also create the tables, then the CREATE privilege on the schema is needed.
An overview of the privilege system is available in the manual, and details about each privilege are documented with the GRANT statement.
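An added example (not from the answer above) of what that least-privilege login looks like in PostgreSQL DDL. The role hibernate_app, the database appdb, the schema app and the password are placeholders; the sequence grant is there because Hibernate's identifier generators call nextval(), which the answer does not mention.

```sql
-- Added example: least-privilege login for a Hibernate application.
-- hibernate_app, appdb, app and the password are placeholders.
CREATE ROLE hibernate_app LOGIN PASSWORD 'replace-me';

-- Reach the database and the schema; CREATE on the schema is what lets
-- Hibernate's hbm2ddl create tables and sequences there, and nowhere else.
GRANT CONNECT ON DATABASE appdb TO hibernate_app;
GRANT USAGE, CREATE ON SCHEMA app TO hibernate_app;

-- The four statement types Hibernate issues, on tables created by someone
-- else (tables hibernate_app creates itself are owned by it and need no grant).
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO hibernate_app;

-- Sequence-based id generators need nextval(), which requires USAGE.
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO hibernate_app;

-- Stop PUBLIC from creating objects in the public schema, and make the
-- application resolve unqualified names in its own schema first.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER ROLE hibernate_app SET search_path = app, public;
```

Nothing here grants TRUNCATE, REFERENCES or TRIGGER, and no privilege is granted on the database or on other schemas, so a compromised application credential is confined to the tables in app.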
I am new to Postgres and want to know if there is a way to CREATE a DB USER in such a way that it will have access to ALL the SCHEMAS, including those which are not created yet; I mean access to all the current and future schemas. I have multiple schemas in my Postgres DB which have the same tables. If the above is possible, I want this user to have SELECT, INSERT, UPDATE on only 2 tables in the existing and future created schemas.
You can use ALTER DEFAULT PRIVILEGES to give a user permissions on future schemas and tables, but you cannot restrict that to certain table names.
You may be able to do that with an event trigger.
Personally, I would put GRANT statements into the code that creates the tables.
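As an added example of the event-trigger route mentioned above (not code from the answer), this grants a role on newly created tables only when their name is on an allow-list, whatever schema they land in. The role app_reader and the table names orders and customers are placeholders; it assumes PostgreSQL 9.5 or later for pg_event_trigger_ddl_commands(), and creating event triggers requires superuser.

```sql
-- Added example: grant app_reader on future tables named orders or
-- customers in any schema. Names are placeholders.
CREATE OR REPLACE FUNCTION grant_app_reader_on_new_tables() RETURNS event_trigger AS $$
DECLARE
    cmd record;
BEGIN
    -- At ddl_command_end the new table already exists, so it can be joined
    -- to pg_class to read its bare name; object_identity is already
    -- schema-qualified and quoted for use in the GRANT.
    FOR cmd IN
        SELECT c.schema_name, c.object_identity, r.relname
        FROM pg_event_trigger_ddl_commands() AS c
        JOIN pg_class r ON r.oid = c.objid
        WHERE c.object_type = 'table'
          AND r.relname IN ('orders', 'customers')   -- the allow-list
    LOOP
        -- USAGE on the (possibly brand-new) schema, then only the three
        -- privileges asked for; DELETE is deliberately left out.
        EXECUTE format('GRANT USAGE ON SCHEMA %I TO app_reader', cmd.schema_name);
        EXECUTE format('GRANT SELECT, INSERT, UPDATE ON %s TO app_reader', cmd.object_identity);
    END LOOP;
END;
$$ LANGUAGE plpgsql;

CREATE EVENT TRIGGER app_reader_grants
    ON ddl_command_end
    WHEN TAG IN ('CREATE TABLE', 'CREATE TABLE AS')
    EXECUTE PROCEDURE grant_app_reader_on_new_tables();
```

The filter lives in one place, so extending the allow-list is a one-line change, and unlike ALTER DEFAULT PRIVILEGES nothing is granted on tables outside it.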
I am using the ddlgen tool to get DDLs of whole databases. Now I need to re-generate the databases in another location (structure only).
Can anyone help me to re-create database schema in another location?
ddlgen creates SQL scripts.
To recreate your database structure, just run the scripts in the correct order against your new system.
isql -Uusername -Sservername -iDDLGenScript.sql
If you have multiple scripts, then this is the recommended order from the SAP ASE documentation:
Segment
Group
User
Rules
Defaults
UDDs
Encrypted Keys
User Tables
Proxy Tables
Triggers
Functions and Views
All functions without any dependency
All views without any dependency
All functions and all views with any dependency on any objects
Instead of trigger
Stored Procedures
Extended Stored Procedures
PRS
User Defined Web Services
I have a Postgresql database for a web application. The database is owned by a particular user on the system, let's say foouser. As the owner, this user has full permissions on the database.
The server also has another user, let's say webappuser, which is the user under which the application server runs. Instead of specifying a username and password in the web application's config file, I want to use "peer" authentication. I have gotten the authentication to work properly, but I ran into the following issue.
When I created the webappuser role in Postgresql, I granted it LOGIN permission as well as GRANT ALL ON DATABASE foo TO webappuser; and within the database GRANT ALL ON SCHEMA public TO webappuser;.
The issue that I am having is with the table permissions. Unlike MySQL which allows access by default to all tables if you have access to the database (a reasonable assumption in my opinion), Postgresql denies access to all of the tables even though permission has been given on the schema and the database. In order to get around this, I have to explicitly grant permissions on all new tables, views, procedures, etc. that I create using GRANT ALL ON TABLE table_name TO webappuser; (and similarly for views, etc.).
It ends up that any time I run a database migration, I have to add the permissions to the database for the new tables that were created. The problem is that I can't add this permission information to the migrations themselves because developer machines don't have that additional user. In any case, that really looks like the wrong way of doing things.
How can I allow access to the database tables from this additional user without needing manual intervention every time a table, view, procedure, etc. is created?
BONUS POINTS: Is there a way to restrict the user's permission to only CRUD operations instead of full permissions and still do the whole thing automatically?
Without experience with the specifics of Laravel migrations: When you do migrations on the same server there should be no problem, so long as the permissions are also migrated, because the webappuser is available cluster-wide.
When migrating to a different server you need to create the user on that new server and set the permissions for all migrated objects. You basically have two ways to do that.
The first is to set default privileges on the tables in the schema before you migrate or GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA sch_name TO webappuser after the migration. Default privileges are set with:
ALTER DEFAULT PRIVILEGES IN SCHEMA sch_name
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO webappuser;
Both commands are fully SQL-standard compliant so you should have no problems across compliant architectures.
Keep in mind that any other tables created in the same schema will also have privileges set for webappuser. Setting privileges this way for an "untrusted" user (the person using the web application) is not recommended in a production environment because of potential privilege leaks; in a development environment it may be acceptable.
The second - which I would favour personally - is to write a stored procedure that sets the appropriate permissions. Do the migration, run the stored procedure once and you should be up-and-running. This gives you more control over the permission granting. The procedure could be something like:
CREATE FUNCTION grant_webapp_privileges() RETURNS void AS $$
-- Create the webappuser, if necessary
CREATE ROLE webappuser LOGIN;
-- Grant privileges on all required objects
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE table1 TO webappuser;
...
$$ LANGUAGE SQL;
On the master database you simply need to keep the stored procedure up-to-date when you create or drop new relations. If Laravel supports insertion of code blocks not in the schema you are migrating, you can make the above procedure an anonymous code block that gets executed after the migration.
(As an aside, I NEVER give webappuser-like roles CRUD access. Instead I always provide access through views that hide some of the underlying data model specifics, such as a person having an address, contact_information and other details; the view serves it all up in one big row. That way you can easily change the underlying relations and update the view, rather than having to tweak your web application. Same principle really as OOP and easier to manage privileges.)
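As an added example (not the answer's own code), here is an idempotent version of the grant procedure sketched above, combined with the default-privileges approach from the first option so that tables created by later migrations need no manual step. Assumed names: schema app, login role webappuser, and migrations_owner as the role that runs the migrations and therefore owns the tables.

```sql
-- Added example: re-runnable grant procedure. app, webappuser and
-- migrations_owner are placeholders.
CREATE OR REPLACE FUNCTION grant_webapp_privileges() RETURNS void AS $$
DECLARE
    t record;
BEGIN
    -- CREATE ROLE has no IF NOT EXISTS, so check pg_roles first; that makes
    -- the function safe to call after every migration.
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'webappuser') THEN
        CREATE ROLE webappuser LOGIN;
    END IF;

    GRANT USAGE ON SCHEMA app TO webappuser;

    -- CRUD only (no TRUNCATE, REFERENCES or TRIGGER) on every current table;
    -- pg_tables lists tables but not views, which stay ungranted here.
    FOR t IN SELECT schemaname, tablename FROM pg_tables WHERE schemaname = 'app'
    LOOP
        EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON %I.%I TO webappuser',
                       t.schemaname, t.tablename);
    END LOOP;
    GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO webappuser;

    -- Tables and sequences that migrations_owner creates later in app get the
    -- same privileges automatically, which covers the "no manual
    -- intervention" requirement and the CRUD-only bonus.
    ALTER DEFAULT PRIVILEGES FOR ROLE migrations_owner IN SCHEMA app
        GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO webappuser;
    ALTER DEFAULT PRIVILEGES FOR ROLE migrations_owner IN SCHEMA app
        GRANT USAGE, SELECT ON SEQUENCES TO webappuser;
END;
$$ LANGUAGE plpgsql;

-- Run once after each migration:
SELECT grant_webapp_privileges();
```

ALTER DEFAULT PRIVILEGES FOR ROLE only applies to objects created by that role, and the caller must be that role, a member of it, or a superuser; so the function is run by the migration account, not by webappuser.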
I have a PostgreSQL database that is set up using Liquibase. When I run liquibase:dropAll using Maven, it drops everything except trigger functions. Is there a way to have that Maven goal also drop trigger functions?
When I reapply my changeset after the dropAll, it fails to create the already existing functions.
Unfortunately no. The way dropAll is implemented is that it uses the Liquibase snapshot function to find all objects to drop, which works fine except for object types not looked for by snapshot. Snapshot handles standard types like tables, columns, views, and sequences but does not get into more database-specific types like triggers, functions, procedures, user-defined types, etc. Since snapshot does not know about triggers, dropAll cannot know to drop them.
If you are using PostgreSQL, the easiest way may be to just run
drop schema public cascade;
create schema public;
as described in "Drop all tables in PostgreSQL?" rather than use Liquibase dropAll.
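If dropping the whole schema is too blunt (other objects or grants in public that should survive), an added example (not from the answer above) that removes only the trigger functions dropAll leaves behind, so the changeSets can be re-applied. It assumes the functions live in the public schema; CASCADE also drops the triggers that still reference them.

```sql
-- Added example: drop only the trigger functions left behind by dropAll.
-- Assumes schema public; adjust nspname for another schema.
DO $$
DECLARE
    f record;
BEGIN
    FOR f IN
        -- regprocedure renders the full signature, e.g. set_updated_at(),
        -- so overloaded functions are dropped unambiguously.
        SELECT p.oid::regprocedure AS sig
        FROM pg_proc p
        JOIN pg_namespace n ON n.oid = p.pronamespace
        WHERE n.nspname = 'public'
          AND p.prorettype = 'trigger'::regtype   -- trigger functions only
    LOOP
        RAISE NOTICE 'dropping %', f.sig;
        EXECUTE format('DROP FUNCTION %s CASCADE', f.sig);
    END LOOP;
END
$$;
```

Filtering on the trigger return type leaves ordinary functions and, on PostgreSQL 11+, procedures untouched, which is closer to what a dropAll would do if snapshot knew about triggers.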