This question already has answers here:
Create PostgreSQL ROLE (user) if it doesn't exist
(12 answers)
Closed 1 year ago.
I have few CREATE user as part of myquery.sql files and it contains few other queries as well
my file looks like this
CREATE USER myuser NOLOGIN;
GRANT CONNECT on DATABSE myDataBase to myuser;
GRANT USAGE ON SCHEAMA myschema to myuser;
I have few queries like this in the same file, due to some reason I need to add new queries to same file, when execute the same file again I stuck with error user already exists, and does not reach to newly added query.
also I checked there is no IF NOT EXISTS kind of help for CREATE USER in postgres.
so how to add the check to create a USER only if not EXISTS.
I don't know what you mean by "there is no IF NOT EXISTS kind of help for CREATE USER in postgres". A quick search yielded this, which will let you use plpgsql to do the check:
DO
$do$
BEGIN
IF NOT EXISTS ( SELECT FROM pg_roles
WHERE rolname = 'my_user') THEN
CREATE USER myuser NOLOGIN;
GRANT CONNECT on DATABSE myDataBase to myuser;
GRANT USAGE ON SCHEMA myschema to myuser;
END IF;
END
$do$;
From here. Optionally, you can catch any exceptions of duplicate users so the remainder of your query runs smoothly, without any race conditions; there are even some bash alternatives even further down that thread.
NB: You may need to use escape character for $ (like $) if you use
the code block in a shell scripting.
Related
I am a big fan of PostgreSQL but can't figure out one aspects of it's built in user management.
My problem is that I have set up pgAdmin and will have some non-developers manually update data in some specific tables. For this reason I have created a new user called "admin" and are looking to restrict this users rights.
I have tried to delete all rights for the user with the following query (from another user):
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM admin;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM admin;
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM admin;
The above did lead to the following error when I wrote a simple SELECT statement from the user admin on a table called "crap": ERROR: permission denied for relation crap.
But what I was able to do with the user admin which by now shouldn't have any rights was the following: DROP TABLE crap; which worked!?
I am really surprised by this. This user is not a Postgres superuser. How can I remove this right to drop tables for a specific user?
You're one level off in hierarchy for the permissions.
REVOKE ALL PRIVILEGES FROM SCHEMA public FROM <role_name>;
You were affecting permissions within the table. You must also go one level up to the schema as well to protect create/drop access. You may also want to revoke access at the database level as well to protect the schema.
REVOKE ALL PRIVILEGES FROM DATABASE <database_name> FROM <role_name>;
You could also simply remove the user. Alternatively you could simply disable that user's ability to login.
ALTER ROLE <role_name> SET NOLOGIN;
If these don't work for you, you can go down a somewhat more complicated route and make an event trigger that watches for DROP TABLE events, compares against the role, and either allows it to continue or aborts the transaction.
CREATE OR REPLACE FUNCTION no_admin_drop()
RETURNS event_trigger LANGUAGE plpgsql AS $$
BEGIN
IF CURRENT_USER = 'admin'::regrole THEN
RAISE EXCEPTION 'command is disabled';
END IF;
END;
$$;
CREATE EVENT TRIGGER no_admin_drop ON sql_drop
EXECUTE FUNCTION no_admin_drop();
I had a schema in one oracle DB as ui_prod. I asked my DBA team guys to create exactly same schema like ui_prod but as read only and name it ui_prod_readonly. Usually I will use Oracle SQL developer to connect a DB and query directly with table name like below.
--Connect to ui_prod
select * from table
but why I requested to put owner name infront when query for readonly schema they created for me, as without putting it, I get error table not exist.
--Connect to ui_prod_readonly
select * from ui_prod.table
I have project files which hardcode the sql query with only table names and adding owner name in front will cause many changes and effort. Can anyone explain me on this? or provide me any document/link to read. Thanks
You should look into synonyms, apparently the user you are connecting to the database as is not the owner of the objects. So to view the object you have to prepend the names with the schema name (the owner of the object themselves).
http://www.techonthenet.com/oracle/synonyms.php
CREATE OR REPLACE SYNONYM ui_prod_readonly.synonym_name
FOR ui_prod.object_name
It seems to me that your dbas have not created another set of tables but just granted the existing tables to the user ui_prod_readonly.
When you log in to Oracle, the current schema is the name of the user you used to log in. So if you log in with ui_prod_readonly Oracle checks that schema for the table if you do not qualify it with the owner (=schema).
If you want to change the current schema so that you don't need to fully qualify the tables, you can do that with ALTER SESSION
alter session set current_schema = ui_prod;
Once you have done that, you don't need to fully qualify the table with the owner (=schema).
if you need a user to read the data only
its simple to create new user and grant it only select privilege
you can create user and grant select privilege using
CREATE USER [user] IDENTIFIED BY [your_password];
grant select on table to [user]
I am the first user of Oracle Database.
Now, I want to create a DB schema called ERDB.
I need to create the ERDB user and granting appropriate privileges to the ERDB user on SQL script file.
CREATE USER dmuser IDENTIFIED BY password
DEFAULT TABLESPACE USERS
TEMPORARY
TABLESPACE TEMP
QUOTA UNLIMITED ON USERS;
GRANT CREATE JOB TO dmuser;
GRANT CREATE MINING MODEL TO dmuser;
GRANT CREATE PROCEDURE TO dmuser;
GRANT CREATE SEQUENCE TO dmuser;
GRANT CREATE SESSION TO dmuser;
GRANT CREATE SYNONYM TO dmuser;
GRANT CREATE TABLE TO dmuser;
GRANT CREATE TYPE TO dmuser;
GRANT CREATE VIEW TO dmuser;
GRANT EXECUTE ON ctxsys.ctx_ddl TO dmuser;
but the error happens, SQL Error: ORA 01031 insufficient privileges;
please help me.
The Oracle documentation clearly states the following:
Prerequisites
You must have the CREATE USER system privilege.
Connect as SYSTEM, no need of SYSDBA and then execute:
CREATE USER user IDENTIFIED BY password
Similarly, execute other command to create the tablespaces and required grants etc.
On a side note, regarding SYSDBA:
Never ever use SYS (or SYSDBA) but for maintenance purpose (startup, shutdown, backup, recover)
SYS/SYSDBA is special
SYS/SYSDBA is Oracle proprietary (try to open a SR/TAR starting with "i did that with SYS/SYSDBA" and you'll see the immediate answer)
SYS/SYSDBA does not act like any other user
When you use SYS/SYSDBA Oracle deactivates some code path and activates others
Whatever you do with SYS/SYSDBA will neither validate nor invalidate the same thing with any other user.
NEVER EVER use SYS/SYSDBA for anything that can be done by another
user. Use SYS/SYSDBA ONLY for something that can't be done by someone
else.
I've got
url: jdbc:oracle:thin:#195.123.456.789:1521:someSID
User: artem
Password: unchangeableForAllUsers
I'm also got second DB, all the same, changing only the name
url: jdbc:oracle:thin:#195.123.456.789:1521:someSID
User: denis
Password: unchangeableForAllUsers
How can I make update query from one DB to other? Using pl/sql I've got next message from Web-browser, when I try to change artem.table to denis.table:
ORA-01031: insufficient privileges
SQL Statement ignored
When I try to save changes in artem pl/sql package(query to denis db, like that
update denis.table dt
set dt.someColumn=1
where dt.ID=3305;
), see next in my IDE:
PL/SQL ORA-00942: User table or view does not exist
While I'm in IDE, logged like artem, I can to change and commit other users db free, from IDE SQL console.. maybe couse they have the same url and password? How can I save my query
update denis.table dt
set dt.someColumn=1
where dt.ID=3305;
in artem package for get access(update cell) to nearby database from Web-site, when i logged there like artem.
Thanks
As described, this is not a jdbc or plsql issue but rather a permissions issue.
You are connecting to the same database, but as two different users. In Oracle, a user has their own schema (same name as the user). If you wish to access data in schema A from schema B, schema A must GRANT permissions to schema B.
For example, if you want the user "artem" to have permission to UPDATE table "mytable" in schema "denis", log into the account "denis" and GRANT UPDATE permission to "artem":
-- While logged in as "denis"
GRANT UPDATE ON mytable TO artem;
Now you can log in as "artem" and query "denis.mytable". Grants you may want to give: SELECT, INSERT, UPDATE, DELETE. This, of course, works both ways (if you want user "denis" to have access to "artem" objects, then "artem" must GRANT permission to "denis".
This question already has answers here:
In psql, why do some commands have no effect?
(2 answers)
Closed 9 years ago.
I want simply drop some databases and after that create a new one.
Within postgresql version 9.1, running these commands first to create:
postgres=# createdb [dbname]
or
postgres=# CREATE DATABASE name
as described here Postgresql Documentation.
Now, to drop away some databases:
postgres=# DROP DATABASE name
as described here as well Postgresql Documentation.
They all didn't work. What am I missing?
You forgot the semicolons.
postgres=# DROP DATABASE name;
SQL commands may carry on over multiple lines, and are only sent to the server when you end them with a semicolon. That's why the prompt changes:
postgres=# DROP DATABASE name
postgres-#
It might be a good idea to take a look through the tutorial.
Additionally createdb isn't an SQL command. It's a shell utility command that wraps CREATE DATABASE for convenience.
See also:
Can't delete database
In psql, why do some commands have no effect?
I think you have to be a superuser because accroding to the documentation :
for create a new database :
To create a database, you must be a superuser or have the special
CREATEDB privilege. See CREATE USER.
for drop a database
DROP DATABASE drops a database. It removes the catalog entries for the
database and deletes the directory containing the data. It can only be
executed by the database owner.
Read this tutorial, it will help you.