I have two kinds of users in my Postgres database. One has access to everything in the database and has admin access. The other kind has SELECT access on public schema and USAGE access on information_schema.
When I run the following query, the second kind of user sees only a subset of all results which the first kind of user can see.
SELECT action_statement, event_object_table
FROM information_schema.triggers;
I am not able to understand what could be happening here. Triggers on the table from the same public schema are present, but miraculously some triggers are missing for other tables in the same public schema.
I have a situation where I have to give schema-wise access to users, where the user should not even be able to see other schema names or their contents, like tables. I have tried the queries below:
create user potter with password 'potter';
create schema if not exists potter AUTHORIZATION potter;
set search_path to 'potter';
create table pottertable(id numeric);
grant SELECT, UPDATE, INSERT ON potter.pottertable to potter;
In this case, when connected to the server (PostgreSQL 9.6 localhost) as the new user using pgAdmin 4, the user is not able to SELECT other schema data but is able to see other schema names as well as the tables inside them, which is what I am looking to prevent. Any help is appreciated.
Let's say that I have four tables in my Postgres database, two of which are private and contain highly sensitive information (private1 and private2), and two that contain information I want to allow anyone in the world to be able to query arbitrarily (public1 and public2). I'm aware that this is a very poor design, but bear with me.
I want to set up a user that can solely run SELECTs on the two public tables, but can in no way do anything else even remotely malicious with the other two tables (or the database more generally).
My naive approach would be to do something like set up a new user public_querier, run a REVOKE ALL ON private1, private2, public1, public2 FROM public_querier; and then a GRANT SELECT ON public1, public2 TO public_querier;.
My sneaking suspicion is that this does not fulfill my security desideratum because of some subtleties that I don't have knowledge of, and I'd greatly appreciate a spot check on that suspicion.
Cheers!
You can only revoke permissions that were previously granted.
Use \z table_name in psql to examine the permissions.
If you see nothing, the table has the default permissions: only the table owner can access it.
In that case, grant SELECT on the public tables to the role and do nothing about the private tables.
If there are already permissions granted on the private tables, revoke them as desired.
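The same check can be done in SQL instead of \z. The following is an added example, not part of the original answer: it creates the role from the question, grants SELECT on the two public tables, and asks PostgreSQL for the effective privileges on all four tables. The role and table names come from the question; that the tables live in the public schema is an assumption.

```sql
-- Added example (PostgreSQL). Role and table names are taken from the
-- question; the schema name "public" is an assumption.
CREATE ROLE public_querier LOGIN;   -- set a password separately

GRANT SELECT ON public1, public2 TO public_querier;

-- Effective privileges of public_querier on each table.
-- has_table_privilege() also counts privileges granted to PUBLIC and to
-- roles that public_querier is a member of; a
-- REVOKE ... FROM public_querier does not remove those.
SELECT c.relname AS table_name,
       p.priv    AS privilege,
       has_table_privilege('public_querier', c.oid, p.priv) AS allowed
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'),
                   ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(priv)
WHERE n.nspname = 'public'
  AND c.relname IN ('private1', 'private2', 'public1', 'public2')
ORDER BY c.relname, p.priv;

-- Explicit grants on the same tables, run as the table owner.
-- A row with grantee PUBLIC applies to every role, public_querier included.
SELECT grantee, table_name, privilege_type
FROM information_schema.table_privileges
WHERE table_schema = 'public'
  AND table_name IN ('private1', 'private2', 'public1', 'public2')
ORDER BY table_name, grantee, privilege_type;
```

The intended outcome is allowed = true only for SELECT on public1 and public2; any other true row, or any PUBLIC grantee on a private table, is a grant to revoke from the role or from PUBLIC that actually holds it.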
I'm working in an Oracle SQL Developer database where I want to display a list of all tables from the current user/schema
You see the list of tables as owned by the current schema user in the Tree view of the connection under "tables". If you login as sys, then you see sys owned (of course).
If you want to see the schema of a different user, you need to have select permissions on the tables (and maybe some more in SQL Developer). Then you can see the tables of the other schema under <Connection>/Other Users/<User>/Tables/*.
If you don't see tables there, then you need to check for Synonyms, global synonyms or views. Finally, if none of them are showing the expected tables (and you are sure you logged into the correct instance and CDB) then there might be a different active default schema for your user active after logon (typical case of a logon trigger). In this case the statement from before applies: look under the user who owns them.
SQL Developer internally used the ALL_* and USER_ system views. For example your tables owned by you: select TABLE_NAME from user_tables. More complete description of that is here.
I want to execute a query that selects data from a different schema than the one specified in the DB connection (same Oracle server, same database, different schema)
I have a Python app talking to an Oracle server. It opens a connection to database (server/schema) A, and executes select queries to tables inside that database.
I've tried the following:
select ....
from pct.pi_int, pct.pi_ma, pct.pi_es
where ...
But I get:
ORA-00942: table or view does not exist
I've also tried surrounding the schema name with brackets:
from [PCT].pi_int, [PCT].pi_ma, [PCAT].pi_es
I get:
ORA-00903: invalid table name
The queries are executed using the cx_Oracle python module from inside a Django app.
Can this be done or should I make a new db connection?
Does the user that you are using to connect to the database (user A in this example) have SELECT access on the objects in the PCT schema? Assuming that A does not have this access, you would get the "table or view does not exist" error.
Most likely, you need your DBA to grant user A access to whatever tables in the PCT schema that you need. Something like
GRANT SELECT ON pct.pi_int
TO a;
Once that is done, you should be able to refer to the objects in the PCT schema using the syntax pct.pi_int as you demonstrated initially in your question. The bracket syntax approach will not work.
In addition to grants, you can try creating synonyms. It will avoid the need for specifying the table owner schema every time.
From the connecting schema:
CREATE SYNONYM pi_int FOR pct.pi_int;
Then you can query pi_int as:
SELECT * FROM pi_int;
Depending on the schema/account you are using to connect to the database, I would suspect you are missing a grant to the account you are using to connect to the database.
Connect as PCT account in the database, then grant the account you are using select access for the table.
grant select on pi_int to Account_used_to_connect
An external DB admin guy exported a production database and imported it into the test environment. We are using Oracle 9.2. The majority of imported database objects (tables, views, indexes, packages,...) work fine, but we have problems with three specific tables: we can do SELECT, UPDATE, DELETE on those tables, but we cannot create views on these tables.
In other words, the following works:
create or replace view v_test_view as select 1 x from dual; -- we can create views
create or replace view v_test_view as select 1 x from someTable;
select * from problematicTable; -- we can select data from problematic table
But this does NOT work:
create or replace view v_test_view as select 1 x from problematicTable;
--> ORA-01031: insufficient privileges
Background info:
db admin used import/export utility to copy the database schema
the version of production and test Oracle are not exactly the same (production is 9.2.0.8, test is 9.2.0.7)
after the initial import was done, the problematicTable was visible in object catalog (and database development tools), but when trying to SELECT from this table, we got back "invalid identifier". After that, the tables were re-imported and now we are able to SELECT from them, but not to create views on them
Any ideas?
UPDATE:
It looks like the situation is even more strange. When using one Oracle session we can SELECT data from this table, in another Oracle session (using the same user to login!), we are getting "ORA-00904: invalid identifier"
UPDATE#2:
The export data that was used to import from was successfully used to import data to another test environment (let's call it TEST1) which is located on the same instance of Oracle as the problematic one (TEST2). The difference between those two environments is that TEST1 uses the same user (schema name) as the production, but TEST2 uses another user (so the objects were imported into another schema name). The problematicTables do not have any special security properties that are different from the tables that work OK.
Matra
Is the user creating the view granted select on the problematic table via a ROLE? If so, try giving an explicit grant on the table.
From Oracle:
"In order to create a view in a schema, that schema must have the privileges necessary to either select, insert, update, or delete rows from all the tables or views on which the view is based. The view owner must be granted these privileges directly, rather than through a role. The reason is that privileges granted to roles cannot be inherited via objects."
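To tell a direct grant from a role grant as this answer describes, the data dictionary can be queried from the account that fails to create the view. This is an added example, not part of the original answer; PROBLEMATICTABLE is the question's table name, while TABLE_OWNER (the schema owning the table) and VIEW_OWNER (the account creating the view) are placeholders.

```sql
-- Added example (Oracle). TABLE_OWNER and VIEW_OWNER are placeholders.
-- Run queries 1 to 3 as the account that gets ORA-01031.

-- 1. Object privileges granted directly to the current user.
SELECT owner, table_name, privilege, grantor
FROM   user_tab_privs
WHERE  grantee    = USER
AND    table_name = 'PROBLEMATICTABLE';

-- 2. Object privileges on the same table that arrive through a role
--    enabled in this session.
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  table_name = 'PROBLEMATICTABLE'
AND    role IN (SELECT role FROM session_roles);

-- 3. Disable all roles for this session and repeat the SELECT. If it now
--    fails, the access came from a role, which is the case the quoted
--    Oracle text says CREATE VIEW cannot use.
SET ROLE NONE;
SELECT COUNT(*) FROM table_owner.problematictable;

-- 4. Fix: run as TABLE_OWNER (or a DBA) to give the view owner the
--    privilege directly rather than through a role.
GRANT SELECT ON table_owner.problematictable TO view_owner;
```

Roles disabled by step 3 come back on the next login.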
It looks like there was something wrong with the import. So what our DB admin did to fix the problem was:
drop the problematic tables
reimport the structure of the problematic tables (columns, constraints, indexes)
after the structure was re-created he re-imported the data
he also played with the CREATE TABLE AS SELECT to copy the data back and forth
When he was re-creating the table structure he discovered that the current schema ran out of free space (it was not set to auto grow). The strange thing is that the first import did not complain about insufficient space.
So the theory is that insufficient space was the reason for the corrupted data dictionary.