Databricks Object Privileges - Design - permissions

Need guidance on the scenario at hand -
There exist 2 databases in a Databricks workspace: sd_t, sd_r.
sd_t contains delta tables only, sd_r contains delta views only for the corresponding delta tables in sd_t database.
Tables & Views in these 2 databases are owned by "admins" group. This group contains a set of people who act as Databricks platform admins. "Other" developers are given access to the views only (here sd_r database) so they can read from the views & write into allocated "rw/read-write" databases for their ETL work.
Now, there exist 4 more databases: sd_rw, sdbr_rw, sdus_rw.
sd_rw is the read-write database that Global sales distribution developers have permission on to create objects, modify etc. The global developers will also have create, modify permissions on sdbr_rw, sdus_rw databases.
sdbr_rw is the read-write database that Brazil sales distribution developers have permission on to create objects, modify etc.
sus_rw is the read-write database that US sales distribution developers have permission on to create objects, modify etc.
There exists a Tableau users group in Databricks who could access data via the SQL endpoint in the UI itself and/or via Tableau.
These users just get SELECT on the views from sd_rw, sdbr_rw, sdus_rw; not on the underlying tables. As an admin, I execute the below kind of statement:
Grant usage on sdbr_rw to tableau-users-group
Grant select on sdbr_rw.xxxx to tableau-users-group
Now, as the owners of the underlying tables in the views from sd_rw, sdbr_rw, sdus_rw, sd_r are different, the tableau users get error "User cannot select... due to underlying securables..."
One suggestion from Databricks is to make ownership of objects consistent, to alter ownership to "admins" group. But, then the developers who work in sd_rw, sdbr_rw, sdus_rw will loose ownership access to the tables & views, and they cannot drop/alter objects they created.
So, how should we design permissions model here so in the end the tableau users group can access data, and the respective developer groups still hold ownership (can drop, alter especially...)
Please note that the Tableau users group should be able to access views from sd_rw, sdbr_rw, sdus_rw together by joining them...
EDIT 17-AUG: Understood this ownership chaining is default behavior in the current hive metastore based version. This limitation won't be there in Unity Catalog.

Related

Removing SQL user from a server, multiple owners on a table?

I need to completely remove a user from a server.
I can remove any entires for that user in specific tables (tied to an app), I know how to remove from individual dataabses and the server, but on several databases, the users shema owns a table (that is also owned by several other users) so I cannot drop that user.
I cannot drop the table, other users need it.
I cannot just change ownership of the table, as again, other users need it. Perhaps I'm misunderstanding how it works, alter schema CAN be used to transfer ownership from jsut one specific user, right?
ALTER SCHEMA dbo TRANSFER OtherUserSchema.TargetTable;
GO
Will this affect ONLY the other users schema on the TargetTable, and leave other schemas that own that table?
Naturally, dropping the user won't work since I get:
Cannot drop schema 'BDR\TPRGOMET' because it is being referenced by object 'xkartkont'.
Does a schema with domain name cause any issues?

in oracle SQL developer How do I display list of all tables from current user/schema

I m working in oracle SQL developer database where I want to display list of all tables from current user/schema
You see the list of tables as owned by the current schema user in the Tree view of the connection under "tables". If you login as sys, then you see sys owned (of course).
If you want to see the schema of a different user, you need to have select permissions on the tables (and maybe some more in SQL Developer). Then you can see the tables of the other schema under <Connection>/Other Users/<User>/Tables/*.
If you don't see tables there, then you need to check for Synonyms, global synonyms or views. Finally if none of them are showing the expected tables (and you are aure you logged into the correct instance and CDB) then there might be a different active default schema for your user active after logon (typical case of a logon trigger). In this case the statement from before applies: look under the user who owns them.
SQL Developer internally used the ALL_* and USER_ system views. For example your tables owned by you: select TABLE_NAME from user_tables. More complete description of that is here.

Hide databases in Amazon Redshift cluster from certain users

Is it possible to hide the existence of and access to databases (incl. their schemas, tables etc) from certain users within Amazon Redshift.
By default, it seems like every user is able to see other DBs even though he doesnt have permission to select data nor any other (non-default) privileges.
I tried
REVOKE ALL PRIVILEGES ON DATABASE testdb FROM testdbuser;
and similar but still testdbuser can connect to the testdb DB and even see all other objects in his object browser in a SQL tool (here: Aginity Redshift Workbench).
Ideally, testdbuser would not be able to see anything else except what he got explicitly granted access to.
Note, testdbuser is not a superuser.
Thanks!
Try to revoke from the PUBLIC group vs the specific user
REVOKE USAGE ON SCHEMA information_schema FROM PUBLIC;
REVOKE USAGE ON SCHEMA pg_catalog FROM PUBLIC; -- This should suffice, but...
REVOKE SELECT ON TABLE pg_catalog.pg_database FROM PUBLIC; -- just to be sure.
Note that this could have an undesirable effect on all users within the selected database.
You will need to do this on all databases, since the user can guess another database name and see pg_catalog information there.
The user could still find all the databases via a brute force attack simply by trying to switch or connect to all possible strings.
Unfortunately it is not possible today. Redshift does not support the REVOKE CONNECT FROM DATABASE command, so users can connect to any database.
Because Redshift is built on PostgreSQL, once connected, users can read a list of all databases in the cluster from the system tables, and by connecting to each database can read the list of schemas, tables, and even table columns from the system tables, even if they are prevented from reading the data within those tables through the use of REVOKE ... FROM SCHEMA or REVOKE ... FROM TABLE.

New oracle user can't access tables

I've just imported an ORACLE database into an instance of Oracle 10 XE running on a Linux system.
The database has tables split across a number of tablespaces, and the sys user is able to access all the tables without problem.
I've created a new user (fred) and I'm unable to access any of the tables whilst logged on as this user. I've set the user's default tablespace in an attempt to be able to access the tables whilst logged on as fred.
alter user fred default tablespace t1;
When I then connect as fred and attempt to look at a table in tablespace t1, I receive the following error:
describe table1;
ERROR:
ORA-04043: object table1 does not exist
How can I configure the user fred, so that he can easily access all the tables in the various tablespaces (t1, t2, t3... t6), like the user sys currently can?
I've never really dabbled with oracle in the past, but have used MS SQL quite extensively.
In Oracle the concept of schemas and users is different than that of other DBMS. In order to get table access for user fred, you will need to create synonyms of those table and sys user needs to issue grants (eg select, update e.t.c) on those tables.
Some useful links.
Managing User Privileges and Roles
GRANT
Oracle/PLSQL: Grant/Revoke Privileges

Need to learn how to set appropriate permissions on SQL Server database to allow Synchronisation through Sync Framework 2.1

SQL Server is not my strong point and I start to get lost when going past the basic Create Table, Select from Table etc.
I am attempting to set up a database synchronisation scenario with an Microsoft SQLCompact 3.5 database being Synced through a Proxy to and SQL 2008 R2 database. It is being synced through the Microsoft Sync Framework 2.1.
I got everything set up and working fine through the proxy when the user account is the db_owner of the database.
Of course this now needs to be locked down - so I have been trying to restrict the permissions to the bare minimum required for Synchronisation.
According to the Microsoft articles, I need to do the following...
Use the principle of least permission. Do not grant more permissions than are required to perform a specific task. For example, do not grant INSERT permissions for server database tables that are involved in download-only synchronization. Synchronization operations require the following permissions:
EXECUTE permissions on all the stored procedures that Sync Framework uses to read and write to metadata tables and base tables.
SELECT, INSERT, UPDATE, and DELETE permissions for metadata tables and any base tables that will be updated during a synchronization session.
When you provision SQL Server databases that use SqlSyncProvider, be aware of the following permissions requirements for provisioning:
CREATE TABLE permissions to enable creation of the metadata tables: scope_info and scope_config, and the tracking tables that are created for each base table.
ALTER TABLE to add triggers to the base tables.
CREATE PROCEDURE permissions to create the procedures that Sync Framework requires.
SELECT and INSERT permissions for scope_info and scope_config tables.
SELECT permissions for base tables.
I allowed the wizards in Visual Studio 2010 to create the Sync database and proxy for me.
As such - I am unable to find the scope_info and scope_config tables in SQL Server databases, and I am also unable to find the metadata tables so cannot set permissions on these tables. Also - where would I find the stored procedures that the Synchronisation framework is trying to use - I have looked but cannto find them.
Where would I find these and how would I go about setting the appropriate permissions?
I have granted datareader and datawriter, Insert, Update, Delete and Select as well as Execute permissions on the SQL Server database but the sync fails. I have also granted Create Table, Create Procedure and ALTER permissions on the database for the user as well- but still it fails.
If i enable the db_owner role for the user - it works.
The error I receive is:
Unable to initialize the client database, because the schema for table 'tblApplications, tblApplicationConfiguration, tblApplicationInstallProperties, tblApplicationPreRequisites, tblApplicationTypes, tblComputerApps, tblComputers, tblComputerTypes, tblDriveHWSerials, tblDrives, tblDriveTypes, tblFunctions, tblLocationApps, tblLocationComputers, tblLocationIPAddress, tblLocations, tblLocationUsers, tblPermissions, tblRegionLocations, tblRegions, tblRegisteredModules, tblRequestFormats, tblRequestStatus, tblRequestTypes, tblRoles, tblRoleUsers, tblSecurity, tblUsers, tblVehicle, tblVehicleLocationMap, tblVehicleMake, tblRequestProcessingStatus, tblDriveStatus, tblVideoViewTypes' could not be retrieved by the GetSchema() method of DbServerSyncProvider.
Make sure that you can establish a connection to the client database and that either the SelectIncrementalInsertsCommand property or the SelectIncrementalUpdatesCommand property of the SyncAdapter is specified correctly.
I am not able to use the db_owner role when its released.
there are two types of database providers in Sync Framework, the offline provider (SqlCeClientSyncProvider/DbServerSyncProvider) which is used by the Local Database Cache project item and the collaboration/peer-to-peer provider (SqlSyncProvider/SqlCeSyncProvider).
the offline providers dont use the scope_xxx tables as such you wont find it.
assuming you used the default SQL Server Change Tracking when you configured the sync via the wizard, try granting VIEW CHANGE TRACKING permission to the account you're using to connect to the database.
I'm not sure if it will help, but I found this:
Try to set UploadOnly on the SyncTable object instead. When you set it on the SyncAdapterBuidler, the select incremental commands are not generated by the builder. These commands are used to get the table schema from the database. Since these are missing you are getting the schema error.
Also, maybe this blog entry will help.
As JuneT Mentioned, you should turn on Change Tracking
ALTER DATABASE YourDataBaseName
SET CHANGE_TRACKING = ON
(CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON)