I need to grant the permissions add, update and delete to a user called "test" in a database which I'm connected to.
What would be the syntax? I've tried:
db2 grant add, update, delete on database to test
Without luck.
I'm using DB2 10 in AIX (command line)
You have to check the kind of permissions you can grant in a database and its objects.
I suppose "add" is insert, but that is granted over a table, not a database. The same for update and delete.
You can give permission to yourself, only if you have a supperior authority, such as sysadm, dbadm or secadm (depends on the DB2 version, and security configured).
For example:
db2 grant insert, update, delete on table db2inst1.emp to user test
To grant all DML permission on table emp in schema db2inst1
If you want to grant that to all tables, you should generate the grant sentences:
db2 -x +o -z commands.sql "select 'grant insert, update, delete on table ' || trim(tabschema) || '.' || trim(tabname) || ' to user test;' from syscat.tables where type = 'T'" >
db2 -tvf commands.sql
First command generated dinamycally all grants just by accesing the catalog. The second one, is the execution of the output of the first command.
You could eventually execute both commands in one line via a pipe, but there is a Unix limit that blocks the output.
db2 -x "select 'grant inser... ... pe = 'T'" | db2 +p -tv
Grant info - http://publib.boulder.ibm.com/infocenter/db2luw/v10r1/topic/com.ibm.db2.luw.admin.sec.doc/doc/t0005804.html
db2 +p explanation - http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.cmd.doc%2Fdoc%2Fr0010412.html http://angocadb2.blogspot.fr/2011/12/ejecutar-la-salida-de-un-query-en-clp.html
Related
I dumped a database using pg_dump -O -x expecting all ownership and role information to be ignored, however, it is still including specific mentions to manager roles in the original database which are failing to be imported because they don't exist in the new database which I'm importing into. See the snippet of the dump.sql file:
--
-- Name: reassign_owned(); Type: FUNCTION; Schema: public; Owner: -
--
CREATE FUNCTION reassign_owned() RETURNS event_trigger
LANGUAGE plpgsql
AS $$
begin
-- do not execute if member of rds_superuser
IF EXISTS (select 1 from pg_catalog.pg_roles where rolname = 'rds_superuser')
AND pg_has_role(current_user, 'rds_superuser', 'member') THEN
RETURN;
END IF;
-- do not execute if not member of manager role
IF NOT pg_has_role(current_user, 'rdsbroker_xxxxx_manager', 'member') THEN
RETURN;
END IF;
-- do not execute if superuser
IF EXISTS (SELECT 1 FROM pg_user WHERE usename = current_user and usesuper = true) THEN
RETURN;
END IF;
EXECUTE 'reassign owned by "' || current_user || '" to "rdsbroker_xxxxx_manager"';
end
$$;
-O means that pg_dump itself does not emit ownership information. It doesn't cause it to edit the source code of any functions it might dump, in an attempt to prevent those functions from doing what they were written to do.
I've done a quick search in pg_dump and pg_restore source code and I see no usage of REASSIGN OWNED statement.
I need to revoke CREATEIN privilege for PUBLIC in a schema named THOMAS.XXXXXXX#XXX.XXX.XXX, I connected to the database and typed the following commands
this one to verify PUBLIC has createin permissions in the schema
db2 "select schemaname,CREATEINAUTH from SYSCAT.SCHEMAAUTH where GRANTEE= 'PUBLIC'"
SCHEMANAME CREATEINAUTH
THOMAS.XXXXXXX#XXX.XXX.XXX Y
db2 revoke CREATEIN ON SCHEMA 'THOMAS.XXXXXXX#XXX.XXX.XXX' FROM PUBLIC
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0108N The name "COM" has the wrong number of qualifiers. SQLSTATE=42601
i also tried with "" but got the same result
db2 "revoke CREATEIN ON SCHEMA THOMAS.XXXXXXX#XXX.XXX.XXX FROM PUBLIC"
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0108N The name "COM" has the wrong number of qualifiers. SQLSTATE=42601
Try this:
db2 "revoke CREATEIN ON SCHEMA \"THOMAS.XXXXXXX#XXX.XXX.XXX\" FROM PUBLIC"
If there is any special character in db2 command that is not accepted by OS command line, you may keep the command in file with some delimiter and run the file from OS command line.
For eg. create a file with name say revoke.sql and keep following statement in it:
revoke CREATEIN ON SCHEMA THOMAS.XXXXXXX#XXX.XXX.XXX FROM PUBLIC;
Then you can execute this file as follows:
db2 -tvf revoke.sql
I created a new database in Postgres (Ubuntu 18.04) and created a table from the Postgres command line with:
CREATE TABLE TMB01
the command line returns with no error messages. Then I created columns from the command line (one by one, but I only had four columns names to enter).
Now I want to see the names of all tables in my database:
\d+ "TMB01"
"Did not find any relation named "TMB01."
Try it without quotes:
\d+ TMB01
"Did not find any relation named "TMB01."
Then I tried:
select * from TMB01 where false
No error message, cursor returns.
What went wrong with my table creation?
The only reason you didn't get an error with this command:
CREATE TABLE TMB01
Is that it wasn't finished yet. There's no ; at the end. At a minimum you would need:
CREATE TABLE TMB01 ();
Try granting access privileges to the postgres user grant wizard
How do I go about granting DML (SELECT,INSERT,UPDATE,DELETE) on all tables in a schema in PostgreSQL 8.4? I'd also like this grant to persist for new table creation in the future as well.
I've seen solutions for 9.0 but I'm stuck with 8.4 as it ships with Debian stable.
I have tried the following as a baseline but it doesn't work, resulting in the inevitable "access to relation X denied":
GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
I've dredged through the documentation and I can't seem to find a suitable solution.
I'd also like this grant to persist for new table creation in the future as well.
[...] I've dredged through the documentation and I can't seem to find a suitable solution.
Because before 9.0 there is none. All you can get is to set the permissions for existing tables. You have to do one GRANT for each table, because before 9.0 there was no "bulk" mode. See the SQL grammer for 8.4 and 9.0:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] tablename [, ...]
TO { [ GROUP ] rolename | PUBLIC } [, ...] [ WITH GRANT OPTION ]
and 9.0 here:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO { [ GROUP ] role_name | PUBLIC } [, ...] [ WITH GRANT OPTION ]
The new ALL TABLES IN SCHEMA part is the one you are missing.
Also: Setting permissions on the database level as in you question won't help you: You will "only" set the permissions on he database, but not on any "contained" stuff like tables. The relevant section:
GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE dbname [, ...]
TO { [ GROUP ] rolename | PUBLIC } [, ...] [ WITH GRANT OPTION ]
Which means you can only set CREATE, CONNECT and TEMP permissions on the database itself but no SELECT, INSERT etc.
So far for the bad stuff. What you can do are the following things:
Reduce the number of permission management by granting rights not to users but to roles. Then add roles to individual users. When a new table is created you only need to adjust one or two roles, but not hundreds of users.
Query the system catalogues and create appropriate GRANT commands. Save them into a file and execute that file. This should give you an easier startup.
Such a query might look like this:
select 'GRANT ALL ON ' || table_schema || '.' || table_name ||' to my_group;'
from information_schema.tables
where
table_type = 'BASE TABLE' and
table_schema not in ('pg_catalog', 'information_schema');
Grants in PostgreSQL are not recursive; a GRANT on the database sets rights to the database object but does not affect the contained schemas or their tables, views, functions, etc.
Granting ALL PRIVELEGES on the database grants CREATE, CONNECT and TEMPORARY rights.
See \h GRANT in psql, or the documentation for GRANT in 8.4, to see what ALL PRIVILEGES means for DATABASE:
GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE database_name [, ...]
TO { [ GROUP ] role_name | PUBLIC } [, ...] [ WITH GRANT OPTION ]
There are plpgsql functions and various 3rd party scripts available that use pg_catalog or information_schema to dynamically build GRANTs and recursively set rights. Search for "postgresql recursive grant".
These will not help you set default access rights for new tables. PostgreSQL doe have ALTER DEFAULT PRIVILEGES to allow you to set the default table rights for new tables, but it's only supported in Pg 9.1 and newer. Explicit GRANTs are required for each table in older versions or when permissions are to be set after table creation.
Newer versions, as you noted, have facilities for multiple grants via GRANT ... ALL TABLES, but your question is specific to 8.4.
I believe you can't do that. But you can use the information schema to generate the grants so you don't have to manually do it for 10,000 tables. See the link below for a relative example and the site linked to easy very good for info.
http://www.postgresonline.com/journal/archives/30-DML-to-generate-DDL-and-DCL-Making-structural-and-Permission-changes-to-multiple-tables.html
If you have another user who have the DML privileges, it works in postgresql 8.x/9.x:
grant <userWithDMLPrivileges> to testuser;
Hope it helps.
Add all priviledges on all tables:
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO [username];
The following works in PostgreSQL 8.4:
insert into credentials values('demo', pgp_sym_encrypt('password', 'longpassword'));
When I try it in version 9.1 I get this:
ERROR: function pgp_sym_encrypt(unknown, unknown) does not exist LINE
1: insert into credentials values('demo', pgp_sym_encrypt('pass...
^ HINT: No function matches the given name and argument types. You might need to add
explicit type casts.
*** Error ***
ERROR: function pgp_sym_encrypt(unknown, unknown) does not exist SQL
state: 42883 Hint: No function matches the given name and argument
types. You might need to add explicit type casts. Character: 40
If I try some explicit casts like this
insert into credentials values('demo', pgp_sym_encrypt(cast('password' as text), cast('longpassword' as text)))
I get a slightly different error message:
ERROR: function pgp_sym_encrypt(text, text) does not exist
I have pgcrypto installed. Does anyone have pgp_sym_encrypt() working in PostgreSQL 9.1?
On explanation could be that the module was installed into a schema that is not in your search path - or to the wrong database.
Diagnose your problem with this query and report back the output:
SELECT n.nspname, p.proname, pg_catalog.pg_get_function_arguments(p.oid) as params
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.proname ~~* '%pgp_sym_encrypt%'
AND pg_catalog.pg_function_is_visible(p.oid);
Finds functions in all schemas in your database. Similar to the psql meta-command
\df *pgp_sym_encrypt*
Make sure you install the extension on the desired schema.
sudo -i -u postgres
psql $database
CREATE EXTENSION pgcrypto;
OK, problem solved.
I was creating the pgcrypto extension as the first operation in the script. Then I dropped and added the VGDB database. That's why pgcrypto was there immediately after creating it, but didn't exist when running the sql later in the script or when I opened pgadmin.
This script is meant for setting up new databases and if I had tried it on a new database the create extension would have failed right away.
My bad. Thanks for the help, Erwin.
Just mention de schema where is installed pgcrypto like this:
#ColumnTransformer(forColumn = "TEST",
read = "public.pgp_sym_decrypt(TEST, 'password')",
write = "public.pgp_sym_encrypt(?, 'password')")
#Column(name = "TEST", columnDefinition = "bytea", nullable = false)
private String test;
I ran my (python) script again and the CREATE EXTENSION ran without error. The script also executes this command
psql -d VGDB -U postgres -c "select * from pg_available_extensions order by name"
which includes the following in the result set:
pgcrypto | 1.0 | 1.0 | cryptographic functions
So psql believes that it has installed pgcrypto.
Later in the same script when I execute
psql -d VGDB -U postgres -f sql/Create.Credentials.table.sql
where sql/Create.Credentials.table.sql includes this
insert into credentials values('demo', pgp_sym_encrypt('password', 'longpassword'));
I get this
psql:sql/Create.Credentials.table.sql:31: ERROR: function pgp_sym_encrypt(unknown, unknown) does not exist
LINE 1: insert into credentials values('demo', pgp_sym_encrypt('pass...
^
HINT: No function matches the given name and argument types. You might need to add explicit type casts.
When I open pgadmin it does not show pgcrypto in either the VGDB or postgres databases even though the query above called by psql shows that pgcrypto is installed.
Could there be an issue with needing to commit after using psql to execute the "create extension ..." command? None of my other DDL or SQL statements require a commit when they get executed with psql.
It's starting to look like psql is just flakey. Is there another way to call "create extension pgcrypto" - e.g. with Python's database support classes - or does that have to be run through psql?