I'm using DB2 10.5 and have two users: db2admin and db2user. db2admin is an Administrator of the Windows 7 Operating System while db2user is a normal user. I have created a database named DB1 using db2admin and now I want to allow db2user to access the TB1 table in it.
I used the following command for that:
db2 => connect to db1 user db2admin using db2admin
db2 => grant select, insert, update, delete on tb1 to user db2user
The Result when executed following commands:
connect to db1 user db2user using db2user
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE AUTHID = SESSION_USER AND AUTHIDTYPE = 'U'
AUTHID AUTHIDTYPE PRIVILEGE GRANTABLE OBJECTNAME
DB2USER U UPDATE N TB1
DB2USER U SELECT N TB1
DB2USER U INSERT N TB1
DB2USER U DELETE N TB1
According to that result set db2user seems to have privileges to the TB1. However, when I tried to access it programmatically using db2user, following error was thrown:
DB2 SQL Error: SQLCODE=-204, SQLSTATE=42704, SQLERRMC=DB2USER.TB1
According to the error code there is no TB1 in the DB2USER schema.
Following commands confirmed that:
connect to db1 user db2user using db2user
db2 => list tables
0 record(s) selected.
What am I missing or doing wrong? Any guidance on how to get this working is much appreciated.
UPDATE: I have already tried accessing the same table with db2admin and it works perfectly. What I want to get done is to access it using db2user, but db2user shouldn't create the tables; that's db2admin's job. So how can I get that working? How can db2admin put the tables inside db2user's schema?
SQLCODE -204 means that the object cannot be found. My guess is that since you didn't provide a schema, your table was implicitly placed in the db2admin schema. Try doing
SELECT * FROM db2admin.tb1
And see if that works.
You created the table from user DB2ADMIN and the implicit schema will be used. In this case, the table is called db2admin.tb1
When you perform a select from the DB2USER, the implicit schema is the same user name, and that table does not exist.
Related
I have a problem with a select in postgres. Create a db with a new user but in pg admin when applying a query within the program it returns me
ERROR: permission denied for table users
Apply a query to give privileges with:
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO someuser;
as well as a query to give privileges to the table but nothing: /
I set up a connection to a foreign db using dblink_connect according to the docs:
CREATE SERVER fdtest FOREIGN DATA WRAPPER dblink_fdw OPTIONS (hostaddr '127.0.0.1', dbname 'foreign_test_db');
CREATE USER test_user WITH PASSWORD 'secret';
CREATE USER MAPPING FOR test_user SERVER fdtest OPTIONS (user 'test_user', password 'secret');
GRANT USAGE ON FOREIGN SERVER fdtest TO regress_dblink_user;
GRANT SELECT ON TABLE foo TO test_user;
\c - regress_dblink_user
SELECT dblink_connect('myconn', 'fdtest');
SELECT * FROM dblink('myconn','SELECT * FROM foo') AS t(a int, b text, c text[]);
The final 'GRANT SELECT' appears to infer that if it is meant to grant select permissions to local user test_user to the table foo on the fdtest foreign data wrapper. However, how I would interpret this command is that it is granting permissions to test_user to select on local table foo (which does not exist). As expected, when I run this command I get an error:
ERROR: relation "foo" does not exist
I would love to know how to actually accomplish this. I would like to be able to restrict local users to only access certain tables from a foreign data wrapper.
You'll have to connect to the remote database and run the GRANT statement there.
Of course you could do that via dblink, but then you'd have to connect with a superuser or the owner of the table.
The connection they show is a loop back connection, it just connects back to the same server and (apparently) database you are already in. This is useful for testing purposes. So granting the permission on the local server is the same thing as granting it on the remote server, as they are the same server.
They do not show the creation of the table, you can find it in the regression test contrib/dblink/sql/dblink.sql (from which the example in the doc derives) as:
CREATE TABLE foo(f1 int, f2 text, f3 text[], primary key (f1,f2));
When creating a new user on our Potgis enabled database I run into the strange issue that that new user cannot access the postgis extension while earlier created users can.
With my user account I get the following output:
mydb => SELECT postgis_version();
postgis_version
---------------------------------------
2.3 USE_GEOS=1 USE_PROJ=1 USE_STATS=1
(1 row)
With the new user I get the following:
mydb => SELECT postgis_version()
mydb-> ;
ERROR: function postgis_version() does not exist
LINE 1: SELECT postgis_version()
^
HINT: No function matches the given name and argument types. You might need to add explicit type casts.
Also QGIS is giving me hint that postgis is not active:
2018-01-23T16:38:13 1 No PostGIS support in the database.
I am connecting to the exact same database.
The user does have access to the public schema and to the geometry_columns table.
I am a bit lost here since according to my info Postgis is an extansion on the database level and it should be there for all users.
The PostGIS extension must be installed in a schema that must also be in the user search path.
You can check where it is installed with the command
select e.extname,n.*
from pg_extension e, pg_namespace n
where e.extnamespace = n.oid and e.extname='postgis';
And you can check if the schema where it is installed is in the user search path by issuing
show search_path;
If not, you can permanently add the path by altering the user.
ALTER USER username SET search_path TO "$user", public, postgis_schema;
As the previous command takes effect at the next login only, you can apply it immediately by applying
SET search_path TO "$user", public, postgis_schema;
I am trying to edit PostgreSQL schema script and make it executable in Oracle (Oracle Express). In PostgreSQL were under the each CREAT TABLE these commands:
ALTER TABLE table_name OWNER TO user;
For example table_name is appuser and user is projectX.
The table is successfully created, but there is an error: ORA-01735: invalid ALTER TABLE option
I have also created another user in my scheme (projectX), but the error is still there. So I am confused. Does this command ALTER TABLE table_name OWNER TO user; even exists in Oracle database?
How do you view users that have been issued GRANT CONNECT ON DATABASE <database> TO <user>?
\dp - lists table/view permissions
\dn+ - lists schema permissions
\l+ does not list all users that can access the database
A bit odd if the \l+ command just displays some of the users that have permission/privilege to connect to the database. I could not repeat that myself on a PostgreSQL 8.4 installation (Ubuntu 10.04 LTS). What version are you using?
Anyway, perhaps you could check the table holding the ACL's for that particular database and from that deduce whether the user has the correct privileges or not:
SELECT datname as "Relation", datacl as "Access permissions" FROM pg_database WHERE datname = 'databasename';
If you just want to check one user you could do something like this:
SELECT * FROM has_database_privilege('username', 'database', 'connect');
How are the permissions/privileges to interpreted? The privileges are to be read like this:
user = privileges / granted by
Omitting user means that PUBLIC is granted the privilege, ie all roles. For example if the privilege is =Tc/postgres then all roles may connect and create temporary tables in that particular database and it is the postgres user who granted the privilege.
There is a synopsis at the PostgreSQL site explaining the different privileges: https://www.postgresql.org/docs/current/ddl-priv.html#PRIVILEGE-ABBREVS-TABLE.
rolename=xxxx -- privileges granted to a role
=xxxx -- privileges granted to PUBLIC
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege
/yyyy -- role that granted this privilege
I'm using psql from postgres 8.4 and postgres 9.0, and the command \l or \l+ gives me column Access Privileges where I have entry:
<user_name>=c/<database_name>
and earlier I gave the user the connect privilege as you wanted.
As it states on the page http://www.postgresql.org/docs/9.0/static/sql-grant.html, the c letter here means Connect.