Permission denied on schema in PostgreSQL - postgresql

I can't find why I am getting an permission denied error in my database.
The role owns the schema and has access to the table, but still the log says:
ERROR: permission denied for schema myschema at character 20
QUERY: SELECT 1 FROM ONLY "myshema"."mytable" x WHERE "id" OPERATOR(pg_catalog.=) $1 FOR KEY SHARE OF x

There is a foreign key in a table referring to a table in the schema in question, to which the table owner role does not have permission. Foreign key checks are done with the permissions of the role that own the table, not the role performing the query.
The query is actually doing the internal foreign key check.
Found an explanation on sharingtechknowledge.blogspot.fi

Related

Using CREATE SCHEMA AUTHORIZATION

Can I use CREATE SCHEMA AUTHORIZATION for something other than the current user's schema?
I can do the following:
CREATE USER MAIN_USER
IDENTIFIED BY main_user_pass;
GRANT CREATE SESSION TO MAIN_USER;
GRANT CREATE TABLE TO MAIN_USER;
ALTER SESSION SET CURRENT_SCHEMA = MAIN_USER;
Query 1:
SELECT USER FROM DUAL;
Result 1:
SYS
Query 2:
SELECT sys_context( 'userenv', 'current_schema') FROM dual;
Result 2:
MAIN_USER
I can do this:
CREATE SCHEMA AUTHORIZATION SYS
CREATE TABLE new_product
(color VARCHAR2(10) PRIMARY KEY);
Result:
Schema AUTHORIZATION created.
But when I try to do this, an error appears:
CREATE SCHEMA AUTHORIZATION MAIN_USER
CREATE TABLE new_product
(color VARCHAR2(10) PRIMARY KEY);
Result:
ORA-02421: missing or invalid schema authorization identifier
02421. 00000 - "missing or invalid schema authorization identifier"
*Cause: the schema name is missing or is incorrect in an authorization
clause of a create schema statement.
*Action: If the name is present, it must be the same as the current
schema.
The error message is pretty clear: you can't do that. From the documentation:
The schema name must be the same as your Oracle Database username.
Setting current_schema only changes the default schema name prepended to an object reference in a SQL command that isn't fully qualified, so after setting it to MAIN_USER, this command:
select * table table_a;
would be interpreted as
select * from main_user.table_a;
instead of
select * from sys.table_a;
Setting current_schema doesn't actually change your logged in identity or affect your privileges in any way, and if sys can't execute a command like that against another schema then nobody can do it.
Can I use CREATE SCHEMA AUTHORIZATION for something other than the current user's schema?
No, you can't. The documentation says:
Use the CREATE SCHEMA statement to create multiple tables and views and perform multiple grants in your own schema in a single transaction.
This statement lets you populate your schema ...
Specify the name of the schema. The schema name must be the same as your Oracle Database username.
You have to be connected as the schema owner, so user returns MAIN_USER. Just changing your current schema with ALTER SESSION SET CURRENT_SCHEMA is not sufficient.
It also says:
To issue a CREATE SCHEMA statement, you must have the privileges necessary to issue the included statements.
and you have granted CREATE TABLE so that should work once you connect as that user. But it means you can't rely on the privileged SYS user's CREATE ANY privs to bypass the schema grants, which might have been an advantage had it been allowed to work as you hoped; if you want your user to end up without those privileges you'll have to grant them, run CREATE SCHEMA as that user, then revoke them again. Or go back to individual CREATE object statements, which you can run for another user as SYS - but without the all-or-nothing single-transaction benefit you get from CREATE SCHEMA.

Grant privileges on tables in other database

Context
I want to grant privileges to a specific user, on the public schema in database mydb.
Currently, I connect as user postgres on database mydb, and run :
GRANT insert, update, delete, truncate ON ALL TABLES IN SCHEMA public TO myuser
My Issue
I would feel more comfortable naming the target database in the query, rather than relying on the connection being on the correct database.
For example, I wouldn't want to accidentally give accesses on the postgres database, rather than on mydb.
Question
Is there a way to target tables in another database in a GRANT query ?
I couldn't find a way to do so in the doc (perhaps I overlooked a paragraph ?) and the following do not work :
# grant insert on all tables in schema mydb.public to myuser;
ERROR: syntax error at or near "."
LINE 1: grant insert on all tables in schema mydb.public to...
^
# grant insert on mydb.public.mytable1 to myuser;
ERROR: cross-database references are not implemented: "mydb.public.mytable1"
No, as the error message says, cross-database references are not implemented.
This is a security feature: There is no way to affect another database than the one you are connected to with an SQL statement (unless you are using something like dblink or foreign data wrappers).

Have access to table and function, but not the table within the function

I ran into a peculiar problem with my database that I haven't been able to solve since yesterday.
So I created a user that has access to the function "write_match_history()" and access to the table "match_history," and I can use this user to query match history as well as write to it directly using sql. However, when I try to run "write_match_history," I get the following error:
error: error: permission denied for relation match_history
Here are the accesses I've granted to this user:
drop OWNED by d_write;
drop user if exists d_write;
create user d_write with encrypted password 'supersecret';
grant execute on function write_match_history(a,b,c,d,e,f) to d_write;
grant usage on schema d to d_write;
grant insert on table d.match_history to d_write;
grant select on table d.match_history to d_write;
grant select on all SEQUENCES in SCHEME d to d_write;
grant insert on all tables in schema d to d_write;
grant select on all talbes in schema d to d_write;
These permissions are everything I've tried so far. Let me know if you need more information.
Thanks!
Well, what is the owner of the function write_match_history(a,b,c,d,e,f). Do it allow to insert/update on table match_history. If not, please try it. I think the problem is here.

how can we identified schema name in sybase ase 15.5?

I am trying to get schema name in sybase database.
First I have create login(user1) from sa user and than i have connect with user1 by giving login name(user1) and password now i have tried to create table by giving following command:-
create table user1.table1(
emp_id int not null,
name varchar(80) not null
)
but it was showing access denied error than i have logged-in from sa user and grant sa_role to user1 and then again i have run above mention query for create table and table were created successfully.
here I am not exactly getting that user1 is schema name or not or how can I identified schema name?
I want to also know that is there any role except sa_role for grant create insert delete table ,views and all other objects of sybase database.
Sybase ASE does not use the schema concept that SQL Server and Oracle use. Objects are located inside a database, and owned by a user - no other logical separations are there. So your syntax is wrong.
create table table1
(
emp_id int not null,
name varchar(80) not null
)
Sybase ASE Create Table
Additionally, Sybase/SAP best practices tells us all database objects should be created/owned by dbo with permissions granted to groups/roles/users to access those objects. Users who own database objects can not be removed, so if User1 gets fired, you will have to identify all the objects he owns, and change the ownership of those objects before his account can be deleted.
So for your example, the dbo user (typically sa) would create the objects, then GRANT permissions (INSERT/UPDATE/DELETE/etc) to the groups/roles/users who need access.
More information on managing user permissions can be found in the Sybase ASE System Administrators Guide Vol 1.
And more information about Roles/Groups from the System Admin Guide.

How to drop a Redshift index?

I've got a superuser account and am trying to drop an index on a Redshift table with:
DROP INDEX my_table_pkey;
But I receive a ERROR: Insufficient privileges. I'm confused because I can drop the table just fine, and I'm logged in as a Superuser.
# \du admin
List of roles
Role name | Attributes | Member of
-----------+----------------------+-----------
admin | Superuser, Create DB |
I've even tried
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;
But I still get the insufficient privileges error when I try to drop the index.
Any ideas?
Please note that as documented here, Redshift doesn't support indexes so likely as not, there's not an actual index to drop. Primary and foreign keys are for informational purposes only but are still recommend (see Defining Constraints) for the optimizer. It is up to the application though, to actually enforce the keys.
you can't drop index in Redshift.
but you can.
create your table without the index.
insert the data from the old table
change the table name