I am reading Hive Authorization at
https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-PrivilegesRequiredforHiveOperations
I noticed:
create table needs the database owner's privileges
create function needs the admin privileges
I don't understand why create table and create function need different privileges. The table and the function are two objects belonging to a database; that is to say, I think create function should be the same as create table and just need the database owner's privileges, not admin privileges.
Could someone help explain?
Related
I am a big fan of PostgreSQL but can't figure out one aspect of its built-in user management.
My problem is that I have set up pgAdmin and will have some non-developers manually update data in some specific tables. For this reason I have created a new user called "admin" and am looking to restrict this user's rights.
I have tried to delete all rights for the user with the following query (from another user):
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM admin;
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM admin;
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM admin;
The above led to the following error when I ran a simple SELECT statement as the user admin on a table called "crap": ERROR: permission denied for relation crap.
But what I was able to do with the user admin, which by now shouldn't have any rights, was the following: DROP TABLE crap; and it worked!?
I am really surprised by this. This user is not a Postgres superuser. How can I remove this right to drop tables for a specific user?
You're one level off in the hierarchy for the permissions.
REVOKE ALL PRIVILEGES ON SCHEMA public FROM <role_name>;
You were affecting permissions within the table. You must also go one level up to the schema to protect create/drop access. You may also want to revoke access at the database level to protect the schema.
REVOKE ALL PRIVILEGES ON DATABASE <database_name> FROM <role_name>;
You could also simply remove the user. Alternatively you could simply disable that user's ability to login.
ALTER ROLE <role_name> NOLOGIN;
If these don't work for you, you can go down a somewhat more complicated route and make an event trigger that watches for DROP TABLE events, compares against the role, and either allows it to continue or aborts the transaction.
CREATE OR REPLACE FUNCTION no_admin_drop()
RETURNS event_trigger LANGUAGE plpgsql AS $$
BEGIN
    -- CURRENT_USER is of type name, so compare it with a plain string
    -- (a regrole cast on the right-hand side has no matching operator).
    -- pg_event_trigger_dropped_objects() limits the block to table drops;
    -- sql_drop also fires for other object types and for cascaded drops.
    IF CURRENT_USER = 'admin' AND EXISTS (
        SELECT 1 FROM pg_event_trigger_dropped_objects()
        WHERE object_type = 'table'
    ) THEN
        RAISE EXCEPTION 'command is disabled';
    END IF;
END;
$$;
-- EXECUTE FUNCTION needs PostgreSQL 11 or later; older servers use EXECUTE PROCEDURE
CREATE EVENT TRIGGER no_admin_drop ON sql_drop
    EXECUTE FUNCTION no_admin_drop();
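One point worth adding for anyone following the answer above: in PostgreSQL, DROP TABLE is allowed to the table's owner, the owner of its schema, and superusers. Table-level GRANT and REVOKE statements do not touch it, so a role that created the tables keeps the ability to drop them no matter how much is revoked, which is the usual reason a "locked down" user can still DROP. The script below is an added example, not code from the original thread; the role, schema and table names are assumptions. It puts the tables under a separate owner role, gives the data-entry role only DML rights, and checks ownership in the catalog.

```sql
-- Added example (not from the original thread). Role, schema and table
-- names are assumptions; run as a superuser or the database owner.

-- 1. A role that owns the application tables and never logs in.
CREATE ROLE app_owner NOLOGIN;
GRANT CREATE ON SCHEMA public TO app_owner;     -- needed on PostgreSQL 15+

-- 2. The data-entry role the non-developers will use in pgAdmin.
CREATE ROLE data_entry LOGIN PASSWORD 'change-me';

-- 3. Create the tables as app_owner, so data_entry is never their owner.
SET ROLE app_owner;
CREATE TABLE public.crap (id int PRIMARY KEY, note text);
RESET ROLE;

-- If tables already exist and are owned by the data-entry user, move them:
-- ALTER TABLE public.crap OWNER TO app_owner;

-- 4. data_entry may reach the schema and edit rows, nothing more.
-- Before PostgreSQL 15, CREATE on schema public is granted to PUBLIC (every role),
-- so revoke it from PUBLIC rather than from the one role.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO data_entry;
GRANT SELECT, INSERT, UPDATE ON public.crap TO data_entry;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO data_entry;  -- only if tables use serial/identity columns

-- 5. Verify ownership from the catalog: tableowner should be app_owner.
SELECT tablename, tableowner
FROM pg_tables
WHERE schemaname = 'public' AND tablename = 'crap';

-- 6. Verify from the data-entry role's point of view.
SET ROLE data_entry;
UPDATE public.crap SET note = 'edited' WHERE id = 1;   -- allowed
DROP TABLE public.crap;                                -- ERROR: must be owner of table crap
RESET ROLE;
```

The schema-level REVOKE from the answer is still worthwhile, because it stops the role from creating new tables (which it would then own and be able to drop); ownership is what closes the DROP hole on tables that already exist.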
I've been tasked with creating a usergroup where users of a database would be able to create objects, but only under the schemas of their own usernames. As an example user foo\bar would only be able to create objects on the schema 'foo\bar'. Is this something that can be done?
I'm working on MS SQL Server 2012. Any feedback would be greatly appreciated.
Not a complete answer but the first thing that comes to my mind: when you create a user, also create the schema and give that user create permissions on that schema.
CREATE USER [Foo\bar] FOR LOGIN [Foo\bar];   -- FOR LOGIN / WITHOUT LOGIN ?? see url below
GO
CREATE SCHEMA [Foo\bar] AUTHORIZATION [Foo\bar];   -- owning the schema gives the user ALTER on it, which placing objects in a schema requires
GO
GRANT CREATE TABLE TO [Foo\bar];   -- CREATE TABLE is a database-level permission in SQL Server; there is no ON <schema> form
See: https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql
and https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql
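A fuller version of that sketch, as an added example rather than code from the original answer (login, user and schema names are assumptions; run in the target database as a member of db_owner). In SQL Server the permission to create a table is database-wide, and what confines the user to one schema is that the user owns that schema (and so holds ALTER on it) and holds no ALTER on any other, dbo included. The EXECUTE AS block checks exactly that.

```sql
-- Added example (not from the original answer). Login, user and schema
-- names are assumptions; run in the target database as a member of db_owner.

-- One user bound to a Windows login, defaulting to a schema of the same name.
-- DEFAULT_SCHEMA may name a schema that does not exist yet.
CREATE USER [Foo\bar] FOR LOGIN [Foo\bar] WITH DEFAULT_SCHEMA = [Foo\bar];
GO
-- The user owns its schema; ownership implies ALTER on the schema, which
-- is the permission needed to place objects in it.
CREATE SCHEMA [Foo\bar] AUTHORIZATION [Foo\bar];
GO
-- Object-creation permissions are database-level in SQL Server; grant only
-- the object kinds the group is allowed to create.
GRANT CREATE TABLE TO [Foo\bar];
GRANT CREATE VIEW TO [Foo\bar];
GO

-- Verify by impersonating the user: ALTER on its own schema, none on dbo.
EXECUTE AS USER = 'Foo\bar';
    SELECT HAS_PERMS_BY_NAME('Foo\bar', 'SCHEMA', 'ALTER') AS alter_own_schema,  -- 1
           HAS_PERMS_BY_NAME('dbo',     'SCHEMA', 'ALTER') AS alter_dbo;         -- 0
    CREATE TABLE notes (id int PRIMARY KEY);   -- lands in [Foo\bar].notes via the default schema
    -- CREATE TABLE dbo.notes (id int);        -- fails: no ALTER on schema dbo
REVERT;
GO
```

For a whole group of users, put the database-level GRANTs on a database role and add each user to it; the per-user part that cannot be shared is the CREATE SCHEMA ... AUTHORIZATION statement.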
I'm testing my project and I have to write a permissions unit test for one of its components. The unit tests start by creating a temporary database and table. I want to write SQL code which creates a new user for the temporary database and grants it permission to create a trigger (the single thing the component does) only on the temp test table. This user will be used by my component. How can I do this? Any help appreciated.
Try this SQL code. It works for me:
USE [YourDatabase];
CREATE USER YourUser FOR LOGIN YourLogin;
GRANT ALTER ON dbo.YourTable TO [YourUser]
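The single GRANT above is the whole of the permission: creating a trigger on a table requires ALTER on that table and nothing at the schema or database level. The script below is an added example (not from the original answer; the database, table and user names are assumptions) that sets the test user up without a server login, scopes ALTER to the one table, and proves from inside an impersonated session that the trigger can be created on that table but not on a second one.

```sql
-- Added example (not from the original answer). Database, table and user
-- names are assumptions; run as a member of db_owner in the temporary database.
USE [TempTestDb];
GO
-- The table the component attaches its trigger to, plus a control table
-- the user must not be able to touch.
CREATE TABLE dbo.Widget (id int PRIMARY KEY, qty int NOT NULL);
CREATE TABLE dbo.Ledger (id int PRIMARY KEY, qty int NOT NULL);
GO
-- A database user with no server login: the test impersonates it, so there
-- is no password to create, store or clean up.
CREATE USER ComponentUser WITHOUT LOGIN;
GO
-- CREATE TRIGGER needs ALTER on the target table; scope it to that object only.
GRANT ALTER ON OBJECT::dbo.Widget TO ComponentUser;
GO
EXECUTE AS USER = 'ComponentUser';
    -- Effective permissions on each table: Widget lists ALTER, Ledger lists none.
    SELECT 'Widget' AS tbl, permission_name FROM fn_my_permissions('dbo.Widget', 'OBJECT')
    UNION ALL
    SELECT 'Ledger', permission_name FROM fn_my_permissions('dbo.Ledger', 'OBJECT');

    -- CREATE TRIGGER must be the first statement in a batch, hence EXEC.
    EXEC('CREATE TRIGGER dbo.trg_widget ON dbo.Widget AFTER INSERT AS SET NOCOUNT ON;');  -- succeeds
    -- EXEC('CREATE TRIGGER dbo.trg_ledger ON dbo.Ledger AFTER INSERT AS SET NOCOUNT ON;');  -- fails: no ALTER on dbo.Ledger
REVERT;
GO
```

In the test itself, run the negative case as well as the positive one; a permission test that only shows the grant works says nothing about whether it is too broad.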
I created a read-only user in PostgreSQL and it is still able to create tables:
I created a test DB and then created a readonly2 user. Gave it only select privileges on 2 tables. When I log into this DB as readonly2 user I am still able to create tables:
create database test;
create user readonly2 with password 'readonly';
grant select on test1 to readonly2;
grant select on test2 to readonly2;
where test1 and test2 are 2 tables in test DB.
Now when I log into the test DB as readonly2 user, I am able to create tables:
test=> create table test55 (id int);
CREATE TABLE
I just want to create a read-only user with select permissions. I do not want to grant create table permissions.
Every table is created in a schema in Postgres. To create a table, a role must have the CREATE privilege for the schema. Per documentation:
CREATE
... For schemas, allows new objects to be created within the schema.
The default schema for a table to be created in is the first schema of the current search_path.
The first schema in the search_path is typically the schema with the same name as the user or the schema public.
And the public schema comes with default privileges:
A user can also be allowed to create objects in someone else's schema.
To allow that, the CREATE privilege on the schema needs to be granted.
Note that by default, everyone has CREATE and USAGE privileges on the
schema public.
Bold emphasis mine.
You can change that:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Be sure to think about consequences first ...
(Either that, or the role is a superuser.)
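The recipe that follows from the answer above, as an added example (not the answer's own code; the role, database and table names are taken from the question, the rest are assumptions): create the read-only role, take CREATE on public away from PUBLIC, grant only what reading needs, make future tables readable without re-running GRANT, and check the result through the catalog functions before trusting it.

```sql
-- Added example (not from the original answer). Run as a superuser or the
-- owner of database test and schema public; readonly2, test, test1 and test2
-- are the names from the question.

CREATE ROLE readonly2 LOGIN PASSWORD 'readonly';

-- Before PostgreSQL 15 the public schema grants CREATE to PUBLIC, i.e. to
-- every role, which is why a role with only SELECT grants could CREATE TABLE.
SELECT has_schema_privilege('readonly2', 'public', 'CREATE');   -- true on such a cluster

REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- What a read-only role needs: connect, see the schema, read the tables.
GRANT CONNECT ON DATABASE test TO readonly2;
GRANT USAGE ON SCHEMA public TO readonly2;
GRANT SELECT ON public.test1, public.test2 TO readonly2;

-- Tables created later by the role running this statement are readable
-- too, without a GRANT per table.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly2;

-- Guardrail, not a boundary: the role's sessions start read-only, which
-- rejects writes and DDL; the session can switch it off, privileges cannot be.
ALTER ROLE readonly2 SET default_transaction_read_only = on;

-- Check the result.
SELECT has_schema_privilege('readonly2', 'public', 'CREATE') AS can_create_in_public,  -- false
       has_table_privilege('readonly2', 'public.test1', 'SELECT') AS can_read_test1;   -- true

SET ROLE readonly2;
CREATE TABLE test55 (id int);   -- ERROR: permission denied for schema public
RESET ROLE;
```

The REVOKE on public applies to every role in the database, not just readonly2, so check which existing roles rely on creating objects there before running it; roles that should keep creating objects get an explicit GRANT CREATE ON SCHEMA public afterwards.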
When I try to create a trigger in schema A for a table located in schema B, I get an ORA error: insufficient privileges.
What privileges do I need?
If you are creating the trigger in your schema, you'll need the CREATE TRIGGER privilege. In order to create the trigger in somebody else's schema, you'll need the CREATE ANY TRIGGER privilege.
This resource does a very good job of explaining the requirements, and contains more information about triggers (syntax, enabling, disabling, etc).