how do I find what privileges a group has in redshift? - sql

I'm having a peculiar problem with one group.
I have revoked all database access for this group
I have revoked all schema access for this group
I have revoked all table access for this group
I have revoked all execute privileges on functions
When I try to drop the group, I get an error saying it cannot be dropped because the group have a privilege on some object.
How can I find out what privileges a group has on redshift?
Thanks

I remember seeing somewhere that this could be accomplished via terminal on the server. However, you may have the same issue that I had, preventing you from dropping a group. I had default privileges set. I had to do something like this:
alter default privileges in schema seeds revoke all on tables from xyz cascade;

The answer from jbasko was almost right, I've got mine working this way:
select
'alter default privileges for user ' || u.usename || ' in schema '||s.schemaname||' revoke all on tables from group groupname;'
from pg_default_acl d
join pg_user u on d.defacluser = u.usesysid
cross join
(select distinct schemaname from pg_tables) s
where array_to_string(defaclacl, ',') like '%group groupname=%'
and u.usename = 'some username';

You can see the default group privileges in pg_default_acl table. It's those entries in defaclacl column that are in format group <groupname>=<privileges>/<grantor>.
You have to issue the alter default privileges for each creating user that the privileges are set for. It's the defacluser column which refers to pg_user.usesysid.
Replace groupname and schemaname accordingly and generate the queries to revoke the privileges:
select 'alter default privileges for ' || pg_user.usename || ' in schema schemaname revoke all on tables from group groupname;'
from pg_default_acl
join pg_user on pg_default_acl.defacluser = pg_user.usesysid
where array_to_string(defaclacl, ',') like '%group groupname=%';
select 'alter default privileges for ' || pg_user.usename || ' in schema schemaname revoke all on functions from group groupname;'
from pg_default_acl
join pg_user on pg_default_acl.defacluser = pg_user.usesysid
where array_to_string(defaclacl, ',') like '%group groupname=%';

Related

Want to grant select to a specific user on all tables

I use the below to grant select permission to amy on table1:
grant select schema.table1 to amy;
However, the below does not work:
grant select on schema.* to amy;
the error is
ORA-00903: invalid table name
Please advise what is wrong in my command. What I want is grant select to amy on ALL tables.
thanks
The syntax for the GRANT command (as of Oracle 21c) makes it clear that the granted item can only be a specific object:
on_object_clause:
The best you can do is create a role and grant the role to Amy, but you will still have to grant privileges on each individual table to the role.
create role analyst;
grant analyst to amy;
grant read on hr.countries to analyst;
grant read on hr.departments to analyst;
grant read on hr.employees to analyst;
To create a role and grant it to amy:
create role select_all_tables;
grant select_all_tables to amy;
alter user amy default role select_all_tables;
Use the following query to generate a script, which you can copy/paste and run to complete all the grants:
select 'grant select on '|| owner || '.' || table_name ||' to select_all_tables;'
from dba_tables where owner='SCHEMA';
copy and paste the output, and execute it as as script.
grant select on schema.table1 to select_all_tables;
grant select on schema.table2 to select_all_tables;
...
If you would rather grant the privileges directly and not use a role, alter the script query:
select 'grant select on '|| owner || '.' || table_name ||' to amy;'
from dba_tables where owner='SCHEMA';
and then run the output as a script:
grant select on schema.table1 to amy;
grant select on schema.table2 to amy;
...
grant select on table to public;
But be careful when you do that -- make sure it's what you really want to do.

Dropping postgres role and database after many grants

I'm trying to efficiently drop role from a postgres instance, and running into some problems. I'm looking for some SQL to drop role so that I can stop reading error messages and don't have to do this manually.
In the setup I'm working in, every roles gets its own database of the same name:
CREATE ROLE alpha_user;
CREATE DATABASE alpha_user;
ALTER DATABASE alpha_user OWNER TO alpha_user;
Users often grant access to schemas in their database to other users:
-- alpha_user logs in to the alpha_user database
GRANT USAGE ON SCHEMA myschema TO beta_user;
When I attempt to drop beta_user, this happens:
-- log in as superuser
DROP ROLE beta_user;
-- ERROR: role "beta_user" cannot be dropped because some objects depend on it
-- DETAIL: N objects in database alpha_user
I can connect to the alpha_user database, and drop OWNED BY, but this is inefficient:
-- log in as superuser
\c alpha_user;
DROP OWNED BY beta_user CASCADE;
DROP beta_user;
-- success
Users can grant access to any number of databases, and there are many users. Is there a statement (or series of statements) that a super user can execute to DROP OWNED BY for a user across all databases where the user has been granted access?
Maybe this will help you:
with
user_id as (select oid, rolname as my_user from pg_authid where rolname in('abc', 'xyz'))
select 'REVOKE ' || rolname || ' FROM ' || my_user || ' CASCADE;' as sql
from pg_auth_members
join pg_authid on pg_auth_members.roleid = pg_authid.oid
JOIN user_id ON pg_auth_members.member = user_id.oid
union
SELECT 'REVOKE ALL ON ' || datname || ' FROM ' || my_user || ' CASCADE;'
FROM pg_database
JOIN user_id ON pg_database.datdba = user_id.oid

How can i give grant access to specific user-role for a frquently dropped and created table in Vertica?

I have a table which is frequently dropped and created with the same name in a schema. How can i create grant access to a user-role when the table is created in Vertica?
P.S: This question is specifc to vertica, but all ideas are welcome. Also dropping is business requirement and we cannot even truncate the table and clear data out.
Unfortunately Vertica does not support a fixed role that can run a SELECT statement against any table or view in the database(SQL Server db_datareader roles for example).
So depending on how you create the object(DBA creation,workflow or any ETL tool), you need to automate this.
You can create a UDP to do this for you and just call the UDP in your job,script,workflow.
Also you can create a UDP to extract the actual grants,access to the object and also stores it in a temp file to be executed after object recreation.
But the question is ? is recreating the table needed ? What is the use of this ? Maybe there is a better solution !
And #Kermit you gotta stop down voting !
You'll have to do it in steps when you recreate the table.
1) Generate the GRANT script based on the existing grants. (You'll need to change this to match how you handle grants)
select 'GRANT ' || privileges_description || ' ON ' || object_schema || '.' || object_name || ' TO ' || grantee || ';' from grants
where object_schema = 'MYSCHEMA' object_name = 'MYTABLE'
and grantee ilike 'role%';
2) Create the new table like the old one (be sure to save your projections!)
CREATE TABLE MYSCHEMA.NEW_MYTABLE LIKE MYSCHEMA.MYTABLE INCLUDING PROJECTIONS;
3) Drop old table
DROP TABLE MYSCHEMA.MYTABLE;
4) Rename new table
ALTER TABLE MYSCHEMA.NEW_MYTABLE RENAME TO MYTABLE;
5) Apply generated grants
GRANT ROLE_MYROLE TO MYSCHEMA.MYTABLE;

Select access to all tables

In oracle 11g, I have a owner schema which contains the relevant tables required for an app.
For my external application i am trying to create another user which should have select access on certain tables to the above schema.
Lets call the owner schema A and the new schema B
create user B identified by blah;
grant connect to B;
After logging into the original schema A i ran the following (for demo i am giving select on all tables)
begin
FOR x IN (select * from user_tables)
LOOP
EXECUTE IMMEDIATE 'GRANT SELECT ON ' || x.table_name || ' TO some_role';
END LOOP;
end;
grant some_role to B;
If i login as user B and execute a query like
select count(*) from A.some_table ;
it works. But without creating a public synonym is it possible for me to grant
in such a way that the following works when logged in as user B?
select count(*) from some_table;
Thanks
You can create private synonyms for user B to use.
As user B, run the following block:
begin
FOR t IN (SELECT * FROM role_tab_privs WHERE grantee = 'SOME_ROLE' and owner = 'A')
LOOP
EXECUTE IMMEDIATE 'CREAETE SYNONYM ' || table_name || ' FOR A.' || table_name';
END LOOP;
end;
if you are just reading data from tables owned by userB, you can set below command and run SELECT on tables as if they were in userA schema:
alter session set current_schema=userB
(logged as UserA)
Then below two commands will be equivalent (have same result):
select ... from userB.TABLE1
select ... from TABLE1
GRANT SELECT ANY TABLE TO YOUR_USER_OR_ROL;

Revoking Oracle Permissions to multiple users at once

We're rationalising our database user permissions and to that end we'd like to revoke all select permissions across all tables in a schema granted to all users (but not a specific role).
With some regular expressions I've tried creating a universal revoke for each table giving something like:
revoke select on TABLE1 from USER1,USER2,USER3...;
revoke select on TABLE2 from USER1,USER2,USER3...;
However as not all users were granted permissions to all tables, this results in the oracle error:
01927. 00000 - "cannot REVOKE privileges you did not grant"
Which makes sense but isn't helpful.
I also tried using All_Tab_Privs to get a list of all tables with the requisite grants to be revoked, and this works, but I can't see how to easily get from this to actually revoking the permissions.
SELECT * From All_Tab_Privs where grantor = 'GRANTING_USER' and grantee != 'READROLE' and grantee != 'PUBLIC' and grantee != 'SYS';
Any suggestions for how to do this without spending hours in a spreadsheet? I'm guessing some PL/SQL? Thanks.
A general pattern for this kind of job is to use an implicit cursor to return the data you want and then to build the DDL and execute them.
begin
for x in (select attribute_1, attribute_2 ... from ... where ...)
loop
execute immediate 'REVOKE ...'||x.attribute1||' etc';
end loop;
end;
/
A nice alternative is to build the SQL you want to execute in the SELECT and then just execute that. It's easier to test but the SQL then looks a bit clunky.
-- Revoke Privs Granted to Users
BEGIN
FOR r IN (SELECT * FROM all_tab_privs WHERE grantee IN ('USER_1', 'USER_2'))
LOOP
EXECUTE IMMEDIATE 'REVOKE '||r.privilege||' ON '||r.table_name||' FROM '||r.grantee;
END LOOP;
END;
/
Some PL/SQL and dynamic SQL:
begin
for r in (SELECT * From All_Tab_Privs
where grantor = 'GRANTING_USER'
and grantee != 'READROLE'
and grantee != 'PUBLIC'
and grantee != 'SYS')
loop
execute immediate 'revoke '||r.privilege||' from '||r.grantee;
end loop;
end;
I had a quite interesting situation on my database. Oracles own SQL Developer still listed the existing grants for each table, although they were gone from the all_tab_privs table (a SELECT brought no result for the searched grantees).
I've fixed that by using the following construct:
BEGIN
FOR r IN (SELECT owner, table_name FROM dba_tables WHERE owner IN ('owner1', 'owner2'))
LOOP
EXECUTE IMMEDIATE 'REVOKE ALL ON '||r.owner||'.'||r.table_name||' FROM grantee1, grantee2';
END LOOP;
END;
/
This first selects all owners and table names from each table of certain owners. Then it revokes all grants for certain grantees.
The good thing is, that this won't fail if there aren't any grants for one of the listed grantee for one of the selected tables.
Mind that this should be executed from an administrator account, like system, so the current user has the right to revoke grants for tables of another user.